01-05-2015 07:19 PM
IPsec Dual ISP Failover
Hi all!
I have been working on IPsec dual ISP failover setup using 3 HP MSR routers. The setup looks like the one below.
                       | -- Hub1 -- via ISP1 -- \
LAN (192.168.10.x) --  |                          >>> Spoke (10.10.20.x)
                       | -- Hub2 -- via ISP2 -- /
Hub1 has a static IP address; Hub2 and the Spoke have dynamic IP addresses (Hub2 will be static in the future actual implementation, I just don't have another static line at the moment). The Spoke connects via Hub1, but in case ISP1 goes down it should fail over to ISP2, and it should go back to ISP1 again once ISP1 comes up (it's like preemption). Please note that I will be having several spokes in the future, which is why failover between ISP1 and ISP2 is important.
I was already able to bring up the two tunnels from the Spoke to the Hubs at the same time, but the failover doesn't work as I intended it to. If I take down ISP1, the traffic does not pass through ISP2 even if the tunnel to ISP2 is up. Please see the configs below.
Hub1:
#
ike local-name Hub1
#
acl number 3001
 description To_IPsec_Tunnel
 rule 5 permit ip source 192.168.10.0 0.0.0.255 destination 10.10.20.0 0.0.0.255
acl number 3005
 description To_Internet
 rule 0 deny ip destination 10.10.20.0 0.0.0.255
#
ike proposal 1
 encryption-algorithm 3des-cbc
 dh group2
 sa duration 3600
#
ike peer spoke
 exchange-mode aggressive
 pre-shared-key xxx
 id-type name
 remote-name Spoke
 nat traversal
#
ipsec transform-set tran1
 encapsulation-mode tunnel
 transform esp
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des
#
ipsec policy vpn 20 isakmp
 security acl 3001
 ike-peer spoke
 transform-set tran1
 sa duration time-based 28800
#
interface Ethernet0/0
 port link-mode route
 nat outbound 3005
 ip address ISP1
 ipsec policy vpn
#
ip route-static 0.0.0.0 0.0.0.0 ISP1
ip route-static 10.10.20.0 255.255.255.0 ISP1
#
ipsec policy vpn local-address LoopBack0
Hub2:
#
ike local-name Hub2
#
acl number 3001
 description To_IPsec_Tunnel
 rule 5 permit ip source 192.168.10.0 0.0.0.255 destination 10.10.20.0 0.0.0.255
acl number 3005
 description To_Internet
 rule 0 deny ip destination 10.10.20.0 0.0.0.255
#
ike proposal 1
 encryption-algorithm 3des-cbc
 dh group2
 sa duration 3600
#
ike peer spoke2
 exchange-mode aggressive
 pre-shared-key xxx
 id-type name
 remote-name Spoke
 nat traversal
#
ipsec transform-set tran1
 encapsulation-mode tunnel
 transform esp
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des
#
ipsec policy vpn 20 isakmp
 security acl 3001
 ike-peer spoke2
 transform-set tran1
 sa duration time-based 28800
#
interface Ethernet0/0
 port link-mode route
 nat outbound 3005
 ip address dhcp-alloc
 ipsec policy vpn
#
ip route-static 0.0.0.0 0.0.0.0 ISP2
ip route-static 10.10.20.0 255.255.255.0 ISP2
#
ipsec policy vpn local-address LoopBack0
Spoke:
#
ike local-name Spoke
#
acl number 3001
 description To_IPsec_Tunnel
 rule 5 permit ip source 10.10.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
acl number 3002
 description To_IPSec_Tunnel
 rule 5 permit ip source 10.10.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
acl number 3005
 description To_Internet
 rule 3 deny ip destination 192.168.10.0 0.0.0.255
 rule 5 permit ip source 10.10.20.0 0.0.0.255
#
ike proposal 1
 encryption-algorithm 3des-cbc
 dh group2
 sa duration 3600
#
ike dpd deadpeer
#
ike peer spoke
 exchange-mode aggressive
 pre-shared-key xxx
 id-type name
 remote-name Hub1
 remote-address ISP1
 nat traversal
 dpd deadpeer
#
ike peer spoke2
 exchange-mode aggressive
 pre-shared-key xxx
 id-type name
 remote-name Hub2
 remote-address ISP2
 nat traversal
 dpd deadpeer
#
ipsec transform-set tran1
 encapsulation-mode tunnel
 transform esp
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des
#
ipsec policy vpn 10 isakmp
 security acl 3001
 ike-peer spoke
 transform-set tran1
 sa duration time-based 28800
#
ipsec policy vpn 20 isakmp
 security acl 3002
 ike-peer spoke2
 transform-set tran1
 sa duration time-based 28800
#
interface Ethernet0/0
 port link-mode route
 nat outbound 3005
 ip address dhcp-alloc
 ipsec policy vpn
#
ip route-static 0.0.0.0 0.0.0.0 SpokeISP
ip route-static 192.168.10.0 255.255.255.0 SpokeISP
#
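As an added illustration (not part of the post above and not Comware code), a Python model of the spoke's policy group "vpn". It assumes that the entries of an IPsec policy group are tried in ascending sequence order and chosen on the security ACL alone, without consulting whether that entry's IKE peer is reachable; under that assumption entries 10 and 20, which carry identical ACLs 3001 and 3002, shadow each other and every LAN-bound flow is pinned to entry 10 even while the Hub1 peer is down.

```python
import ipaddress

# Security ACLs copied from the spoke config: (action, src, src_wildcard, dst, dst_wildcard)
ACLS = {
    3001: [("permit", "10.10.20.0", "0.0.0.255", "192.168.10.0", "0.0.0.255")],
    3002: [("permit", "10.10.20.0", "0.0.0.255", "192.168.10.0", "0.0.0.255")],
}

# IPsec policy group "vpn" on the spoke: (sequence, ike-peer, security acl)
POLICY_VPN = [(10, "spoke", 3001), (20, "spoke2", 3002)]


def _in_wildcard(addr, net, wildcard):
    """Wildcard-mask semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(net)) & care)


def acl_permits(acl_id, src, dst):
    """First matching rule decides; no matching rule is an implicit deny."""
    for action, src_net, src_wild, dst_net, dst_wild in ACLS[acl_id]:
        if _in_wildcard(src, src_net, src_wild) and _in_wildcard(dst, dst_net, dst_wild):
            return action == "permit"
    return False


def select_policy(src, dst, peer_up):
    """Return (sequence, ike-peer, peer reachable) for the first entry whose ACL
    permits the flow, or None when no entry matches (packet is not protected).
    Assumed behaviour (not from the post): peer_up is only reported, never used
    to skip an entry, so a dead peer on entry 10 does not hand the flow to entry 20."""
    for seq, peer, acl_id in POLICY_VPN:
        if acl_permits(acl_id, src, dst):
            return seq, peer, peer_up.get(peer, False)
    return None


if __name__ == "__main__":
    # Constructed sample flows: LAN-bound traffic and plain Internet traffic
    flow = ("10.10.20.5", "192.168.10.5")
    print(select_policy(*flow, {"spoke": True, "spoke2": True}))    # (10, 'spoke', True)
    print(select_policy(*flow, {"spoke": False, "spoke2": True}))   # (10, 'spoke', False): entry 20 shadowed
    print(select_policy("10.10.20.5", "203.0.113.10", {}))          # None
```

The second call is the failure the post describes: the Hub2 tunnel is up, but the flow still selects the entry bound to the unreachable Hub1 peer.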