topic IPsec Dual ISP Failover in Security e-Series https://community.hpe.com/t5/security-e-series/ipsec-dual-isp-failover/m-p/6690812#M266 <P>Hi all!&nbsp;</P><P>&nbsp;</P><P>I have been working on IPsec dual ISP failover setup using 3 HP MSR routers. The setup looks like the one below.</P><P>&nbsp;</P><P>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;| -- Hub1 -- via ISP1-- \</P><P>LAN (192.168.10.x) -- | &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &gt;&gt;&gt; Spoke (10.10.20.x)</P><P>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;| -- Hub2 -- via ISP2-- /</P><P><BR />Hub1 has static, Hub2 and&nbsp;Spoke has dynamic IP address (Hub2 will be static in the future actual implem, I just don't have another static line at the moment). Spoke connects via Hub1 but in case ISP1 goes down, it should failover to ISP2, and should go back to ISP1 again in case ISP1 goes up again (it's like preemption). Please note that I will be having several spokes in the future that's why failover between ISP1 and ISP2 is important.</P><P>&nbsp;</P><P>I was already able to up the two tunnels to the Hubs from the Spoke at the same time but the failover doesn't work as I intended it to be. If I down the ISP1, the traffic does not pass through ISP2 even if the tunnel to ISP2 is up. Please see configs below.&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>HUB1:</P><P>#</P><P>ike local-name Hub1</P><P>#</P><P>acl number 3001<BR />description To_IPsec_Tunnel<BR />rule 5 permit ip source 192.168.10.0 0.0.0.255 destination 10.10.20.0 0.0.0.255</P><P>acl number 3005</P><P>description To_Internet<BR />rule 0 deny ip destination 10.10.20.0 0.0.0.255</P><P>#</P><P>ike proposal 1<BR />encryption-algorithm 3des-cbc<BR />dh group2<BR />sa duration 3600<BR />#<BR />ike peer spoke<BR />exchange-mode aggressive<BR />pre-shared-key xxx<BR />id-type name<BR />remote-name Spoke<BR />nat traversal<BR />#<BR />ipsec transform-set tran1<BR />encapsulation-mode tunnel<BR />transform esp<BR />esp authentication-algorithm sha1<BR />esp encryption-algorithm 3des</P><P>#</P><P>ipsec policy vpn 20 isakmp<BR />security acl 3001</P><P>ike-peer spoke<BR />transform-set tran1<BR />sa duration time-based 28800</P><P>#</P><P>interface Ethernet0/0<BR />port link-mode route<BR />nat outbound 3005<BR />ip address ISP1<BR />ipsec policy vpn</P><P>#</P><P>ip route-static 0.0.0.0 0.0.0.0 ISP1<BR />ip route-static 10.10.20.0 255.255.255.0 ISP1</P><P>#</P><P>ipsec policy vpn local-address LoopBack0</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>Hub2:</P><P>#</P><P>ike local-name Hub2</P><P>#</P><P>acl number 3001<BR />description To_IPsec_Tunnel<BR />rule 5 permit ip source 192.168.10.0 0.0.0.255 destination 10.10.20.0 0.0.0.255</P><P>acl number 3005</P><P>description To_Internet<BR />rule 0 deny ip destination 10.10.20.0 0.0.0.255</P><P>#</P><P>ike proposal 1<BR />encryption-algorithm 3des-cbc<BR />dh group2<BR />sa duration 3600<BR />#<BR />ike peer spoke2<BR />exchange-mode aggressive<BR />pre-shared-key xxx<BR />id-type name<BR />remote-name Spoke<BR />nat traversal<BR />#<BR />ipsec transform-set tran1<BR />encapsulation-mode tunnel<BR />transform esp<BR />esp authentication-algorithm sha1<BR />esp encryption-algorithm 3des</P><P>#</P><P>ipsec policy vpn 20 isakmp<BR />security acl 3001</P><P>ike-peer spoke2<BR />transform-set tran1<BR />sa duration time-based 28800</P><P>#</P><P>interface Ethernet0/0<BR />port link-mode route<BR />nat outbound 3005<BR />ip address&nbsp;dhcp-alloc<BR />ipsec policy vpn</P><P>#</P><P>ip route-static 0.0.0.0 0.0.0.0 ISP2<BR />ip route-static 10.10.20.0 255.255.255.0 ISP2</P><P>#</P><P>ipsec policy vpn local-address LoopBack0</P><P>&nbsp;</P><P>&nbsp;</P><P>Spoke:</P><P>#</P><P>ike local-name Spoke<BR />#<BR />acl number 3001<BR />description To_IPsec_Tunnel<BR />rule 5 permit ip source 10.10.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255<BR />acl number 3002<BR />description To_IPSec_Tunnel<BR />rule 5 permit ip source 10.10.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255<BR />acl number 3005<BR />description To_Internet<BR />rule 3 deny ip destination 192.168.10.0 0.0.0.255<BR />rule 5 permit ip source 10.10.20.0 0.0.0.255<BR />#<BR />ike proposal 1<BR />encryption-algorithm 3des-cbc<BR />dh group2<BR />sa duration 3600<BR />#<BR />ike dpd deadpeer<BR />#<BR />ike peer spoke<BR />exchange-mode aggressive<BR />pre-shared-key xxx<BR />id-type name<BR />remote-name Hub1<BR />remote-address ISP1<BR />nat traversal<BR />dpd deadpeer<BR />#<BR />ike peer spoke2<BR />exchange-mode aggressive<BR />pre-shared-key xxx<BR />id-type name<BR />remote-name Hub2<BR />remote-address ISP2<BR />nat traversal<BR />dpd deadpeer<BR />#<BR />ipsec transform-set tran1<BR />encapsulation-mode tunnel<BR />transform esp<BR />esp authentication-algorithm sha1<BR />esp encryption-algorithm 3des<BR />#<BR />ipsec policy vpn 10 isakmp<BR />security acl 3001<BR />ike-peer spoke<BR />transform-set tran1<BR />sa duration time-based 28800<BR />#<BR />ipsec policy vpn 20 isakmp<BR />security acl 3002<BR />ike-peer spoke2<BR />transform-set tran1<BR />sa duration time-based 28800<BR />#<BR />interface Ethernet0/0<BR />port link-mode route<BR />nat outbound 3005<BR />ip address dhcp-alloc<BR />ipsec policy vpn<BR />#<BR />ip route-static 0.0.0.0 0.0.0.0 SpokeISP<BR />ip route-static 192.168.10.0 255.255.255.0 SpokeISP<BR />#</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 06 Jan 2015 03:19:51 GMT Ayeesha 2015-01-06T03:19:51Z IPsec Dual ISP Failover https://community.hpe.com/t5/security-e-series/ipsec-dual-isp-failover/m-p/6690812#M266 <P>Hi all!&nbsp;</P><P>&nbsp;</P><P>I have been working on IPsec dual ISP failover setup using 3 HP MSR routers. The setup looks like the one below.</P><P>&nbsp;</P><P>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;| -- Hub1 -- via ISP1-- \</P><P>LAN (192.168.10.x) -- | &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &gt;&gt;&gt; Spoke (10.10.20.x)</P><P>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;| -- Hub2 -- via ISP2-- /</P><P><BR />Hub1 has static, Hub2 and&nbsp;Spoke has dynamic IP address (Hub2 will be static in the future actual implem, I just don't have another static line at the moment). Spoke connects via Hub1 but in case ISP1 goes down, it should failover to ISP2, and should go back to ISP1 again in case ISP1 goes up again (it's like preemption). Please note that I will be having several spokes in the future that's why failover between ISP1 and ISP2 is important.</P><P>&nbsp;</P><P>I was already able to up the two tunnels to the Hubs from the Spoke at the same time but the failover doesn't work as I intended it to be. If I down the ISP1, the traffic does not pass through ISP2 even if the tunnel to ISP2 is up. Please see configs below.&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>HUB1:</P><P>#</P><P>ike local-name Hub1</P><P>#</P><P>acl number 3001<BR />description To_IPsec_Tunnel<BR />rule 5 permit ip source 192.168.10.0 0.0.0.255 destination 10.10.20.0 0.0.0.255</P><P>acl number 3005</P><P>description To_Internet<BR />rule 0 deny ip destination 10.10.20.0 0.0.0.255</P><P>#</P><P>ike proposal 1<BR />encryption-algorithm 3des-cbc<BR />dh group2<BR />sa duration 3600<BR />#<BR />ike peer spoke<BR />exchange-mode aggressive<BR />pre-shared-key xxx<BR />id-type name<BR />remote-name Spoke<BR />nat traversal<BR />#<BR />ipsec transform-set tran1<BR />encapsulation-mode tunnel<BR />transform esp<BR />esp authentication-algorithm sha1<BR />esp encryption-algorithm 3des</P><P>#</P><P>ipsec policy vpn 20 isakmp<BR />security acl 3001</P><P>ike-peer spoke<BR />transform-set tran1<BR />sa duration time-based 28800</P><P>#</P><P>interface Ethernet0/0<BR />port link-mode route<BR />nat outbound 3005<BR />ip address ISP1<BR />ipsec policy vpn</P><P>#</P><P>ip route-static 0.0.0.0 0.0.0.0 ISP1<BR />ip route-static 10.10.20.0 255.255.255.0 ISP1</P><P>#</P><P>ipsec policy vpn local-address LoopBack0</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>Hub2:</P><P>#</P><P>ike local-name Hub2</P><P>#</P><P>acl number 3001<BR />description To_IPsec_Tunnel<BR />rule 5 permit ip source 192.168.10.0 0.0.0.255 destination 10.10.20.0 0.0.0.255</P><P>acl number 3005</P><P>description To_Internet<BR />rule 0 deny ip destination 10.10.20.0 0.0.0.255</P><P>#</P><P>ike proposal 1<BR />encryption-algorithm 3des-cbc<BR />dh group2<BR />sa duration 3600<BR />#<BR />ike peer spoke2<BR />exchange-mode aggressive<BR />pre-shared-key xxx<BR />id-type name<BR />remote-name Spoke<BR />nat traversal<BR />#<BR />ipsec transform-set tran1<BR />encapsulation-mode tunnel<BR />transform esp<BR />esp authentication-algorithm sha1<BR />esp encryption-algorithm 3des</P><P>#</P><P>ipsec policy vpn 20 isakmp<BR />security acl 3001</P><P>ike-peer spoke2<BR />transform-set tran1<BR />sa duration time-based 28800</P><P>#</P><P>interface Ethernet0/0<BR />port link-mode route<BR />nat outbound 3005<BR />ip address&nbsp;dhcp-alloc<BR />ipsec policy vpn</P><P>#</P><P>ip route-static 0.0.0.0 0.0.0.0 ISP2<BR />ip route-static 10.10.20.0 255.255.255.0 ISP2</P><P>#</P><P>ipsec policy vpn local-address LoopBack0</P><P>&nbsp;</P><P>&nbsp;</P><P>Spoke:</P><P>#</P><P>ike local-name Spoke<BR />#<BR />acl number 3001<BR />description To_IPsec_Tunnel<BR />rule 5 permit ip source 10.10.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255<BR />acl number 3002<BR />description To_IPSec_Tunnel<BR />rule 5 permit ip source 10.10.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255<BR />acl number 3005<BR />description To_Internet<BR />rule 3 deny ip destination 192.168.10.0 0.0.0.255<BR />rule 5 permit ip source 10.10.20.0 0.0.0.255<BR />#<BR />ike proposal 1<BR />encryption-algorithm 3des-cbc<BR />dh group2<BR />sa duration 3600<BR />#<BR />ike dpd deadpeer<BR />#<BR />ike peer spoke<BR />exchange-mode aggressive<BR />pre-shared-key xxx<BR />id-type name<BR />remote-name Hub1<BR />remote-address ISP1<BR />nat traversal<BR />dpd deadpeer<BR />#<BR />ike peer spoke2<BR />exchange-mode aggressive<BR />pre-shared-key xxx<BR />id-type name<BR />remote-name Hub2<BR />remote-address ISP2<BR />nat traversal<BR />dpd deadpeer<BR />#<BR />ipsec transform-set tran1<BR />encapsulation-mode tunnel<BR />transform esp<BR />esp authentication-algorithm sha1<BR />esp encryption-algorithm 3des<BR />#<BR />ipsec policy vpn 10 isakmp<BR />security acl 3001<BR />ike-peer spoke<BR />transform-set tran1<BR />sa duration time-based 28800<BR />#<BR />ipsec policy vpn 20 isakmp<BR />security acl 3002<BR />ike-peer spoke2<BR />transform-set tran1<BR />sa duration time-based 28800<BR />#<BR />interface Ethernet0/0<BR />port link-mode route<BR />nat outbound 3005<BR />ip address dhcp-alloc<BR />ipsec policy vpn<BR />#<BR />ip route-static 0.0.0.0 0.0.0.0 SpokeISP<BR />ip route-static 192.168.10.0 255.255.255.0 SpokeISP<BR />#</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 06 Jan 2015 03:19:51 GMT https://community.hpe.com/t5/security-e-series/ipsec-dual-isp-failover/m-p/6690812#M266 Ayeesha 2015-01-06T03:19:51Z