Monday, April 28, 2008

Configuring VPN as leased line backup

Q:
Hi everybody,
Can you help me in configuring a VPN?
The setup is like this: my customer has a point-to-point leased line as a primary link going to the head office using a Router 1841; OSPF is running on this segment.
He has an ASA 5510 behind the router; from the ASA he has an ADSL modem directly connected.
Now, what he wants to achieve is that once the primary link (leased line) goes down, traffic starts going out from the ADSL link through a VPN tunnel.
Keep in mind that on the Head Office side he is running with Juniper products.
Do you have any idea how it can be achieved?
I will really appreciate your quick response.



A:
Hi ...,
We deploy similar IPSEC VPNs over Internet links for high availability requirements. I call this MPLS Plan B... (In your case Leased Line Plan B :)

Here is my understanding of your setup:
Remote Office: Cisco ASA connected to Internet, Cisco 1841 connected to leased line
Headend: Juniper firewall connected to Internet, Some Cisco hardware connected to leased line
Internal Routing: OSPF


What you need is to extend dynamic routing (in your setup OSPF) to the Cisco ASA and the Juniper appliances. Make sure that both the ASA and the Juniper appliances participate in OSPF. First build the IPSEC tunnel between the remote site ASA 5510 and the headend Juniper. The firewalls will route traffic to the IPSEC tunnel interfaces as a by-product of the OSPF routing decision.

An important catch is the validation of the OSPF cost of the Internet links. The Internet OSPF cost must be higher than the leased line cost; this will assure that the leased line stays the primary link. Increase the costs manually if that is not the case.

Inter-product IPSEC tunnels (in this case ASA to Juniper) can be tricky; I do recommend a lab proof of concept before the production cutover.

Another way of building Internet failover is to use GRE tunnels between the internal Cisco hardware, so that you can bypass the Juniper headend firewall integration for routing (all you will need is a simple IPSEC VPN between the ASA and the Juniper that allows GRE traffic between the internal Cisco routers). I prefer the first option.

cheers,
- yinal
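The cost check in the answer above, worked through as an added example that is not part of the original post: a minimal SPF (Dijkstra) computation over the described topology, with constructed node names and assumed link costs, showing that the leased line only stays primary while the Internet/IPSEC link carries the higher OSPF cost, and that traffic moves to the VPN path when the leased line is withdrawn.

```python
# Added example (not from the original post). Node names and OSPF costs are
# assumed/constructed values for illustration, not taken from any real device.
import heapq


def build_topology(leased_line_up=True, internet_cost=100, leased_cost=64):
    """Constructed link-state view of the setup: remote LAN behind a 1841 (leased
    line) and an ASA 5510 (IPSEC over ADSL) reaching the head office LAN."""
    links = [
        ("remote-lan", "r1841", 1),
        ("remote-lan", "asa5510", 1),
        ("asa5510", "juniper", internet_cost),  # IPSEC tunnel over the Internet
        ("juniper", "ho-lan", 1),
        ("ho-router", "ho-lan", 1),
    ]
    if leased_line_up:
        links.append(("r1841", "ho-router", leased_cost))  # point-to-point leased line
    graph = {}
    for a, b, cost in links:
        graph.setdefault(a, []).append((b, cost))
        graph.setdefault(b, []).append((a, cost))
    return graph


def shortest_path(graph, src, dst):
    """Dijkstra: the SPF run every OSPF router performs on its link-state database.
    Returns (total_cost, path) or (None, []) when dst is unreachable."""
    dist, prev, heap = {src: 0}, {}, [(0, src)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist.get(node, float("inf")):
            continue  # stale queue entry
        for nxt, cost in graph.get(node, []):
            nd = d + cost
            if nd < dist.get(nxt, float("inf")):
                dist[nxt], prev[nxt] = nd, node
                heapq.heappush(heap, (nd, nxt))
    if dst not in dist:
        return None, []
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return dist[dst], path[::-1]


def primary_link(leased_line_up=True, internet_cost=100, leased_cost=64):
    """Report which path OSPF selects from the remote LAN to the head office LAN:
    'leased' (via the 1841), 'vpn' (via ASA/IPSEC) or 'none'."""
    graph = build_topology(leased_line_up, internet_cost, leased_cost)
    _, path = shortest_path(graph, "remote-lan", "ho-lan")
    if not path:
        return "none"
    return "leased" if "r1841" in path else "vpn"
```

Calling primary_link(internet_cost=10) reproduces the misconfiguration the answer warns about: with a cheaper Internet cost, OSPF prefers the VPN path even while the leased line is up.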
