WAN Backed Up by an IPsec VPN

This chapter has focused on how to ensure that the loss of one IPsec VPN can be easily recovered by a second. Both stateful and stateless methods were examined. IPsec VPN tunnels can also be used to back up "normal" WAN connections.

Most of Part III, "IPsec VPNs," of this book deals with IPsec VPNs, which offer confidentiality to data as it passes from one site to another. A "normal" WAN connection is simply a PVC, such as a Frame Relay or ATM link between sites. No confidentiality or integrity is offered for such connections. However, if such a connection fails, there is no reason the traffic that did not require protection cannot be carried through the IPsec VPN instead.

The assumption is that both a "normal" WAN connection and an IPsec VPN link exist between two sites. The WAN connection is some sort of provider-based PVC, while the IPsec VPN travels across the untrusted Internet. As already explained in Chapter 13, an IPsec VPN can be statically configured to know which traffic is permitted to travel through it (interesting traffic). It has also been shown how to configure dynamic routing protocols across the IPsec VPN through the use of GRE over IPsec (refer to Chapter 14).

The "normal" WAN connection exchanges dynamic routing updates via OSPF or EIGRP. When this link fails, both sides realize the loss very quickly, due to the fast convergence time of both OSPF and EIGRP. There are two ways that routers on either end can decide to forward traffic over the IPsec VPN link.

The first solution is to ensure that the same dynamic routing protocol is also configured to run across the IPsec VPN, which is accomplished with GRE over IPsec. The IPsec VPN connection should be used only after the "normal" WAN connection fails. To ensure this, the EIGRP interface delay or OSPF cost can be adjusted to make the dynamic IPsec VPN routes less favorable than the "normal" WAN ones.
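The following configuration is an added example (it is not from the book) of the first solution on one router, R1: a Frame Relay PVC to the remote site R2 plus a GRE-over-IPsec tunnel across the Internet, with EIGRP running over both and the tunnel's delay raised so that its routes lose to the WAN routes. All addresses, DLCIs, ACL numbers and the pre-shared key are placeholders chosen for illustration; R2 mirrors this with the addresses swapped.

```cisco
! Added example, not the book's own configuration. Placeholder addresses:
!   R1 LAN 10.1.0.0/16, R2 LAN 10.2.0.0/16
!   WAN PVC 172.16.12.0/30, GRE tunnel 172.16.100.0/30
!   R1 Internet 203.0.113.2, R2 Internet 198.51.100.2
!
! --- IKE and IPsec policy protecting the GRE tunnel (assumed values) ---
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-PSK address 198.51.100.2
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode transport
!
! Interesting traffic for IPsec is only the GRE tunnel itself, so everything
! routed into Tunnel0 is encrypted whatever its inner source and destination.
access-list 110 permit gre host 203.0.113.2 host 198.51.100.2
!
crypto map VPN 10 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set TS
 match address 110
!
! --- Primary WAN: provider PVC, default EIGRP metrics (placeholder DLCI 102) ---
interface Serial0/0
 ip address 172.16.12.1 255.255.255.252
 encapsulation frame-relay
 frame-relay map ip 172.16.12.2 102 broadcast
!
! --- Internet-facing interface that terminates the IPsec peer ---
interface FastEthernet0/1
 ip address 203.0.113.2 255.255.255.0
 crypto map VPN
!
! --- Backup path: GRE tunnel carried inside IPsec ---
interface Tunnel0
 ip address 172.16.100.1 255.255.255.252
 tunnel source FastEthernet0/1
 tunnel destination 198.51.100.2
 ip mtu 1400
 ip tcp adjust-mss 1360
 ! delay is in tens of microseconds; set it well above the serial link's so
 ! the EIGRP composite metric via the tunnel is worse than via Serial0/0.
 delay 100000
 ! OSPF equivalent if OSPF is the WAN routing protocol instead of EIGRP:
 ! ip ospf cost 1000
!
interface FastEthernet0/0
 ip address 10.1.0.1 255.255.0.0
!
! EIGRP runs on the LAN, the WAN PVC and the tunnel. The tunnel routes are
! learned continuously but only become best paths once the Serial0/0 routes
! are withdrawn; when the PVC returns, traffic moves back automatically.
router eigrp 100
 network 10.1.0.0 0.0.255.255
 network 172.16.12.0 0.0.0.3
 network 172.16.100.0 0.0.0.3
 no auto-summary
```

While the PVC is up, `show ip route 10.2.0.0` should list Serial0/0 as the outgoing interface and `show ip eigrp topology` should still show the Tunnel0 path in the topology table; pulling the PVC should move the route to Tunnel0 within EIGRP's convergence time. Keep the `ip mtu` and `ip tcp adjust-mss` lines: GRE plus ESP overhead otherwise causes fragmentation or black-holed large packets once the full site-to-site traffic is pushed through the tunnel.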

A second way to route traffic through the IPsec VPN upon WAN failure is to use floating static routes. A floating static route is a manually configured route with a high administrative distance (AD). Due to the high AD, the static route is not chosen as the best available path until the dynamic routes (with lower ADs) have been withdrawn. The loss of such dynamic routes occurs as a result of either failure of the path to the prefix or failure of the prefix itself.
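As an added example (not from the book), this is the floating static route variant on R1, assuming a crypto-map IPsec VPN to R2 is already configured on the Internet interface rather than a GRE tunnel. The remote LAN 10.2.0.0/16, the Internet next hop 203.0.113.1, the peer 198.51.100.2 and the transform set TS are placeholders; the point is the administrative distance of 250 and the crypto ACL that the redirected traffic must match.

```cisco
! Added example, not the book's own configuration. Assumes R1's Internet
! interface FastEthernet0/1 (203.0.113.2/24) already carries crypto map VPN,
! that transform-set TS exists, and that the Internet next hop is 203.0.113.1.
!
! The primary route to 10.2.0.0/16 is learned over the WAN PVC by EIGRP
! (AD 90) or OSPF (AD 110). This static route carries AD 250, so it is only
! installed in the routing table after the dynamic route has been withdrawn.
ip route 10.2.0.0 255.255.0.0 203.0.113.1 250
!
! The crypto ACL must match every flow the floating static will redirect;
! a packet that the ACL does not match leaves FastEthernet0/1 in cleartext.
! Here the whole 10.1/16 <-> 10.2/16 exchange is interesting traffic, not
! only the narrower set of hosts the VPN might have carried day to day.
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
crypto map VPN 10 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set TS
 match address VPN-TRAFFIC
!
interface FastEthernet0/1
 crypto map VPN
```

With the PVC up, `show ip route 10.2.0.0` shows only the dynamic route; after the PVC fails it shows the static entry with `[250/0]` via 203.0.113.1, and the first packets toward 10.2.0.0/16 trigger IKE to build the IPsec SA if it is not already up. Two checks are worth making before relying on this: confirm with `show crypto ipsec sa` that the encrypted packet counters climb during the failover (proving the traffic is matched by the crypto ACL rather than sent in the clear), and remember that a static route pointing at a next hop on an Ethernet interface is only removed when that interface goes down, so it stays in place even if the IPsec peer itself becomes unreachable.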

With either of these solutions, the IPsec VPN is used only for the specific traffic it is configured to protect while the WAN is healthy. Upon failure of the WAN connection, all traffic is permitted to temporarily travel through the VPN. When the primary WAN path has been reestablished, the normal WAN traffic returns to its desired connection.
