dslreports forum thread
IPsec help 1811
ed001 (Member, East Hanover, NJ, join:2006-05-07):

Hello all,
I am not looking to be spoon-fed answers (unless you want to). I am looking for some assistance regarding a redundant VPN topology. I am part of a family business with a very limited budget. At a quoted $625 per month and three locations, T1 is out. We currently have dual-WAN routers on DSL and cable deployed with VPN backup functionality, and although it does work, the routers don't manage VPN very well, resulting in some downtime. The redundancy is great for long-term outages, like the squirrel that chewed through the telephone line last month and brought the DSL down, but the squirrelly (no pun intended) IPsec tunnels are countering the intended effect.
Anyway, my question is that I need some info on IPsec backup with regard to Cisco gear. Our budget would be in the neighborhood of the 1811.
That would be three 1811s, each with one static DSL line and one dynamic cable line.
It is my understanding that this can be done by creating two tunnels on each side and using OSPF, but not having access to the gear to set up a lab and test, I can't sell it to the rest of the family without saying "YES, it will work".
As I understand it, OSPF handles choosing the best route, but how does that work with regard to VPN? Does the router see the IPsec tunnels as virtual interfaces, which would allow me to enable OSPF on them?
I am not a complete newb to Cisco. I have some seat time with the CLI. I just can't seem to find any documentation either way.
Someone, somewhere has also mentioned looking at the default route command, but again I could find no reference to its use with IPsec.

Thanks for any help you can offer. Feel free to ask if I did not explain something in enough detail.
aryoba (MVM, join:2002-08-22):
After reading your description, it looks like you are trying to set up a full-mesh site-to-site VPN with OSPF running on top of GRE over IPsec. Since all the routers are Cisco, you can also choose to run EIGRP if you like.

There is another approach to the network design. You can set up the network as "hub and spoke". Choose one site as the hub and the rest would be the spokes. Compared to the full mesh, which requires three tunnels, you only need to run two tunnels with hub and spoke.

Another good thing is that with hub and spoke you don't need to run a dynamic routing protocol, since static routes would do. Since you only run static routes, no GRE tunnel is necessary.

Keep in mind that the more features you use on the routers (GRE tunnel, OSPF, etc.) in addition to the bandwidth-hungry applications, the more CPU- and memory-intensive the routers' work will be. Another good point is that hub and spoke is scalable for when you have more sites to connect.
ed001 (Member):
Thanks for your quick response.
But if I could just ask a question and maybe get an opinion.

Q. Not sure how to ask this one. Would hub and spoke allow me to use both WAN ports from each location to provide the site redundancy? What I am trying to get at here is that I want redundancy at all sites, not just the main office where the servers are. Another way: would I be able to tunnel to the "hub" with each WAN port separately from the "spokes"? Let me know if that doesn't make sense; I'll try to rephrase.

O. I will look into the OSPF vs. EIGRP issue, but it would be nice to get your opinion on the benefits of one over the other. I assume from your post you lean towards EIGRP.
aryoba (MVM):
A. Yes, you can set up your network as Full Mesh (which equals Hub and Spoke plus site-to-site connections between all Spokes). However, since you are running a dynamic routing protocol over the VPN tunnel, you need to run GRE over IPsec to support the dynamic routing protocol. In addition, there would be applications (probably bandwidth-hungry ones) running over the tunnel.

With this Full Mesh setup, each router at each site has to deal with the complexity of applications, dynamic routing, GRE, IPsec, and Internet traffic (done with split tunneling). When you have Hub and Spoke, each router only deals with applications, IPsec, and Internet traffic.

Keep in mind that I'm not saying that Full Mesh is bad. I'm saying that you need to consider multiple aspects (cost and benefit) when designing a network, i.e. the reliability and scalability aspects.

A. On the contrary, I would recommend OSPF over EIGRP. OSPF is not Cisco proprietary, unlike EIGRP. Therefore you can have non-Cisco routers join the routing domain.

EIGRP would be nice if you are sure that all routers within your network will be Cisco. Another thing is that EIGRP is simpler to set up and requires less CPU/memory.
ed001 (Member):
To help illustrate!

ed001 (Member):
Here it is
Try again
aryoba (MVM):
Let's say you prefer to have a Hub and Spoke network using VPN tunnels. The server site would be the Hub and the other sites would be the Spokes.

Yes, it is possible to have dual VPN tunnels with a Hub and Spoke network setup. There are several requirements, however, to make it work:

Network
* All the 1811 routers would terminate the VPN tunnels
* Each ISP (the Cable Internet and DSL) would provide to each site at least two usable Public IP addresses
* Total usable Public IP addresses for each site is 4 (2 from each ISP)
* Of the 2 usable Public IP addresses, one would be for the VPN peer and the other would be for Internet access
* All 4 IP addresses must be static IP addresses (never change at any time)
* There would be a GRE over IPsec tunnel to support the dynamic routing protocol
* You can run either EIGRP or OSPF as the routing protocol

Traffic flow
* Internal applications (e.g. Mail, Database) would take the VPN tunnel path
* External applications (e.g. Internet access) would take the non-VPN-tunnel path by doing split tunneling at each site
* From each site, traffic going out to the Internet would go out directly and not go through the VPN tunnel to the Server site first

DNS/WINS servers
* When there are internal DNS/WINS servers, it is suggested that each site have local DNS/WINS servers
* If it is challenging for each site to have local DNS/WINS servers, then you can have these servers only at the Hub
* Should you decide to have the DNS/WINS servers only at the Hub site, then all machines or workstations at Spoke sites must have the Hub DNS/WINS server as Primary and the local ISP DNS server as Secondary
ed001 (Member):
Aryoba,
Thanks again for all the great info.
I have two problems with this scenario, though. One, the cable connection is only available with a dynamic IP. Two, the cable company won't give me another IP without another modem.

But I should have mentioned that the two remote sites do not need Internet access for anything but Windows Update. I made it a point to lock down access to the Internet, as these machines are basically fancy cash registers. All antivirus/malware update servers, file share access, database access, etc. are at the "hub" location. Given that Windows Update is the only external source, isn't there a way to negate the extra IPs at each location and use the 1811 at the hub as the default gateway, so Windows updates are pulled through the tunnel from the hub's access to the outside world?
Thanks again
aryoba (MVM):
One requirement for site-to-site VPN is to always have a static IP address that never changes at any time. Therefore it would not work with a dynamic IP address.

Another issue to verify is that your ISPs (both DSL and cable Internet) must be able to support VPN tunnels. This also includes not blocking the necessary VPN protocols, such as ESP, AH, UDP 500 and UDP 4500 traffic from/to anywhere.

When you subscribe to some kind of Business Grade Internet service from your cable Internet and DSL providers, they should be able to assign you a block of static Public IP addresses using only one modem. With the same service, there should be support for VPN tunnels as well. You can always verify this with them.

Since receiving Windows updates means accessing the Microsoft website on the Internet, the Windows Update process is still considered Internet access.

It is possible, however, to set Windows updates for the Spokes to be retrieved only from the Hub site and never directly from the Microsoft site.
Phraxos (Premium Member, UK, join:2004-06-12) to ed001:
If you at least had a cable service at the hub that had a static IP, then you could use DMVPN to create tunnels for the spokes with dynamic IPs. There is various info about this here: »www.cisco.com/en/US/prod ··· ome.html

Windows Server Update Services (WSUS) will allow you to have a central server that downloads all Windows updates. The spoke sites can then be set up to get their updates from that central server. More info here: »www.microsoft.com/window ··· ult.mspx

TomS_ (Git-r-done, MVM, London, UK, join:2002-07-19) to aryoba:
said by aryoba:

* Each ISP (the Cable Internet and DSL) would provide to each site at least two usable Public IP addresses
Why does he need two IPs per service? It is possible to do everything using one static IP per DSL and cable service.
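Putting the thread's pieces together, here is an added, illustrative Cisco IOS configuration. It is not from any poster and not from Cisco's documentation; it shows the design in aryoba's requirements list (two tunnels per spoke, GRE over IPsec, OSPF deciding the path, split tunneling), built with the DMVPN approach Phraxos points to so that the spokes' dynamic cable addresses work, and using a single public IP per ISP line at each site, as TomS_ says is enough. Everything concrete is an assumption: the addresses (203.0.113.x for DSL, 198.51.100.x for cable, 192.168.x.0/24 LANs), the interface roles (FastEthernet0 = DSL, FastEthernet1 = cable, Vlan1 = LAN on the 1811's switch ports), the pre-shared key, the tunnel and profile names, that the hub's cable line is static (Phraxos's precondition), and that the 1811s run a 12.4-era advanced-security image with DMVPN and `tunnel protection` support.

```cisco
! ===== HUB. Assumed: Fa0 = DSL 203.0.113.10/29 (gw .9), Fa1 = cable 198.51.100.10/29 (gw .9, static per Phraxos), Vlan1 = 192.168.1.0/24
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
! Wildcard PSK: the hub cannot know a spoke's dynamic cable address. Any holder of the key can join, so guard and rotate it.
crypto isakmp key CHANGE-THIS-PSK address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10 3
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
! Cloud A: multipoint GRE over DSL. Spokes register their current public IP by NHRP; no per-spoke peer statements.
interface Tunnel0
 ip address 10.255.0.1 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication CLOUDA
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip ospf network point-to-multipoint
 ip ospf cost 10
 tunnel source FastEthernet0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-PROF
! Cloud B: the same over cable, higher OSPF cost so it is the backup path.
interface Tunnel1
 ip address 10.255.1.1 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication CLOUDB
 ip nhrp map multicast dynamic
 ip nhrp network-id 2
 ip ospf network point-to-multipoint
 ip ospf cost 20
 tunnel source FastEthernet1
 tunnel mode gre multipoint
 tunnel key 2
 tunnel protection ipsec profile DMVPN-PROF
router ospf 1
 router-id 10.255.0.1
 passive-interface Vlan1
 network 10.255.0.0 0.0.1.255 area 0
 network 192.168.1.0 0.0.0.255 area 0
! Hub-originated GRE sourced from the cable address must leave via cable, not via the DSL default route.
ip access-list extended FROM-CABLE
 permit ip host 198.51.100.10 any
route-map LOCAL-PBR permit 10
 match ip address FROM-CABLE
 set ip next-hop 198.51.100.9
ip local policy route-map LOCAL-PBR
ip route 0.0.0.0 0.0.0.0 203.0.113.9
!
! ===== SPOKE. Assumed: Fa0 = DSL 203.0.113.20/29 (gw .17), Fa1 = cable with "ip address dhcp", Vlan1 = 192.168.2.0/24. Crypto section as on the hub.
interface Tunnel0
 ip address 10.255.0.2 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication CLOUDA
 ip nhrp map 10.255.0.1 203.0.113.10
 ip nhrp map multicast 203.0.113.10
 ip nhrp network-id 1
 ip nhrp nhs 10.255.0.1
 ip ospf network point-to-multipoint
 ip ospf cost 10
 tunnel source FastEthernet0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-PROF
interface Tunnel1
 ip address 10.255.1.2 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication CLOUDB
 ip nhrp map 10.255.1.1 198.51.100.10
 ip nhrp map multicast 198.51.100.10
 ip nhrp network-id 2
 ip nhrp nhs 10.255.1.1
 ip ospf network point-to-multipoint
 ip ospf cost 20
 tunnel source FastEthernet1
 tunnel mode gre multipoint
 tunnel key 2
 tunnel protection ipsec profile DMVPN-PROF
router ospf 1
 router-id 10.255.0.2
 passive-interface Vlan1
 network 10.255.0.0 0.0.1.255 area 0
 network 192.168.2.0 0.0.0.255 area 0
! Pin each hub address to its own line so cloud A really rides DSL and cloud B rides cable.
ip route 203.0.113.10 255.255.255.255 203.0.113.17
ip route 198.51.100.10 255.255.255.255 dhcp
! Split tunnel: Internet via DSL; the DHCP client's cable default route (distance 254) takes over if this one is withdrawn.
ip route 0.0.0.0 0.0.0.0 203.0.113.17
```

This answers the original question directly: the router does not run OSPF on IPsec itself, it runs OSPF on the GRE tunnel interfaces (Tunnel0 and Tunnel1), and `tunnel protection` encrypts what those interfaces emit. The hub sees two OSPF neighbours per spoke, one per cloud, and the spoke learns 192.168.1.0/24 over both; the lower cost on Tunnel0 makes the DSL path win, and when the DSL line dies the Tunnel0 adjacency times out (30 s hello / 120 s dead on point-to-multipoint; set `ip ospf hello-interval 10` on all four tunnel interfaces for faster failover) and the route flips to Tunnel1 with no configuration change. Verify with `show dmvpn`, `show ip nhrp`, `show crypto isakmp sa` and `show ip ospf neighbor`, then pull the DSL modem and watch `show ip route ospf` move 192.168.1.0/24 to Tunnel1. Two caveats a practitioner should plan for: the split-tunnel default route above does not fail over when the DSL circuit is dead but the Ethernet to the modem stays up (add IP SLA tracking to the static default if that matters), and the NAT overload and any ACLs for the spokes' Internet access are not shown. If you later move both clouds onto one WAN interface, the two `tunnel protection` lines need the `shared` keyword; with distinct sources as here they do not.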