[afnog] PIX VPN & Backup Link Issues

Brian Candler B.Candler at pobox.com
Thu Feb 24 16:14:23 EAT 2005


On Tue, Feb 22, 2005 at 01:59:34PM +0300, Bernard Wanyama wrote:
> I now need to bring in a backup link from a second ISP, ISP B to cover 
> me in case the main link fails. 
>  
> Here is my ASCII network diagram  
>  
> 212.x.x.x/30        193.x.x.x/29               192.168.x.x/24  
>  
> Primary   +--------+             +------+         +--------+ 
> Link via  | Cisco  |             |Cisco |         |  LAN   | LAN PCs 
>  ---------| 2620   |-------------|PIX   |---------| Switch |-------- 
> ISP A     |        |             |      |         |        | 
>           +---+----+             +------+         +--------+ 
>               | 
>               |Proposed 
>               |Backup Link 
>               |via ISP B 
>               | 
>           81.x.x.x/30  

In principle it should probably go like this:

1. You will need to get a second /29 network allocation from ISP B. Then the
Cisco PIX (and any other devices on that /29) can have two separate IP
addresses. In fact a single /32 (used as a loopback on the PIX) would be OK,
but it'll be easier to understand with another /29. Let's call it 200.y.y.y.

2. The Cisco PIX can set up two VPN tunnels bound to two different
interfaces: one from 193.x.x.x and one from 200.y.y.y. The remote
destination tunnel endpoint can be the same, or different if you're doing
the same trick at that end.

3. Outbound packets sent via the Cisco 2620 will have to choose which way to
go. I suggest you use policy routing, so that outbound packets with source
address 193.x.x.x are sent via the ISP A link, and those from 200.y.y.y are
sent via the ISP B link.

(You could send all traffic via ISP A, and then if the link fails, fail over
to ISP B, by using static routes of different metrics; however this will
only work if ISP A does not have anti-spoofing filters which prevent packets
with source addresses belonging to ISP B. And it doesn't give you any extra
resilience benefit).

4. Now you have two separate sets of tunnels from the PIX to the far end,
running over two different ISP links. You need to decide which tunnel to use
at any one time. I think you need to run OSPF (or BGP or RIP) *over* both
the tunnels. How to set that up on a PIX, I have no idea.

But if ISP A fails, then the tunnel link which goes via ISP A should also
fail; then your routing protocol will detect this, and reroute all VPN
traffic over the other tunnel. The same applies at the far end. But note
that you are not talking BGP to your upstream ISPs, only over the tunnels to
the VPN router at the far end.

With OSPF and equal-cost multipath, you could even load-share between ISP A
and ISP B links (this may not be a good idea though, because traffic may
arrive out of sequence, and problems will be hard to pin down)

Regards,

Brian.
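Worked example of step 3 (source-based policy routing on the 2620), added here as an illustration; it is not configuration from the original thread or from either ISP. All addresses are documentation-range assumptions standing in for the elided 193.x.x.x/29, 200.y.y.y/29, 212.x.x.x/30 and 81.x.x.x/30 prefixes, interface names are assumed, and it assumes the second /29 is carried as a secondary address on the same Ethernet segment that faces the PIX:

```cisco
! Cisco IOS example (assumed addresses, not from the thread)
! 192.0.2.0/30      = primary link to ISP A   (ISP A router 192.0.2.1)
! 198.51.100.0/30   = backup link to ISP B    (ISP B router 198.51.100.1)
! 203.0.113.0/29    = /29 allocated by ISP A, used by the PIX outside
! 203.0.113.128/29  = /29 allocated by ISP B, second PIX tunnel endpoint
!
interface Serial0/0
 description Primary link to ISP A
 ip address 192.0.2.2 255.255.255.252
!
interface Serial0/1
 description Backup link to ISP B
 ip address 198.51.100.2 255.255.255.252
!
interface FastEthernet0/0
 description Segment towards the PIX (both /29s live here)
 ip address 203.0.113.1 255.255.255.248
 ip address 203.0.113.129 255.255.255.248 secondary
 ! Apply policy routing to packets arriving from the PIX
 ip policy route-map PBR-BY-SOURCE
!
! Match on SOURCE address: which ISP allocated the prefix decides the exit
ip access-list standard SRC-FROM-ISP-A
 permit 203.0.113.0 0.0.0.7
ip access-list standard SRC-FROM-ISP-B
 permit 203.0.113.128 0.0.0.7
!
route-map PBR-BY-SOURCE permit 10
 match ip address SRC-FROM-ISP-A
 set ip next-hop 192.0.2.1
!
route-map PBR-BY-SOURCE permit 20
 match ip address SRC-FROM-ISP-B
 set ip next-hop 198.51.100.1
!
! Ordinary default routes for anything the route-map does not match
! (e.g. traffic originated by the 2620 itself); the second one is a
! floating static that only becomes active if Serial0/0 goes down.
ip route 0.0.0.0 0.0.0.0 192.0.2.1
ip route 0.0.0.0 0.0.0.0 198.51.100.1 250
```

Two things to check after applying it. First, `show route-map PBR-BY-SOURCE` should show the packet counters for both clauses climbing as each tunnel endpoint sends traffic; if only one clause ever matches, the PIX is not actually sourcing its second tunnel from the ISP B prefix. Second, when a serial interface is down its connected subnet disappears, the `set ip next-hop` for that clause is no longer reachable and the packet falls through to the routing table, which here means the surviving default route. That is precisely the case the post warns about: packets sourced from the ISP B prefix would then leave via ISP A and be dropped by any anti-spoofing filter there. The intended behaviour is that the tunnel over the dead link fails and the routing protocol running over the tunnels (step 4) moves the VPN traffic to the other tunnel, so keep the floating static for the router's own traffic only and do not rely on it to rescue the tunnels.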

