[afnog] PIX VPN & Backup Link Issues
Bernard Wanyama
bwanyama at linuxsolutions.co.ug
Thu Feb 24 21:32:02 EAT 2005
Hi,
Thanks for the enlightenment.
Indeed, short of BGP, only a second tunnel to the same destination can
do the job.
I'll stick to good old DDR as my 'routing protocol'. Works fine for
backup links, esp ISDN-based ones.
Regards,
Bernard
> On Tue, Feb 22, 2005 at 01:59:34PM +0300, Bernard Wanyama wrote:
> > I now need to bring in a backup link from a second ISP, ISP B to cover
> > me in case the main link fails.
> >
> > Here is my ASCII network diagram
> >
> >   212.x.x.x/30                 193.x.x.x/29            192.168.x.x/24
> >
> > Primary     +--------+              +------+         +--------+
> > Link via    | Cisco  |              |Cisco |         | LAN    |  LAN PCs
> > ---------   | 2620   |--------------|PIX   |---------| Switch |--------
> > ISP A       |        |              |      |         |        |
> >             +---+----+              +------+         +--------+
> >                 |
> >                 |Proposed
> >                 |Backup Link
> >                 |via ISP B
> >                 |
> >             81.x.x.x/30
>
> In principle it should probably go like this:
>
> 1. You will need to get a second /29 network allocation from ISP B. Then the
> Cisco PIX (and any other devices on that /29) can have two separate IP
> addresses. In fact a single /32 (used as a loopback on the PIX) would be OK,
> but it'll be easier to understand with another /29. Let's call it 200.y.y.y
>
> 2. The Cisco PIX can set up two VPN tunnels bound to two different
> interfaces: one from 193.x.x.x and one from 200.y.y.y. The remote
> destination tunnel endpoint can be the same, or different if you're doing
> the same trick at that end.
>
> 3. Outbound packets sent via the Cisco 2620 will have to choose which way to
> go. I suggest you use policy routing, so that outbound packets with source
> address 193.x.x.x are sent via the ISP A link, and those from 200.y.y.y are
> sent via the ISP B link.
>
> (You could send all traffic via ISP A, and then if the link fails fail over
> to ISP B, by using static routes of different metrics; however this will
> only work if ISP A does not have anti-spoofing filters which prevent packets
> with source addresses belonging to ISP B. And it doesn't give you any extra
> resilience benefit).
>
> 4. Now you have two separate sets of tunnels from the PIX to the far end,
> running over two different ISP links. You need to decide which tunnel to use
> at any one time. I think you need to run OSPF (or BGP or RIP) *over* both
> the tunnels. How to set that up on a PIX, I have no idea.
>
> But if ISP A fails, then the tunnel link which goes via ISP A should also
> fail; then your routing protocol will detect this, and reroute all VPN
> traffic over the other tunnel. The same applies at the far end. But note
> that you are not talking BGP to your upstream ISPs, only over the tunnels to
> the VPN router at the far end.
>
> With OSPF and equal-cost multipath, you could even load-share between ISP A
> and ISP B links (this may not be a good idea though, because traffic may
> arrive out of sequence, and problems will be hard to pin down)
>
> Regards,
>
> Brian.
>
--
Bernard Wanyama
Support Engineer
Linux Solutions
Kampala, UGANDA
Cell: +256 71 193979
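The policy-routing step Brian suggests in point 3 is the part of the design that keeps each ISP's ingress anti-spoofing filter from silently dropping the VPN traffic, so it is worth seeing concretely. The following Cisco IOS fragment is an added illustration for the 2620 in the diagram; it is not from the thread or from either poster. RFC 5737 documentation addresses stand in for the thread's placeholders, and the interface name and both ISP gateway addresses are assumptions:

```cisco
! Added example for step 3 (policy routing by SOURCE address on the 2620).
! Documentation addresses stand in for the placeholders used in the thread:
!   192.0.2.0/29    = the 193.x.x.x/29 block routed by ISP A
!   198.51.100.0/29 = the 200.y.y.y/29 block obtained from ISP B
!   203.0.113.1     = ISP A's gateway on the 212.x.x.x/30 link (assumed)
!   203.0.113.9     = ISP B's gateway on the 81.x.x.x/30 link (assumed)
!
! Each ISP's prefix must leave through that ISP, otherwise the other
! upstream's anti-spoofing (ingress) filter discards the tunnel packets.
ip access-list extended SRC-ISP-A-BLOCK
 permit ip 192.0.2.0 0.0.0.7 any
ip access-list extended SRC-ISP-B-BLOCK
 permit ip 198.51.100.0 0.0.0.7 any
!
route-map PBR-BY-SOURCE permit 10
 match ip address SRC-ISP-A-BLOCK
 set ip next-hop 203.0.113.1
route-map PBR-BY-SOURCE permit 20
 match ip address SRC-ISP-B-BLOCK
 set ip next-hop 203.0.113.9
! Packets matching neither sequence fall through to normal routing.
!
! Apply the policy on the inside interface facing the PIX (name assumed).
interface FastEthernet0/0
 description Inside - towards PIX outside interfaces
 ip policy route-map PBR-BY-SOURCE
!
! Ordinary default route for everything the policy does not classify.
ip route 0.0.0.0 0.0.0.0 203.0.113.1
```

This fragment only steers outbound traffic; which of the two tunnels actually carries the VPN payload at any moment is still decided by the routing protocol run over the tunnels (Brian's point 4), and the return path is chosen by whichever ISP announces the destination prefix. That is also why point 1 needs a second block of addresses: a source address that both upstreams would accept cannot be had from a single ISP's allocation.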