6 Replies Latest reply on Oct 14, 2013 6:10 AM by otiecoyote

    Is it possible to create a "dual-homing VPN" on a 3200?

    otiecoyote New Member

      We have a customer that has a T1 terminated 3200. They have a VPN set up with our city government and their office. The city government has recently enabled an additional ISP. When the original ISP had to be turned down for maintenance, our customer's VPN with the city government went down, and did not come back up until the ISP was restored. Since then I've been contacted by our city government to create a "dual-homing VPN' so that the VPN to our customer can stay up if one of the ISP's goes down.


      I admit, I only briefly looked over the site, but nothing is standing out to me. Any help on how to configure the 3200 for dual-homing VPN would be appreciated.

        • Re: Is it possible to create a "dual-homing VPN" on a 3200?
          levi Employee

          otiecoyote:


          Thank you for asking this question in the support community.  Typically, this concept is accomplished with VPN failover.  The guide Configuring Redundant VPN Tunnel Fail-Over in AOS will explain this network design and configuration.  Also, please note that only the 3rd Generation NetVanta 3200 supports probes (which is covered in the document).


          I hope that makes sense, but please do not hesitate to reply to this post with any additional questions or information.  I will be happy to help in any way I can.


          Levi

          • Re: Is it possible to create a "dual-homing VPN" on a 3200?
            levi Employee

            otiecoyote:


            I went ahead and flagged this post as “Assumed Answered.”  If any of the responses on this thread assisted you, please mark them as either Correct or Helpful answers with the applicable buttons.  This will make them visible and help other members of the community find solutions more easily.  If you still need assistance, I would be more than happy to continue working with you on this - just let me know in a reply.


            Levi

            • Re: Is it possible to create a "dual-homing VPN" on a 3200?
              otiecoyote New Member

              We had a conference call testing the configuration I had set, but the failover didn't work. I'm not confident in my config. I had one address wrong, but I wanted to run this by someone to see if it's ok.


              Keeping as much as I can anonymous, here's the proposed network:


              [Peer Lan IP] --- (VPN Peer Primary) ---\
                                                       \--- (Adtran 3200) -- [Local LAN]
              [Peer Lan IP] --- (VPN Peer Backup)  ---/

              Here's my config:


              Building configuration...
              !
              !
              ! ADTRAN, Inc. OS version 18.02.02.00.E
              ! Boot ROM version 17.02.01.00
              ! Platform: NetVanta 3200, part number 1203860G1
              !
              !
              !
              probe VPNPeerWAN1 icmp-echo
                destination (VPN Peer Primary)
                period 3
                tolerance consecutive fail 3 pass 3
                no shutdown
              !
              probe VPN-KeepAlive icmp-echo
                destination [Peer LAN IP]
                source-address [Local LAN]
                period 10
                tolerance consecutive fail 3 pass 3
                no shutdown
              !
              track "VPNPeerWAN1"
                snmp trap state-change
                test if probe VPNPeerWAN1
                no shutdown
              !
              track "NotVPNPeerWAN1"
                snmp trap state-change
                test if not probe VPNPeerWAN1
                no shutdown
              !
              !
              !
              !
              ip crypto
              ip crypto fast-failover
              !
              crypto ike policy 90
                initiate main
                respond anymode
                local-id address (Adtran 3200)
                peer (VPN Peer Primary)
                attribute 2
                  encryption 3des
                  hash md5
                  authentication pre-share
                  group 2
              !
              crypto ike policy 91
                initiate main
                respond anymode
                local-id address (Adtran 3200)
                peer (VPN Peer Backup)
                attribute 2
                  encryption 3des
                  hash md5
                  authentication pre-share
                  group 2
              !
              crypto ike remote-id address (VPN Peer Backup) preshared-key (key) ike-policy 91 crypto map VPN 10 no-mode-config no-xauth
              crypto ike remote-id address (VPN Peer Primary) preshared-key (key) ike-policy 90 crypto map VPN 10 no-mode-config no-xauth
              !
              crypto ipsec transform-set esp-3des-esp-md5-hmac esp-3des esp-md5-hmac
                mode tunnel
              !
              crypto map VPN 10 ipsec-ike
                description customerP
                match track VPNPeerWAN1
                match address VPN-10-vpn-selectors
                set peer (VPN Peer Primary)
                set transform-set esp-3des-esp-md5-hmac
                ike-policy 90
              crypto map VPN 11 ipsec-ike
                description customerB
                match track NotVPNPeerWAN1
                match address VPN-10-vpn-selectors
                set peer (VPN Peer Backup)
                set transform-set esp-3des-esp-md5-hmac
                ike-policy 91
              !
              interface eth 0/1
                ip address  [Local LAN]
                ip access-policy Private
              ...
                no shutdown
              !
              interface ppp 1
                ip address  (Adtran 3200)
                ip access-policy Public
                crypto map VPN
                ip flow ingress
                ip flow egress
                no shutdown
              ...
              !
              !
              ip access-list extended VPN-10-vpn-selectors
                permit ip [Local LAN] host [Peer LAN IP]
              !
              ip policy-class Private
                allow list VPN-10-vpn-selectors stateless
                nat source list MATCHALL interface ppp 1 overload
                allow list VPN-10-vpn-selectors stateless
              !
              ip policy-class Public
                allow reverse list VPN-10-vpn-selectors stateless
                allow list Admin_Access
                allow reverse list VPN-10-vpn-selectors stateless
              !
              !
              end

                • Re: Is it possible to create a "dual-homing VPN" on a 3200?
                  levi Employee

                  otiecoyote:


                  It is possible that some of the parts you left out may be confusing me, but I'll put some of my recommendations below in bold.  Also, can you explain what didn't work in the failover?  Did it not failover at all, or did it not fail back over when the primary came back up?


                  probe VPNPeerWAN1 icmp-echo
                    destination (VPN Peer's Primary Public IP address)
                    period 3
                    tolerance consecutive fail 3 pass 3
                    no shutdown
                  !
                  crypto ike policy 90
                    initiate main
                    respond anymode
                    local-id address (Adtran 3200)
                    peer (VPN Peer's Primary Public IP address)
                    attribute 2
                      encryption 3des
                      hash md5
                      authentication pre-share
                      group 2
                  !
                  crypto ike policy 91
                    initiate main
                    respond anymode
                    local-id address (Adtran 3200)
                    peer (VPN Peer's Backup Public IP address)
                    attribute 2
                      encryption 3des
                      hash md5
                      authentication pre-share
                      group 2
                  !
                  crypto ike remote-id address (VPN Peer's Backup Public IP address) preshared-key (key) ike-policy 91 crypto map VPN 10 no-mode-config no-xauth
                  crypto ike remote-id address (VPN Peer's Primary Public IP address) preshared-key (key) ike-policy 90 crypto map VPN 10 no-mode-config no-xauth
                  !
                  crypto map VPN 10 ipsec-ike
                    description customerP
                    match track VPNPeerWAN1
                    match address VPN-10-vpn-selectors
                    set peer (VPN Peer's Primary Public IP address)
                    set transform-set esp-3des-esp-md5-hmac
                    ike-policy 90
                  crypto map VPN 11 ipsec-ike
                    description customerB
                    match track NotVPNPeerWAN1
                    match address VPN-10-vpn-selectors
                    set peer (VPN Peer's Backup Public IP address)
                    set transform-set esp-3des-esp-md5-hmac
                    ike-policy 91
                  !
                  ip access-list extended VPN-10-vpn-selectors
                    permit ip [Local LAN] host [Peer LAN IP] (this ACL should be sourced from the LAN of the 3200 to the LAN of the remote site)


                  Levi

                • Re: Is it possible to create a "dual-homing VPN" on a 3200?
                  otiecoyote New Member

                  With Adtran's help (Mark), we got it working. The setup is unique because the path to both VPN peers is through the same firewall, and one side is NAT'ed through it. We had to

                  The following is a working configuration. We tested failing the probe successfully. We have both versions of nat-t configured, but we were trying to make it work. We left them in and it works fine.

                  The IKE policy was changed to aggressive.

                  In the crypto ike remote-id, we had to make it 'any' since the VPN peer is NAT'ed and the remote-id would be the same as the other crypto ike remote-id entry.


                  Building configuration...
                  !
                  !
                  ! ADTRAN, Inc. OS version 18.02.02.00.E
                  ! Boot ROM version 17.02.01.00
                  ! Platform: NetVanta 3200, part number 1203860G1
                  !
                  !
                  !
                  probe VPNPeerWAN1 icmp-echo
                    destination (VPN Peer Primary)
                    period 3
                    tolerance consecutive fail 3 pass 3
                    no shutdown
                  !
                  probe VPN-KeepAlive icmp-echo
                    destination [Peer LAN IP]
                    source-address [Local LAN]
                    period 10
                    tolerance consecutive fail 3 pass 3
                    no shutdown
                  !
                  track "VPNPeerWAN1"
                    snmp trap state-change
                    test if probe VPNPeerWAN1
                    no shutdown
                  !
                  track "NotVPNPeerWAN1"
                    snmp trap state-change
                    test if not probe VPNPeerWAN1
                    no shutdown
                  !
                  !
                  !
                  !
                  ip crypto
                  ip crypto fast-failover
                  !
                  crypto ike policy 90
                    initiate aggressive
                    respond anymode
                    local-id address (Adtran 3200)
                    nat-traversal v1 force
                    nat-traversal v2 force
                    peer (VPN Peer Primary)
                    attribute 2
                      encryption 3des
                      hash md5
                      authentication pre-share
                      group 2
                  !
                  crypto ike policy 91
                    initiate main
                    respond anymode
                    local-id address (Adtran 3200)
                    peer (VPN Peer Backup)
                    attribute 2
                      encryption 3des
                      hash md5
                      authentication pre-share
                      group 2
                  !
                  crypto ike remote-id address any preshared-key (key) ike-policy 91 crypto map VPN 11 no-mode-config no-xauth nat-t v1 force nat-t v2 force
                  crypto ike remote-id address (VPN Peer Primary) preshared-key (key) crypto map VPN 10 no-mode-config no-xauth nat-t v1 force nat-t v2 force
                  !
                  crypto ipsec transform-set esp-3des-esp-md5-hmac esp-3des esp-md5-hmac
                    mode tunnel
                  !
                  crypto map VPN 10 ipsec-ike
                    description customerP
                    match track VPNPeerWAN1
                    match address VPN-10-vpn-selectors
                    set peer (VPN Peer Primary)
                    set transform-set esp-3des-esp-md5-hmac
                    ike-policy 90
                  crypto map VPN 11 ipsec-ike
                    description customerB
                    match track NotVPNPeerWAN1
                    match address VPN-10-vpn-selectors
                    set peer (VPN Peer Backup)
                    set transform-set esp-3des-esp-md5-hmac
                    ike-policy 91
                  !
                  interface eth 0/1
                    ip address  [Local LAN]
                    ip access-policy Private
                  ...
                    no shutdown
                  !
                  interface ppp 1
                    ip address  (Adtran 3200)
                    ip access-policy Public
                    crypto map VPN
                    ip flow ingress
                    ip flow egress
                    no shutdown
                  ...
                  !
                  !
                  ip access-list extended VPN-10-vpn-selectors
                    permit ip [Local LAN] host [Peer LAN IP]
                  !
                  ip policy-class Private
                    allow list VPN-10-vpn-selectors stateless
                    nat source list MATCHALL interface ppp 1 overload
                    allow list VPN-10-vpn-selectors stateless
                  !
                  ip policy-class Public
                    allow reverse list VPN-10-vpn-selectors stateless
                    allow list Admin_Access
                    allow reverse list VPN-10-vpn-selectors stateless
                  !
                  !
                  end
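An added consistency check for the two configurations posted above (written for this page; not from the thread, the poster or ADTRAN): it parses the `crypto ike remote-id` and `crypto map` stanzas and reports a remote-id line whose referenced map entry peers with a different address, which is the one difference in those lines between the proposed and the working configuration. It assumes that rule as a sanity check on the config text, and the addresses in the embedded samples are constructed placeholders for the ones the poster anonymised.

```python
import re

# Constructed sample in the thread's AOS syntax; documentation-range addresses
# stand in for the ones the poster anonymised. It mirrors the first posting,
# where the backup peer's remote-id names crypto map VPN 10 (the primary entry).
PROPOSED = """
crypto ike remote-id address 198.51.100.20 preshared-key k ike-policy 91 crypto map VPN 10 no-mode-config no-xauth
crypto ike remote-id address 198.51.100.10 preshared-key k ike-policy 90 crypto map VPN 10 no-mode-config no-xauth
crypto map VPN 10 ipsec-ike
  match track VPNPeerWAN1
  set peer 198.51.100.10
  ike-policy 90
crypto map VPN 11 ipsec-ike
  match track NotVPNPeerWAN1
  set peer 198.51.100.20
  ike-policy 91
"""
# Same sample with the working posting's remote-id lines: the backup entry
# becomes 'address any' and names crypto map VPN 11.
WORKING = PROPOSED.replace(
    "address 198.51.100.20 preshared-key k ike-policy 91 crypto map VPN 10",
    "address any preshared-key k ike-policy 91 crypto map VPN 11")

def parse(cfg):
    """Map (map-name, seq) -> its 'set peer', and list each remote-id with the entry it names."""
    peers, remote_ids, cur = {}, [], None
    for raw in cfg.splitlines():
        s = raw.strip()
        if m := re.match(r'crypto map (\S+) (\d+) ipsec-ike$', s):
            cur = (m[1], int(m[2]))                      # entering a crypto map entry
        elif m := re.match(r'crypto ike remote-id address (\S+) .*crypto map (\S+) (\d+)', s):
            remote_ids.append((m[1], (m[2], int(m[3]))))
            cur = None
        elif cur and (m := re.match(r'set peer (\S+)$', s)):
            peers[cur] = m[1]
    return peers, remote_ids

def check(cfg):
    """Report remote-id lines that name a missing map entry or one peering elsewhere."""
    peers, remote_ids = parse(cfg)
    issues = []
    for addr, ref in remote_ids:
        entry = f"crypto map {ref[0]} {ref[1]}"
        if ref not in peers:
            issues.append(f"remote-id {addr}: {entry} is not defined")
        elif addr != "any" and peers[ref] != addr:
            # Assumed rule: a remote-id should name the map entry that peers with it.
            issues.append(f"remote-id {addr}: {entry} peers with {peers[ref]}")
    return issues

if __name__ == "__main__":
    for label, cfg in (("proposed", PROPOSED), ("working", WORKING)):
        print(label, check(cfg) or "ok")
```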