
Dual ADSL Links for Link Redundancy and IPSec VPN

Publication Date: 2012-07-24
Issue Description

The customer originally used a single ADSL link to access the Internet. Because the bandwidth was insufficient, the customer added a second ADSL link. With one ADSL link, the customer can access the Internet and the IPSec VPN works properly. After the second ADSL link is added, however, the IPSec VPN tunnel cannot be established, Internet access is very slow, and packets are lost.
Alarm Information
None.
Handling Process
1. Test with one ADSL link at a time. If the Internet is reachable and the IPSec VPN works properly over each link alone, the basic configuration of each link and the IPSec configuration are correct.
2. Check the default route.
ip route-static 0.0.0.0 0.0.0.0 Dialer 1
ip route-static 0.0.0.0 0.0.0.0 Dialer 2
Because the two ADSL links belong to the same carrier, two equal-cost default routes can cause the incoming and outgoing paths of a flow to differ (asymmetric routing). Change the configuration as follows so that Dialer 2 becomes the backup default route:
ip route-static 0.0.0.0 0.0.0.0 Dialer 1
ip route-static 0.0.0.0 0.0.0.0 Dialer 2 preference 65
After both ADSL links are connected, the network is stable.
3. Query the NAT policy, and modify it to dual-link backup.
The original NAT policy is as follows:
acl number 3001
 description nat_dia1
 rule 0 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.0.0 0.0.0.255  // deny IPSec traffic
 rule 2 deny ip source 192.168.2.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
 rule 3 permit ip source 192.168.1.0 0.0.0.255

acl number 3002
 description nat_dia2
 rule 0 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.0.0 0.0.0.255  // deny IPSec traffic
 rule 2 deny ip source 192.168.2.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
 rule 3 permit ip source 192.168.2.0 0.0.0.255

firewall interzone trust untrust
 nat outbound 3001 interface Dialer 1

firewall interzone trust untrust10
 nat outbound 3002 interface Dialer 2
 
With this NAT policy, users on the 192.168.1.0/24 network segment reach the Internet through NAT on Dialer 1, and users on the 192.168.2.0/24 network segment through NAT on Dialer 2. If either link goes down, the users on the corresponding network segment lose Internet access, because no NAT rule matches them on the remaining link. To provide dual-link redundancy, modify the NAT ACLs as follows:
acl number 3001
 description nat_dia1
 rule 0 deny ip source 192.168.0.0 0.0.3.255 destination 192.168.0.0 0.0.0.255  // IPSec traffic is not translated
 rule 3 permit ip source 192.168.1.0 0.0.0.255
 rule 4 permit ip source 192.168.2.0 0.0.0.255  // permit both network segments for link redundancy

acl number 3002
 description nat_dia2
 rule 0 deny ip source 192.168.0.0 0.0.3.255 destination 192.168.0.0 0.0.0.255  // IPSec traffic is not translated
 rule 3 permit ip source 192.168.1.0 0.0.0.255
 rule 4 permit ip source 192.168.2.0 0.0.0.255  // permit both network segments for link redundancy
 
4. Query the policy-based routing configuration, modify it, and force IPSec traffic to leave through Dialer 2 only.
Original configuration:
interface Vlanif1
 ip address 10.10.1.1 255.255.255.0
 undo ip fast-forwarding qff
 ip policy route-policy 123

acl number 3003
 rule 3 permit ip source 192.168.1.0 0.0.0.255

route-policy 123 permit node 5
 if-match acl 3003
 apply output-interface Dialer 2
This policy-based route forces all traffic from network segment 1 through Dialer 2, which means that xxx can pass through Dialer 2. After the policy-based route is modified, the traffic diversion is clearer: IPSec traffic from both segments goes to Dialer 2, ordinary Internet traffic from segment 1 goes to Dialer 2, and ordinary Internet traffic from segment 2 goes to Dialer 1.
The modified policy-based route is as follows:
interface Vlanif1
 ip address 10.10.1.1 255.255.255.0
 undo ip fast-forwarding qff
 ip policy route-policy 123

acl number 3003
 rule 0 permit ip source 192.168.0.0 0.0.3.255 destination 192.168.0.0 0.0.0.255
 rule 5 permit ip source 192.168.1.0 0.0.0.255

acl number 3004
 rule 5 permit ip source 192.168.2.0 0.0.0.255

route-policy 123 permit node 5
 if-match acl 3003
 apply output-interface Dialer 2
route-policy 123 permit node 10
 if-match acl 3004
 apply output-interface Dialer 1
 
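The following Python model is an added illustration, not configuration or code from this case or from Huawei: it evaluates the wildcard-mask ACLs shown in steps 3 and 4 the way the device does (first matching rule wins, no match means no NAT translation and no route-policy hit), so you can confirm that the original NAT ACL 3001 leaves 192.168.2.0/24 untranslated on Dialer 1, that the modified ACLs translate both segments while still excluding IPSec traffic to 192.168.0.0/24, and that route-policy 123 sends IPSec traffic to Dialer 2 and segment-2 Internet traffic to Dialer 1. The rule tuples, the sample source and destination addresses, and the assumption that the static default route falls back to Dialer 1 (VRP static-route preference 60 versus the configured 65) are constructed for the example.

```python
import ipaddress

# Constructed model of VRP advanced ACL rules: (action, src, src_wildcard, dst, dst_wildcard).
# A destination of None means "any destination". This is an illustration, not vendor code.


def wildcard_match(ip: str, base: str, wildcard: str) -> bool:
    """VRP wildcard mask: a 0 bit must match the base address, a 1 bit is 'don't care'."""
    ip_i = int(ipaddress.IPv4Address(ip))
    base_i = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (ip_i & care) == (base_i & care)


def acl_action(rules, src: str, dst: str):
    """Action of the first matching rule, or None when nothing matches (implicit no-match)."""
    for action, s_base, s_wc, d_base, d_wc in rules:
        if wildcard_match(src, s_base, s_wc) and (d_base is None or wildcard_match(dst, d_base, d_wc)):
            return action
    return None


# Original NAT ACL 3001 from step 3: only 192.168.1.0/24 is ever permitted (translated).
ORIGINAL_ACL_3001 = [
    ("deny", "192.168.1.0", "0.0.0.255", "192.168.0.0", "0.0.0.255"),
    ("deny", "192.168.2.0", "0.0.0.255", "192.168.0.0", "0.0.0.255"),
    ("permit", "192.168.1.0", "0.0.0.255", None, None),
]

# Modified NAT ACL 3001: 0.0.3.255 covers 192.168.0.0-192.168.3.255 in one deny rule,
# then both user segments are permitted so either link can carry either segment.
MODIFIED_ACL_3001 = [
    ("deny", "192.168.0.0", "0.0.3.255", "192.168.0.0", "0.0.0.255"),
    ("permit", "192.168.1.0", "0.0.0.255", None, None),
    ("permit", "192.168.2.0", "0.0.0.255", None, None),
]

# Modified policy-based routing ACLs from step 4.
ACL_3003 = [
    ("permit", "192.168.0.0", "0.0.3.255", "192.168.0.0", "0.0.0.255"),  # IPSec traffic to the center
    ("permit", "192.168.1.0", "0.0.0.255", None, None),                  # segment 1 Internet traffic
]
ACL_3004 = [
    ("permit", "192.168.2.0", "0.0.0.255", None, None),                  # segment 2 Internet traffic
]


def nat_translated(acl, src: str, dst: str) -> bool:
    """NAT outbound applies only to packets that an ACL rule permits."""
    return acl_action(acl, src, dst) == "permit"


def pbr_outgoing_interface(src: str, dst: str) -> str:
    """route-policy 123: node 5 (acl 3003 -> Dialer 2), node 10 (acl 3004 -> Dialer 1).

    Packets matching no node follow the static default route; assumed here to be
    Dialer 1 because its preference (default 60) beats the 65 configured for Dialer 2.
    """
    for acl, iface in ((ACL_3003, "Dialer 2"), (ACL_3004, "Dialer 1")):
        if acl_action(acl, src, dst) == "permit":
            return iface
    return "Dialer 1"


if __name__ == "__main__":
    # Sample flows, constructed for the example.
    for acl_name, acl in (("original 3001", ORIGINAL_ACL_3001), ("modified 3001", MODIFIED_ACL_3001)):
        for src, dst in (("192.168.1.5", "8.8.8.8"), ("192.168.2.5", "8.8.8.8"), ("192.168.2.5", "192.168.0.10")):
            print(f"{acl_name}: {src} -> {dst}: translated={nat_translated(acl, src, dst)}")
    for src, dst in (("192.168.1.5", "192.168.0.10"), ("192.168.2.5", "192.168.0.10"), ("192.168.2.5", "8.8.8.8")):
        print(f"PBR: {src} -> {dst} leaves via {pbr_outgoing_interface(src, dst)}")
```

Running the script shows the failure mode from the case directly: under the original ACL 3001, a segment-2 host reaching the Internet over Dialer 1 matches no rule and is forwarded untranslated, whereas the modified ACL translates it while still leaving traffic destined for 192.168.0.0/24 to the IPSec tunnel.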
5. Modify the IPSec security ACL 3000 so that it covers both local network segments, and configure the mirror-image ACL at the other end of the tunnel.
acl number 3000
 rule 0 permit ip source 192.168.0.0 0.0.3.255 destination 192.168.0.0 0.0.0.255
 
6. After the test, users on both network segments can access the Internet and the VPN normally.
 
Root Cause
1. The configuration of the policy-based route is incorrect.
2. Routing is incorrectly configured.
3. The configuration of the NAT policy is incorrect.
Suggestions
1. If the dual links belong to the same Internet Service Provider (ISP) and there are only two default routes, assign the default routes different priorities.
2. In this scheme, when both links work properly, traffic is divided between the links by the policy-based route; when either link is disconnected, the traffic of all network segments can still reach the Internet through NAT on the remaining link. Note that the NAT ACL must include all network segments. The simplest such ACL first denies the IPSec traffic and then ends with a rule permit ip.
3. To make sure that IPSec works properly, in this example the tunnel is established only between the Dialer 2 interface and the center. If you modify the ACL between the center and the branch and apply the IPSec policy to both dialer interfaces, IPSec link redundancy at the branch can be realized. When both links work properly, the policy-based route sends all interested traffic through Dialer 2, so a tunnel is established between Dialer 2 and the center. When all links of Dialer 2 are Down, a tunnel between Dialer 1 and the center is established instead. Modify the configuration as follows:
interface Dialer 1
ipsec policy map1
 
interface Dialer 2
ipsec policy map1
 