We have a customer that has a T1 terminated 3200. They have a VPN set up with our city government and their office. The city government has recently enabled an additional ISP. When the original ISP had to be turned down for maintenance, our customer's VPN with the city government went down, and did not come back up until the ISP was restored. Since then I've been contacted by our city government to create a "dual-homing VPN" so that the VPN to our customer can stay up if one of the ISPs goes down.
I admit, I only briefly looked over the site, but nothing is standing out to me. Any help on how to configure the 3200 for dual-homing VPN would be appreciated.
Thank you for asking this question in the support community. Typically, this concept is accomplished with VPN failover. The guide Configuring Redundant VPN Tunnel Fail-Over in AOS will explain this network design and configuration. Also, please note that only the 3rd Generation NetVanta 3200 supports probes (which is covered in the document).
I hope that makes sense, but please do not hesitate to reply to this post with any additional questions or information. I will be happy to help in any way I can.
Levi
I went ahead and flagged this post as “Assumed Answered.” If any of the responses on this thread assisted you, please mark them as either Correct or Helpful answers with the applicable buttons. This will make them visible and help other members of the community find solutions more easily. If you still need assistance, I would be more than happy to continue working with you on this - just let me know in a reply.
Levi
Thanks. Our local government hasn’t returned my call to move forward. I’ll update the thread once we have something in place.
Jamie
We had a conference call testing the configuration I had set, but the failover didn't work. I'm not confident in my config. I had one address wrong, but I wanted to run this by someone to see if it's ok.
Keeping as much as I can anonymous, here's the proposed network:
[Peer Lan IP] --- (VPN Peer Primary) ---\
\--- (Adtran 3200) -- [Local LAN]
[Peer Lan IP] --- (VPN Peer Backup) ---/
Here's my config:
Building configuration...
!
!
! ADTRAN, Inc. OS version 18.02.02.00.E
! Boot ROM version 17.02.01.00
! Platform: NetVanta 3200, part number 1203860G1
!
!
!
probe VPNPeerWAN1 icmp-echo
destination (VPN Peer Primary)
period 3
tolerance consecutive fail 3 pass 3
no shutdown
!
probe VPN-KeepAlive icmp-echo
destination [Peer LAN IP]
source-address [Local LAN]
period 10
tolerance consecutive fail 3 pass 3
no shutdown
!
track "VPNPeerWAN1"
snmp trap state-change
test if probe VPNPeerWAN1
no shutdown
!
track "NotVPNPeerWAN1"
snmp trap state-change
test if not probe VPNPeerWAN1
no shutdown
!
!
!
!
ip crypto
ip crypto fast-failover
!
crypto ike policy 90
initiate main
respond anymode
local-id address (Adtran 3200)
peer (VPN Peer Primary)
attribute 2
encryption 3des
hash md5
authentication pre-share
group 2
!
crypto ike policy 91
initiate main
respond anymode
local-id address (Adtran 3200)
peer (VPN Peer Backup)
attribute 2
encryption 3des
hash md5
authentication pre-share
group 2
!
crypto ike remote-id address (VPN Peer Backup) preshared-key (key) ike-policy 91 crypto map VPN 10 no-mode-config no-xauth
crypto ike remote-id address (VPN Peer Primary) preshared-key (key) ike-policy 90 crypto map VPN 10 no-mode-config no-xauth
!
crypto ipsec transform-set esp-3des-esp-md5-hmac esp-3des esp-md5-hmac
mode tunnel
!
crypto map VPN 10 ipsec-ike
description customerP
match track VPNPeerWAN1
match address VPN-10-vpn-selectors
set peer (VPN Peer Primary)
set transform-set esp-3des-esp-md5-hmac
ike-policy 90
crypto map VPN 11 ipsec-ike
description customerB
match track NotVPNPeerWAN1
match address VPN-10-vpn-selectors
set peer (VPN Peer Backup)
set transform-set esp-3des-esp-md5-hmac
ike-policy 91
!
interface eth 0/1
ip address [Local LAN]
ip access-policy Private
...
no shutdown
!
interface ppp 1
ip address (Adtran 3200)
ip access-policy Public
crypto map VPN
ip flow ingress
ip flow egress
no shutdown
...
!
!
ip access-list extended VPN-10-vpn-selectors
permit ip [Local LAN] host [Peer LAN IP]
!
ip policy-class Private
allow list VPN-10-vpn-selectors stateless
nat source list MATCHALL interface ppp 1 overload
allow list VPN-10-vpn-selectors stateless
!
ip policy-class Public
allow reverse list VPN-10-vpn-selectors stateless
allow list Admin_Access
allow reverse list VPN-10-vpn-selectors stateless
!
!
end
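The two near-identical IKE/crypto map blocks in a failover config like the one above are easy to miswire, because each "crypto ike remote-id" line names a peer address, an IKE policy and a crypto map entry that all have to agree. The following Python script is an added consistency checker written for this thread; it is not an ADTRAN tool and not code from the post. It parses only the handful of AOS keywords shown in the post ("crypto ike policy", "peer", "crypto map ... ipsec-ike", "set peer", "ike-policy", "crypto ike remote-id address"), treats the placeholder peer names from the post as literal strings, and reports every remote-id whose IKE policy or crypto map entry points at a different peer. The two sample configs embedded below are trimmed copies of the first-attempt and final working configs from this thread with the same placeholders.

```python
"""Cross-check AOS-style remote-id / ike-policy / crypto map bindings (added example)."""
import re

# Trimmed from the first-attempt config in this thread; placeholders kept as literal text.
FIRST_ATTEMPT = """
crypto ike policy 90
  peer (VPN Peer Primary)
!
crypto ike policy 91
  peer (VPN Peer Backup)
!
crypto ike remote-id address (VPN Peer Backup) preshared-key (key) ike-policy 91 crypto map VPN 10 no-mode-config no-xauth
crypto ike remote-id address (VPN Peer Primary) preshared-key (key) ike-policy 90 crypto map VPN 10 no-mode-config no-xauth
!
crypto map VPN 10 ipsec-ike
  set peer (VPN Peer Primary)
  ike-policy 90
crypto map VPN 11 ipsec-ike
  set peer (VPN Peer Backup)
  ike-policy 91
!
"""

# Trimmed from the final working config in this thread.
WORKING = """
crypto ike policy 90
  peer (VPN Peer Primary)
!
crypto ike policy 91
  peer (VPN Peer Backup)
!
crypto ike remote-id address any preshared-key (key) ike-policy 91 crypto map VPN 11 no-mode-config no-xauth
crypto ike remote-id address (VPN Peer Primary) preshared-key (key) crypto map VPN 10 no-mode-config no-xauth
!
crypto map VPN 10 ipsec-ike
  set peer (VPN Peer Primary)
  ike-policy 90
crypto map VPN 11 ipsec-ike
  set peer (VPN Peer Backup)
  ike-policy 91
!
"""


def parse_bindings(config_text):
    """Collect ike policies, crypto map entries and remote-id lines from the config text."""
    policies = {}    # policy number -> {'peer': ...}
    maps = {}        # (map name, sequence) -> {'peer': ..., 'ike_policy': ...}
    remote_ids = []  # one dict per 'crypto ike remote-id' line
    current = None   # which block the indented lines belong to
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r'crypto ike policy (\d+)$', line)
        if m:
            current = ('policy', m.group(1))
            policies[m.group(1)] = {'peer': None}
            continue
        m = re.match(r'crypto map (\S+) (\d+) ipsec-ike$', line)
        if m:
            current = ('map', (m.group(1), m.group(2)))
            maps[current[1]] = {'peer': None, 'ike_policy': None}
            continue
        m = re.match(r'crypto ike remote-id address (.+?) preshared-key', line)
        if m:
            entry = {'address': m.group(1), 'ike_policy': None, 'map': None}
            p = re.search(r'ike-policy (\d+)', line)
            if p:
                entry['ike_policy'] = p.group(1)
            c = re.search(r'crypto map (\S+) (\d+)', line)
            if c:
                entry['map'] = (c.group(1), c.group(2))
            remote_ids.append(entry)
            current = None
            continue
        if line == '!':
            current = None
        elif current and current[0] == 'policy':
            m = re.match(r'peer (.+)$', line)
            if m:
                policies[current[1]]['peer'] = m.group(1)
        elif current and current[0] == 'map':
            m = re.match(r'set peer (.+)$', line)
            if m:
                maps[current[1]]['peer'] = m.group(1)
            m = re.match(r'ike-policy (\d+)$', line)
            if m:
                maps[current[1]]['ike_policy'] = m.group(1)
    return policies, maps, remote_ids


def check_bindings(config_text):
    """Return a list of human-readable findings; an empty list means the bindings agree."""
    policies, maps, remote_ids = parse_bindings(config_text)
    findings = []
    for r in remote_ids:
        addr = r['address']
        if r['ike_policy']:
            pol = policies.get(r['ike_policy'])
            if pol is None:
                findings.append(f"remote-id {addr}: ike-policy {r['ike_policy']} is not defined")
            elif addr != 'any' and pol['peer'] != addr:
                findings.append(f"remote-id {addr}: ike-policy {r['ike_policy']} peers with {pol['peer']}")
        if r['map']:
            name = f"crypto map {r['map'][0]} {r['map'][1]}"
            entry = maps.get(r['map'])
            if entry is None:
                findings.append(f"remote-id {addr}: {name} is not defined")
                continue
            # 'any' matches every peer, so only a concrete address can disagree with 'set peer'.
            if addr != 'any' and entry['peer'] != addr:
                findings.append(f"remote-id {addr}: {name} sets peer {entry['peer']}")
            if r['ike_policy'] and entry['ike_policy'] != r['ike_policy']:
                findings.append(f"remote-id {addr}: {name} uses ike-policy {entry['ike_policy']}, "
                                f"remote-id names {r['ike_policy']}")
    return findings


if __name__ == "__main__":
    for label, text in (("first attempt", FIRST_ATTEMPT), ("working", WORKING)):
        print(label + ":", check_bindings(text) or "no findings")
```

Run against the first-attempt config it reports that the backup peer's remote-id is bound to crypto map VPN 10, whose set peer and ike-policy belong to the primary; against the working config it reports nothing. The check only says the bindings are internally consistent; it does not tell you whether the peer side or NAT behaves as intended, which is what the conference-call test in this thread exercised.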
It is possible that some of the parts you left out may be confusing me, but I'll put some of my recommendations below in bold. Also, can you explain what didn't work in the failover? Did it not failover at all, or did it not fail back over when the primary came back up?
probe VPNPeerWAN1 icmp-echo
destination (VPN Peer's Primary Public IP address)
period 3
tolerance consecutive fail 3 pass 3
no shutdown
!
crypto ike policy 90
initiate main
respond anymode
local-id address (Adtran 3200)
peer (VPN Peer's Primary Public IP address)
attribute 2
encryption 3des
hash md5
authentication pre-share
group 2
!
crypto ike policy 91
initiate main
respond anymode
local-id address (Adtran 3200)
peer (VPN Peer's Backup Public IP address)
attribute 2
encryption 3des
hash md5
authentication pre-share
group 2
!
crypto ike remote-id address (VPN Peer's Backup Public IP address) preshared-key (key) ike-policy 91 crypto map VPN 10 no-mode-config no-xauth
crypto ike remote-id address (VPN Peer's Primary Public IP address) preshared-key (key) ike-policy 90 crypto map VPN 10 no-mode-config no-xauth
!
crypto map VPN 10 ipsec-ike
description customerP
match track VPNPeerWAN1
match address VPN-10-vpn-selectors
set peer (VPN Peer's Primary Public IP address)
set transform-set esp-3des-esp-md5-hmac
ike-policy 90
crypto map VPN 11 ipsec-ike
description customerB
match track NotVPNPeerWAN1
match address VPN-10-vpn-selectors
set peer (VPN Peer's Backup Public IP address)
set transform-set esp-3des-esp-md5-hmac
ike-policy 91
!
ip access-list extended VPN-10-vpn-selectors
permit ip [Local LAN] host [Peer LAN IP] (this ACL should be sourced from the LAN of the 3200 to the LAN of the remote site)
Levi
With Adtran's help (Mark), we got it working. The setup is unique because the path to both VPN peers is through the same firewall, and one side is NAT'ed through it. We had to
The following is a working configuration. We tested failing the probe successfully. We have both versions of nat-t configured, but we were trying to make it work. We left them in and it works fine.
The ike Policy was changed to aggressive.
In the crypto ike remote-id, we had to make it 'any' since the VPN peer is NAT'ed and the remote-id would be the same as the other crypto ike remote-id entry.
Building configuration...
!
!
! ADTRAN, Inc. OS version 18.02.02.00.E
! Boot ROM version 17.02.01.00
! Platform: NetVanta 3200, part number 1203860G1
!
!
!
probe VPNPeerWAN1 icmp-echo
destination (VPN Peer Primary)
period 3
tolerance consecutive fail 3 pass 3
no shutdown
!
probe VPN-KeepAlive icmp-echo
destination [Peer LAN IP]
source-address [Local LAN]
period 10
tolerance consecutive fail 3 pass 3
no shutdown
!
track "VPNPeerWAN1"
snmp trap state-change
test if probe VPNPeerWAN1
no shutdown
!
track "NotVPNPeerWAN1"
snmp trap state-change
test if not probe VPNPeerWAN1
no shutdown
!
!
!
!
ip crypto
ip crypto fast-failover
!
crypto ike policy 90
initiate aggressive
respond anymode
local-id address (Adtran 3200)
nat-traversal v1 force
nat-traversal v2 force
peer (VPN Peer Primary)
attribute 2
encryption 3des
hash md5
authentication pre-share
group 2
!
crypto ike policy 91
initiate main
respond anymode
local-id address (Adtran 3200)
peer (VPN Peer Backup)
attribute 2
encryption 3des
hash md5
authentication pre-share
group 2
!
crypto ike remote-id address any preshared-key (key) ike-policy 91 crypto map VPN 11 no-mode-config no-xauth nat-t v1 force nat-t v2 force
crypto ike remote-id address (VPN Peer Primary) preshared-key (key) crypto map VPN 10 no-mode-config no-xauth nat-t v1 force nat-t v2 force
!
crypto ipsec transform-set esp-3des-esp-md5-hmac esp-3des esp-md5-hmac
mode tunnel
!
crypto map VPN 10 ipsec-ike
description customerP
match track VPNPeerWAN1
match address VPN-10-vpn-selectors
set peer (VPN Peer Primary)
set transform-set esp-3des-esp-md5-hmac
ike-policy 90
crypto map VPN 11 ipsec-ike
description customerB
match track NotVPNPeerWAN1
match address VPN-10-vpn-selectors
set peer (VPN Peer Backup)
set transform-set esp-3des-esp-md5-hmac
ike-policy 91
!
interface eth 0/1
ip address [Local LAN]
ip access-policy Private
...
no shutdown
!
interface ppp 1
ip address (Adtran 3200)
ip access-policy Public
crypto map VPN
ip flow ingress
ip flow egress
no shutdown
...
!
!
ip access-list extended VPN-10-vpn-selectors
permit ip [Local LAN] host [Peer LAN IP]
!
ip policy-class Private
allow list VPN-10-vpn-selectors stateless
nat source list MATCHALL interface ppp 1 overload
allow list VPN-10-vpn-selectors stateless
!
ip policy-class Public
allow reverse list VPN-10-vpn-selectors stateless
allow list Admin_Access
allow reverse list VPN-10-vpn-selectors stateless
!
!
end
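The failover in both configs in this thread hinges on one probe ("period 3" and "tolerance consecutive fail 3 pass 3") feeding two tracks, one inverted with "test if not", so that crypto map VPN 10 is active while the primary peer answers and VPN 11 takes over when it stops. The script below is an added model of that hysteresis, written for this thread rather than taken from it or from ADTRAN; it assumes the natural reading of the tolerance keywords (the probe goes down after the stated number of consecutive failed echoes and comes back only after the stated number of consecutive successful ones) and that the echo results arrive one per period. The echo result sequences are constructed, not captured from a device.

```python
"""Model of an AOS-style ICMP probe with consecutive fail/pass tolerance driving
two crypto map entries (added example, not device code)."""
from dataclasses import dataclass


@dataclass
class Probe:
    """Mirrors 'probe X icmp-echo / period P / tolerance consecutive fail F pass S'."""
    period: int           # seconds between echo requests
    fail_threshold: int   # consecutive failures before the probe reports down
    pass_threshold: int   # consecutive successes before it reports up again
    up: bool = True       # assumed initial state: primary peer reachable
    consecutive_fail: int = 0
    consecutive_pass: int = 0

    def observe(self, reply_received: bool) -> bool:
        """Feed one echo result and return the probe state after the tolerance rule."""
        if reply_received:
            self.consecutive_pass += 1
            self.consecutive_fail = 0
            if not self.up and self.consecutive_pass >= self.pass_threshold:
                self.up = True
        else:
            self.consecutive_fail += 1
            self.consecutive_pass = 0
            if self.up and self.consecutive_fail >= self.fail_threshold:
                self.up = False
        return self.up


def active_crypto_map(probe_up: bool) -> str:
    """'match track VPNPeerWAN1' selects VPN 10; 'match track NotVPNPeerWAN1' selects VPN 11."""
    return "VPN 10 (primary peer)" if probe_up else "VPN 11 (backup peer)"


def detection_window_seconds(period: int, fail_threshold: int) -> int:
    """Time from the first missed echo until the probe declares the peer down."""
    return period * fail_threshold


def simulate(results, period=3, fail_threshold=3, pass_threshold=3):
    """Run a sequence of echo outcomes (True = reply) and return every
    (time in seconds, crypto map entry) transition the track would drive."""
    probe = Probe(period, fail_threshold, pass_threshold)
    transitions = []
    previous = probe.up
    for i, ok in enumerate(results):
        state = probe.observe(ok)
        if state != previous:
            transitions.append((i * period, active_crypto_map(state)))
            previous = state
    return transitions


# Constructed sample: primary stops answering at the third echo, comes back
# intermittently, then stays up. The single stray failure resets the pass count.
OUTAGE = [True, True, False, False, False, False, True, False, True, True, True]

# Constructed sample: short bursts of loss that never reach three in a row.
FLAP = [True, False, False, True, False, False, True]

if __name__ == "__main__":
    print("detection window with page values:", detection_window_seconds(3, 3), "s")
    print("outage:", simulate(OUTAGE))
    print("flap:", simulate(FLAP))
```

With the thread's values the model switches to VPN 11 nine seconds after the first missed echo and waits for three clean replies before returning to VPN 10, so a single stray reply during the outage does not flip the tunnel back. The FLAP sequence produces no transition at all, which is the point of the "consecutive" tolerance: brief loss on the primary path is absorbed rather than tearing down and rebuilding the SA twice. The second probe in the configs, VPN-KeepAlive with period 10, is not referenced by either track, so in this model it would only report reachability of the peer LAN through the tunnel and not influence which crypto map entry is active.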