Support
Community

:

Thank you for asking this question in the support community.  Typically, this concept is accomplished with VPN failover.  The guide Configuring Redundant VPN Tunnel Fail-Over in AOS will explain this network design and configuration.  Also, please note that only the 3rd Generation NetVanta 3200 supports probes (which is covered in the document).

I hope that makes sense, but please do not hesitate to reply to this post with any additional questions or information.  I will be happy to help in any way I can.

Levi

:

I went ahead and flagged this post as “Assumed Answered.”  If any of the responses on this thread assisted you, please mark them as either Correct or Helpful answers with the applicable buttons.  This will make them visible and help other members of the community find solutions more easily.  If you still need assistance, I would be more than happy to continue working with you on this - just let me know in a reply.

Levi

Thanks. Our local government hasn’t returned my call to move forward. I’ll update the thread once we have something in place.

Jamie

We had a conference call testing the configuration I had set, but the failover didnt work. I'm not confident in my config. I had one address wrong, but I wanted to run this by someone to see if it's ok.

Keeping as much as I can anonymous, here's the proposed network:

[Peer Lan IP] --- (VPN Peer Primary) ---\
                                                          \--- (Adtran 3200) -- [Local LAN]
[Peer Lan IP] --- (VPN Peer Backup)  ---/

Here's my config:

Building configuration...

!

!

! ADTRAN, Inc. OS version 18.02.02.00.E

! Boot ROM version 17.02.01.00

! Platform: NetVanta 3200, part number 1203860G1

!

!

!

probe VPNPeerWAN1 icmp-echo

  destination (VPN Peer Primary)

  period 3

  tolerance consecutive fail 3 pass 3

  no shutdown

!

probe VPN-KeepAlive icmp-echo

  destination [Peer LAN IP]

  source-address [Local LAN]

  period 10

  tolerance consecutive fail 3 pass 3

  no shutdown

!

track "VPNPeerWAN1"

  snmp trap state-change

  test if probe VPNPeerWAN1

  no shutdown

!

track "NotVPNPeerWAN1"

  snmp trap state-change

  test if not probe VPNPeerWAN1

  no shutdown

!

!

!

!

ip crypto

ip crypto fast-failover

!

crypto ike policy 90

  initiate main

  respond anymode

  local-id address (Adtran 3200)

  peer (VPN Peer Primary)

  attribute 2

    encryption 3des

    hash md5

    authentication pre-share

    group 2

!

crypto ike policy 91

  initiate main

  respond anymode

  local-id address (Adtran 3200)

  peer (VPN Peer Backup)

  attribute 2

    encryption 3des

    hash md5

    authentication pre-share

    group 2

!

crypto ike remote-id address (VPN Peer Backup) preshared-key (key) ike-policy 91 crypto map VPN 10 no-mode-config no-xauth

crypto ike remote-id address (VPN Peer Primary) preshared-key (key) ike-policy 90 crypto map VPN 10 no-mode-config no-xauth

!

crypto ipsec transform-set esp-3des-esp-md5-hmac esp-3des esp-md5-hmac

  mode tunnel

!

crypto map VPN 10 ipsec-ike

  description customerP

  match track VPNPeerWAN1

  match address VPN-10-vpn-selectors

  set peer (VPN Peer Primary)

  set transform-set esp-3des-esp-md5-hmac

  ike-policy 90

crypto map VPN 11 ipsec-ike

  description customerB

  match track NotVPNPeerWAN1

  match address VPN-10-vpn-selectors

  set peer (VPN Peer Backup)

  set transform-set esp-3des-esp-md5-hmac

  ike-policy 91

!

interface eth 0/1

  ip address  [Local LAN]

  ip access-policy Private

...

  no shutdown

!

interface ppp 1

  ip address  (Adtran 3200)

  ip access-policy Public

  crypto map VPN

  ip flow ingress

  ip flow egress

  no shutdown

...

!

!

ip access-list extended VPN-10-vpn-selectors

  permit ip [Local LAN] host [Peer LAN IP]

!

ip policy-class Private

  allow list VPN-10-vpn-selectors stateless

  nat source list MATCHALL interface ppp 1 overload

  allow list VPN-10-vpn-selectors stateless

!

ip policy-class Public

  allow reverse list VPN-10-vpn-selectors stateless

  allow list Admin_Access

  allow reverse list VPN-10-vpn-selectors stateless

!

!

end

:

It is possible that some of the parts you left out may be confusing me, but I'll put some of my recommendations below in bold.  Also, can you explain what didn't work in the failover?  Did it not failover at all, or did it not fail back over when the primary came back up?

probe VPNPeerWAN1 icmp-echo

  destination (VPN Peer's Primary Public IP address)

  period 3

  tolerance consecutive fail 3 pass 3

  no shutdown

!

crypto ike policy 90

  initiate main

  respond anymode

  local-id address (Adtran 3200)

  peer (VPN Peer's Primary Public IP address)

  attribute 2

    encryption 3des

    hash md5

    authentication pre-share

    group 2

!

crypto ike policy 91

  initiate main

  respond anymode

  local-id address (Adtran 3200)

  peer (VPN Peer's Backup Public IP address)

  attribute 2

    encryption 3des

    hash md5

    authentication pre-share

    group 2

!

crypto ike remote-id address (VPN Peer's Backup Public IP address) preshared-key (key) ike-policy 91 crypto map VPN 10 no-mode-config no-xauth

crypto ike remote-id address (VPN Peer's Primary Public IP address) preshared-key (key) ike-policy 90 crypto map VPN 10 no-mode-config no-xauth

!

crypto map VPN 10 ipsec-ike

  description customerP

  match track VPNPeerWAN1

  match address VPN-10-vpn-selectors

  set peer (VPN Peer's Primary Public IP address)

  set transform-set esp-3des-esp-md5-hmac

  ike-policy 90

crypto map VPN 11 ipsec-ike

  description customerB

  match track NotVPNPeerWAN1

  match address VPN-10-vpn-selectors

  set peer (VPN Peer's Backup Public IP address)

  set transform-set esp-3des-esp-md5-hmac

  ike-policy 91

!

ip access-list extended VPN-10-vpn-selectors

  permit ip [Local LAN] host [Peer LAN IP] (this ACL should be sourced from the LAN of the 3200 to the LAN of the remote site)

Levi

With Adtran's help (Mark), we got it working. The setup is unique because the path to both VPN peers is through the same firewall, and one side is NAT'ed through it. We had to

The following is a working configuration. We tested failing the probe successfully. We have both versions of nat-t configured, but we were trying to make it work. We left them in and it works fine.

The ike Policy was changed to aggressive.

In the crypto ike remote-id, we had to make it 'any' since the vpn peer is NAT'ed and the remote -id would be the same as the other crypto ike remote-id entry.

Building configuration...

!

!

! ADTRAN, Inc. OS version 18.02.02.00.E

! Boot ROM version 17.02.01.00

! Platform: NetVanta 3200, part number 1203860G1

!

!

!

probe VPNPeerWAN1 icmp-echo

  destination (VPN Peer Primary)

  period 3

  tolerance consecutive fail 3 pass 3

  no shutdown

!

probe VPN-KeepAlive icmp-echo

  destination [Peer LAN IP]

  source-address [Local LAN]

  period 10

  tolerance consecutive fail 3 pass 3

  no shutdown

!

track "VPNPeerWAN1"

  snmp trap state-change

  test if probe VPNPeerWAN1

  no shutdown

!

track "NotVPNPeerWAN1"

  snmp trap state-change

  test if not probe VPNPeerWAN1

  no shutdown

!

!

!

!

ip crypto

ip crypto fast-failover

!

crypto ike policy 90

  initiate aggressive

  respond anymode

  local-id address (Adtran 3200)

  nat-traversal v1 force

  nat-traversal v2 force

  peer (VPN Peer Primary)

  attribute 2

    encryption 3des

    hash md5

    authentication pre-share

    group 2

!

crypto ike policy 91

  initiate main

  respond anymode

  local-id address (Adtran 3200)

  peer (VPN Peer Backup)

  attribute 2

    encryption 3des

    hash md5

    authentication pre-share

    group 2

!

crypto ike remote-id address any preshared-key (key) ike-policy 91 crypto map VPN 11 no-mode-config no-xauth nat-t v1 force nat-t v2 force

crypto ike remote-id address (VPN Peer Primary) preshared-key (key) crypto map VPN 10 no-mode-config no-xauth nat-t v1 force nat-t v2 force

!

crypto ipsec transform-set esp-3des-esp-md5-hmac esp-3des esp-md5-hmac

  mode tunnel

!

crypto map VPN 10 ipsec-ike

  description customerP

  match track VPNPeerWAN1

  match address VPN-10-vpn-selectors

  set peer (VPN Peer Primary)

  set transform-set esp-3des-esp-md5-hmac

  ike-policy 90

crypto map VPN 11 ipsec-ike

  description customerB

  match track NotVPNPeerWAN1

  match address VPN-10-vpn-selectors

  set peer (VPN Peer Backup)

  set transform-set esp-3des-esp-md5-hmac

  ike-policy 91

!

interface eth 0/1

  ip address  [Local LAN]

  ip access-policy Private

...

  no shutdown

!

interface ppp 1

  ip address  (Adtran 3200)

  ip access-policy Public

  crypto map VPN

  ip flow ingress

  ip flow egress

  no shutdown

...

!

!

ip access-list extended VPN-10-vpn-selectors

  permit ip [Local LAN] host [Peer LAN IP]

!

ip policy-class Private

  allow list VPN-10-vpn-selectors stateless

  nat source list MATCHALL interface ppp 1 overload

  allow list VPN-10-vpn-selectors stateless

!

ip policy-class Public

  allow reverse list VPN-10-vpn-selectors stateless

  allow list Admin_Access

  allow reverse list VPN-10-vpn-selectors stateless

!

!

end