Fault-tolerant IPSec Configuration Using EDGE Gateway

Before you start

GRE tunnelling technology was added in NSX 6.4. This technology has minimal functionality: IPSec and OSPF services do not recognize GRE interfaces and there is no logging or monitoring implementation except for simple ping. Currently, GRE tunnels can only be created by NSX administrators via the REST API. VCloud users cannot use this feature.

However, VMware has implemented the creation of encrypted tunnels via Route-Based IPSec VPN (VTI over IPSec). This technology is identical to Generic Routing Encapsulation (GRE) over IPSec, except that no additional encapsulation is added to the packet before IPSec processing is applied. The table below shows which vendors support this feature. The difference from normal GRE lies in the encapsulation method: VTI saves 4 bytes by eliminating the GRE header..

Vendor Route-Based IPSec VPN support
Cisco yes
Juniper yes
Mikrotik no

 

Introduction

The original problem's goal is to achieve fault tolerance under the scheme when two encrypted tunnels are created from a remote OFFICE on the same channel to two Edges (EDGE-2 and EDGE-3) which are located in different data centers but connected by an L2 line. You can see the scheme below.

We need to configure the infrastructure so that in the event of a loss of connection between the OFFICE and one of the EDGE devices is lost, the availability of the infrastructure in subnets 10.20.20.0/29 and 10.100.100.0/29 can be maintained. To achieve this, follow these steps:

  1. Deploy the infrastructure in each VDC (networks, vApp and VM).
  2. Create Route-Based IPSec VPN tunnels between OFFICE-EDGE-2 and OFFICE-EDGE-3 nodes.
  3. On the EDGE-2 and EDGE-3 nodes, create static routes to OFFICE via GRE.
  4. On the OFFICE node, create static routes to EDGE-2 and EDGE-3.
  5. Test the created infrastructure for availability.
  6. Ensure the availability of all nodes in the scheme by turning off one of the tunnels.

For ease of identification, all screenshots of the nodes will be colour-coded according to the following key::

OFFICE - 45.134.62.220

EDGE-2 - 176.53.182.220

EDGE-3 - 176.53.182.209

This article on EDGE covers the Office node, but you can configure any supported device to implement this scheme.

To reduce the amount of information, duplication of screenshots from the same nodes has been minimised.

Preparing the infrastructure

  1. Create a vApp (VAPP_TWO) and a VM (VM-EDGE-2) in the VDC. Do the same for the other nodes.

Create an EDGE-2 LAN 10.100.100.0/29 and connect it to EDGE-2. Do the same for EDGE-3 (LAN-EDGE-3 10.20.20.0/29) and for Office (192.168.10.0/29)

  1. Go to EDGE>VPN>IPSec settings and choose to create IPsec VPN Sites

  1. Create Route-Based IPSec according to the matrix of all three nodes (on the Office side you must configure two tunnels, one to each EDGE node):
Parameter EDGE-3 EDGE-2 OFFICE
Name TO Office
To Office
To EDGE-1, To EDGE-2
Local ID 176.53.182.220 45.134.62.220 176.53.182.209
Peer Subnets 0.0.0.0/0 0.0.0.0/0 0.0.0.0/0
Encryption Algorithm AES-256 AES-256 AES-256
Peer Subnets 0.0.0.0/0 0.0.0.0/0 0.0.0.0/0
Encryption Algorithm AES-256 AES-256 AES-256
Authentication PSK PSK PSK
Pre-Shared Key *** *** ***
Diffie-Hellman Group DH14 DH14 DH14
Digest Algorithm SHA-256 SHA-256 SHA-256
IKE Option iKEv-2 iKEv-2 iKEv-2
Session Type Route-Based Session Route-Based Session Route-Based Session
Tunnel Interface IP CIDR 172.16.0.2/30 172.10.0.2/30 172.16.0.1/30, 172.10.0.1/30
Tunnel Interface MTU 1500 1500 1500
  1. Configure static routes between the created tunnels on each node.

SOURCE NETWORK NEXT HOP DISTANCE
EDGE-3 to EDGE-2 (L2) 10.100.100.0/29 192.168.3.102 1
EDGE-3 to Office (VTI) 192.168.10.0/29 172.10.0.1 1
EDGE-3 to Office через EDGE-2
192.168.10.0/29
192.168.3.102
2
EDGE-2 to EDGE-3 (L2) 10.20.20.0/29 192.168.3.101 1
EDGE-2 to Office (VTI) 192.168.10.0/29 172.16.0.1 1
EDGE-2 to Office через EDGE-3
192.168.10.0/29
192.168.3.101
2

When creating the static routes, specify the subnet behind the opposite node in the Network field. In the 'Next Hop' field, enter the IP address of the opposite node's IPSec tunnel.

  1. From the Office node, record the availability of subnets connected to EDGE-2 and EDGE-3

 

  1. Use the created tunnels to fix the traffic to subnets.

 

Checking availability after disconnecting the tunnel.

 

  1. With all the hosts connected, we need to disable the tunnel on the Office > EDGE-2 (172.16.0.0/30) route. This will allow us to verify that the route to the subnet behind EDGE-2 goes through EDGE-3. To achieve this, the IPSec VTI tunnel on the EDGE-2 host must be disabled.

2. Note that the EDGE-2 subnet remains accessible via a route through the EDGE-3 node.

  1. Similarly, check the availability of Office on EDGE-2

As you can see, the node is still available, so the fault tolerance is fixed.

Have you tried Cloud4U services? Not yet?

Visit a Website

Try for free

  • GRE, Tunnels, VTI, over IPsec, VmWare, Cloud4y.ru
  • 100 Users Found This Useful
Was this answer helpful?

Related Articles

Site-to-Site VPN settings between Edge gateway and Juniper SRX

Scheme: How it works. A detailed description of the tunnel parameters can be found in a...

Site to Site IPsec Policy Based VPN between Edge Gateway and Mikrotik. Dual WAN (two providers)

This tutorial describes the Site to Site IPsec VPN configuration scenario between Cloud4Y (Edge...

VPN connection reservation

One client contacted us with a request to provide a VPN tunnel reservation between the office and...

IPSec Site-to-Site VPN Settings Supported by Edge Gateway (vCloud Director v 9.7)

This table lists the IPSec S2S VPN tunnel parameters for vCloud Director version 9.7. Parameters...

Site to Site IPsec Policy Based VPN between Edge Gateway and Mikrotik. Routing multiple subnets

This tutorial covers a scenario where there are 2 local subnets on the client side and 2 local...