How to configure redundancy with Site-to-Site VPN tunnel.

Aruba Employee

Starting from image 7.4.x.x, the Mobility Access Switch supports a standby VPN uplink that takes over when the primary VPN uplink interface goes down. Whenever the primary uplink is detected to be down, the standby uplink is used to establish the VPN.

The Mobility Access Switch also supports preemption: when the primary VPN uplink is found to be up again while the VPN is running over the standby uplink, the switch automatically re-establishes the VPN connection over the primary uplink. Preemption is enabled by default, applies only when a standby interface is configured, and can be disabled or re-enabled as needed.

  • Ensure that route monitoring is enabled on both the primary and standby uplinks of the Mobility Access Switch; route monitoring is what determines the status of each uplink (the Probe column in the show output below).
  • VPN survivability is supported with IKE version 2 only.

Environment: Remote Networking

Network Topology: a Site-to-Site VPN tunnel between two devices (two Aruba switches, an Aruba controller and an Aruba switch, or an Aruba switch and a third-party device).

Configuring Standby Uplink for VPN:

You can configure the standby VPN using the following CLI commands:

(host) (config) #crypto-local ipsec-map <map-name> <map-number>
(host) (config-ipsec-map) #standby-interface vlan <ipsec-map-standby-vlan-id>

Sample Configuration:

(host) (config) #crypto-local ipsec-map mapA 10
(host) (config-ipsec-map) # peer-ip 20.1.1.2
(host) (config-ipsec-map) # local-fqdn test.arubanetworks.com
(host) (config-ipsec-map) # interface vlan 2
(host) (config-ipsec-map) # src-net 4.1.1.0 255.255.255.255
(host) (config-ipsec-map) # dst-net 3.1.1.0 255.255.255.255
(host) (config-ipsec-map) # standby-interface vlan 4

Verifying Standby Configuration:

You can use the following command to verify the standby VPN configuration on the Mobility Access Switch:
(host) #show running-config
crypto-local ipsec-map mapA 10
version v2
peer-ip 20.1.1.2
local-fqdn test.arubanetworks.com
interface vlan 2
standby-interface vlan 4
src-net 4.1.1.0 255.255.255.255
dst-net 3.1.1.0 255.255.255.255
set transform-set "default-transform"
pre-connect disable
force-natt disable
!

Use the following command to view the uplink VLAN interface in use:
(host) #show crypto-local ipsec-map
Crypto Map Template "mapA" 10
IKE Version: 2
IKEv2 Policy: 10
Security association lifetime: 7200 seconds
PFS (Y/N): N
Transform sets={ default-transform}
Peer gateway: 20.1.1.2
Local FQDN: test.arubanetworks.com
Interface: vlan 2
Source network: 4.1.1.1/255.255.255.255
Destination network: 3.1.1.1/255.255.255.255
Pre-Connect (Y/N): N
Tunnel Trusted (Y/N): Y
Forced NAT-T (Y/N): N

The following examples display the status of the primary and the standby VPN uplink interfaces before and after a switch-over. The Probe column indicates the status of each uplink as reported by route monitoring.

Before the switch-over (both uplinks up):
(host) #show ip interface brief
Flags: S - Secondary IP address
Probe: U - Up, D - Down, U/O - Up & Own IP, N/A - Not Applicable
Interface   IP Address / IP Netmask     Admin  Protocol  Probe  Flags
vlan 2      10.1.1.1 / 255.255.255.0    Up     Up        U
vlan 4      10.1.2.1 / 255.255.255.0    Up     Up        U

After the switch-over (the primary uplink probe reports Down):
(host) #show ip interface brief
Flags: S - Secondary IP address
Probe: U - Up, D - Down, U/O - Up & Own IP, N/A - Not Applicable
Interface   IP Address / IP Netmask     Admin  Protocol  Probe  Flags
vlan 2      10.1.1.1 / 255.255.255.0    Up     Up        D
vlan 4      10.1.2.1 / 255.255.255.0    Up     Up        U

The following command displays that the VPN is on the standby uplink after the switchover:
(host) #show crypto-local ipsec-map
Crypto Map Template "mapA" 10
IKE Version: 2
IKEv2 Policy: 10
Security association lifetime: 7200 seconds
PFS (Y/N): N
Transform sets={ default-transform }
Peer gateway: 20.1.1.2
Local FQDN: test.arubanetworks.com
Interface: vlan 4                                     <--
Source network: 4.1.1.1/255.255.255.255
Destination network: 3.1.1.1/255.255.255.255
Pre-Connect (Y/N): N
Tunnel Trusted (Y/N): Y
Forced NAT-T (Y/N): N
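As an added example (not part of the Aruba article and not Aruba code), the script below parses the three outputs shown above, the ipsec-map block from show running-config, the Probe column of show ip interface brief and the Interface line of show crypto-local ipsec-map, and checks that the tunnel is on the uplink the probe state implies: the primary whenever its probe is up and preemption is on, otherwise the standby. The sample outputs are constructed to match the article's captures, the column layout is assumed to be exactly as shown, and the preempt flag is an assumption standing in for the switch's preemption setting.

```python
"""Added example, not part of the Aruba article: parse the switch's
`show ip interface brief`, `show crypto-local ipsec-map` and running-config
output and check that the IPsec map is on the uplink the probe state implies."""
import re

# Constructed sample output modelled on the article's captures (after switch-over).
IP_BRIEF_AFTER = """\
Flags: S - Secondary IP address
Probe: U - Up, D - Down, U/O - Up & Own IP, N/A - Not Applicable
Interface IP Address / IP Netmask Admin Protocol Probe Flags
vlan 2 10.1.1.1 / 255.255.255.0 Up Up D
vlan 4 10.1.2.1 / 255.255.255.0 Up Up U
"""

IPSEC_MAP_AFTER = """\
Crypto Map Template "mapA" 10
IKE Version: 2
Peer gateway: 20.1.1.2
Interface: vlan 4
"""

RUNNING_CONFIG = """\
crypto-local ipsec-map mapA 10
version v2
peer-ip 20.1.1.2
interface vlan 2
standby-interface vlan 4
!
"""

UP_STATES = ("U", "U/O")


def parse_probe_state(text):
    """Map each VLAN interface to its Probe column value, e.g. {'vlan 2': 'D'}."""
    # Columns assumed as in the article: Interface, IP / Netmask, Admin, Protocol, Probe, [Flags]
    row = re.compile(r"^vlan\s+(\d+)\s+\S+\s+/\s+\S+\s+\S+\s+\S+\s+(\S+)")
    state = {}
    for line in text.splitlines():
        m = row.match(line.strip())
        if m:
            state[f"vlan {m.group(1)}"] = m.group(2)
    return state


def parse_ipsec_map_config(text):
    """Extract IKE version, primary and standby uplink from the ipsec-map config block."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^(interface|standby-interface)\s+vlan\s+(\d+)$", line)
        if m:
            key = "standby" if m.group(1) == "standby-interface" else "primary"
            cfg[key] = f"vlan {m.group(2)}"
        m = re.match(r"^version\s+(v\d)$", line)
        if m:
            cfg["ike_version"] = m.group(1)
    return cfg


def active_interface(show_map_text):
    """Uplink currently carrying the tunnel, from the 'Interface:' line of the show output."""
    m = re.search(r"^Interface:\s+vlan\s+(\d+)", show_map_text, re.MULTILINE)
    return f"vlan {m.group(1)}" if m else None


def check_failover(cfg, probes, active, preempt=True):
    """Return a list of findings; an empty list means the observed state is consistent.

    `preempt` is an assumed flag mirroring the switch's preemption setting."""
    findings = []
    if cfg.get("ike_version") != "v2":
        findings.append("VPN survivability requires IKE version 2 (configure 'version v2')")
    primary, standby = cfg.get("primary"), cfg.get("standby")
    if not primary or not standby:
        findings.append("ipsec-map needs both 'interface' and 'standby-interface'")
        return findings
    for iface in (primary, standby):
        if probes.get(iface) in (None, "N/A"):
            findings.append(f"{iface}: no probe result; enable route monitoring on it")
    primary_up = probes.get(primary) in UP_STATES
    standby_up = probes.get(standby) in UP_STATES
    # With preemption the primary wins whenever its probe is up; without it the
    # tunnel stays where it is as long as that uplink is still up.
    if primary_up and (preempt or active == primary):
        expected = primary
    elif standby_up:
        expected = standby
    elif primary_up:
        expected = primary
    else:
        findings.append("both uplinks report probe down; tunnel cannot be established")
        return findings
    if active != expected:
        findings.append(f"tunnel is on {active}, expected {expected}")
    return findings


if __name__ == "__main__":
    cfg = parse_ipsec_map_config(RUNNING_CONFIG)
    probes = parse_probe_state(IP_BRIEF_AFTER)
    print(check_failover(cfg, probes, active_interface(IPSEC_MAP_AFTER)) or "OK")
```

Run it against captures taken before and after a switch-over: an empty result means the tunnel sits where route monitoring says it should, while a "tunnel is on vlan 4, expected vlan 2" finding with both probes up and preemption enabled is the case worth investigating.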

Last update: 04-07-2015 02:21 PM