Wireless Access

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Backup IPsec tunnel

  • 1.  Backup IPsec tunnel

    Posted Jan 05, 2016 08:39 AM

    We have two separate master/local controller pairs on a customer network, one at the core containing a DMZ and one at a branch office. Guests at the branch office are routed to the core through an IPsec tunnel. In the event of a failure of one of the controllers, is there a way for the core controller to bring up a new tunnel to the other branch controller? Currently I think I can only configure routing to the branch guest subnet on one tunnel. Is there any way to configure resilience in this scenario?

    Diagram attached.



  • 2.  RE: Backup IPsec tunnel

    Posted Jan 05, 2016 09:13 AM

    As per your diagram, if you are using VRRP between the core master/local controllers and the IPsec tunnel is targeting the VRRP IP address, does this not provide the resiliency you require?

    If not, what breaks when the master controller fails?



  • 3.  RE: Backup IPsec tunnel

    Posted Jan 05, 2016 09:20 AM

    Unfortunately, you cannot configure both ends on VRRP addresses, so one end has to terminate on a static address.



  • 4.  RE: Backup IPsec tunnel

    Posted Jan 05, 2016 09:29 AM

    Each edge controller should have its own IPSEC tunnel to the core controller VRRP address. In the event of a core controller failure, VRRP should handle the failover to the other controller and the tunnels should be rebuilt. 

    If an edge controller fails, either VRRP or HA fast failover can handle the APs failing over to the other edge controller and the Guest traffic can utilise the IPSEC tunnel for this controller.

    Does this make sense or am I missing something obvious?

    I have done the above set-up for a customer using GRE tunnels over IPSEC and it worked without issue.



  • 5.  RE: Backup IPsec tunnel

    Posted Jan 05, 2016 09:35 AM

    Each controller is configured to have a connection back to the core controller - one solid blue line and one blue dotted line. The configuration issue is at the core end - I cannot configure two tunnels with the same subnet (branch guest) routed down both. Are you saying GRE over IPsec will allow this configuration?



  • 7.  RE: Backup IPsec tunnel

    Posted Jan 05, 2016 09:40 AM

    Yes. Create the same VLAN on all controllers and then add GRE tunnels between the edge controllers and the core VRRP. The tunnels can just be L2 with the Guest VLAN on them. The GRE tunnel config on the edge controllers would look similar to the below:

    interface tunnel 1
    description "Tunnel Interface"
    tunnel mode gre 0
    tunnel source x.x.x.x
    tunnel destination y.y.y.y
    tunnel keepalive
    trusted
    tunnel vlan zzz
    !

    where x.x.x.x is the edge controller IP, y.y.y.y is the VRRP of the core controllers and zzz is your Guest VLAN number.



  • 8.  RE: Backup IPsec tunnel

    Posted Jan 05, 2016 10:07 AM

    Sounds like a good suggestion. I will try and lab this up to see if everything works as expected.

    Thanks.