New Contributor

Resilient IPSEC Tunnels

Hello Everybody,

 

Just wondering if anybody could share any ideas I haven't thought of in terms of the following scenario please?

 

We have a customer with a pair of v6 7000 controllers in a large site, along with another pair of 7000 master/standby in a datacentre. In each datacentre, there is also a pair of Cisco ASA firewalls that we aim to use for WiFi guest user termination and internet egress.

 

When doing IPSEC tunnels (for the Guest WiFi egress, starting from the locals at the site) I'm pretty sure we can only set one IP peer in each IPSEC tunnel. This gives us a problem with resilience when targeting 2 data centre firewalls on different IP subnets (no layer 2 between DCs).

 

Things that aren't a resilience problem are: resilience FROM the locals, as they run a v6 VRRP for AP termination (controllers AREN'T active/active therefore), and we will have another VRRP for IPSEC egress to the DCs, which tracks the AP VRRP. Also, at the individual DC end, the ASAs work in resilient pairs with virtual interfaces. So the only issue should be failing between datacentres.

 

We could either...

 

1. Look at GRE over IPSEC and use tunnel-groups on the controllers, however, not sure if Cisco ASAs will cope with that? Sounds like lots of experimentation required? Outcomes should be nice and slick if they work though?


2. Set up a pair of default routes in the controllers with weighted metrics, which use a pair of IPSEC tunnels in order of priority. This would of course have to take into account other existing IPSEC tunnels and any "normal" controller IP traffic flows that must remain intact (e.g. authentication/monitoring/management etc.), prioritised with normal IP routes with better metrics. My big problem with this option is an operational one. Whilst it will be time consuming to "tweak out" IP stuff that shouldn't be routed up the IPSEC tunnels and get the routing table "just right", it feels like one day this setup is REALLY easy for somebody to make a mistake with and cause havoc?

 

Thoughts?

Aruba Employee

Re: Resilient IPSEC Tunnels

I haven't set up this specific scenario, but curious if you could use route policies in the guest user role to determine which IPSec tunnel the guest traffic gets routed down.


Charlie Clemmer
Aruba Customer Engineering
New Contributor

Re: Resilient IPSEC Tunnels

Having looked into it quickly, not sure I can see a way to have route policies take into account when a particular tunnel is down?

 

Aruba Employee

Re: Resilient IPSEC Tunnels

Under Network -> IP -> NextHop

 

You can add a list, and select a list of available next hop IP addresses, along with whether preemptive failover is enabled. The nexthop list is then referenced in the route policy.


Charlie Clemmer
Aruba Customer Engineering
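As an added illustration of the nexthop-list approach described above (not configuration from this thread or from Aruba's documentation), the fragment below shows roughly how it would be laid out in the ArubaOS 6.x CLI. The list name, ACL name, role name and IP addresses are placeholders, and the command syntax is assumed from memory of the 6.x CLI, so check it against the command reference for the release in use before relying on it.

```text
! Assumed ArubaOS 6.x syntax; names and addresses are placeholders.
! One next hop per data centre. The higher priority entry is preferred;
! preemptive-failover moves traffic back to it once it is reachable again.
ip nexthop-list GUEST-EGRESS
  ip 10.255.1.1 priority 128
  ip 10.255.2.1 priority 64
  preemptive-failover

! Route ACL that policy-routes matching traffic to the list.
ip access-list route GUEST-TO-DC
  any any any route next-hop-list GUEST-EGRESS

! Apply the route ACL only to the guest role, so controller management,
! authentication and monitoring traffic keeps following the normal routing
! table and the default route does not have to be touched.
user-role guest
  session-acl GUEST-TO-DC
```

Two caveats for this layout. First, as the documentation quoted later in the thread says, a nexthop entry must be an address with layer 2 connectivity to the controller, so the entries above would have to be something like the far-end addresses of GRE tunnels or a locally adjacent gateway in front of each tunnel, not the IPsec peer addresses of ASAs in remote data centres. Second, scoping the policy to the guest role is what avoids the operational risk raised in option 2 of the original post: nothing outside that role is affected if the list or ACL is misconfigured.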
New Contributor

Re: Resilient IPSEC Tunnels

Hi,

 

Thanks for the suggestion. Are you sure that would work? I did a quick read up on it. The first thing that makes me think this might not be feasible is that in the information I read about it, it says "A nexthop IP is the IP address of an adjacent router or device with layer-2 connectivity to the controller." If I have to do IPSEC with no GRE, I don't have a layer 2 adjacency. Also, I can't find any information regarding how the "Preemptive-Failover" feature actually establishes that any given next hop is "healthy/available", i.e. what is the controller doing in order to work that out? I don't suppose you have an example configuration you could share?

 

Aruba Employee

Re: Resilient IPSEC Tunnels

I haven't done this specific scenario (tunneling from the WLC to an ASA), but have done site-to-site tunnels between WLCs with GRE over IPSec and done similar with route policies.

 

Another idea, depending on the HA functionality with the ASAs (can't remember if they are in the same DC, or different DCs) would be to use VRRP/HSRP between the ASAs so that tunnel failover is automatic between the ASAs, in which case the WLC does not know the tunnel has been moved to a different firewall.


Charlie Clemmer
Aruba Customer Engineering
New Contributor

Re: Resilient IPSEC Tunnels

The ASAs are in different DCs with no L2 between them. Which is part of the problem obviously.
