How to set up redundancy with IPsec over GRE

Requirement:

Set up redundancy with IPsec over GRE between two master-standby controller pairs at different locations, and carry specific VLAN(s) across it.
Solution:

Create a non-routable L3 interface (VLAN 100 in the configuration below) on each controller to act as the GRE endpoint. The ipsec-map selectors cover these endpoint addresses, so the GRE traffic between them is carried inside the IPsec tunnel rather than in the clear.

Only one GRE tunnel should be up at any time: if both were up, the carried VLAN (1501 below) would be bridged over two paths and form a loop. GRE keepalive is enabled on every tunnel so that a tunnel whose far end stops answering goes down and the other one takes over.

On the HQ pair, point the ipsec-map at the VRRP IP of the DMZ pair (10.0.0.1), so the IPsec peer is always whichever DMZ controller currently holds the VRRP master role. On the DMZ pair, configure one ipsec-map per HQ controller, each pointing at that controller's physical IP (30.0.0.2 and 30.0.0.3).

The tunnel interfaces are marked trusted, which exempts traffic arriving through them from the controller's role-based firewall policy; this is acceptable only because both ends are controllers under the same administration.
Configuration:

On HQ-Master:

Create ipsec-map:
crypto-local ipsec-map To_DMZ 100
  peer-ip 10.0.0.1
  vlan 30
  src-net 192.168.30.0 255.255.255.0
  dst-net 192.168.10.0 255.255.255.0
  set transform-set "default-transform"
  pre-connect enable
  trusted enable
  uplink-failover disable
  force-natt disable
!

Create the ISAKMP pre-shared key (the same key is configured on all four controllers; "arubavpn123" is a placeholder, use a long random value in production):
crypto-local isakmp key "arubavpn123" address 10.0.0.0 netmask 255.255.255.0

Create an L3 interface as the GRE endpoint:
interface vlan 100
        ip address 192.168.30.2 255.255.255.0
        operstate up
!

Configure the GRE tunnels (only one will be up at a time):
interface tunnel 100
        tunnel mode gre 1
        tunnel source vlan 100
        tunnel destination 192.168.10.2
        tunnel keepalive
        trusted
        tunnel vlan 1501
!
interface tunnel 101
        tunnel mode gre 1
        tunnel source vlan 100
        tunnel destination 192.168.10.3
        tunnel keepalive
        trusted
        tunnel vlan 1501
!

On HQ-Standby:

Create ipsec-map:
crypto-local ipsec-map To_DMZ 100
  peer-ip 10.0.0.1
  vlan 30
  src-net 192.168.30.0 255.255.255.0
  dst-net 192.168.10.0 255.255.255.0
  set transform-set "default-transform"
  pre-connect enable
  trusted disable
  uplink-failover disable
  force-natt disable
!

Create isakmp key:
crypto-local isakmp key "arubavpn123" address 10.0.0.0 netmask 255.255.255.0

Create an L3 interface as the GRE endpoint:
interface vlan 100
        ip address 192.168.30.3 255.255.255.0
        operstate up
!

Configure the GRE tunnels (only one will be up at a time):
interface tunnel 100
        tunnel mode gre 1
        tunnel source vlan 100
        tunnel destination 192.168.10.2
        tunnel keepalive
        trusted
        tunnel vlan 1501
!
interface tunnel 101
        tunnel mode gre 1
        tunnel source vlan 100
        tunnel destination 192.168.10.3
        tunnel keepalive
        trusted
        tunnel vlan 1501
!

On DMZ-Master:

Create ipsec-map:
crypto-local ipsec-map To_HQ-Master 100
  peer-ip 30.0.0.2
  vlan 10
  src-net 192.168.10.0 255.255.255.0
  dst-net 192.168.30.2 255.255.255.255
  set transform-set "default-transform"
  pre-connect disable
  trusted disable
  uplink-failover disable
  force-natt disable
!
crypto-local ipsec-map To_HQ-standby 100
  peer-ip 30.0.0.3
  vlan 10
  src-net 192.168.10.0 255.255.255.0
  dst-net 192.168.30.3 255.255.255.255
  set transform-set "default-transform"
  pre-connect disable
  trusted disable
  uplink-failover disable
  force-natt disable
!

Create isakmp key:
crypto-local isakmp key "arubavpn123" address 30.0.0.0 netmask 255.255.255.0

Create an L3 interface as the GRE endpoint:
interface vlan 100
        ip address 192.168.10.2 255.255.255.0
        operstate up
!

Configure the GRE tunnels (only one will be up at a time):
interface tunnel 100
        description "Tunnel Interface"
        tunnel mode gre 1
        tunnel source vlan 100
        tunnel destination 192.168.30.2
        tunnel keepalive
        trusted
        tunnel vlan 1501
!
interface tunnel 101
        description "Tunnel Interface"
        tunnel mode gre 1
        tunnel source vlan 100
        tunnel destination 192.168.30.3
        tunnel keepalive
        trusted
        tunnel vlan 1501
!

On DMZ-Standby:

Create ipsec-map:
crypto-local ipsec-map yas-master 100
  peer-ip 30.0.0.2
  vlan 10
  src-net 192.168.10.0 255.255.255.0
  dst-net 192.168.30.2 255.255.255.255
  set transform-set "default-transform"
  pre-connect enable
  trusted disable
  uplink-failover disable
  force-natt disable
!

crypto-local ipsec-map yas-standby 100
  peer-ip 30.0.0.3
  vlan 10
  src-net 192.168.10.0 255.255.255.0
  dst-net 192.168.30.3 255.255.255.255
  set transform-set "default-transform"
  pre-connect enable
  trusted disable
  uplink-failover disable
  force-natt disable
!

Create isakmp key:
crypto-local isakmp key "arubavpn123" address 30.0.0.0 netmask 255.255.255.0

Create an L3 interface as the GRE endpoint:
interface vlan 100
        ip address 192.168.10.3 255.255.255.0
        operstate up
!

Configure the GRE tunnels (only one will be up at a time):
interface tunnel 100
        tunnel mode gre 1
        tunnel source vlan 100
        tunnel destination 192.168.30.2
        tunnel keepalive
        trusted
        tunnel vlan 1501
!
interface tunnel 101
        tunnel mode gre 1
        tunnel source vlan 100
        tunnel destination 192.168.30.3
        tunnel keepalive
        trusted
        tunnel vlan 1501
!
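Before committing the four configurations, it is worth checking mechanically that every GRE tunnel's (source IP, destination IP) pair falls inside an ipsec-map selector, because a GRE tunnel that no selector covers would not be carried inside IPsec, and that every tunnel has keepalive enabled, since keepalive is what takes a dead tunnel down so the other path can take over. The following Python script is an added example written for this page, not code from the article or from Aruba; the parser understands only the config lines used here, and the two sample configurations are constructed: one copied from the HQ-Master section above, the other a deliberately incomplete DMZ-Master in which the ipsec-map for HQ-Standby and one keepalive were left out.

```python
import ipaddress

def _blocks(text):
    """Yield (header, body_lines) for each '!'-terminated ArubaOS config block."""
    for chunk in text.split("\n!"):
        lines = [l.strip() for l in chunk.splitlines() if l.strip()]
        if lines:
            yield lines[0], lines[1:]

def parse_config(text):
    """Extract ipsec-map selectors, VLAN interface addresses and GRE tunnel endpoints."""
    cfg = {"ipsec_maps": {}, "vlan_ips": {}, "tunnels": {}}
    for header, body in _blocks(text):
        h = header.split()
        if header.startswith("crypto-local ipsec-map"):
            m = {}
            for w in (l.split() for l in body):
                if w[0] == "peer-ip":
                    m["peer_ip"] = ipaddress.ip_address(w[1])
                elif w[0] in ("src-net", "dst-net"):  # "addr mask" -> network
                    m[w[0]] = ipaddress.ip_network(f"{w[1]}/{w[2]}", strict=False)
            cfg["ipsec_maps"][h[2]] = m
        elif header.startswith("interface vlan"):
            for w in (l.split() for l in body):
                if w[:2] == ["ip", "address"]:
                    cfg["vlan_ips"][int(h[2])] = ipaddress.ip_address(w[2])
        elif header.startswith("interface tunnel"):
            t = {"keepalive": False}
            for w in (l.split() for l in body):
                if w[:3] == ["tunnel", "source", "vlan"]:
                    t["source_vlan"] = int(w[3])
                elif w[:2] == ["tunnel", "destination"]:
                    t["destination"] = ipaddress.ip_address(w[2])
                elif w[:2] == ["tunnel", "keepalive"]:
                    t["keepalive"] = True
            cfg["tunnels"][f"tunnel {h[2]}"] = t
    return cfg

def uncovered_tunnels(cfg):
    """Tunnels whose (source IP, destination IP) pair no ipsec-map selector covers;
    their GRE packets would not be carried inside IPsec."""
    bad = []
    for name, t in cfg["tunnels"].items():
        src = cfg["vlan_ips"].get(t.get("source_vlan"))
        dst = t.get("destination")
        covered = src is not None and dst is not None and any(
            "src-net" in m and "dst-net" in m and src in m["src-net"] and dst in m["dst-net"]
            for m in cfg["ipsec_maps"].values())
        if not covered:
            bad.append(name)
    return bad

def tunnels_without_keepalive(cfg):
    """Tunnels that would stay up after the far end dies, so failover never happens."""
    return [n for n, t in cfg["tunnels"].items() if not t["keepalive"]]

# Constructed sample: the HQ-Master fragment from this article (key material omitted).
HQ_MASTER = """\
crypto-local ipsec-map To_DMZ 100
  peer-ip 10.0.0.1
  src-net 192.168.30.0 255.255.255.0
  dst-net 192.168.10.0 255.255.255.0
!
interface vlan 100
  ip address 192.168.30.2 255.255.255.0
!
interface tunnel 100
  tunnel source vlan 100
  tunnel destination 192.168.10.2
  tunnel keepalive
!
interface tunnel 101
  tunnel source vlan 100
  tunnel destination 192.168.10.3
  tunnel keepalive
!
"""
# Constructed failure case (not from the article): a DMZ-Master where the ipsec-map
# for HQ-Standby was forgotten and the keepalive was left off tunnel 100.
DMZ_MASTER_INCOMPLETE = """\
crypto-local ipsec-map To_HQ-Master 100
  peer-ip 30.0.0.2
  src-net 192.168.10.0 255.255.255.0
  dst-net 192.168.30.2 255.255.255.255
!
interface vlan 100
  ip address 192.168.10.2 255.255.255.0
!
interface tunnel 100
  tunnel source vlan 100
  tunnel destination 192.168.30.2
!
interface tunnel 101
  tunnel source vlan 100
  tunnel destination 192.168.30.3
  tunnel keepalive
!
"""

if __name__ == "__main__":
    for label, text in (("HQ-Master", HQ_MASTER), ("DMZ-Master", DMZ_MASTER_INCOMPLETE)):
        cfg = parse_config(text)
        print(label, "uncovered:", uncovered_tunnels(cfg),
              "no keepalive:", tunnels_without_keepalive(cfg))
```

Run against the incomplete DMZ-Master the check reports tunnel 101 as uncovered (its destination 192.168.30.3 lies outside the single /32 dst-net) and tunnel 100 as lacking keepalive; the HQ-Master fragment passes both checks because its /24 selectors cover both DMZ endpoints.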



Verification:

(Aruba7010) #show crypto ipsec sa

IPSEC SA Active Session Information
-----------------------------------
Initiator IP     Responder IP     InitiatorID     ResponderID     Flags  Start Time       Inner IP
------------     ------------     -----------     -----------     -----  ---------------  --------
30.0.0.2         10.0.0.2         30.0.0.2/32     10.0.0.2/32     T      Nov 30 05:46:38  -

(Aruba7010) (config) #show ip interface brief

Interface                   IP Address / IP Netmask        Admin   Protocol
tunnel 101                  unassigned / unassigned        up      up

The IPsec SA toward the DMZ pair is established, and only one of the two GRE tunnels (tunnel 101) shows protocol up.

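The two show commands above are enough to script a health check for one site: the IPsec SA table must contain an SA with one of the expected peers, and exactly one GRE tunnel must show protocol up (none means the site is cut off, two means the carried VLAN is bridged twice and can loop). The Python below is an added example for this page, not Aruba code; it parses constructed copies of the two outputs above, and the local and peer address sets are assumptions made for the HQ-Master controller.

```python
import re

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# One data row of "show crypto ipsec sa": initiator, responder, both IDs, flags, start time.
SA_ROW = re.compile(rf"^({IP})\s+({IP})\s+(\S+)\s+(\S+)\s+(\S+)\s+(\w{{3}} \d{{1,2}} \d\d:\d\d:\d\d)")
# One "tunnel N" row of "show ip interface brief": address / mask, admin, protocol.
TUNNEL_ROW = re.compile(r"^(tunnel \d+)\s+\S+ / \S+\s+(\S+)\s+(\S+)")

def parse_ipsec_sa(text):
    """Return the active SAs as dicts keyed by the table's column names."""
    rows = []
    for line in text.splitlines():
        m = SA_ROW.match(line.strip())
        if m:
            rows.append(dict(zip(("initiator", "responder", "initiator_id",
                                  "responder_id", "flags", "start"), m.groups())))
    return rows

def tunnel_states(text):
    """Map 'tunnel N' -> (admin, protocol) from 'show ip interface brief'."""
    states = {}
    for line in text.splitlines():
        m = TUNNEL_ROW.match(line.strip())
        if m:
            states[m.group(1)] = (m.group(2), m.group(3))
    return states

def check_site(sa_text, intf_text, local_ips, peer_ips):
    """Return the list of problems found; an empty list means the site is healthy."""
    problems = []
    peers = set()
    for sa in parse_ipsec_sa(sa_text):
        if sa["initiator"] in local_ips:
            peers.add(sa["responder"])
        elif sa["responder"] in local_ips:
            peers.add(sa["initiator"])
    if not peers & set(peer_ips):
        problems.append("no IPsec SA with an expected peer; GRE has no protected path")
    up = sorted(n for n, (_, proto) in tunnel_states(intf_text).items() if proto == "up")
    if not up:
        problems.append("no GRE tunnel is up; the site is isolated")
    elif len(up) > 1:
        problems.append(f"{len(up)} GRE tunnels up ({', '.join(up)}); VLAN bridged twice, loop risk")
    return problems

# Constructed sample outputs, modelled on the article's verification section.
IPSEC_SA_OUTPUT = """\
IPSEC SA Active Session Information
-----------------------------------
Initiator IP     Responder IP     InitiatorID    ResponderID    Flags  Start Time       Inner IP
------------     ------------     -----------    -----------    -----  ---------------  --------
30.0.0.2         10.0.0.2         30.0.0.2/32    10.0.0.2/32    T      Nov 30 05:46:38  -
"""
INTF_BRIEF_OUTPUT = """\
Interface                   IP Address / IP Netmask        Admin   Protocol
vlan 100                    192.168.30.2 / 255.255.255.0   up      up
tunnel 100                  unassigned / unassigned        up      down
tunnel 101                  unassigned / unassigned        up      up
"""
# Same site, but both GRE tunnels came up: the loop condition the article warns about.
INTF_BRIEF_BOTH_UP = INTF_BRIEF_OUTPUT.replace("down", "up")

# Assumed addressing for HQ-Master: its own IKE address, and the DMZ pair's VRRP
# address plus both physical addresses (the SA table may show either form).
HQ_MASTER_LOCAL = {"30.0.0.2"}
DMZ_PEERS = {"10.0.0.1", "10.0.0.2", "10.0.0.3"}

if __name__ == "__main__":
    print(check_site(IPSEC_SA_OUTPUT, INTF_BRIEF_OUTPUT, HQ_MASTER_LOCAL, DMZ_PEERS))
    print(check_site(IPSEC_SA_OUTPUT, INTF_BRIEF_BOTH_UP, HQ_MASTER_LOCAL, DMZ_PEERS))
```

The first call returns an empty list (one SA with a DMZ address, exactly one tunnel up); the second flags the two-tunnels-up condition, which is the case to alarm on because it means the redundancy design has silently turned into a bridged loop.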
Version history: revision 2 of 2, last updated 03-15-2019 01:22 PM