Home > Articles > Security > Network Security

Dial Backup for IPSec Tunnels

Network availability in a VPN environment can be significantly enhanced through support of redundant communications links, either in the form of VPNs through other ISPs or, as discussed in this article, via dial backup.
This article demonstrates one way that the concepts developed in the author's book High Availability Networking with Cisco (Addison-Wesley, 2001, ISBN 0-201-70455-2) can be adapted to other applications.

Building a virtual private network (VPN) using IP Security Protocol (IPSec) tunnels is a popular cost-saving approach to wide area networking. One disadvantage of using a VPN is the lack of tools to provide resilience in the face of router, firewall, or network failure. The challenge is to detect failure of an IPSec tunnel so that an alternate route can be used. This article looks at how the Border Gateway Protocol (BGP), normally associated with routing between routing domains on the Internet, can be used to drive ISDN dial backup in a VPN using firewalls to provide an IPSec tunnel between LANs at two locations.

Background

VPNs are growing in popularity due to their ability to reduce WAN costs. Tempering this growth trend is the difficulty of providing useful redundancy so that network operations can continue uninterrupted despite failures that disrupt the ability of a particular link to carry traffic.

The underlying challenge is that useful redundancy requires the ability to detect when a link is down so that an alternate link, such as dial backup, can be used. If a failed link is not detected, it becomes a black hole for all traffic attempting to use that link.

Interior gateway protocols such as RIP, OSPF, and Cisco's EIGRP assume that routing exchanges are always between routers on a common subnetwork. While there is considerable flexibility in the choice of underlying subnetworks, ranging from Ethernet LANs to ATM and frame relay WANs, there is no provision for supporting neighbor relationships between routers that are not on the same IP subnetwork. In a VPN where the connectivity is via IPSec tunnels, this adjacency requirement is no longer satisfied, and configurations suitable for point-to-point or LAN links won't work.

Adding to the confusion are the many different ways that a VPN can be implemented. While all approaches may provide similar functionality to the end user, they can be very different from the point of view of the routers trying to establish and maintain reliable communications. Even a decision as rudimentary as whether the IPSec tunnels terminate on the firewalls or on the inside routers can fundamentally change the available solutions.

InformIT Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from InformIT and its family of brands. I can unsubscribe at any time.