IPSec Peer Backup Behavior in Asymmetric Routing Scenario

IPSec Peer Backup feature is a name that is not really widely know to all the cisco guys out there because it is mostly hidden behind the ability to put two (or more) IPSec peer IPs to a single crypto-map statement. In this article, I will provide a little insight to this feature that, with luck, will make you appreciate the complex operations with all the management/transport IPSec tunnels that must be handled when this feature is in use. Recently I put this feature to the limits in asymmetric routing environment and I want to share some lab results.

Contents

Peer Backup Feature

Let’s start with the basic topology and configuration of the feature itself. I will not provide IPSec configuration details as I am sure there are many sources for this on the internet, I will only show the interesting parts.

In this lab, I used Cisco ASA to use the IPSec Peer Backup feature, but the exactly same functionality is available on IOS routers as well. So in my lab, the configuration was:

crypto map IPSec_map 10 match address ecnrypt_acl
# NOTE TWO PEERS IN THE FOLLOWING LINE
crypto map IPSec_map 10 set peer 5.100.34.3 5.100.42.2
crypto map IPSec_map 10 set transform-set myset
crypto map IPSec_map interface outside

If you want, you can change this lab topology from ASA to IOS router and just change the crypto-map to IOS based syntax:

crypto map mmax-map 10 ipsec-isakmp
  set peer 5.100.34.3 
  set peer 5.100.42.2
  set transform-set myset
  match address encrypt_acl

Routing asymmetry configuration

The routing is setup in the following way using only static routes to create the whole scenario with asymmetric routing and R4 “playing” Internet:

1. R4 simulates Internet. R4 routes only between the directly connected networks.
2. ASA, R2 and R3 have default route pointing to the Internet (R4)
3. R5 has default route pointing to ASA
4. R6 has routing to 10.26.242.1/24 via R2 and 10.26.242.1/24 via R3

Scenario A

(ASA starts communication with “wrong” peer for returning traffic)

1. R5 sends “icmp” ping from 10.26.241.1 to 195.160.0.1 (on R6).
2. ASA matches crypto traffic and chooses first peer 5.100.34.3 (R3) and establishes IPSec tunnel for encryption domain 10.26.241.0/24-195.160.0.1/26
3. Icmp ping is transported encrypted to R2, R2 decrypts the packet and forwards to R6.

Scenario A - part 1 — Scenario A – part 1

4. R6 gets Icmp ping “echo request” and generates icmp “echo reply” packet.
5. R6 however has next hop of 5.100.26.2 (R2) as next hop for destination of the reply packet (10.26.241.1). So the packet is forwarded to R2.
6. On R2, the packet will match the crypto map and R2 starts to negotiate IPSec tunnel to ASA.

Scenario A - part 2 — Scenario A – part 2

7. Once the R2 successfully establishes the tunnel to ASA, ASA will graciously drop the tunnel to R3
8. ALL subsequent communication is flowing between 10.26.241.0/24-195.160.0.0/26 via IPSec tunnel of ASA to R2

Scenario A - part 3 — Scenario A – part 3

Scenario B

(Encryption domain on ASA side has two subnets (on lo0/lo1) and R6 has different “return” routes to these destinations via R2 and R3):

1. R5 sends “icmp” ping from 10.26.241.1 to 195.160.0.1 (on R6). And also from 10.26.242.1 to 195.160.0.1 (on R6).
2. ASA matches crypto traffic and chooses first peer 5.100.34.3 (R3) and establishes IPSec tunnel for both encryption domains 10.26.241.0/24-195.160.0.1/26 and 10.26.242.0/24-195.160.0.1/26
3. Icmp pings are transported encrypted to R2, R2 decrypts the packets and forwards them to R6.

Scenario B - part 1 — Scenario B – part 1

4. R6 gets Icmp ping “echo requests” and generates icmp “echo reply” packets for both destinations.
5. R6 however has next hop of 5.100.26.2 (R2) as next hop for destination of the reply packet (10.26.241.1). So the packet is forwarded to R2. For 10.26.242.1 the next hop is R3.
6. On R2, the packet will match the crypto map and R2 starts to negotiate IPSec tunnel to ASA.

Scenario B - part 2 — Scenario B – part 2

7. Once the R2 successfully establishes the tunnel to ASA, ASA will graciously drop ONLY phase 2 Ipsec transport tunnel for encryption domain 10.26.241.0/24-195.160.0.1/26 previously established with R3
8. ALL subsequent communication between 10.26.241.0/24-195.160.0.0/26 is flowing via IPSec tunnel from ASA to R2, and for 10.26.242.0/24-195.160.0.0/26 vie tunnel from ASA to R3

Scenario B - part 3 — Scenario B – part 3

Summary

In summary, this small ability can be a life-saver when used and it is very easy to use as you only add multiple peer IPs to the crypto-map definition, yet the mechanisms behind the scenes are complex.

I hope you enjoyed this article first new year (2012) article.

Peter

kokotina

vmWare vRealize Automation (with embedded vRO) – Full Example of Custom Resources for Executing Ansible Playbooks from Blueprints

Network Topology Visualization #3 – Exploring other D3 visualization options for a DataCenter

[mini-update] Network Topology Visualization #2 – Using SNMP as data source and enhanced visuals

Autopilot for Elite Dangerous using OpenCV and thoughts on CV enabled bots in visual-to-keyboard loop

Network Topology Visualization – Example of Using LLDP Neighborships, NETCONF and little Python/Javascript

HP Networking/Comware NETCONF interface quick tutorial (using python’s ncclient and pyhpecw7)

[minipost] Protecting SSH on Mikrotik with 3-strike SSH ban using only firewall rules

Example of private VLAN isolation across Virtual and Physical servers using ESX/dvSwitch and HP Networking Comware switches

HPE’s DCN / Nuage SDN – Part 3 – REST API introduction

[minipost] Capturing bidirectional traffic of virtual machine (VMs) on vmWare ESX 6.x

HPE’s DCN / Nuage SDN – Part 2 – First Steps Creating Virtual/Overlay Customer Network

HPE’s DCN / Nuage SDN – Part 1 – Introduction and LAB Installation Tutorial

Tutorial for small Hadoop cloud cluster LAB using virtual machines and compiling/running first “Hello World” Map-Reduce example project

Ping on you! – Beta 2.0 is online

[minipost]Quick LAB/config example for IPv6 BGP between HP Networking Comware v5 andCisco

Ping on You! – small weekend web/CGI project

[minipost] Windows partition editing with diskpart

Checkpoint Firewall CLI tool “dbedit” and quick lab examples

Soviet Mi-24V Hind E, 1/72 scale

Tutorial for creating first external SDN application for HP SDN VAN controller – Part 3/3: “Node Cutter” SDN application in perl with web interface

Tutorial for creating first external SDN application for HP SDN VAN controller – Part 2/3: Influencing Flows via cURL commands

Tutorial for creating first external SDN application for HP SDN VAN controller – Part 1/3: LAB creation and REST API introduction

Tutorial: Email server for a small company – including IMAP for mobiles, SPF and DKIM

Eycalyptus – cloud introduction and auto-scaling tutorial