Configuring the failover VPN topology using a peer-group

Last Updated : Nov 06, 2012 |

  1. Define the private VLAN1 and VLAN2 interfaces (IP address and mask), and define one of them as the PMI and ICC-VLAN.

  2. Define the public FastEthernet 10/3 interface (IP address and mask).

  3. Define the default gateway (the IP address of the next router).

  4. Define the object tracking configuration, and define when an object tracker is considered down, as follows:

    Define a track list that will monitor (by ICMP) five hosts behind the specific peer. If two or more hosts are not working then the object tracker is down. The Branch Gateway will then pass on to the next peer in the peer group list.

  5. Define the ISAKMP policy, using the crypto isakmp policy command.

  6. Define the 3 remote peers, using the crypto isakmp peer address command, and specify for each one:

    • the pre-shared key

    • the ISAKMP policy

    • keepalive track. This track is the object tracker that checks if the peer is still alive. If an active peer is considered dead, the next peer in the peer group becomes the active peer.

  7. Define a peer group that include all three remote peers, using the crypto isakmp peer-group command.

  8. Define the IPSEC transform-set, using the crypto ipsec transform-set command.

  9. Define the Crypto map entity, using the crypto map command.

  10. Define the crypto list as follows:

    1. Set the local address to the public interface name (for example, FastEthernet 10/3.0).

    2. For each private interface, define an ip-rule using the following format:

      • source-ip <private subnet> <private subnet wild card mast>. For example, 10.10.10.0 0.0.0.255

      • destination-ip any

      • protect crypto map 1

  11. Define the ingress access control list to protect the device from incoming traffic from the public interface, as follows:

    1. Permit IKE Traffic (UDP port 500) for VPN control traffic (IKE)

      Note:

      If you are using NAT Traversal, you must also open UDP port 4500 and 2070.

    2. Permit ESP traffic (IP Protocol ESP) for VPN data traffic (IPSEC)

    3. Permit ICMP traffic, to support PMTU application support, for a better fragmentation process

    4. For each private subnet, add a permit rule, with the destination being the private subnet, and the source being any. This traffic will be allowed only if it tunnels under the VPN, because of the crypto list.

    5. Define all other traffic (default rule) as deny in order to protect the device from non-secure traffic

  12. Optionally, define the egress access control list to protect the device from sending traffic that is not allowed to the public interface:

    1. Permit IKE Traffic (UDP port 500) for VPN control traffic (IKE)

      Note:

      If you are using NAT Traversal, you also need to open UDP port 4500 and 2070.

    2. Permit ESP traffic (IP Protocol ESP) for VPN data traffic (IPSEC)

    3. Permit ICMP traffic, to support the PMTU application, for a better fragmentation process

    4. For each private subnet add a permit rule, with the source being the private subnet, and the destination being any

    5. Define all other traffic (default rule) as deny in order to protect the device from sending non-secure traffic

  13. Activate the crypto list, the ingress access control list, and the egress access control list, on the public interface.

Related information
IPSec VPN