In order to create two redundant IPsec tunnels to two destinations, I have created two IPsec policies with the same src-address and dst-address, but with a different sa-dst-address. This results in two properly set up SAs to the two destinations, but for some reason one of the policies shows as “IA” (invalid/active):
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default
0 TX* group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes
1 A src-address=<network-a> src-port=any dst-address=<network-b> dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=<my-ip> sa-dst-address=<peer-1> proposal=my-proposal ph2-count=1
2 IA src-address=<network-a> src-port=any dst-address=<network-b> dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=<my-ip> sa-dst-address=<peer-2> proposal=my-proposal ph2-count=1
What am I doing wrong?
By the way, this is on a CCR1009 with firmware 6.40.1.
Oh, I forgot to write that when I tear down the active peer, I lose connectivity, so no redundancy there, which is what I was expecting.
The policy which is marked “Invalid” and “Active” doesn’t become “Active” automatically. It stays “IA”, until I disable and re-enable it. But this is not what I expect.
Remove those policies and make GRE tunnels with IPsec transport instead.
Put /30 addresses on those tunnel interfaces and run a routing protocol like BGP or OSPF to route your subnets.
The routing protocol will select from the tunnels that actually work. When one goes down, the alternate will be used.
I use this method with a 3-location network with 6 tunnels: between each location there is a GRE and a GRE6 (GRE over IPv6) tunnel,
and BGP (with private AS#) as routing protocol. Each location has several subnets (separate for data and voice, and some for management).
It works very well. When IPv4 or IPv6 connectivity fails, it just uses the other one.
This kind of network is very hard to get right when using plain IPsec tunnels, for reasons you already discovered.
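As an added example, not configuration from the answer's author: a RouterOS 6.40-era CLI sketch of the design described above (GRE interfaces protected by IPsec transport-mode policies, /30 addresses on the tunnels, OSPF choosing the working path). The angle-bracket placeholders are the question's own; the tunnel addresses, interface names, OSPF costs and pre-shared-key placeholders are constructed assumptions, and the remote routers need the mirror-image configuration.

```routeros
# Added example (not the poster's configuration), for the router that owns <my-ip>.
# Angle-bracket values come from the question; everything else is constructed.

# 1. One IPsec peer per remote endpoint (6.40 syntax, before peer profiles/identities)
/ip ipsec peer
add address=<peer-1>/32 auth-method=pre-shared-key secret="<psk-1>" exchange-mode=main
add address=<peer-2>/32 auth-method=pre-shared-key secret="<psk-2>" exchange-mode=main

# 2. Transport-mode policies (tunnel=no) that protect only GRE between the endpoint
#    addresses. Each policy has its own selector (its own peer address), so both can be
#    active at the same time, unlike the two tunnel-mode policies in the question that
#    shared the single <network-a> -> <network-b> selector.
/ip ipsec policy
add src-address=<my-ip>/32 dst-address=<peer-1>/32 protocol=gre action=encrypt level=require ipsec-protocols=esp tunnel=no sa-src-address=<my-ip> sa-dst-address=<peer-1> proposal=my-proposal
add src-address=<my-ip>/32 dst-address=<peer-2>/32 protocol=gre action=encrypt level=require ipsec-protocols=esp tunnel=no sa-src-address=<my-ip> sa-dst-address=<peer-2> proposal=my-proposal

# 3. One GRE interface per peer; keepalives take the interface down when the path
#    fails so the routing protocol withdraws the routes learned over it
/interface gre
add name=gre-peer1 local-address=<my-ip> remote-address=<peer-1> keepalive=10s,10
add name=gre-peer2 local-address=<my-ip> remote-address=<peer-2> keepalive=10s,10

# 4. Point-to-point /30 addresses on the tunnels (constructed)
/ip address
add address=10.255.0.1/30 interface=gre-peer1
add address=10.255.0.5/30 interface=gre-peer2

# 5. OSPF over both tunnels; connected subnets (<network-a>) are redistributed so the
#    far side learns them via whichever tunnel is currently up
/routing ospf instance
set default router-id=10.255.0.1 redistribute-connected=as-type-1
/routing ospf network
add network=10.255.0.0/30 area=backbone
add network=10.255.0.4/30 area=backbone
/routing ospf interface
add interface=gre-peer1 network-type=point-to-point cost=10
add interface=gre-peer2 network-type=point-to-point cost=20
```

After applying it, `/ip ipsec policy print` should show both transport policies flagged A (not IA), and `/routing ospf neighbor print` should list a neighbor over each tunnel; disabling one GRE interface should leave the routes pointing at the other.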