HotBrick VPN 800-2 User Manual

Firewall HotBrick LB-2 VPN or VPN 800/2
How To
How to set up VPN Failover on the LB-2 VPN or VPN 800/2
How to Establish VPN Failover using the LB2 VPN or VPN 800/2
This document describes a scenario for testing the VPN Redundancy (or Failover) feature of the LB2 VPN (with or without requiring a license key) and the VPN 800/2.
What is VPN Redundancy? VPN Redundancy is similar to the Connection Failover feature on the LB2 VPN and VPN 800/2. The purpose of VPN Redundancy is to provide an automatic backup connection for VPN traffic.
This is different from simply building two VPN tunnels at the same time: having two concurrent VPNs does not by itself mean that redundancy is present. Redundant VPNs means there is a backup VPN tunnel for the active tunnel. If the active tunnel fails, the backup tunnel takes its place and keeps traffic moving through the tunnel.
There is no load balancing inside VPN tunnels. Load balancing is only available for internet traffic.
Initial considerations:
This document is applicable to the related products:
LB2 VPN
VPN 800/2
This document is based on a laboratory scenario illustrated in the diagram below.
Image 1: The conceptual scenario
How to set up VPN Failover on the LB-2 VPN or VPN 800/2 Property of HotBrick — 2005
The products used in this lab have the March/2005 firmware installed.
Image 1a: The LB2 VPN with March/2005 firmware installed
Image 1b: The VPN 800/2 with March/2005 firmware installed
This solution is recommended for scenarios where VPN redundancy is needed, required or desirable.
Two WAN connections are needed on every node of the VPN tunnel.
This example was built using Static IP connections on every WAN port, but it can also be used in scenarios where PPPoE or dynamic connections are in use.
In the worst case, redundancy can take up to 2 minutes before traffic resumes. The network design must accept this delay in the applications, software or other systems that depend on the VPN connection to work properly.
Step-by-Step Setup Procedure
Step 1: Setting up the VPN tunnels
First of all, it is necessary to establish two tunnels between both sites, always taking care to consider the WAN1 VPN tunnel as the mandatory, or principal, VPN Connection and the WAN2 VPN Tunnel (always) as the secondary or backup tunnel.
You will always have to build the tunnels connecting WAN1 to WAN1 and WAN2 to WAN2. For help on how to establish an IPSec VPN tunnel, search for the appropriate step-by-step procedure on our download webpage. For more information, go to http://www.hotbrick.com and the support section, then the download page.
Image 2a: The LB2 VPN Tunnels.
Image 2b: The VPN 800/2 Tunnels.
Step 2: Setting up the RIP2 protocol
As shown on the screenshot below, the RIP2 protocol should be enabled and activated for all network interfaces (LAN, WAN1 and WAN2).
Open the GUI interface of each product and click on the ‘Routing’ option under ‘Advanced setup’.
On ‘Dynamic Routing’, click on the ‘enable’ check-box on the RIP v2 line. It should appear checked. If it’s already checked, leave it that way.
Enable all the LAN, WAN1 and WAN2 check-boxes. Click on the ‘Submit’ button.
Image 3a: The LB2 VPN Routing page with all the check-boxes enabled.
Image 3b: The VPN 800/2 Routing page with all the check-boxes enabled.
The ‘system restarting’ message will appear. Wait for about 5 seconds before proceeding.
Image 4a: The LB2 VPN and VPN 800/2 restart messages are identical.
Step 3: Setting the specific Options for each VPN Tunnel
For each VPN tunnel (WAN1_WAN1 or WAN2_WAN2), the ‘Set Options’ page needs specific settings.
For the WAN1_WAN1 Tunnel on the LB2 VPN and the VPN 800/2: Click on the ‘Set Options’ button on the WAN1_WAN1 VPN Tunnel setup screen. The screen below (Image 5a and 5b) should appear.
Click on the ‘enable’ check-box on the ‘Detection’ line.
Click on the ‘ICMP’ radio-box on the ‘Check Method’ line.
Type the IP of the remote HotBrick appliance LAN network interface (LB2 VPN or VPN 800/2) in the ‘Host’ box.
Type ‘15’ in the ‘Check After Idle’ box.
Click on the ‘Remove Tunnel’ radio-box on the ‘Action’ line.
The other options shown are not directly related to VPN redundancy. They are options used for specific situations where VPNs are used or needed.
Image 5a: The LB2 VPN Set Options page. Note that ‘172.16.10.1’ is the LAN interface of the remote gateway.
Image 5b: The VPN 800/2 Set Options page. Note that ’10.10.1.1’ is the LAN interface of the remote gateway.
NOTE: Please do not consider the ‘WAN 1 Disconnected’ and the ‘Status Idle’ information on these screenshots.
After setting everything up, click on the ‘Set’ button. A message warning that the ‘Update’ button should be pressed will appear. The WAN1_WAN1 setup screen will appear. Click on the ‘Update’ button.
Image 6a: The LB2 VPN Update Message.
Image 6b: The VPN 800/2 Update Message.
Click on the ‘Update’ button. The Configuration change page will appear. Click on the ‘Reload Policy’ button. Repeat the same procedure for the WAN2_WAN2 tunnel. Repeat the same procedure on both sides of the VPN tunnel (On both sites). You should now be ready for the test procedures. If so, go to the next step.
Step 4. Testing the VPN Redundancy.
There are 2 major scenarios for testing VPN Redundancy. The first scenario occurs when you are on the side of the tunnel that established the initial connection and your side of the tunnel fails.
Image 7: The WAN1 connection of the local gateway crashes and the traffic then routes through the second VPN.
Start a ping -t command to an ICMP responder IP on the remote LAN. (For example: your desktop has IP 10.10.1.11 and you ping 172.16.10.11. The ping should start responding and will keep pinging until you stop it manually. For help in using the ping command, access the Microsoft Windows help system on your desktop.)
Image 8: An example of the ping -t command. The several response lines indicate that the opposite IP is responding.
Take care to ping an INTERNAL LAN IP ON THE OPPOSITE SIDE. Do not ping any valid internet IP or any other IP of your own LAN.
Go to the HotBrick product and pull the WAN1 connection (unplug it). The ping -t command will fail and, after a few seconds, will resume responding.
Image 9: An example of the ping -t command that fails for a brief moment.
This brief moment in which you can detect a failed connection (looking at the ping output) is the time the product took to establish the second tunnel and redirect the traffic requests through it.
In this scenario the time it took the product to back up the traffic using the second VPN (WAN2_WAN2) varied from 1 second to about 5 seconds. This value may vary for a number of reasons, including your connection, your local network configuration, and your desktop configuration.
Plug the WAN1 connection in again. The first VPN tunnel should start working again and the traffic should use it. Note that a few seconds after the connection has been re-established, the WAN1 LED will start to blink and WAN2 will stop blinking.
The second scenario (Image 10 – Scenario II) is when you are on the other side of the failed connection, which means that your local connection is fine but the remote site’s is not. The cause of either failure could be a broken link or just an unstable route. What matters is that, for some reason, that tunnel is no longer available.
Image 10: The WAN1 connection of the remote gateway crashes and the traffic routes through the second VPN.
Go to the HotBrick product and pull the WAN1 connection (unplug it) of the REMOTE SITE. The ping -t command will fail.
This second scenario, where your local connections are up and running, is the worst (slowest) case. It means that the traffic redirection could take up to 2 minutes to take place.
It happens because a delay time, built into the RIPv2 protocol, is necessary for both end-points to ‘talk’ to each other and negotiate the second route for the VPN traffic.
Image 11: An example of the ping -t command that fails for a long period.
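As an added example (not from the HotBrick manual), the following Python script parses a constructed sample of Windows ping -t output like that shown in Images 8, 9 and 11, measures the length of each outage in seconds, and checks the longest one against the 2-minute worst case stated earlier. It assumes the standard Windows reply and timeout line formats and one echo request per second.

```python
import re

# Constructed sample of Windows `ping -t` output during a failover test
# (not captured from the HotBrick lab); `ping -t` sends one request per second.
SAMPLE_PING_OUTPUT = """\
Reply from 172.16.10.11: bytes=32 time=21ms TTL=126
Reply from 172.16.10.11: bytes=32 time=20ms TTL=126
Request timed out.
Request timed out.
Request timed out.
Reply from 172.16.10.11: bytes=32 time=23ms TTL=126
Reply from 172.16.10.11: bytes=32 time=22ms TTL=126
"""

PING_INTERVAL_S = 1.0        # one echo request per second
WORST_CASE_BUDGET_S = 120.0  # the manual's stated worst case (scenario II): 2 minutes

REPLY_RE = re.compile(r"^Reply from \S+: bytes=\d+ time[=<]\d+ms TTL=\d+")
TIMEOUT_RE = re.compile(r"^Request timed out\.")

def parse_ping(text):
    """One bool per echo request: True = reply, False = timeout.
    Statistics and blank lines are ignored."""
    results = []
    for line in text.splitlines():
        line = line.strip()
        if REPLY_RE.match(line):
            results.append(True)
        elif TIMEOUT_RE.match(line):
            results.append(False)
    return results

def outage_windows(results):
    """(start_index, length) for each run of consecutive timeouts."""
    windows, start = [], None
    for i, ok in enumerate(results + [True]):  # sentinel closes a trailing run
        if not ok and start is None:
            start = i
        elif ok and start is not None:
            windows.append((start, i - start))
            start = None
    return windows

def failover_report(text):
    """Longest outage in seconds and whether it fits the manual's 2-minute worst case."""
    windows = outage_windows(parse_ping(text))
    longest_s = max((n for _, n in windows), default=0) * PING_INTERVAL_S
    return {"outages": len(windows), "longest_outage_s": longest_s,
            "within_budget": longest_s <= WORST_CASE_BUDGET_S}
```

Redirect the ping output to a file while you unplug WAN1, then pass the file contents to failover_report to get the measured switch-over time for each scenario.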
Other VPN Failover setups
You can also build additional VPN failover setups, according to your specific situation. Here are the three most common.
PS1: Setup A is the one described in this document. PS2: Setup B has VPN Failover for those cases where one end of the tunnel has only a single broadband internet connection.