5. Validation

5.1. VRRP failover and HA swact

A first test consists of forcing VPN Concentrator 1 (the VRRP master) into the fault state by disabling one of its VRRP interfaces. Its VRRP state should move to fault and VPN Concentrator 2 should become master. The IKE state should follow the VRRP state: the IKE SAs must transition to ESTABLISHED on VPN Concentrator 2 and to PASSIVE on VPN Concentrator 1. The IKE and CHILD SA SPIs must be identical on both nodes, which confirms that the SAs were synchronized by the HA group rather than renegotiated.

Disable a VRRP interface on VPN Concentrator 1:

concentrator1-vm> edit running
concentrator1-vm running config# vrf main interface physical ntfp1 enabled false
concentrator1-vm running config# commit
Configuration committed.

The VRRP state is changed to fault:

concentrator1-vm running config# show state vrf main vrrp
vrrp
    enabled true
    router-id concentrator1
    traps-enabled false
    group vrrp_group
        instance vrrp_lan
        instance vrrp_public
        notify-ha-group ha_for_ike
        state fault
        ..
    ..
concentrator1-vm running config#

The VRRP state is changed to master on VPN Concentrator 2:

concentrator2-vm> show state vrf main vrrp
vrrp
    enabled true
    router-id concentrator2
    traps-enabled false
    group vrrp_group
        instance vrrp_lan
        instance vrrp_public
        notify-ha-group ha_for_ike
        state master
        ..
    ..
concentrator2-vm>

The IKE state is changed to PASSIVE on VPN Concentrator 1:

concentrator1-vm running config# show ike ike-sa details
vpn_hq: #2, PASSIVE, IKEv2, 7a0e17fba5af1ed4_i b7d2d02835fd0952_r
  local  'concentrator.6wind.com' @ 66.66.66.66[500]
  remote 'user2@dev.6wind.com' @ 2.2.2.2[500]
  aes128-cbc/hmac-sha512/hmac-sha512/modp2048
  access_to_lan: #2, reqid 2, INSTALLED, TUNNEL, esp:aes128-cbc/hmac-sha256
    installed 781s ago, rekeying in 2521s, expires in 3179s
    in  c7b832c7, 0 bytes, 0 packets
    out c104ceb4, 0 bytes, 0 packets
    local  172.30.0.0/24
    remote 172.31.0.2/32
vpn_hq: #1, PASSIVE, IKEv2, 080d80b4b06a2b2c_i ae34351d8c1c30d0_r
  local  'concentrator.6wind.com' @ 66.66.66.66[500]
  remote 'user1@dev.6wind.com' @ 1.1.1.1[500]
  aes128-cbc/hmac-sha512/hmac-sha512/modp2048
  access_to_lan: #1, reqid 1, INSTALLED, TUNNEL, esp:aes128-cbc/hmac-sha256
    installed 804s ago, rekeying in 2578s, expires in 3156s
    in  ca18ffbd, 0 bytes, 0 packets
    out c095e9c5, 0 bytes, 0 packets
    local  172.30.0.0/24
    remote 172.31.0.1/32
concentrator1-vm running config#

The IKE state is changed to ESTABLISHED on VPN Concentrator 2:

concentrator2-vm> show ike ike-sa details
vpn_hq: #2, ESTABLISHED, IKEv2, 7a0e17fba5af1ed4_i b7d2d02835fd0952_r
  local  'concentrator.6wind.com' @ 66.66.66.66[500]
  remote 'user2@dev.6wind.com' @ 2.2.2.2[500]
  aes128-cbc/hmac-sha512/hmac-sha512/modp2048
  established 49s ago, rekeying in 13976s
  access_to_lan: #2, reqid 2, INSTALLED, TUNNEL, esp:aes128-cbc/hmac-sha256
    installed 829s ago, rekeying in 2751s, expires in 3131s
    in  c7b832c7, 0 bytes, 0 packets
    out c104ceb4, 0 bytes, 0 packets
    local  172.30.0.0/24
    remote 172.31.0.2/32
vpn_hq: #1, ESTABLISHED, IKEv2, 080d80b4b06a2b2c_i ae34351d8c1c30d0_r
  local  'concentrator.6wind.com' @ 66.66.66.66[500]
  remote 'user1@dev.6wind.com' @ 1.1.1.1[500]
  aes128-cbc/hmac-sha512/hmac-sha512/modp2048
  established 49s ago, rekeying in 13662s
  access_to_lan: #1, reqid 1, INSTALLED, TUNNEL, esp:aes128-cbc/hmac-sha256
    installed 842s ago, rekeying in 2556s, expires in 3118s
    in  ca18ffbd, 0 bytes, 0 packets
    out c095e9c5, 0 bytes, 0 packets
    local  172.30.0.0/24
    remote 172.31.0.1/32

concentrator2-vm>
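The two listings above have to be compared by eye. The Python script below is an added example, not code from the 6WIND documentation or product, that parses the output of show ike ike-sa details collected from both concentrators and checks the HA invariant this test relies on: every IKE_SA (identified by its SPI pair) is known to both nodes, is ESTABLISHED on exactly one of them and PASSIVE on the other, and its CHILD_SAs are INSTALLED with the same SPIs on both. The regular expressions are an assumption derived only from the output format shown above, and the sample listings are trimmed copies of those outputs; the script runs off-box on pasted or scripted CLI output.

```python
import re
from dataclasses import dataclass, field

# Line formats of "show ike ike-sa details" as printed above (assumed from that output only).
IKE_RE = re.compile(r"^(?P<name>\S+): #\d+, (?P<state>[A-Z]+), IKEv\d, "
                    r"(?P<spi_i>[0-9a-f]{16})_i (?P<spi_r>[0-9a-f]{16})_r$")
REMOTE_RE = re.compile(r"^\s+remote '(?P<ident>[^']+)' @ (?P<addr>\S+)\[\d+\]$")
CHILD_RE = re.compile(r"^\s+(?P<name>\S+): #\d+, reqid (?P<reqid>\d+), (?P<state>[A-Z]+), \w+, esp:\S+$")
SPI_RE = re.compile(r"^\s+(?P<dir>in|out)\s+(?P<spi>[0-9a-f]{8}), \d+ bytes, \d+ packets$")


@dataclass
class ChildSA:
    name: str
    reqid: int
    state: str
    spi_in: str = ""
    spi_out: str = ""


@dataclass
class IkeSA:
    name: str
    state: str
    spi_i: str
    spi_r: str
    remote_id: str = ""
    remote_addr: str = ""
    children: list = field(default_factory=list)


def parse_ike_sa_details(text):
    """Parse the CLI listing into IkeSA objects; unrecognised lines are ignored."""
    sas, ike, child = [], None, None
    for line in text.splitlines():
        if m := IKE_RE.match(line):
            ike = IkeSA(m["name"], m["state"], m["spi_i"], m["spi_r"])
            sas.append(ike)
            child = None
        elif ike is None:
            continue
        elif m := REMOTE_RE.match(line):
            ike.remote_id, ike.remote_addr = m["ident"], m["addr"]
        elif m := CHILD_RE.match(line):
            child = ChildSA(m["name"], int(m["reqid"]), m["state"])
            ike.children.append(child)
        elif (m := SPI_RE.match(line)) and child is not None:
            setattr(child, "spi_" + m["dir"], m["spi"])
    return sas


def check_ha_pair(node_a, node_b):
    """Return a list of problems (empty when the pair is consistent): every IKE_SA, identified
    by its SPI pair, must exist on both nodes, be ESTABLISHED on exactly one and PASSIVE on the
    other, and carry the same INSTALLED CHILD_SA SPIs on both (i.e. synced, not rebuilt)."""
    a = {(sa.spi_i, sa.spi_r): sa for sa in parse_ike_sa_details(node_a)}
    b = {(sa.spi_i, sa.spi_r): sa for sa in parse_ike_sa_details(node_b)}
    problems = [f"IKE_SA {spi_i} known to only one node" for spi_i, _ in sorted(set(a) ^ set(b))]
    for key in sorted(set(a) & set(b)):
        sa_a, sa_b = a[key], b[key]
        if {sa_a.state, sa_b.state} != {"ESTABLISHED", "PASSIVE"}:
            problems.append(f"IKE_SA {key[0]} ({sa_a.remote_id}): states {sa_a.state}/{sa_b.state}, "
                            "expected one ESTABLISHED and one PASSIVE")
        ch_a = {(c.reqid, c.spi_in, c.spi_out) for c in sa_a.children if c.state == "INSTALLED"}
        ch_b = {(c.reqid, c.spi_in, c.spi_out) for c in sa_b.children if c.state == "INSTALLED"}
        if not ch_a or ch_a != ch_b:
            problems.append(f"IKE_SA {key[0]}: INSTALLED CHILD_SA SPIs differ: {ch_a} vs {ch_b}")
    return problems


def active_node(**nodes):
    """Map each remote identity to the node (keyword name) where its IKE_SA is ESTABLISHED."""
    return {sa.remote_id: name for name, text in nodes.items()
            for sa in parse_ike_sa_details(text) if sa.state == "ESTABLISHED"}


# Constructed samples: the two listings above, trimmed to the lines the checks use.
CONCENTRATOR1 = """\
vpn_hq: #2, PASSIVE, IKEv2, 7a0e17fba5af1ed4_i b7d2d02835fd0952_r
  remote 'user2@dev.6wind.com' @ 2.2.2.2[500]
  access_to_lan: #2, reqid 2, INSTALLED, TUNNEL, esp:aes128-cbc/hmac-sha256
    in  c7b832c7, 0 bytes, 0 packets
    out c104ceb4, 0 bytes, 0 packets
vpn_hq: #1, PASSIVE, IKEv2, 080d80b4b06a2b2c_i ae34351d8c1c30d0_r
  remote 'user1@dev.6wind.com' @ 1.1.1.1[500]
  access_to_lan: #1, reqid 1, INSTALLED, TUNNEL, esp:aes128-cbc/hmac-sha256
    in  ca18ffbd, 0 bytes, 0 packets
    out c095e9c5, 0 bytes, 0 packets
"""
CONCENTRATOR2 = CONCENTRATOR1.replace("PASSIVE", "ESTABLISHED")

if __name__ == "__main__":
    print(check_ha_pair(CONCENTRATOR1, CONCENTRATOR2) or "HA pair consistent")
    print(active_node(concentrator1=CONCENTRATOR1, concentrator2=CONCENTRATOR2))
```

Running it after each step of the test gives a one-line verdict instead of a visual diff of two listings; a non-empty result after the VRRP state has settled points at an HA sync problem (an SA rebuilt on the new master, or both nodes believing they are active).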

5.2. VRRP and HA swact back to initial state

A second test consists of launching a ping from road warrior 1 (it should succeed, as its traffic now goes through VPN Concentrator 2), then re-enabling the disabled interface on VPN Concentrator 1. VPN Concentrator 1 should hold in the backup state for 60 seconds, then preempt and take back the master role; the IKE state should transition accordingly, and the ping should not be interrupted.

Start ping from road warrior 1:

warrior1-vm> show interface details name int_vlan1
7: int_vlan1@ntfp1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether de:ed:01:53:da:36 brd ff:ff:ff:ff:ff:ff
    inet 1.1.1.1/24 scope global int_vlan1
       valid_lft forever preferred_lft forever
    inet 172.31.0.1/32 scope global int_vlan1
       valid_lft forever preferred_lft forever
    inet6 fe80::dced:1ff:fe53:da36/64 scope link
       valid_lft forever preferred_lft forever
warrior1-vm> cmd ping 172.30.0.10 source 172.31.0.1
PING 172.30.0.10 (172.30.0.10) from 172.31.0.1 : 56(84) bytes of data.
64 bytes from 172.30.0.10: icmp_seq=1 ttl=63 time=1.28 ms
64 bytes from 172.30.0.10: icmp_seq=2 ttl=63 time=0.770 ms
64 bytes from 172.30.0.10: icmp_seq=3 ttl=63 time=0.641 ms
(...)

Check the IKE and VRRP states on VPN Concentrator 1 (respectively PASSIVE and fault, since its interface is still disabled):

concentrator1-vm running config# show ike ike-sa details
vpn_hq: #2, PASSIVE, IKEv2, 7a0e17fba5af1ed4_i b7d2d02835fd0952_r
  local  'concentrator.6wind.com' @ 66.66.66.66[500]
  remote 'user2@dev.6wind.com' @ 2.2.2.2[500]
  aes128-cbc/hmac-sha512/hmac-sha512/modp2048
  access_to_lan: #2, reqid 2, INSTALLED, TUNNEL, esp:aes128-cbc/hmac-sha256
    installed 781s ago, rekeying in 2521s, expires in 3179s
    in  c7b832c7, 0 bytes, 0 packets
    out c104ceb4, 0 bytes, 0 packets
    local  172.30.0.0/24
    remote 172.31.0.2/32
vpn_hq: #1, PASSIVE, IKEv2, 080d80b4b06a2b2c_i ae34351d8c1c30d0_r
  local  'concentrator.6wind.com' @ 66.66.66.66[500]
  remote 'user1@dev.6wind.com' @ 1.1.1.1[500]
  aes128-cbc/hmac-sha512/hmac-sha512/modp2048
  access_to_lan: #1, reqid 1, INSTALLED, TUNNEL, esp:aes128-cbc/hmac-sha256
    installed 804s ago, rekeying in 2578s, expires in 3156s
    in  ca18ffbd, 0 bytes, 0 packets
    out c095e9c5, 0 bytes, 0 packets
    local  172.30.0.0/24
    remote 172.31.0.1/32

concentrator1-vm running config# show state vrf main vrrp
vrrp
    enabled true
    router-id concentrator1
    traps-enabled false
    group vrrp_group
        instance vrrp_lan
        instance vrrp_public
        notify-ha-group ha_for_ike
        state fault
        ..
    ..
concentrator1-vm running config#

The IPsec traffic goes through VPN Concentrator 2. Note that the road warrior addresses its ESP packets to the VRRP virtual MAC 00:00:5e:00:01:02 (the RFC 5798 IPv4 virtual router MAC, whose last octet is the VRID), not to a physical MAC, which is what makes the swact transparent to it:

concentrator2-vm> cmd show-traffic ntfp1 filter esp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ntfp1, link-type EN10MB (Ethernet), capture size 262144 bytes
08:57:16.354446 de:ed:02:69:30:81 > 00:00:5e:00:01:02, ethertype IPv4 (0x0800), length 170: 1.1.1.1 > 66.66.66.66: ESP(spi=0xc146d5d6,seq=0x138), length 136
08:57:16.354710 de:ed:01:2e:23:19 > de:ed:02:69:30:81, ethertype IPv4 (0x0800), length 170: 66.66.66.66 > 1.1.1.1: ESP(spi=0xce1daf17,seq=0x20131), length 136
08:57:17.378435 de:ed:02:69:30:81 > 00:00:5e:00:01:02, ethertype IPv4 (0x0800), length 170: 1.1.1.1 > 66.66.66.66: ESP(spi=0xc146d5d6,seq=0x139), length 136
08:57:17.378724 de:ed:01:2e:23:19 > de:ed:02:69:30:81, ethertype IPv4 (0x0800), length 170: 66.66.66.66 > 1.1.1.1: ESP(spi=0xce1daf17,seq=0x20132), length 136
(...)

Re-enable the interface previously shut down on VPN Concentrator 1 and check that, after the preemption delay, traffic starts flowing through VPN Concentrator 1 (the ESP replies now come from VPN Concentrator 1's own MAC address, de:ed:01:6b:02:ab, while the road warrior keeps sending to the VRRP virtual MAC):

concentrator1-vm running config# vrf main interface physical ntfp1 enabled true
concentrator1-vm running config# commit
Configuration committed.
concentrator1-vm running config# cmd show-traffic ntfp1 filter esp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ntfp1, link-type EN10MB (Ethernet), capture size 262144 bytes
08:59:52.002775 de:ed:02:69:30:81 > 00:00:5e:00:01:02, ethertype IPv4 (0x0800), length 170: 1.1.1.1 > 66.66.66.66: ESP(spi=0xc146d5d6,seq=0x1d0), length 136
08:59:52.002964 de:ed:01:6b:02:ab > de:ed:02:69:30:81, ethertype IPv4 (0x0800), length 170: 66.66.66.66 > 1.1.1.1: ESP(spi=0xce1daf17,seq=0x301c7), length 136
08:59:53.026740 de:ed:02:69:30:81 > 00:00:5e:00:01:02, ethertype IPv4 (0x0800), length 170: 1.1.1.1 > 66.66.66.66: ESP(spi=0xc146d5d6,seq=0x1d1), length 136
08:59:53.026982 de:ed:01:6b:02:ab > de:ed:02:69:30:81, ethertype IPv4 (0x0800), length 170: 66.66.66.66 > 1.1.1.1: ESP(spi=0xce1daf17,seq=0x301c8), length 136
08:59:54.050736 de:ed:02:69:30:81 > 00:00:5e:00:01:02, ethertype IPv4 (0x0800), length 170: 1.1.1.1 > 66.66.66.66: ESP(spi=0xc146d5d6,seq=0x1d2), length 136
08:59:54.050957 de:ed:01:6b:02:ab > de:ed:02:69:30:81, ethertype IPv4 (0x0800), length 170: 66.66.66.66 > 1.1.1.1: ESP(spi=0xce1daf17,seq=0x301c9), length 136
(...)
^C
100 packets captured
100 packets received by filter
0 packets dropped by kernel
concentrator1-vm running config#

The SPIs in this capture (0xc146d5d6 from the road warrior, 0xce1daf17 towards it) are the same as in the capture taken on VPN Concentrator 2, which confirms that the CHILD_SAs were taken over rather than renegotiated. The outbound ESP sequence number resumes about 0x10000 ahead of where a contiguous count would have put it (0x20132 on VPN Concentrator 2, 0x301c7 on VPN Concentrator 1, while the inbound counter only advanced from 0x139 to 0x1d0 over the same interval), so the new master never repeats a sequence number the road warrior has already accepted and the road warrior's anti-replay window does not reject the traffic.

After the 60 second preemption delay, the VRRP state moves from backup to master on VPN Concentrator 1 and the IKE SAs become ESTABLISHED:

concentrator1-vm running config# show state vrf main vrrp
vrrp
    enabled true
    router-id concentrator1
    traps-enabled false
    group vrrp_group
        instance vrrp_lan
        instance vrrp_public
        notify-ha-group ha_for_ike
        state backup
        ..
    ..
concentrator1-vm running config# show state vrf main vrrp
vrrp
    enabled true
    router-id concentrator1
    traps-enabled false
    group vrrp_group
        instance vrrp_lan
        instance vrrp_public
        notify-ha-group ha_for_ike
        state master
        ..
    ..
concentrator1-vm running config# show ike ike-sa details
vpn_hq: #2, ESTABLISHED, IKEv2, 7a0e17fba5af1ed4_i b7d2d02835fd0952_r
  local  'concentrator.6wind.com' @ 66.66.66.66[500]
  remote 'user2@dev.6wind.com' @ 2.2.2.2[500]
  aes128-cbc/hmac-sha512/hmac-sha512/modp2048
  established 1s ago, rekeying in 12983s
  access_to_lan: #2, reqid 2, INSTALLED, TUNNEL, esp:aes128-cbc/hmac-sha256
    installed 1055s ago, rekeying in 2247s, expires in 2905s
    in  c7b832c7, 0 bytes, 0 packets
    out c104ceb4, 0 bytes, 0 packets
    local  172.30.0.0/24
    remote 172.31.0.2/32
vpn_hq: #1, ESTABLISHED, IKEv2, 080d80b4b06a2b2c_i ae34351d8c1c30d0_r
  local  'concentrator.6wind.com' @ 66.66.66.66[500]
  remote 'user1@dev.6wind.com' @ 1.1.1.1[500]
  aes128-cbc/hmac-sha512/hmac-sha512/modp2048
  established 1s ago, rekeying in 12823s
  access_to_lan: #1, reqid 1, INSTALLED, TUNNEL, esp:aes128-cbc/hmac-sha256
    installed 1078s ago, rekeying in 2304s, expires in 2882s
    in  ca18ffbd, 0 bytes, 0 packets
    out c095e9c5, 0 bytes, 0 packets
    local  172.30.0.0/24
    remote 172.31.0.1/32

concentrator1-vm running config#

The ping was not interrupted on road warrior 1 during the swact back (59 packets transmitted, 59 received):

(...)
64 bytes from 172.30.0.10: icmp_seq=53 ttl=63 time=0.996 ms
64 bytes from 172.30.0.10: icmp_seq=54 ttl=63 time=0.906 ms
64 bytes from 172.30.0.10: icmp_seq=55 ttl=63 time=0.880 ms
64 bytes from 172.30.0.10: icmp_seq=56 ttl=63 time=0.945 ms
64 bytes from 172.30.0.10: icmp_seq=57 ttl=63 time=0.889 ms
64 bytes from 172.30.0.10: icmp_seq=58 ttl=63 time=0.851 ms
^C64 bytes from 172.30.0.10: icmp_seq=59 ttl=63 time=1.10 ms

--- 172.30.0.10 ping statistics ---
59 packets transmitted, 59 received, 0% packet loss, time 58662ms
rtt min/avg/max/mdev = 0.701/0.939/1.609/0.146 ms
warrior1-vm>
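The preceding steps are verified by reading three outputs by hand: the ESP capture on VPN Concentrator 2 before the swact, the one on VPN Concentrator 1 after it, and the ping statistics on road warrior 1. The Python script below is an added example, not code from the 6WIND documentation or product, that automates those checks from the captured text. Per direction of the tunnel, the ESP SPI must not change across the swact (the SA was taken over, not renegotiated) and sequence numbers must be strictly increasing (a repeat or regression would be dropped by the peer's anti-replay window); every packet towards the VIP must be addressed to the RFC 5798 VRRP virtual MAC (00:00:5e:00:01:VRID), otherwise the road warrior holds a stale ARP entry for a physical MAC; and the ping output must have no icmp_seq gap. The tcpdump and ping line formats are assumed from the outputs shown above, the sample inputs are constructed from the first lines of those outputs, and the sequence-number advance per direction is reported rather than judged.

```python
import re
from collections import defaultdict

# One tcpdump line as printed by "cmd show-traffic <iface> filter esp" (Ethernet/IPv4/ESP).
ESP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), "
    r"ethertype IPv4 \(0x0800\), length \d+: (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ESP\(spi=0x(?P<spi>[0-9a-f]+),seq=0x(?P<seq>[0-9a-f]+)\), length \d+$")
PING_SEQ_RE = re.compile(r"icmp_seq=(\d+) ")
PING_STATS_RE = re.compile(r"(\d+) packets transmitted, (\d+) received, (\d+)% packet loss")
VRRP_MAC_PREFIX = "00:00:5e:00:01:"  # RFC 5798 IPv4 virtual router MAC; last octet is the VRID


def parse_esp(capture):
    """Return ESP packets as dicts; banner, '(...)' and statistics lines are skipped."""
    pkts = []
    for line in capture.splitlines():
        m = ESP_RE.match(line)
        if m:
            p = m.groupdict()
            p["spi"], p["seq"] = int(p["spi"], 16), int(p["seq"], 16)
            pkts.append(p)
    return pkts


def flows(capture):
    """Group packets per (src, dst) so each direction of the tunnel is checked separately."""
    by_dir = defaultdict(list)
    for p in parse_esp(capture):
        by_dir[(p["src"], p["dst"])].append(p)
    return by_dir


def check_swact(before, after, vip):
    """Compare a capture from the node that was master before the swact with one from the
    node that is master after it.  Returns (findings, seq_jump): findings is a list of
    strings (empty means the tunnel survived intact), seq_jump maps each direction to the
    distance between the last sequence number seen before and the first seen after."""
    findings, seq_jump = [], {}
    fb, fa = flows(before), flows(after)
    if set(fb) != set(fa):
        findings.append(f"flow set changed across swact: {sorted(set(fb) ^ set(fa))}")
    for key in sorted(set(fb) & set(fa)):
        pkts = fb[key] + fa[key]
        # Same SPI on both nodes: the SA was synchronised, not renegotiated.
        if len({p["spi"] for p in pkts}) != 1:
            findings.append(f"{key}: SPI changed, SA was renegotiated rather than taken over")
        # Strictly increasing sequence numbers: a repeat or regression is a replay to the peer.
        seqs = [p["seq"] for p in pkts]
        if any(b <= a for a, b in zip(seqs, seqs[1:])):
            findings.append(f"{key}: ESP sequence number repeated or went backwards")
        seq_jump[key] = fa[key][0]["seq"] - fb[key][-1]["seq"]
    # Traffic towards the VIP must be addressed to the VRRP virtual MAC, otherwise the road
    # warrior holds a stale ARP entry for a physical MAC and the swact is not transparent.
    for p in parse_esp(before) + parse_esp(after):
        if p["dst"] == vip and not p["dmac"].startswith(VRRP_MAC_PREFIX):
            findings.append(f"packet to {vip} sent to physical MAC {p['dmac']} at {p['ts']}")
    return findings, seq_jump


def ping_gaps(ping_output):
    """Return (missing icmp_seq list, reported loss percent or None) from ping output."""
    seqs = [int(s) for s in PING_SEQ_RE.findall(ping_output)]
    missing = sorted(set(range(seqs[0], seqs[-1] + 1)) - set(seqs)) if seqs else []
    m = PING_STATS_RE.search(ping_output)
    return missing, (int(m.group(3)) if m else None)


# Constructed samples: the first ESP lines of each capture above, and the ping summary.
BEFORE = """\
08:57:16.354446 de:ed:02:69:30:81 > 00:00:5e:00:01:02, ethertype IPv4 (0x0800), length 170: 1.1.1.1 > 66.66.66.66: ESP(spi=0xc146d5d6,seq=0x138), length 136
08:57:16.354710 de:ed:01:2e:23:19 > de:ed:02:69:30:81, ethertype IPv4 (0x0800), length 170: 66.66.66.66 > 1.1.1.1: ESP(spi=0xce1daf17,seq=0x20131), length 136
08:57:17.378435 de:ed:02:69:30:81 > 00:00:5e:00:01:02, ethertype IPv4 (0x0800), length 170: 1.1.1.1 > 66.66.66.66: ESP(spi=0xc146d5d6,seq=0x139), length 136
08:57:17.378724 de:ed:01:2e:23:19 > de:ed:02:69:30:81, ethertype IPv4 (0x0800), length 170: 66.66.66.66 > 1.1.1.1: ESP(spi=0xce1daf17,seq=0x20132), length 136
"""
AFTER = """\
08:59:52.002775 de:ed:02:69:30:81 > 00:00:5e:00:01:02, ethertype IPv4 (0x0800), length 170: 1.1.1.1 > 66.66.66.66: ESP(spi=0xc146d5d6,seq=0x1d0), length 136
08:59:52.002964 de:ed:01:6b:02:ab > de:ed:02:69:30:81, ethertype IPv4 (0x0800), length 170: 66.66.66.66 > 1.1.1.1: ESP(spi=0xce1daf17,seq=0x301c7), length 136
"""
PING = """\
64 bytes from 172.30.0.10: icmp_seq=57 ttl=63 time=0.889 ms
64 bytes from 172.30.0.10: icmp_seq=58 ttl=63 time=0.851 ms
^C64 bytes from 172.30.0.10: icmp_seq=59 ttl=63 time=1.10 ms

--- 172.30.0.10 ping statistics ---
59 packets transmitted, 59 received, 0% packet loss, time 58662ms
"""

if __name__ == "__main__":
    findings, jump = check_swact(BEFORE, AFTER, vip="66.66.66.66")
    print("findings:", findings or "none")
    for (src, dst), delta in jump.items():
        print(f"{src} -> {dst}: sequence advanced by {delta:#x} across the swact")
    print("ping gaps:", ping_gaps(PING))
```

Feeding the script the two captures above reports no findings, an advance of 0x97 for the road warrior's direction and of 0x10095 for the concentrator's direction (the latter being the jump discussed above), and no ping gap. Swapping the two captures, or editing an SPI or the destination MAC in the second one, produces the corresponding finding, which is how the checks themselves were validated.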