Last month, I worked on an IPSec VPN site-to-site connection project between the Sophos XG firewall and Cisco routers that connect more than 50 branches. Where both ends have a dynamic public IP address. I am not willing to share the configuration of the Sophos XG router or firewall, but I am willing to share a dynamic IP address solution for the IP address.
Technical Details: Sophos XG is installed in the client's central office with a dynamic public IP address (which will resolve to FQDN) and also the Cisco router installed with a dynamic public IP address in branches. We plan to redirect all traffic in the central office for the intranet and internet for the implementation of security policies.
Issue: Both Headoffice and remote sites have a dynamic public IP address, so routers could not connect VPN after changing the IP address in Sophos XG (Headoffice). We use a DynDNS in the central office only due to budget constraints and simplify the administrative process.
Root cause: Cisco has a predefined method to resolve DDNS only once during configuration. If you set up IPSec VPN with an FQDN as the "set target peer" command but the show run command shows the IP address instead of the name. This is because the resolution occurs only once:
How we solved the problem: there is a simple method to solve this problem since your router must resolve the FQDN from time to time, so we plan to use the EEM scripts. Here, the client also added some additional requirements, as it must obtain the IP address of the interface when connecting or disconnecting the VPN services of each Cisco router.
Then, we had chosen an additional and fast method to detect inactive VPN and erase peer SAs and update the FQDN at a specific interval. We use the EEM and IP SLA script for the same as:
Technical Details: Sophos XG is installed in the client's central office with a dynamic public IP address (which will resolve to FQDN) and also the Cisco router installed with a dynamic public IP address in branches. We plan to redirect all traffic in the central office for the intranet and internet for the implementation of security policies.
Issue: Both Headoffice and remote sites have a dynamic public IP address, so routers could not connect VPN after changing the IP address in Sophos XG (Headoffice). We use a DynDNS in the central office only due to budget constraints and simplify the administrative process.
Root cause: Cisco has a predefined method to resolve DDNS only once during configuration. If you set up IPSec VPN with an FQDN as the "set target peer" command but the show run command shows the IP address instead of the name. This is because the resolution occurs only once:
How we solved the problem: there is a simple method to solve this problem since your router must resolve the FQDN from time to time, so we plan to use the EEM scripts. Here, the client also added some additional requirements, as it must obtain the IP address of the interface when connecting or disconnecting the VPN services of each Cisco router.
Then, we had chosen an additional and fast method to detect inactive VPN and erase peer SAs and update the FQDN at a specific interval. We use the EEM and IP SLA script for the same as:
ip sla 2
icmp-echo 10.100.1.90 source-ip 10.100.119.90
threshold 300
timeout 600
frequency 2
ip sla schedule 2 life forever start-time now
!
track 2 ip sla 2 reachability
!
Here, 10.100.1.90 is the IP address of the central office and 10.100.119.90 is the IP address of the LAN interface of the branch office router.
event manager environment _email_to notify@xyz.net
event manager environment _email_from notify@xyz.net
event manager environment _email_server mail.xyz.net
!
event manager applet IPSec_Down
event syslog pattern "%TRACK-6-STATE: 2 ip sla 2 reachability Up -> Down"
action 1.0 cli command "enable"
action 1.5 cli command "clear crypto isakmp"
action 1.6 cli command "clear crypto sa"
action 2.0 cli command "config t"
action 2.5 cli command "crypto map IPSEC-SITE-TO-SITE-VPN 10 ipsec-isakmp "
action 2.9 cli command "set peer sophos.xyz.co"
action 3.0 cli command "end"
action 4.5 syslog priority notifications msg "VPN failed at Brach1"
!
Here, you can see that we are detecting the status of the track and once it detects that it is inactive, the router will execute some commands to clear the existing Phase 1 and 2 tunnels and add a new DYDNS name under the crypto map. It will help us deactivate the VPN immediately after the IP SLA fails without the wait for a timeout.
event manager applet NEW_DNS_Update
event timer watchdog time 120
action 1.0 cli command "enable"
action 1.5 cli command "config t"
action 2.0 cli command "crypto map IPSEC-SITE-TO-SITE-VPN 10 ipsec-isakmp "
action 2.5 cli command "set peer sophos.xyz.co"
action 3.0 cli command "end"
action 4.5 syslog priority notifications msg "DNS_Updated_IPSEC"
!
Here, we are updating the FQDN every 120 seconds so that the router has updated the DYDNS resolution.
event manager applet IP_Change_Down
event syslog pattern "%TRACK-6-STATE: 2 ip sla 2 reachability Up -> Down"
action 1.0 cli command "enable"
action 3.6 cli command "sho ip interface brief | exclude unassigned"
action
4.0 mail server "$_email_server" to "$_email_to" from "$_email_from"
subject "$_event_pub_time: VPN & IP address failed at Brach1" body "$_cli_result"
action 4.5 syslog priority notifications msg "VPN down & IP at Branch1 mail sent"
!
Somehow, if the VPN goes down, the client will receive the public IP address of the router. If necessary, you can access the router using the public IP address (do not worry, we have taken some additional steps for SSH security).
event manager applet IP_Change_up
event syslog pattern " %TRACK-6-STATE: 2 ip sla 2 reachability Down -> Up"
action 1.0 cli command "enable"
action 3.6 cli command "sho ip interface brief | exclude unassigned"
action
4.0 mail server "$_email_server" to "$_email_to" from "$_email_from"
subject "$_event_pub_time: VPN up & IP address at Branch1"
body "$_cli_result"
action 4.5 syslog priority notifications msg "VPN up & IP Branch1 mail sent"
!
Once the VPN will restore then the client will also receive the router's public IP
address.
No comments:
Post a Comment