IPsec Fault Tolerance

IPsec Fault Tolerance


IPsec Fault Tolerance


IPsec Fault Tolerance

In today’s interconnected world, network security is of utmost importance. Organizations rely heavily on secure communication channels to safeguard sensitive information from unauthorized access. One such technology that plays a vital role in ensuring secure data transmission is IPsec (Internet Protocol Security). However, even the most robust security measures are not immune to failures. That’s where IPsec fault tolerance comes into play. In this blog post, we will explore the concept of IPsec fault tolerance and the measures organizations can take to ensure uninterrupted network security.

IPsec fault tolerance refers to the ability of a network or system to continue functioning effectively in the event of a failure or disruption in IPsec services. It involves implementing redundancy and failover mechanisms to maintain continuous secure communication, even during adverse conditions.

Highlights: IPsec Fault Tolerance

  • Highlighting IPsec

IPsec is a secure network protocol used to encrypt and authenticate data over the internet. It is a critical part of any organization’s secure network infrastructure, and it is essential to ensure fault tolerance. Optimum end-to-end IPsec networks require IPsec fault tolerance in several areas for ingress and egress traffic flows. Key considerations must include asymmetric routing, where a packet traverses from a source to a destination in one path and takes a different path when it returns to the source.

  • Reverse Route Injection

Potential options include Reverse Route Injection (RRI), which can inject static routes automatically inserted into the routing process for those networks and hosts protected by a remote tunnel endpoint. The diagram below displays components susceptible to failure to achieve an IPsec fault tolerance. Design each element with redundancy in mind. Failure components include the Backbone network, Access links, and IPsec gateway.


For additional pre-information, you may find the following helpful

  2. VPNOverview
  3. Dead Peer Detection
  4. What Is Generic Routing Encapsulation
  5. Routing Convergence


Back to basics with IPsec Fault tolerance

Concept of IPsec

Internet Protocol Security (IPsec) is a set of protocols to secure communications over an IP network. It provides authentication, integrity, and confidentiality of data transmitted over an IP network. IPsec establishes a secure tunnel between two endpoints, allowing data to be transmitted securely over the Internet. In addition, IPsec provides security by authenticating and encrypting each packet of data that is sent over the tunnel.

IPsec is typically used in Virtual Private Network (VPN) connections to ensure secure data sent over the Internet. It can also be used for tunneling to connect two remote networks securely. IPsec is an integral part of ensuring the security of data sent over the Internet and is often used in conjunction with other security measures such as firewalls and encryption.

Diagram: IPsec VPN. Source Wikimedia.


IPsec session

There are Several components exist used to create and maintain an IPsec session. By integrating these components, we get the required security services that protect the traffic for unauthorized observers. IPsec establishes tunnels between endpoints; these can also be described as peers. The tunnel can be protected by various means, such as integrity and confidentiality.

IPsec provides security services using two protocols, the Authentication Header and Encapsulating Security Payload. Both protocols use cryptographic algorithms for authenticated integrity services; Encapsulation Security Payload provides encryption services in combination with authenticated integrity.


  • A key point: Lab on IPsec between two ASAs. Site to Site IKEv1

In this lab, we will look at site-to-site IKEv1. Site-to-site IPsec VPNs are used to “bridge” two distant LANs together over the Internet.  So we want IP reachability for R1 and R2, which are in the INSIDE interfaces of their respective ASAs. Generally, on the LAN, we use private addresses, so the two LANs cannot communicate without tunneling.

This lesson will teach you how to configure IKEv1 IPsec between two Cisco ASA firewalls to bridge two LANs. In the diagram below, you will see we have two ASAs. ASA1 and ASA2 are connected using their G0/1 interfaces. This is to simulate the outside connection. In the real world, this would be the WAN.

This is also set to the “OUTSIDE” security zone, so imagine this is their Internet connection. Each ASA has a G0/0 interface connected to the “INSIDE” security zone. R1 is on the network /24 while R2 is in /24. The goal of this lesson is to ensure that R1 and R2 can communicate with each other through the IPsec tunnel.


Site to Site VPN


IPsec and DMVPN

DMVPN builds tunnels between locations as needed, unlike IPsec VPN tunnels that are hard coded. As with SD-WAN, it uses standard routers without additional features. However, unlike hub-and-spoke networks, DMVPN tunnels are mesh networks. Organizations can choose from three basic DMVPN topologies when implementing a DMVPN network.

The first topology is the Hub and Spoke topology. The second topology is the Fully Meshed topology. Finally, the third topology is the Hub and Spoke with Partial Mesh topology.  To create these DMVPN topologies, we have phases, such as DMVPN Phase 3, that are the most flexible enabling a pull mesh of on-demand tunnels that can use IPsec for security.


Concept of Reverse Routing Injection (RRI)

For network and host endpoints protected by a remote tunnel endpoint, reverse route injection (RRI) allows static routes to be automatically injected into the routing process. These protected hosts and networks are called remote proxy identities.

The next hop to the remote proxy network and mask is the remote tunnel endpoint, and each route is created based on these parameters. Traffic is encrypted using the remote Virtual Private Network (VPN) router as the next hop.

Static routes are created on the VPN router and propagated to upstream devices, allowing them to determine the appropriate VPN router to send returning traffic to maintain IPsec state flows. When multiple VPN routers are used to provide load balancing or failover, or remote VPN devices cannot be accessed via a default route, choosing the right VPN router is crucial. Global routing tables or virtual route forwarding tables (VRFs) are used to create routes.


IPsec fault tolerance
Diagram: IPsec fault tolerance with multiple areas to consider.


The Networks Involved

Backbone network

IPsec uses an underlying backbone network for endpoint connectivity. It does not deploy its underlying packet-forwarding mechanism and relies on backbone IP packet-routing functions. Usually, the backbone is controlled by a 3rd-party provider, ensuring IPsec gateways trust redundancy and high availability methods applied by separate administrative domains.


Access link 

Adding a second link to terminate IPsec sessions and enabling both connections for IPsec termination improves redundant architectures. However, access link redundancy requires designers to deploy either Multiple IKE identities or Single IKE identities. Multiple IKE identity design involves two different peer IP addresses, one peer for each physical access link. The IKE identity of the initiator is derived from the source IP of the initial IKE message, and this will remain the same. Single IKE identity involves one peer neighbor, potentially terminating on a logical loopback address.


  • Physical interface redundancy

Design physical interface redundancy by terminating IPsec on logical interfaces instead of multiple physical interfaces. Useful when the router has multiple exit points and you do not want the other side to use multiple peers’ addresses. Single IPsec session terminating on loopback instead of multiple IPsec sessions terminating on physical interfaces. You still require the crypto map configured on two physical interfaces. Issue the command to terminate IPsec on the loopback: “crypto map VPN local-address lo0.”


  • A key point: Link failure

In the event of a single physical link failure, Phase 1 and 2 do not converge. Convergence is based on an underlying network routing protocol. No IKE convergence occurs if one of the physical interfaces goes down.


Asymmetric Routing

Routing protocol convergence

Asymmetric routing may occur in multipath environments. For example, in the diagram below, traffic leaves spoke A, creating an IPsec tunnel to interface Se1/1:0 on Hub A. Asymmetric routing occurs when return traffic flows via Se0:0. The effect is a new IPsec SA between Se0:0 and Spoke A, introducing additional memory usage on peers. Overcome this by proper routing mechanism and IPsec state replication ( discussed later ).

Asymmetric routing
Diagram: Asymmetric routing.


Design to ensure routing protocol convergence does not take longer than IKE dead peer detection. Routing protocols should not introduce repeated disruptions to IPsec processes. If you have control of the underlying routing protocol, deploy fast convergence techniques so that routing protocols converge faster than IKE detects a dead peer.


IPsec Fault Tolerance and IPsec Gateway

A redundant gateway involves a second IPsec gateway in standby mode. It does not have any IPsec state or replicate IPsec information between peers. Because either gateway may serve as an active gateway for spoke return traffic, you may experience asymmetric traffic flows. Also, due to the failure of the hub peer gateway, all traffic between sites drops until IKE and IPSec SAs are rebuilt on the standby peer.


Routing mechanism at gateway nodes

A common approach to overcome asymmetric routing is to deploy a routing mechanism at gateway nodes. IPsec’s high availability can be incorporated with HSRP, which pairs two devices with a single VIP address. VIP address terminates IPsec tunnel. HSRP and IPsec work perfectly fine as long as the traffic is symmetric.

Asymmetric traffic occurs when the return traffic does not flow via the active HSRP device. To prevent this, enable HSRP on the other side of IPsec peers, resulting in Front-end / Back-end HSRP design model. Or deploy Reverse Route Injection ( RRI ), and static routes are injected only by active IPsec peer. You no longer need Dead Peer Detection ( DPD ) as you use VIP for IPsec termination. In the event of a node failure, the IPsec peer does not change. A different method to resolve the asymmetric problem is implementing Reverse Route Injection. 

Reverse Route Injection
Diagram: Routing mechanisms and Reverse Route Injection.


Reverse Route Injection (RRI)

RRI is a method that synchronizes return routes for the spoke to the active gateway. The idea behind RRI is to make routing decisions dependent on the IPsec state. For end-to-end reachability, a route to a “secure” subnet must exist with a valid network hop. RRI inserts a route to the “secure” subnet in the RIB and associates it with an IPsec peer. Then, it injects based on the Proxy ACL; matches the destination address in the proxy ACL.

  •  RRI injects a static route for the upstream network.

 HSRPs’ or RRI IPsec is limited because it does not carry any state between the two IPsec peers. A better high-availability solution is to carry state ( Security Association Database ) between the two gateways, offering stateful failover.


Implementing IPsec Fault Tolerance:

1. Redundant VPN Gateways: Deploying multiple VPN gateways in a high-availability configuration is fundamental to achieving IPsec fault tolerance. These gateways work in tandem, with one as the primary gateway and the others as backups. In case of a failure, the backup gateways seamlessly take over the traffic, guaranteeing uninterrupted, secure communication.

2. Load Balancing: Load balancing mechanisms distribute traffic across multiple VPN gateways, ensuring optimal utilization of resources and preventing overloading of any single gateway. This improves performance and provides an additional layer of fault tolerance.

3. Automatic Failover: Implementing automatic failover mechanisms ensures that any failure or disruption in the primary VPN gateway triggers a swift and seamless switch to the backup gateway. This eliminates manual intervention, minimizing downtime and maintaining continuous network security.

4. Redundant Internet Connections: Organizations can establish redundant Internet connections to enhance fault tolerance further. This ensures that even if one connection fails, the IPsec infrastructure can continue operating using an alternate connection, guaranteeing uninterrupted, secure communication.


IPsec fault tolerance is a crucial aspect of maintaining uninterrupted network security. Organizations can ensure that their IPsec infrastructure remains operational despite failures or disruptions by implementing redundancy, failover, and load-balancing mechanisms. Such measures enhance reliability and enable seamless scalability as the organization’s network grows. With IPsec fault tolerance, organizations can rest assured that their sensitive information is protected and secure, irrespective of unforeseen circumstances.


IPsec Fault Tolerance

Matt Conran
Latest posts by Matt Conran (see all)

Comments are closed.