Failover with OSPF and OpenVPN

From ImageStream Router Documentation


In this tech note we will set up link failover between a wireless link and a VPN that takes a different path to the Internet. To do this we will first set up an OpenVPN link between the two routers. Then we will configure Quagga OSPF to distribute a default route and learn the networks at the remote site.

We have two locations. Site A has an existing Internet connection and is the normal default route for Site B. Site B has a microwave link (connected via Ethernet to the router). Site B also has a second, independent Internet connection. Below is a diagram showing the basic topology.

[Figure: Fail-over OSPF topology diagram]

OpenVPN Configuration

The OpenVPN configuration below is a simple peer-to-peer setup; both routers are configured with the same tunnel key.

Site B OpenVPN configuration

!
interface Tunnel0
 description Tunnel to Site A 
 tunnel mode openvpn
 tunnel source 10.10.20.1 1194
 tunnel destination 205.168.66.1 1194
 tunnel key b232292562bde187ae65431ecc643147
 tunnel options --float --passtos --dev-type tap
 pointopoint address 192.168.45.1
 ip address 192.168.45.2 255.255.255.252
!
ip route add 205.168.66.1 via 10.10.20.2 dev eth7 

This establishes an OpenVPN tunnel to Site A. Note that in this example we want to direct traffic for the Site A router out a specific secondary Internet connection. Here the secondary Internet connection is connected to Ethernet7 and the secondary router has an IP address of 10.10.20.2, so we add a static host route to the remote Internet IP address that we are using as the tunnel destination. This forces the VPN traffic to use the secondary Internet connection.

Site A OpenVPN configuration

!
interface Tunnel0
 description Tunnel to Site B 
 tunnel mode openvpn
 tunnel source 205.168.66.1 1194
 tunnel destination 0.0.0.0 1194
 tunnel key b232292562bde187ae65431ecc643147
 tunnel options --float --passtos --dev-type tap
 pointopoint address 192.168.45.2
 ip address 192.168.45.1 255.255.255.252
!

This configuration listens for incoming VPN requests from Site B. In this example Site B is behind a router that is performing NAT, so we are unable to initiate the VPN from the Site A location.

This completes the OpenVPN configuration.

Quagga and OSPF configuration

Before configuring OSPF, you will need to enable and start the Quagga routing system and then start OSPF. The recommended method to configure Quagga/OSPF is via the Quagga command line interface, which can be accessed through the Quagga menu or from the bash command line via the command "vtysh". The Quagga command line interface works similarly to the Cisco command line interface.

Site B Quagga and OSPF configuration

!
router ospf
 ospf router-id 192.168.45.2
 redistribute connected route-map OSPF-connected
 network 192.168.45.0/30 area 0.0.0.0
 network 192.6.126.0/24 area 0.0.0.0
!
ip prefix-list OSPF_OUT seq 10 permit 10.10.21.0/24
ip prefix-list OSPF_OUT seq 20 permit 10.10.23.0/24
ip prefix-list OSPF_OUT seq 30 permit 10.10.24.0/24
!
route-map OSPF-connected permit 10
 match ip address prefix-list OSPF_OUT
!

In this example we wish to advertise three networks via OSPF. These are the networks connected to Site B. We restrict redistribution to these networks by using a prefix-list and a route map.

We also want to modify the OSPF cost on the VPN interface, so we will need to add the following command to interface Tunnel0 (note: this must be done AFTER the VPN tunnel has been configured and connected).

!
interface Tunnel0
 ip ospf cost 20
!

Site A Quagga and OSPF configuration

!
router ospf
 ospf router-id 192.168.45.1
 default-information originate always
 network 192.168.45.0/30 area 0.0.0.0
 network 192.6.126.0/24 area 0.0.0.0
!

The OSPF configuration at Site A only distributes a default route. The Site A router learns the networks behind Site B via OSPF.

We also want to modify the OSPF cost on the VPN interface, so we will need to add the following command to interface Tunnel0 (note: this must be done AFTER the VPN tunnel has been configured and connected).

!
interface Tunnel0
 ip ospf cost 20
!


Conclusion

This configuration allows failover between Site A and Site B using the VPN connection when the microwave link is down. Please note that all static default routes should be removed from the Site B router. Take care if implementing this change remotely.
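
The static host route from the OpenVPN section and the OSPF default route from Site A interact through longest-prefix matching. The Python model below is an added example, not part of the ImageStream documentation; it shows which interface carries the tunnel's own packets and which carries user traffic in each link state. The microwave interface name eth0, the Site A next hop 192.6.126.1, the microwave path having a lower OSPF cost than 20, and the destination 198.51.100.7 are assumptions.

```python
import ipaddress

# Assumptions (not on the page): microwave interface name and Site A's address on it.
MICROWAVE_DEV, MICROWAVE_NH = "eth0", "192.6.126.1"

def lookup(table, dst):
    """Longest-prefix match; returns the winning (prefix, next_hop, dev) or None."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in table if addr in ipaddress.ip_network(r[0])]
    return max(hits, key=lambda r: ipaddress.ip_network(r[0]).prefixlen, default=None)

def site_b_table(microwave_up, host_route=True):
    """Modelled Site B routing table for the page's configuration."""
    table = [
        ("10.10.20.0/24", None, "eth7"),       # connected: secondary Internet router LAN
        ("192.168.45.0/30", None, "Tunnel0"),  # connected: VPN point-to-point subnet
    ]
    if host_route:  # ip route add 205.168.66.1 via 10.10.20.2 dev eth7
        table.append(("205.168.66.1/32", "10.10.20.2", "eth7"))
    # OSPF default originated by Site A: the microwave path while it is up
    # (assumed lower cost), otherwise the Tunnel0 path (ip ospf cost 20).
    if microwave_up:
        table.append(("0.0.0.0/0", MICROWAVE_NH, MICROWAVE_DEV))
    else:
        table.append(("0.0.0.0/0", "192.168.45.1", "Tunnel0"))
    return table

def tunnel_transport_dev(microwave_up, host_route=True):
    """Interface that carries the encrypted OpenVPN packets toward Site A."""
    return lookup(site_b_table(microwave_up, host_route), "205.168.66.1")[2]

def user_traffic_dev(microwave_up, dst="198.51.100.7"):  # constructed destination
    """Interface that carries ordinary Internet-bound traffic from Site B."""
    return lookup(site_b_table(microwave_up), dst)[2]

if __name__ == "__main__":
    for up in (True, False):
        print("microwave up:", up,
              "| tunnel packets via", tunnel_transport_dev(up),
              "| user traffic via", user_traffic_dev(up))
    for up in (True, False):
        print("no host route, microwave up:", up,
              "| tunnel packets via", tunnel_transport_dev(up, host_route=False))
```

Without the host route the tunnel's own packets follow the default route: over the microwave link while it is up, so the VPN fails together with it, and into Tunnel0 itself once the default moves there.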
