This document provides configuration guidance for using the Cisco IOS® Server Load Balancer (SLB) feature to distribute large numbers of IP Security (IPsec) tunnels across a Cisco® 7200/7301 IPsec server farm. The server-farm hubs are configured with dynamic Virtual Tunnel Interfaces (VTI), while the remote spokes can be configured using VTI or crypto maps (supporting a single proxy).
1. Audience
This configuration guide is intended to provide best practices and configuration guidelines for Cisco customers, systems engineers and customer support engineers.
2. Network Topology
Figure 1. Topology
3. System Components
• Tested version on IPsec hubs: Cisco IOS Software Release 12.4(4)T1
• Tested version on 6500 SLB: Cisco IOS Software Release 12.2(18)SXF
• Tested version on the spokes (crypto maps): Cisco IOS Software Release 12.2(15)T14
4. SLB Configuration
!
! The failure detection mechanism is set to ICMP ping. Failure to
! respond to three pings changes the status of the IPsec server to DOWN.
!
ip slb probe PING-PROBE ping
faildetect 3
!
! Define the REAL servers in the server farm. The server with the fewest
! active connections accepts each new connection. If a server fails, all
! of its connection entries are purged. The maximum number of connections
! is set to 500 per server.
!
ip slb serverfarm 7301-FARM
predictor leastconns
failaction purge
probe PING-PROBE
!
real 192.168.1.1
weight 1
maxconns 500
inservice
!
real 192.168.2.1
weight 1
maxconns 500
inservice
!
! Define ESP and ISAKMP (UDP 500 and 4500) to be load balanced on these
! servers. The "sticky" command ties the ISAKMP and IPsec sessions of a
! client to the same real server; IKE and IPsec sessions should never
! go to two different servers. The stickiness must be maintained for
! longer than the IPsec re-key interval: if the sticky time is too
! short, both sessions may initially land on the same router, but when
! IPsec re-keys after 1 hour the new IPsec session can end up on the
! wrong server. Similarly, the idle time is set slightly longer than the
! IPsec re-key interval so that the SLB does not accidentally clear the
! connection. The virtual IP address is 200.1.1.1.
!
ip slb vserver ESP
virtual 200.1.1.1 esp
serverfarm 7301-FARM
sticky 3650 group 1
idle 3660
inservice
!
ip slb vserver ISAKMP
virtual 200.1.1.1 udp isakmp
serverfarm 7301-FARM
sticky 3650 group 1
idle 3660
inservice
!
ip slb vserver NAT-T
virtual 200.1.1.1 udp 4500
serverfarm 7301-FARM
sticky 3650 group 1
idle 3660
inservice
!
5. Dynamic VTI Configuration
5.1. Basic IPsec Configuration
crypto keyring all
pre-shared-key address 0.0.0.0 0.0.0.0 key cisco
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp keepalive 60
!
crypto ipsec transform-set SHA_3DES esp-3des esp-sha-hmac
!
crypto ipsec profile vti
set transform-set SHA_3DES
!
5.2. ISAKMP Profile Configuration
crypto isakmp profile IPSEC-DVTI
keyring all
match identity address 0.0.0.0
virtual-template 1
!
5.3. Virtual Tunnel Interface Configuration
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
tunnel source Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile vti
5.4. Loopback Interface
!
! The VIP address on the SLB is also configured as the Loopback0 address
! on each IPsec server. IPsec tunnels are sourced from this address, and
! the SLB pings this address to determine IPsec server availability.
!
interface Loopback0
ip address 200.1.1.1 255.255.255.255
!
6. SLB Verification
6.1. Show Commands on SLB (No Connections)
SLB#sh ip slb serverfarms
server farm predictor nat reals bind id interface(s)
---------------------------------------------------------------------
7301-FARM LEASTCONNS none 2 0 <any>
SLB#sh ip slb reals
Real farm name weight state conns
-------------------------------------------------------------------
192.168.1.1 7301-FARM 1 OPERATIONAL 0
192.168.2.1 7301-FARM 1 OPERATIONAL 0
SLB#sh ip slb vservers
slb vserver prot virtual state cons interface(s)
---------------------------------------------------------------------
ESP ESP 200.1.1.1/32:0 OPERATIONAL 0 <any>
ISAKMP UDP 200.1.1.1/32:500 OPERATIONAL 0 <any>
NAT-T UDP 200.1.1.1/32:4500 OPERATIONAL 0 <any>
SLB#sh ip slb conn
Vserver prot client real state nat
---------------------------------------------------------------------
6.2. Show Commands on SLB (With Connections)
SLB#sh ip slb conn
Vserver prot client real state nat
---------------------------------------------------------------------
ESP ESP 1.1.1.1:0 192.168.1.1 ESTAB none
ISAKMP UDP 1.1.1.1:500 192.168.1.1 ESTAB none
ESP ESP 2.2.2.2:0 192.168.2.1 ESTAB none
ISAKMP UDP 2.2.2.2:500 192.168.2.1 ESTAB none
SLB#sh ip slb vserver
slb vserver prot virtual state cons interface(s)
---------------------------------------------------------------------
ESP ESP 200.1.1.1/32:0 OPERATIONAL 2 <any>
ISAKMP UDP 200.1.1.1/32:500 OPERATIONAL 2 <any>
NAT-T UDP 200.1.1.1/32:4500 OPERATIONAL 0 <any>
SLB#sh ip slb reals
Real farm name weight state conns
-------------------------------------------------------------------
192.168.1.1 7301-FARM 1 OPERATIONAL 2
192.168.2.1 7301-FARM 1 OPERATIONAL 2
SLB#sh ip slb stick
ip/netmask id cons server real firewall real
---------------------------------------------------------------------
1.1.1.1/32 1 2 192.168.1.1
2.2.2.2/32 1 2 192.168.2.1
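The following Python script is an added example and is not part of the original guide or of Cisco's tooling. It turns two points of the guide into an offline check: the timer rule from section 4 (sticky and idle must outlast the 1-hour IPsec re-key interval), and the per-client stickiness that the "show ip slb conn" output in section 6.2 is meant to confirm (every vserver entry for one client on the same real). The sample output is constructed in the same column layout as the page's output; client 3.3.3.3 and its split placement are invented so that the check has something to flag.

```python
"""Offline checks for an IOS SLB front end distributing IPsec tunnels.

1. check_timers: the sticky timer and the idle timer must both exceed the
   IPsec SA lifetime, otherwise a re-keyed ESP session can be balanced to
   a different real server than its ISAKMP session.
2. find_split_sessions: parse 'show ip slb conn' output and report any
   client whose ISAKMP / NAT-T / ESP entries are spread over >1 real.
"""
import re
from collections import defaultdict

# Constructed sample in the layout of the page's 'show ip slb conn'.
# 3.3.3.3 is a deliberately split session (constructed) for the check to flag.
SAMPLE_SHOW_CONN = """\
SLB#sh ip slb conn
Vserver prot client real state nat
---------------------------------------------------------------------
ESP ESP 1.1.1.1:0 192.168.1.1 ESTAB none
ISAKMP UDP 1.1.1.1:500 192.168.1.1 ESTAB none
ESP ESP 2.2.2.2:0 192.168.2.1 ESTAB none
ISAKMP UDP 2.2.2.2:500 192.168.2.1 ESTAB none
NAT-T UDP 3.3.3.3:4500 192.168.1.1 ESTAB none
ESP ESP 3.3.3.3:0 192.168.2.1 ESTAB none
"""

# One data row: vserver, protocol, client ip:port, real ip, state, nat.
CONN_RE = re.compile(
    r"^(?P<vserver>\S+)\s+(?P<prot>\S+)\s+(?P<client>\d+\.\d+\.\d+\.\d+):\d+\s+"
    r"(?P<real>\d+\.\d+\.\d+\.\d+)\s+(?P<state>\S+)\s+(?P<nat>\S+)\s*$"
)


def parse_show_conn(text):
    """Return (vserver, client_ip, real_ip) for each data row; headers,
    the prompt line and the dashed separator do not match the pattern."""
    rows = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            rows.append((m["vserver"], m["client"], m["real"]))
    return rows


def find_split_sessions(text):
    """Group rows by client IP and return only the clients whose vserver
    entries landed on more than one real: {client: {vserver: real}}."""
    placement = defaultdict(dict)
    for vserver, client, real in parse_show_conn(text):
        placement[client][vserver] = real
    return {c: v for c, v in placement.items() if len(set(v.values())) > 1}


def check_timers(sticky, idle, sa_lifetime=3600):
    """Return a list of problems with the sticky/idle timers, in seconds.
    sa_lifetime defaults to the 1-hour IPsec re-key interval the guide cites."""
    problems = []
    if sticky <= sa_lifetime:
        problems.append(f"sticky {sticky}s does not outlast the IPsec SA lifetime {sa_lifetime}s")
    if idle <= sa_lifetime:
        problems.append(f"idle {idle}s does not outlast the IPsec SA lifetime {sa_lifetime}s")
    return problems


if __name__ == "__main__":
    print("page values:", check_timers(3650, 3660))   # no problems
    print("short sticky:", check_timers(1800, 3660))  # flags the sticky timer
    for client, where in find_split_sessions(SAMPLE_SHOW_CONN).items():
        print(f"{client}: sessions split across reals {where}")
```

To use it against a live box, paste the output of "show ip slb conn" in place of the constructed sample; an empty result from find_split_sessions is the expected state when the sticky timers are doing their job.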
7. IPsec Verification
7.1. IPsec-1 Show Commands
IPsec-1#sh cry isa sa
IPv4 Crypto ISAKMP SA
Dst src state conn-id slot status
200.1.1.1 1.1.1.1 QM_IDLE 1009 0 ACTIVE
IPsec-1#sh cry ipsec sa
interface: Virtual-Access2
Crypto map tag: Virtual-Access2-head-0, local addr 200.1.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
current_peer 1.1.1.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 200.1.1.1, remote crypto endpt.: 1.1.1.1
path mtu 1514, ip mtu 1514
current outbound spi: 0x43C4D43C(1136972860)
inbound esp sas:
spi: 0x6961ED15(1768025365)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 15, flow_id: SW:15,
crypto map: Virtual-Access2-head-0
sa timing: remaining key lifetime (k/sec): (4435562/3364)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x43C4D43C(1136972860)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 16, flow_id: SW:16,
crypto map: Virtual-Access2-head-0
sa timing: remaining key lifetime (k/sec): (4435562/3363)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
IPsec-1#sh ip rou
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1,
L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default,
U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 192.168.1.254 to network 0.0.0.0
200.1.1.0/32 is subnetted, 1 subnets
C 200.1.1.1 is directly connected, Loopback0
172.20.0.0/24 is subnetted, 1 subnets
C 172.20.1.0 is directly connected, FastEthernet0/1
10.0.0.0/24 is subnetted, 1 subnets
S 10.1.1.0 [1/0] via 0.0.0.0, Virtual-Access2
C 192.168.1.0/24 is directly connected, FastEthernet0/0
S* 0.0.0.0/0 [1/0] via 192.168.1.254
IPsec-1#sh int virtual-access 2
Virtual-Access2 is up, line protocol is up
Hardware is Virtual Access interface
Interface is unnumbered. Using address of Loopback0 (200.1.1.1)
MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL
Tunnel vaccess, cloned from Virtual-Template1
Vaccess status 0x0, loopback not set
Keepalive not set
Tunnel source 200.1.1.1 (Loopback0), destination 1.1.1.1
Tunnel protocol/transport IPSEC/IP
Tunnel TTL 255
Fast tunneling enabled
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Tunnel protection via IPsec (profile "vti")
Last input never, output never, output hang never
Last clearing of "show interface" counters 22:36:02
Input queue: 0/75/0/0 (size/max/drops/flushes);
Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
46 packets input, 4600 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
21 packets output, 2100 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 output buffer failures, 0 output buffers swapped out
7.2. IPsec-2 Show Commands
IPsec-2#sh cry isa sa
IPv4 Crypto ISAKMP SA
Dst src state conn-id slot status
200.1.1.1 2.2.2.2 QM_IDLE 13002 0 ACTIVE
IPsec-2#sh cry ipsec sa
interface: Virtual-Access2
Crypto map tag: Virtual-Access2-head-0, local addr 200.1.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (172.20.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.1.2.0/255.255.255.0/0/0)
current_peer 2.2.2.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 200.1.1.1, remote crypto endpt.: 2.2.2.2
path mtu 1514, ip mtu 1514
current outbound spi: 0xA39C41F0(2744926704)
inbound esp sas:
spi: 0xF3B45D4(255542740)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2007, flow_id: VAM2:7,
crypto map: Virtual-Access2-head-0
sa timing: remaining key lifetime (k/sec): (4392505/3072)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xA39C41F0(2744926704)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2008, flow_id: VAM2:8,
crypto map: Virtual-Access2-head-0
sa timing: remaining key lifetime (k/sec): (4392505/3071)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
IPsec-2#sh ip rou
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1,
L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default,
U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 192.168.2.254 to network 0.0.0.0
200.1.1.0/32 is subnetted, 1 subnets
C 200.1.1.1 is directly connected, Loopback0
172.20.0.0/24 is subnetted, 1 subnets
C 172.20.1.0 is directly connected, FastEthernet0/1
10.0.0.0/24 is subnetted, 1 subnets
S 10.1.2.0 [1/0] via 0.0.0.0, Virtual-Access2
C 192.168.2.0/24 is directly connected, FastEthernet0/0
S* 0.0.0.0/0 [1/0] via 192.168.2.254
IPsec-2#sh int virtual-access 2
Virtual-Access2 is up, line protocol is up
Hardware is Virtual Access interface
Interface is unnumbered. Using address of Loopback0 (200.1.1.1)
MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL
Tunnel vaccess, cloned from Virtual-Template1
Vaccess status 0x0, loopback not set