- IPSec Configuration
- VPN Routing Using Border Gateway Protocol (BGP)
- Implementation Experience
Conceptually, routing with BGP in a VPN environment is identical to the use of BGP to provide redundant routing across firewalls, as discussed in Chapter 9 of High Availability Networking with Cisco (Addison-Wesley, 2001, ISBN 0-201-70455-2). Unlike the examples in that chapter, you no longer need to deal with the complications of network address translation or untrustworthy peers. However, a number of "tricks" are still required to get everything to work correctly, particularly if BGP is also in use for other purposes.
For example, if both routers are configured to be in the same autonomous system (which I recommend to keep the design simple), the session between them is iBGP, and BGP synchronization must be disabled; otherwise, iBGP-learned routes are not installed in the local routing table unless an IGP also carries them, which in this design it does not. Reducing the BGP keepalive and hold timers from their defaults (60 and 180 seconds) is usually also desirable to minimize the time needed to detect a VPN failure. However, that must be balanced against the extra keepalive packets that shorter timer values will send across the VPN. Users of low-end routers may also discover that BGP is not supported on the routers they currently have installed, and software and/or hardware upgrades may be required.
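The following Cisco IOS fragment is an added illustration of the two settings just discussed, not a configuration taken from the book or from the referenced chapter. It assumes a private autonomous system number (65000), that the peer is reached at 10.0.0.2 across the VPN, and that 192.168.1.0/24 is the local network to be advertised; all three values are placeholders.

```cisco
router bgp 65000
 ! Both VPN routers sit in AS 65000, so this session is iBGP.
 ! Disable synchronization so iBGP-learned routes are installed without
 ! requiring an IGP to also know them (IOS releases before 12.2(8)T
 ! enable synchronization by default; later releases disable it).
 no synchronization
 bgp log-neighbor-changes
 ! Peer address is the far end of the VPN (assumed value).
 neighbor 10.0.0.2 remote-as 65000
 ! Keepalive 10 s / hold time 30 s instead of the 60/180 defaults:
 ! a dead VPN is detected in roughly 30 s at the cost of one extra
 ! keepalive every 10 s across the tunnel. Both peers should use
 ! the same values; BGP negotiates down to the smaller hold time.
 neighbor 10.0.0.2 timers 10 30
 ! Local network advertised to the peer (assumed value).
 network 192.168.1.0 mask 255.255.255.0
```

To confirm the negotiated timers and that synchronization is off, check `show ip bgp neighbors 10.0.0.2` (look for the hold time and keepalive interval lines) and `show ip bgp summary`; routes learned over the session should then appear in `show ip route bgp` with the iBGP administrative distance of 200.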
Despite these challenges, the bottom line is that VPN usage need not be restricted solely to applications with low or modest availability requirements. Network availability in a VPN environment can be significantly enhanced through support of redundant communications links, either in the form of VPNs through other ISPs or, as discussed here, via dial backup. The key is to use a routing protocol that can detect a VPN failure despite the operational limitations inherent in a VPN environment.