This feature is supported by Opengear management appliance firmware 3.10.1 and later. Also required is an Opengear model with a secondary network connection (cellular or Ethernet) for failover.
A common distributed network configuration is to have subnetted remote private LANs (e.g. branch office sites) connected back to a central private LAN (e.g. corporate headquarters) over the WAN. This is typically achieved by either site-to-site VPNs between branch routers and headquarters VPN concentrator, or with a private circuit from your primary network provider.
This topology allows Opengear management appliances at each branch site to transparently route back to the HQ LAN for in-band access to network services such as email server to send alerts, AAA server to authenticate user access, NMS for SNMP monitoring, and Lighthouse 4 for Call Home connections.
When the primary branch WAN connection is down, e.g. during initial provisioning or network outage, the Opengear can be configured to fail over to a separate out-of-band WAN connection, e.g. cellular. For robustness, this connection is typically separate from your primary WAN, so routes to the central HQ LAN are not automatically available.
This article details how to configure the Opengear to maintain connectivity to your central LAN during failover, by using Smart Connection Manager with Auto-Response to dynamically start and stop built-in VPN to your head-end VPN concentrator.
For this example, we’re using a private branch subnet of 10.12.34.0/24 and a central subnet of 10.0.0.0/16. The failover connection is cellular.
Branch Opengear 10.1.1.2
Branch LAN 10.1.1.0/24
HQ Gateway 123.45.67.89
HQ VPN Server 10.0.0.254
HQ Email Server 10.0.0.253
HQ LAN 10.0.0.0/16
1. Configure VPN server
The head-end of the VPN tunnel can be any IPsec or OpenVPN based server, e.g. Cisco ASA/IOS, Checkpoint or Fortinet appliances. This appliance may or may not be the HQ gateway itself; it can also be a separate system behind it.
It’s also possible to use Opengear Lighthouse 4 as the head-end VPN concentrator, which we will demonstrate for this example.
Detailed VPN instructions are beyond the scope of this article, but here is a reference configuration:
On Lighthouse 4, click Configure -> IPsec VPN -> Add.
Tunnel Name | headquarters_to_branch
Initiate Tunnel | <leave unchecked>
Authentication Method | Shared Secret (PSK)
Shared Secret | <choose a secret passphrase>
Authentication Protocol | ESP
Aggressive Mode | <leave unchecked>
IKE Proposal (Phase 1) | Negotiable
Perfect Forward Secrecy | <check>
Left ID | @headquarters
Right ID | <leave blank>
Left Address | <leave blank>
Right Address | <leave blank>
Left Subnet | 10.0.0.0/16 i.e. the network address of the HQ LAN
Right Subnet | 10.1.1.2/32 i.e. the internal address of the branch Opengear
Click New Option three times:
Option Name | dpddelay
Argument | 30
Option Name | dpdtimeout
Argument | 90
Option Name | dpdaction
Argument | clear
Click Apply.
Note: If your VPN server is behind another gateway such as a firewall, ensure the appropriate ports and protocols are allowed and/or forwarded from the gateway's external interface to the VPN server (i.e. UDP port 4500 if you are using Lighthouse 4 or your server supports NAT traversal, or UDP port 500 and IP protocol 50 (ESP)).
2. Configure VPN client
On the branch Opengear, click Serial & Network -> IPsec VPN:
Note: All IPsec VPN tunnels will now be controlled en masse by Auto-Response, i.e. this configuration currently supports a single IPsec VPN tunnel only. OpenVPN supports per-tunnel Auto-Response control.
Control By Auto-Response | <check>
Click Apply, then click Add.
Tunnel Name | branch_to_headquarters
Initiate Tunnel | <check>
Authentication Method | Shared Secret (PSK)
Shared Secret | <re-enter the secret passphrase>
Authentication Protocol | ESP
Aggressive Mode | <leave unchecked>
IKE Proposal (Phase 1) | Negotiable
Perfect Forward Secrecy | <check>
Left ID | @branch
Right ID | @headquarters
Left Address | <leave blank>
Right Address | 123.45.67.89 i.e. the external or forwarded address of the VPN server
Left Subnet | 10.1.1.2/32 i.e. the internal address of the branch Opengear
Right Subnet | 10.0.0.0/16 i.e. the network address of the HQ LAN
Click New Option four times:
Option Name | dpddelay
Argument | 30
Option Name | dpdtimeout
Argument | 90
Option Name | dpdaction
Argument | restart
Option Name | leftsourceip
Argument | 10.1.1.2 i.e. the internal address of the branch Opengear
Click Apply.
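The two tunnel definitions above (steps 1 and 2) must mirror each other exactly: each end's Left Subnet is the other end's Right Subnet, the branch Right ID equals the head-end Left ID, the secret matches, and only the branch initiates. A single mistyped field leaves the tunnel silently never coming up, which you only discover during an outage. The script below is an added example, not Opengear code; it models both ends as dicts built from the tables above, checks them for the usual mismatches, and renders them as Openswan-style ipsec.conf sections. The field-to-keyword mapping (and the `auto`, `left=%defaultroute` and `right=%any` values) is an assumption about how the GUI fields correspond; the appliance generates its own configuration internally.

```python
"""Consistency check for the head-end and branch IPsec tunnel definitions.
Added example, not Opengear code. The ipsec.conf rendering uses standard
Openswan keywords and is an assumed mapping of the GUI fields."""
import ipaddress

# Constructed from the article's tables; the PSK is a placeholder.
HQ_SERVER = {
    "name": "headquarters_to_branch", "initiate": False,
    "psk": "example-passphrase", "pfs": True,
    "left_id": "@headquarters", "right_id": "",
    "left_address": "", "right_address": "",
    "left_subnet": "10.0.0.0/16", "right_subnet": "10.1.1.2/32",
    "options": {"dpddelay": "30", "dpdtimeout": "90", "dpdaction": "clear"},
}
BRANCH_CLIENT = {
    "name": "branch_to_headquarters", "initiate": True,
    "psk": "example-passphrase", "pfs": True,
    "left_id": "@branch", "right_id": "@headquarters",
    "left_address": "", "right_address": "123.45.67.89",
    "left_subnet": "10.1.1.2/32", "right_subnet": "10.0.0.0/16",
    "options": {"dpddelay": "30", "dpdtimeout": "90",
                "dpdaction": "restart", "leftsourceip": "10.1.1.2"},
}


def _net(text):
    """Parse a CIDR string; None if it is not a valid network (e.g. 5 octets)."""
    try:
        return ipaddress.ip_network(text, strict=True)
    except ValueError:
        return None


def check_pair(server, client):
    """Return a list of problems; an empty list means both ends agree."""
    problems = []
    for t in (server, client):
        for key in ("left_subnet", "right_subnet"):
            if _net(t[key]) is None:
                problems.append(f"{t['name']}: {key} {t[key]!r} is not a valid CIDR")
        o = t["options"]
        if int(o.get("dpdtimeout", 90)) <= int(o.get("dpddelay", 30)):
            problems.append(f"{t['name']}: dpdtimeout must exceed dpddelay")
        if not t["initiate"] and o.get("dpdaction") == "restart":
            problems.append(f"{t['name']}: a non-initiating end has no peer "
                            "address to restart towards; use clear")
    if server["psk"] != client["psk"]:
        problems.append("shared secrets differ between the two ends")
    if server["initiate"] or not client["initiate"]:
        problems.append("exactly one end (the branch) should initiate")
    if client["initiate"] and not client["right_address"]:
        problems.append(f"{client['name']}: the initiator needs a Right Address")
    # Each end's "left" is the other end's "right".
    if (server["left_subnet"] != client["right_subnet"]
            or server["right_subnet"] != client["left_subnet"]):
        problems.append("left/right subnets are not mirrored between the two ends")
    if client["right_id"] != server["left_id"]:
        problems.append("branch Right ID does not match head-end Left ID")
    if server["right_id"] and server["right_id"] != client["left_id"]:
        problems.append("head-end Right ID does not match branch Left ID")
    src = client["options"].get("leftsourceip")
    lnet = _net(client["left_subnet"])
    try:
        if src and lnet is not None and ipaddress.ip_address(src) not in lnet:
            problems.append(f"{client['name']}: leftsourceip {src} is outside the Left Subnet")
    except ValueError:
        problems.append(f"{client['name']}: leftsourceip {src!r} is not a valid address")
    return problems


def to_ipsec_conf(t):
    """Render one tunnel as an Openswan-style conn section (assumed mapping)."""
    lines = [f"conn {t['name']}",
             f"    auto={'start' if t['initiate'] else 'add'}",
             "    authby=secret",
             f"    pfs={'yes' if t['pfs'] else 'no'}",
             "    aggrmode=no",
             f"    left={t['left_address'] or '%defaultroute'}",
             f"    right={t['right_address'] or '%any'}"]
    for key, kw in (("left_id", "leftid"), ("right_id", "rightid"),
                    ("left_subnet", "leftsubnet"), ("right_subnet", "rightsubnet")):
        if t[key]:
            lines.append(f"    {kw}={t[key]}")
    lines += [f"    {kw}={val}" for kw, val in t["options"].items()]
    return "\n".join(lines)


if __name__ == "__main__":
    for line in check_pair(HQ_SERVER, BRANCH_CLIENT) or ["no problems found"]:
        print(line)
    print(to_ipsec_conf(HQ_SERVER), to_ipsec_conf(BRANCH_CLIENT), sep="\n\n")
```

Run it once with the values you actually entered into both GUIs before forcing a failover; a five-octet address such as `10.1.1.1.2/32` is reported as an invalid CIDR and as a subnet mismatch, which is exactly the kind of error that otherwise only shows up as a tunnel that never negotiates.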
3. Configure the failover interface
For this example, we are using a cellular-enabled Opengear at the branch office.
On the branch Opengear, click System -> Dial -> Internal Cellular Modem -> Enable Dial-Out.
Control via Auto-Response | <leave unchecked>
Complete the remaining fields as per your carrier’s details.
Note: If you are using internal DNS names to specify internal servers (e.g. an email server for alerts), you may also choose to Override Returned DNS Servers and use the DNS servers on your HQ LAN.
Click Apply.
4. Configure branch primary interface for failover
On the branch Opengear, click System -> IP -> Network Interface, then scroll down to Failover:
Failover Interface | Internal Cellular Modem
Dormant Failover Interface | <check>
Primary Probe Address | 10.0.0.254 i.e. any internal address on the HQ LAN
Click Apply.
5. Start VPN on failover
On the branch Opengear, click Alerts & Logging -> Auto-Response -> New Auto-Response.
Name | Start VPN Failover
Reset Timeout | 0
Repeat Trigger Actions | <leave unchecked>
Repeat Trigger Action Delay | 0
Disable at Specific Times | <leave unchecked>
Under Check Conditions, select Network Interface Event.
Interface | Network Interface
Events | Down
Under Trigger Actions, select Perform Interface Action.
Action Name | Start VPN
Action Delay Time | 0
Interface | IPsec VPN Service
Action | Start Interface
Click Save New Action, Save Auto-Response, then Return to Auto-Response List.
6. Stop VPN on fail-forward
On the branch Opengear, click Alerts & Logging -> Auto-Response -> New Auto-Response.
Name | Stop VPN Failover
Reset Timeout | 0
Repeat Trigger Actions | <leave unchecked>
Repeat Trigger Action Delay | 0
Disable at Specific Times | <leave unchecked>
Under Check Conditions, select Network Interface Event.
Interface | Network Interface
Events | Up
Under Trigger Actions, select Perform Interface Action.
Action Name | Stop VPN
Action Delay Time | 0
Interface | IPsec VPN Service
Action | Stop Interface
Click Save New Action, Save Auto-Response, then Return to Auto-Response List.
7. Test
Force a failover on the branch Opengear e.g. by setting the System -> IP -> Network Interface -> Probe Address to an unreachable address, or disconnecting the branch LAN and connecting directly via a laptop.
Monitor failover status under Status -> Statistics -> Failover & Out-of-Band.
Once failed over, test that you can reach the corporate HQ over the VPN by clicking Manage -> Terminal, logging in to the Opengear CLI and running the command below to ping e.g. an email server or other system on the HQ LAN:
ping -I ipsec0 10.0.0.253