Solutions for Remote-Access VPN High Availability


The availability of a remote access VPN infrastructure is largely centered around the concentration point of RAVPN tunnels. This chapter has focused on presenting design scenarios that can be used to increase the availability of RAVPN concentration points. The designs presented in this chapter include:

  • Resilient RAVPN Concentrator Cluster Designs with VRRP

  • Resilient RAVPN Concentrator Cluster Designs with HSRP

  • Resilient RAVPN Concentrator Cluster Designs with VCA

  • Geographically Resilient Concentrator Designs with DNS-Based Load Balancing to HSRP Virtual Interfaces

  • Geographically Resilient Concentrator Designs with DNS-Based Load Balancing to VCA Virtual IP Addresses

All of the RAVPN design concepts discussed in this chapter can be deployed in tandem to maximize RAVPN accessibility for IPsec VPN clients. However, tying all of these components together can be daunting. Keeping that in mind, it is helpful to approach designing HA and load balancing into the RAVPN using the layered format presented in this chapter:

Step 1.
Design Local HA for IPsec VPN Concentrators: First, ensure that the VPN concentrator located at the Internet Edge is available to the IPsec VPN clients. This can be accomplished using the following methods discussed in this chapter:

  • VRRP-Based Stateless IPsec VPN Tunnel Termination

  • HSRP-Based Stateful IPsec VPN Tunnel Termination

  • VCA Concentrator Clustering

  • DNS-Based Redundancy to Standalone Concentrators

Step 2.
Incorporate Intracluster Load-Balancing Techniques: Second, once the concentrator cluster has been designed using one of the above Local HA methods, investigate the available options for load balancing within the redundancy method selected:

  • DNS-Based Load Balancing to Multiple Standalone Concentrators

  • VCA Session and Platform-Aware IPsec Session Load Balancing

Step 3.
Incorporate Geographic HA Techniques: Lastly, once the concentrator cluster is highly available and properly load balancing IPsec sessions across the various concentrators in the cluster, administrators should evaluate the benefits of incorporating multiple, geographically redundant concentrator clusters into the RAVPN design. The two methods for providing Geographic HA between IPsec VPN clients and multiple IPsec VPN concentrators discussed in this chapter are:

  • Resolving a single concentrator hostname to multiple IPsec VPN concentrator public IP addresses, or, if VRRP/HSRP is used, multiple VRRP/HSRP Virtual Router IP addresses corresponding to different VRRP/HSRP groups.

  • Defining multiple IPsec VPN peers in the VPN client's IPsec profile.

In this chapter, we have covered the basic construction of a remote access VPN deployment, and applied the Local and Geographic HA concepts discussed in Chapters 6 and 7 to that construct to yield several highly available RAVPN design alternatives. In addition to RAVPN HA, we have embedded several effective means by which to load balance inbound client IPsec VPN sessions on a concentrator cluster. Lastly, the concept of multiple peers was introduced to provide the clients with Geographic HA by leveraging the use of geographically dispersed and redundant IPsec VPN concentrator clusters.
