SD-WAN over IPSec/GRE/OSPF

In our other scenarios, we talked about SD-WAN over SSLVPN bonding with OSPF and bonding with LACP. In this scenario, we will explore using IPSec over GRE and use OSPF for bonding and dynamic routing purposes. In your actual deployment you may not have dual/multiple Internet connections, e.g. maybe just one link per site; the concept will be the same, it's just that you will only need one tunnel for each site (instead of 2 or more if you need WAN bonding).

  • Can use any type of WAN connection (e.g. fiber, PPPoE, ISP ONT/modem)
  • The HQ gateway must be a CMG; the remote site router can be either a CMG or an HSA depending on link size and number of users (refer to this product sizing guide).

Common use cases

  • Enterprises requiring resilient multiple WAN/Internet connections
  • SD-WAN deployment for remote branches, retail outlets or bank ATM

Deployment notes

  1. The GRE tunnel can be in layer 3 or layer 2 (tap) mode. Layer-2 mode is recommended (note: if you want to use LACP bonding mode, the GRE tunnel must be in tap mode).
  2. As of now, both HQ and remote sites must have static WAN IP addresses for each link (unlike SSLVPN, where the remote site can have a dynamic IP address), because a GRE tunnel is "point-to-point". A future release may support the NHRP protocol to allow all peers to dynamically learn each other's IP addresses.
  3. Load balance traffic across all ISP links using OSPF load balancing features (if there are multiple connections per site). Use "ip ospf cost xx" to tweak the cost of each tunnel if you want to run active/standby taps; otherwise both tunnels will have an OSPF cost of 10 and traffic will be load shared (load balanced) across both tunnels. NOTE: If you change "ip ospf cost xx", do it on both ends, HQ and Remote, for the same tunnel instance, to avoid asymmetric routing problems.
  4. Make sure HQ is always in DR state: set "ip ospf priority 255" on the HQ tunnel interfaces and "ip ospf priority 0" on the remote tunnel interfaces.
  5. In this sample scenario we have only one link on the HQ side and 2 links at the remote site. You can have a different combination of links at each end, as long as the tunnel peers can reach each other. In particular, if you have multiple links you may need to configure PBR or a static route to map each tunnel to its respective physical/exit link.
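Notes 3 and 4 above are easy to get wrong when two boxes are edited by hand, so here is a small pre-deployment check, added as an example and not part of this scenario's own configuration. It assumes a Cisco-style "interface X / ip ospf cost N / ip ospf priority N" block layout and that tunnel instances carry the same interface name on both ends (the product's real CLI is not shown on this page, so both are assumptions); the sample configs are constructed.

```python
import re
from typing import Dict, List

# Constructed sample configs (assumed Cisco-style block syntax).
# tunnel2 deliberately has its cost changed on HQ only, the mistake NOTE 3 warns about.
HQ_CONFIG = """
interface tunnel1
 ip ospf cost 10
 ip ospf priority 255
interface tunnel2
 ip ospf cost 20
 ip ospf priority 255
"""
REMOTE_CONFIG = """
interface tunnel1
 ip ospf cost 10
 ip ospf priority 0
interface tunnel2
 ip ospf cost 10
 ip ospf priority 0
"""

def parse_ospf(config: str) -> Dict[str, Dict[str, int]]:
    """Return {interface: {"cost": N, "priority": N}}.
    Defaults: cost 10 (the page's stated tunnel default), priority 1 (OSPF default)."""
    result: Dict[str, Dict[str, int]] = {}
    current = None
    for line in config.splitlines():
        line = line.strip()
        m = re.match(r"interface\s+(\S+)$", line)
        if m:
            current = m.group(1)
            result[current] = {"cost": 10, "priority": 1}
            continue
        m = re.match(r"ip ospf (cost|priority)\s+(\d+)$", line)
        if m and current is not None:
            result[current][m.group(1)] = int(m.group(2))
    return result

def check_tunnel_pair(hq: str, remote: str) -> List[str]:
    """Flag asymmetric costs (note 3) and wrong DR priorities (note 4) per tunnel instance."""
    findings: List[str] = []
    hq_if, rm_if = parse_ospf(hq), parse_ospf(remote)
    for name in sorted(set(hq_if) | set(rm_if)):
        if name not in hq_if or name not in rm_if:
            findings.append(f"{name}: tunnel instance missing on one end")
            continue
        if hq_if[name]["cost"] != rm_if[name]["cost"]:
            findings.append(f"{name}: ospf cost mismatch HQ={hq_if[name]['cost']} "
                            f"remote={rm_if[name]['cost']} (asymmetric routing risk)")
        if hq_if[name]["priority"] != 255 or rm_if[name]["priority"] != 0:
            findings.append(f"{name}: HQ priority must be 255 and remote 0 so HQ stays DR")
    return findings
```

Run it against both configs before pushing them; an empty list means every tunnel instance has matching costs and the HQ/remote priority split the notes call for.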


CLI CONFIG ON HQ CMG (VPN Server)

-------------------------------------------------


<to be continued>