Ethernet over VPN Bonding (LACP)

In our previous topics we discussed Ethernet over VPN, which extends layer 2 networks across any layer 3 WAN, and we shared the three main methods for bonding VPN tunnels, so that multiple WAN links can be aggregated for VPN connections while keeping automatic failover between links.

In this demo we combine both technologies to get the best of both worlds: bond multiple WAN links (in particular, dual LTE SIMs) and extend the layer 2 (LAN) network across a layer 3 WAN (e.g. a mobile network).

Watch it on YouTube.

The scenario below shows a typical remote site with dual SIM/LTE connections; on the HQ site we have a CMG gateway.

A few things to note:

Sample config on CMG:

!
hostname VPN-HUB
!
interface eth0
 description "Connection to WAN"
 enable
 ip address 10.65.19.51/24
!
!bridge LAN and bond0 together (for extending Ethernet network)
interface eth1
 enable
 bridge-group 0
!
interface bond 0
 enable
 bridge-group 0
 mode 8023ad
!
interface bridge 0
 enable
 ip address 30.1.1.2/24
!
interface loopback
 enable
 ip address 2.1.2.1/32
!
ip name-server 8.8.8.8 8.8.4.4
!
ip ntp-server 203.211.159.1 62.201.225.9
!
ip default-gateway 10.65.19.78
!
!Create a dedicated pair of VPN instances for each peer. Allocate each tap into bond0
security sslvpn-server 1
 server address 129.126.169.124 1443
 server tap-mode tap bond-group 0
 client test-client1
 start
!
security sslvpn-server 2
 server address 129.126.169.124 2443
 server tap-mode tap bond-group 0
 client test-client2
 start
!
firewall-input 10 permit all tcp dport 1443 remark vpn-1
firewall-input 11 permit all tcp dport 2443 remark vpn-2
firewall-input 12 permit all tcp dport 22 remark SSH
firewall-input 99 permit all
!
firewall-access 99 permit all
!

Sample CLI config on HSA (please remove any MWAN config first):

!
!
hostname mbox
!
!bridge LAN and bond0 together (for extending Ethernet network)
interface bond0
 enable
 bridge-group br-lan
 bond-mode 8023ad
!
!Add a VPN client instance for each tunnel and import the respective profiles. Allocate each tap into bond0
security sslvpn-client 1
 tap bond-group 0
 track-iface lte0   <-- this brings down tap1 and removes it from bond0 immediately when lte0 fails
 start
!
security sslvpn-client 2
 tap bond-group 0
 track-iface lte1   <-- this brings down tap2 and removes it from bond0 immediately when lte1 fails
 start
!
!map each tap to its respective LTE connection using PBR
firewall-set 10 mark 1443 output tcp dport 1443 remark "map to tap1"
firewall-set 11 mark 2443 output tcp dport 2443 remark "map to tap2"
!
ip pbr policy 10 fwmark 1443
ip pbr policy 11 fwmark 2443
!
ip pbr route 10 0.0.0.0/0 nexthop interface 3g-lte0   <-- this makes sure tap1 goes through lte0
ip pbr route 11 0.0.0.0/0 nexthop interface 3g-lte1   <-- this makes sure tap2 goes through lte1
!

NOTE: if you're using physical WAN interfaces instead of LTE interfaces for PBR, you need to specify both the next-hop IP and the interface, e.g.:

!
ip pbr route 11 0.0.0.0/0 nexthop 20.20.20.1 interface eth0
ip pbr route 11 0.0.0.0/0 nexthop 10.10.10.1 interface eth1.10
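For readers who want to reproduce the HSA side on a plain Linux router, the following script is an added example (not the vendor's CLI and not from the original post) that mirrors the same design with iproute2 and iptables: both VPN taps enslaved into an 802.3ad bond, the bond bridged with the LAN port, and each tunnel's TCP control port marked and policy-routed out of its own LTE link. It assumes the VPN clients create tap1 and tap2, the LTE links are wwan0 and wwan1, and the LAN port is eth1 (all assumed names); with DRY_RUN=1 it only prints the commands, which is the mode to use before touching a live router. The last function checks /proc/net/bonding to confirm that both taps actually reached "MII Status: up" inside the bond, which is the first thing to look at when one LTE path silently carries no traffic.

```shell
#!/bin/sh
# Added example: Linux equivalent of the HSA-side bonded Ethernet-over-VPN config.
# Assumed names: tap1/tap2 (VPN taps), wwan0/wwan1 (LTE links), eth1 (LAN port).
# DRY_RUN=1 prints each command instead of executing it.

run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "$*"
  else
    "$@"
  fi
}

configure_bonded_vpn() {
  # 1. bond0 in 802.3ad mode; slaves must be down before they are enslaved
  run ip link add bond0 type bond mode 802.3ad miimon 100
  run ip link set tap1 down
  run ip link set tap2 down
  run ip link set tap1 master bond0
  run ip link set tap2 master bond0
  run ip link set bond0 up

  # 2. bridge bond0 with the LAN port so the layer 2 segment extends over the WAN
  run ip link add br-lan type bridge
  run ip link set bond0 master br-lan
  run ip link set eth1 master br-lan
  run ip link set br-lan up

  # 3. mark each tunnel's outbound TCP control connection (same marks as the page)
  run iptables -t mangle -A OUTPUT -p tcp --dport 1443 -j MARK --set-mark 1443
  run iptables -t mangle -A OUTPUT -p tcp --dport 2443 -j MARK --set-mark 2443

  # 4. policy routing: each mark gets its own table with a default route via one LTE link
  run ip rule add fwmark 1443 table 10
  run ip rule add fwmark 2443 table 11
  run ip route add default dev wwan0 table 10
  run ip route add default dev wwan1 table 11
}

# Number of bond slaves reporting "MII Status: up"; $1 is the bonding status file
# (default /proc/net/bonding/bond0). The bond's own MII line precedes any slave and
# is skipped. A tap stuck at "down" means that tunnel never joined the aggregator.
active_slaves() {
  f="${1:-/proc/net/bonding/bond0}"
  [ -r "$f" ] || { echo 0; return; }
  awk '/^Slave Interface:/ {s++} /^MII Status: up/ && s>0 {u++} END {print u+0}' "$f"
}
```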