HSA6: Ethernet over VPN Bonding

In our previous topics, we discussed about Ethernet over VPN, which extends layer 2 networks across any layer 3 WAN; and we also shared the 3 major methods for bonding VPN tunnel, so that we can aggregate multiple WAN links for VPN connections while maintaining auto failover between links.

In this demo, we will combine both technologies, to fully utilize best of both worlds - bond multiple WAN links (particularly dual LTE sim) and extend layer 2 (LAN) networks across layer 3 WAN (eg. mobile network).

Watch it on youtube.

Below senario shows a typical remote site with dual SIM/LTE connections, and on the HQ site we have a CMG gateway.

  1. Run a VPN tunnel across each LTE connection, eg. dual tunnels for dual SIM
  2. Bond (aggregate) bandwidth of both LTE/tunnel using LACP (more on interface bonding). LACP Bonding technology will take care of load balancing and failover between two tunnels (two LTE connections).
  3. Bridge bonding interface to LAN interface at both CMG and HSA (more on interface bridging), so extend remote LAN to HQ LAN across the dual tunnels.

A few things to take note:

  1. On both CMG and HSA, tunnel must use tap mode (layer 2 tunnel).
  2. On HSA, we use PBR to map each tunnel (which uses different port no.) to respective LTE/SIM connection, so that we can be absolutely sure the tunnels are going through its intended LTE connection
  3. Bonding is point-to-point, so each remote HSA must terminate both tunnels on the same CMG (with different port no. for each tunnel instance), then we bond both tunnels (at both HSA and CMG) into a logical bonding interface. Therefore each remote HSA also requires a dedicated bonding interface on CMG, for a dedicated pair of tap tunnels.
  4. In summary, each peer (CMG-HSA) requires a dedicated set of resources: one bond interface, two tap interface (on CMG it means two instances of SSLVPN services), one bridge interface.
  5. If there're multiple remote sites (multiple HSA), then on CMG we need multiple dedicated sets of resources (as in #4).

Sample config on CMG:

!hostname VPN-HUB!interface eth0 description "Connection to WAN" enable ip address 10.65.19.51/24!!bridge LAN and bond0 together (for extending Ethernet network)interface eth1 enable bridge-group 0!interface bond 0 enable bridge-group 0!interface bridge 0 enable ip address 30.1.1.2/24!interface loopback enable ip address 2.1.2.1/32!ip name-server 8.8.8.8 8.8.4.4!ip ntp-server 203.211.159.1 62.201.225.9!ip default-gateway 10.65.19.78!!Create a dedicated pair of VPN instance for each peer. Allocate tap into bond0security sslvpn-server 1 server address 129.126.169.124 1443 server tap-mode tap bond-group 0 client test-client1 start!security sslvpn-server 2 server address 129.126.169.124 2443 server tap-mode tap bond-group 0 client test-client2 start!firewall-input 10 permit all tcp dport 1443 remark vpn-1firewall-input 11 permit all tcp dport 2443 remark vpn-2firewall-input 12 permit all tcp dport 22 remark SSHfirewall-input 99 permit all!firewall-access 99 permit all!

Sample CLI Config on HSA (please remove any MWAN config)

!!hostname mbox!!bridge LAN and bond0 together (for extending Ethernet network)interface bond0 enable bridge-group br-lan bond-mode 8023ad!!Add VPN client instance and import respective profiles. Allocate tap into bond0security sslvpn-client 1 tap bond-group 0 track-iface lte0 <--this brings down tap1 and remove from bond0 immediately when lte0 fails start!security sslvpn-client 2 tap bond-group 0 track-iface lte1 <--this brings down tap2 and remove from bond0 immediately when lte1 fails start!!map each tap to respective LTE connection using PBRfirewall-set 10 mark 1443 output tcp dport 1443 remark "map to tap1"firewall-set 11 mark 2443 output tcp dport 2443 remark "map to tap2"!ip pbr policy 10 fwmark 1443ip pbr policy 11 fwmark 2443!ip pbr route 10 0.0.0.0/0 nexthop interface 3g-lte0 <--this makes sure tap1 goes through lte0ip pbr route 11 0.0.0.0/0 nexthop interface 3g-lte1 <--this makes sure tap2 goes through lte1!

NOTE: if you're using physical WAN interfaces instead of LTE interface, you need to add the nexthop IP of the interface, eg.

ip pbr route 11 0.0.0.0/0 nexthop 20.20.20.1 interface eth0ip pbr route 11 0.0.0.0/0 nexthop 10.10.10.1 interface eth1.10