The subject of backup connections is vital to the availability of business-critical applications, especially at distributed sites with several branch offices connected via VPN to the main office. The subject of backups is easy to resolve where routers at the branch offices connect directly to redundant routers at the main office: If a router at the main office cannot be reached over the Internet, the branch office simply dials in to another router at the main office. RIP ensures that the devices can communicate over the available routes.
However, in very large networks branch offices are rarely connected directly to the main office. Instead, several sites initially merge at switching nodes, and these in turn are connected to the main office. If the branch office temporarily loses contact with the switching node, the branch office could establish a direct backup connection to the main office.
However, this only works via an ISDN or cellular connection, often an undesirable solution due to the costs and limited bandwidth. A parallel backup connection directly over VPN does not achieve the objective for the following reasons:
- Only the switching nodes are defined as VPN remote sites in the main office – all routes to the branch offices pass through these switching nodes. If a branch office attempts to establish a direct connection to the main office, the attempt is rejected. And even if this connection were successful, the routes to the branch offices via the switching nodes remain in place at the main office because the switching node is, from the viewpoint of the main office, still accessible.
- The switching node knows nothing about any potential direct connection from the branch office to the main office. It therefore cannot access the destinations in the network at the branch office by detouring via the main office.
- Both the network of the switching node and the network of the branch office are accessible from the main office via the standard VPN connection. However, a direct VPN connection of the branch office to the main office only provides access to the branch-office network. It is because of these different characteristics that the router at the main office cannot accept the direct connection as a backup for the standard connection.
- The branch office can no longer establish the standard connection to the switching node because the principle of unambiguousness in IPsec rules does not permit a second connection with the same set of rules. Along with the specifications on encryption, IPsec rules also contain "network relationships", i.e. the IP addresses of the networks at both ends of the connection. These network relationships may only appear once in the VPN rule set. For a backup, however, two rules would have to exist for the same network relationship – once for the backup connection and once for the newly established primary connection.
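The first and last of these points can be checked against a small model. The following Python script is an added example, not code from the original page or from any router vendor: it models the main-office routing table (a route stays usable only while its next-hop VPN site is reachable, and the most specific prefix, then the lowest metric, wins) and a VPN rule set that enforces the uniqueness of network relationships. All site names and prefixes (switching-node, branch-05, 10.20.0.0/16, 10.20.5.0/24, 10.0.0.0/16) are constructed for the illustration. With the switching node still reachable from the main office, the branch network continues to be routed via the switching node even when a direct tunnel exists; and the branch office cannot add a backup rule for a network relationship its primary rule already uses.

```python
"""Constructed model of why a direct backup VPN does not take over
(added example; all names and prefixes are made up for illustration)."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    via: str      # name of the VPN remote site the route points at
    metric: int   # lower wins when the prefix length is equal


class RouteTable:
    """Routing table of the main-office router (constructed model)."""

    def __init__(self) -> None:
        self.routes: list = []
        self.reachable: set = set()

    def add(self, prefix: str, via: str, metric: int = 1) -> None:
        self.routes.append(Route(ip_network(prefix), via, metric))

    def set_reachable(self, site: str, up: bool) -> None:
        # A route is only usable while its next-hop VPN site is reachable.
        if up:
            self.reachable.add(site)
        else:
            self.reachable.discard(site)

    def lookup(self, dst: str) -> Optional[str]:
        """Return the VPN site used to reach dst, or None if unreachable."""
        addr = ip_address(dst)
        usable = [r for r in self.routes
                  if r.via in self.reachable and addr in r.prefix]
        if not usable:
            return None
        # Longest prefix first, then the lowest metric.
        best = max(usable, key=lambda r: (r.prefix.prefixlen, -r.metric))
        return best.via


@dataclass(frozen=True)
class IpsecRule:
    peer: str
    local_net: IPv4Network
    remote_net: IPv4Network


class IpsecRuleSet:
    """Each network relationship (local_net, remote_net) may appear once."""

    def __init__(self) -> None:
        self._rules: dict = {}

    def add(self, peer: str, local_net: str, remote_net: str) -> None:
        key = (ip_network(local_net), ip_network(remote_net))
        if key in self._rules:
            other = self._rules[key].peer
            raise ValueError(
                f"network relationship {key[0]} <-> {key[1]} "
                f"is already used by the rule to {other}")
        self._rules[key] = IpsecRule(peer, *key)


def main_office_next_hop_for_branch(direct_tunnel_up: bool,
                                    switching_node_up: bool) -> Optional[str]:
    """Which VPN site the main office uses to reach a branch-office host."""
    rt = RouteTable()
    rt.add("10.20.0.0/16", via="switching-node")   # region behind the node
    rt.add("10.20.5.0/24", via="switching-node")   # branch office via the node
    rt.set_reachable("switching-node", switching_node_up)
    if direct_tunnel_up:
        # Even if the main office accepted the direct tunnel, it would only
        # add a second, less preferred route for the branch network.
        rt.add("10.20.5.0/24", via="branch-05", metric=10)
        rt.set_reachable("branch-05", True)
    return rt.lookup("10.20.5.10")


def branch_office_backup_rule_accepted() -> bool:
    """Can the branch office add a backup rule beside its primary rule?"""
    rules = IpsecRuleSet()
    rules.add("switching-node", "10.20.5.0/24", "10.0.0.0/16")   # primary
    try:
        rules.add("main-office", "10.20.5.0/24", "10.0.0.0/16")  # backup
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    print("direct tunnel up, node reachable :",
          main_office_next_hop_for_branch(True, True))
    print("direct tunnel up, node down      :",
          main_office_next_hop_for_branch(True, False))
    print("backup rule accepted             :",
          branch_office_backup_rule_accepted())
```

Only when the switching node itself becomes unreachable from the main office does the lookup fall through to the direct tunnel; a branch office that merely lost its own link to the switching node gains nothing, which is the situation the text describes.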