During normal operation, the routes from main office to individual branch offices run via the switching nodes. These routes must be adapted for backup situations. For this adaptation to be performed automatically, "Simplified RAS with certificates" is enabled in the VPN gateways at the main office. This allows a shared configuration to apply for all incoming connections (using default settings) if the certificates of the remote sites have been signed with the root certificate of the VPN gateways in the main office. This also allows remote sites to select the remote network. The routers at the branch offices can then suggest a network (during IKE negotiations in phase 2) to be used for the connection.
The routing information at the switching nodes must also be adapted in backup situations. The switching nodes are normally accessed directly from the branch offices. In backup situations, the switching nodes must be able to receive the data from the branch offices via the main office detour. This is made possible with a route that transmits the entire combined network (10.x.0.0/255.255.0.0 in the example or, if communication with other nodes is to be possible: 10.0.0.0/255.0.0.0) to the main office.
In order for the routes to be switched automatically, "Allow remote site to select the remote network" must also be activated at the switching nodes.
This results in the following sequence of events when establishing VPN connections:
- The switching node establishes the connection to the main office and requests all network relationships to the branch offices (i.e. it requests the 10.x.0.0/255.255.0.0 network).
- The branch office establishes the connection to the switching node and requests its network (10.x.y.0/255.255.255.0). Data can now be transferred from the branch office to the main office via the switching node.
The following happens if the VPN connection between branch office and main office now fails:
- The switching node detects the loss by polling (DPD) and removes the route to the branch office.
- At some point the branch office establishes the backup connection to the main office and requests its network (10.x.y.0/255.255.255.0). Data can now be transferred from the branch office to the main office. If the networks have been combined and the switching nodes always route the combined network (as in the example, network 10.x.0.0/255.255.0.0 or 10.0.0.0/255.0.0.0) to the main office, data can be transmitted from the branch office to the switching node via the main office.
Once the backup event is over, the branch office reestablishes the primary connection to the switching node:
- The branch office tears down the backup connection and the main office deletes the route to the branch office.
- The branch office again requests its network (10.x.y.0/255.255.255.0) from the switching node. Smooth communication between branch office and switching node now exists again.
Because the branch office network is a sub-network of the network routed by the switching node, immediate communication between branch office and main office via the switching node is also possible again. The main office no longer has its own route to the branch office and therefore resumes transferring data for the branch office via the switching node.
Important: If network addresses cannot be structured as described above, the route to the branch office must be configured statically at the main office and point to the switching node. If the branch office then establishes the backup connection, the statically registered route is overwritten by the dynamically registered route. If the backup connection is torn down again, the dynamic route is deleted and the static route re-enabled. If, in this case, communication between branch offices and switching node is to be guaranteed for backup as well, the routes to the branch offices must also be configured statically in the switching nodes.
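The route changes described in the sequences above (normal operation, failover, recovery, and the static-route variant in the "Important" note) come down to a routing table with longest-prefix matching, dynamic routes learned from a peer's phase-2 network request, and withdrawal of those routes when DPD or a teardown takes the tunnel down. The following simulation is an added example, not LANCOM code or configuration; the site names, the addresses (x=1, y=2 in the 10.x.y.0 scheme, host 10.1.2.10) and the rule that a dynamic route beats a static route of the same length are constructed to mirror the text.

```python
"""Simulate the route switching described in the text.  All site names and
addresses are constructed for the example (not taken from a real device)."""
import ipaddress
from dataclasses import dataclass

LOCAL = "local"  # next hop meaning "deliver on this site's own LAN"


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str
    dynamic: bool  # True = learned from a VPN peer's "remote network" request


class RoutingTable:
    def __init__(self, name):
        self.name = name
        self.routes = []

    def add_static(self, prefix, next_hop):
        self.routes.append(Route(ipaddress.ip_network(prefix), next_hop, False))

    def learn(self, prefix, peer):
        """Tunnel to peer came up and peer requested this network in phase 2."""
        self.routes.append(Route(ipaddress.ip_network(prefix), peer, True))

    def withdraw(self, peer):
        """Tunnel to peer went down (DPD or teardown): only the dynamic routes
        via that peer disappear; static routes stay and take over again."""
        self.routes = [r for r in self.routes
                       if not (r.dynamic and r.next_hop == peer)]

    def lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if addr in r.prefix]
        if not matches:
            return None
        # longest prefix wins; for an identical prefix the dynamically
        # registered route overrides the statically registered one
        best = max(matches, key=lambda r: (r.prefix.prefixlen, r.dynamic))
        return best.next_hop


def trace(tables, start, dst, max_hops=6):
    """Follow next hops from site `start` until the packet is delivered locally."""
    path, site = [start], start
    for _ in range(max_hops):
        nh = tables[site].lookup(dst)
        if nh is None:
            return path + ["unreachable"]
        if nh == LOCAL:
            return path
        path.append(nh)
        site = nh
    return path + ["loop"]


def build_sites(structured):
    """structured=True: combined 10.1.0.0/16 is routed to the main office by the
    switching node (addressing as in the text).  structured=False: the
    'Important' case with static per-branch routes at main office and switch."""
    main, switch, branch = RoutingTable("main"), RoutingTable("switch"), RoutingTable("branch")
    branch.add_static("10.1.2.0/24", LOCAL)  # branch office LAN (constructed)
    if structured:
        switch.add_static("10.1.0.0/16", "main")  # combined network -> main office
    else:
        switch.add_static("10.1.2.0/24", "main")  # static backup route at the switch
        main.add_static("10.1.2.0/24", "switch")  # static route at main office -> switch
    return {"main": main, "switch": switch, "branch": branch}


def run_scenario(structured=True, host="10.1.2.10"):
    """Return the forwarding path to a branch host at each stage of the sequence."""
    t = build_sites(structured)
    stages = {}
    # normal operation: switching node requests the combined network from main,
    # branch requests its own network from the switching node
    if structured:
        t["main"].learn("10.1.0.0/16", "switch")
    t["switch"].learn("10.1.2.0/24", "branch")
    stages["normal"] = trace(t, "main", host)
    stages["normal_from_switch"] = trace(t, "switch", host)
    # branch <-> switch tunnel fails: DPD removes the route, backup tunnel comes up
    t["switch"].withdraw("branch")
    t["main"].learn("10.1.2.0/24", "branch")
    stages["backup"] = trace(t, "main", host)
    stages["backup_from_switch"] = trace(t, "switch", host)
    # backup over: branch tears down the backup tunnel, re-registers at the switch
    t["main"].withdraw("branch")
    t["switch"].learn("10.1.2.0/24", "branch")
    stages["restored"] = trace(t, "main", host)
    return stages


if __name__ == "__main__":
    for structured in (True, False):
        print("structured" if structured else "static routes", run_scenario(structured))
```

Running the script shows the same paths in both addressing variants: `main -> switch -> branch` normally, `main -> branch` and `switch -> main -> branch` during backup, and `main -> switch -> branch` again once the backup tunnel is torn down. In the static variant the dynamic 10.1.2.0/24 route learned from the branch overrides the static route of the same length while the backup tunnel is up, and `withdraw()` leaves the static route in place so it takes over again afterwards.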