In this post we describe high availability for site-to-site IPSec VPN networks. Hot Standby Router Protocol (HSRP) is often used to track routers' interface status and achieve failover between routers.
Here we define the ISAKMP policy and the IKE pre-shared key for IKE authentication. Note that 10.1.234.234 is the HSRP virtual IP address of the remote HSRP routers.
The trick here is to use IKE keepalives to detect the IPSec liveness of the remote VPN router: when HSRP failover happens, the IKE keepalive detects the HSRP router switchover.
Now on R3/R4 we can configure the following:
Here we define HSRP under the interface. HSRP will track the internal interface. An HSRP group name must be configured, and it will be used in the IPSec configuration: the "redundancy" keyword in the crypto map command specifies the HSRP group to which IPSec will be bound.
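The post's own configuration output is not reproduced here; the following is an added example of how the pieces described above (R1 keying to the HSRP virtual IP, IKE keepalives, and the HSRP group handed to the crypto map on R3/R4) fit together. Only the 10.1.234.234 virtual IP comes from the post; the interface names, the R1 address 192.0.2.1, the group name VPNHA, the key, the ACL and the LAN prefixes are assumed values.

```cisco
! R3 (HSRP primary). R4 is identical apart from its own interface
! address and a lower standby priority. All names and addresses other
! than the 10.1.234.234 virtual IP are assumed, not taken from the post.
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp key EXAMPLE-PSK address 192.0.2.1
! Periodic keepalives (DPD) so a peer that disappears is noticed
! instead of waiting for SA lifetime expiry
crypto isakmp keepalive 10 3 periodic
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.3.0 0.0.0.255 10.1.1.0 0.0.0.255
!
crypto map VPNMAP 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set TS
 match address VPN-TRAFFIC
!
! Outside interface: HSRP group whose name is passed to the crypto map,
! so IPSec listens on the virtual IP and follows the active router
interface FastEthernet0/0
 ip address 10.1.234.3 255.255.255.0
 standby 1 ip 10.1.234.234
 standby 1 name VPNHA
 standby 1 priority 110
 standby 1 preempt
 ! Decrement priority below R4's if the inside interface fails
 standby 1 track FastEthernet0/1 20
 crypto map VPNMAP redundancy VPNHA
!
! R1 side: the only difference from a plain site-to-site setup is that
! the key and the peer point at the HSRP virtual IP, never at R3 or R4
crypto isakmp key EXAMPLE-PSK address 10.1.234.234
crypto isakmp keepalive 10 3 periodic
crypto map VPNMAP 10 ipsec-isakmp
 set peer 10.1.234.234
 set transform-set TS
 match address VPN-TRAFFIC
```

After a switchover, R1's keepalives to 10.1.234.234 fail, its ISAKMP and IPSec SAs are cleared, and the next interesting traffic rebuilds them with whichever router is now HSRP active.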
If we test this configuration:
We get the following on R4:
Let's do the R3 configuration now:
In this example we demonstrate how HSRP and IPSec failover work together using the above setup and configuration. In normal operation:
Here we see that R3 is the active router for HSRP.
Now,
When failover occurs, R3, the primary HSRP router, becomes a standby router. Existing ISAKMP and IPSec SAs are torn down. R4 becomes active and establishes new IPSec SAs with R1.
really interesting one.
Yeap indeed!
Thanks for your comment.
You demonstrated the old world way of doing this. On higher end platforms such as 3800 and 7200s, you would enable SSO between the two chassis to pass all the SPI information.
See here:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/white_paper_c11_472859_ps5855_Products_White_Paper.html
BenG, thanks for your comment and link.
Nice info.