This white paper provides detailed design and implementation information for deploying IP Security (IPsec) High Availability (HA) with Cisco® Virtual Office. Please refer to the Cisco Virtual Office overview (found at http://www.cisco.com/go/cvo) for further information about the solution, its architecture, and all of its components.
IPSec HA provides an infrastructure for reliable and secure networks, with the goal of providing transparent availability of VPN gateways (such as Cisco IOS
® Software based routers). This feature works well for all IPSec-based networks. In the Cisco Virtual Office solution, IPsec HA can be used to provide redundancy-for example, stateful failover and rollback of the gateways-to provide uninterrupted management connectivity to the spokes. For more details on deploying Cisco Virtual Office, please refer to the links provided in the references section.
In the Cisco Virtual Office deployment, IPsec HA can be incorporated into the management gateways. The topology for the deployment is given in the Cisco Virtual Office overview at
Redundant management gateways can be deployed using IPsec HA as shown in Figure 1.
Figure 1. Topology for Deploying Redundant Management Gateways Using IPsec HA
Note: Both active and standby gateway routers should be the same platform type and have the same encryption card.
The Hot Standby Router Protocol (HSRP) is used to achieve redundancy between the management gateways. The spoke views the virtual IP address of the HSRP as the IP address of the management gateway. This setup allows any failover on management gateways to be transparent to the spoke. Once an IPsec session is established with the active router (management gateway), the corresponding session's Internet Key Exchange (IKE) security associations (SAs) and IPsec SAs are sent to the standby router, using interprocess communication (IPC), and both the active and standby routers maintain the session information of the spoke. When the active management gateway goes down, the standby gateway takes over as active and handles the IPsec sessions transparently. This avoids the need to reestablish the session.
Figure 2 shows the short version of the topology to map the IP addressing with the configuration examples given in the sections that follow.
Figure 2. Topology for Configuration Examples
The configuration examples provided here use public key infrastructure (PKI) so spokes connected using PKI will failover automatically.
The same deployment scenarion will also work with pre-shared keys.
Configuration on Management Gateway 1
! Configures redundancy and enters inter-device configuration mode.
scheme standby ha-in
! The commands below configure interprocess communication (IPC) between the two gateways.
! "IPC zone default" initiates communication link between active and standby routers.
! The subcommand "association" sets up association between active and standby routers and
! uses the Stream Control Transmission Protocol (SCTP) as the transport protocol. The next few
! lines define the local and remote SCTP port and IP address. Note, though, that local port
! defined on this router should match the remote port configured on peer router. The local and
! remote IP address should NOT be virtual IP address. The path-retransmit defines number of
! SCTP retries before failing an association, and retransmit-timeot defines maximum amount of
• IPsec HA is supported only on limited platforms. The platform list includes the Cisco 7206 and 7301 Routers, the Cisco 3800 Integrated Services Router, and the Cisco 6500 Catalyst Switch.
• When a router is first configured for interdevice redundancy, the router has to be reloaded for the configuration to take effect.
• When one of the interfaces of an active router goes down, the standby takes over as active and handles all the operations. However, the previous active undergoes a reload and eventually stabilizes as standby (provided the priority of the router is at or below the current active router).
• It is mandatory that the routers be connected via a hub or a switch. In the event that routers are connected back to back, note that anytime the active router reloads, the standby also reloads. This defeats the purpose of IPsec HA.