Downloads |
Table Of Contents
Prerequisites for IPsec Preferred Peer
Restrictions for IPsec Preferred Peer
Information About IPsec Preferred Peer
IPsec Idle-Timer Usage with Default Peer
How to Configure IPsec Preferred Peer
Configuration Examples for IPsec Preferred Peer
Configuring a Default Peer: Example
Configuring the IPsec Idle Timer: Example
set security-association idle-time
Feature Information for IPsec Preferred Peer
IPsec Preferred Peer
First Published: March 28, 2005Last Updated: August 21, 2007The IP Security (IPsec) Preferred Peer feature allows you to control the circumstances by which multiple peers on a crypto map are tried in a failover scenario.
This feature includes the following capabilities:
•
Default peer configuration
•
Finding Feature Information in This Module
Your Cisco IOS software release may not support all of the features documented in this module. To reach links to specific feature documentation in this module and to see a list of the releases in which each feature is supported, use the "Feature Information for IPsec Preferred Peer" section.
Finding Support Information for Platforms and Cisco IOS and Catalyst OS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Contents
•
•
•
•
•
•
Prerequisites for IPsec Preferred Peer
•
Restrictions for IPsec Preferred Peer
Default peer:
•
•
•
IPsec idle-timer usage with default peer:
•
•
Information About IPsec Preferred Peer
To configure IPsec Preferred Peer, you need to understand the following concepts:
•
IPsec
IPsec is a framework of open standards developed by the Internet Engineering Task Force (IETF). IPsec provides security for transmission of sensitive information over unprotected networks such as the Internet. IPsec acts at the network layer, protecting and authenticating Internet Protocol (IP) packets between participating IPsec devices (peers), such as Cisco routers.
IPsec provides the following network security services. These services are optional. In general, local security policy dictates the use of one or more of these services:
•
•
•
•
With IPsec, data can be transmitted across a public network without fear of observation, modification, or spoofing. This enables applications such as Virtual Private Networks (VPNs), including intranets, extranets, and remote user access.
IPsec provides secure tunnels between two peers, such as two routers. You define which packets are considered sensitive and should be sent through these secure tunnels, and you define the parameters that should be used to protect these sensitive packets, by specifying characteristics of these tunnels. When the IPsec peer sees such a sensitive packet, it sets up the appropriate secure tunnel and sends the packet through the tunnel to the remote peer.
Dead Peer Detection
The VPN Client uses a keepalive mechanism called Dead Peer Detection (DPD) to check the availability of the VPN device on the other side of an IPsec tunnel. If the network is unusually busy or unreliable, you can increase the number of seconds that the VPN Client will wait before deciding whether the peer is no longer active.
Keepalive packets are not sent if traffic is received. This lowers the overhead associated with DPD, because on a heavily loaded network very few keepalive packets will be sent because traffic is being received on the tunnels. In addition, DPD sends keepalive packets only if there is user traffic to send (and no user traffic is received).
You can configure Internet Key Exchange (IKE) DPD so that DPD sends the keepalive packets whether or not there is outbound user data. That is, as long as there is no inbound user data, the keepalive packets are sent at the configured keepalive interval.
Default Peer Configuration
If a connection timeout occurs, the connection to the current peer is closed. The set peer command allows you to configure the first peer as the default peer. If there is a default peer, the next time a connection is initiated, the connection is directed to the default peer instead of to the next peer in the peer list. If the default peer is unresponsive, the next peer in the peer list becomes the current peer and future connections through the crypto map try that peer.
This capability is useful when traffic on a physical link stops due to the failure of a remote peer. DPD indicates that the remote peer is unavailable, but that peer remains the current peer.
A default peer facilitates the failover to a preferred peer that was previously unavailable, but has returned to service. Users can give preference to certain peers in the event of a failover. This is useful if the original failure was due to a network connectivity problem rather than failure of the remote peer.
Idle Timers
When a router running Cisco IOS software creates an IPsec security association (SA) for a peer, resources must be allocated to maintain the SA. The SA requires both memory and several managed timers. For idle peers, these resources are wasted. If enough resources are wasted by idle peers, the router could be prevented from creating new SAs with other peers.
IPsec SA idle timers increase the availability of resources by deleting SAs associated with idle peers. Because IPsec SA idle timers prevent the wasting of resources by idle peers, more resources are available to create new SAs when required.
If IPsec SA idle timers are not configured, only the global lifetimes for IPsec SAs are applied. SAs are maintained until the global timers expire, regardless of peer activity.
IPsec Idle-Timer Usage with Default Peer
If all connections to the current peer time out, the next time a connection is initiated it is directed to the default peer configured in the set peer command. If a default peer is not configured and there is a connection timeout, the current peer remains the one that timed out.
This enhancement helps facilitate a failover to a preferred peer that was previously unavailable but is in service now.
Peers on Crypto Maps
A crypto map set can contain multiple entries, each with a different access list. The router searches the crypto map entries in order, and attempts to match the packet to the access list specified in that entry.
When a packet matches a permit entry in a particular access list, and the corresponding crypto map entry is tagged as Cisco, connections are established with the remote peer as specified in the set peer statements within the crypto map.
How to Configure IPsec Preferred Peer
This section contains the following procedures:
•
•
Configuring a Default Peer
To configure a default peer, perform the following steps.
SUMMARY STEPS
1.
2.
3.
4.
5.
DETAILED STEPS
Configuring the Idle Timer
To configure the idle timer, perform the following steps.
SUMMARY STEPS
1.
2.
3.
4.
5.
DETAILED STEPS
Configuration Examples for IPsec Preferred Peer
•
•
Configuring a Default Peer: Example
The following example shows that the first peer, at IP address 10.1.1.1, is the default peer:
crypto map tohub 1 ipsec-isakmpset peer 10.1.1.1 defaultset peer 10.2.2.2Configuring the IPsec Idle Timer: Example
In the following example, if the current peer is idle for 120 seconds, the default peer 10.1.1.1 (which was specified in the set peer command) is used for the next attempted connection:
crypto map tohub 1 ipsec-isakmpset peer 10.1.1.1 defaultset peer 10.2.2.2set security-association idletime 120 defaultAdditional References
The following sections provide references related to IPsec Preferred Peer.
Related Documents
Standards
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.
—
MIBs
RFCs
No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.
—
Technical Assistance
Command Reference
This section documents only commands that are new or modified.
•
set peer (IPsec)
To specify an IP Security (IPsec) peer in a crypto map entry, use the set peer command in crypto map configuration mode. To remove an IPsec peer from a crypto map entry, use the no form of this command.
set peer {host-name [dynamic] [default] | ip-address [default] }
no set peer {host-name [dynamic] [default] | ip-address [default] }
Syntax Description
Command Default
No peer is defined.
Command Modes
Crypto map configuration
Command History
Usage Guidelines
Use this command to specify an IPsec peer for a crypto map.
This command is required for all static crypto maps. If you are defining a dynamic crypto map (with the crypto dynamic-map command), this command is not required, and in most cases is not used (because, in general, the peer is unknown).
For crypto map entries created with the crypto map map-name seq-num ipsec-isakmp command, you can specify multiple peers by repeating this command. The peer that packets are actually sent to is determined by the last peer that the router heard from (received either traffic or a negotiation request from) for a given data flow. If the attempt fails with the first peer, Internet Key Exchange (IKE) tries the next peer on the crypto map list.
For crypto map entries created with the crypto map map-name seq-num ipsec-manual command, you can specify only one IPsec peer per crypto map. If you want to change the peer, you must first delete the old peer and then specify the new peer.
You can specify the remote IPsec peer by its hostname only if the hostname is mapped to the peer's IP address in a DNS or if you manually map the hostname to the IP address with the ip host command.
The dynamic Keyword
When specifying the hostname of a remote IPsec peer via the set peer command, you can also issue the dynamic keyword, which defers DNS resolution of the hostname until right before the IPsec tunnel has been established. Deferring resolution enables the Cisco IOS software to detect whether the IP address of the remote IPsec peer has changed. Thus, the software can contact the peer at the new IP address.
If the dynamic keyword is not issued, the hostname is resolved immediately after it is specified. So, the Cisco IOS software cannot detect an IP address change and, therefore, attempts to connect to the IP address that it previously resolved.
The default Keyword
If there are multiple peers and you specify the default keyword, the first peer is designated as the default peer.
If dead peer detection (DPD) detects a failure, the default peer is retried before there is an attempt to connect to the next peer in the peer list.
If the default peer is unresponsive, the next peer in the peer list becomes the new current peer. Future connections through the crypto map will try that peer.
Examples
The following example shows a crypto map configuration when IKE will be used to establish the security associations (SAs). In this example, an SA could be set up to either the IPsec peer at 10.0.0.1 or the peer at 10.0.0.2.
crypto map mymap 10 ipsec-isakmpmatch address 101set transform-set my_t_set1set peer 10.0.0.1set peer 10.0.0.2The following example shows how to configure a router to perform real-time Domain Name System (DNS) resolution with a remote IPsec peer; that is, the hostname of peer is resolved via a DNS lookup right before the router establishes a connection (an IPsec tunnel) with the peer.
crypto map secure_b 10 ipsec-isakmpmatch address 140set peer b.cisco.com dynamicset transform-set xsetinterface serial1ip address 10.30.0.1crypto map secure_baccess-list 140 permit ...The following example shows that the first peer, at IP address 10.1.1.1, is the default peer:
crypto map tohub 1 ipsec-isakmpset peer 10.1.1.1 defaultset peer 10.2.2.2The following example shows that the peer with the hostname user1 is the default peer.
crypto map tohub 2 ipsec-isakmpset peer user1 dynamic defaultset peer user2 dynamicRelated Commands
set security-association idle-time
To specify the maximum amount of time for which the current peer can be idle before the default peer is used, use the set security-association idle-time command in crypto map configuration mode. To disable this feature, use the no form of this command.
set security-association idle-time seconds [default]
no set security-association idle-time seconds [default]
Syntax Description
Command Default
The default peer is not used if the current peer times out.
Command Modes
Crypto map configuration
Command History
Usage Guidelines
This command is optional. Use this command if you want the default peer to be used if the current peer times out. If there is a timeout to the current peer, the connection to that peer is closed. The next time a connection is initiated, it is directed to the default peer specified in the set peer command.
Examples
In the following example, if the current peer is idle for 120 seconds, the default peer 10.1.1.1 (which was specified in the set peer command) is used for the next attempted connection:
crypto map tohub 1 ipsec-isakmpset peer 10.1.1.1 defaultset peer 10.2.2.2set security-association idle-time 120 defaultRelated Commands
Feature Information for IPsec Preferred Peer
Table 1 lists the release history for this feature.
Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS and Catalyst OS software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note
Glossary
crypto access list—A list that defines which IP traffic will be protected by crypto and which traffic will not be protected by crypto.
crypto map—A map that specifies which traffic should be protected by IPsec, where IPsec-protected traffic should be sent, and what IPsec transform sets should be applied to this traffic.
dead peer detection—A feature that allows the router to detect an unresponsive peer.
keepalive message—A message sent by one network device to inform another network device that the virtual circuit between the two is still active.
peer—Router or other device that participates in IPsec and IKE. In IPsec, peers are devices or entities that communicate securely either through the exchange of keys or the exchange of digital certificates.
SA—security association. An instance of security policy and keying material applied to a data flow. Both IKE and IPsec use SAs, although SAs are independent of one another. IPsec SAs are unidirectional and are unique in each security protocol. An IKE SA is used by IKE only, and unlike the IPsec SA, it is bidirectional. IKE negotiates and establishes SAs on behalf of IPsec. A user also can establish IPsec SAs manually. A set of SAs are needed for a protected data pipe, one per direction per protocol. For example, if you have a pipe that supports Encapsulating Security Payload (ESP) between peers, one ESP SA is required for each direction. SAs are identified uniquely by destination (IPsec endpoint) address, security protocol (AH or ESP), and security parameter index (SPI).
transform set—An acceptable combination of security protocols, algorithms, and other settings to apply to IPsec-protected traffic. During the IPsec security association negotiation, the peers agree to use a particular transform set when protecting a particular data flow.
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2005-2007 Cisco Systems, Inc. All rights reserved.
