Downloads |
 Feedback
|
Table Of Contents
Prerequisites for Stateful Failover for IPsec
Restrictions for Stateful Failover for IPsec
Information About Stateful Failover for IPsec
Supported Deployment Scenarios: Stateful Failover for IPsec
IPsec Stateful Failover for Remote Access Connections
Dead Peer Detection with IPsec High Availability
How to Use Stateful Failover for IPsec
Enabling HSRP: IP Redundancy and a Virtual IP Address
Prerequisites for Spanning Tree Protocol and HSRP Stability
SSO: Interacting with IPsec and IKE
Configuring Reverse Route Injection on a Crypto Map
Configuring RRI on Dynamic Crypto Map
Configuring RRI on a Static Crypto Map
Enabling Stateful Failover for IKE and IPsec
Enabling Stateful Failover for IKE
Enabling Stateful Failover for IPsec
Enabling Stateful Failover for Tunnel Protection
Managing and Verifying High Availability Information
Managing Anti-Replay Intervals
Managing and Verifying HA Configurations
Configuration Examples for Stateful Failover
Configuring IPsec Stateful Failover: Example
Configuring IPsec Stateful Failover for an Easy VPN Server: Example
Feature Information for Stateful Failover for IPsec
Stateful Failover for IPsec
First Published: September 20, 2004Last Updated: March 28, 2011Stateful failover for IP Security (IPsec) enables a router to continue processing and forwarding IPsec packets after a planned or unplanned outage occurs. Customers employ a backup (secondary) router that automatically takes over the tasks of the active (primary) router if the active router loses connectivity for any reason. This process is transparent to the user and does not require adjustment or reconfiguration of any remote peer.
Stateful failover for IPsec is designed to work in conjunction with stateful switchover (SSO) and Hot Standby Routing Protocol (HSRP). HSRP provides network redundancy for IP networks, ensuring that user traffic immediately and transparently recovers from failures in network edge devices or access circuits. That is, HSRP monitors both the inside and outside interfaces so that if either interface goes down, the whole router is deemed to be down and ownership of Internet Key Exchange (IKE) and IPsec security associations (SAs) is passed to the standby router (which transitions to the HSRP active state). SSO allows the active and standby routers to share IKE and IPsec state information so that each router has enough information to become the active router at any time. To configure stateful failover for IPsec, a network administrator should enable HSRP, assign a virtual IP address, and enable the SSO protocol.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for Stateful Failover for IPsec" section.
Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Contents
•
Prerequisites for Stateful Failover for IPSec, page 2
•
•
•
•
•
•
Prerequisites for Stateful Failover for IPsec
Complete, Duplicate IPsec and IKE Configuration on the Active and Standby Devices
This document assumes that you have a complete IKE and IPsec configuration. (This document describes only how to add stateful failover to a working IPsec configuration.)
The IKE and IPsec configuration that is set up on the active device must be duplicated on the standby device. That is, the crypto configuration must be identical with respect to Internet Security Association and Key Management Protocol (ISAKMP) policy, ISAKMP keys (preshared), IPsec profiles, IPsec transform sets, all crypto map sets that are used for stateful failover, all access control lists (ACLs) that are used in match address statements on the crypto map sets, all AAA configurations used for crypto, client configuration groups, ip local pools used for crypto, and ISAKMP profiles.
Note
Device Requirements
•
•
Restrictions for Stateful Failover for IPsec
When configuring redundancy for a virtual private network (VPN), the following restrictions exist:
•
•
–
–
–
–
–
•
•
•
•
•
•
•
•
•
Information About Stateful Failover for IPsec
To configure stateful failover for VPNs, you should understand the following concepts:
•
•
•
Supported Deployment Scenarios: Stateful Failover for IPsec
It is recommended that you implement IPsec stateful failover in one of the following recommended deployment scenarios—a single interface scenario or a dual interface scenario.
In a single interface scenario, the VPN gateways use one LAN connection for both encrypted traffic arriving from remote peers and decrypted traffic flowing to inside hosts (see Figure 1). The single interface design allows customers to save money on router ports and subnets. This design is typically used if all traffic flowing in and out of the organization does not traverse the VPN routers.
Figure 1 Single Interface Network Topology
In a dual interface scenario, a VPN gateway has more than one interface, enabling traffic to flow in and out of the router via separate interfaces (see Figure 2). This scenario is typically used if traffic flowing in and out of a site must traverse the routers, so the VPN routers will provide the default route out of the network.Figure 2 Dual Interface Network Topology
Table 1 lists the functionality available in both a single interface scenario and a dual interfaces scenario.
IPsec Stateful Failover for Remote Access Connections
The main difference between a remote access and a LAN-to-LAN connection is the use of Xauth and mode-config. IKE Xauth is often used to authenticate the user. IKE mode-config is often used to push security policy from the hub (concentrator) router to the user's IPsec implementation. Mode-config is also typically used to assign an internal company network IP address to a user.
In addition to the differences between a remote access configuration and a LAN-to-LAN configuration, you should note the following remote-access-server-specific functions:
•
–
–
To enable accounting on the HA pair, you should issue the following commands on both Active and Standby devices: aaa accounting network radius-accounting start-stop group radius then apply radius-accounting either to the crypto isakmp profile or the crypto map set.
•
For additional information on how to configure IPsec stateful failover for a remote access connection, see the section "Configuring IPSec Stateful Failover for an Easy VPN Server: Example" in this document.
Dead Peer Detection with IPsec High Availability
To configure Dead Peer Detection (DPD) with IPsec High Availability (HA), it is recommended that you use a value other than the default (2 seconds). A keepalive time of 10 seconds with 5 retries seems to work well with HA because of the time it takes for the router to get into active mode.
To configure DPD with IPsec HA, use the crypto isakmp keepalive command.
How to Use Stateful Failover for IPsec
This section contains the following procedures:
•
•
•
•
•
•
Enabling HSRP: IP Redundancy and a Virtual IP Address
HSRP provides two services—IP redundancy and a VIP address. Each HSRP group may provide either or both of these services. IPsec stateful failover uses the IP redundancy services from only one HSRP standby group. It can use the VIP address from one or more HSRP groups. Use the following task to configure HSRP on the outside and inside interfaces of the router.
Note
Note
Note
Prerequisites for Spanning Tree Protocol and HSRP Stability
If a switch connects the active and standby routers, you must perform one of the following steps to ensure that the correct settings are configured on that switch:
•
•
•
For more information on HSRP instability, see the Avoiding HSRP Instability in a Switching Environment with Various Router Platforms technical note.
Restrictions
•
•
•
•
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
DETAILED STEPS
Troubleshooting Tips
To help troubleshoot possible HSRP-related configuration problems, issue any of the following HSRP-related debug commands—debug standby errors, debug standby events, and debug standby packets [terse].
Examples
The following example shows how to configure HSRP on a router:
interface Ethernet0/0ip address 209.165.201.1 255.255.255.224standby 1 ip 209.165.201.3standby 1 preemptstandby 1 name HA-outstandby 1 track Ethernet1/0standby delay reload 120What to Do Next
After you have successfully configured HSRP on both the inside and outside interfaces, you should enable SSO as described the in the section "Enabling SSO" section."
Enabling SSO
Use this task to enable SSO, which is used to transfer IKE and IPsec state information between two routers.
SSO: Interacting with IPsec and IKE
SSO is a method of providing redundancy and synchronization for many Cisco IOS applications and features. SSO is necessary for IPsec and IKE to learn about the redundancy state of the network and to synchronize their internal application state with their redundant peers.
Prerequisites
•
•
–
–
–
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
DETAILED STEPS
Troubleshooting Tips
To help troubleshoot possible SSO-related configuration problems, issue the debug redundancy command.
Examples
The following example shows how to enable SSO:
!redundancy inter-devicescheme standby HA-out!!ipc zone defaultassociation 1no shutdownprotocol sctplocal-port 5000local-ip 10.0.0.1retransmit-timeout 300 10000path-retransmit 10assoc-retransmit 10remote-port 5000remote-ip 10.0.0.2!What to Do Next
After you have enabled SSO, you should configure reverse route injection (RRI) on a crypto map as shown in the following section.
Configuring Reverse Route Injection on a Crypto Map
You should configure RRI on all existing crypto maps that you want to use with stateful failover. RRI is used with stateful failover so routers on the inside network can learn about the correct path to the current active device. When failover occurs, the new active device injects the RRI routes into its IP routing table and sends out routing updates to its routing peers.
Use one of the following tasks to configure RRI on a dynamic or static crypto map.
•
•
Configuring RRI on Dynamic Crypto Map
Dynamic crypto map entries, like regular static crypto map entries, are grouped into sets. A set is a group of dynamic crypto map entries all with the same dynamic map name but each with a different dynamic sequence number. Each member of the set may be configured for RRI.
SUMMARY STEPS
1.
2.
3.
4.
DETAILED STEPS
Configuring RRI on a Static Crypto Map
Static crypto map entries are grouped into sets. A set is a group of static crypto map entries all with the same static map name but each with a different sequence number. Each static crypto map in the map set can be configured for RRI. Use this task to configure RRI on a static crypto map.
SUMMARY STEPS
1.
2.
3.
4.
DETAILED STEPS
Examples
The following example shows how to configure RRI on the static crypto map "to-peer-outside":
crypto map to-peer-outside redundancy replay-interval inbound 1000 outbound 10000crypto map to-peer-outside 10 ipsec-isakmpset peer 209.165.200.225set transform-set trans1match address peer-outsidereverse-routeWhat to Do Next
After you have configured RRI, you can enable stateful failover for IPsec and IKE.
Enabling Stateful Failover for IKE and IPsec
Use the following tasks to configure stateful failover for IPsec, IKE, and tunnel protection:
•
•
•
Enabling Stateful Failover for IKE
There is no specific command-line interface (CLI) necessary to enable stateful failover for IKE. It is enabled for a particular VIP address when a stateful failover crypto map is applied to an interface.
Enabling Stateful Failover for IPsec
Use this task to enable stateful failover for IPsec. All IPsec state information is transferred from the active router to the standby router via the SSO redundancy channel that was specified in the task "Enabling SSO."
SUMMARY STEPS
1.
2.
3.
4.
DETAILED STEPS
Troubleshooting Tips
To help troubleshoot possible IPsec HA-related problems, issue the debug crypto ipsec ha [detail] [update] command.
Examples
The following example shows how to configure IPsec stateful failover on the crypto map "to-peer-outside":
interface Ethernet0/0ip address 209.165.201.1 255.255.255.224standby 1 ip 209.165.201.3standby 1 preemptstandby 1 name HA-outstandby 1 track Ethernet1/0crypto map to-peer-outside redundancy HA-out statefulEnabling Stateful Failover for Tunnel Protection
Use an existing IPsec profile to configure stateful failover for tunnels using IPsec. (You do not configure the tunnel interface as you would with a crypto map configuration.)
Restrictions
The tunnel source address must be a VIP address, and it must not be an interface name.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
DETAILED STEPS
Examples
The following example shows how to configure stateful failover for tunnel protection:
crypto ipsec profile peer-profileredundancy HA-out statefulinterface Tunnel1ip unnumbered Loopback0tunnel source 209.165.201.3tunnel destination 10.0.0.5tunnel protection ipsec profile peer-profile!interface Ethernet0/0ip address 209.165.201.1 255.255.255.224standby 1 ip 209.165.201.3standby 1 name HA-outWhat to Do Next
After you have configured stateful failover, you can use the CLI to protect, verify, and manage your configurations. For more information on completing these tasks, see the sections "Protecting SSO Traffic" and "Managing and Verifying High Availability Information."
Protecting SSO Traffic
Use this task to secure a redundancy group via an IPsec profile. To configure SSO traffic protection, the active and standby devices must be directly connected to each other via Ethernet networks.
The crypto maps that are automatically generated when protecting SSO traffic are applied to each interface, which corresponds to an IP address that was specified via the local-ip command. Traffic that is destined for an IP address that was specified via the remote-ip command is forced out of the crypto-map-configured interface via an automatically created static host route.
Note
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
DETAILED STEPS
Examples
The following example shows how to configure SSO traffic protection:
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0 no-xauth!crypto ipsec transform-set trans2 ah-md5-hmac esp-aes!crypto ipsec profile sso-secureset transform-set trans2!redundancy inter-devicescheme standby HA-outsecurity ipsec sso-secureManaging and Verifying High Availability Information
Use any of the following optional tasks to secure and manage your high availability configurations:
•
•
Managing Anti-Replay Intervals
Use this optional task to modify the interval in which an IP redundancy-enabled crypto map forwards anti-replay updates from the active router to the standby router.
SUMMARY STEPS
1.
2.
3.
DETAILED STEPS
Examples
The following example shows how to modify replay counter intervals between the active and standby devices on the crypto map "to-peer-outside":
crypto map to-peer-outside redundancy replay-interval inbound 1000 outbound 10000crypto map to-peer-outside 10 ipsec-isakmpset peer 209.165.200.225set transform-set trans1match address peer-outsideManaging and Verifying HA Configurations
Use any of the steps within this optional task to display and verify the high availability configurations.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
DETAILED STEPS
Examples
Verifying the Active Device:Examples
Router# show redundancy statesmy state = 13 -ACTIVEpeer state = 8 -STANDBY HOTMode = DuplexUnit ID = 0Split Mode = DisabledManual Swact = EnabledCommunications = Upclient count = 7client_notification_TMR = 30000 millisecondskeep_alive TMR = 4000 millisecondskeep_alive count = 0keep_alive threshold = 7RF debug mask = 0x0Router# show crypto isakmp sa activedst src state conn-id slot status209.165.201.3 209.165.200.225 QM_IDLE 5 0 ACTIVERouter# show crypto ipsec sa activeinterface:Ethernet0/0Crypto map tag:to-peer-outside, local addr 209.165.201.3protected vrf:(none)local ident (addr/mask/prot/port):(192.168.0.1/255.255.255.255/0/0)remote ident (addr/mask/prot/port):(172.16.0.1/255.255.255.255/0/0)current_peer 209.165.200.225 port 500PERMIT, flags={origin_is_acl,}#pkts encaps:3, #pkts encrypt:3, #pkts digest:3#pkts decaps:4, #pkts decrypt:4, #pkts verify:4#pkts compressed:0, #pkts decompressed:0#pkts not compressed:0, #pkts compr. failed:0#pkts not decompressed:0, #pkts decompress failed:0#send errors 0, #recv errors 0local crypto endpt.:209.165.201.3, remote crypto endpt.:209.165.200.225path mtu 1500, media mtu 1500current outbound spi:0xD42904F0(3559458032)inbound esp sas:spi:0xD3E9ABD0(3555306448)transform:esp-3des ,in use settings ={Tunnel, }conn id:2006, flow_id:6, crypto map:to-peer-outsidesa timing:remaining key lifetime (k/sec):(4586265/3542)HA last key lifetime sent(k):(4586267)ike_cookies:9263635C CA4B4E99 C14E908E 8EE2D79CIV size:8 bytesreplay detection support:YStatus:ACTIVEinbound ah sas:spi: 0xF3EE3620(4092474912)transform: ah-md5-hmac ,in use settings ={Tunnel, }conn id: 2006, flow_id: 6, crypto map: to-peer-outsidesa timing: remaining key lifetime (k/sec): (4586265/3542)HA last key lifetime sent(k): (4586267)ike_cookies: 9263635C CA4B4E99 C14E908E 8EE2D79Creplay detection support: YStatus: ACTIVEinbound pcp sas:outbound esp sas:spi: 0xD42904F0(3559458032)transform: esp-3des ,in use settings ={Tunnel, }conn id: 2009, flow_id: 9, crypto map: to-peer-outsidesa timing: remaining key lifetime (k/sec): (4586266/3542)HA last key lifetime sent(k): (4586267)ike_cookies: 9263635C CA4B4E99 C14E908E 8EE2D79CIV size: 8 bytesreplay detection support: YStatus: ACTIVEoutbound ah sas:spi: 0x75251086(1965363334)transform: ah-md5-hmac ,in use settings ={Tunnel, }conn id: 2009, flow_id: 9, crypto map: to-peer-outsidesa timing: remaining key lifetime (k/sec): (4586266/3542)HA last key lifetime sent(k): (4586267)ike_cookies: 9263635C CA4B4E99 C14E908E 8EE2D79Creplay detection support: YStatus: ACTIVEoutbound pcp sas:
Router# show crypto session activeCrypto session current statusInterface: Ethernet0/0Session status: UP-ACTIVEPeer: 209.165.200.225 port 500IKE SA: local 209.165.201.3/500 remote 209.165.200.225/500 ActiveIKE SA: local 209.165.201.3/500 remote 209.165.200.225/500 ActiveIPSEC FLOW: permit ip host 192.168.0.1 host 172.16.0.1Active SAs: 4, origin: crypto mapRouter# show crypto haIKE VIP: 209.165.201.3stamp: 74 BA 70 27 9C 4F 7F 81 3A 70 13 C9 65 22 E7 76IPSec VIP: 209.165.201.3IPSec VIP: 255.255.255.253IPSec VIP: 255.255.255.254Verifying the Standby Device: Examples
Router# show redundancy statesmy state = 8 -STANDBY HOTpeer state = 13 -ACTIVEMode = DuplexUnit ID = 0Split Mode = DisabledManual Swact = EnabledCommunications = Upclient count = 7client_notification_TMR = 30000 millisecondskeep_alive TMR = 4000 millisecondskeep_alive count = 1keep_alive threshold = 7RF debug mask = 0x0Router# show crypto isakmp sa standbydst src state conn-id slot status209.165.201.3 209.165.200.225 QM_IDLE 5 0 STDBYRouter# show crypto ipsec sa standbyinterface:Ethernet0/0Crypto map tag:to-peer-outside, local addr 209.165.201.3protected vrf:(none)local ident (addr/mask/prot/port):(192.168.0.1/255.255.255.255/0/0)remote ident (addr/mask/prot/port):(172.16.0.1/255.255.255.255/0/0)current_peer 209.165.200.225 port 500PERMIT, flags={origin_is_acl,}#pkts encaps:0, #pkts encrypt:0, #pkts digest:0#pkts decaps:0, #pkts decrypt:0, #pkts verify:0#pkts compressed:0, #pkts decompressed:0#pkts not compressed:0, #pkts compr. failed:0#pkts not decompressed:0, #pkts decompress failed:0#send errors 0, #recv errors 0local crypto endpt.:209.165.201.3, remote crypto endpt.:209.165.200.225path mtu 1500, media mtu 1500current outbound spi:0xD42904F0(3559458032)inbound esp sas:spi:0xD3E9ABD0(3555306448)transform:esp-3des ,in use settings ={Tunnel, }conn id:2012, flow_id:12, crypto map:to-peer-outsidesa timing:remaining key lifetime (k/sec):(4441561/3486)HA last key lifetime sent(k):(4441561)ike_cookies:00000000 00000000 00000000 00000000IV size:8 bytesreplay detection support:YStatus:STANDBYinbound ah sas:spi:0xF3EE3620(4092474912)transform:ah-md5-hmac ,in use settings ={Tunnel, }conn id:2012, flow_id:12, crypto map:to-peer-outsidesa timing:remaining key lifetime (k/sec):(4441561/3486)HA last key lifetime sent(k):(4441561)ike_cookies:00000000 00000000 00000000 00000000replay detection support:YStatus:STANDBYinbound pcp sas:outbound esp sas:spi:0xD42904F0(3559458032)transform:esp-3des ,in use settings ={Tunnel, }conn id:2011, flow_id:11, crypto map:to-peer-outsidesa timing:remaining key lifetime (k/sec):(4441561/3485)HA last key lifetime sent(k):(4441561)ike_cookies:00000000 00000000 00000000 00000000IV size:8 bytesreplay detection support:YStatus:STANDBYoutbound ah sas:spi:0x75251086(1965363334)transform:ah-md5-hmac ,in use settings ={Tunnel, }conn id:2011, flow_id:11, crypto map:to-peer-outsidesa timing:remaining key lifetime (k/sec):(4441561/3485)HA last key lifetime sent(k):(4441561)ike_cookies:00000000 00000000 00000000 00000000replay detection support:YStatus:STANDBYoutbound pcp sas:Router# show crypto session standbyCrypto session current statusInterface:Ethernet0/0Session status:UP-STANDBYPeer:209.165.200.225 port 500IKE SA:local 209.165.201.3/500 remote 209.165.200.225/500 ActiveIPSEC FLOW:permit ip host 192.168.0.1 host 172.16.0.1Active SAs:4, origin:crypto mapRouter# show crypto haIKE VIP:209.165.201.3stamp:74 BA 70 27 9C 4F 7F 81 3A 70 13 C9 65 22 E7 76IPSec VIP:209.165.201.3IPSec VIP:255.255.255.253IPSec VIP:255.255.255.254ha-R2#Verifying the Active and Standby SAs: Example
The following sample output shows SAs of both the active and standby devices:
Router# show crypto isakmp sadst src state conn-id slot status209.165.201.3 209.165.200.225 QM_IDLE 2 0 STDBY10.0.0.1 10.0.0.2 QM_IDLE 1 0 ACTIVEConfiguration Examples for Stateful Failover
This section contains the following comprehensive IPsec stateful failover configuration examples:
•
•
Configuring IPsec Stateful Failover: Example
Figure 3 and the following sample outputs from the show running-config command illustrate how to configure stateful failover on two devices—Ha-R1 and Ha-R2.
Figure 3 IPsec Stateful Failover Sample Topology
Stateful Failover Configuration on Ha-R1
Ha-R1# show running-configBuilding configuration...Current configuration :2086 bytes!version 12.3service timestamps debug datetime msecservice timestamps log datetime msecno service password-encryption!hostname ha-R1!boot-start-markerboot-end-marker!!redundancy inter-devicescheme standby HA-outsecurity ipsec sso-secure!logging buffered 10000000 debugginglogging rate-limit console 10000!!ipc zone defaultassociation 1no shutdownprotocol sctplocal-port 5000local-ip 10.0.0.1remote-port 5000remote-ip 10.0.0.2!clock timezone PST 0no aaa new-modelip subnet-zero!crypto isakmp policy 1authentication pre-sharecrypto isakmp key cisco123 address 0.0.0.0 0.0.0.0 no-xauth!!crypto ipsec transform-set trans1 ah-md5-hmac esp-3descrypto ipsec transform-set trans2 ah-md5-hmac esp-aes!crypto ipsec profile sso-secureset transform-set trans2!!crypto map to-peer-outside redundancy replay-interval inbound 1000 outbound 10000crypto map to-peer-outside 10 ipsec-isakmpset peer 209.165.200.225set transform-set trans1match address peer-outside!!!interface Ethernet0/0ip address 209.165.201.1 255.255.255.224standby 1 ip 209.165.201.3standby 1 preemptstandby 1 name HA-outstandby 1 track Ethernet1/0standby delay reload 120crypto map to-peer-outside redundancy HA-out stateful!interface Ethernet1/0ip address 10.0.0.1 255.255.255.0standby 2 ip 10.0.0.3standby 2 preemptstandby 2 name HA-instandby delay reload 120standby 2 track Ethernet0/0!interface Serial2/0no ip addressshutdownserial restart-delay 0!interface Serial3/0no ip addressshutdownserial restart-delay 0!ip classlessip route 0.0.0.0 0.0.0.0 209.165.201.5ip route 192.168.0.0 255.255.0.0no ip http serverno ip http secure-server!!!ip access-list extended peer-outsidepermit ip host 192.168.0.1 host 172.16.0.1!!control-plane!!line con 0exec-timeout 0 0transport preferred alltransport output allline aux 0transport preferred alltransport output allline vty 0 4logintransport preferred alltransport input alltransport output all!endStateful Failover Configuration on Ha-R2
Ha-R2# show running-configBuilding configuration...Current configuration :2100 bytes!version 12.3service timestamps debug datetime msecservice timestamps log datetime msecno service password-encryption!hostname ha-R2!boot-start-markerboot-end-marker!!redundancy inter-devicescheme standby HA-outsecurity ipsec sso-secure!logging buffered 10000000 debugginglogging rate-limit console 10000!!ipc zone defaultassociation 1no shutdownprotocol sctplocal-port 5000local-ip 10.0.0.2remote-port 5000remote-ip 10.0.0.1!clock timezone PST 0no aaa new-modelip subnet-zero!!crypto isakmp policy 1authentication pre-sharelifetime 120crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0 no-xauth!!crypto ipsec transform-set trans1 ah-md5-hmac esp-3descrypto ipsec transform-set trans2 ah-md5-hmac esp-aes!crypto ipsec profile sso-secureset transform-set trans2!!crypto map to-peer-outside redundancy replay-interval inbound 1000 outbound 10000crypto map to-peer-outside 10 ipsec-isakmpset peer 209.165.200.225set transform-set trans1match address peer-outside!!!interface Ethernet0/0ip address 209.165.201.2 255.255.255.224standby 1 ip 209.165.201.3standby 1 preemptstandby 1 name HA-outstandby 1 track Ethernet1/0standby delay reload 120crypto map to-peer-outside redundancy HA-out stateful!interface Ethernet1/0ip address 10.0.0.2 255.255.255.0standby 2 ip 10.0.0.3standby 2 preemptstandby 2 name HA-instandby delay reload 120standby 2 track Ethernet0/0!interface Serial2/0no ip addressshutdownserial restart-delay 0!interface Serial3/0no ip addressshutdownserial restart-delay 0!ip classlessip route 0.0.0.0 0.0.0.0 209.165.201.5ip route 192.168.0.0 255.255.0.0no ip http serverno ip http secure-server!!!ip access-list extended peer-outsidepermit ip host 192.168.0.1 host 172.16.0.1!!control-plane!!line con 0exec-timeout 0 0transport preferred alltransport output allline aux 0transport preferred alltransport output allline vty 0 4logintransport preferred alltransport input alltransport output all!endHa-R2#Configuring IPsec Stateful Failover for an Easy VPN Server: Example
The following sample outputs from the show running-config command show how to configure stateful failover for a remote access connection via an Easy VPN server:
Stateful Failover for an Easy VPN Server Configuration on RAHA-R1
RAHA-R1# show running-configBuilding configuration...Current configuration :3829 bytes!version 12.3service timestamps debug datetime msecservice timestamps log datetime msecno service password-encryption!hostname RAHA-R1!boot-start-markerboot-end-marker!redundancy inter-devicescheme standby HA-out!username remote_user password 0 letmein!ipc zone defaultassociation 1no shutdownprotocol sctplocal-port 5000local-ip 10.0.0.1remote-port 5000remote-ip 10.0.0.2!aaa new-model!!! Enter the following command if you are doing Xauth locally.aaa authentication login local_xauth local!! Enter the following command if you are doing Xauth remotely via RADIUS.!aaa authentication login radius_xauth group radius!! Enter the following command if you are not doing Xauth!aaa authentication login no_xauth none!! Enter the following command if you are doing local group authentication.aaa authorization network local_auth local!! Enter the following command if you are doing group authentication remotely via RADIUS.!aaa authorization network radius_auth group radius!!! Enter the following command if you are doing Xauth remotely via RADIUS.!aaa accounting network radius_accounting start-stop group radiusaaa session-id commonip subnet-zero!crypto isakmp policy 1encr 3deshash md5authentication pre-sharegroup 2!!! Enter the following command if you are doing group authentication locally.crypto isakmp client configuration group unitykey cisco123domain cisco.compool client-address-pool!!crypto ipsec transform-set trans1 esp-3des esp-sha-hmac!crypto dynamic-map to-remote-client 10set transform-set trans1reverse-route remote-peer!! Use this map if you want to do local group authentication and Xauth.crypto map to_peer_outside_local_xauth client authentication list local_xauthcrypto map to_peer_outside_local_xauth isakmp authorization list local_authcrypto map to_peer_outside_local_xauth client configuration address respondcrypto map to_peer_outside_local_xauth 10 ipsec-isakmp dynamic to-remote-client!! Use this map if you want to use Radius for group authentication and Xauth.!crypto map to_peer_outside_radius_xauth isakmp client authentication list radius_xauth!crypto map to_peer_outside_radius_xauth client accounting list radius_accounting!crypto map to_peer_outside_radius_xauth isakmp authorization list radius_auth!crypto map to_peer_outside_radius_xauth isakmp client configuration address respond!crypto map to_peer_outside_radius_xauth isakmp 10 ipsec-isakmp dynamic to-remote-client!! Use this map if you want to do local group authentication and no Xauth!crypto map to_peer_outside_no_xauth isakmp authorization list local_auth!crypto map to_peer_outside_no_xauth configuration address respond!crypto map to_peer_outside_no_xauth 10 ipsec-isakmp dynamic to-remote-client!interface Ethernet0/0ip address 209.165.201.1 255.255.255.224standby 1 ip 209.165.201.3standby 1 preemptstandby 1 name HA-outstandby 1 track Ethernet1/0standby delay reload 120crypto map to_peer_outside_local_xauth redundancy HA-out stateful!interface Ethernet1/0ip address 10.0.0.1 255.255.255.0standby 2 ip 10.0.0.3standby 2 preemptstandby 2 name HA-instandby 2 track Ethernet0/0standby delay reload 120!! Enable loopback0 if you are using radius for Xauth, group auth, or accounting with ! crypto HA!interface loopback0! ip address 192.168.100.1 255.255.255.255!! Enable this command if you are using radius for Xauth, group auth, or accounting with ! crypto HA!ip radius source-interface loopback0!ip local pool client-address-pool 50.0.0.1 50.0.0.254ip classlessip route 0.0.0.0 0.0.0.0 209.165.201.5ip route 192.168.0.0 255.255.255.0 10.0.0.5!radius-server host 192.168.0.0 255.255.0.0 auth-port 1845 acct-port 1846radius-server key radius123!control-plane!!line con 0exec-timeout 0 0line aux 0line vty 0 4!endStateful Failover for an Easy VPN Server Configuration on RAHA-R2
RAHA-R2# show running-configBuilding configuration...Current configuration :3829 bytes!version 12.3service timestamps debug datetime msecservice timestamps log datetime msecno service password-encryption!hostname RAHA-R2!boot-start-markerboot-end-marker!redundancy inter-devicescheme standby HA-out!username remote_user password 0 letmein!ipc zone defaultassociation 1no shutdownprotocol sctplocal-port 5000local-ip 10.0.0.2remote-port 5000remote-ip 10.0.0.1!aaa new-model!!! Enter the following command if you are doing Xauth locally.aaa authentication login local_xauth local!! Enter the following command if you are doing Xauth remotely via RADIUS.!aaa authentication login radius_xauth group radius!! Enter the following command if you are not doing Xauth.!aaa authentication login no_xauth none!! Enter the following command if you are doing local group authentication.aaa authorization network local_auth local!! Enter the following command if you are doing group authentication remotely via RADIUS.!aaa authorization network radius_auth group radius!!! Enter the following command if you are doing Xauth remotely via RADIUS.!aaa accounting network radius_accounting start-stop group radiusaaa session-id commonip subnet-zero!crypto isakmp policy 1encr 3deshash md5authentication pre-sharegroup 2!!! Enter the following commands if you are doing group authentication locally.crypto isakmp client configuration group unitykey cisco123domain cisco.compool client-address-pool!!crypto ipsec transform-set trans1 esp-3des esp-sha-hmac!crypto dynamic-map to-remote-client 10set transform-set trans1reverse-route remote-peer!!! Use this map if you want to dolocal group authentication and Xauth.crypto map to_peer_outside_local_xauth client authentication list local_xauthcrypto map to_peer_outside_local_xauth isakmp authorization list local_authcrypto map to_peer_outside_local_xauth client configuration address respondcrypto map to_peer_outside_local_xauth 10 ipsec-isakmp dynamic to-remote-client!! Use this map if you want to use Radius for group authentication and Xauth.!crypto map to_peer_outside_radius_xauth isakmp client authentication list radius_xauth!crypto map to_peer_outside_radius_xauth client accounting list radius_accounting!crypto map to_peer_outside_radius_xauth isakmp authorization list radius_auth!crypto map to_peer_outside_radius_xauth isakmp client configuration address respond!crypto map to_peer_outside_radius_xauth isakmp 10 ipsec-isakmp dynamic to-remote-client!!! Use this map if you want to do local authentication and no Xauth.!crypto map to_peer_outside_no_xauth isakmp authorization list local_auth!crypto map to_peer_outside_no_xauth configuration address respond!crypto map to_peer_outside_no_xauth 10 ipsec-isakmp dynamic to-remote-client!interface Ethernet0/0ip address 209.165.201.2 255.255.255.224standby 1 ip 209.165.201.3standby 1 preemptstandby 1 name HA-outstandby 1 track Ethernet1/0standby delay reloadcrypto map to_peer_outside_local_xauth redundancy HA-out stateful!interface Ethernet1/0ip address 10.0.0.2 255.255.255.0standby 2 ip 10.0.0.3standby 2 preemptstandby 2 name HA-instandby 2 track Ethernet0/0standby delay reload!! Enable loopback0 if you are using radius for Xauth, group auth, or accounting with ! crypto HA!interface loopback0! ip address 192.168.100.1 255.255.255.255!! Enable this command if you are using radius for Xauth, group auth, or accounting with ! crypto HA!ip radius source-interface loopback0!ip local pool client-address-pool 50.0.0.1 50.0.0.254ip classlessip route 0.0.0.0 0.0.0.0 209.165.201.5ip route 192.168.0.0 255.255.0.0!radius-server host 192.168.0.200 auth-port 1845 acct-port 1846radius-server key radius123!control-plane!!!line con 0exec-timeout 0 0line aux 0line vty 0 4!endAdditional References
Related Documents
Cisco IOS commands
Security commands
RRI
The section "IPSec VPN High Availability Enhancements" in the Cisco IOS Security Configuration Guide: Secure Connectivity.
HSRP
The section "Configuring the Hot Standby Router Protocol" in the Cisco IOS IP Configuration Guide: Secure Connectivity.
Easy VPN Server
The section"Cisco Easy VPN Remote" in the Cisco IOS Security Configuration Guide: Secure Connectivity.
IKE configuration
The section "Configuring Internet Key Exchange for IPsec VPNs" in the Cisco IOS Security Configuration Guide: Secure Connectivity.
IPsec configuration
The section "Configuring Security for VPNs with IPsec" in the Cisco IOS Security Configuration Guide.
IPsec and IKE commands
Standards
MIBs
None
To locate and download MIBs for selected platforms, Cisco IOS software releases, and feature sets, use Cisco MIB Locator found at the following URL:
RFCs
Technical Assistance
Feature Information for Stateful Failover for IPsec
Table 2 lists the release history for this feature.
Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS and Catalyst OS software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note
Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
© 2004-2011 Cisco Systems, Inc. All rights reserved.
