-
Cisco IOS Security Configuration Guide: Secure Connectivity, Release 12.4T
-
Overview: Secure Connectivity
-
Internet Key Exchange for IPsec VPNs
-
Configuring Internet Key Exchange for IPsec VPNs
-
Call Admission Control for IKE
-
Certificate to ISAKMP Profile Mapping
-
Encrypted Preshared Key
-
Fragmentation of IKE Packets
-
IKE Responder-Only Mode
-
Distinguished Name Based Crypto Maps
-
IPsec and Quality of Service
-
VRF-Aware IPsec
-
IKE: Initiate Aggressive Mode (12.2(8)T FM)
-
-
Security for VPNs with IPsec
-
Configuring Security for VPNs with IPsec
-
IPsec Virtual Tunnel Interface
-
L2TP—IPsec Support for NAT and PAT Windows Clients
-
SafeNet IPsec VPN Client Support
-
Ability to Disable Extended Authentication for Static IPsec Peers
-
Sharing IPsec with Tunnel Protection
-
Crypto Conditional Debug Support
-
VPN Acceleration Module (VAM)
-
Option to Disable Hardware Crypto Engine Failover to Software Crypto Engine
-
- VPN Availability
-
IPsec Data Plane
-
IPsec Anti-Replay Window: Expanding and Disabling
-
Pre-Fragmentation for IPsec VPNs
-
Invalid Security Parameter Index Recovery
-
IPsec Dead Peer Detection Periodic Message Option
-
IPsec NAT Transparency
-
DF Bit Override Functionality with IPsec Tunnels
-
Crypto Access Check on Clear-Text Packets
-
IPsec Security Association Idle Timers
-
Low Latency Queueing (LLQ) for IPsec Encryption Engines
-
- IPsec Management Plane
-
Public Key Infrastructure (PKI)
-
Implementing and Managing PKI Features Roadmap
-
Cisco IOS PKI Overview: Understanding and Planning a PKI
-
Deploying RSA Keys Within a PKI
-
Configuring Authorization and Revocation of Certificates in a PKI
-
Configuring Certificate Enrollment for a PKI
-
Setting Up Secure Device Provisioning (SDP) for Enrollment in a PKI
-
Configuring and Managing a Cisco IOS Certificate Server for PKI Deployment
-
Storing PKI Credentials
-
Source Interface Selection for Outgoing Traffic with Certificate Authority (CA)
-
- Dynamic Multipoint VPN (DMVPN)
- Easy VPN
-
Cisco Group Encrypted Transport VPN
- SSL VPN
-
Table Of Contents
IPsec VPN High Availability Enhancements
Hot Standby Router Protocol and IPsec
Supported Standards, MIBs, and RFCs
Configuring Reverse Route Injection on a Dynamic Crypto Map
Configuring Reverse Route Injection on a Static Crypto Map
Verifying VPN IPsec Crypto Configuration
Reverse Route Injection on a Dynamic Crypto Map Example
Reverse Route Injection on a Static Crypto Map Example
IPsec VPN High Availability Enhancements
Feature History
This feature module describes the IPsec VPN High Availability Enhancements. It includes the following sections:
•
Supported Standards, MIBs, and RFCs
Feature Overview
The IPsec VPN High Availability Enhancements feature consists of two new features—Reverse Route Injection (RRI) and Hot Standby Router Protocol and IPsec (HSRP)—that work together to provide users with a simplified network design for VPNs, and reduced configuration complexity on remote peers with respect to defining gateway lists. When used together, RRI and HSRP provide a more reliable network design for VPNs and reduce configuration complexity on remote peers.
Reverse Route Injection
Reverse Route Injection (RRI) is a feature designed to simplify network design for Virtual Private Networks (VPNs) in which there is a requirement for redundancy or load balancing. RRI works with both dynamic and static crypto maps.
In the dynamic case, as remote peers establish IPsec security associations (SAs) with an RRI-enabled router, a static route is created for each subnet or host protected by that remote peer. For static crypto maps, a static route is created for each destination of an extended access list rule. When RRI is used on a static crypto map with an access control list (ACL), routes will always exist, even without the negotiation of IPsec SAs.
Note
When routes are created, they are injected into any dynamic routing protocol and distributed to surrounding devices. This traffic flows, requiring IPsec to be directed to the appropriate RRI router for transport across the correct SAs to avoid IPsec policy mismatches and possible packet loss.
Figure 87 shows a RRI configuration functionality topology. Remote A is being serviced by Router A and Remote B connected to Router B, providing load balancing across VPN gateways at the central site. RRI on the central site devices will ensure that the other router on the inside of the network can automatically make the correct forwarding decision. RRI also eliminates the need to administer static routes on the inside router.
Figure 87 Topology Showing Reverse Route Injection Configuration Functionality
Hot Standby Router Protocol and IPsec
Hot Standby Router Protocol (HSRP) is designed to provide high network availability by routing IP traffic from hosts on Ethernet networks without relying on the availability of any single router. HSRP is particularly useful for hosts that do not support a router discovery protocol, such as ICMP Router Discovery Protocol (IRDP), and do not have the functionality to switch to a new router when their selected router reloads or loses power. Without this functionality, a router that loses its default gateway because of a router failure is unable to communicate with the network.
HSRP is configurable on LAN interfaces using standby command-line interface (CLI) commands. It is now possible to use the standby IP address from an interface as the local IPsec identity, or local tunnel endpoint.
By using the standby IP address as the tunnel endpoint, failover can be applied to VPN routers by using HSRP. Remote VPN gateways connect to the local VPN router via the standby address that belongs to the active device in the HSRP group. In the event of failover, the standby device takes over ownership of the standby IP address and begins to service remote VPN gateways.
Figure 88 shows the enhanced HSRP functionality topology. Traffic is serviced by the active Router P, the active device in the standby group. In the event of failover, traffic is diverted to Router S, the original standby device. Router S assumes the role of the new active router and takes ownership of the standby IP address.
Figure 88 Topology Showing Hot Standby Router Protocol Functionality
Note
Benefits
Reverse Route Injection
•
•
•
Hot Standby Router Protocol with IPsec
Failover can be applied to VPN routers through the use of HSRP. Remote VPN gateways connect to the local VPN router through the standby address that belongs to the active device in the HSRP group. This functionality reduces configuration complexity on remote peers with respect to defining gateway lists because only the HSRP standby address needs to be defined.
Related Documents
•
•
•
•
•
Supported Platforms
Cisco IOS Release 12.1(9)E and Cisco IOS Release 12.2(8)T
•
•
Cisco IOS Release 12.2(8)T Only
•
•
•
•
•
•
•
•
•
•
•
•
•
Cisco IOS Release 12.2(11)T Only
•
•
Cisco IOS Release 12.2(9)YE
•
Cisco IOS Release 12.2(14)S
•
•
Finding Support Information for Platforms and Cisco IOS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.
Supported Standards, MIBs, and RFCs
Standards
•
MIBs
•
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:
RFCs
•
Configuration Tasks
See the following sections for configuration tasks for the IPsec VPN High Availability Enhancements feature. Each task in the list is identified as either required or optional.
•
•
•
•
Configuring Reverse Route Injection on a Dynamic Crypto Map
Dynamic crypto map entries, like regular static crypto map entries, are grouped into sets. A set is a group of dynamic crypto map entries all with the same dynamic map name but each with a different dynamic sequence number. Each member of the set may be configured for RRI.
To create a dynamic crypto map entry and enable RRI, use the following commands beginning in global configuration mode:
Configuring Reverse Route Injection on a Static Crypto Map
Before configuring RRI on a static crypto map, please note the following items:
•
•
•
In cases where there are many RRI injected routes, adjacency tables may become quite large as an entry is created for each device from each of the subnets represented by the RRI route.
This issue is to be resolved in a future release.To add RRI to a static crypto map set, use the following commands beginning in global configuration mode:
Configuring HSRP with IPsec
When configuring HSRP with IPsec, the following conditions may apply:
•
•
•
•
•
Note
To apply a crypto map set to an interface, use the following commands beginning in global configuration mode:
Verifying VPN IPsec Crypto Configuration
To verify your VPN IPsec crypto configuration, use the following EXEC commands:
Configuration Examples
This section provides the following configuration examples:
•
•
Reverse Route Injection on a Dynamic Crypto Map Example
In the following example, using the reverse route crypto map subcommand in the definition of the dynamic crypto map template ensures that routes are created for any remote proxies (subnets or hosts), protected by the connecting remote IPsec peers.
crypto dynamic mydynmap 1set transform-set esp-3des-shareverse-routeThis template is then associated with a "parent" crypto map statement and then applied to an interface.
crypto map mymap 3 ipsec-isakmp dynamic mydynmapinterface FastEthernet 0/0crypto map mymapReverse Route Injection on a Static Crypto Map Example
RRI is a good solution for topologies that require encrypted traffic to be diverted to a VPN router and all other traffic to a different router.
In these scenarios, RRI eliminates the need to manually define static routes on devices.
RRI is not required if a single VPN router is used and all traffic passes through the VPN router during its path in and out of the network.
If the user chooses to manually define static routes on the VPN router for remote proxies, and have these routes permanently installed in the routing table, RRI should not be enabled on the crypto map instance that covers the same remote proxies. In this case, there is no possibility of user defined static routes being removed by RRI.
Routing convergence can affect the success of a failover based on the routing protocol used to advertise routes (link state versus periodic update). It is recommended that a link state routing protocol such as OSPF be used to help speed convergence time by ensuring that routing updates are sent as soon as a change in routing state is detected.
In the following example, RRI is enabled for mymap 1, but not for mymap 2. Upon the application of the crypto map to the interface, a route is created based on access-list 101 analogous to the following:
IP route 172.17.11.0 255.255.255.0 FastEthernet 0/0crypto map mymap 1 ipsec-isakmpset peer 172.17.11.1reverse-routeset transform-set esp-3des-shamatch address 101crypto map mymap 2 ipsec-isakmpset peer 10.1.1.1set transform-set esp-3des-shamatch address 102access-list 101 permit ip 192.168.1.0 0.0.0.255 172.17.11.0 0.0.0.255access-list 102 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.255.255interface FastEthernet 0/0crypto map mymapHSRP and IPsec Example
The following example shows how all remote VPN gateways connect to the router via 192.168.0.3. The crypto map on the interface binds this standby address as the local tunnel endpoint for all instances of mymap and at the same time ensures that HSRP failover is facilitated between an active and standby device belonging to the same standby group, group1.
Note that RRI is also enabled to provide the ability for only the active device in the HSRP group to be advertising itself to inside devices as the next hop VPN gateway to the remote proxies. If there is a failover, routes are deleted on the formerly active device and created on the newly active device.
crypto map mymap 1 ipsec-isakmpset peer 10.1.1.1reverse-routeset transform-set esp-3des-shamatch address 102Interface FastEthernet 0/0ip address 192.168.0.2 255.255.255.0standby name group1standby ip 192.168.0.3crypto map mymap redundancy group1access-list 102 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.255.255The standby name needs to be configured on all devices in the standby group and the standby address needs to configured on at least one member of the group. If the standby name is removed from the router, the IPsec SAs will be deleted. If the standby name is added again, regardless of whether the same name or a different name is used, the crypto map (using the redundancy option) will have to be reapplied to the interface.
Command Reference
The following commands are introduced or modified in the feature or features:
documented in this module:
•
•
For information about these commands, see the Cisco IOS Security Command Reference at
http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_book.html.
For information about all Cisco IOS commands, see the Command Lookup Tool at
http://tools.cisco.com/Support/CLILookup or the Master Command List.
CCDE, CCENT, CCSI, Cisco Eos, Cisco HealthPresence, Cisco IronPort, the Cisco logo, Cisco Lumin, Cisco Nexus, Cisco Nurse Connect, Cisco Pulse, Cisco StackPower, Cisco StadiumVision, Cisco TelePresence, Cisco Unified Computing System, Cisco WebEx, DCE, Flip Channels, Flip for Good, Flip Mino, Flipshare (Design), Flip Ultra, Flip Video, Flip Video (Design), Instant Broadband, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn, Cisco Capital, Cisco Capital (Design), Cisco:Financed (Stylized), Cisco Store, and Flip Gift Card are service marks; and Access Registrar, Aironet, AllTouch, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, Continuum, EtherFast, EtherSwitch, Event Center, Explorer, Fast Step, Follow Me Browsing, FormShare, GainMaker, GigaDrive, HomeLink, iLYNX, Internet Quotient, IOS, iPhone, iQuick Study, IronPort, the IronPort logo, Laser Link, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerKEY, PowerPanels, PowerTV, PowerTV (Design), PowerVu, Prisma, ProConnect, ROSA, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0908R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2007-2009 Cisco Systems, Inc. All rights reserved.
