Configuring Duplicate Hardware Configurations and IPSec Failover Using the IPSec VPN SPA

Table Of Contents

Configuring Duplicate Hardware Configurations and IPSec Failover Using the IPSec VPN SPA

Overview of Duplicate Hardware Configurations and IPSec Failover

Duplicate Hardware Configurations

IPSec Failover

Configuring Multiple IPSec VPN SPAs in a Chassis

Multiple IPSec VPN SPAs in a Chassis Configuration Guidelines

Configuring IPSec Stateless Failover Using HSRP

IPSec Stateless Failover Configuration Guidelines and Restrictions

Configuring IPSec Stateless Failover in VRF Mode

Configuring IPSec Stateful Failover Using HSRP and SSP

IPSec Stateful Failover Configuration Guidelines and Restrictions

Verifying HSRP Configurations

Displaying SSP Information

Configuring IPSec Stateful Failover Using a Blade Failure Group

IPSec Stateful Failover Using a BFG Configuration Guidelines

Verifying the IPSec Stateful Failover Using a BFG Configuration

Configuration Examples

Multiple IPSec VPN SPAs in a Chassis Configuration Example

IPSec Stateless Failover Using HSRP Configuration Examples

IPSec Stateless Failover in VRF Mode Configuration Example

IPSec Stateful Failover Using HSRP and SSP Examples

IPSec Stateful Failover Using a Blade Failure Group Configuration Example


Configuring Duplicate Hardware Configurations and IPSec Failover Using the IPSec VPN SPA


This chapter provides information about configuring duplicate hardware configurations and IPSec failover using the IPSec VPN SPA on the Cisco 7600 series router. It includes the following sections:

Overview of Duplicate Hardware Configurations and IPSec Failover

Configuring Multiple IPSec VPN SPAs in a Chassis

Configuring IPSec Stateless Failover Using HSRP

Configuring IPSec Stateless Failover in VRF Mode

Configuring IPSec Stateful Failover Using HSRP and SSP

Configuring IPSec Stateful Failover Using a Blade Failure Group

Configuration Examples

For detailed information on Cisco IOS IPSec cryptographic operations and policies, refer to the Cisco IOS Security Configuration Guide and Cisco IOS Security Command Reference.

For information about managing your system images and configuration files, refer to the Cisco IOS Configuration Fundamentals Configuration Guide and Cisco IOS Configuration Fundamentals Command Reference publications.

For more information about the commands used in this chapter, see first Chapter 40, "SIP, SSC, and SPA Commands," and then the Cisco 7600 Series Cisco IOS Command Reference publication. Also refer to the related Cisco IOS software command reference and master index publications. For more information about accessing these publications, see the "Related Documentation" section on page xlviii.


Tip To ensure a successful configuration of your VPN using the IPSec VPN SPA, read all of the configuration summaries and guidelines before you perform any configuration tasks.


Overview of Duplicate Hardware Configurations and IPSec Failover

This chapter provides information about configuring duplicate hardware configurations and IPSec failover using the IPSec VPN SPA.

Duplicate Hardware Configurations

You can deploy up to ten IPSec VPN SPAs in a single chassis in crypto-connect mode or up to six IPSec VPN SPAs in a chassis in VRF mode, with the restriction that no more than one IPSec VPN SPA can be used to perform IPSec services for any given interface VLAN.

IPSec Failover

IPSec failover is a feature that increases the total uptime (or availability) of a customer's IPSec network. Traditionally, this is accomplished by employing a redundant (standby) router in addition to the original (active) router. If the active router becomes unavailable for any reason, the standby router takes over the processing of IKE and IPSec. IPSec failover falls into two categories: stateless failover and stateful failover.

IPSec stateless failover uses protocols such as the Hot Standby Router Protocol (HSRP) to provide primary to secondary cutover and also allows the active and standby VPN gateways to share a common virtual IP address. The drawback to this solution is that it requires the remote endpoints to detect that the gateway has gone down (using IKE keepalives or dead peer detection) and to completely re-establish IKE and IPSec sessions with the standby gateway. Although stateless failover meets some customers' needs, it does not accomplish transparent cutover to the backup device and typically results in lost application layer sessions due to the amount of time taken to re-establish sessions.

In contrast, IPSec stateful failover allows the active and standby routers to share IKE and IPSec state information so that each router has enough information to become the active router at any time. If the active router becomes unavailable for any reason, the standby router takes over the processing.

For Cisco IOS Release 12.2(33)SRA, the IPSec VPN SPA only supports IPSec stateful failover using a Blade Failure Group. A Blade Failure Group (BFG) allows two IPSec VPN SPAs to be installed in a chassis, with each IPSec VPN SPA serving as a backup for the other IPSec VPN SPA. A BFG is an active/active configuration. Both SPAs replicate data to each other so that either one can take over in the event of a failure.

Previous releases (that is, Cisco IOS Releases 12.2(18)SX) also support IPSec stateful failover using HSRP and State Synchronization Protocol (SSP) (also known as VPN High Availability). This feature enables a router to continue processing and forwarding packets after a planned or unplanned outage by employing a backup (standby) router that automatically takes over the primary (active) router's tasks in the event of an active router failure. The process is transparent to users and to remote IPSec peers. The time that it takes for the standby router to take over depends on HSRP timers.

Configuring Multiple IPSec VPN SPAs in a Chassis

You can deploy up to ten IPSec VPN SPAs in a single chassis in crypto-connect mode or up to six IPSec VPN SPAs in a chassis in VRF mode, with the restriction that no more than one IPSec VPN SPA can be used to perform IPSec services for any given interface VLAN.

Multiple IPSec VPN SPAs in a Chassis Configuration Guidelines

Follow these guidelines when configuring multiple IPSec VPN SPAs in a chassis:

Note that using the no switchport command followed by the switchport command re-adds all VLANs to a trunk port (this situation occurs when you are first switching to a routed port and then back to a switch port). For detailed information on configuring trunk ports, see the "Configuring a Trunk Port" section on page 29-16.

As with single IPSec VPN SPA deployments, you must properly configure each IPSec VPN SPA's inside and outside port. You can add an interface VLAN only to the inside port of one IPSec VPN SPA. Do not add the same interface VLAN to the inside port of more than one IPSec VPN SPA.

Assigning interface VLANs to the inside ports of the IPSec VPN SPAs allows you to decide which IPSec VPN SPA can be used to provide IPSec services for a particular interface VLAN.


Note It is not necessary to explicitly add interface VLANs to the inside trunk ports of the IPSec VPN SPAs. The crypto engine slot command achieves the same results.



Note There is no support for using more than one IPSec VPN SPA to do IPSec processing for a single interface VLAN.


SA-based load balancing is not supported.

The crypto map local address command does not cause SA databases to be shared among multiple IPSec VPN SPAs.

For a multiple IPSec VPN SPAs in a chassis configuration example, see the "Multiple IPSec VPN SPAs in a Chassis Configuration Example" section.

Configuring IPSec Stateless Failover Using HSRP

The Hot Standby Router Protocol (HSRP) is commonly used to provide failover between routers. HSRP tracks the state of router interfaces and provides a failover mechanism between primary and secondary devices. This functionality can be exploited to provide IPSec redundancy. HSRP has been coupled with RRI and IPSec to track state changes and provide a stateless IPSec failover mechanism. The Reverse Route Injection (RRI) feature is used to allow dynamic routing information updates during the HSRP and IPSec failover.

IPSec Stateless Failover Configuration Guidelines and Restrictions

Follow these guidelines and restrictions when configuring IPSec stateless failover:

Do not use IPSec stateless failover with tunnel protection in crypto-connect mode.

To configure IPSec stateless failover using HSRP, perform the following steps beginning in global configuration mode:

 
Command
Purpose

Step 1 

Router(config)# crypto isakmp policy priority

...

Router(config-isakmp)# exit

Defines an ISAKMP policy and enters ISAKMP policy configuration mode.

priority—Identifies the IKE policy and assigns a priority to the policy. Use an integer from 1 to 10000, with 1 being the highest priority and 10000 the lowest.

For details on configuring an ISAKMP policy, see the Cisco IOS Security Configuration Guide.

Step 2 

Router(config)# crypto isakmp key keystring address peer-address

Configures a preshared authentication key.

keystring—Preshared key.

peer-address—IP address of the remote peer.

For details on configuring a preshared key, see the Cisco IOS Security Configuration Guide.

Step 3 

Router(config)# crypto ipsec transform-set transform-set-name transform1[transform2[transform3]]

...

Router(config-crypto-tran)# exit

Defines a transform set (an acceptable combination of security protocols and algorithms) and enters crypto transform configuration mode.

transform-set-name—Name of the transform set.

transform1[transform2[transform3]]—Defines IPSec security protocols and algorithms.

For accepted transformx values, and more details on configuring transform sets, see the Cisco IOS Security Command Reference.

Step 4 

Router(config)# access-list access-list-number {deny | permit} ip source source-wildcard destination destination-wildcard

Defines an extended IP access list.

access-list-number—Number of an access list. This is a decimal number from 100 to 199 or from 2000 to 2699.

{deny | permit}—Denies or permits access if the conditions are met.

source—Address of the host from which the packet is being sent.

source-wildcard—Wildcard bits to be applied to the source address.

destination—Address of the host to which the packet is being sent.

destination-wildcard—Wildcard bits to be applied to the destination address.

For details on configuring an access list, see the Cisco IOS Security Configuration Guide.

Step 5 

Router(config)# crypto map map-name seq-number ipsec-isakmp

...

Router(config-crypto-map)# exit

Creates or modifies a crypto map entry and enters the crypto map configuration mode.

map-name—Name that identifies the crypto map set.

seq-number—Sequence number you assign to the crypto map entry. Lower values have higher priority.

ipsec-isakmp—Indicates that IKE will be used to establish the IPSec security associations.

For details on configuring a crypto map, see the Cisco IOS Security Configuration Guide.

Step 6 

Router(config)# interface gigabitethernet slot/subslot/port

Enters interface configuration mode for the specified Gigabit Ethernet interface.

slot—Specifies the chassis slot number where the SIP is installed.

subslot—Specifies the secondary slot number on a SIP where a SPA is installed.

port—Specifies the number of the interface port on the SPA.

Step 7 

Router(config-if)# ip address ip-address mask

Specifies the IP address and subnet mask for the interface.

ip-address—IP address.

mask—Subnet mask.

Step 8 

Router(config-if)# standby [group-number] ip ip-address

Enables the HSRP.

group-number—(Optional) Group number on the interface for which HSRP is being activated. The default is 0. The group number range is from 0 to 255 for HSRP version 1 and from 0 to 4095 for HSRP version 2.

ip-address—(Optional) IP address of the standby router interface.

Step 9 

Router(config-if)# standby [group-number] timers [msec] hellotime [msec] holdtime

Configures the time between hello packets and the hold time before other routers declare the active router to be down.

group-number—(Optional) Group number to which the timers apply.

msec—(Optional) Interval in milliseconds. Millisecond timers allow for faster failover.

hellotime—Hello interval (in seconds). This is an integer from 1 to 254. The default is 3 seconds. If the msec option is specified, hellotime is in milliseconds. This is an integer from 15 to 999.

holdtime—Time (in seconds) before the active or standby router is declared to be down. This is an integer from x to 255. The default is 10 seconds. If the msec option is specified, holdtime is in milliseconds. This is an integer from y to 3000.

Step 10 

Router(config-if)# standby [group-number] [priority priority] preempt [delay [minimum | sync] seconds]

Sets the standby priority used in choosing the active router.

group-number—(Optional) Group number to which the priority applies.

priority—(Optional) The priority value range is from 1 to 255, where 1 denotes the lowest priority and 255 denotes the highest priority. Specify that, if the local router has priority over the current active router, the local router should attempt to take its place as the active router.

delay—(Optional) Specifies a preemption delay, after which the Hot Standby router preempts and becomes the active router.

minimum—(Optional) Specifies the minimum delay period in seconds.

sync—(Optional) Specifies the maximum synchronization period for IP redundancy clients in seconds.

seconds—(Optional) Causes the local router to postpone taking over the active role for a minimum number of seconds since that router was last restarted. The range is from 0 to 3600 seconds (1 hour). The default is 0 seconds (no delay).

Step 11 

Router(config-if)# standby [group-number] track type number [interface-priority]

Configures the interface to track other interfaces, so that if one of the other interfaces goes down, the device's Hot Standby priority is lowered.

group-number—(Optional) Group number on the interface for which HSRP is being activated.

type—Interface type (combined with interface number) that will be tracked.

number—Interface number (combined with interface type) that will be tracked.

interface-priority—(Optional) Amount by which the Hot Standby priority for the router is decremented (or incremented) when the interface goes down (or comes back up). Range is from 0 to 255. Default is 10.

Step 12 

Router(config-if)# standby [group-number] name group-name

Configures the standby group name for the interface.

group-number—(Optional) Group number to which the name is being applied.

name group-name—Name of the standby group.

Step 13 

Router(config)# interface gigabitethernet slot/subslot/port

Enters interface configuration mode for the specified Gigabit Ethernet interface.

slot—Specifies the chassis slot number where the SIP is installed.

subslot—Specifies the secondary slot number on a SIP where a SPA is installed.

port—Specifies the number of the interface port on the SPA.

Step 14 

Router(config-if)# ip address ip-address mask

Specifies the IP address and subnet mask for the interface.

ip-address—IP address.

mask—Subnet mask.

Step 15 

Router(config-if)# standby [group-number] ip ip-address

Enables the HSRP.

group-number—(Optional) Group number on the interface for which HSRP is being activated. The default is 0. The group number range is from 0 to 255 for HSRP version 1 and from 0 to 4095 for HSRP version 2.

ip-address—(Optional) IP address of the standby router interface.

Step 16 

Router(config-if)# standby [group-number] timers [msec] hellotime [msec] holdtime

Configures the time between hello packets and the hold time before other routers declare the active router to be down.

group-number—(Optional) Group number to which the timers apply.

msec—(Optional) Interval in milliseconds. Millisecond timers allow for faster failover.

hellotime—Hello interval (in seconds). This is an integer from 1 to 254. The default is 3 seconds. If the msec option is specified, hellotime is in milliseconds. This is an integer from 15 to 999.

holdtime—Time (in seconds) before the active or standby router is declared to be down. This is an integer from x to 255. The default is 10 seconds. If the msec option is specified, holdtime is in milliseconds. This is an integer from y to 3000.

Step 17 

Router(config-if)# standby [group-number] [priority priority] preempt [delay [minimum | sync] seconds]

Sets the standby priority used in choosing the active router.

group-number—(Optional) Group number to which the priority applies.

priority—(Optional) The priority value range is from 1 to 255, where 1 denotes the lowest priority and 255 denotes the highest priority. Specify that, if the local router has priority over the current active router, the local router should attempt to take its place as the active router.

delay—(Optional) Specifies a preemption delay, after which the Hot Standby router preempts and becomes the active router.

minimum—(Optional) Specifies the minimum delay period in seconds.

sync—(Optional) Specifies the maximum synchronization period for IP redundancy clients in seconds.

seconds—(Optional) Causes the local router to postpone taking over the active role for a minimum number of seconds since that router was last restarted. The range is from 0 to 3600 seconds (1 hour). The default is 0 seconds (no delay).

Step 18 

Router(config-if)# standby [group-number] track type number [interface-priority]

Configures the interface to track other interfaces, so that if one of the other interfaces goes down, the device's Hot Standby priority is lowered.

group-number—(Optional) Group number on the interface for which HSRP is being activated.

type—Interface type (combined with interface number) that will be tracked.

number—Interface number (combined with interface type) that will be tracked.

interface-priority—(Optional) Amount by which the Hot Standby priority for the router is decremented (or incremented) when the interface goes down (or comes back up). Range is from 0 to 255. Default is 10.

Step 19 

Router(config-if)# standby [group-number] name group-name

Configures the standby group name for the interface.

group-number—(Optional) Group number to which the name is being applied.

name group-name—Name of the standby group.

Step 20 

Router(config-if)# crypto map name redundancy standby-group-name

Defines a backup IP Security (IPSec) peer. Both routers in the standby group are defined by the redundancy standby name and share the same virtual IP address.

name—Name that identifies the crypto map.

standby-group-name—Name of the standby group.

For examples of IPSec stateless failover configurations using HSRP, see "IPSec Stateless Failover Using HSRP Configuration Examples" section.
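The configuration that the twenty steps above produce on one router of an HSRP pair, as an added example constructed for this page (it is not one of the guide's own configuration examples). The interface identifiers, addresses, HSRP group names, crypto map and transform set names, the remote peer address and the preshared-key placeholder are all assumptions; the second router carries the same configuration with its own real addresses and a lower standby priority.

```cisco
! Constructed example (added here; not a configuration from the original page).
! Router A of the pair. Router B mirrors this with its own real addresses
! (for example 192.0.2.3 and 10.1.1.3) and a lower priority such as 100.
! All names, addresses and interface identifiers below are assumptions.
!
! Steps 1-5: IKE policy, preshared key, transform set, crypto ACL, crypto map.
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
!
! Replace the placeholder with the real key; both routers must hold the same key
! because the remote peer re-authenticates to whichever router owns the VIP.
crypto isakmp key <PRESHARED-KEY-PLACEHOLDER> address 203.0.113.10
!
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
!
access-list 101 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
crypto map VPNMAP 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set AES-SHA
 match address 101
 ! RRI: the protected subnet is injected into the routing table by the router
 ! that currently holds the SAs, so internal routing follows the failover.
 reverse-route
!
! Steps 6-12: outside interface. The remote peer only ever sees the virtual
! address 192.0.2.1, so after a failover it rebuilds IKE and IPSec (via DPD
! or keepalives) with whichever router now owns that address.
interface GigabitEthernet4/0/0
 ip address 192.0.2.2 255.255.255.0
 standby 1 ip 192.0.2.1
 standby 1 timers 1 3
 standby 1 priority 110 preempt delay minimum 30
 ! Losing the inside link lowers this group's priority by 20 so that the
 ! outside VIP moves together with the inside one.
 standby 1 track GigabitEthernet4/0/1 20
 standby 1 name OUTSIDE-VIP
!
! Steps 13-19: inside interface, tracking the outside link the same way.
interface GigabitEthernet4/0/1
 ip address 10.1.1.2 255.255.255.0
 standby 2 ip 10.1.1.1
 standby 2 timers 1 3
 standby 2 priority 110 preempt delay minimum 30
 standby 2 track GigabitEthernet4/0/0 20
 standby 2 name INSIDE-VIP
!
! Step 20: bind the crypto map to the outside standby group so that IPSec
! uses the virtual address as its local endpoint on both routers.
interface GigabitEthernet4/0/0
 crypto map VPNMAP redundancy OUTSIDE-VIP
```

The mutual tracking between the two groups is what makes the cutover clean: if only the outside VIP moved, return traffic from the LAN could still arrive at the router that no longer terminates the tunnel. After a failover, the remote peer's SAs with the old router are stale and are torn down only by DPD or keepalive timeouts, which is the source of the lost application sessions the overview describes.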

Configuring IPSec Stateless Failover in VRF Mode

Stateless failover is supported in VRF mode, but it is configured differently than in crypto-connect mode. In VRF mode, the HSRP configuration goes on the physical interface, but the crypto map is added to the interface VLAN. In crypto-connect mode, both the HSRP configuration and the crypto map are on the same interface.

For a configuration example of VRF mode stateless failover, see the "IPSec Stateless Failover in VRF Mode Configuration Example" section.

Configuring IPSec Stateful Failover Using HSRP and SSP

The IPSec Stateful Failover (VPN High Availability) feature enables a router to continue processing and forwarding packets after a planned or unplanned outage by employing a backup (standby) router that automatically takes over the primary (active) router's tasks in the event of an active router failure. The process is transparent to users and to remote IPSec peers. The time that it takes for the standby router to take over depends on HSRP timers.


Note IPSec Stateful Failover Using HSRP and SSP is not supported in Cisco IOS Release 12.2(33)SRA.


IPSec Stateful Failover (VPN High Availability) is designed to work in conjunction with the Hot Standby Router Protocol (HSRP), Reverse Route Injection (RRI) and the State Synchronization Protocol (SSP). When used together, HSRP, RRI, and SSP provide a more reliable network design for VPNs and reduce configuration complexity on remote peers.

IPSec Stateful Failover Configuration Guidelines and Restrictions

Follow these guidelines and restrictions when configuring IPSec stateful failover:

When configuring IPSec stateful failover with the IPSec VPN SPA, note that all IPSec VPN SPA configuration rules apply. You must apply crypto maps to interface VLANs, and you must attach interface VLANs to the IPSec VPN SPA inside port.

When configuring IPSec stateful failover with an IPSec VPN SPA in two chassis, note that the hardware configurations of both chassis must be exactly the same. For example, in one chassis if the IPSec VPN SPA that is in slot 2 is used to protect interface VLAN 100 and the IPSec VPN SPA that is in slot 3 is used to protect interface VLAN 101, the exact same configuration must be reflected in the second chassis. An example of a misconfiguration would be if the IPSec VPN SPA in slot 3 of the second chassis is used to protect interface VLAN 100.

Do not use IPSec stateful failover with Easy VPN clients or IKE keepalives. IPSec stateful failover can be used with peers when DPD is used.

Do not add nonexistent or inadequately configured HSRP standby groups to the State Synchronization Protocol (SSP) configuration because this action disables high-availability features until the configuration is corrected.

Do not use the standby use-bia command. Always use a virtual HSRP MAC address for the router's MAC address.

Do not use IPSec stateful failover with DMVPN or tunnel protection.

The recommended HSRP timer values are one second for hello timers and three seconds for hold timers. These values should prevent an undesirable failover that is caused by temporary network congestion or transient, high CPU loads.

These timer values can be adjusted upward if you are running high loads or have a large number of HSRP groups. Temporary failures and load-related system stability can be positively affected by raising the timer values as needed. The hello timer value should be approximately a third of the hold timer value.

Use the HSRP "delay" timers to allow a device to finish booting, initializing, and synchronizing before participating as a high-availability pair. Set the "minimum" delay at 30 seconds or more to help prevent active/standby flapping and set the "reload" delay at some value greater than the minimum. You can use the delay timers to reflect the complexity and size of a particular configuration on various hardware. The delay timers tend to vary from platform to platform.

Sequence number updates from active to standby have a 20-second minimum interval per SA.

Due to dependence on HSRP, IPSec stateful failover does not work for secured WAN ports (IPSec over FlexWAN module port adapters).

Use the Reverse Route Injection (RRI) feature (reverse-route command) to allow dynamic routing information updates during the HSRP and IPSec failover.

After enabling both HSRP and IPSec stateful failover, use the show ssp, show crypto ipsec, and show crypto isakmp commands to verify that all processes are running properly.
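The guideline values above applied in one configuration, as an added example constructed for this page rather than taken from the guide's own examples. It shows only the additions that turn an existing crypto map and HSRP group into a stateful pair on the releases that support HSRP with SSP (not Cisco IOS Release 12.2(33)SRA); the crypto map VPNMAP, its crypto ACL, the interface VLAN number, the peer and virtual addresses, the group name and the attachment of the interface VLAN to the IPSec VPN SPA inside port are all assumptions.

```cisco
! Constructed example (added here; not a configuration from the original page).
! Assumes crypto map VPNMAP already exists and that interface Vlan100 is
! already attached to the IPSec VPN SPA inside port. Addresses, names and
! identifiers are assumptions. Applies to pre-12.2(33)SRA releases only.
!
! SSP channel 1: bound to an HSRP group that must already be fully configured
! (an unknown or half-configured group disables HA until corrected). The
! remote address is the standby router's real address, never the virtual one.
ssp group 1
 redundancy OUTSIDE-VIP
 remote 192.0.2.3
!
! Replicate ISAKMP state over SSP channel 1; removing this drops the dormant
! SA entries bound to channel 1 on the standby.
crypto isakmp ssp 1
!
! Anti-replay window synchronization: inbound every 1000 packets, outbound
! every 1 million packets (the outbound unit is millions). Updates are in any
! case rate-limited to one per 20 seconds per SA.
crypto map VPNMAP ha replay-interval inbound 1000 outbound 1
!
! HSRP on the interface VLAN that carries the crypto map (crypto-connect mode
! keeps both on the same interface). Recommended timers: 1 s hello, 3 s hold.
! Delay timers let a rebooted router finish SSP synchronization before it can
! preempt, which avoids active/standby flapping. No standby use-bia: the group
! keeps the virtual HSRP MAC so peers never learn a real interface MAC.
interface Vlan100
 ip address 192.0.2.2 255.255.255.0
 standby delay minimum 30 reload 60
 standby 1 ip 192.0.2.1
 standby 1 timers 1 3
 standby 1 priority 110 preempt
 standby 1 name OUTSIDE-VIP
 crypto map VPNMAP redundancy OUTSIDE-VIP
```

After both routers are up, show ssp should report the channel as active with the peer, and show crypto isakmp sa and show crypto ipsec sa on the standby should list the replicated SAs in a dormant state; if the standby shows none, the usual causes are a mismatch between the redundancy name here and the standby group name, or a remote address that points at the virtual rather than the real interface address.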

To configure IPSec stateful failover using HSRP and SSP, perform the following steps beginning in global configuration mode:

 
Command
Purpose

Step 1 

Router(config)# ssp group group

Indicates channel used to communicate High Availability (HA) information and enters SSP configuration mode.

group—Integer between 1 and 100.

Step 2 

Router(config-ssp)# redundancy name

Identifies the HSRP group.

name—Valid IP redundancy group name.

Step 3 

Router(config-ssp)# remote ip-address

Identifies peer that will receive High Availability (HA) transmissions.

ip-address—IP address of the standby router.

Step 4 

Router(config)# crypto isakmp policy priority

...

Router(config-isakmp)# exit

Defines an ISAKMP policy and enters ISAKMP policy configuration mode.

priority—Identifies the IKE policy and assigns a priority to the policy. Use an integer from 1 to 10000, with 1 being the highest priority and 10000 the lowest.

For details on configuring an ISAKMP policy, see the Cisco IOS Security Configuration Guide.

Step 5 

Router(config)# crypto isakmp key keystring address peer-address

Configures a preshared authentication key.

keystring—Preshared key.

peer-address—IP address of the remote peer.

For details on configuring a preshared key, see the Cisco IOS Security Configuration Guide.

Step 6 

Router(config)# crypto isakmp ssp id

Enables ISAKMP state to be transferred by the SSP channel described by the ID. If this feature is disabled, all dormant SA entries bound to that ID on the standby router will be removed and any new state entries will not be added.

id—Channel used to transfer SA entries.

Step 7 

Router(config)# crypto ipsec transform-set transform-set-name transform1[transform2[transform3]]

...

Router(config-crypto-tran)# exit

Defines a transform set (an acceptable combination of security protocols and algorithms) and enters crypto transform configuration mode.

transform-set-name—Name of the transform set.

transform1[transform2[transform3]]—Defines IPSec security protocols and algorithms.

For accepted transformx values, and more details on configuring transform sets, see the Cisco IOS Security Command Reference.

Step 8 

Router(config)# crypto map name ha replay-interval inbound inbound-interval outbound outbound-interval

Specifies the intervals at which the active router should update the standby router with anti-replay sequence numbers.

name—Tag name of the crypto map described in the configuration.

inbound-interval—The interval at which the active router sends packet sequence updates for incoming packets. Integer between 0 and 10000.

outbound-interval—The interval at which the active router sends packet sequence updates for outgoing packets. Integer between 1 and 10 (in millions of packets).

Step 9 

Router(config)# access-list access-list-number {deny | permit} ip source source-wildcard destination destination-wildcard

Defines an extended IP access list.

access-list-number—Number of an access list. This is a decimal number from 100 to 199 or from 2000 to 2699.

{deny | permit}—Denies or permits access if the conditions are met.

source—Address of the host from which the packet is being sent.

source-wildcard—Wildcard bits to be applied to the source address.

destination—Address of the host to which the packet is being sent.

destination-wildcard—Wildcard bits to be applied to the destination address.

For details on configuring an access list, see the Cisco IOS Security Configuration Guide.

Step 10 

Router(config)# crypto map map-name seq-number ipsec-isakmp

...

Router(config-crypto-map)# exit

Creates or modifies a crypto map entry and enters the crypto map configuration mode.

map-name—Name that identifies the crypto map set.

seq-number—Sequence number you assign to the crypto map entry. Lower values have higher priority.

ipsec-isakmp—Indicates that IKE will be used to establish the IPSec security associations.

For details on configuring a crypto map, see the Cisco IOS Security Configuration Guide.

Step 11 

Router(config)# interface gigabitethernet slot/subslot/port

Enters interface configuration mode for the specified Gigabit Ethernet interface.

slot—Specifies the chassis slot number where the SIP is installed.

subslot—Specifies the secondary slot number on a SIP where a SPA is installed.

port—Specifies the number of the interface port on the SPA.

Step 12 

Router(config-if)# ip address ip-address mask

Specifies the IP address and subnet mask for the interface.

ip-address—IP address.

mask—Subnet mask.

Step 13 

Router(config-if)# standby [group-number] ip ip-address

Enables the HSRP.

group-number—(Optional) Group number on the interface for which HSRP is being activated. The default is 0. The group number range is from 0 to 255 for HSRP version 1 and from 0 to 4095 for HSRP version 2.

ip-address—(Optional) IP address of the standby router interface.

Step 14 

Router(config-if)# standby [group-number] timers [msec] hellotime [msec] holdtime

Configures the time between hello packets and the hold time before other routers declare the active router to be down.

group-number—(Optional) Group number to which the timers apply.

msec—(Optional) Interval in milliseconds. Millisecond timers allow for faster failover.

hellotime—Hello interval (in seconds). This is an integer from 1 to 254. The default is 3 seconds. If the msec option is specified, hellotime is in milliseconds. This is an integer from 15 to 999.

holdtime—Time (in seconds) before the active or standby router is declared to be down. This is an integer from x to 255. The default is 10 seconds. If the msec option is specified, holdtime is in milliseconds. This is an integer from y to 3000.

Step 15 

Router(config-if)# standby [group-number] [priority priority] preempt [delay [minimum | sync] seconds]

Sets the standby priority used in choosing the active router.

group-number—(Optional) Group number to which the priority applies.

priority—(Optional) The priority value range is from 1 to 255, where 1 denotes the lowest priority and 255 denotes the highest priority. Specify that, if the local router has priority over the current active router, the local router should attempt to take its place as the active router.

delay—(Optional) Specifies a preemption delay, after which the Hot Standby router preempts and becomes the active router.

minimum—(Optional) Specifies the minimum delay period in seconds.

sync—(Optional) Specifies the maximum synchronization period for IP redundancy clients in seconds.

seconds—(Optional) Causes the local router to postpone taking over the active role for a minimum number of seconds since that router was last restarted. The range is from 0 to 3600 seconds (1 hour). The default is 0 seconds (no delay).

Step 16 

Router(config-if)# standby [group-number] track type number [interface-priority]

Configures the interface to track other interfaces, so that if one of the other interfaces goes down, the device's Hot Standby priority is lowered.

group-number—(Optional) Group number on the interface for which HSRP is being activated.

type—Interface type (combined with interface number) that will be tracked.

number—Interface number (combined with interface type) that will be tracked.

interface-priority—(Optional) Amount by which the Hot Standby priority for the router is decremented (or incremented) when the interface goes down (or comes back up). Range is from 0 to 255. Default is 10.

Step 17 

Router(config-if)# standby [group-number] name group-name

Configures the standby group name for the interface.

group-number—(Optional) Group number to which the name is being applied.

name group-name—Name of the standby group.

Step 18 

Router(config)# interface gigabitethernet slot/subslot/port

Enters interface configuration mode for the specified Gigabit Ethernet interface.

slot—Specifies the chassis slot number where the SIP is installed.

subslot—Specifies the secondary slot number on a SIP where a SPA is installed.

port—Specifies the number of the interface port on the SPA.

Step 19 

Router(config-if)# ip address ip-address mask

Specifies the IP address and subnet mask for the interface.

ip-address—IP address.

mask—Subnet mask.

Step 20 

Router(config-if)# standby [group-number] ip ip-address

Enables the HSRP.

group-number—(Optional) Group number on the interface for which HSRP is being activated. The default is 0. The group number range is from 0 to 255 for HSRP version 1 and from 0 to 4095 for HSRP version 2.

ip-address—(Optional) IP address of the standby router interface.

Step 21 

Router(config-if)# standby [group-number] timers [msec] hellotime [msec] holdtime

Configures the time between hello packets and the hold time before other routers declare the active router to be down.

group-number—(Optional) Group number to which the timers apply.

msec—(Optional) Interval in milliseconds. Millisecond timers allow for faster failover.

hellotime—Hello interval (in seconds). This is an integer from 1 to 254. The default is 3 seconds. If the msec option is specified, hellotime is in milliseconds. This is an integer from 15 to 999.

holdtime—Time (in seconds) before the active or standby router is declared to be down. This is an integer from x to 255. The default is 10 seconds. If the msec option is specified, holdtime is in milliseconds. This is an integer from y to 3000.

Step 22 

Router(config-if)# standby [group-number] [priority priority] preempt [delay [minimum | sync] seconds]

Sets the standby priority used in choosing the active router.

group-number—(Optional) Group number to which the priority applies.

priority—(Optional) The priority value range is from 1 to 255, where 1 denotes the lowest priority and 255 denotes the highest priority. Specify that, if the local router has priority over the current active router, the local router should attempt to take its place as the active router.

delay—(Optional) Specifies a preemption delay, after which the Hot Standby router preempts and becomes the active router.

minimum—(Optional) Specifies the minimum delay period in seconds.

sync—(Optional) Specifies the maximum synchronization period for IP redundancy clients in seconds.

seconds—(Optional) Causes the local router to postpone taking over the active role for a minimum number of seconds since that router was last restarted. The range is from 0 to 3600 seconds (1 hour). The default is 0 seconds (no delay).

Step 23 

Router(config-if)# standby [group-number] track type number [interface-priority]

Configures the interface to track other interfaces, so that if one of the other interfaces goes down, the device's Hot Standby priority is lowered.

group-number—(Optional) Group number on the interface for which HSRP is being activated.

type—Interface type (combined with interface number) that will be tracked.

number—Interface number (combined with interface type) that will be tracked.

interface-priority—(Optional) Amount by which the Hot Standby priority for the router is decremented (or incremented) when the interface goes down (or comes back up). Range is from 0 to 255. Default is 10.

Step 24 

Router(config-if)# standby [group-number] name group-name

Configures the standby group name for the interface.

group-number—(Optional) Group number to which the name is being applied.

name group-name—Name of the standby group.

Step 25 

Router(config-if)# crypto map name ssp id

Enables IPSec state to be transferred by the SSP channel described by the ID. If this feature is disabled, all standby entries bound to that interface will be removed.

id—Channel used to transfer SA entries.

Verifying HSRP Configurations

To verify the IPSec stateful failover HSRP configuration, enter the show crypto isakmp ha standby, show crypto ipsec ha, show crypto ipsec sa, and show crypto ipsec sa standby commands.

Enter the show crypto isakmp ha standby command to view your ISAKMP standby or active SAs:

Router# show crypto isakmp ha standby
dst             src             state       I-Cookie           R-Cookie
172.16.31.100   20.3.113.1      QM_IDLE     796885F3 62C3295E  FFAFBACD EED41AFF
172.16.31.100   20.2.148.1      QM_IDLE     5B78D70F 3D80ED01  FFA03C6D 09FC50BE
172.16.31.100   20.4.124.1      QM_IDLE     B077D0A1 0C8EB3A0  FF5B152C D233A1E0
172.16.31.100   20.3.88.1       QM_IDLE     55A9F85E 48CC14DE  FF20F9AE DE37B913
172.16.31.100   20.1.95.1       QM_IDLE     3881DE75 3CF384AE  FF192CAB 795019AB

Enter the show crypto ipsec ha command to view your IPSec HA Manager state:

Router# show crypto ipsec ha
Interface	VIP	SAs	IPSec Ha State

GigabitEthernet5/0/1	172.16.31.100	1800	Active since 13:00:16 EDT Tue Oct 1 2002

Enter the show crypto ipsec sa command to view HA status of the IPSec SA (standby or active):

Router# show crypto ipsec sa
interface: GigabitEthernet5/0/1
	Crypto map tag: mymap, local addr. 172.168.3.100
	local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
	remote ident (addr/mask/prot/port): (5.6.0.0/255.255.0.0/0/0)
	current_peer: 172.168.3.1
	PERMIT, flags={}
	#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
	#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
	#pkts compressed: 0, #pkts decompressed: 0
	#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
	#send errors 0, #recv errors 0
	local crypto endpt.: 172.168.3.100, remote crypto endpt.: 172.168.3.1
	path mtu 1500, media mtu 1500
	current outbound spi: 132ED6AB
	inbound esp sas:
	spi: 0xD8C8635F(3637011295)
	transform: esp-des esp-md5-hmac ,
	in use settings ={Tunnel, }
	slot: 0, conn id: 2006, flow_id: 3, crypto map: mymap
	sa timing: remaining key lifetime (k/sec): (4499/59957)
	IV size: 8 bytes
	replay detection support: Y
	HA Status: STANDBY
	inbound ah sas:
	spi: 0xAAF10A60(2867923552)
	transform: ah-sha-hmac ,
	in use settings ={Tunnel, }
	slot: 0, conn id: 2004, flow_id: 3, crypto map: mymap
	sa timing: remaining key lifetime (k/sec): (4499/59957)
	replay detection support: Y
	HA Status: STANDBY
	inbound pcp sas:
	outbound esp sas:
	spi: 0x132ED6AB(321836715)
	transform: esp-des esp-md5-hmac ,
	in use settings ={Tunnel, }
	slot: 0, conn id: 2007, flow_id: 4, crypto map: mymap
	sa timing: remaining key lifetime (k/sec): (4499/59957)
	IV size: 8 bytes
	replay detection support: Y
	HA Status: STANDBY
	outbound ah sas:
	spi: 0x1951D78(26549624)
	transform: ah-sha-hmac ,
	in use settings ={Tunnel, }
	slot: 0, conn id: 2005, flow_id: 4, crypto map: mymap
	ssa timing: remaining key lifetime (k/sec): (4499/59957)
	replay detection support: Y
	HA Status: STANDBY
	outbound pcp sas:

Enter the show crypto ipsec sa standby command to view your standby SAs:

Router# show crypto ipsec sa standby
interface: GigabitEthernet5/0/1
	Crypto map tag: mymap, local addr. 172.168.3.100
	local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
	remote ident (addr/mask/prot/port): (5.6.0.0/255.255.0.0/0/0)
	current_peer: 172.168.3.1
	PERMIT, flags={}
	#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
	#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
	#pkts compressed: 0, #pkts decompressed: 0
	#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
	#send errors 0, #recv errors 0
	local crypto endpt.: 172.168.3.100, remote crypto endpt.: 172.168.3.1
	path mtu 1500, media mtu 1500
	current outbound spi: 132ED6AB
	inbound esp sas:
	spi: 0xD8C8635F(3637011295)
	transform: esp-des esp-md5-hmac ,
	in use settings ={Tunnel, }
	slot: 0, conn id: 2006, flow_id: 3, crypto map: mymap
	sa timing: remaining key lifetime (k/sec): (4499/59957)
	IV size: 8 bytes
	replay detection support: Y
	HA Status: STANDBY
	inbound ah sas:
	spi: 0xAAF10A60(2867923552)
	transform: ah-sha-hmac ,
	in use settings ={Tunnel, }
	slot: 0, conn id: 2004, flow_id: 3, crypto map: mymap
	sa timing: remaining key lifetime (k/sec): (4499/59957)
	replay detection support: Y
	HA Status: STANDBY
	inbound pcp sas:
	outbound esp sas:
	spi: 0x132ED6AB(321836715)
	transform: esp-des esp-md5-hmac ,
	in use settings ={Tunnel, }
	slot: 0, conn id: 2007, flow_id: 4, crypto map: mymap
	sa timing: remaining key lifetime (k/sec): (4499/59957)
	IV size: 8 bytes
	replay detection support: Y
	HA Status: STANDBY
	outbound ah sas:
	spi: 0x1951D78(26549624)
	transform: ah-sha-hmac ,
	in use settings ={Tunnel, }
	slot: 0, conn id: 2005, flow_id: 4, crypto map: mymap
	sa timing: remaining key lifetime (k/sec): (4499/59957)
	replay detection support: Y
	HA Status: STANDBY
	outbound pcp sas:
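The HA Status field is what tells you whether an SA has really been replicated to the standby chassis. The parser and audit routine below is an added example for this chapter, not Cisco code: it reads the show crypto ipsec sa output format shown above (the sample it carries is a constructed, shortened copy of that format) and reports SAs whose HA status is missing, mixed for one peer, or not the role this chassis is expected to hold.

```python
"""Parse 'show crypto ipsec sa' / 'show crypto ipsec sa standby' output and
audit the HA Status of every SA.  Added example, not Cisco code."""
import re

# Constructed sample in the format shown on this page (shortened): two
# replicated STANDBY SAs and one outbound ESP SA that reports ACTIVE.
SAMPLE_OUTPUT = """\
interface: GigabitEthernet5/0/1
    Crypto map tag: mymap, local addr. 172.168.3.100
    current_peer: 172.168.3.1
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    current outbound spi: 132ED6AB
    inbound esp sas:
    spi: 0xD8C8635F(3637011295)
    transform: esp-des esp-md5-hmac ,
    slot: 0, conn id: 2006, flow_id: 3, crypto map: mymap
    replay detection support: Y
    HA Status: STANDBY
    inbound ah sas:
    spi: 0xAAF10A60(2867923552)
    transform: ah-sha-hmac ,
    slot: 0, conn id: 2004, flow_id: 3, crypto map: mymap
    replay detection support: Y
    HA Status: STANDBY
    inbound pcp sas:
    outbound esp sas:
    spi: 0x132ED6AB(321836715)
    transform: esp-des esp-md5-hmac ,
    slot: 0, conn id: 2007, flow_id: 4, crypto map: mymap
    replay detection support: N
    HA Status: ACTIVE
    outbound ah sas:
"""

SA_HEADER = re.compile(r"^(inbound|outbound) (esp|ah|pcp) sas:$")
SPI_LINE = re.compile(r"^spi: 0x([0-9A-Fa-f]+)\(\d+\)")
CONN_LINE = re.compile(r"^slot: \d+, conn id: (\d+), flow_id: \d+, crypto map: (\S+)")


def parse_ipsec_sa(text):
    """Return one dict per SA: interface, peer, direction, protocol, spi,
    transform list, conn_id, crypto_map, replay (bool) and ha_status."""
    sas, cur = [], None
    interface = peer = direction = proto = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface: "):
            interface = line.split(": ", 1)[1]
        elif line.startswith("current_peer: "):
            peer = line.split(": ", 1)[1]
        elif (m := SA_HEADER.match(line)):
            direction, proto = m.groups()   # every 'spi:' below belongs to this list
            cur = None
        elif (m := SPI_LINE.match(line)):
            cur = {"interface": interface, "peer": peer, "direction": direction,
                   "protocol": proto, "spi": int(m.group(1), 16), "transform": None,
                   "conn_id": None, "crypto_map": None, "replay": None,
                   "ha_status": None}
            sas.append(cur)
        elif cur is None:
            continue                        # per-map header lines, not SA fields
        elif line.startswith("transform: "):
            cur["transform"] = line[len("transform: "):].rstrip(" ,").split()
        elif (m := CONN_LINE.match(line)):
            cur["conn_id"], cur["crypto_map"] = int(m.group(1)), m.group(2)
        elif line.startswith("replay detection support: "):
            cur["replay"] = line.endswith("Y")
        elif line.startswith("HA Status: "):
            cur["ha_status"] = line.split(": ", 1)[1]
    return sas


def audit_ha(sas, expected=None):
    """Findings an operator wants before trusting failover: SAs with no HA
    Status line (not under HA control), SAs whose status is not the role this
    chassis should hold (expected='ACTIVE' or 'STANDBY'), per-peer mixes of
    ACTIVE and STANDBY, and SAs with replay detection switched off."""
    findings, by_peer = [], {}
    for sa in sas:
        key = f"{sa['interface']} peer {sa['peer']}"
        tag = f"{key}: {sa['direction']} {sa['protocol']} spi 0x{sa['spi']:X}"
        if sa["ha_status"] is None:
            findings.append(f"{tag} has no HA Status")
        else:
            by_peer.setdefault(key, set()).add(sa["ha_status"])
            if expected and sa["ha_status"] != expected:
                findings.append(f"{tag} is {sa['ha_status']}, expected {expected}")
        if sa["replay"] is False:
            findings.append(f"{tag} has replay detection disabled")
    for key, statuses in by_peer.items():
        if len(statuses) > 1:
            findings.append(f"{key}: mixed HA status {sorted(statuses)}")
    return findings
```

Run audit_ha(parse_ipsec_sa(output), expected="STANDBY") against the standby chassis and expected="ACTIVE" against the active one; an empty list is the expected result on a healthy pair.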

Displaying SSP Information

To verify the IPSec stateful failover SSP configuration, enter the show ssp client, show ssp packet, show ssp peers, and show ssp redundancy commands.

Enter the show ssp client command to view SSP client information:

Router# show ssp client
SSP Client Information
    DOI   Client Name                       Version   Running Ver
      1   IPSec HA Manager                   1.0       1.0
      2   IKE HA Manager                     1.0       1.0

Enter the show ssp packet command to view SSP packet information:

Router# show ssp packet
SSP packet Information
    Socket creation time: 01:01:06
    Local port: 3249      Server port: 3249
    Packets Sent = 38559, Bytes Sent = 2285020
    Packets Received = 910, Bytes Received = 61472

Enter the show ssp peers command to view SSP peer information:

Router# show ssp peers
SSP Peer Information
    IP Address      Connection State   Local Interface
    40.0.0.1        Connected          FastEthernet0/1

Enter the show ssp redundancy command to view redundancy information:

Router# show ssp redundancy
SSP Redundancy Information
  Device has been ACTIVE for 02:55:34
    Virtual IP      Redundancy Name             Interface
    172.16.31.100   KNIGHTSOFNI                 GigabitEthernet5/0/1GigabitEthernet0/0 

For complete configuration information for Cisco IOS IPSec stateful failover support, refer to this URL:

/en/US/docs/ios/12_2/12_2y/12_2yx11/feature/guide/ft_vpnha.html#wp1092482

For IPSec stateful failover configuration examples, see the "IPSec Stateful Failover Using HSRP and SSP Examples" section.

Configuring IPSec Stateful Failover Using a Blade Failure Group

This section describes how to configure IPSec stateful failover using a Blade Failure Group (BFG).

When two IPSec VPN SPAs are installed in a chassis, they are referred to as a Blade Failure Group (BFG). Each IPSec VPN SPA serves as a backup for the other IPSec VPN SPA. A BFG is an active/active configuration.

When an IPSec VPN SPA is joining a BFG or booting to come online, all of its IPSec and IKE data structures are synchronized with its peer. For each IPSec tunnel or IKE SA, and based on the per-interface crypto engine assignment, only one IPSec VPN SPA can be designated as active. For IKE SAs, an active SPA is the one that is accelerating cryptographic computations. For IPSec tunnels, the active SPA is the one that the traffic is passing through. For each IKE SA or IPSec tunnel, there is an active IPSec VPN SPA and its backup. For example, in a system that supports 1000 tunnels with two IPSec VPN SPAs, 500 of the tunnels may be active on one SPA and the remaining 500 may be active on the second SPA. Both SPAs then replicate data to each other so that either one can take over in the event of a failure. Each IPSec VPN SPA can have only one partner for all of the IKE and IPSec SAs that it protects.

IPSec Stateful Failover Using a BFG Configuration Guidelines

Follow these guidelines when configuring IPSec stateful failover using a BFG:

Do not use IPSec stateful failover using a BFG in crypto-connect mode with tunnel protection.

You can install or remove one of the IPSec VPN SPAs comprising a BFG without disrupting any of the tunnels on the other IPSec VPN SPA.

To configure IPSec stateful failover using a BFG, perform the following steps beginning in global configuration mode:

 
Command
Purpose

Step 1 

Router(config)# redundancy

Enters redundancy configuration mode.

Step 2 

Router(config-red)# linecard-group group-number feature card

Identifies the line card group ID for a Blade Failure Group and enters redundancy line card configuration mode.

group-number—Specifies a group ID for the BFG.

Step 3 

Router(config-r-lc)# subslot slot/subslot

Adds the first SPA to the group.

slot—Specifies the chassis slot number where the SIP is installed.

subslot—Specifies the secondary slot number on a SIP where a SPA is installed.

Step 4 

Router(config-r-lc)# subslot slot/subslot

Adds the second SPA to the group.

slot—Specifies the chassis slot number where the SIP is installed.

subslot—Specifies the secondary slot number on a SIP where a SPA is installed.

For an IPSec stateful failover using a BFG configuration example, see the "IPSec Stateful Failover Using a Blade Failure Group Configuration Example" section.

Verifying the IPSec Stateful Failover Using a BFG Configuration

To verify the IPSec stateful failover using a BFG configuration, enter the show redundancy linecard-group and show crypto ace redundancy commands.

Enter the show redundancy linecard-group command to display the components of a Blade Failure Group:

Router# show redundancy linecard-group 1

Line Card Redundancy Group:1 Mode:feature-card
Class:load-sharing
Cards:
Slot:3 Sublot:0
Slot:5 Sublot:0

Enter the show crypto ace redundancy command to display information about a Blade Failure Group:

Router# show crypto ace redundancy

--------------------------------------
LC Redundancy Group ID            :1
Pending Configuration Transactions:0
Current State                     :OPERATIONAL
Number of blades in the group     :2
Slots
--------------------------------------
Slot:3 subslot:0
Slot state:0x36
Booted
Received partner config
Completed Bulk Synchronization
Crypto Engine in Service
Rebooted 22 times
Initialization Timer not running
Slot:5 subslot:0
Slot state:0x36
Booted
Received partner config
Completed Bulk Synchronization
Crypto Engine in Service
Rebooted 24 times
Initialization Timer not running

ACE B2B Group State:OPERATIONAL Event:BULK DONE
ACE B2B Group State:CREATED Event:CONFIG_DOWNLOAD_DONE
ACE B2B Group State:DELETED Event:CONFIG_DELETE
ACE B2B Group State:OPERATIONAL Event:BULK DONE
ACE B2B Group State:CREATED Event:CONFIG_DOWNLOAD_DONE
ACE B2B Group State:DELETED Event:CONFIG_DELETE
ACE B2B Group State:OPERATIONAL Event:CONFIG_DOWNLOAD_DONE
ACE B2B Group State:DELETED Event:CONFIG_ADD
ACE B2B Group State:CREATED Event:UNDEFINED B2B HA EVENT
ACE B2B Group State:CREATED Event:CONFIG_DOWNLOAD_DONE
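To turn the show crypto ace redundancy output into a go/no-go answer, the following added example (not Cisco code) parses that format and lists anything that would stop one SPA from taking over for the other. Its sample output is constructed in the page's format, with one slot that has not yet completed bulk synchronization.

```python
"""Parse 'show crypto ace redundancy' output and decide whether a Blade
Failure Group can really back up either SPA.  Added example, not Cisco code."""
import re

# Constructed sample in the page's output format: slot 3/0 is fully synced,
# slot 5/0 has booted but has not completed bulk synchronization yet.
SAMPLE = """\
--------------------------------------
LC Redundancy Group ID            :1
Pending Configuration Transactions:0
Current State                     :OPERATIONAL
Number of blades in the group     :2
Slots
--------------------------------------
Slot:3 subslot:0
Slot state:0x36
Booted
Received partner config
Completed Bulk Synchronization
Crypto Engine in Service
Rebooted 22 times
Initialization Timer not running
Slot:5 subslot:0
Slot state:0x36
Booted
Received partner config
Crypto Engine in Service
Rebooted 24 times
Initialization Timer not running

ACE B2B Group State:OPERATIONAL Event:BULK DONE
"""

# Milestones each SPA must report before it can stand in for its partner.
REQUIRED = ("Booted", "Received partner config",
            "Completed Bulk Synchronization", "Crypto Engine in Service")
FIELDS = {"group_id": r"LC Redundancy Group ID\s*:(\d+)",
          "pending": r"Pending Configuration Transactions\s*:(\d+)",
          "state": r"Current State\s*:(\S+)",
          "blades": r"Number of blades in the group\s*:(\d+)"}


def parse_ace_redundancy(text):
    """Return the group-level fields plus {'slot/subslot': [status lines]}."""
    info = {"group_id": None, "pending": None, "state": None, "blades": None, "slots": {}}
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := re.match(r"Slot:(\d+) subslot:(\d+)$", line)):
            cur = info["slots"].setdefault(f"{m.group(1)}/{m.group(2)}", [])
            continue
        if line.startswith("ACE B2B") or not line:
            cur = None                      # event history or blank line ends the slot block
        elif cur is not None:
            cur.append(line)
        else:
            for key, pat in FIELDS.items():
                if (m := re.match(pat, line)):
                    info[key] = m.group(1) if key == "state" else int(m.group(1))
    return info


def bfg_problems(info):
    """Empty list means both SPAs can take over for each other."""
    problems = []
    if info["state"] != "OPERATIONAL":
        problems.append(f"group state is {info['state']}")
    if info["pending"]:
        problems.append(f"{info['pending']} configuration transaction(s) pending")
    if info["blades"] != 2 or len(info["slots"]) != 2:
        problems.append(f"expected 2 blades, found {info['blades']} ({len(info['slots'])} listed)")
    for slot, lines in info["slots"].items():
        for req in REQUIRED:
            if req not in lines:
                problems.append(f"slot {slot}: missing '{req}'")
    return problems
```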

Configuration Examples

This section provides examples of the following configurations:

Multiple IPSec VPN SPAs in a Chassis Configuration Example

IPSec Stateless Failover Using HSRP Configuration Examples

IPSec Stateless Failover in VRF Mode Configuration Example

IPSec Stateful Failover Using HSRP and SSP Examples

IPSec Stateful Failover Using a Blade Failure Group Configuration Example

Multiple IPSec VPN SPAs in a Chassis Configuration Example

This section provides an example of a configuration using multiple IPSec VPN SPAs in a chassis, as shown in Figure 34-1. Note the following in this example:

One IPSec VPN SPA is installed in slot 2, subslot 0 and another in slot 3, subslot 0 of router 1.

In the configuration example, three exclamation points (!!!) precede descriptive comments.

Figure 34-1 Multiple IPSec VPN SPAs in a Chassis Configuration Example


crypto isakmp policy 1 
 encr 3des 
 hash md5 
 authentication pre-share 
 group 2 
crypto isakmp key mykey address 10.8.1.1 
crypto isakmp key mykey address 10.13.1.1 
! 
crypto ipsec transform-set xform1 ah-md5-hmac esp-des esp-sha-hmac 
crypto ipsec transform-set xform2 esp-3des esp-sha-hmac 
! 
!!! crypto map applied to VLAN 12, which is 
!!! assigned to "inside" port of IPSec VPN SPA in slot 3 
crypto map cmap2 10 ipsec-isakmp 
 set peer 10.8.1.1 
 set transform-set xform1 
 match address 102 
! 
!!! crypto map applied to VLAN 20, which is 
!!! assigned to "inside" port of IPSec VPN SPA in slot 2/0 
crypto map cmap3 10 ipsec-isakmp 
 set peer 10.13.1.1 
 set transform-set xform2 
 match address 103 
! 
!!! "port" VLAN, crypto connected to VLAN 12 by IPSec VPN SPA on slot 3/0 
interface Vlan11 
 no ip address 
 crypto connect vlan 12 
! 
!!! "interface" VLAN, assigned to IPSec VPN SPA on slot 3/0 
interface Vlan12 
 ip address 10.8.1.2 255.255.0.0 
 crypto map cmap2 
 crypto engine slot 3/0 
! 
!!! "port" VLAN, crypto connected to VLAN 20 by IPSec VPN SPA on slot 2/0 
interface Vlan19 
 no ip address 
 crypto connect vlan 20 
! 
!!! "interface" VLAN, assigned to IPSec VPN SPA on slot 2/0 
interface Vlan20 
 ip address 10.13.1.2 255.255.0.0 
 crypto map cmap3 
 crypto engine slot 2/0
! 
!!! connected to Host 1 
interface FastEthernet6/1 
 ip address 10.9.1.2 255.255.255.0 
! 
!!! connected to Host 2 
interface FastEthernet6/2 
 ip address 10.9.2.2 255.255.255.0 
! 
!!! connected to Router 2 
interface GigabitEthernet5/3 
 switchport 
 switchport mode access 
 switchport access vlan 11 
! 
!!! connected to Router 2 
interface GigabitEthernet5/4 
 switchport 
 switchport mode access 
 switchport access vlan 19 
! 
interface GigabitEthernet2/0/1
 no ip address
 flowcontrol receive on
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 12,1002-1005
 switchport mode trunk
 cdp enable
!
interface GigabitEthernet2/0/2
 no ip address
 flowcontrol receive on
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 11,1002-1005
 switchport mode trunk
 cdp enable
!
interface GigabitEthernet3/0/1
 no ip address
 flowcontrol receive on
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 20,1002-1005
 switchport mode trunk
 cdp enable
!
interface GigabitEthernet3/0/2
 no ip address
 flowcontrol receive on
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 19,1002-1005
 switchport mode trunk
 cdp enable
!
ip classless 
! 
!!! packets from Host 1 to Host 3 are routed from FastEthernet6/1 
!!! to VLAN 12, encrypted with crypto map cmap2 
!!! using IPSec VPN SPA in slot 3/0, and forwarded to peer 10.8.1.1 
!!! through GigabitEthernet5/3 
ip route 10.6.1.4 255.255.255.255 10.8.1.1 
! 
!!! packets from Host 2 to Host 4 are routed from FastEthernet6/2 
!!! to VLAN 20, encrypted with crypto map cmap3 
!!! using IPSec VPN SPA in slot 2/0, and forwarded to peer 10.13.1.1 
!!! through GigabitEthernet5/4 
ip route 10.6.2.1 255.255.255.255 10.13.1.1 
! 
!!! ACL matching traffic between Host 1 and Host 3 
access-list 102 permit ip host 10.9.1.3 host 10.6.1.4 
! 
!!! ACL matching traffic between Host 2 and Host 4 
access-list 103 permit ip host 10.9.2.1 host 10.6.2.1

IPSec Stateless Failover Using HSRP Configuration Examples

This section provides the following configuration examples of IPSec stateless failover using HSRP:

IPSec Stateless Failover Using HSRP for the Active Chassis Configuration Example

IPSec Stateless Failover Using HSRP for the Standby Chassis Configuration Example

IPSec Stateless Failover Using HSRP for the Remote Router Configuration Example

IPSec Stateless Failover Using HSRP for the Active Chassis Configuration Example

The following example shows the configuration for an active chassis that is configured for IPSec stateless failover using HSRP:

version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Active
!
redundancy
 main-cpu
  auto-sync standard
ip subnet-zero
!
no ip domain-lookup
!
no mls ip multicast aggregate
no mls ip multicast non-rpf cef
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
crypto isakmp key NEEWOMM address 0.0.0.0 0.0.0.0
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set TS1 esp-3des esp-sha-hmac 
!
crypto map ha 10 ipsec-isakmp   
 set peer 172.16.31.3
 set transform-set TS1 
 match address 101
!
spanning-tree extend system-id
no spanning-tree vlan 4
!
interface GigabitEthernet1/1
 no ip address
 no ip redirects
 crypto connect vlan 4
!
interface GigabitEthernet1/2
 ip address 40.0.0.1 255.255.255.0
 no ip redirects
 standby delay minimum 35 reload 60
 standby ip 40.0.0.100
 standby timers 3 5
 standby preempt
 standby track GigabitEthernet1/1
 standby track vlan 4
!
interface GigabitEthernet5/1/1
 mtu 4500
 no ip address
 snmp trap link-status
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,4,1002-1005
 switchport mode trunk
 flowcontrol receive on
 cdp enable
!
interface GigabitEthernet5/1/2
 mtu 4500
 no ip address
 snmp trap link-status
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,1002-1005
 switchport mode trunk
 flowcontrol receive on
 cdp enable
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan4
 ip address 172.16.31.1 255.255.255.0
 standby delay minimum 35 reload 60
 standby ip 172.16.31.100
 standby timers 3 5
 standby preempt
 standby name KNIGHTSOFNI
 standby track GigabitEthernet1/1
 standby track GigabitEthernet1/2
 crypto map ha redundancy KNIGHTSOFNI
 crypto engine slot 5/1
!
ip classless
ip route 10.11.1.1 255.255.255.255 172.16.31.3
no ip http server
ip pim bidir-enable
!
access-list 101 permit ip host 40.0.0.3 host 10.11.1.1
arp 127.0.0.12 0000.2100.0000 ARPA
!
line con 0
line vty 0 4
 login
 transport input lat pad mop telnet rlogin udptn nasi ssh
!         
end

IPSec Stateless Failover Using HSRP for the Standby Chassis Configuration Example

The following example shows the configuration for a standby chassis that is configured for IPSec stateless failover using HSRP:

version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname StandBy
!
redundancy
 main-cpu
  auto-sync standard
ip subnet-zero
!
no ip domain-lookup
!
no mls ip multicast aggregate
no mls ip multicast non-rpf cef
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
crypto isakmp key NEEWOMM address 0.0.0.0 0.0.0.0
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set TS1 esp-3des esp-sha-hmac 
!
crypto map ha 10 ipsec-isakmp   
 set peer 172.16.31.3
 set transform-set TS1 
 match address 101
!
spanning-tree extend system-id
no spanning-tree vlan 4
!
interface GigabitEthernet1/1
 no ip address
 no ip redirects
 crypto connect vlan 4
!
interface GigabitEthernet1/2
 ip address 40.0.0.2 255.255.255.0
 no ip redirects
 standby delay minimum 35 reload 60
 standby ip 40.0.0.100
 standby timers 3 5
 standby preempt
 standby track GigabitEthernet1/1
 standby track vlan 4
!
interface GigabitEthernet5/1/1
 mtu 4500
 no ip address
 snmp trap link-status
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,4,1002-1005
 switchport mode trunk
 flowcontrol receive on
 cdp enable
!
interface GigabitEthernet5/1/2
 mtu 4500
 no ip address
 snmp trap link-status
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,1002-1005
 switchport mode trunk
 flowcontrol receive on
 cdp enable
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan4
 ip address 172.16.31.2 255.255.255.0
 standby delay minimum 35 reload 60
 standby ip 172.16.31.100
 standby timers 1 3
 standby preempt
 standby name KNIGHTSOFNI
 standby track GigabitEthernet1/1
 standby track GigabitEthernet1/2
 crypto map ha redundancy KNIGHTSOFNI
 crypto engine slot 5/1
!
ip classless
ip route 10.11.1.1 255.255.255.255 172.16.31.3
no ip http server
ip pim bidir-enable
!
access-list 101 permit ip host 40.0.0.3 host 10.11.1.1
arp 127.0.0.12 0000.2100.0000 ARPA
!
line con 0
line vty 0 4
 login
 transport input lat pad mop telnet rlogin udptn nasi ssh
!         
end

IPSec Stateless Failover Using HSRP for the Remote Router Configuration Example

The following example shows the configuration for a remote router that is configured for IPSec stateless failover using HSRP. Note that the router in this example is not using an IPSec VPN SPA.

version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname RemotePeer
!
redundancy
 main-cpu
  auto-sync standard
ip subnet-zero
!
no ip domain-lookup
!
no mls ip multicast aggregate
no mls ip multicast non-rpf cef
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
crypto isakmp key NEEWOMM address 0.0.0.0 0.0.0.0
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set TS1 esp-3des esp-sha-hmac 
!
crypto map ha 10 ipsec-isakmp   
 set peer 172.16.31.100
 set transform-set TS1 
 match address 101
!
spanning-tree extend system-id
!
interface Loopback1
 ip address 10.11.1.1 255.255.255.0
!
interface GigabitEthernet1/1
 no ip address
 shutdown 
!
interface GigabitEthernet1/2
 ip address 172.16.31.3 255.255.0.0
 crypto map ha
!
interface GigabitEthernet3/1
 mtu 4500
 no ip address
 flowcontrol receive on
 cdp enable
!
interface GigabitEthernet3/2
 mtu 4500
 no ip address
 flowcontrol receive on
 cdp enable
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
ip route 40.0.0.3 255.255.255.255 172.16.31.100
no ip http server
ip pim bidir-enable
!
access-list 101 permit ip host 10.11.1.1 host 40.0.0.3
arp 127.0.0.12 0000.2100.0000 ARPA
!
line con 0
line vty 0 4
 login
 transport input lat pad mop telnet rlogin udptn nasi ssh
!         
end

IPSec Stateless Failover in VRF Mode Configuration Example

The following example shows a VRF mode configuration with chassis-to-chassis IPSec stateless failover:

version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
service internal
service counters max age 10
!
hostname router-Charlie
!
logging snmp-authfail
logging buffered 100000 debugging
enable password lab
!
no aaa new-model
ip subnet-zero
!
no ip domain-lookup
ip host tftp 223.255.254.254
!
ip vrf coke
 rd 2000:1
 route-target export 2000:1
 route-target import 2000:1
!
ip vrf pepsi
 rd 1000:1
 route-target export 1000:1
 route-target import 1000:1
!
mls ip multicast flow-stat-timer 9
no mls flow ip
no mls flow ipv6
mls cef error action freeze
!
crypto keyring key0 
  pre-shared-key address 0.0.0.0 0.0.0.0 key NEEWOMM
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 7200
!
crypto isakmp profile prof1
   vrf coke
   keyring key0
   match identity address 1.1.1.2 255.255.255.255 
crypto isakmp profile prof2
   vrf pepsi
   keyring key0
   match identity address 1.1.1.2 255.255.255.255 
!
crypto ipsec transform-set TR esp-3des esp-md5-hmac 
!
crypto ipsec profile tunpro
 set transform-set TR 
 set isakmp-profile prof1
!
crypto map M10k local-address FastEthernet3/39
crypto map M10k 1 ipsec-isakmp 
 set peer 1.1.1.2
 set transform-set TR 
 set isakmp-profile prof1
 match address 110
!
crypto map M10k2 local-address FastEthernet3/39
crypto map M10k2 1 ipsec-isakmp 
 set peer 1.1.1.2
 set transform-set TR 
 set isakmp-profile prof2
 match address 111
!
crypto engine mode vrf
!
no power enable module 4
!
power redundancy-mode combined
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
diagnostic cns publish cisco.cns.device.diag_results
diagnostic cns subscribe cisco.cns.device.diag_commands
!
redundancy
 mode rpr-plus
 linecard-group 1 feature-card
  class load-sharing
 main-cpu
  auto-sync running-config
  auto-sync standard
!
vlan internal allocation policy ascending
vlan access-log ratelimit 2000
!
interface Tunnel39
 ip address 50.0.0.2 255.0.0.0
 shutdown
 tunnel source FastEthernet3/39
 tunnel destination 192.39.1.1
!
interface FastEthernet3/1
 description connected to pocono-lnx eth3
 no ip address
 switchport
 switchport access vlan 102
 switchport mode access
!
interface FastEthernet3/2
 description connected to pocono-lnx eth2
 no ip address
 shutdown
!
interface FastEthernet3/3
 no ip address
 shutdown
.
.
.
!
interface FastEthernet3/36
 no ip address
 shutdown
!
interface FastEthernet3/37
 no ip address
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,102,202,1002-1005
 switchport mode trunk
!
interface FastEthernet3/38
 no ip address
 shutdown
!
interface FastEthernet3/39
 ip address 1.1.1.12 255.255.255.0
 standby delay minimum 30 reload 90
 standby 1 ip 1.1.1.1
 standby 1 timers 1 4
 standby 1 preempt
 standby 1 name PUBLIC
 standby 1 track Vlan100
 standby 1 track Vlan102
 crypto engine slot 5/0
!
interface FastEthernet3/40
 no ip address
 shutdown
.
.
.
!
interface FastEthernet3/47
 no ip address
 shutdown
!
interface FastEthernet3/48
 ip address 17.16.16.2 255.255.0.0
!
interface GigabitEthernet4/1
 no ip address
 flowcontrol receive on
 flowcontrol send off
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,1002-1005
 switchport mode trunk
 spanning-tree portfast trunk
!
interface GigabitEthernet4/2
 no ip address
 flowcontrol receive on
 flowcontrol send off
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,1002-1005
 switchport mode trunk
 spanning-tree portfast trunk
!
interface GigabitEthernet5/0/1
 no ip address
 flowcontrol receive on
 flowcontrol send off
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,100,200,1002-1005
 switchport mode trunk
 spanning-tree portfast trunk
!
interface GigabitEthernet5/0/2
 no ip address
 flowcontrol receive on
 flowcontrol send off
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,1002-1005
 switchport mode trunk
 spanning-tree portfast trunk
!
interface GigabitEthernet6/1
 no ip address
 shutdown
!
interface GigabitEthernet6/2
 no ip address
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan100
 ip vrf forwarding coke
 ip address 3.3.3.2 255.255.255.0
 crypto map M10k red PUBLIC
 crypto engine slot 5/0
!
interface Vlan102
 ip vrf forwarding coke
 ip address 10.83.3.5 255.255.255.0
 standby delay minimum 30 reload 90
 standby 2 ip 10.83.3.2
 standby 2 preempt
 standby 2 name VPNSM
 standby 2 track Vlan100
 standby 2 track Vlan102
!
interface Vlan200
 ip vrf forwarding pepsi
 ip address 3.3.3.2 255.255.255.0
 crypto map M10k2 red PUBLIC
 crypto engine slot 5/0
!
interface Vlan202
 ip vrf forwarding pepsi
 ip address 10.83.3.5 255.255.255.0
 standby delay minimum 30 reload 90
 standby 3 ip 10.83.3.2
 standby 3 preempt
 standby 3 name VPNSM1
 standby 3 track Vlan200
 standby 3 track Vlan202
!
ip classless
ip route 223.255.254.253 255.255.255.255 17.16.0.1
ip route 223.255.254.254 255.255.255.255 17.16.0.1
ip route vrf coke 4.4.4.0 255.255.255.0 Vlan100
ip route vrf coke 10.10.20.0 255.255.255.0 Vlan100
ip route vrf pepsi 4.4.4.0 255.255.255.0 Vlan200
no ip http server
!
access-list 110 permit ip any host 4.4.4.2
access-list 111 permit ip any host 4.4.4.3
access-list 120 permit ip host 10.83.3.1 host 10.10.20.1
!
dial-peer cor custom
!
alias exec ship show ip int br | incl
alias exec mlslook show mls cef lookup 
alias exec mlsentry show mls adj entry
alias exec reboot reload netboot  tftp://223.255.254.254/pradilla/s72033-pk9sv-mz
!
line con 0
 exec-timeout 0 0
line vty 0 4
 no login
!
scheduler runtime netinput 300
end

IPSec Stateful Failover Using HSRP and SSP Examples

The following two examples show IPSec stateful failover configurations using HSRP and SSP; one shows the configuration of the active chassis, the other the configuration of the standby chassis:

IPSec Stateful Failover Using HSRP and SSP for the Active Chassis Configuration Example

IPSec Stateful Failover Using HSRP and SSP for the Standby Chassis Configuration Example


Note The IPSec Stateful Failover Using HSRP and SSP feature is not supported in Cisco IOS Release 12.2(33)SRA.



Note These configuration examples do not protect the SSP traffic. To protect the SSP traffic, you will need to define a new crypto map and attach it to the SSP interface without the "ssp" tag. The ACL for this crypto map can be derived from the remote IP address and the TCP port that are defined in the SSP group.


IPSec Stateful Failover Using HSRP and SSP for the Active Chassis Configuration Example

The following example shows the configuration for an active chassis that is configured for an IPSec stateful failover using HSRP and SSP:

version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Active
!
redundancy
 main-cpu
  auto-sync standard
ip subnet-zero
!
no ip domain-lookup
!
ssp group 100
 remote 40.0.0.2
 redundancy KNIGHTSOFNI
no mls ip multicast aggregate
no mls ip multicast non-rpf cef
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
crypto isakmp key NEEWOMM address 0.0.0.0 0.0.0.0
crypto isakmp ssp 100
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set TS1 esp-3des esp-sha-hmac
!
crypto map ha ha replay-interval inbound 1000 outbound 1
crypto map ha 10 ipsec-isakmp
 set peer 172.16.31.3
 set transform-set TS1
 match address 101
!
spanning-tree extend system-id
no spanning-tree vlan 4
!
interface GigabitEthernet1/1
 no ip address
 no ip redirects
 crypto connect vlan 4
!
interface GigabitEthernet1/2
 ip address 40.0.0.1 255.255.255.0
 no ip redirects
 standby delay minimum 35 reload 60
 standby ip 40.0.0.100
 standby timers 3 5
 standby preempt
 standby track GigabitEthernet1/1
 standby track vlan 4
!
interface GigabitEthernet5/1/1
 mtu 4500
 no ip address
 snmp trap link-status
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,4,1002-1005
 switchport mode trunk
 flowcontrol receive on
 cdp enable
!
interface GigabitEthernet5/1/2
 mtu 4500
 no ip address
 snmp trap link-status
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,1002-1005
 switchport mode trunk
 flowcontrol receive on
 cdp enable
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan4
 ip address 172.16.31.1 255.255.255.0
 standby delay minimum 35 reload 60
 standby ip 172.16.31.100
 standby timers 3 5
 standby preempt
 standby name KNIGHTSOFNI
 standby track GigabitEthernet1/1
 standby track GigabitEthernet1/2
 crypto map ha ssp 100
 crypto engine subslot 5/1
!
ip classless
ip route 10.11.1.1 255.255.255.255 172.16.31.3
no ip http server
ip pim bidir-enable
!
access-list 101 permit ip host 40.0.0.3 host 10.11.1.1
arp 127.0.0.12 0000.2100.0000 ARPA
!
line con 0
line vty 0 4
 login
 transport input lat pad mop telnet rlogin udptn nasi ssh
!
end

IPSec Stateful Failover Using HSRP and SSP for the Standby Chassis Configuration Example

The following example shows the configuration for a standby chassis that is configured for IPSec stateful failover using HSRP and SSP:

version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname StandBy
!
redundancy
 main-cpu
  auto-sync standard
ip subnet-zero
!
no ip domain-lookup
!
ssp group 100
 remote 40.0.0.1
 redundancy KNIGHTSOFNI
no mls ip multicast aggregate
no mls ip multicast non-rpf cef
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
crypto isakmp key NEEWOMM address 0.0.0.0 0.0.0.0
crypto isakmp ssp 100
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set TS1 esp-3des esp-sha-hmac
!
crypto map ha ha replay-interval inbound 1000 outbound 1
crypto map ha 10 ipsec-isakmp
 set peer 172.16.31.3
 set transform-set TS1
 match address 101
!
spanning-tree extend system-id
no spanning-tree vlan 4
!
interface GigabitEthernet1/1
 no ip address
 no ip redirects
 crypto connect vlan 4
!
interface GigabitEthernet1/2
 ip address 40.0.0.2 255.255.255.0
 no ip redirects
 standby delay minimum 35 reload 60
 standby ip 40.0.0.100
 standby timers 3 5
 standby preempt
 standby track GigabitEthernet1/1
 standby track vlan 4
!
interface GigabitEthernet5/1/1
 mtu 4500
 no ip address
 snmp trap link-status
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,4,1002-1005
 switchport mode trunk
 flowcontrol receive on
 cdp enable
!
interface GigabitEthernet5/1/2
 mtu 4500
 no ip address
 snmp trap link-status
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,1002-1005
 switchport mode trunk
 flowcontrol receive on
 cdp enable
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan4
 ip address 172.16.31.2 255.255.255.0
 standby delay minimum 35 reload 60
 standby ip 172.16.31.100
 standby timers 3 5
 standby preempt
 standby name KNIGHTSOFNI
 standby track GigabitEthernet1/1
 standby track GigabitEthernet1/2
 crypto map ha ssp 100
 crypto engine subslot 5/1
!
ip classless
ip route 10.11.1.1 255.255.255.255 172.16.31.3
no ip http server
ip pim bidir-enable
!
access-list 101 permit ip host 40.0.0.3 host 10.11.1.1
arp 127.0.0.12 0000.2100.0000 ARPA
!
line con 0
line vty 0 4
 login
 transport input lat pad mop telnet rlogin udptn nasi ssh
!
end
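
The active and standby examples above are tied together by one SSP group: its remote address must be an interface address of the other chassis, its redundancy name must match the HSRP standby name on the Vlan4 interface that carries the crypto map, and every "crypto isakmp ssp" and "crypto map ... ssp" reference must name a defined group. The following added example (not from the Cisco guide) is a small Python checker that parses constructed excerpts modelled on those two configurations and verifies that wiring, so a mismatch is caught before the pair is deployed.

```python
# Added example (not from the Cisco guide): cross-check the SSP/HSRP wiring of a pair.
# Constructed excerpts modelled on the active chassis example above.
ACTIVE = """\
hostname Active
ssp group 100
 remote 40.0.0.2
 redundancy KNIGHTSOFNI
crypto isakmp ssp 100
interface GigabitEthernet1/2
 ip address 40.0.0.1 255.255.255.0
interface Vlan4
 ip address 172.16.31.1 255.255.255.0
 standby name KNIGHTSOFNI
 crypto map ha ssp 100
"""
# The standby differs only in hostname, SSP peer address and interface addresses.
STANDBY = (ACTIVE.replace("Active", "StandBy").replace("remote 40.0.0.2", "remote 40.0.0.1")
           .replace("address 40.0.0.1 ", "address 40.0.0.2 ").replace("172.16.31.1", "172.16.31.2"))


def parse(cfg):
    """Split an IOS config into {top-level line: [indented child lines]}."""
    sections, cur = {}, None
    for line in cfg.splitlines():
        if line.startswith(" "):
            sections[cur].append(line.strip())
        else:
            cur = line.strip()
            sections[cur] = []
    return sections


def check_ssp_wiring(local_cfg, peer_cfg):
    """Return a list of problems with local_cfg's SSP group definitions and references."""
    sec, psec = parse(local_cfg), parse(peer_cfg)
    children = [l for body in sec.values() for l in body]
    groups = {h.split()[2]: body for h, body in sec.items() if h.startswith("ssp group ")}
    # every 'crypto isakmp ssp N' and 'crypto map ... ssp N' must name a defined group
    refs = [h.split()[-1] for h in sec if h.startswith("crypto isakmp ssp ")]
    refs += [l.split()[-1] for l in children if l.startswith("crypto map ") and " ssp " in l]
    problems = [f"ssp group {g} is referenced but not defined" for g in refs if g not in groups]
    names = {l.split()[-1] for l in children if l.startswith("standby name ")}
    peer_ips = {l.split()[2] for body in psec.values() for l in body if l.startswith("ip address ")}
    for g, body in groups.items():
        remote = next((l.split()[1] for l in body if l.startswith("remote ")), None)
        name = next((l.split()[1] for l in body if l.startswith("redundancy ")), None)
        if name not in names:  # the HSRP group that SSP follows must exist locally
            problems.append(f"ssp group {g}: redundancy {name} has no matching 'standby name'")
        if remote not in peer_ips:  # the SSP peer must be an address the other chassis owns
            problems.append(f"ssp group {g}: remote {remote} is not configured on the peer")
    return problems
```

Running check_ssp_wiring(ACTIVE, STANDBY) and check_ssp_wiring(STANDBY, ACTIVE) on the matched pair returns no problems; feeding a chassis its own configuration as the peer flags the SSP remote address.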

IPSec Stateful Failover Using a Blade Failure Group Configuration Example

The following example shows how to configure IPSec stateful failover using a Blade Failure Group (BFG):

Router(config)# redundancy 
Router(config-red)# line-card-group 1 feature-card
Router(config-r-lc)# subslot 3/1
Router(config-r-lc)# subslot 5/1