Stateful Failover for IPsec
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Contents
Stateful Failover for IPsecLast Updated: September 5, 2012
Stateful failover for IP Security (IPsec) enables a router to continue processing and forwarding IPsec packets after a planned or unplanned outage occurs. Customers employ a backup (secondary) router that automatically takes over the tasks of the active (primary) router if the active router loses connectivity for any reason. This failover process is transparent to users and does not require adjustment or reconfiguration of any remote peer. Stateful failover for IPsec is designed to work in conjunction with stateful switchover (SSO) and Hot Standby Routing Protocol (HSRP). HSRP provides network redundancy for IP networks, ensuring that user traffic immediately and transparently recovers from failures in network edge devices or access circuits. That is, HSRP monitors both the inside and outside interfaces so that if either interface goes down, the whole router is deemed to be down and the ownership of Internet Key Exchange (IKE) and IPsec security associations (SAs) is passed to the standby router (which transitions to the HSRP active state). SSO allows the active and standby routers to share IKE and IPsec state information so both routers have enough information to become the active router at any time. To configure stateful failover for IPsec, a network administrator must enable HSRP, assign a virtual IP address (VIP), and enable SSO.
Finding Feature InformationYour software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required. Prerequisites for Stateful Failover for IPsecComplete, Duplicate IPsec and IKE Configuration on the Active and Standby DevicesThis document assumes that you have a complete IKE and IPsec configuration. (This document describes only how to add stateful failover to a working IPsec configuration.) The IKE and IPsec configuration that is set up on the active device must be duplicated on the standby device. That is, the crypto configuration must be identical with respect to Internet Security Association and Key Management Protocol (ISAKMP) policy, ISAKMP keys (preshared), IPsec profiles, IPsec transform sets, all crypto map sets that are used for stateful failover, all access control lists (ACLs) that are used in match address statements on the crypto map sets, all AAA configurations used for crypto, client configuration groups, ip local pools used for crypto, and ISAKMP profiles. Device Requirements
Restrictions for Stateful Failover for IPsecWhen configuring redundancy for a virtual private network (VPN), the following restrictions exist:
Information About Stateful Failover for IPsec
Supported Deployment Scenarios Stateful Failover for IPsecIt is recommended that you implement IPsec stateful failover in one of the following recommended deployment scenarios--a single interface scenario or a dual interface scenario. In a single interface scenario, the VPN gateways use one LAN connection for both encrypted traffic arriving from remote peers and decrypted traffic flowing to inside hosts (see the figure below). The single interface design allows customers to save money on router ports and subnets. This design is typically used if all traffic flowing in and out of the organization does not traverse the VPN routers. In a dual interface scenario, a VPN gateway has more than one interface, enabling traffic to flow in and out of the router via separate interfaces (see the figure below ). This scenario is typically used if traffic flowing in and out of a site must traverse the routers, so the VPN routers will provide the default route out of the network. The table below lists the functionality available in both a single interface scenario and a dual interfaces scenario.
IPsec Stateful Failover for Remote Access ConnectionsThe main difference between a remote access and a LAN-to-LAN connection is the use of Xauth and mode-config. IKE Xauth is often used to authenticate the user. IKE mode-config is often used to push security policy from the hub (concentrator) router to the user's IPsec implementation. Mode-config is also typically used to assign an internal company network IP address to a user. In addition to the differences between a remote access configuration and a LAN-to-LAN configuration, you should note the following remote-access-server-specific functions:
To enable accounting on the HA pair, you should issue the following commands on both Active and Standby devices: aaa accounting network radius-accounting start-stop group radius then apply radius-accounting either to the crypto isakmp profile or the crypto map set.
For additional information on how to configure IPsec stateful failover for a remote access connection, see the section " Configuring IPSec Stateful Failover for an Easy VPN Server: Example " in this document. Dead Peer Detection with IPsec High AvailabilityTo configure Dead Peer Detection (DPD) with IPsec High Availability (HA), it is recommended that you use a value other than the default (2 seconds). A keepalive time of 10 seconds with 5 retries seems to work well with HA because of the time it takes for the router to get into active mode. To configure DPD with IPsec HA, use the crypto isakmp keepalive command. How to Use Stateful Failover for IPsecThis section contains the following procedures:
Enabling HSRP IP Redundancy and a Virtual IP AddressHSRP provides two services--IP redundancy and a VIP address. Each HSRP group may provide either or both of these services. IPsec stateful failover uses the IP redundancy services from only one HSRP standby group. It can use the VIP address from one or more HSRP groups. Use the following task to configure HSRP on the outside and inside interfaces of the router.
Before You Begin
SUMMARY STEPS
If a switch connects the active and standby routers, you must perform one of the following steps to ensure that the correct settings are configured on that switch:
For more information on HSRP instability, see the "Avoiding HSRP Instability in a Switching Environment with Various Router Platforms" technical note. DETAILED STEPS Troubleshooting TipsTo help troubleshoot possible HSRP-related configuration problems, issue any of the following HSRP-related debug commands--debug standby errors, debug standby events, and debug standby packets [terse]. Enabling SSOUse this task to enable SSO, which is used to transfer IKE and IPsec state information between two routers. SSO Interacting with IPsec and IKESSO is a method of providing redundancy and synchronization for many Cisco IOS applications and features. SSO is necessary for IPsec and IKE to learn about the redundancy state of the network and to synchronize their internal application state with their redundant peers. Before You Begin
SUMMARY STEPS
DETAILED STEPS
Troubleshooting TipsTo help troubleshoot possible SSO-related configuration problems, issue the debug redundancy command. Configuring Reverse Route Injection on a Crypto MapYou should configure RRI on all existing crypto maps that you want to use with stateful failover. RRI is used with stateful failover so routers on the inside network can learn about the correct path to the current active device. When failover occurs, the new active device injects the RRI routes into its IP routing table and sends out routing updates to its routing peers. Use one of the following tasks to configure RRI on a dynamic or static crypto map.
Configuring RRI on Dynamic Crypto MapDynamic crypto map entries, like regular static crypto map entries, are grouped into sets. A set is a group of dynamic crypto map entries all with the same dynamic map name but each with a different dynamic sequence number. Each member of the set may be configured for RRI. DETAILED STEPS
Configuring RRI on a Static Crypto MapStatic crypto map entries are grouped into sets. A set is a group of static crypto map entries all with the same static map name but each with a different sequence number. Each static crypto map in the map set can be configured for RRI. Use this task to configure RRI on a static crypto map. DETAILED STEPS
ExamplesThe following example shows how to configure RRI on the static crypto map "to-peer-outside": crypto map to-peer-outside redundancy replay-interval inbound 1000 outbound 10000 crypto map to-peer-outside 10 ipsec-isakmp set peer 209.165.200.225 set transform-set trans1 match address peer-outside reverse-route Enabling Stateful Failover for IKE and IPsecUse the following tasks to configure stateful failover for IPsec, IKE, and tunnel protection:
Enabling Stateful Failover for IKEThere is no specific command-line interface (CLI) necessary to enable stateful failover for IKE. It is enabled for a particular VIP address when a stateful failover crypto map is applied to an interface. Enabling Stateful Failover for IPsecUse this task to enable stateful failover for IPsec. All IPsec state information is transferred from the active router to the standby router via the SSO redundancy channel that was specified in the task " Enabling SSO ." DETAILED STEPS
Troubleshooting TipsTo help troubleshoot possible IPsec HA-related problems, issue the debug crypto ipsec ha [detail] [update] command. ExamplesThe following example shows how to configure IPsec stateful failover on the crypto map "to-peer-outside": interface Ethernet0/0 ip address 209.165.201.1 255.255.255.224 standby 1 ip 209.165.201.3 standby 1 preempt standby 1 name HA-out standby 1 track Ethernet1/0 crypto map to-peer-outside redundancy HA-out stateful Enabling Stateful Failover for Tunnel ProtectionUse an existing IPsec profile to configure stateful failover for tunnels using IPsec. (You do not configure the tunnel interface as you would with a crypto map configuration.)
DETAILED STEPS
ExamplesThe following example shows how to configure stateful failover for tunnel protection: crypto ipsec profile peer-profile redundancy HA-out stateful interface Tunnel1 ip unnumbered Loopback0 tunnel source 209.165.201.3 tunnel destination 10.0.0.5 tunnel protection ipsec profile peer-profile ! interface Ethernet0/0 ip address 209.165.201.1 255.255.255.224 standby 1 ip 209.165.201.3 standby 1 name HA-out Protecting SSO TrafficUse this task to secure a redundancy group via an IPsec profile. To configure SSO traffic protection, the active and standby devices must be directly connected to each other via Ethernet networks. The crypto maps that are automatically generated when protecting SSO traffic are applied to each interface, which corresponds to an IP address that was specified via the local-ip command. Traffic destined for an IP address that was specified via the remote-ip command is forced out of the crypto-map-configured interface via an automatically created static host route.
DETAILED STEPS
ExamplesThe following example shows how to configure SSO traffic protection: crypto isakmp key abc123 address 0.0.0.0 0.0.0.0 no-xauth ! crypto ipsec transform-set trans2 ah-sha-hmac esp-aes ! crypto ipsec profile sso-secure set transform-set trans2 ! redundancy inter-device scheme standby HA-out security ipsec sso-secure Managing and Verifying High Availability InformationUse any of the following optional tasks to secure and manage your high availability configurations:
Managing Anti-Replay IntervalsUse this optional task to modify the interval in which an IP redundancy-enabled crypto map forwards anti-replay updates from the active router to the standby router. DETAILED STEPS
ExamplesThe following example shows how to modify replay counter intervals between the active and standby devices on the crypto map "to-peer-outside": crypto map to-peer-outside redundancy replay-interval inbound 1000 outbound 10000 crypto map to-peer-outside 10 ipsec-isakmp set peer 209.165.200.225 set transform-set trans1 match address peer-outside Managing and Verifying HA ConfigurationsUse any of the steps within this optional task to display and verify the high availability configurations. DETAILED STEPS
ExamplesVerifying the Active DeviceRouter# show redundancy states my state = 13 -ACTIVE peer state = 8 -STANDBY HOT Mode = Duplex Unit ID = 0 Split Mode = Disabled Manual Swact = Enabled Communications = Up client count = 7 client_notification_TMR = 30000 milliseconds keep_alive TMR = 4000 milliseconds keep_alive count = 0 keep_alive threshold = 7 RF debug mask = 0x0 Router# show crypto isakmp sa active dst src state conn-id slot status 209.165.201.3 209.165.200.225 QM_IDLE 5 0 ACTIVE Router# show crypto ipsec sa active interface:Ethernet0/0 Crypto map tag:to-peer-outside, local addr 209.165.201.3 protected vrf:(none) local ident (addr/mask/prot/port):(192.168.0.1/255.255.255.255/0/0) remote ident (addr/mask/prot/port):(172.16.0.1/255.255.255.255/0/0) current_peer 209.165.200.225 port 500 PERMIT, flags={origin_is_acl,} #pkts encaps:3, #pkts encrypt:3, #pkts digest:3 #pkts decaps:4, #pkts decrypt:4, #pkts verify:4 #pkts compressed:0, #pkts decompressed:0 #pkts not compressed:0, #pkts compr. failed:0 #pkts not decompressed:0, #pkts decompress failed:0 #send errors 0, #recv errors 0 local crypto endpt.:209.165.201.3, remote crypto endpt.:209.165.200.225 path mtu 1500, media mtu 1500 current outbound spi:0xD42904F0(3559458032) inbound esp sas: spi:0xD3E9ABD0(3555306448) transform:esp-aes , in use settings ={Tunnel, } conn id:2006, flow_id:6, crypto map:to-peer-outside sa timing:remaining key lifetime (k/sec):(4586265/3542) HA last key lifetime sent(k):(4586267) ike_cookies:9263635C CA4B4E99 C14E908E 8EE2D79C IV size:16 bytes replay detection support:Y Status:ACTIVE inbound ah sas: spi: 0xF3EE3620(4092474912) transform: ah-sha-hmac , in use settings ={Tunnel, } conn id: 2006, flow_id: 6, crypto map: to-peer-outside sa timing: remaining key lifetime (k/sec): (4586265/3542) HA last key lifetime sent(k): (4586267) ike_cookies: 9263635C CA4B4E99 C14E908E 8EE2D79C replay detection support: Y Status: ACTIVE inbound pcp sas: outbound esp sas: spi: 0xD42904F0(3559458032) transform: esp-aes , in use settings ={Tunnel, } conn id: 2009, flow_id: 9, crypto map: to-peer-outside sa timing: remaining key lifetime (k/sec): (4586266/3542) HA last key lifetime sent(k): (4586267) ike_cookies: 9263635C CA4B4E99 C14E908E 8EE2D79C IV size: 16 bytes replay detection support: Y Status: ACTIVE outbound ah sas: spi: 0x75251086(1965363334) transform: ah-sha-hmac , in use settings ={Tunnel, } conn id: 2009, flow_id: 9, crypto map: to-peer-outside sa timing: remaining key lifetime (k/sec): (4586266/3542) HA last key lifetime sent(k): (4586267) ike_cookies: 9263635C CA4B4E99 C14E908E 8EE2D79C replay detection support: Y Status: ACTIVE outbound pcp sas:
Router# show crypto session active
Crypto session current status
Interface: Ethernet0/0
Session status: UP-ACTIVE
Peer: 209.165.200.225 port 500
IKE SA: local 209.165.201.3/500 remote 209.165.200.225/500 Active
IKE SA: local 209.165.201.3/500 remote 209.165.200.225/500 Active
IPSEC FLOW: permit ip host 192.168.0.1 host 172.16.0.1
Active SAs: 4, origin: crypto map
Router# show crypto ha
IKE VIP: 209.165.201.3
stamp: 74 BA 70 27 9C 4F 7F 81 3A 70 13 C9 65 22 E7 76
IPSec VIP: 209.165.201.3
IPSec VIP: 255.255.255.253
IPSec VIP: 255.255.255.254
Verifying the Standby DeviceRouter# show redundancy states my state = 8 -STANDBY HOT peer state = 13 -ACTIVE Mode = Duplex Unit ID = 0 Split Mode = Disabled Manual Swact = Enabled Communications = Up client count = 7 client_notification_TMR = 30000 milliseconds keep_alive TMR = 4000 milliseconds keep_alive count = 1 keep_alive threshold = 7 RF debug mask = 0x0 Router# show crypto isakmp sa standby dst src state conn-id slot status 209.165.201.3 209.165.200.225 QM_IDLE 5 0 STDBY Router# show crypto ipsec sa standby interface:Ethernet0/0 Crypto map tag:to-peer-outside, local addr 209.165.201.3 protected vrf:(none) local ident (addr/mask/prot/port):(192.168.0.1/255.255.255.255/0/0) remote ident (addr/mask/prot/port):(172.16.0.1/255.255.255.255/0/0) current_peer 209.165.200.225 port 500 PERMIT, flags={origin_is_acl,} #pkts encaps:0, #pkts encrypt:0, #pkts digest:0 #pkts decaps:0, #pkts decrypt:0, #pkts verify:0 #pkts compressed:0, #pkts decompressed:0 #pkts not compressed:0, #pkts compr. failed:0 #pkts not decompressed:0, #pkts decompress failed:0 #send errors 0, #recv errors 0 local crypto endpt.:209.165.201.3, remote crypto endpt.:209.165.200.225 path mtu 1500, media mtu 1500 current outbound spi:0xD42904F0(3559458032) inbound esp sas: spi:0xD3E9ABD0(3555306448) transform:esp-aes , in use settings ={Tunnel, } conn id:2012, flow_id:12, crypto map:to-peer-outside sa timing:remaining key lifetime (k/sec):(4441561/3486) HA last key lifetime sent(k):(4441561) ike_cookies:00000000 00000000 00000000 00000000 IV size:16 bytes replay detection support:Y Status:STANDBY inbound ah sas: spi:0xF3EE3620(4092474912) transform:ah-sha-hmac , in use settings ={Tunnel, } conn id:2012, flow_id:12, crypto map:to-peer-outside sa timing:remaining key lifetime (k/sec):(4441561/3486) HA last key lifetime sent(k):(4441561) ike_cookies:00000000 00000000 00000000 00000000 replay detection support:Y Status:STANDBY inbound pcp sas: outbound esp sas: spi:0xD42904F0(3559458032) transform:esp-aes , in use settings ={Tunnel, } conn id:2011, flow_id:11, crypto map:to-peer-outside sa timing:remaining key lifetime (k/sec):(4441561/3485) HA last key lifetime sent(k):(4441561) ike_cookies:00000000 00000000 00000000 00000000 IV size:16 bytes replay detection support:Y Status:STANDBY outbound ah sas: spi:0x75251086(1965363334) transform:ah-sha-hmac , in use settings ={Tunnel, } conn id:2011, flow_id:11, crypto map:to-peer-outside sa timing:remaining key lifetime (k/sec):(4441561/3485) HA last key lifetime sent(k):(4441561) ike_cookies:00000000 00000000 00000000 00000000 replay detection support:Y Status:STANDBY outbound pcp sas: Router# show crypto session standby Crypto session current status Interface:Ethernet0/0 Session status:UP-STANDBY Peer:209.165.200.225 port 500 IKE SA:local 209.165.201.3/500 remote 209.165.200.225/500 Active IPSEC FLOW:permit ip host 192.168.0.1 host 172.16.0.1 Active SAs:4, origin:crypto map Router# show crypto ha IKE VIP:209.165.201.3 stamp:74 BA 70 27 9C 4F 7F 81 3A 70 13 C9 65 22 E7 76 IPSec VIP:209.165.201.3 IPSec VIP:255.255.255.253 IPSec VIP:255.255.255.254 ha-R2# Configuration Examples for Stateful Failover
Example: Configuring Stateful Failover for IPsecThe figure below and the following sample outputs from the show running-config command illustrate how to configure stateful failover on two devices--Ha-R1 and Ha-R2. Stateful Failover Configuration on Ha-R1
Ha-R1# show running-config
Building configuration...
Current configuration :2086 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Ha-R1
!
boot-start-marker
boot-end-marker
!
!
redundancy inter-device
scheme standby HA-out
security ipsec sso-secure
!
logging buffered 10000000 debugging
logging rate-limit console 10000
!
!
ipc zone default
association 1
no shutdown
protocol sctp
local-port 5000
local-ip 10.0.0.1
remote-port 5000
remote-ip 10.0.0.2
!
clock timezone PST 0
no aaa new-model
ip subnet-zero
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 14
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0 no-xauth
!
!
crypto ipsec transform-set trans1 ah-sha-hmac esp-aes
crypto ipsec transform-set trans2 ah-sha-hmac esp-aes 256
!
crypto ipsec profile sso-secure
set transform-set trans2
!
!
crypto map to-peer-outside redundancy replay-interval inbound 1000 outbound 10000
crypto map to-peer-outside 10 ipsec-isakmp
set peer 209.165.200.225
set transform-set trans1
match address peer-outside
!
!
!
interface Ethernet0/0
ip address 209.165.201.1 255.255.255.224
standby 1 ip 209.165.201.3
standby 1 preempt
standby 1 name HA-out
standby 1 track Ethernet1/0
standby delay reload 120
crypto map to-peer-outside redundancy HA-out stateful
!
interface Ethernet1/0
ip address 10.0.0.1 255.255.255.0
standby 2 ip 10.0.0.3
standby 2 preempt
standby 2 name HA-in
standby delay reload 120
standby 2 track Ethernet0/0
!
interface Serial2/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial3/0
no ip address
shutdown
serial restart-delay 0
!
ip classless
ip route 0.0.0.0 0.0.0.0 209.165.201.5
ip route 192.168.0.0 255.255.0.0
no ip http server
no ip http secure-server
!
!
!
ip access-list extended peer-outside
permit ip host 192.168.0.1 host 172.16.0.1
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
transport preferred all
transport output all
line aux 0
transport preferred all
transport output all
line vty 0 4
login
transport preferred all
transport input all
transport output all
!
end
Stateful Failover Configuration on Ha-R2
Ha-R2# show running-config
Building configuration...
Current configuration :2100 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Ha-R2
!
boot-start-marker
boot-end-marker
!
!
redundancy inter-device
scheme standby HA-out
security ipsec sso-secure
!
logging buffered 10000000 debugging
logging rate-limit console 10000
!
!
ipc zone default
association 1
no shutdown
protocol sctp
local-port 5000
local-ip 10.0.0.2
remote-port 5000
remote-ip 10.0.0.1
!
clock timezone PST 0
no aaa new-model
ip subnet-zero
!
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 14
lifetime 120
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0 no-xauth
!
!
crypto ipsec transform-set trans1 ah-sha-hmac esp-aes
crypto ipsec transform-set trans2 ah-sha-hmac esp-aes 256
!
crypto ipsec profile sso-secure
set transform-set trans2
!
!
crypto map to-peer-outside redundancy replay-interval inbound 1000 outbound 10000
crypto map to-peer-outside 10 ipsec-isakmp
set peer 209.165.200.225
set transform-set trans1
match address peer-outside
!
!
!
interface Ethernet0/0
ip address 209.165.201.2 255.255.255.224
standby 1 ip 209.165.201.3
standby 1 preempt
standby 1 name HA-out
standby 1 track Ethernet1/0
standby delay reload 120
crypto map to-peer-outside redundancy HA-out stateful
!
interface Ethernet1/0
ip address 10.0.0.2 255.255.255.0
standby 2 ip 10.0.0.3
standby 2 preempt
standby 2 name HA-in
standby delay reload 120
standby 2 track Ethernet0/0
!
interface Serial2/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial3/0
no ip address
shutdown
serial restart-delay 0
!
ip classless
ip route 0.0.0.0 0.0.0.0 209.165.201.5
ip route 192.168.0.0 255.255.0.0
no ip http server
no ip http secure-server
!
!
!
ip access-list extended peer-outside
permit ip host 192.168.0.1 host 172.16.0.1
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
transport preferred all
transport output all
line aux 0
transport preferred all
transport output all
line vty 0 4
login
transport preferred all
transport input all
transport output all
!
end
Example: Configuring Stateful Failover for IPsec for an Easy VPN ServerThe following sample outputs from the show running-config command show how to configure stateful failover for a remote access connection via an Easy VPN server: Stateful Failover for an Easy VPN Server Configuration on RAHA-R1
RAHA-R1# show running-config
Building configuration...
Current configuration :3829 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RAHA-R1
!
boot-start-marker
boot-end-marker
!
redundancy inter-device
scheme standby HA-out
!
username remote_user password 0 letmein
!
ipc zone default
association 1
no shutdown
protocol sctp
local-port 5000
local-ip 10.0.0.1
remote-port 5000
remote-ip 10.0.0.2
!
aaa new-model
!
!
! Enter the following command if you are doing Xauth locally.
aaa authentication login local_xauth local
!
! Enter the following command if you are doing Xauth remotely via RADIUS.
!aaa authentication login radius_xauth group radius
!
! Enter the following command if you are not doing Xauth
!aaa authentication login no_xauth none
!
! Enter the following command if you are doing local group authentication.
aaa authorization network local_auth local
!
! Enter the following command if you are doing group authentication remotely via RADIUS.
!aaa authorization network radius_auth group radius
!
!
! Enter the following command if you are doing Xauth remotely via RADIUS.
!
aaa accounting network radius_accounting start-stop group radius
aaa session-id common
ip subnet-zero
!
crypto isakmp policy 1
encr aes
hash sha
authentication pre-share
group 14
!
!
! Enter the following command if you are doing group authentication locally.
crypto isakmp client configuration group unity
key abc123
domain abc.com
pool client-address-pool
!
!
crypto ipsec transform-set trans1 esp-aes esp-sha-hmac
!
crypto dynamic-map to-remote-client 10
set transform-set trans1
reverse-route remote-peer
!
! Use this map if you want to do local group authentication and Xauth.
crypto map to_peer_outside_local_xauth client authentication list local_xauth
crypto map to_peer_outside_local_xauth isakmp authorization list local_auth
crypto map to_peer_outside_local_xauth client configuration address respond
crypto map to_peer_outside_local_xauth 10 ipsec-isakmp dynamic to-remote-client
!
! Use this map if you want to use Radius for group authentication and Xauth.
!crypto map to_peer_outside_radius_xauth isakmp client authentication list radius_xauth
!crypto map to_peer_outside_radius_xauth client accounting list radius_accounting
!crypto map to_peer_outside_radius_xauth isakmp authorization list radius_auth
!crypto map to_peer_outside_radius_xauth isakmp client configuration address respond
!crypto map to_peer_outside_radius_xauth isakmp 10 ipsec-isakmp dynamic to-remote-client
!
! Use this map if you want to do local group authentication and no Xauth
!crypto map to_peer_outside_no_xauth isakmp authorization list local_auth
!crypto map to_peer_outside_no_xauth configuration address respond
!crypto map to_peer_outside_no_xauth 10 ipsec-isakmp dynamic to-remote-client
!
interface Ethernet0/0
ip address 209.165.201.1 255.255.255.224
standby 1 ip 209.165.201.3
standby 1 preempt
standby 1 name HA-out
standby 1 track Ethernet1/0
standby delay reload 120
crypto map to_peer_outside_local_xauth redundancy HA-out stateful
!
interface Ethernet1/0
ip address 10.0.0.1 255.255.255.0
standby 2 ip 10.0.0.3
standby 2 preempt
standby 2 name HA-in
standby 2 track Ethernet0/0
standby delay reload 120
!
! Enable loopback0 if you are using radius for Xauth, group auth, or accounting with ! crypto HA
!interface loopback0
! ip address 192.168.100.1 255.255.255.255
!
! Enable this command if you are using radius for Xauth, group auth, or accounting with ! crypto HA
!ip radius source-interface loopback0
!
ip local pool client-address-pool 50.0.0.1 50.0.0.254
ip classless
ip route 0.0.0.0 0.0.0.0 209.165.201.5
ip route 192.168.0.0 255.255.255.0 10.0.0.5
!
radius-server host 192.168.0.0 255.255.0.0 auth-port 1845 acct-port 1846
radius-server key radius123
!
control-plane
!
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
!
end
Stateful Failover for an Easy VPN Server Configuration on RAHA-R2
RAHA-R2# show running-config
Building configuration...
Current configuration :3829 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RAHA-R2
!
boot-start-marker
boot-end-marker
!
redundancy inter-device
scheme standby HA-out
!
username remote_user password 0 letmein
!
ipc zone default
association 1
no shutdown
protocol sctp
local-port 5000
local-ip 10.0.0.2
remote-port 5000
remote-ip 10.0.0.1
!
aaa new-model
!
!
! Enter the following command if you are doing Xauth locally.
aaa authentication login local_xauth local
!
! Enter the following command if you are doing Xauth remotely via RADIUS.
!aaa authentication login radius_xauth group radius
!
! Enter the following command if you are not doing Xauth.
!aaa authentication login no_xauth none
!
! Enter the following command if you are doing local group authentication.
aaa authorization network local_auth local
!
! Enter the following command if you are doing group authentication remotely via RADIUS.
!aaa authorization network radius_auth group radius
!
!
! Enter the following command if you are doing Xauth remotely via RADIUS.
!aaa accounting network radius_accounting start-stop group radius
aaa session-id common
ip subnet-zero
!
crypto isakmp policy 1
encr aes
hash sha
authentication pre-share
group 14
!
!
! Enter the following commands if you are doing group authentication locally.
crypto isakmp client configuration group unity
key abc123
domain abc.com
pool client-address-pool
!
!
crypto ipsec transform-set trans1 esp-aes esp-sha-hmac
!
crypto dynamic-map to-remote-client 10
set transform-set trans1
reverse-route remote-peer
!
!
! Use this map if you want to dolocal group authentication and Xauth.
crypto map to_peer_outside_local_xauth client authentication list local_xauth
crypto map to_peer_outside_local_xauth isakmp authorization list local_auth
crypto map to_peer_outside_local_xauth client configuration address respond
crypto map to_peer_outside_local_xauth 10 ipsec-isakmp dynamic to-remote-client
!
! Use this map if you want to use Radius for group authentication and Xauth.
!crypto map to_peer_outside_radius_xauth isakmp client authentication list radius_xauth
!crypto map to_peer_outside_radius_xauth client accounting list radius_accounting
!crypto map to_peer_outside_radius_xauth isakmp authorization list radius_auth
!crypto map to_peer_outside_radius_xauth isakmp client configuration address respond
!crypto map to_peer_outside_radius_xauth isakmp 10 ipsec-isakmp dynamic to-remote-client
!
!
! Use this map if you want to do local authentication and no Xauth.
!crypto map to_peer_outside_no_xauth isakmp authorization list local_auth
!crypto map to_peer_outside_no_xauth configuration address respond
!crypto map to_peer_outside_no_xauth 10 ipsec-isakmp dynamic to-remote-client
!
interface Ethernet0/0
ip address 209.165.201.2 255.255.255.224
standby 1 ip 209.165.201.3
standby 1 preempt
standby 1 name HA-out
standby 1 track Ethernet1/0
standby delay reload
crypto map to_peer_outside_local_xauth redundancy HA-out stateful
!
interface Ethernet1/0
ip address 10.0.0.2 255.255.255.0
standby 2 ip 10.0.0.3
standby 2 preempt
standby 2 name HA-in
standby 2 track Ethernet0/0
standby delay reload
!
! Enable loopback0 if you are using radius for Xauth, group auth, or accounting with ! crypto HA
!interface loopback0
! ip address 192.168.100.1 255.255.255.255
!
! Enable this command if you are using radius for Xauth, group auth, or accounting with ! crypto HA
!ip radius source-interface loopback0
!
ip local pool client-address-pool 50.0.0.1 50.0.0.254
ip classless
ip route 0.0.0.0 0.0.0.0 209.165.201.5
ip route 192.168.0.0 255.255.0.0
!
radius-server host 192.168.0.200 auth-port 1845 acct-port 1846
radius-server key radius123
!
control-plane
!
!
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
!
end
Additional ReferencesRelated Documents
Technical Assistance
Feature Information for Stateful Failover for IPsecThe following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R) Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental. © 2012 Cisco Systems, Inc. All rights reserved.
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||