Table Of Contents
Stateful Failover for IPSec
Contents
Prerequisites for Stateful Failover for IPSec
Restrictions for Stateful Failover for IPSec
Information About Stateful Failover for IPSec
Supported Deployment Scenarios: Stateful Failover for IPSec
IPSec Stateful Failover for Remote Access Connections
How to Use Stateful Failover for IPSec
Enabling HSRP: IP Redundancy and a Virtual IP Address
Prerequisites for Spanning Tree Protocol and HSRP Stability
Restrictions
Troubleshooting Tips
Examples
What to Do Next
Enabling SSO
SSO: Interacting with IPSec and IKE
Prerequisites
Troubleshooting Tips
Examples
What to Do Next
Configuring Reverse Route Injection on a Crypto Map
Configuring RRI on Dynamic Crypto Map
Configuring RRI on a Static Crypto Map
Examples
What to Do Next
Enabling Stateful Failover for IKE and IPSec
Enabling Stateful Failover for IKE
Enabling Stateful Failover for IPSec
Enabling Stateful Failover for Tunnel Protection
What to Do Next
Protecting SSO Traffic
Examples
Managing and Verifying High Availability Information
Managing Anti-Replay Intervals
Examples
Managing and Verifying HA Configurations
Examples
Configuration Examples for Stateful Failover
Configuring IPSec Stateful Failover: Example
Configuring IPSec Stateful Failover for an Easy VPN Server: Example
Additional References
Related Documents
Standards
MIBs
RFCs
Technical Assistance
Command Reference
clear crypto isakmp
clear crypto sa
clear crypto session
crypto map (interface IPSec)
crypto map redundancy replay-interval
debug crypto ha
debug crypto ipsec ha
debug crypto isakmp ha
local-ip (IPC transport-SCTP local)
local-port
redundancy inter-device
redundancy stateful
remote-ip (IPC transport-SCTP remote)
remote-port
scheme
security ipsec
show crypto ha
show crypto ipsec sa
show crypto isakmp sa
show crypto session
show redundancy
Stateful Failover for IPSec
Stateful failover for IP Security (IPSec) enables a router to continue processing and forwarding IPSec packets after a planned or unplanned outage occurs. Customers employ a backup (secondary) router that automatically takes over the tasks of the active (primary) router if the active router loses connectivity for any reason. This process is transparent to the user and does not require adjustment or reconfiguration of any remote peer.
Stateful failover for IPSec is designed to work in conjunction with stateful switchover (SSO) and Hot Standby Routing Protocol (HSRP). HSRP provides network redundancy for IP networks, ensuring that user traffic immediately and transparently recovers from failures in network edge devices or access circuits. That is, HSRP monitors both the inside and outside interfaces so that if either interface goes down, the whole router is deemed to be down and ownership of Internet Key Exchange (IKE) and IPSec security associations (SAs) is passed to the standby router (which transitions to the HSRP active state). SSO allows the active and standby routers to share IKE and IPSec state information so that each router has enough information to become the active router at any time. To configure stateful failover for IPSec, a network administrator should enable HSRP, assign a virtual IP address, and enable the SSO protocol.
Feature History for Stateful Failover for IPSec
Release
|
Modification
|
12.3(11)T
|
This feature was introduced.
|
12.3(14)T
|
The following enhancements were added for use with stateful failover:
• Improved scalability on the Cisco 7200 platforms, which can now support up to 2000 tunnels
•Support for public key infrastructure (PKI) and Easy VPN (EzVPN)
|
Finding Support Information for Platforms and Cisco IOS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.
Contents
•Prerequisites for Stateful Failover for IPSec
•Restrictions for Stateful Failover for IPSec
•Information About Stateful Failover for IPSec
•How to Use Stateful Failover for IPSec
•Configuration Examples for Stateful Failover
•Additional References
•Command Reference
Prerequisites for Stateful Failover for IPSec
Complete, Duplicate IPSec and IKE Configuration on the Active and Standby Devices
This document assumes that you have a complete IKE and IPSec configuration. (This document describes only how to add stateful failover to a working IPSec configuration.)
The IKE and IPSec configuration that is set up on the active device must be duplicated on the standby device. That is, the crypto configuration must be identical with respect to Internet Security Association and Key Management Protocol (ISAKMP) policy, ISAKMP keys (preshared), IPSec profiles, IPSec transform sets, all crypto map sets that are used for stateful failover, all access control lists (ACLs) that are used in match address statements on the crypto map sets, all AAA configurations used for crypto, client configuration groups, ip local pools used for crypto, and ISAKMP profiles.
Note None of the configuration information between the active and standby device is automatically transferred; the user is responsible for ensuring that the crypto configurations match on both devices. If the crypto configurations on both devices do not match, failover from the active device to the standby device will not be successful.
Device Requirements
•Stateful failover for IPSec requires that your network contains two identical routers that are available to be either the primary or secondary device. Both routers should be the same type of device, have the same CPU and memory, and have either no encryption accelerator or identical encryption accelerators.
•This feature is currently supported only on a limited number of platforms. To check the latest platform support, go to Cisco Feature Navigator at http://www.cisco.com/go/fn.
Restrictions for Stateful Failover for IPSec
When configuring redundancy for a virtual private network (VPN), the following restrictions exist:
•Both the active and standby devices must run the identical version of the Cisco IOS software, and both the active and standby devices must be connected via hub or switch.
•Only the VPN Acceleration Module (VAM), VAM2, and AIM-VPN/HPII+ hardware encryption accelerators are supported in a Cisco 3845 router, and the AIM-VPN/EPII+ hardware encryption accelerators are supported in a Cisco 3825 router.
•Only "box-to-box" failover is supported; that is, intrachassis failover is currently not supported.
•WAN interfaces between the active (primary) router and the standby (secondary) router are not supported. (HSRP requires inside interfaces and outside interfaces to be connected via LANs.)
•Load balancing is not supported; that is, no more than one device in a redundancy group can be active at any given time.
•Stateful failover of IPSec with Layer 2 Tunneling Protocol (L2TP) is not supported.
•IKE keepalives are not supported. (Enabling this functionality will cause the connection to be torn down after the standby router assumes ownership control.) However, dead peer detection (DPD) and periodic DPD are supported.
•IPSec idle timers are not supported when used with stateful failover.
•A stateful failover crypto map applied to an interface in a virtual route forwarding (VRF) instance is not supported. However, VRF-aware IPSec features are supported when a stateful failover crypto map is applied to an interface in the global VRF.
•Stateful failover is not compatible or interoperable with the State Synchronization Protocol (SSP) version of stateful failover (which is available in Cisco IOS Release 12.2YX1 and Cisco IOS Release 12.2SU).
Information About Stateful Failover for IPSec
To configure stateful failover for VPNs, you should understand the following concepts:
•Supported Deployment Scenarios: Stateful Failover for IPSec
•IPSec Stateful Failover for Remote Access Connections
Supported Deployment Scenarios: Stateful Failover for IPSec
It is recommended that you implement IPSec stateful failover in one of the following recommended deployment scenarios—a single interface scenario or a dual interface scenario.
In a single interface scenario, the VPN gateways use one LAN connection for both encrypted traffic arriving from remote peers and decrypted traffic flowing to inside hosts (see Figure 1). The single interface design allows customers to save money on router ports and subnets. This design is typically used if all traffic flowing in and out of the organization does not traverse the VPN routers.
Figure 1 Single Interface Network Topology
In a dual interface scenario, a VPN gateway has more than one interface, enabling traffic to flow in and out of the router via separate interfaces (see Figure 2). This scenario is typically used if traffic flowing in and out of a site must traverse the routers, so the VPN routers will provide the default route out of the network.
Figure 2 Dual Interface Network Topology
Table 1 lists the functionality available in both a single interface scenario and a dual interfaces scenario.
Table 1 IPSec StateFul Failover: Single and Dual Interface Functionality Overview
Single Interface
|
Dual Interface
|
Route Injection
|
Routes must be injected to provide the devices that are behind the VPN gateways with a next hop for traffic that requires encryption. Stateful failover for IPSec typically requires routes to be injected for this network topology.
|
If the VPN gateways are not the logical next hop for devices inside the network, the routes must be created and injected into the routing process. Thus, traffic that is returning from inside the network can be sent back to the VPN routers for IPSec services before it is sent out. A virtual IP (VIP) address cannot be used as the advertiser of routing updates, so flows must be synchronized via the injected routes.
If the VPN gateways are the next hop (default route) for all devices inside the network, the VIP address that is used on the inside interfaces can be used as the next hop. Thus, injection of the VPN routes is not required. However, static routes on inside hosts must be used to direct the routes to the next hop VIP address.
|
HSRP Configuration
|
The role of HSRP is simplified in a single interface design because if the only interface is disabled, the entire device is deemed unavailable. This functionality helps to avoid some of the routing considerations to be discussed in the next scenario.
|
Because each interface pair functions independently, you should configure HSRP so that multiple pairs of interfaces can be tracked. (That is, HSRP should not be configured on only one pair of interfaces or on both pairs of interfaces without each pair mutually tracking each other.) Mutual tracking means that if the outside interface does fail, the inside interface on the same router will also be deemed down, allowing for complete router failover to the secondary router.
|
Secure State Information
|
If secured-state information is passed between routers, the information is passed over the same interface as all other traffic.
|
The router has a separate inside and outside interface; thus, the inside interface can be used as a more secure channel for the exchange of state information.
|
Firewall Configuration
|
The VPN gateways can sit in front of the firewall or behind the firewall.
|
VPN gateways may sit behind or in front of a firewall, a firewall can be installed in parallel to the VPN gateways.
|
IPSec Stateful Failover for Remote Access Connections
The main difference between a remote access and a LAN-to-LAN connection is the use of Xauth and mode-config. IKE Xauth is often used to authenticate the user. IKE mode-config is often used to push security policy from the hub (concentrator) router to the user's IPSec implementation. Mode-config is also typically used to assign an internal company network IP address to a user.
In addition to the differences between a remote access configuration and a LAN-to-LAN configuration, you should note the following remote-access-server-specific functions:
•Assigned IP address—The IP address can be assigned to the client via one of the following options:
–Local IP pools. For local IP pools, the administrator must first configure identical local IP address pools on each router in the high availability (HA) pair (via the ip local pool client-address-pool command). This pool name can be applied in one of two places—in a group policy via the crypto isakmp client configuration group group-name (and the submode command pool pool-name) or in a client configuration via the crypto isakmp client configuration address-pool local local-pool command.
–RADIUS-assigned address. If you are using RADIUS authentication and the RADIUS server returns the Framed-IP-Address attribute, the concentrator will always assign that address to the client. It is recommended that you refer to your RADIUS server vendor's documentation, especially for vendors that allow you to configure address pools on the RADIUS server. Typically those servers require crypto accounting to work properly.
To enable accounting on the HA pair, you should issue the following commands on both Active and Standby devices: aaa accounting network radius-accounting start-stop group radius then apply radius-accounting either to the crypto isakmp profile or the crypto map set.
•RADIUS NAS-IP address—The HA pair should appear as a single device to the RADIUS server. Thus, both HA routers must communicate with the RADIUS server using the same IP address. However, when communicating with the RADIUS server, the router must use a physical IP address, not a virtual IP (VIP) address as the NAS-IP address of the router. To configure the RADIUS NAS-IP address for the HA pair, you must configure the same loopback address in the HA pair via interface loopback ip address command; thereafter, you must issue the ip radius source-interface loopback command in the HA pair. Finally, add the new loopback IP address to the RADIUS servers configuration so the RADIUS server can process requests from the HA pair.
For additional information on how to configure IPSec stateful failover for a remote access connection, see the section "Configuring IPSec Stateful Failover for an Easy VPN Server: Example" in this document.
How to Use Stateful Failover for IPSec
This section contains the following the procedures:
•Enabling HSRP: IP Redundancy and a Virtual IP Address (required)
•Enabling SSO (required)
•Configuring Reverse Route Injection on a Crypto Map (required)
•Enabling Stateful Failover for IKE and IPSec (required)
•Protecting SSO Traffic (optional)
•Managing and Verifying High Availability Information (optional)
Enabling HSRP: IP Redundancy and a Virtual IP Address
HSRP provides two services—IP redundancy and a VIP address. Each HSRP group may provide either or both of these services. IPSec stateful failover uses the IP redundancy services from only one HSRP standby group. It can use the VIP address from one or more HSRP groups. Use the following task to configure HSRP on the outside and inside interfaces of the router.
Note Perform this task on both routers (active and standby) and of both interfaces on each router.
Prerequisites for Spanning Tree Protocol and HSRP Stability
If a switch connects the active and standby routers, you must perform one of the following steps to ensure that the correct settings are configured on that switch:
•Enable the spanning-tree portfast command on every switch port that connects to a HSRP-enabled router interface.
•Disable the Spanning Tree Protocol (STP) on the switch only if your switch does not connect to other switches. Disabling spanning tree in a multi-switch environment may cause network instability.
•Enable the standby delay minimum [min-delay] reload [reload-delay] command if you do not have access to the switch. The reload-delay argument should be set to a value of at least 120 seconds. This command must be applied to all HSRP interfaces on both routers.
For more information on HSRP instability, see the document Avoiding HSRP Instability in a Switching Environment with Various Router Platforms.
Note You must perform at least one of these steps for correct HSRP operation.
Restrictions
•Both the inside (private) interface and the outside (public) interface must belong to separate HSRP groups, but the HSRP group number can be the same.
•The state of the inside interface and the outside interface must be the same—both interfaces must be in the active state or standby state; otherwise, the packets will not have a route out of the private network.
•Standby priorities should be equal on both active and standby routers. If the priorities are not equal, the higher priority router will unnecessarily take over as the active router, negatively affecting uptime.
•The IP addresses on the HSRP-tracked interfaces of the standby and active routers should both be either lower or higher on one router than the other. In the case of equal priorities (an HA requirement), HSRP will assign the active state on the basis of the IP address. If an addressing scheme exists so that the public IP address of Router A is lower than the public IP address of Router B, but the opposite is true for their private interfaces, an active/standby-standby/active split condition could exist which will break connectivity.
Note Each time an active device relinquishes control to become the standby device, the active device will reload. This functionality ensures that the state of the new standby device synchronizes correctly with the new active device.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface type number
4. standby standby-group-number name standby-group-name
5. standby standby-group-number ip ip-address
6. standby standby-group-number track interface-name
7. standby [group-number] preempt
8. standby [group-number] timers [msec] hellotime [msec] holdtime
9. standby delay minimum [min-delay] reload [reload-delay]
10. Repeat.
DETAILED STEPS
| |
Command or Action
|
Purpose
|
Step 1
|
enable
Example:
Router> enable
|
Enables privileged EXEC mode.
•Enter your password if prompted.
|
Step 2
|
configure terminal
Example:
Router# configure terminal
|
Enters global configuration mode.
|
Step 3
|
interface type number
Example:
Router(config)# interface Ethernet 0/0
|
Configures an interface type for the router and enters interface configuration mode.
|
Step 4
|
standby standby-group-number name
standby-group-name
Example:
Router(config-if)# standby 1 name HA-out
|
Assigns a user-defined group name to the HSRP redundancy group.
Note The standby-group-number argument should be the same for both routers that are on directly connected interfaces. However, the standby-group-name argument should be different between two (or more) groups on the same router.
The standby-group-number argument can be the same on the other pair of interfaces as well.
|
Step 5
|
standby standby-group-number ip ip-address
Example:
Router(config-if)# standby 1 ip 209.165.201.1
|
Assigns an IP address that is to be "shared" among the members of the HSRP group and owned by the primary IP address.
Note The virtual IP address must be configured identically on both routers (active and standby) that are on directly connected interfaces.
|
Step 6
|
standby standby-group-number track
interface-name
Example:
Router(config-if)# standby 1 track
Ethernet1/0
|
Configures HSRP to monitor the second interface so that if either of the two interfaces goes down, HSRP causes failover to the standby device.
Note Although this command is not required, it is recommended for dual interface configurations.
|
Step 7
|
standby [group-number] preempt
Example:
Router(config-if)# standby 1 preempt
|
Enables the active device to relinquish control because of an interface tracking event.
|
Step 8
|
standby [group-number] timers [msec]
hellotime [msec] holdtime
Example:
Router(config-if)# standby 1 timers 1 5
|
(Optional) Configures the time between hello packets and the time before other routers declare the active Hot Standby or standby router to be down.
•holdtime—Amount of time the routers take to detect types of failure. A larger hold time means that failure detection will take longer.
For the best stability, it is recommended that you set the hold time between 5 and 10 times the hello interval time; otherwise, a failover could falsely occur when no actual failure has happened.
|
Step 9
|
standby delay minimum [min-delay] reload
[reload-delay]
Example:
Router(config-if)# standby delay minimum reload
120
|
Configures the delay period before the initialization of HSRP groups.
Note It is suggested that you enter 120 as the value for the reload-delay argument and leave the min-delay argument at the preconfigured default value.
|
Step 10
|
Repeat.
|
Repeat this task on both routers (active and standby) and on both interfaces of each router.
|
Troubleshooting Tips
To help troubleshoot possible HSRP-related configuration problems, issue any of the following HSRP-related debug commands—debug standby errors, debug standby events, and debug standby packets [terse].
Examples
The following example shows how to configure HSRP on a router:
ip address 209.165.201.1 255.255.255.224
standby 1 ip 209.165.201.3
standby 1 track Ethernet1/0
What to Do Next
After you have successfully configured HSRP on both the inside and outside interfaces, you should enable SSO as described the in the section "Enabling SSO."
Enabling SSO
Use this task to enable SSO, which is used to transfer IKE and IPSec state information between two routers.
SSO: Interacting with IPSec and IKE
SSO is a method of providing redundancy and synchronization for many Cisco IOS applications and features. SSO is necessary for IPSec and IKE to learn about the redundancy state of the network and to synchronize their internal application state with their redundant peers.
Prerequisites
•You should configure HSRP before enabling SSO.
•To avoid losing SCTP communication between peers, be sure to include the following commands to the local address section of the SCTP section of the IPC configuration:
–retransmit-timeout retran-min [msec] retra-max [msec]
–path-retransmit max-path-retries
–assoc-retransmit retries
SUMMARY STEPS
1. enable
2. configure terminal
3. redundancy inter-device
4. scheme standby standby-group-name
5. exit
6. ipc zone default
7. association 1
8. protocol sctp
9. local-port local-port-number
10. local-ip device-real-ip-address [device-real-ip-address2]
11. retransmit-timeout retran-min [msec] retra-max [msec]
12. path-retransmit max-path-retries
13. assoc-retransmit retries
14. exit
15. remote-port remote-port-number
16. remote-ip peer-real-ip-address [peer-real-ip-address2]
DETAILED STEPS
| |
Command or Action
|
Purpose
|
Step 1
|
enable
Example:
Router> enable
|
Enables privileged EXEC mode.
•Enter your password if prompted.
|
Step 2
|
configure terminal
Example:
Router# configure terminal
|
Enters global configuration mode.
|
Step 3
|
redundancy inter-device
Example:
Router(config)# redundancy inter-device
|
Configures redundancy and enters inter-device configuration mode.
To exit inter-device configuration mode, use the exit command. To remove all inter-device configuration, use the no form of the command.
|
Step 4
|
scheme standby standby-group-name
Example:
Router(config-red-interdevice)# scheme standby
HA-out
|
Defines the redundancy scheme that is to be used. Currently, "standby" is the only supported scheme.
•standby-group-name—Must match the standby name specified in the standby name interface configuration command. Also, the standby name should be the same on both routers.
Note Only the active or standby state of the standby group is used for SSO. The VIP address of the standby group is not required or used by SSO. Also, the standby group does not have to be part of any crypto map configuration.
|
Step 5
|
exit
Example:
Router(config-red-interdevice)# exit
|
Exits inter-device configuration mode.
|
Step 6
|
ipc zone default
Example:
Router(config)# ipc zone default
|
Configures the inter-device communication protocol, Inter-Process Communication (IPC), and enters IPC zone configuration mode.
Use this command to initiate the communication link between the active router and standby router.
|
Step 7
|
association 1
Example:
Router(config-ipczone)# association 1
|
Configures an association between the two devices and enters IPC association configuration mode.
|
Step 8
|
protocol sctp
Example:
Router(config-ipczone-assoc)# protocol sctp
|
Configures Stream Control Transmission Protocol (SCTP) as the transport protocol and enters SCTP protocol configuration mode.
|
Step 9
|
local-port local-port-number
Example:
Router(config-ipc-protocol-sctp)# local-port 5000
|
Defines the local SCTP port number that is used to communicate with the redundant peer and puts you in IPC transport - SCTP local configuration mode.
•local-port-number—There is not a default value. This argument must be configured for the local port to enable inter-device redundancy. Valid port values: 1 to 65535.
The local port number should be the same as the remote port number on the peer router.
|
Step 10
|
local-ip device-real-ip-address
[device-real-ip-address2]
Example:
Router(config-ipc-local-sctp)# local-ip 10.0.0.1
|
Defines at least one local IP address that is used to communicate with the redundant peer.
The local IP addresses must match the remote IP addresses on the peer router. There can be either one or two IP addresses, which must be in the global VRF. A virtual IP address cannot be used.
|
Step 11
|
retransmit-timeout retran-min [msec]
retra-max [msec]
Example:
Router(config-ipc-local-sctp)# retransmit-timeout
300 10000
|
Configures the maximum amount of time, in milliseconds, that SCTP will wait before retransmitting data.
•retran-min: 300 to 60000; default: 300
•retran-max: 300 to 60000; default: 600
|
Step 12
|
path-retransmit max-path-retries
Example:
Router(config-ipc-local-sctp)# path-retransmit 10
|
Configures the number of consecutive retransmissions SCTP will perform before failing a path within an association.
•max-path-retries: 2 to 10; default: 4 retries
|
Step 13
|
assoc-retransmit retries
Example:
Router(config-ipc-local-sctp)# assoc-retransmit 10
|
Configures the number of consecutive retransmissions SCTP will perform before failing an association.
•retries: 2 to 10; default: 4 retries
|
Step 14
|
exit
Example:
Router(config-ipc-local-sctp)# exit
|
Exits IPC transport - SCTP local configuration mode.
|
Step 15
|
remote-port remote-port-number
Example:
Router(config-ipc-protocol-sctp)# remote-port 5000
|
Defines the remote SCTP port number that is used to communicate with the redundant peer and puts you in IPC transport - SCTP remote configuration mode.
Note remote-port-number—There is not a default value. This argument must be configured for the remote port to enable inter-device redundancy. Valid port values: 1 to 65535.
The remote port number should be the same as the local port number on the peer router.
|
Step 16
|
remote-ip peer-real-ip-address
[peer-real-ip-address2]
Example:
Router(config-ipc-remote-sctp)# remote-ip 10.0.0.2
|
Defines at least one remote IP address of the redundant peer that is used to communicate with the local device.
All remote IP addresses must refer to the same device.
A virtual IP address cannot be used.
|
Troubleshooting Tips
To help troubleshoot possible SSO-related configuration problems, issue the debug redundancy command.
Examples
The following example shows how to enable SSO:
retransmit-timeout 300 10000
What to Do Next
After you have enabled SSO, you should configure reverse route injection (RRI) on a crypto map as shown in the following section.
Configuring Reverse Route Injection on a Crypto Map
You should configure RRI on all existing crypto maps that you want to use with stateful failover. RRI is used with stateful failover so routers on the inside network can learn about the correct path to the current active device. When failover occurs, the new active device injects the RRI routes into its IP routing table and sends out routing updates to its routing peers.
Use one of the following tasks to configure RRI on a dynamic or static crypto map.
•Configuring RRI on Dynamic Crypto Map
•Configuring RRI on a Static Crypto Map
Configuring RRI on Dynamic Crypto Map
Dynamic crypto map entries, like regular static crypto map entries, are grouped into sets. A set is a group of dynamic crypto map entries all with the same dynamic map name but each with a different dynamic sequence number. Each member of the set may be configured for RRI.
SUMMARY STEPS
1. enable
2. configure terminal
3. crypto dynamic-map map-name seq-num
4. reverse-route
DETAILED STEPS
| |
Command or Action
|
Purpose
|
Step 1
|
enable
Example:
Router> enable
|
Enables privileged EXEC mode.
•Enter your password if prompted.
|
Step 2
|
configure terminal
Example:
Router# configure terminal
|
Enters global configuration mode.
|
Step 3
|
crypto dynamic-map map-name seq-num
Example:
Router(config)# crypto dynamic-map mymap 10
|
Creates a dynamic crypto map entry and enters crypto map configuration mode.
|
Step 4
|
reverse-route
Example:
Router(config-crypto-map)# reverse-route
|
Enables RRI for a dynamic crypto map.
|
Configuring RRI on a Static Crypto Map
Static crypto map entries are grouped into sets. A set is a group of static crypto map entries all with the same static map name but each with a different sequence number. Each static crypto map in the map set can be configured for RRI. Use this task to configure RRI on a static crypto map.
SUMMARY STEPS
1. enable
2. configure terminal
3. crypto map map-name seq-num ipsec-isakmp
4. reverse-route
DETAILED STEPS
| |
Command or Action
|
Purpose
|
Step 1
|
enable
Example:
Router> enable
|
Enables privileged EXEC mode.
•Enter your password if prompted.
|
Step 2
|
configure terminal
Example:
Router# configure terminal
|
Enters global configuration mode.
|
Step 3
|
crypto map map-name seq-num ipsec-isakmp
Example:
Router(config)# crypto map to-peer-outside 10
ipsec-isakmp
|
Enters crypto map configuration mode and creates or modifies a crypto map entry.
|
Step 4
|
reverse-route
Example:
Router(config-crypto-map)# reverse-route
|
Dynamically creates static routes based on crypto ACLs.
|
Examples
The following example shows how to configure RRI on the static crypto map "to-peer-outside":
crypto map to-peer-outside redundancy replay-interval inbound 1000 outbound 10000
crypto map to-peer-outside 10 ipsec-isakmp
match address peer-outside
What to Do Next
After you have configured RRI, you can enable stateful failover for IPSec and IKE.
Enabling Stateful Failover for IKE and IPSec
Use the following tasks to configure stateful failover for IPSec, IKE, and tunnel protection:
•Enabling Stateful Failover for IKE
•Enabling Stateful Failover for IPSec
•Enabling Stateful Failover for Tunnel Protection
Enabling Stateful Failover for IKE
There is no specific command-line interface (CLI) necessary to enable stateful failover for IKE. It is enabled for a particular VIP address when a stateful failover crypto map is applied to an interface.
Enabling Stateful Failover for IPSec
Use this task to enable stateful failover for IPSec. All IPSec state information is transferred from the active router to the standby router via the SSO redundancy channel that was specified in the task "Enabling SSO."
SUMMARY STEPS
1. enable
2. configure terminal
3. interface type number
4. crypto map map-name [redundancy standby-group-name [stateful]]
DETAILED STEPS
| |
Command or Action
|
Purpose
|
Step 1
|
enable
Example:
Router> enable
|
Enables privileged EXEC mode.
•Enter your password if prompted.
|
Step 2
|
configure terminal
Example:
Router# configure terminal
|
Enters global configuration mode.
|
Step 3
|
interface type number
Example:
Router(config)# interface Ethernet 0/0
|
Defines an interface that has already been configured for redundancy and enters interface configuration mode.
|
Step 4
|
crypto map map-name [redundancy
standby-group-name [stateful]]
Example:
Router(config-if)# crypto map to-peer-outside
redundancy HA-out stateful
|
Binds the crypto map on the specified interface to the redundancy group.
Note Although the standby group does not have to be the same group that was used when enabling SSO, it does have to be the same group that was used with the standby ip command on this interface.
This crypto map will use the same VIP address for both IKE and IPSec to communicate with peers.
|
Troubleshooting Tips
To help troubleshoot possible IPSec HA-related problems, issue the debug crypto ipsec ha [detail] [update] command.
Examples
The following example shows how to configure IPSec stateful failover on the crypto map "to-peer-outside":
ip address 209.165.201.1 255.255.255.224
standby 1 ip 209.165.201.3
standby 1 track Ethernet1/0
crypto map to-peer-outside redundancy HA-out stateful
Enabling Stateful Failover for Tunnel Protection
Use an existing IPSec profile to configure stateful failover for tunnels using IPSec. (You do not configure the tunnel interface as you would with a crypto map configuration.)
Restrictions
The tunnel source address must be a VIP address, and it must not be an interface name.
SUMMARY STEPS
1. enable
2. configure terminal
3. crypto ipsec profile name
4. redundancy standby-group-name stateful
5. exit
6. interface tunnel number
7. tunnel protection ipsec profile name
8. tunnel source virtual-ip-address
DETAILED STEPS
| |
Command or Action
|
Purpose
|
Step 1
|
enable
Example:
Router> enable
|
Enables privileged EXEC mode.
•Enter your password if prompted.
|
Step 2
|
configure terminal
Example:
Router# configure terminal
|
Enters global configuration mode.
|
Step 3
|
crypto ipsec profile name
Example:
Router(config)# crypto ipsec profile
peer-profile
|
Defines the IPSec parameters that are to be used for IPSec encryption between two routers and enters crypto map configuration mode.
|
Step 4
|
redundancy standby-group-name stateful
Example:
Router(config-crypto-map)# redundancy HA-out
stateful
|
Configures stateful failover for tunnels using IPSec.
|
Step 5
|
exit
Example:
Router(config-crypto-map)# exit
|
Exits crypto map configuration mode.
|
Step 6
|
interface tunnel number
Example:
Router(config)# interface tunnel 5
|
Configures a tunnel interface and enters interface configuration mode
•number—Specifies the number of the interface that you want to create or configure. There is no limit on the number of tunnel interfaces you can create.
|
Step 7
|
tunnel protection ipsec profile name
Example:
Router(config-if)# tunnel protection ipsec
profile catprofile
|
Associates a tunnel interface with an IPSec profile.
name—Specifies the name of the IPSec profile; this value must match the name specified in the crypto ipsec profile name command.
|
Step 8
|
tunnel source virtual-ip-address
Example:
Router(config-if)# tunnel source 10.1.1.1
|
Sets source address for a tunnel interface.
•virtual-ip-address—Must be a VIP address.
Note Do not use the interface name as the tunnel source.
|
Examples
The following example shows how to configure stateful failover for tunnel protection:
crypto ipsec profile peer-profile
redundancy HA-out stateful
tunnel source 209.165.201.3
tunnel destination 10.0.0.5
tunnel protection ipsec profile peer-profile
ip address 209.165.201.1 255.255.255.224
standby 1 ip 209.165.201.3
What to Do Next
After you have configured stateful failover, you can use the CLI to protect, verify, and manage your configurations. For more information on completing these tasks, see the sections "Protecting SSO Traffic" and "Managing and Verifying High Availability Information."
Protecting SSO Traffic
Use this task to secure a redundancy group via an IPSec profile. To configure SSO traffic protection, the active and standby devices must be directly connected to each other via Ethernet networks.
The crypto maps that are automatically generated when protecting SSO traffic are applied to each interface, which corresponds to an IP address that was specified via the local-ip command. Traffic that is destined for an IP address that was specified via the remote-ip command is forced out of the crypto-map-configured interface via an automatically created static host route.
Note If you are certain that the SSO traffic between the redundancy group runs on a physically secure interface, you do not have to configure SSO traffic protection.
SUMMARY STEPS
1. enable
2. configure terminal
3. crypto isakmp key keystring address peer-address
4. crypto ipsec transform-set transform-set-name transform-set-list
5. crypto ipsec profile profile-name
6. set transform-set transform-set-name
7. exit
8. redundancy inter-device
9. security ipsec profile-name
DETAILED STEPS
| |
Command or Action
|
Purpose
|
Step 1
|
enable
Example:
Router> enable
|
Enables privileged EXEC mode.
•Enter your password if prompted.
|
Step 2
|
configure terminal
Example:
Router# configure terminal
|
Enters global configuration mode.
|
Step 3
|
crypto isakmp key keystring address
peer-address
Example:
Router(config)# crypto isakmp key cisco123
address 0.0.0.0 0.0.0.0
|
Configures a preshared authentication key.
•peer-address—The SCTP remote IP address.
|
Step 4
|
crypto ipsec transform-set transform-set-name
transform-set-list
Example:
Router(config)# crypto ipsec transform-set
trans2 ah-md5-hmac esp-aes
|
Configures a transform set that defines the packet format and cryptographic algorithms used for IPSec.
|
Step 5
|
crypto ipsec profile profile-name
Example:
Router(config)# crypto ipsec profile sso-secure
|
Defines an IPSec profile that describes how the traffic will be protected.
|
Step 6
|
set transform-set transform-set-name
Example:
Router(config-crypto-map)# set transform-set
trans2
|
Specifies which transform sets can be used with the IPSec profile.
|
Step 7
|
exit
Example:
Router(config-crypto-map)# exit
|
Exits crypto map configuration mode.
|
Step 8
|
redundancy inter-device
Example:
Router(config)# redundancy inter-device
|
Configures redundancy and enters inter-device configuration mode.
|
Step 9
|
security ipsec profile-name
Example:
Router(config-red-interdevice)# security ipsec
sso-secure
|
Applies the IPSec profile to the redundancy group communications, protecting all SSO traffic that is passed between the active and standby device.
|
Examples
The following example shows how to configure SSO traffic protection:
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0 no-xauth
crypto ipsec transform-set trans2 ah-md5-hmac esp-aes
crypto ipsec profile sso-secure
