Cisco Packet Data Interworking Function (PDIF) Troubleshooting Guide
IP Security
Cisco ASR 5000 Series Enhanced Feature Configuration Guide
OL-22983-01
Redundant IPSec Tunnel Fail-over Configuration
This section provides information and instructions for configuring the Redundant IPSec Tunnel Fail-over feature. These
instructions assume that the system was previously configured to support subscriber data sessions either as a core
service or an HA.
Important: Parameters configured using this procedure must be configured in the same context on the system.
Important: The system supports a maximum of 32 crypto groups per context. However, configuring crypto groups to use the same loopback interface for secondary IPSec tunnels is not recommended and may compromise redundancy on the chassis.
Important: This section provides the minimum instruction set for configuring crypto groups on the system. For more information on commands that configure additional parameters and options, refer to the Command Line Interface Reference.
To configure the Crypto group to support IPSec:
Step 1 Configure a crypto group by following the steps in the
Step 2 Configure one or more ISAKMP policies according to the instructions provided in the section of this chapter.
Step 3 Configure IPSec DPD settings using the instructions provided in the of this chapter.
Step 4 Configure an ISAKMP crypto map for the primary and secondary tunnel according to the instructions provided in the
Step 5
Step 6 Verify your Crypto Group configuration by following the steps in the section.
Step 7 Save your configuration as described in the Verifying and Saving Your Configuration chapter.
Configuring Crypto Group
Use the following example to configure a crypto group on your system for redundant IPSec tunnel fail-over support: