Cisco Packet Data Interworking Function (PDIF)
Redundant IPSec Tunnel Fail-over (IKEv1)
IPSec Reference, StarOS Release 17
Configuring a Crypto Group
Use the following example to configure a crypto group on your system for redundant IPSec tunnel fail-over support:
configure
   context ctxt_name
      ikev1 keepalive dpd interval dur timeout dur num-retry retries
      crypto-group group_name
         match address acl_name [ preference ]
         switchover auto [ do-not-revert ]
         end
Notes:
ctxt_name is the destination context where the Crypto Group is to be configured.
group_name is the name of the crypto group you want to configure for IPSec tunnel fail-over support.
acl_name is the name of the pre-configured crypto ACL. It is used for configurations not implementing the IPSec Tunnel Failover feature and matches the crypto map to a previously defined crypto ACL. For more information on crypto ACL, refer to the Access Control chapter of this guide.
Modifying an ISAKMP Crypto Map Configuration to Match a Crypto Group
Use the following example to match the crypto group with an ISAKMP crypto map:
configure
   context ctxt_name
      crypto map map_name1 ipsec-isakmp
         match crypto-group group_name primary
         end
configure
   context ctxt_name
      crypto map map_name2 ipsec-isakmp
         match crypto-group group_name secondary
         end
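The following check is an added example, not part of the Cisco guide: it reads a saved configuration written in the syntax shown above and reports crypto groups whose fail-over wiring is incomplete. The function name, the sample names and the timer values are hypothetical. It assumes a single context, expects exactly one primary and one secondary crypto map per group, and treats a missing DPD keepalive line as a finding because the example above configures it together with the group.

```python
import re
from collections import defaultdict

# Constructed sample in the syntax shown above; names and timers are made up.
SAMPLE_CONFIG = """\
context ipsec_ctx
ikev1 keepalive dpd interval 10 timeout 3 num-retry 3
crypto-group grp_a
match address acl_a
crypto map map_a1 ipsec-isakmp
match crypto-group grp_a primary
crypto map map_a2 ipsec-isakmp
match crypto-group grp_a seondary
crypto map map_b1 ipsec-isakmp
match crypto-group grp_b primary
"""

def audit_crypto_groups(config_text):
    """Return sorted findings about crypto-group fail-over wiring (one context)."""
    has_acl = {}                # group name -> saw 'match address' in the group
    roles = defaultdict(list)   # group name -> roles claimed by crypto maps
    dpd, in_group, findings = False, None, []
    for line in (raw.strip() for raw in config_text.splitlines()):
        if line.startswith("ikev1 keepalive dpd "):
            dpd = True
        elif m := re.fullmatch(r"crypto-group (\S+)", line):
            in_group = m.group(1)
            has_acl.setdefault(in_group, False)
        elif line.startswith("crypto map "):
            in_group = None     # a 'match address' below belongs to the map
        elif line.startswith("match address ") and in_group:
            has_acl[in_group] = True
        elif m := re.fullmatch(r"match crypto-group (\S+) (\S+)", line):
            group, role = m.groups()
            if role not in ("primary", "secondary"):
                findings.append(f"{group}: unrecognized role '{role}'")
            roles[group].append(role)
    if not dpd:
        findings.append("context: no 'ikev1 keepalive dpd' line")
    for group in set(has_acl) | set(roles):
        if group not in has_acl:
            findings.append(f"{group}: referenced by a crypto map but not defined")
        elif not has_acl[group]:
            findings.append(f"{group}: no 'match address' crypto ACL")
        for role in ("primary", "secondary"):
            if roles[group].count(role) != 1:
                findings.append(f"{group}: expected one {role} map, found {roles[group].count(role)}")
    return sorted(findings)
```

Running audit_crypto_groups(SAMPLE_CONFIG) flags the misspelled role keyword on map_a2, the missing secondary map for both groups, and the reference to the undefined group grp_b.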