Cisco IOS Software Releases 12.2 MC White Paper

      IPSec Stateful Failover (VPN High Availability)
Feature Overview
Cisco IOS Release 12.2(11)YX, 12.2(11)YX1, 12.2(14)SU, 12.2(14)SU1, and 12.2(14)SU2
Figure 1 shows a sample topology for site-to-site configuration of IPSec Stateful Failover with generic routing encapsulation (GRE), a tunnel interface not tied to specific “passenger” or “transport” protocols. GRE supports multicast traffic, which is critical for V3PN applications.
Figure 1: Site-to-Site VPN Configuration
There are four possible configurations for the Cisco 7200 series routers using Cisco IOS Release 12.2(14)SU, 12.2(14)SU1, or 12.2(14)SU2:
• non-GRE High Availability (HA) with a virtual IP (VIP), or redundancy groups, on the outside and a VIP on the inside (see 
• non-GRE HA with only VIPs on the outside. The route to the outside is provided by Reverse Route Injection (RRI) (see 
• GRE HA, with VIPs on the outside and inside interfaces (see 
• GRE HA, with only a VIP on the outside, using RRI to inject routes (see 
Figure 2: HSRP VIP on Inside and Outside
[Figure labels: remote peers 1 through N, Internet, headquarters (private network), head-end routers (one standby), VIP (shared IP address), GRE tunnels 1 through N, outside VIP, inside VIP, remote LAN, peer, private LAN. Annotation: inside VIP configured as default gateway for route from private LAN to remote LAN.]