Cisco IOS Software Releases 12.2 MC White Paper
IPSec Stateful Failover (VPN High Availability)
Feature Overview
Cisco IOS Release 12.2(11)YX, 12.2(11)YX1, 12.2(14)SU, 12.2(14)SU1, and 12.2(14)SU2
IPSec Stateful Failover (VPN High Availability) is designed to work in conjunction with Reverse Route Injection (RRI) and Hot Standby Router Protocol (HSRP) with IPSec. When used together, RRI and HSRP provide a more reliable network design for VPNs and reduce configuration complexity on remote peers.
RRI and HSRP are supported together with the restriction that the HSRP configuration on the outside interface uses equal priorities on both routers. As an option, when not using RRI, you can use an HSRP configuration on the LAN side of the network (the equal HSRP priority restriction still applies).
Reverse Route Injection (RRI)
RRI is a feature designed to simplify network design for VPNs that require redundancy and routing. RRI works with both dynamic and static crypto maps. When routes are created, they are injected into any dynamic routing protocol and distributed to surrounding devices. This causes traffic flows requiring IPSec to be directed to the appropriate head-end VPN router for transport across the correct security associations (SAs), avoiding IPSec policy mismatches and possible packet loss.
Hot Standby Router Protocol (HSRP)
HSRP is designed to provide high network availability by routing IP traffic from hosts on Ethernet networks without relying on the availability of any single router. By providing network redundancy for IP networks, user traffic immediately and transparently recovers from first hop failures in network edge devices or access circuits.
A network administrator enables HSRP, assigns a virtual IP address, and enables IPSec Stateful Failover (VPN High Availability). After enabling both HSRP and IPSec Stateful Failover, the network administrator uses the show ssp, show crypto ipsec, and show crypto isakmp commands to verify that all processes are running properly. In the event of failover, the standby device takes over ownership of the standby IP address and begins to service remote VPN peers.
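As an added illustration (not a configuration taken from this white paper), the fragment below shows how the pieces described above fit together on one head-end router, with the second router differing only where noted in the trailing comments. The interface name, addresses, the HSRP group name HA-OUT, the transform set TS and the crypto map VPN are placeholders, and the command syntax is assumed to match the configuration guide for these releases.

```cisco
! Head-end router A (constructed example; addresses are documentation placeholders)
!
! State Synchronization Protocol (SSP) group: tells this router which peer
! receives the IPSec state and which HSRP group drives the failover.
ssp group 1
 remote 192.0.2.2
 redundancy HA-OUT stateful
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac
!
! Dynamic crypto map with RRI: a static route to each remote peer's protected
! subnet is created when its SA comes up, so inside routers learn which
! head-end currently owns the tunnel.
crypto dynamic-map DYN 10
 set transform-set TS
 reverse-route
!
crypto map VPN 10 ipsec-isakmp dynamic DYN
! Bind the crypto map to the HSRP group so SAs are replicated to the standby.
crypto map VPN redundancy HA-OUT stateful
!
interface FastEthernet0/0
 description Outside (peer-facing) interface; remote peers target the virtual IP
 ip address 192.0.2.1 255.255.255.0
 standby 1 ip 192.0.2.10
 standby 1 name HA-OUT
 standby 1 priority 100
 crypto map VPN
!
! RRI installs static routes; redistribute them into the IGP so that traffic
! requiring IPSec is steered to the router that holds the SA.
router ospf 1
 redistribute static subnets
 network 10.0.0.0 0.0.0.255 area 0
!
! Head-end router B is configured identically except:
!   ssp group 1 -> remote 192.0.2.1
!   interface FastEthernet0/0 -> ip address 192.0.2.2 255.255.255.0
!   standby 1 priority 100      <- must be EQUAL to router A's priority
!
! Verification after both routers are up (page's show commands):
!   show ssp peer / show ssp redundancy   -> SSP peer reachable, group "stateful"
!   show crypto isakmp sa                 -> same IKE SAs on active and standby
!   show crypto ipsec sa                  -> same IPSec SAs (SPIs) on both routers
```

Pre-shared keys or certificates for IKE are omitted here; the ISAKMP policy is configured identically on both routers and is not part of the state that SSP replicates.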
The information that the active router transmits to the standby router includes:
• IKE cookies stamp
• Session keys
• Cisco Service Assurance (SA) Agent attributes
• Sequence number counter and window state
• Kilobyte (KB) lifetime expirations
• Dead peer detection (DPD) sequence number updates