Cisco IOS Software Releases 12.2 MC White Paper
IPSec Stateful Failover (VPN High Availability)
Glossary
Cisco IOS Release 12.2(11)YX, 12.2(11)YX1, 12.2(14)SU, 12.2(14)SU1, and 12.2(14)SU2
Active—Active IPSec High Availability router.
DPD—Dead peer detection. DPD allows two IPSec peers to determine if the other is still “alive” during
the lifetime of a VPN connection.
GRE—Generic Routing Encapsulation. Tunneling protocol developed by Cisco that can encapsulate a
wide variety of protocol packet types inside IP tunnels, creating a virtual point-to-point link to Cisco
routers at remote points over an IP internetwork.
HSRP—Hot Standby Routing Protocol. HSRP provides network redundancy for IP networks, ensuring
that user traffic immediately and transparently recovers from first hop failures in network edge devices
or access circuits.
IKE—Internet Key Exchange. IKE establishes a shared security policy and authenticates keys for
services (such as IPSec) that require keys. Before any IPSec traffic can be passed, each
router/firewall/host must verify the identity of its peer. This can be done by manually entering pre-shared
keys into both hosts or by a CA service.
IPSec—IP Security. A framework of open standards that provides data confidentiality, data integrity, and
data authentication between participating peers. IPSec provides these security services at the IP layer.
IPSec uses IKE to handle the negotiation of protocols and algorithms based on local policy and to
generate the encryption and authentication keys to be used by IPSec. IPSec can protect one or more data
flows between a pair of hosts, between a pair of security gateways, or between a security gateway and a
host.
SA—security association. An instance of security policy and keying material applied to a data flow. Both
IKE and IPSec use SAs, although SAs are independent of one another. IPSec SAs are unidirectional and
they are unique in each security protocol.
SSP—State Synchronization Protocol. A protocol developed to transfer state information between the
active and standby routers.
Standby—Standby IPSec High Availability router.
Stateful Failover—Feature that enables a backup (standby) router to automatically take over the
primary (active) router’s tasks in the event of an active router failure with minimal or no loss of traffic.
The remote peer sees no difference between the two routers since it is connected to a virtual end point
(VEP), owned by either headend router that shares the same IPSec information.