Beginner

Cisco IOS IPSec Failover | Route-Based-VPN with HSRP

I can find IPSec vpn redundancy using Policy-Based-VPN with HSRP.

Any document that provides route-based-vpn redundancy with HSRP?

1 ACCEPTED SOLUTION

Enthusiast

Ok, I understand the question now. Sorry, I don't have any document for this task. 

I can see that in the crypto ipsec profile, which you will use under the Tunnel interface configuration to enable protection, you can configure redundancy:

cisco(config)#crypto ipsec profile VTI
cisco(ipsec-profile)#?
Crypto Map configuration commands:
  default         Set a command to its defaults
  description     Description of the crypto map statement policy
  dialer          Dialer related commands
  exit            Exit from crypto map configuration mode
  no              Negate a command or set its defaults
  redundancy      Configure HA for this ipsec profile
  responder-only  Do not initiate SAs from this device
  set             Set values for encryption/decryption

cisco(ipsec-profile)#redundancy ?
  WORD  Redundancy group name
cisco(ipsec-profile)#redundancy MRT ?
  stateful  enable stateful failover


I can suggest that it is the same as crypto map redundancy. But no documentation or examples were found...

Enthusiast

Not sure what the question is about...

As far as I know, you can use IPsec redundancy for two routers, and configure Stateful Switch Over (SSO) to synchronize IPsec databases between two routers.

This document describes the technology:

http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/ios-ipsec/white_paper_c11_472859.html

Beginner

Thanks for the response. 

The document shows how to use HSRP with 'policy based vpn', where we use a crypto ACL to match interesting traffic. I, on the other hand, want to use HSRP redundancy along with 'route based vpn', where the interesting traffic is identified by a static route pointing to the tunnel interface.

Beginner

Hey! 

I think you are right. Check this out. It's referring to both the 'redundancy' command and the tunnel interface.

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/m1/sec-m1-cr-book/sec-cr-r2.html#wp3201756504

Enthusiast

Ok, thanks for link.
