
Cisco IOS IPSec Failover | Route-Based-VPN with HSRP

Tanveer Dewan
Level 1

I can find IPSec vpn redundancy using Policy-Based-VPN with HSRP.

Any document that provides route-based-vpn redundancy with HSRP?


Boris Uskov
Level 4

Not sure what the question is about...

As far as I know, you can use IPsec redundancy for two routers, and configure Stateful Switch Over (SSO) to synchronize IPsec databases between two routers.

This document describes the technology:

http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/ios-ipsec/white_paper_c11_472859.html

Thanks for the response. 

The document shows how to use HSRP with 'policy based vpn', where we use a crypto ACL to match interesting traffic. I, on the other hand, want to use HSRP redundancy along with 'route based vpn', where the interesting traffic is identified by a static route pointing to the tunnel interface.

Ok, I understand the question now. Sorry, I don't have any document for this task. 

I can see that in the crypto ipsec profile, which you will use under the Tunnel interface configuration to enable protection, you can configure redundancy:

cisco(config)#crypto ipsec profile VTI
cisco(ipsec-profile)#?
Crypto Map configuration commands:
  default         Set a command to its defaults
  description     Description of the crypto map statement policy
  dialer          Dialer related commands
  exit            Exit from crypto map configuration mode
  no              Negate a command or set its defaults
  redundancy      Configure HA for this ipsec profile
  responder-only  Do not initiate SAs from this device
  set             Set values for encryption/decryption

cisco(ipsec-profile)#redundancy ?
  WORD  Redundancy group name
cisco(ipsec-profile)#redundancy MRT ?
  stateful  enable stateful failover


I can suggest that it is the same as crypto map redundancy. But no documentation or examples were found...

Hey! 

I think you are right. Check this out. It's referring to both the 'redundancy' command and the tunnel interface.

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/m1/sec-m1-cr-book/sec-cr-r2.html#wp3201756504

Ok, thanks for the link.
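A configuration sketch of the route-based setup discussed in this thread, added here as an example and not posted by any participant or taken from Cisco documentation. It ties the `redundancy MRT stateful` profile command shown above to an HSRP group named MRT and sources the tunnel from the HSRP virtual IP. Assumptions: all addresses are constructed from documentation ranges, the interface names and transform-set name TS are hypothetical, and the IKE policy/key and the inter-device SSO configuration that `stateful` depends on are already in place and omitted.

```cisco
! Added example, constructed values. Names MRT and VTI come from the thread.
! Apply the same configuration on the standby router, changing only the
! physical interface address and the HSRP priority.

! Outside interface: the HSRP group name is what the IPsec profile references
interface GigabitEthernet0/0
 ip address 192.0.2.2 255.255.255.0
 standby 1 ip 192.0.2.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 name MRT
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Profile-level redundancy, as shown in the CLI help output in this thread
crypto ipsec profile VTI
 set transform-set TS
 redundancy MRT stateful
!
! Route-based VPN: the tunnel is sourced from the HSRP virtual IP, so the
! remote peer always sees the same endpoint regardless of which router is active
interface Tunnel0
 ip address 198.51.100.1 255.255.255.252
 tunnel source 192.0.2.1
 tunnel destination 203.0.113.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
!
! Interesting traffic is selected by routing, not by a crypto ACL
ip route 10.20.0.0 255.255.0.0 Tunnel0
```

The remote peer must use the virtual IP (192.0.2.1 here) as its tunnel destination and IKE peer address; after a forced failover, `show standby brief` and `show crypto session` on the new active router confirm whether the SAs followed the HSRP state.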
