11-20-2008 03:06 AM
Hi, we now have two 2821 VPN concentrators. Is there any way to set up redundancy between them, so that when one goes down the other takes over?
Thanks.
11-21-2008 10:19 AM
Yes, it's possible.
This link will give you a detailed explanation on how to implement IPSec High Availability using HSRP, giving an example:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800942f7.shtml
If you need a simple configuration example, please tell.
Cheers:
Istvan
11-24-2008 09:27 AM
Ok, so as I understand this doc, we only have to no-shutdown our free LAN ifaces on the routers, link the routers with a brand new cable, set the interfaces to a new subnet, create a crypto map to apply to the new interfaces, and then apply this block of code to each interface (don't mind the example subnet):
interface FastEthernet0/0
 ip address 172.16.172.52 255.255.255.240
 duplex full
 speed 100
 standby 1 ip 172.16.172.53
 standby 1 priority 200
 standby 1 preempt
 standby 1 name VPNHA
 standby 1 track FastEthernet0/1 150
 crypto map vpn redundancy VPNHA
!
interface FastEthernet0/0
 ip address 172.16.172.54 255.255.255.240
 ip directed-broadcast
 duplex full
 standby 1 ip 172.16.172.53
 standby 1 preempt
 standby 1 name VPNHA
 standby 1 track FastEthernet1/0
 crypto map vpn redundancy VPNHA
Thanks.
11-24-2008 09:59 AM
Yes, and you should create the VPN tunnel between the HSRP virtual IP address (172.16.172.53) and the remote interface.
I.e. on the remote router you should apply the "set peer 172.16.172.53" command within the static crypto map.
On the HSRP routers you will need to create dynamic crypto maps, possibly with reverse route injection.
Cheers:
Istvan
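An added example, not part of the original posts or of the linked Cisco document: a Python check that the two interface stanzas from the thread agree on the HSRP group, virtual IP and standby name, and that `crypto map ... redundancy` references that same standby name. The function names are hypothetical, and the sample stanzas are constructed from the thread's config, trimmed to the lines the check reads.

```python
import ipaddress
import re

# Constructed sample input: the two stanzas from the thread, trimmed.
ROUTER_A = """\
interface FastEthernet0/0
 ip address 172.16.172.52 255.255.255.240
 standby 1 ip 172.16.172.53
 standby 1 priority 200
 standby 1 name VPNHA
 crypto map vpn redundancy VPNHA
"""
ROUTER_B = """\
interface FastEthernet0/0
 ip address 172.16.172.54 255.255.255.240
 standby 1 ip 172.16.172.53
 standby 1 name VPNHA
 crypto map vpn redundancy VPNHA
"""

def parse(cfg):
    """Extract the HSRP and crypto-map redundancy settings from one stanza."""
    def grab(pattern, default=None):
        m = re.search(pattern, cfg, re.M)
        return m.group(1) if m else default
    ip, mask = re.search(r"^\s*ip address (\S+) (\S+)", cfg, re.M).groups()
    return {
        "net": ipaddress.ip_interface(f"{ip}/{mask}").network,
        "group": grab(r"^\s*standby (\d+) ip "),
        "vip": grab(r"^\s*standby \d+ ip (\S+)"),
        "name": grab(r"^\s*standby \d+ name (\S+)"),
        "priority": int(grab(r"^\s*standby \d+ priority (\d+)", "100")),  # HSRP default is 100
        "redundancy": grab(r"^\s*crypto map \S+ redundancy (\S+)"),
    }

def audit(cfg_a, cfg_b):
    """Return a list of findings; an empty list means the pair is consistent."""
    a, b = parse(cfg_a), parse(cfg_b)
    findings = []
    for key in ("group", "vip", "name"):
        if a[key] != b[key]:
            findings.append(f"HSRP {key} differs: {a[key]} vs {b[key]}")
    for label, r in (("A", a), ("B", b)):
        if r["vip"] and ipaddress.ip_address(r["vip"]) not in r["net"]:
            findings.append(f"router {label}: virtual IP outside interface subnet")
        if r["redundancy"] != r["name"]:
            findings.append(f"router {label}: crypto map redundancy name does not match standby name")
    if a["priority"] == b["priority"]:
        findings.append("both routers have the same HSRP priority")
    return findings
```
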
11-24-2008 11:08 AM
Keep in mind that the configuration does NOT offer IPSec STATEFUL failover.
11-24-2008 01:09 PM
Yes,
Stateful failover is a different story. Only some high-end platforms have that feature.
Istvan
11-24-2008 04:29 PM
Platforms such as the 2851 and 3845 can support IPSec stateful failover.
That being said, IPSec stateful failover does not work well on Cisco as compared to other vendors such as Checkpoint or Juniper.
11-25-2008 12:21 AM
Ok, I'm only interested in physical redundancy anyway. Thank you all.