cisco router - site to site vpn with 2 link and preemption

secureIT
Level 4

Hi Team,

I have found the below for PIX/ASA firewalls, but I have the same scenario with a router.

In a router, can we achieve preemption for the VPN tunnel to fall back to the primary link when it recovers from a failure?

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

If you configured VPN with multiple peer IP addresses for a crypto entry, the VPN gets established with the backup peer IP once the primary peer goes down. However, once the primary peer comes back, the VPN does not preempt to the primary IP address. You must manually delete the existing SA in order to reinitiate the VPN negotiation to switch it over to the primary IP address. As the conclusion says, the VPN preempt is not supported in the site-to-site tunnel.

Taken from here:

http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/67912-pix2pix-vpn-pix70-asdm.html

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------


regards

SecIT

7 Replies

Marcin Latosiewicz
Cisco Employee

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-cr-book/sec-cr-s2.html#wp1966957785

The "default" option on the peer is what's typically used.

In the case of policy-based VPN you rarely want to preempt, due to the need to re-establish IPsec SAs (which could cause an interruption).

On IOS it's much better to go for route-based VPN and have a routing protocol decide which peer/path should be taken.

Hi Marcin, I'm facing the same issue as well. Could you please elaborate on this?

I can try. What are your questions/doubts?

As you said, if running policy-based VPN, does it mean we have to re-establish the IPsec SA? Is there any mechanism we can implement to overcome this?

The IKEv1/IPsec standard does not, or at least a couple of years ago did not, have a mechanism to check whether the remote peer is available for negotiation (not to say that the OS cannot make certain decisions on behalf of IKE), i.e. you never know when IKE on the remote end is back up unless you try to send a negotiation.


A simple sla + track and EEM script will preempt those connections for you.
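An added example of the "IP SLA + track + EEM" combination described above; it is not configuration from the thread or from Cisco, and the peer addresses, SLA/track numbers and interface name are placeholders you would replace with your own. It probes the primary peer, and when the track transitions to up it clears the session to the backup peer so IKE renegotiates with the default (primary) peer:

```ios
! Crypto map entry with the primary peer marked "default" so it is tried first
crypto map VPNMAP 10 ipsec-isakmp
 set peer 203.0.113.1 default
 set peer 198.51.100.1
 set transform-set TS
 match address VPN-ACL
!
! Probe the primary peer over the primary link (placeholder addresses/interface)
ip sla 10
 icmp-echo 203.0.113.1 source-interface GigabitEthernet0/0
 frequency 10
ip sla schedule 10 life forever start-time now
!
! "delay up 60" damps a flapping link so the tunnel is not torn down repeatedly
track 10 ip sla 10 reachability
 delay up 60 down 10
!
! When the primary path is stable again, drop the SAs to the backup peer.
! Note: this interrupts traffic until the new SA is built (the caveat raised above).
event manager applet VPN-PREEMPT
 event track 10 state up
 action 1.0 syslog msg "Primary link restored; clearing backup IPsec session to force preemption"
 action 2.0 cli command "enable"
 action 3.0 cli command "clear crypto session remote 198.51.100.1"
```

Verify with `show track 10` and `show crypto session` before and after the track changes state; the syslog line from action 1.0 gives an audit trail of each forced preemption.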

I have IP SLA configured for tracking, but once the primary link becomes stable the tunnel does not go through the primary.

As said in the first blog, does it remain the same that with multiple peer IP addresses for a crypto entry, the VPN does not preempt to the primary IP address?

Check FlexVPN's tracking capabilities if you don't want to do it via EEM.


Regarding preemption: read the command reference or the config guide. But AFAIR there is no instantaneous preemption.