inter-device device redundancy for IPSEC

hwouters · ‎09-14-2007

Hi , I have a pair of 2821 routers which are configured as ipsec hubs with inter-device redundancy . I use 2 interfaces with HSRP "HA-OUT" to terminate ipsec over vti tunnels and 2 interaces on with HSRP "HA-OUT-ENC" for encapsulated IPSEC .Question is now , can I have redundancy inter-device , scheme standby HA-OUT and scheme standby HA-OUT-ENC ?

umedryk · ‎09-21-2007

The following link discusses about the IPSEC redundancy

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094c1f.shtml

The debug dialer and several show command outputs displayed here show the primary link as failed, and dialer watch recognizesthe lost route. The router then initiates the backup link and OSPF converges through the secondary link. Each time the idle timeout expires, the router checks whether the primary link is down. If the primary link is found to be up, dialer watch disconnects the backup link after the disable timer expires and tears down the call, and OSPF converges by way of the primary link as usual

hwouters · ‎09-21-2007

Hi ,

I was talking about statefull HA IPSEC redundancy. The problem I have is that you configure an sctp connection between the 2 devices over which they exchange state . This sctp connection is linked with the HSRP group that is configured on the interfaces , but you cannot link it at the same time to a second HSRP group .

redundancy inter-device

scheme standby HA-out

security ipsec sso-secure

you cannot add a second scheme in here

And that is what I'd like to do

andi.saputro · ‎07-20-2017

HA IPSEC not on redundancy inter-device command.

its in the interface.

ex.

interface GigabitEthernet0/0

standby 2 name ISP-B
crypto map VPN redundancy ISP-B stateful

interface GigabitEthernet0/2

standby 1 name ISP-A
crypto map VPN2 redundancy ISP-A stateful