IPSec stateful failover in IOS

truongdinh
Level 1

I have very simple site-2-site VPN setup:

Site A is my company A running on a single Cisco VXR7206, IOS version 12.3(T). The network behind my company is 192.168.1.0/24.

Site B is company B running a pair of Checkpoint Firewall NGx R65. The network behind company B is 10.0.0.0/24.

Site C is company C running a single Cisco 3845, IOS version 12.4(T). The network behind company C is 172.16.1.0/24.

Company B and company C do not know each other.

I have a L2L VPN between company A and company B. That one is working fine, just regular L2L IPSec tunnel.

I have a L2L VPN between company A and company C. This is done via GRE encapsulated inside an IPSec tunnel (i.e. GRE/IPSec).

Everything is working fine. But now my company A wants to add redundancy to the L2L VPNs between company A and company B and between company A and company C.

We are going to add another VXR7206 at Site A. The objective is that if one of the routers at site A crashes, the other will take over without missing a beat.

I can create multiple GRE/IPSec tunnels between company A and company C and use HSRP to control the flow of traffic between site A and site C, and the connection will be "stateful" due to the nature of GRE/IPSec.

My issue has to do with the statefulness of IPSec between the Cisco and the Checkpoint firewall. The Checkpoint platform the customer uses does not support GRE, only IPSec.

Anyone know how I can resolve this problem?

Thanks in advance.

1 Reply

paul
Level 1

I would actually prefer the use of an IGP to handle the failover between site A and C, but there may be limitations with doing that. You could combine that with two active GRE or VTI tunnels and it would work great for the A to C connection.

Your question is along the traditional IPSec side. You may want to look at the following URL which discusses the new stateful failover features in the later 12.4T.

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/white_paper_c11_472859.html

If money were no object, I would do A to B with two ASAs in failover and reverse route injection, and A to C with VTI and an IGP like EIGRP or OSPF. The ASA has a great stateful failover.
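To make the reply's pointer concrete for the A-to-B tunnel (plain IPSec to the Checkpoint pair, no GRE), here is an added configuration example for the IOS IPsec stateful failover (SSO) feature on the primary VXR7206 at site A. It is not taken from the thread or from the Cisco white paper; interface names, addresses (RFC 5737 documentation ranges for the outside, the poster's 192.168.1.0/24 inside), HSRP group names and the pre-shared key placeholder are all assumptions, and the feature must be supported by the exact platform and IOS release in use.

```cisco
! Added example: IOS IPsec stateful failover (SSO) for the site A <-> site B tunnel.
! Primary router at site A. All addresses, names and the PSK are constructed placeholders.
! Outside HSRP VIP 203.0.113.1 is the address the Checkpoint at site B peers with.
! Inside HSRP VIP 192.168.1.1 is the default gateway for the 192.168.1.0/24 LAN.
!
! Tie the redundancy facility to the inside HSRP group so both routers
! agree on who is active before any SA is replicated.
redundancy inter-device
 scheme standby HA-IN
!
! SCTP channel between the two routers' real inside addresses; ISAKMP and
! IPsec SA state is copied over this channel to the standby router.
ipc zone default
 association 1
  no shutdown
  protocol sctp
   local-port 5000
    local-ip 192.168.1.2
   remote-port 5000
    remote-ip 192.168.1.3
!
! Phase 1 / phase 2 policy toward the Checkpoint (peer 198.51.100.10 is assumed).
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2
crypto isakmp key PLACEHOLDER-PSK address 198.51.100.10
!
crypto ipsec transform-set TS-B esp-aes esp-sha-hmac
!
! Interesting traffic: site A LAN <-> site B LAN, matching the thread's subnets.
ip access-list extended VPN-B
 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
!
crypto map VPN-B 10 ipsec-isakmp
 set peer 198.51.100.10
 set transform-set TS-B
 match address VPN-B
!
interface GigabitEthernet0/0
 description Inside - 192.168.1.0/24
 ip address 192.168.1.2 255.255.255.0
 standby 1 ip 192.168.1.1
 standby 1 name HA-IN
 standby 1 preempt
 standby 1 track GigabitEthernet0/1
!
interface GigabitEthernet0/1
 description Outside - toward site B
 ip address 203.0.113.2 255.255.255.0
 standby 2 ip 203.0.113.1
 standby 2 name HA-OUT
 standby 2 preempt
 standby 2 track GigabitEthernet0/0
 ! "redundancy <group> stateful" makes the crypto map bind to the HSRP VIP
 ! and turns on SA replication; without "stateful" the peer only gets VIP
 ! failover and has to rebuild every SA after a switchover.
 crypto map VPN-B redundancy HA-OUT stateful
```

The standby router carries the same configuration with the real addresses swapped (192.168.1.3 / 203.0.113.3, and the `local-ip` / `remote-ip` pair reversed); the HSRP groups, crypto map and ACL are identical on both. On the Checkpoint side the site A gateway object uses only the VIP 203.0.113.1, so a switchover at site A is invisible to it. To confirm the state is really being replicated, compare `show crypto isakmp sa` and `show crypto ipsec sa` on the standby with the active before failing anything over, and watch `show redundancy states` during the test; if the standby shows no SAs, traffic will survive only as well as the peer's IKE re-negotiation and dead-peer detection allow.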