IPsec VPN Stateful High Availability
IPsec VPN “Stateful” failover
In the case of Cisco ASA HA, config sync and stateful failover are built-in features
In the case of Cisco IOS HA, more manual configuration is required:
- HSRP is used to determine the device role (Active/Standby)
- SCTP is used to synchronize Phase 1/Phase 2 session states between the peers
- There is no config sync between Active and Standby; both devices must be configured by hand
Configuration order
- Configure and verify HSRP
- Configure and verify SSO
- Configure and verify regular IPsec VPN
- Configure and verify stateful IPsec VPN
The scenarios
Crypto-map scenarios
- The IPsec VPN peering will be between “HSRP VIP on R2,R3” and “Loopback on R1”
- Assign the HSRP instance to the stateful IPsec VPN on R2,R3
  - R(config)#crypto map <name> redundancy <hsrp_name> stateful
IPsec profile (VTI/GRE) scenarios
- Tunnel source/destination will be between “HSRP VIP on R2,R3” and “Loopback on R1”
- Assign the HSRP instance to the stateful IPsec VPN on R2,R3
  - R(config)#crypto ipsec profile <name>
  - R(ipsec-profile)#redundancy <hsrp_name> stateful
How to detect failure
- DPD with IPsec stateful HA is not useful for failover
  - This scenario has only one logical peering, between R1-Lo1 and R2-R3-HSRP_OUT, so the remote peer never sees a second address to fail over to
  - It is recommended to use a long timeout value
  - #crypto isakmp keepalive 10 10
- Failure detection relies on the HSRP instance
  - HSRP hello/keepalive between R2 and R3
  - HSRP integrated with “Enhanced Object Tracking”
- It is recommended to activate invalid SPI recovery and increase the IPsec replay window
  - #crypto isakmp invalid-spi-recovery
  - #crypto ipsec security-association replay window-size 1024
Configuration example
!! HUB R1 !! | !! Spoke R2 !!

Active-SSO device (100.2.3.2, HSRP priority 120):

! HSRP config
interface Ethernet0/0
 ip address 100.2.3.2 255.255.255.224
 standby 1 ip 100.2.3.23
 standby 1 preempt
 standby 1 name HSRP_OUT
 standby 1 track <object>
 standby 1 priority 120
 standby delay minimum reload 120
!
! Enabling SSO Interaction with IPsec and IKE
redundancy inter-device
 scheme standby HSRP_OUT
!
ipc zone default
 association 1
  no shutdown
  protocol sctp
   local-port 5000
    local-ip 10.2.3.2
    retransmit-timeout 300 10000
    path-retransmit 10
    assoc-retransmit 10
   remote-port 5000
    remote-ip 10.2.3.3
! The Active-SSO device is also recommended to be rebooted
!
! Enabling Stateful Failover for Tunnel Protection
crypto ipsec profile IPSEC_PROF
 redundancy HSRP_OUT stateful
!
interface Tunnel123
 ip unnumbered Loopback123
 tunnel source 100.2.3.23
 tunnel destination 1.1.1.1
 tunnel protection ipsec profile IPSEC_PROF

Standby-SSO device (100.2.3.3, HSRP priority 100):

! HSRP config
interface Ethernet0/0
 ip address 100.2.3.3 255.255.255.224
 standby 1 ip 100.2.3.23
 standby 1 preempt
 standby 1 name HSRP_OUT
 standby 1 track <object>
 standby 1 priority 100
 standby delay minimum reload 120
!
! Enabling SSO Interaction with IPsec and IKE
redundancy inter-device
 scheme standby HSRP_OUT
!
ipc zone default
 association 1
  no shutdown
  protocol sctp
   local-port 5000
    local-ip 10.2.3.3
    retransmit-timeout 300 10000
    path-retransmit 10
    assoc-retransmit 10
   remote-port 5000
    remote-ip 10.2.3.2
! The Standby-SSO device needs to be rebooted
!
! Enabling Stateful Failover for Tunnel Protection
crypto ipsec profile IPSEC_PROF
 redundancy HSRP_OUT stateful
!
interface Tunnel123
 ip unnumbered Loopback123
 tunnel source 100.2.3.23
 tunnel destination 1.1.1.1
 tunnel protection ipsec profile IPSEC_PROF
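Because IOS does not sync configuration between the two peers, the SCTP local-ip/remote-ip pair, the HSRP group and the redundancy name have to be kept in step by hand on both devices. The following added example (not part of the original page, and not Cisco's code) renders both peer configurations from one source of truth and cross-checks the pair before it is pasted in; it reuses the page's addresses, interface and profile names, while the Peer dataclass, build_peer_config() and check_pair() are this example's own hypothetical helpers.

```python
"""Render and cross-check the config pair for two IOS stateful-IPsec HA peers.

Added example; not from the original page. Addresses, interface and HSRP
names are the ones in the page's example; Peer, build_peer_config() and
check_pair() are this example's own (hypothetical) helpers.
"""
from dataclasses import dataclass

HSRP_GROUP = 1
HSRP_NAME = "HSRP_OUT"
HSRP_VIP = "100.2.3.23"        # the only address the remote peer ever talks to
IPC_PORT = 5000                # SCTP port used for IKE/IPsec state sync
IPSEC_PROFILE = "IPSEC_PROF"
TUNNEL_DEST = "1.1.1.1"        # Loopback on R1


@dataclass
class Peer:
    name: str
    outside_if: str      # interface carrying the HSRP group
    outside_ip: str      # real (non-virtual) address on that interface
    outside_mask: str
    priority: int        # HSRP priority; the higher one becomes Active
    ipc_local_ip: str    # this peer's SCTP endpoint for state sync
    ipc_remote_ip: str   # the other peer's SCTP endpoint


def build_peer_config(p: Peer) -> str:
    """Emit the IOS configuration for one peer from the shared constants."""
    lines = [
        "! HSRP config",
        f"interface {p.outside_if}",
        f" ip address {p.outside_ip} {p.outside_mask}",
        f" standby {HSRP_GROUP} ip {HSRP_VIP}",
        f" standby {HSRP_GROUP} preempt",
        f" standby {HSRP_GROUP} name {HSRP_NAME}",
        f" standby {HSRP_GROUP} priority {p.priority}",
        "! Enabling SSO interaction with IPsec and IKE",
        "redundancy inter-device",
        f" scheme standby {HSRP_NAME}",
        "ipc zone default",
        " association 1",
        "  no shutdown",
        "  protocol sctp",
        f"   local-port {IPC_PORT}",
        f"    local-ip {p.ipc_local_ip}",
        "    retransmit-timeout 300 10000",
        "    path-retransmit 10",
        "    assoc-retransmit 10",
        f"   remote-port {IPC_PORT}",
        f"    remote-ip {p.ipc_remote_ip}",
        "! Stateful failover for tunnel protection",
        f"crypto ipsec profile {IPSEC_PROFILE}",
        f" redundancy {HSRP_NAME} stateful",
        "interface Tunnel123",
        " ip unnumbered Loopback123",
        f" tunnel source {HSRP_VIP}",
        f" tunnel destination {TUNNEL_DEST}",
        f" tunnel protection ipsec profile {IPSEC_PROFILE}",
    ]
    return "\n".join(lines) + "\n"


def check_pair(a: Peer, b: Peer) -> list:
    """Return consistency problems for the pair; an empty list means it is sane."""
    problems = []
    if a.priority == b.priority:
        problems.append("equal HSRP priorities: the Active role is decided by the "
                        "higher interface IP, not by design")
    if a.outside_ip == b.outside_ip:
        problems.append("both peers use the same real outside address")
    if HSRP_VIP in (a.outside_ip, b.outside_ip):
        problems.append("HSRP VIP is also configured as a real interface address")
    if a.ipc_remote_ip != b.ipc_local_ip or b.ipc_remote_ip != a.ipc_local_ip:
        problems.append("SCTP local-ip/remote-ip are not mirror images: the IPC "
                        "association never forms and no IKE/IPsec state is synced")
    if a.ipc_local_ip == a.ipc_remote_ip or b.ipc_local_ip == b.ipc_remote_ip:
        problems.append("a peer points its SCTP remote-ip at itself")
    return problems


# Constructed sample pair matching the page's example (R2 Active, R3 Standby).
R2 = Peer("R2", "Ethernet0/0", "100.2.3.2", "255.255.255.224", 120, "10.2.3.2", "10.2.3.3")
R3 = Peer("R3", "Ethernet0/0", "100.2.3.3", "255.255.255.224", 100, "10.2.3.3", "10.2.3.2")

if __name__ == "__main__":
    for peer in (R2, R3):
        print(f"!!! {peer.name}\n{build_peer_config(peer)}")
    print("problems:", check_pair(R2, R3) or "none")
```

The HSRP tracking object and the reload delay from the page are deliberately left out of the generator, since their values are site-specific; add them as extra Peer fields if you want the checker to cover them too.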
Reset and verification commands:

! Reset security association
clear crypto isakmp [active | standby]
clear crypto sa [active | standby]
clear crypto session [active | standby]
!
! State verification
show redundancy [states | inter-device]
! After SSO negotiation completes, one peer shows "ACTIVE" and the other "STANDBY HOT"
show crypto session [active | standby]
show crypto session detail
! Displays crypto sessions: one peer shows "UP-ACTIVE" and the other "UP-STANDBY"
show crypto ha
! Displays all virtual IP addresses that are currently in use by IPsec and IKE
!
! SA verification
show crypto isakmp sa [active | standby]
show crypto ipsec sa [active | standby]
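The expected end state above (one peer ACTIVE / STANDBY HOT, and every session UP-ACTIVE on the active peer with an UP-STANDBY copy on the standby) is exactly what should be checked after a change and before trusting a failover. The following is an added example, not from the original page: it parses the two show outputs and reports anything that deviates. The sample outputs are constructed to mimic IOS formatting of `show redundancy states` and `show crypto session`; field layout differs between releases, so the regular expressions are an assumption to confirm against real output from your own devices.

```python
"""Check IOS stateful-IPsec HA health from 'show' output on both peers.

Added example, not from the original page. The sample outputs below are
constructed (modelled on IOS formatting); the regexes are an assumption to be
confirmed against real output.
"""
import re

# "       my state = 13 -ACTIVE" / "     peer state = 8  -STANDBY HOT"
REDUNDANCY_RE = re.compile(r"^\s*(my|peer) state\s*=\s*\d+\s*-\s*(.+?)\s*$", re.M)
IFACE_RE = re.compile(r"^Interface:\s*(\S+)", re.M)
SESSION_RE = re.compile(r"^Session status:\s*(\S+)", re.M)


def parse_redundancy(text):
    """Return {'my': 'ACTIVE', 'peer': 'STANDBY HOT'} from 'show redundancy states'."""
    return {who: state for who, state in REDUNDANCY_RE.findall(text)}


def parse_sessions(text):
    """Return [(interface, status), ...] from 'show crypto session'."""
    result = []
    for block in re.split(r"(?m)^(?=Interface:)", text):   # one block per session
        iface = IFACE_RE.search(block)
        status = SESSION_RE.search(block)
        if iface and status:
            result.append((iface.group(1), status.group(1)))
    return result


def ha_health(active_red, active_sess, standby_red, standby_sess):
    """Return a list of findings; an empty list means the pair looks healthy."""
    findings = []
    a = parse_redundancy(active_red)
    s = parse_redundancy(standby_red)
    if a.get("my") != "ACTIVE" or a.get("peer") != "STANDBY HOT":
        findings.append(f"active peer redundancy state unexpected: {a}")
    if s.get("my") != "STANDBY HOT" or s.get("peer") != "ACTIVE":
        findings.append(f"standby peer redundancy state unexpected: {s}")
    act = dict(parse_sessions(active_sess))
    stb = dict(parse_sessions(standby_sess))
    for iface, status in act.items():
        if status != "UP-ACTIVE":
            findings.append(f"{iface}: active peer session is {status}, expected UP-ACTIVE")
        if stb.get(iface) != "UP-STANDBY":
            findings.append(f"{iface}: no UP-STANDBY copy on the standby peer "
                            f"(got {stb.get(iface)}); a failover would renegotiate IKE/IPsec")
    return findings


# Constructed sample output (modelled on IOS formatting).
ACTIVE_RED = """\
       my state = 13 -ACTIVE
     peer state = 8  -STANDBY HOT
           Mode = Duplex
           Unit = Primary
"""
STANDBY_RED = """\
       my state = 8  -STANDBY HOT
     peer state = 13 -ACTIVE
           Mode = Duplex
           Unit = Secondary
"""
ACTIVE_SESS = """\
Crypto session current status

Interface: Tunnel123
Session status: UP-ACTIVE
Peer: 1.1.1.1 port 500
  IPSEC FLOW: permit 47 host 100.2.3.23 host 1.1.1.1
        Active SAs: 2, origin: crypto map
"""
STANDBY_SESS = ACTIVE_SESS.replace("UP-ACTIVE", "UP-STANDBY")
NO_SESS = "Crypto session current status\n\n"   # standby that never synced

if __name__ == "__main__":
    print("healthy pair:", ha_health(ACTIVE_RED, ACTIVE_SESS, STANDBY_RED, STANDBY_SESS) or "ok")
    print("unsynced standby:", ha_health(ACTIVE_RED, ACTIVE_SESS, STANDBY_RED, NO_SESS))
```

Run it against the captured output of both peers after every config change and after each test failover; a missing UP-STANDBY copy is the symptom of the SCTP association (the `ipc zone` block) not being up, which `show redundancy inter-device` will confirm.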