provides the basis for more resilient and reliable
VPN design. Figure is a simple representation of a network
using HSRP to provide redundancy and resilience. With HSRP, a
set of routers works in concert to present the illusion of a
single virtual router to the hosts on the LAN. This set of
routers is called an HSRP group or a standby group. HSRP
selects a single router from the group that is responsible for
forwarding the packets that hosts send to the virtual router.
This router is known as the active router. Another router is
designated as the standby router. In the event that the active
router fails, the standby router assumes the packet-forwarding
duties of the active router. Although an arbitrary number of
routers may run HSRP, only the active router forwards the
packets that are sent to the virtual router. To minimize
network traffic, only the active and standby routers send
periodic HSRP messages after the protocol has completed the
election process. If the active router fails, the standby
router takes over as the active router. If the standby router
fails or becomes the active router, another router is
designated as the standby router. On a particular LAN, multiple
hot standby groups can coexist and overlap. Each standby group
emulates a single virtual router. The individual routers can
participate in multiple groups. In this case, the router
maintains a separate state and timer for each group. Each
standby group has a single, well-known MAC address as well as
an IP address.
3.6 Configuring High-Availability VPNs

3.6.4 HSRP for Default Gateway at Remote Site

The network shown in Figure uses HSRP at remote sites where devices behind the pair of IPsec gateways are configured with a static default gateway. To ensure that a single device failure can be mitigated, the default gateway points to an HSRP virtual IP address. This setup ensures that the default IP gateway is always present.
3.6.5 HSRP for Head-end IPsec Routers

The network shown in Figure uses HSRP to make the pair of head-end VPN routers appear as a single device. A failure of the primary device results in the IPsec tunnels failing, but the remote sites will reestablish the tunnels to the other router using the same peer address. Devices behind the head-end VPN routers can find the return path toward remote sites using one of these two mechanisms:

- HSRP on the inside interface, configured similarly to the HSRP on the outside interface
- Reverse Route Injection (RRI) to inject remote networks into an Interior Gateway Protocol (IGP) and distribute them to other routers in the network
3.6.6 IPsec Stateful Failover

When IPsec is configured as stateless failover, then when there is a failure, a tunnel will typically go down and have to be reestablished. Stateful failover ensures that when there is a failure, any tunnel that goes down is reestablished automatically without losing state. To provide a stateful failover, a pair of devices must run in a virtually identical environment (same hardware, software, configuration, and so forth) and exchange live information about IPsec SAs.

Restrictions for Stateful Failover for IPsec
When configuring redundancy for a VPN, these restrictions exist:

- Both the active and standby devices must run the identical Cisco IOS software release, and both the active and standby devices must be connected to each other via a hub or switch.
- Only the VPN Acceleration Module (VAM), VPN Acceleration Module 2 (VAM2), and Advanced Integration Module (AIM)-VPN/HPII hardware encryption accelerators are supported.
- Only "box-to-box" failover is supported; that is, intra-chassis failover is currently not supported.
- WAN interfaces between the active (primary) router and the standby (secondary) router are not supported. HSRP requires inside interfaces and outside interfaces to be connected via LANs.
- Load balancing is not supported; that is, no more than one device in a redundancy group can be active at any given time.
- Stateful failover of IPsec with Layer 2 Tunneling Protocol (L2TP) is not supported.
- IKE keepalives are not supported. Enabling this functionality will cause the connection to be torn down after the standby router assumes ownership control. However, DPD and periodic DPD are supported.
- IPsec idle timers are not supported when used with stateful failover.
- A stateful failover crypto map that is applied to an interface in a virtual routing and forwarding (VRF) instance is not supported. However, VRF-aware IPsec features are supported when a stateful failover crypto map is applied to an interface in the global VRF.
- Stateful failover is not compatible or interoperable with the State Synchronization Protocol (SSP) version of stateful failover (which is available in Cisco IOS Release 12.2YX1 and Cisco IOS Release 12.2SU).
Stateful failover for IPsec, introduced in Cisco IOS Release 12.3(11)T, enables a router to continue processing and forwarding IPsec packets after a planned or unplanned outage occurs. Customers employ a backup (secondary) router that automatically takes over the tasks of the active (primary) router if the active router loses connectivity for any reason. This process is transparent to the user and does not require adjustment or reconfiguration of any remote peer.

Stateful failover for IPsec works in conjunction with stateful switchover (SSO) and HSRP. HSRP provides network redundancy for IP networks, ensuring that user traffic immediately and transparently recovers from failures in network edge devices or access circuits. That is, HSRP monitors both the inside and outside interfaces so that if either interface goes down, the whole router is deemed to be down and ownership of IKE and IPsec SAs is passed to the standby router (which transitions to the HSRP active state). SSO allows the active and standby routers to share IKE and IPsec state information so that each router has enough information to become the active router at any time. To configure stateful failover for IPsec, you should enable HSRP, assign a virtual IP address, and enable the SSO protocol.

IPsec Stateful Failover Example

Figure illustrates a configuration for IPsec stateful failover. In the figure, the crypto map redundancy is configured with the stateful keyword, which requires HSRP to be configured in combination with SSO. The right part of the configuration example shows how the HSRP profile named VPNHA is configured to exchange IPsec state with the other HSRP router using Stream Control Transmission Protocol (SCTP) on source and destination port 12345.
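An added configuration example (not the course's figure or Cisco's own sample) for one router of the head-end pair described in 3.6.5 and 3.6.6: HSRP on both interfaces with mutual tracking, SSO state exchange over SCTP port 12345, the crypto map bound to the VPNHA group with the stateful keyword, and RRI for the return path. All addresses, group numbers, the access list and the pre-shared key placeholder are assumptions; the command syntax is that of Cisco IOS 12.3(11)T-era releases.

```cisco
! Added example, not the course's own config: router A of a head-end HSRP pair
! with IPsec stateful failover. Addresses, names and the PSK are constructed;
! router B mirrors this with its own real addresses on the same IOS release.
! SSO inter-device redundancy follows the HSRP group VPNHA
redundancy inter-device
 scheme standby VPNHA
! Channel over which IKE/IPsec SA state is replicated (SCTP, port 12345)
ipc zone default
 association 1
  no shutdown
  protocol sctp
   local-port 12345
    local-ip 10.0.0.2
   remote-port 12345
    remote-ip 10.0.0.3
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2
crypto isakmp key PSK_PLACEHOLDER address 203.0.113.10
crypto ipsec transform-set TS esp-aes esp-sha-hmac
! "stateful" mirrors SAs to the standby; reverse-route injects the remote
! network into the inside IGP (the RRI option from 3.6.5)
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set TS
 match address REMOTE-SITE
 reverse-route
crypto map VPN redundancy VPNHA stateful
!
! Outside interface: remote peers terminate on the virtual IP 192.0.2.1
interface GigabitEthernet0/0
 ip address 192.0.2.2 255.255.255.0
 standby 1 ip 192.0.2.1
 standby 1 name VPNHA
 standby 1 preempt
 standby 1 track GigabitEthernet0/1
 crypto map VPN
!
! Inside interface: tracking the outside link demotes the whole router
interface GigabitEthernet0/1
 ip address 10.0.0.2 255.255.255.0
 standby 2 ip 10.0.0.1
 standby 2 preempt
 standby 2 track GigabitEthernet0/0
!
ip access-list extended REMOTE-SITE
 permit ip 10.0.0.0 0.0.0.255 10.1.0.0 0.0.0.255
```

The peer router carries the same configuration with local-ip and remote-ip swapped; once a tunnel is up, the standby should list the same IKE and IPsec SAs (show crypto isakmp sa, show crypto ipsec sa) without forwarding any traffic until HSRP fails over.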
3.6.7 Backing Up a WAN Connection with an IPsec VPN

Figure shows a scenario in which an IPsec VPN backs up the WAN. A failure of the primary permanent virtual circuit (PVC) should result in the two sites rerouting onto the IPsec VPN. This result can easily be achieved if the same routing protocol that is used in the WAN is also deployed over the IPsec VPN. IGP metric tuning (for example, interface delay for Enhanced Interior Gateway Routing Protocol [EIGRP] or per-interface Open Shortest Path First [OSPF] cost) can be used to influence the primary and backup path selection.

Note

In order to operate an IGP across an IPsec tunnel, you should use GRE over IPsec, which provides a virtual point-to-point link. Alternatively, you can use a newer method in which virtual interfaces are used with native IPsec (no additional GRE headers are used). An alternative is to use native IPsec and configure floating static routes (that is, routes that have high administrative distance and, optionally, that are locally redistributed having a very high cost) for the VPN destination that points to the Internet. A lost route from the WAN results in the use of the floating static route toward the Internet. The floating static