CCNP ISCW Notes

1 Apr 2008

Chapter 15: IPsec High Availability Options

Common Sources of Failure

  • Access link failure - Failure of a physical interface or cable
  • Remote peer failure - Failure at the distant end
  • Device failure - Failure of some intermediary device in the VPN path
  • Path failure - A routing or circuit issue between VPN endpoints

IPsec Stateless Failover

In a stateless failover configuration, routers do not directly track the status of tunnels; a failure is discovered indirectly, by DPD keepalives, by an IGP losing its neighbor across the tunnel, or by HSRP moving the peer address to a surviving router, and the remote peer must then rebuild its SAs from scratch.

Dead Peer Detection (DPD)

DPD can operate in either periodic mode or on-demand mode.

Periodic mode:

  • Keepalive messages are sent between VPN peers periodically
  • Keepalives are only sent in the absence of normal data traffic
  • Keepalives are sent in addition to regular IPsec rekey messages

On-demand mode (default):

  • Keepalives are only sent when the health of the peer is suspect
  • Less overhead than periodic mode
  • Might not detect a dead peer until the IPsec SA expires and needs to be rekeyed

DPD configuration:

Router(config)# crypto isakmp keepalive <seconds> [<retries>] [periodic | on-demand]
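The difference between the two DPD modes is easiest to see as a timeline. The following is an added illustration, not Cisco code: a discrete-time model of the behaviour the notes describe, driven by the same `seconds` and `retries` values as `crypto isakmp keepalive`. It assumes (labelled in the code) that the peer is declared dead after five unanswered retries, and that a router in on-demand mode only sends a keepalive when it has outbound data and has heard nothing from the peer for `seconds`; if no keepalive is ever triggered, the dead peer is not noticed until the SA rekey fails.

```python
"""Toy model of IKE Dead Peer Detection timing (added example, not Cisco code).

Time is in whole seconds. While the peer is alive, it answers every keepalive and
also sends data every second, so a DPD probe is never needed. After the peer dies,
the local router can only learn about it through DPD (or a failed rekey).
"""

MAX_RETRIES = 5  # assumption: dead after this many unanswered retries


def simulate_dpd(mode, seconds, retries, peer_dies_at, outbound_traffic, rekey_at):
    """Return the time (s) at which the local router learns that the peer is dead.

    mode              'periodic' or 'on-demand'
    seconds           idle time before a keepalive is sent (periodic) or before an
                      outbound packet triggers one (on-demand)
    retries           interval between retries of an unanswered keepalive
    peer_dies_at      time at which the remote peer silently disappears
    outbound_traffic  times at which this router has data to send to the peer
    rekey_at          SA lifetime; a rekey at this time fails and exposes the dead peer
    """
    if mode not in ("periodic", "on-demand"):
        raise ValueError("mode must be 'periodic' or 'on-demand'")
    tx_times = set(outbound_traffic)
    last_rx = 0       # last time any traffic (data or DPD ack) arrived from the peer
    pending = None    # send time of the current unanswered keepalive
    missed = 0        # unanswered retries so far

    for t in range(rekey_at):
        if t < peer_dies_at:
            # Peer alive: inbound data every second, any probe answered at once.
            last_rx, pending, missed = t, None, 0
            continue

        if pending is not None:
            # A keepalive is outstanding; retry at the configured interval.
            if t - pending >= retries:
                missed += 1
                if missed >= MAX_RETRIES:
                    return t          # DPD declares the peer dead
                pending = t
            continue

        idle = t - last_rx
        if mode == "periodic" and idle >= seconds:
            pending = t               # probe purely because the link went quiet
        elif mode == "on-demand" and idle >= seconds and t in tx_times:
            pending = t               # probe only because we have data to send

    # No DPD verdict before the SA lifetime ran out: the failed rekey reveals it.
    return rekey_at


def compare_modes(seconds=10, retries=2, peer_dies_at=100, rekey_at=3600):
    """Detection time for the three cases the notes contrast."""
    steady_traffic = range(0, rekey_at, 30)
    return {
        "periodic": simulate_dpd("periodic", seconds, retries, peer_dies_at, [], rekey_at),
        "on-demand, outbound traffic": simulate_dpd(
            "on-demand", seconds, retries, peer_dies_at, steady_traffic, rekey_at),
        "on-demand, no outbound traffic": simulate_dpd(
            "on-demand", seconds, retries, peer_dies_at, [], rekey_at),
    }


if __name__ == "__main__":
    for case, when in compare_modes().items():
        print(f"{case:32s} peer dead at 100s, detected at {when}s")
```

With the defaults above, periodic mode notices the dead peer at 119 s and on-demand mode at 130 s when there is data to send, but without outbound data on-demand mode waits for the 3600 s rekey, which is the trade-off the last bullet under on-demand mode describes.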

IGP Within a GRE over IPsec Tunnel

An IGP such as EIGRP or OSPF is run between peers, treating the tunnels like normal Layer 3 links; when a tunnel fails, the routing protocol loses its neighbor and converges onto a surviving tunnel.

HSRP

HSRP is used on a pair of routers facing a peer, so that either will answer for the VPN peer address.

The HSRP group on an interface must be designated as providing IPsec redundancy with the redundancy command appended to the interface crypto map specification:

crypto map central-office 10 dynamic from-remote
!
interface FastEthernet1/0
 ! subnet mask assumed; the original notes omit it
 ip address 192.168.0.3 255.255.255.0
 standby 1 ip 192.168.0.1
 standby 1 name vpn-remote
 crypto map central-office redundancy vpn-remote

IPsec Stateful Failover

Stateful failover uses identical active and backup devices running HSRP and Stateful Switchover (SSO).

Inside and outside interfaces on the devices must be LAN interfaces.

Both modes of DPD (periodic and on-demand) are supported.

The HSRP configuration of an interface is similar to the stateless configuration, but with the addition of stateful to the interface crypto map specification:

crypto map central-office 10 dynamic from-remote
!
interface FastEthernet1/0
 ! subnet mask assumed; the original notes omit it
 ip address 192.168.0.3 255.255.255.0
 standby 1 ip 192.168.0.1
 standby 1 name vpn-remote
 crypto map central-office redundancy vpn-remote stateful

SSO is enabled by specifying the HSRP group as follows:

redundancy inter-device
 scheme standby vpn-remote

The Inter-device Communication Protocol (IPC) carries the IKE and IPsec SA state between the active and standby devices, and is configured as an IPC zone:

ipc zone default
 association 1
  protocol sctp
   local-port 12321
    local-ip 10.10.10.1
    retransmit-timeout 300 10000
    path-retransmit 10
    assoc-retransmit 20
   remote-port 12321
    remote-ip 10.10.20.1

Stream Control Transmission Protocol (SCTP) is used as the transport protocol. Local and remote port numbers must match.
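The pieces of a stateful failover configuration have to agree with each other: the `redundancy` keyword on the crypto map must name an HSRP group defined on the same interface, the `scheme standby` under `redundancy inter-device` must name that same group, the IPC association must use SCTP with matching local and remote ports, and the interfaces must be LAN interfaces. The following added checker (not Cisco code, and not from the original notes) parses an indented IOS configuration snippet into a tree and reports each of those mismatches. The sample configuration it carries is the one from this chapter, with an assumed subnet mask.

```python
"""Sanity checks for an IOS IPsec stateful-failover configuration (added example)."""
import re

# Constructed sample: the chapter's configuration, with an assumed /24 mask.
SAMPLE_CONFIG = """\
crypto map central-office 10 dynamic from-remote
!
interface FastEthernet1/0
 ip address 192.168.0.3 255.255.255.0
 standby 1 ip 192.168.0.1
 standby 1 name vpn-remote
 crypto map central-office redundancy vpn-remote stateful
!
redundancy inter-device
 scheme standby vpn-remote
!
ipc zone default
 association 1
  protocol sctp
   local-port 12321
    local-ip 10.10.10.1
    retransmit-timeout 300 10000
    path-retransmit 10
    assoc-retransmit 20
   remote-port 12321
    remote-ip 10.10.20.1
"""


def parse_ios(text):
    """Turn an indented IOS configuration into a list of (line, children) nodes."""
    root = []
    stack = [(-1, root)]  # (indent, child list) for each open block
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        node = (raw.strip(), [])
        while stack[-1][0] >= indent:   # close blocks at the same or deeper indent
            stack.pop()
        stack[-1][1].append(node)
        stack.append((indent, node[1]))
    return root


def walk(nodes):
    """Yield every line in a subtree, depth first."""
    for line, children in nodes:
        yield line
        yield from walk(children)


def check_failover_config(text):
    """Return a list of findings (empty when the configuration is consistent)."""
    findings, standby, refs, ports = [], {}, [], {}
    scheme = protocol = None
    for line, children in parse_ios(text):
        if line.startswith("interface "):
            names = set()
            for sub, _ in children:
                if m := re.fullmatch(r"standby \d+ name (\S+)", sub):
                    names.add(m.group(1))
                if m := re.fullmatch(r"crypto map \S+ redundancy (\S+)( stateful)?", sub):
                    refs.append((line, m.group(1), bool(m.group(2))))
                if re.fullmatch(r"ip address \S+", sub):   # address with no mask
                    findings.append(f'{line}: "ip address" lacks a subnet mask')
            standby[line] = names
        elif line == "redundancy inter-device":
            for sub, _ in children:
                if m := re.fullmatch(r"scheme standby (\S+)", sub):
                    scheme = m.group(1)
        elif line.startswith("ipc zone"):
            for sub in walk(children):
                if m := re.fullmatch(r"protocol (\S+)", sub):
                    protocol = m.group(1)
                if m := re.fullmatch(r"(local|remote)-port (\d+)", sub):
                    ports[m.group(1)] = int(m.group(2))

    for iface, group, stateful in refs:
        if group not in standby[iface]:
            findings.append(f'{iface}: redundancy group "{group}" has no "standby <n> name {group}"')
        if not stateful:
            continue
        if not re.match(r"interface (\w*Ethernet|Vlan)", iface):
            findings.append(f"{iface}: stateful failover requires a LAN interface")
        if scheme != group:
            findings.append(f'{iface}: "scheme standby" is {scheme!r}, expected "{group}"')
        if protocol != "sctp":
            findings.append('ipc zone: stateful failover requires "protocol sctp"')
        if ports.get("local") != ports.get("remote"):
            findings.append(f"ipc zone: local-port {ports.get('local')} != remote-port {ports.get('remote')}")
    return findings


if __name__ == "__main__":
    print(check_failover_config(SAMPLE_CONFIG) or "configuration is consistent")
```

Feeding it the chapter's configuration returns no findings; changing either port, dropping the `standby 1 name` line, or pointing `scheme standby` at a different group name produces one finding per mistake.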

Gerard Metoho-Eke commented on 11 Sep 2008 at 7:24 a.m.

One of the best summaries I have seen. It makes life easier and is time well spent. Good job. Gerard

sam commented on 15 Sep 2008 at 3:18 a.m.

nice work
