inter-device device redundancy for IPSEC

Unanswered Question
Sep 14th, 2007

Hi, I have a pair of 2821 routers which are configured as IPSEC hubs with inter-device redundancy. I use 2 interfaces with HSRP "HA-OUT" to terminate IPSEC over VTI tunnels and 2 interfaces with HSRP "HA-OUT-ENC" for encapsulated IPSEC. The question now is: can I have redundancy inter-device, scheme standby HA-OUT and scheme standby HA-OUT-ENC?

umedryk Fri, 09/21/2007 - 08:25

The following link discusses IPSEC redundancy.

The debug dialer and several show command outputs displayed here show the primary link as failed, and dialer watch recognizes the lost route. The router then initiates the backup link and OSPF converges through the secondary link. Each time the idle timeout expires, the router checks whether the primary link is down. If the primary link is found to be up, dialer watch disconnects the backup link after the disable timer expires and tears down the call, and OSPF converges by way of the primary link as usual.

hwouters Fri, 09/21/2007 - 11:07

Hi,

I was talking about stateful HA IPSEC redundancy. The problem I have is that you configure an SCTP connection between the 2 devices over which they exchange state. This SCTP connection is linked with the HSRP group that is configured on the interfaces, but you cannot link it at the same time to a second HSRP group.

redundancy inter-device
 scheme standby HA-out
 security ipsec sso-secure

You cannot add a second scheme in here.

And that is what I'd like to do.

