VPN Peer and failover

Answered Question
Feb 14th, 2008

Is it possible to have redundancy - say HSRP - as part of a VPN infrastructure? That is - could the peer IP address be an HSRP or VRRP VIP? If not - and you wanted redundancy of two VPN routers, what mechanism would be used for failover? Thanks.

Correct Answer
acraick Thu, 02/14/2008 - 16:06

I've actually recently been looking into this myself and there are a few different options depending on your platforms and design.


VPN head end stateful failover on 7200s and 3600s. This allows for the stateful failover of IPSEC tunnels from a primary router to a secondary.


http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00802d03f2.html


IPSEC failover using HSRP and Reverse Route Injection. Stateless IOS based tunnel failover. Closer to what you want if you're using IOS VPN.


http://www.cisco.com/en/US/partner/tech/tk583/tk372/technologies_tech_note09186a00800942f7.shtml


As I'm using ASA at the head end and IOS at the remote, I am currently looking at using static virtual tunnel interfaces at the remote sites with HSRP tracking these VTI interfaces, with fail-over based on the tunnel status. Not entirely sure whether HSRP can track VTI interfaces, but I assume it can.


http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a008041faef.html


The only other question this leaves me with is how the ASA handles routing where it has multiple tunnels from two different endpoints. Anyone know?
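To make the two stateless options in the answer above concrete, here is an added IOS configuration example; it is not from the thread, from Cisco's documents, or from any real deployment. The first part shows a head-end router pair where the remote peer points at the HSRP VIP and Reverse Route Injection announces the remote subnet from whichever router is active. The second part shows a remote site running HSRP tracked against a static VTI, which is what the answer proposes (it assumes the VTI's line protocol follows the IPsec SA state, which is how static IPsec VTIs behave). All addresses, names, interface numbers and the pre-shared key are constructed placeholders.

```cisco
! ===== Head end: R1 of an HSRP pair (R2 is identical except for its own
! ===== interface addresses and a lower "standby priority"). Constructed example.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
! Placeholder key; the real one lives in a secrets store, not in a post.
crypto isakmp key PLACEHOLDER-PSK address 203.0.113.10
! Dead Peer Detection: lets the remote notice a dead head end quickly,
! so it re-keys to the VIP (now owned by the other router) after failover.
crypto isakmp keepalive 10 3
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
!
crypto map VPNMAP 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set TS
 match address VPN-TRAFFIC
 ! RRI: the router that holds the SA installs a static route to the
 ! remote subnet; redistributing it below pulls inside traffic to the
 ! active router. The standby has no SA, so it installs no route.
 reverse-route
!
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
! Outside HSRP group; "standby name" is what the crypto map references.
interface GigabitEthernet0/0
 description Outside
 ip address 198.51.100.2 255.255.255.0
 standby 1 ip 198.51.100.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 name VPN-HSRP
 ! Step down if the inside link fails, so the VIP and the SAs move together.
 standby 1 track 10 decrement 20
 ! "redundancy" binds the map to the HSRP group: the VIP becomes the
 ! local IKE/IPsec address, so the remote peers with 198.51.100.1, not R1.
 crypto map VPNMAP redundancy VPN-HSRP
!
! Inside HSRP group so return traffic also prefers the same router.
interface GigabitEthernet0/1
 description Inside
 ip address 10.1.0.2 255.255.0.0
 standby 2 ip 10.1.0.1
 standby 2 priority 110
 standby 2 preempt
 standby 2 track 11 decrement 20
!
track 10 interface GigabitEthernet0/1 line-protocol
track 11 interface GigabitEthernet0/0 line-protocol
!
router ospf 1
 network 10.1.0.0 0.0.255.255 area 0
 ! Advertise the RRI route; it exists only on the router holding the SA.
 redistribute static subnets
!
! ===== Remote site: one of two IOS routers with a static VTI to the head end.
! ===== HSRP on the LAN side tracks the tunnel, as the answer proposes.
crypto ipsec profile VTI-PROF
 set transform-set TS
!
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
!
! Line protocol on a static IPsec VTI is up only while the SA is up
! (assumption stated in the lead-in), so this track follows tunnel status.
track 20 interface Tunnel0 line-protocol
!
interface GigabitEthernet0/1
 description Site LAN
 ip address 10.2.0.2 255.255.0.0
 standby 3 ip 10.2.0.1
 standby 3 priority 110
 standby 3 preempt
 ! Drop below the peer router's priority when the tunnel is down.
 standby 3 track 20 decrement 30
!
ip route 10.1.0.0 255.255.0.0 Tunnel0
```

Because this is the stateless option, a failover drops the existing SAs: the remote must detect the dead peer (hence DPD) and renegotiate against the VIP, so expect a gap of the DPD interval plus IKE setup rather than the seamless switch the stateful 7200/3600 feature gives. Two checks worth running after configuring it: `show standby brief` on both head-end routers to confirm only one is Active, and `show ip route static` to confirm the RRI route appears on the active router and is absent on the standby.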