VPN Peer and failover

Answered Question
Feb 14th, 2008

Is it possible to have redundancy - say HSRP - as part of a VPN infrastructure? That is - could the peer IP address be an HSRP or VRRP VIP? If no - and you wanted redundancy of two VPN routers, what mechanism would be used for failover? Thanks.

Correct Answer by acraick about 8 years 11 months ago

I've actually recently been looking into this myself and there are a few different options depending on your platforms and design.

VPN head end stateful failover on 7200s and 3600s. This allows for the stateful failover of IPSEC tunnels from a primary router to a secondary.

http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00802d03f2.html

IPSEC failover using HSRP and Reverse Route Injection. Stateless IOS-based tunnel failover. Closer to what you want if you're using IOS VPN.

http://www.cisco.com/en/US/partner/tech/tk583/tk372/technologies_tech_note09186a00800942f7.shtml

As I'm using ASA at the head end and IOS at the remote, I am currently looking at using static virtual tunnel interfaces at the remote sites with HSRP tracking these VTI interfaces, with fail-over based on the tunnel status. Not entirely sure whether HSRP can track VTI interfaces but I assume it can.

http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a008041faef.html

The only other question this leaves me with is how does the ASA handle routing where it has multiple tunnels from two different endpoints. Anyone know?
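For the second option above (stateless IPsec failover with HSRP and Reverse Route Injection), here is an added example IOS configuration for one of the two head-end routers; it is not from this thread or from the linked Cisco documents, and all addresses, interface names, group names and keys are constructed placeholders.

```text
! Router A of an HSRP pair. Remote peers address the HSRP virtual IP
! (198.51.100.1), so the tunnel survives the loss of either physical router.
! Router B is configured identically except for its own interface address
! (198.51.100.3) and "standby 1 priority 100".
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 14
crypto isakmp key REPLACE_WITH_STRONG_PSK address 203.0.113.10
! Dead peer detection so a stale SA is torn down after a failover
crypto isakmp keepalive 10 3
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
!
! reverse-route injects a static route to the remote subnet on whichever
! router currently holds the SA; the IGP then carries it to the inside network
crypto map VPNMAP 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set TS
 match address VPN-ACL
 reverse-route
!
ip access-list extended VPN-ACL
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
! Track the inside interface so HSRP also fails over when the LAN side dies
track 1 interface GigabitEthernet0/1 line-protocol
!
interface GigabitEthernet0/0
 description Outside - IPsec peers use the HSRP VIP 198.51.100.1
 ip address 198.51.100.2 255.255.255.0
 standby 1 ip 198.51.100.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 name VPNHA
 standby 1 authentication md5 key-string REPLACE_WITH_HSRP_KEY
 standby 1 track 1 decrement 20
 ! bind the crypto map to the HSRP group so IKE/IPsec use the VIP as source
 crypto map VPNMAP redundancy VPNHA
!
router ospf 1
 redistribute static subnets
```

Because this is stateless, the SAs are rebuilt by the standby router after it takes over; the remote peer must detect the dead SA (hence the DPD keepalives) before it renegotiates, and the HSRP MD5 authentication is there because an unauthenticated HSRP group lets any host on the outside segment claim the VIP and with it the tunnel endpoint.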
