VPN IPSEC HA

Unanswered Question
Feb 18th, 2010

I would like to know if it is possible, or if there is a document with guidelines on how to configure/create the following configuration:

- Headquarters with two 1800 routers (let’s call them R1 and R2)

- Branch offices with 800 routers (R3 and R4)

The R2 router must be the one with higher priority for VPN connections. In addition, the R1 router must provide Internet connectivity to users on the headquarters’ LAN.

Branch offices must connect through IPSec tunneling (NO GRE) to the headquarters router R1, with redundant availability through R2 in case of failure.

There are remote Windows clients that, through IPSec VPN, must be able to tunnel to routers R1 and R2.

The idea is to have redundancy on the VPNs and, in addition, to have remote clients that connect through the Cisco VPN client.

Thanks a lot,

Lei Tian Thu, 02/18/2010 - 07:21

Hi,

You can take a look at EZVPN. EZVPN supports site-to-site VPN and remote access via the VPN client. You can use the 1800 as your EZVPN server and the 800 as your EZVPN remote. Here is the link for the EZVPN supported platforms and required IOS:

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps6659/eprod_qas0900aecd805358e0.html

For redundancy, you can configure 2 peers on the 800 EZVPN remote router; when the primary peer fails, it will automatically build an SA with the 2nd peer. The downside is that there is no preempt feature for backup, which means that when your primary peer comes back it will not switch over. Here is the link for the EZVPN configuration guide:

http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_easy_vpn_srvr_ps10591_TSD_Products_Configuration_Guide_Chapter.html

HTH,

Lei Tian
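To make the EZVPN layout described in the answer above concrete, here is an added configuration example (written for this page, not Lei Tian's own config nor taken from the Cisco guides). It assumes documentation addresses 203.0.113.1 (R1) and 203.0.113.2 (R2) on the WAN, 10.0.0.0/24 for the HQ LAN and 10.3.0.0/24 for branch R3, the fixed-config 1800/800 interface names FastEthernet0 / FastEthernet4 / Vlan1, and placeholder group and user credentials; all of these are assumptions to be replaced. The server side is shared by the 800 routers (network-extension mode) and the Cisco VPN client users (who get addresses from the pool); the remote side lists R2 first so it is tried first and R1 is used only as a backup, which is the preference the question asks for.

```cisco
! ===== R1 and R2 (1800, EZVPN server) =====
! Identical on both routers except for the WAN address; all names and keys are assumed.
aaa new-model
aaa authentication login EZVPN-XAUTH local
aaa authorization network EZVPN-GROUP local
! Per-user XAUTH credentials (local for the example; a RADIUS server is the usual choice)
username branch3 password 0 Branch3Pass
username branch4 password 0 Branch4Pass
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
! Dead peer detection: probe every 10 s, retry every 3 s, so a dead peer is noticed quickly
crypto isakmp keepalive 10 3 periodic
!
! One group serves both the 800 remotes and the Windows VPN clients
crypto isakmp client configuration group BRANCH
 key GroupPreSharedKey
 pool EZVPN-POOL
 acl 120
!
! Addresses handed to client-mode users (Cisco VPN client); NEM remotes keep their own LAN
ip local pool EZVPN-POOL 10.99.0.1 10.99.0.254
! Split-tunnel list: only HQ LAN traffic goes through the tunnel
access-list 120 permit ip 10.0.0.0 0.0.0.255 any
!
crypto ipsec transform-set EZVPN-TS esp-aes esp-sha-hmac
crypto dynamic-map EZVPN-DYN 10
 set transform-set EZVPN-TS
 reverse-route
!
crypto map EZVPN-MAP client authentication list EZVPN-XAUTH
crypto map EZVPN-MAP isakmp authorization list EZVPN-GROUP
crypto map EZVPN-MAP client configuration address respond
crypto map EZVPN-MAP 10 ipsec-isakmp dynamic EZVPN-DYN
!
interface FastEthernet0
 description WAN (R1 = 203.0.113.1, R2 = 203.0.113.2)
 ip address 203.0.113.1 255.255.255.0
 crypto map EZVPN-MAP

! ===== R3 (800, EZVPN remote); R4 differs only in its LAN and username =====
crypto isakmp keepalive 10 3 periodic
!
crypto ipsec client ezvpn HQ
 connect auto
 group BRANCH key GroupPreSharedKey
 mode network-extension
 ! Peers are tried in the order listed: R2 is preferred, R1 is the backup
 peer 203.0.113.2
 peer 203.0.113.1
 username branch3 password Branch3Pass
 xauth userid mode local
!
interface FastEthernet4
 description WAN (address from the ISP)
 ip address dhcp
 crypto ipsec client ezvpn HQ
!
interface Vlan1
 description branch LAN 10.3.0.0/24
 ip address 10.3.0.1 255.255.255.0
 crypto ipsec client ezvpn HQ inside
```

Because there is no preempt, a remote that has failed over to R1 stays on R1 after R2 returns; `show crypto ipsec client ezvpn` on the 800 shows which peer is in use, and `clear crypto ipsec client ezvpn HQ` tears the tunnel down so the remote walks the peer list again from R2.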

ROBERTO TACCON Fri, 02/19/2010 - 03:02

Stateful Failover for IPSec

"Stateful failover for IP Security (IPSec) enables a router to continue processing and forwarding IPSec packets after a planned or unplanned outage occurs"

"SSO allows the active and standby routers to share IKE and IPSec state information so that each router has enough information to become the active router at any time. To configure stateful failover for IPSec, a network administrator should enable HSRP, assign a virtual IP address, and enable the SSO protocol."

*** URL:

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t11/feature/guide/gt_topht.html

*** HARDWARE compatible:

http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp

search for "Stateful Failover for IPSec"

*** brief considerations:

- Two methods for stateless failover:

1) IKE SA keepalives:

       - allows detection of loss of connectivity between peers.

       - Default is a 10 sec keepalive interval. 3 misses and the peer is declared dead. Then the new peer needs to negotiate, so overall failover time can be up to 2 minutes.

       - Remote router uses 2 peer statements to the 2 head-end routers

       - Feature is not universally available.

       - There is no switchover back to primary until the IKE SA lifetime expires (24hour default)

2) GRE tunnels

       - remote site has 2 GRE tunnels.

       - can run a routing protocol across the tunnels. Failover is accomplished via the routing protocol.

       - failover time is significantly lower since both SAs are already up; it is governed by the RP convergence time.

       - for IOS routers.

HTH,
Roberto Taccon
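The stateful failover quoted above (HSRP plus SSO sharing IKE/IPsec state) looks like the following on the two head-end routers. This is an added example written for this page, not Roberto Taccon's config nor the feature guide's text, and it assumes interface names FastEthernet0 (inside) and FastEthernet1 (outside), addresses 10.0.0.1/.2 inside and 203.0.113.1/.2 outside with virtual addresses 10.0.0.254 and 203.0.113.10, HSRP group names HA-IN and HA-OUT, SCTP port 5000 for the state sync, and a placeholder pre-shared key. Before relying on it, check the Feature Navigator link above for the exact platform and IOS release: where the feature is not listed, only the stateless options in the post apply.

```cisco
! ===== R1 (active by priority); R2 is identical except the physical addresses
! and the local-ip / remote-ip pair are swapped. All crypto settings (policies,
! keys, transform sets, maps) must match exactly, since the standby takes over
! the active router's SAs and the branches only ever see the virtual IP.
!
! --- inter-device redundancy: HSRP group HA-IN decides who is active,
!     SCTP between the inside addresses carries IKE/IPsec state
redundancy inter-device
 scheme standby HA-IN
!
ipc zone default
 association 1
  no shutdown
  protocol sctp
   local-port 5000
    local-ip 10.0.0.1
   remote-port 5000
    remote-ip 10.0.0.2
!
! --- crypto: one dynamic map accepting branches whose WAN address is not known
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key BranchPreSharedKey address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set HA-TS esp-aes esp-sha-hmac
crypto dynamic-map HA-DYN 10
 set transform-set HA-TS
 reverse-route
crypto map HA-MAP 10 ipsec-isakmp dynamic HA-DYN
!
! --- inside (HQ LAN): HSRP group referenced by "scheme standby";
!     tracking the WAN port so a WAN failure moves both groups together
interface FastEthernet0
 ip address 10.0.0.1 255.255.255.0
 standby delay reload 120
 standby 1 ip 10.0.0.254
 standby 1 name HA-IN
 standby 1 priority 110
 standby 1 preempt
 standby 1 track FastEthernet1
!
! --- outside (WAN): branches and VPN clients peer with 203.0.113.10 only;
!     "redundancy ... stateful" binds the crypto map to the virtual address
!     and turns on SA state replication to the standby
interface FastEthernet1
 ip address 203.0.113.1 255.255.255.0
 standby delay reload 120
 standby 2 ip 203.0.113.10
 standby 2 name HA-OUT
 standby 2 priority 110
 standby 2 preempt
 standby 2 track FastEthernet0
 crypto map HA-MAP redundancy HA-OUT stateful
```

Because both HSRP groups preempt, the pair does switch back when the preferred router returns, which is the behaviour the stateless two-peer approach in the post cannot give; `show standby brief` shows which router is active, `show redundancy inter-device` shows the SSO state, and `show crypto isakmp sa` on the standby should list the same IKE SAs as the active router once synchronisation is up.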
