IPsec Headend redundancy (failover)

Unanswered Question
Jun 8th, 2010

We have two geographically separated datacenters. Our primary data center has a VPN headend device that many external organizations connect to (IPsec S2S VPN). We would like to set up a DR VPN headend device in our backup data center. Now the problem is we would like to do that without changing anything on the remote end (no change for the external organizations, transparent failover). Is there any way to achieve this?

Jay Young Fri, 06/25/2010 - 11:55

The only type of transparent failover that is offered uses HSRP or ASAs in failover mode. Naturally this will require both boxes to be in the same subnet in the same datacenter. If you are trying to achieve backup you can do so, but it will require alteration on the remote peer. Within the crypto map they can configure multiple "set peer" IP addresses. They will try to connect to the first IP and then the second in the list.

You will need to have some routing protocol and Reverse Route Injection running in your network too, so that when the tunnel fails over routing within your network will be handled correctly.

Another option to consider (since you'll need to have the remote end make config changes) is to have them run site-to-site VPNs to both data centers and use a GRE tunnel over the IPsec. Then you can dynamically fail over from one tunnel to the next. Unfortunately this doesn't necessarily scale that well to a large number of sites.
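As an added illustration of the multiple "set peer" plus Reverse Route Injection design described in the answer above (this is example configuration written for this page, not something the poster or Cisco supplied): a crypto-map based remote router that lists both headends, and a headend configuration that is identical in each datacenter apart from its public address. Assumptions, all mine: Cisco IOS 15.x syntax, documentation-range addresses (203.0.113.1 for the DC1 headend, 198.51.100.1 for the DC2 headend, 192.0.2.10 for the remote site's public address, 10.10.0.0/24 behind the remote, 10.0.0.0/16 behind the headends), OSPF as the internal routing protocol, and `<pre-shared-key>` as a placeholder for the real key.

```cisco
! ===== Remote organisation's router (assumed: Cisco IOS, crypto-map S2S) =====
! Example addresses (constructed for this page):
!   203.0.113.1 = DC1 headend   198.51.100.1 = DC2 headend
!   10.10.0.0/24 = remote LAN   10.0.0.0/16 = networks behind the headends
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! The same key is configured for both headends, so the remote side only
! needs one extra "address" line and one extra "set peer" to gain DR.
crypto isakmp key <pre-shared-key> address 203.0.113.1
crypto isakmp key <pre-shared-key> address 198.51.100.1
! Dead Peer Detection: without it an established SA to a dead headend is
! only noticed when the SA lifetime expires, so failover would be very slow.
crypto isakmp keepalive 10 3 periodic
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
ip access-list extended VPN-ACL
 permit ip 10.10.0.0 0.00.255 10.0.0.0 0.0.255.255
crypto map CM 10 ipsec-isakmp
 ! Peers are tried in the order listed: primary first, DR second.
 set peer 203.0.113.1
 set peer 198.51.100.1
 set transform-set TS
 match address VPN-ACL
interface GigabitEthernet0/0
 description Internet (192.0.2.10 in this example)
 crypto map CM

! ===== Headend in EACH datacenter (only the public address differs) =====
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! Per-peer key for this remote organisation (avoid a 0.0.0.0 wildcard key:
! it lets any host that learns the key negotiate with the headend).
crypto isakmp key <pre-shared-key> address 192.0.2.10
crypto isakmp keepalive 10 3 periodic
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto dynamic-map DYN 10
 set transform-set TS
 ! Reverse Route Injection: while the SA is up, a static route to the
 ! remote's protected network (10.10.0.0/24) is installed on this box and
 ! removed when the SA goes away.
 reverse-route
crypto map CM 100 ipsec-isakmp dynamic DYN
interface GigabitEthernet0/0
 description Internet (203.0.113.1 in DC1, 198.51.100.1 in DC2)
 crypto map CM
! Redistribute the injected statics into the IGP so the rest of the
! internal network follows the remote prefix to whichever datacenter
! currently holds the SA.
router ospf 1
 redistribute static subnets
 network 10.0.0.0 0.0.255.255 area 0
```

Two things worth checking on a deployment of this kind: the remote only moves to the second peer once IKE to the first fails (retransmissions exhausted or DPD declares the peer dead), so the DPD interval bounds the outage; and after the remote has re-established with DC2, the DC2 headend's injected static route must actually win in the IGP, which is easy to confirm with `show ip route 10.10.0.0` on a core router in each datacenter during a failover test.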
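The GRE-over-IPsec alternative from the last paragraph, again as an added example written for this page rather than the poster's configuration: the remote site builds one protected GRE tunnel to each datacenter and runs the routing protocol across both, so the routing protocol, not the crypto map, decides which datacenter carries traffic. Assumptions are the same constructed addresses and placeholder key as above, Cisco IOS 15.x, OSPF with a lower cost on the DC1 tunnel so DC1 is preferred while it is reachable, and 172.16.1.0/30 and 172.16.2.0/30 as the tunnel point-to-point subnets.

```cisco
! ===== Remote organisation's router: two GRE tunnels, each IPsec protected =====
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <pre-shared-key> address 203.0.113.1
crypto isakmp key <pre-shared-key> address 198.51.100.1
crypto isakmp keepalive 10 3 periodic
! Transport mode is sufficient: GRE already supplies the outer IP header.
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile IPSEC-PROF
 set transform-set TS
interface Tunnel1
 description GRE to DC1 headend (preferred)
 ip address 172.16.1.2 255.255.255.252
 ip ospf cost 10
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.1
 tunnel protection ipsec profile IPSEC-PROF
interface Tunnel2
 description GRE to DC2 headend (backup)
 ip address 172.16.2.2 255.255.255.252
 ip ospf cost 100
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.1
 tunnel protection ipsec profile IPSEC-PROF
! OSPF adjacencies run inside both tunnels; when DC1 stops answering,
! the neighbor times out (default dead interval 40 s) and the routes via
! Tunnel2 take over without any change to the crypto configuration.
router ospf 1
 network 172.16.1.0 0.0.0.3 area 0
 network 172.16.2.0 0.0.0.3 area 0
 network 10.10.0.0 0.0.0.255 area 0

! ===== DC1 headend (DC2 is the mirror image with its own addresses) =====
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <pre-shared-key> address 192.0.2.10
crypto isakmp keepalive 10 3 periodic
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile IPSEC-PROF
 set transform-set TS
! One tunnel interface per remote organisation: this is the part that
! does not scale to a large number of sites, as the answer notes.
interface Tunnel1
 description GRE to remote org A
 ip address 172.16.1.1 255.255.255.252
 ip ospf cost 10
 tunnel source GigabitEthernet0/0
 tunnel destination 192.0.2.10
 tunnel protection ipsec profile IPSEC-PROF
router ospf 1
 network 172.16.1.0 0.0.0.3 area 0
 network 10.0.0.0 0.0.255.255 area 0
```

Failover time here is governed by the OSPF dead interval on the tunnel interfaces (tunable with `ip ospf hello-interval` / `ip ospf dead-interval`), and because both tunnels stay up in normal operation there is no IKE renegotiation on the failover path. The cost is operational: every remote site needs its own tunnel interface and OSPF adjacency on each headend.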

