Cisco Support Community
New Member

Client to Site VPN and Stateful Failover

I am using stateful failover, and when I fail over from one PIX to the other, the VPN clients' security associations are lost.

Does the PIX replicate SA information? It appears not; however, I suspect it should work.

2 REPLIES
New Member

Re: Client to Site VPN and Stateful Failover

The PIX does not yet share key material or SA material (IKE or IPsec) between devices. It is pipelined on the roadmap.

-- Russell Rice

New Member

Re: Client to Site VPN and Stateful Failover

For the PIX or any other IPsec device to achieve stateful failover of the IPsec session would mean that they would have to share either the session keys or the Diffie-Hellman seed values. These are at the center of the IPsec algorithm and must be protected at all costs. If they share any of these values and they get compromised, the data can then be decrypted. I would rather give up stateful failover of the IPsec session than risk compromising the confidentiality of the data. Use IKE keep-alives; at least you will get failover, albeit not stateful.

Just my two cents worth.
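The two replies describe a trade-off without showing it: a standby unit that never received the SA (SPI plus session key) cannot authenticate the client's ESP traffic after a failover, and IKE keepalives are what let the client notice the dead peer and renegotiate. The model below is an added illustration, not code from this thread or from Cisco. The Gateway, FailoverPair, VpnClient and simulate names are hypothetical; the session keys are random bytes standing in for the Diffie-Hellman-derived keys the second reply mentions, and the keepalive timer is counted in packets rather than seconds. Run simulate(False) to see the behaviour the original poster reports and simulate(True) to see what SA replication would change.

```python
"""Client-to-site IPsec failover with and without SA replication (constructed model)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


@dataclass
class SecurityAssociation:
    """One client's IKE + IPsec state, collapsed to the parts that matter here."""
    spi: int
    key: bytes  # session key; in real IKE it is derived from the DH exchange


def esp_icv(key: bytes, spi: int, payload: bytes) -> bytes:
    """Integrity check value over SPI + payload, keyed by the SA's session key."""
    return hmac.new(key, spi.to_bytes(4, "big") + payload, hashlib.sha256).digest()


@dataclass
class Gateway:
    name: str
    sas: dict = field(default_factory=dict)  # spi -> SecurityAssociation

    def negotiate(self) -> SecurityAssociation:
        # Stand-in for IKE phase 1/2: a fresh SPI and a fresh random session key.
        sa = SecurityAssociation(int.from_bytes(os.urandom(4), "big"), os.urandom(32))
        self.sas[sa.spi] = sa
        return sa

    def receive_esp(self, spi: int, payload: bytes, icv: bytes) -> str:
        sa = self.sas.get(spi)
        if sa is None:
            return "drop: unknown SPI"  # no state for this client at all
        if not hmac.compare_digest(esp_icv(sa.key, spi, payload), icv):
            return "drop: bad ICV"
        return "accept"

    def answer_keepalive(self, spi: int) -> bool:
        # A keepalive reply is protected by the IKE SA, so a unit without
        # that SA cannot produce one.
        return spi in self.sas


@dataclass
class FailoverPair:
    active: Gateway
    standby: Gateway
    replicate_sas: bool  # True models the feature the thread says the PIX lacks

    def failover(self) -> None:
        if self.replicate_sas:
            # This is the step that would put session keys on the failover link.
            self.standby.sas = dict(self.active.sas)
        self.active, self.standby = self.standby, self.active


@dataclass
class VpnClient:
    pair: FailoverPair
    keepalive_every: int = 5    # packets between keepalives (the keepalive interval)
    keepalive_retries: int = 3  # misses before the client declares the peer dead
    sa: SecurityAssociation = None
    missed: int = 0
    renegotiations: int = 0

    def __post_init__(self) -> None:
        self.sa = self.pair.active.negotiate()

    def send(self, payload: bytes) -> str:
        # ESP gives the sender no feedback on drops; only the keepalive does.
        icv = esp_icv(self.sa.key, self.sa.spi, payload)
        return self.pair.active.receive_esp(self.sa.spi, payload, icv)

    def keepalive(self) -> None:
        if self.pair.active.answer_keepalive(self.sa.spi):
            self.missed = 0
            return
        self.missed += 1
        if self.missed >= self.keepalive_retries:
            # Peer declared dead: tear down the SA and run IKE again.
            self.sa = self.pair.active.negotiate()
            self.renegotiations += 1
            self.missed = 0


def simulate(replicate_sas: bool, failover_at: int = 10, packets: int = 40) -> dict:
    """Count packets the cluster drops around a failover at step `failover_at`."""
    pair = FailoverPair(Gateway("pix-primary"), Gateway("pix-secondary"), replicate_sas)
    client = VpnClient(pair)
    dropped = 0
    for t in range(1, packets + 1):
        if t == failover_at:
            pair.failover()
        if client.send(b"constructed payload %d" % t) != "accept":
            dropped += 1
        if t % client.keepalive_every == 0:
            client.keepalive()
    return {"dropped": dropped, "renegotiations": client.renegotiations, "active": pair.active.name}


if __name__ == "__main__":
    print("no SA replication, IKE keepalives:", simulate(False))
    print("SA replication:", simulate(True))
```

Without replication the secondary drops every packet on the old SPI until three keepalives go unanswered, at which point the client rebuilds the tunnel; with replication nothing is dropped, at the cost of the session keys having crossed to a second device, which is exactly the exposure the second reply objects to.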
