IPsec failover without losing session

a.diot
Level 1

Hi all,

I've heard that it is possible to perform IPsec failover without losing sessions, with IOS/IPsec routers, a tunnel and a routing protocol.

How does it work?

Do I need HSRP on inside and outside?

How can I detect if the IPsec tunnel on router 1 is down, and force the second one to become the active router?

A sample config or link would be useful.

Thanks

2 Replies

gfullage
Cisco Employee

Stateful failover of IPSec is not available as yet in IOS, although they are talking about it. The best you can do at the moment is point your IPSec router to an HSRP address at the head-end, and then use the following:

http://www.cisco.com/warp/public/707/ipsec_feat.html

Note the "crypto map redundancy" option on the interface.

mjbriggs
Level 1

Hi,

Just setting this up myself! The only IOS that supports HSRP and VPN tunnels is, I believe, 12.2-8.T5, but this will NOT permit stateful tracking of the IPSEC tunnel, so if the HSRP group changes you will lose all current sessions. Try looking for IPsec VPN High Availability Enhancements under ver 12.2, but unless this feature is migrated to other IOS releases I would suspect some other form of HSRP/VPN offering is on the way. This feature permits tracking of a crypto map to an HSRP name and sends keepalives to ensure tunnels are torn down and re-established on the new HSRP master.

Good luck!

Mike
