Cisco Support Community

New Member

VPN Peer and failover

Is it possible to have redundancy - say HSRP - as part of a VPN infrastructure? That is - could the peer IP address be an HSRP or VRRP VIP? If not - and you wanted redundancy of two VPN routers - what mechanism would be used for failover? Thanks.

1 ACCEPTED SOLUTION

New Member

Re: VPN Peer and failover

I've actually recently been looking into this myself and there are a few different options depending on your platforms and design.

VPN head end stateful failover on 7200's and 3600's. This allows for the stateful failover of IPSEC tunnels from a primary router to a secondary.

http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00802d03f2.html

IPSEC failover using HSRP and Reverse Route Injection. Stateless IOS based tunnel failover. Closer to what you want if you're using IOS VPN.

http://www.cisco.com/en/US/partner/tech/tk583/tk372/technologies_tech_note09186a00800942f7.shtml

As I'm using ASA at the head end and IOS at the remote, I am currently looking at using static virtual tunnel interfaces at the remote sites, with HSRP tracking these VTI interfaces and fail-over based on the tunnel status. Not entirely sure whether HSRP can track VTI interfaces but I assume it can.

http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a008041faef.html

The only other question this leaves me with is how does the ASA handle routing where it has multiple tunnels from two different endpoints. Anyone know?
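A configuration sketch of the HSRP plus Reverse Route Injection option named in the answer above, added here as an example and not taken from the posts or the linked Cisco documents. All addresses (documentation ranges), interface names, the pre-shared key placeholder, and the names VPN-HA, VPNMAP, REMOTEMAP, TS and ACL 101 are assumptions.

```cisco
! --- Head-end router A (HSRP active). Router B carries the same crypto
! --- config, its own interface address (192.0.2.3) and a lower priority.
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
crypto isakmp key <PRESHARED-KEY> address 198.51.100.10
! Dead peer detection, so stale SAs are torn down after a failover
crypto isakmp keepalive 10 3
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
!
access-list 101 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
crypto map VPNMAP 10 ipsec-isakmp
 set peer 198.51.100.10
 set transform-set TS
 match address 101
 ! RRI: install a static route to the remote subnet on whichever
 ! router currently holds the tunnel
 reverse-route
!
interface GigabitEthernet0/0
 description Outside segment shared with router B
 ip address 192.0.2.2 255.255.255.0
 standby 1 ip 192.0.2.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 name VPN-HA
 ! Give up the active role if the inside interface goes down
 standby 1 track GigabitEthernet0/1
 ! Bind IPsec to the HSRP group: the VIP becomes the local tunnel endpoint
 crypto map VPNMAP redundancy VPN-HA
!
! --- Remote IOS peer: only the HSRP VIP is configured as the peer,
! --- never the physical address of router A or B.
crypto isakmp key <PRESHARED-KEY> address 192.0.2.1
crypto isakmp keepalive 10 3
crypto map REMOTEMAP 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set TS
 match address 101
```

Because this failover is stateless, the IKE and IPsec SAs are renegotiated with the newly active router; the keepalives are what let the remote peer notice the old SAs are dead. The RRI static routes still need to be redistributed into the inside routing protocol so return traffic follows the active router.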
