02-14-2008 01:49 PM - edited 02-21-2020 03:33 PM
Is it possible to have redundancy - say HSRP - as part of a VPN infrastructure? That is - could the peer IP address be an HSRP or VRRP VIP? If not - and you wanted redundancy of two VPN routers, what mechanism would be used for failover? Thanks.
02-14-2008 04:06 PM
I've actually recently been looking into this myself and there are a few different options depending on your platforms and design.
VPN head-end stateful failover on 7200s and 3600s. This allows for the stateful failover of IPsec tunnels from a primary router to a secondary.
http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00802d03f2.html
IPsec failover using HSRP and reverse route injection. Stateless IOS-based tunnel failover. Closer to what you want if you're using IOS VPN.
http://www.cisco.com/en/US/partner/tech/tk583/tk372/technologies_tech_note09186a00800942f7.shtml
As I'm using ASA at the head end and IOS at the remote, I am currently looking at using static virtual tunnel interfaces at the remote sites with HSRP tracking these VTI interfaces, with failover based on the tunnel status. Not entirely sure whether HSRP can track VTI interfaces but I assume it can.
http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a008041faef.html
The only other question this leaves me with is how the ASA handles routing where it has multiple tunnels from two different endpoints. Anyone know?
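The second and third options in the reply above (HSRP plus reverse route injection at an IOS head end, and HSRP tracking a static VTI at the remote) are shown together in the IOS configuration below. This is an added example and not configuration from the original post or from Cisco's documents; all addresses, names, the crypto policy and the EIGRP AS number are constructed placeholders. It assumes two IOS routers at each site on a current IOS release, that the IPsec peer address seen by the far end is the HSRP VIP (so the pre-shared key and crypto map are identical on both head-end routers), and that the line protocol of a static VTI follows the state of its IPsec SA, which is what lets an object tracker drive HSRP priority.

```cisco
! ===== Head-end router A (constructed example) =====
! Router B carries the same configuration with its own interface
! address and a lower "standby 1 priority".
!
! Track the inside interface so a LAN-side failure also moves the VIP
track 1 interface GigabitEthernet0/1 line-protocol
!
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
! The PSK must be identical on both head ends: the remote peer only
! ever negotiates with the HSRP VIP, whichever router owns it
crypto isakmp key REPLACE-WITH-STRONG-PSK address 198.51.100.10
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
 mode tunnel
!
ip access-list extended REMOTE-LAN
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
crypto map VPNMAP 10 ipsec-isakmp
 set peer 198.51.100.10
 set transform-set TS
 match address REMOTE-LAN
 ! Reverse route injection: a static route to the remote LAN exists
 ! only on the router that currently holds the SA, so redistributing
 ! statics into the IGP steers return traffic to the active head end
 reverse-route
!
interface GigabitEthernet0/0
 description Outside - the HSRP VIP 192.0.2.1 is the IPsec peer address
 ip address 192.0.2.2 255.255.255.0
 standby 1 ip 192.0.2.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 name VPNHA
 standby 1 track 1 decrement 20
 ! Bind the crypto map to the HSRP group so IPsec uses the VIP as its
 ! local address and the SA is rebuilt by whichever router is active
 crypto map VPNMAP redundancy VPNHA
!
router eigrp 100
 network 10.1.0.0 0.0.255.255
 redistribute static
!
! ===== Remote-site router (constructed example) =====
! Static VTI to the head-end VIP; HSRP on the LAN side tracks the
! tunnel so the default gateway moves to the peer router when this
! router's tunnel is down. The peer router mirrors this with a lower
! "standby 2 priority" and its own tunnel to the same VIP.
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec profile VTI-PROF
 set transform-set TS
!
interface Tunnel0
 description sVTI to head-end VIP
 ip address 10.255.0.2 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 192.0.2.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
!
! Tunnel line protocol is up only while the IPsec SA is established
track 2 interface Tunnel0 line-protocol
!
interface GigabitEthernet0/1
 description Inside LAN - HSRP gateway 10.2.0.1
 ip address 10.2.0.2 255.255.255.0
 standby 2 ip 10.2.0.1
 standby 2 priority 110
 standby 2 preempt
 standby 2 track 2 decrement 20
```

To confirm the failover actually follows tunnel state rather than just interface state, check `show track` and `show standby brief` on the remote routers while clearing the SA (`clear crypto session`) on the active one: the track object should go down, the HSRP priority should drop by the decrement, and the standby router should preempt. On the head ends, `show ip route static` should show the RRI route only on the router that holds the SA, and `show crypto session` should list the VIP, not the physical address, as the local endpoint. Because the SA is rebuilt rather than synchronised in this design, expect a short outage on failover; the first (stateful) option in the reply avoids that at the cost of platform restrictions.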