
VPN Peer and failover

mmedwid
Level 3

Is it possible to have redundancy - say HSRP - as part of a VPN infrastructure? That is - could the peer IP address be an HSRP or VRRP VIP? If no - and you wanted redundancy of two VPN routers, what mechanism would be used for failover? Thanks.


Accepted Solutions

acraick
Level 1

I've actually recently been looking into this myself and there are a few different options depending on your platforms and design.

VPN head-end stateful failover on 7200s and 3600s. This allows for the stateful failover of IPsec tunnels from a primary router to a secondary.

http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00802d03f2.html

IPsec failover using HSRP and reverse route injection. Stateless IOS-based tunnel failover. Closer to what you want if you're using IOS VPN.

http://www.cisco.com/en/US/partner/tech/tk583/tk372/technologies_tech_note09186a00800942f7.shtml

As I'm using ASA at the head end and IOS at the remote, I am currently looking at using static virtual tunnel interfaces at the remote sites with HSRP tracking these VTI interfaces, with failover based on the tunnel status. Not entirely sure whether HSRP can track VTI interfaces, but I assume it can.

http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a008041faef.html

The only other question this leaves me with is how the ASA handles routing where it has multiple tunnels from two different endpoints. Anyone know?
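
The HSRP plus reverse route injection option from the answer above, written out as IOS configuration with the remote peer pointed at the HSRP virtual address. This is an added example, not part of the original post or of the linked Cisco documents; the addresses (documentation ranges), interface names, the names VPNMAP, VPN-HA and TS, the crypto parameters and the OSPF redistribution are assumptions.

```cisco
! Constructed example: all addresses, names and crypto parameters are assumptions.
!
! --- Head-end router A (router B: same config, own address 203.0.113.3, lower priority) ---
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key <PRE-SHARED-KEY> address 198.51.100.10
! Failover is stateless: keepalives let each side detect the dead peer and rebuild the SAs
crypto isakmp keepalive 10
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
!
! reverse-route installs a static route to the remote network while the SA is up
crypto map VPNMAP 10 ipsec-isakmp
 set peer 198.51.100.10
 set transform-set TS
 match address 101
 reverse-route
!
! Outside interface: HSRP group named VPN-HA, and the crypto map bound to that
! group so IPsec terminates on the virtual address 203.0.113.1
interface GigabitEthernet0/0
 ip address 203.0.113.2 255.255.255.0
 standby 1 ip 203.0.113.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 name VPN-HA
 standby 1 track GigabitEthernet0/1
 crypto map VPNMAP redundancy VPN-HA
!
! Advertise the injected routes so inside routers follow whichever head end is active
router ospf 1
 redistribute static subnets
 network 10.1.0.0 0.0.255.255 area 0
!
access-list 101 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
! --- Remote router (ISAKMP policy and transform set as above, ACL 101 mirrored) ---
! The peer and the pre-shared key are tied to the HSRP virtual address,
! never to a physical head-end address
crypto isakmp key <PRE-SHARED-KEY> address 203.0.113.1
crypto isakmp keepalive 10
crypto map VPNMAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS
 match address 101
```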
