IPsec stateful failover uses two protocols for proper and continual operation:
■ HSRP—Monitors both the inside and outside interfaces. If either goes down, the entire router is deemed unworthy and ownership of the IKE and IPsec SA processes is passed to the standby router. When this transition occurs, the standby router becomes the active HSRP router.
■ Stateful Switchover (SSO)—Shares the IKE and IPsec SA information between the active and backup routers. At any time, either router knows enough to take over as the active IPsec VPN router.
Some limitations and restrictions apply:
■ Both the active and standby devices must run an identical Cisco IOS release.
■ The active and standby devices must be connected via LAN ports, either directly or through a switch. WAN interfaces are not supported.
■ Both the inside and outside interfaces must be connected via LAN ports.
■ Only “box-to-box” failover is supported. Intrachassis (card-to-card) failover is not currently supported.
■ Load balancing is not supported. Only one device in a redundancy group can be active at any time.
■ IKE keepalive messages are not supported. DPD and periodic DPD are supported.
■ Stateful failover of Layer 2 Tunneling Protocol (L2TP) is not supported.
■ IPsec idle timers are not supported.
Router C:
crypto dynamic-map from-remote 10
 set transform-set trans1
 reverse-route
!
crypto map central-office 10 ipsec-isakmp dynamic from-remote
!
interface fastethernet 1/0
 ip address 172.20.1.1 255.255.255.0
 standby 1 ip 172.20.1.5
 standby 1 priority 150
 standby 1 preempt
 standby 1 name vpn-remote
 crypto map central-office redundancy vpn-remote stateful
!
redundancy inter-device
 scheme standby vpn-remote
!
ipc zone default
 association 1
  protocol sctp
   local-port 12321
    local-ip 10.20.1.1
    retransmit-timeout 300 10000
    path-retransmit 10
    assoc-retransmit 20
   remote-port 12321
    remote-ip 10.20.1.2
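As an added example (not from the book this excerpt comes from), the following Python check reads the configs of both members of a redundancy group and verifies the points the failover depends on: the HSRP standby name, the crypto map's redundancy keyword and the inter-device scheme all name the same group, and each router's SCTP local endpoint is the peer's remote endpoint. Router D's config is an assumption, constructed by mirroring Router C's IPC addresses.

```python
import re

# Constructed sample: Router C follows the snippet above; Router D is an assumed peer.
ROUTER_C = """
interface fastethernet 1/0
 standby 1 name vpn-remote
 crypto map central-office redundancy vpn-remote stateful
redundancy inter-device
 scheme standby vpn-remote
ipc zone default
 association 1
  protocol sctp
   local-port 12321
    local-ip 10.20.1.1
   remote-port 12321
    remote-ip 10.20.1.2
"""
ROUTER_D = ROUTER_C.replace("local-ip 10.20.1.1", "local-ip 10.20.1.2").replace(
    "remote-ip 10.20.1.2", "remote-ip 10.20.1.1")

PATTERNS = {"standby_name": r"standby \d+ name (\S+)", "scheme": r"scheme standby (\S+)",
            "map_redundancy": r"crypto map \S+ redundancy (\S+) stateful",
            "local_port": r"local-port (\d+)", "local_ip": r"local-ip (\S+)",
            "remote_port": r"remote-port (\d+)", "remote_ip": r"remote-ip (\S+)"}

def parse(cfg):
    # collect the one value per pattern that the two peers must agree on
    found = {}
    for line in cfg.splitlines():
        for key, pat in PATTERNS.items():
            if m := re.match(pat, line.strip()):
                found[key] = m.group(1)
    return found

def check_pair(cfg_a, cfg_b):
    """Return a list of problems; an empty list means the pair is consistent."""
    a, b = parse(cfg_a), parse(cfg_b)
    problems = []
    for name, cfg in (("A", a), ("B", b)):
        if missing := [k for k in PATTERNS if k not in cfg]:
            problems.append(f"{name}: missing {missing}")
        # HSRP group, crypto map redundancy name and scheme must name one group
        elif not cfg["standby_name"] == cfg["map_redundancy"] == cfg["scheme"]:
            problems.append(f"{name}: standby/redundancy names differ")
    # the SCTP association must mirror: my local endpoint is the peer's remote
    if not problems:
        for x, y, tag in ((a, b, "A"), (b, a, "B")):
            if (x["local_ip"], x["local_port"]) != (y["remote_ip"], y["remote_port"]):
                problems.append(f"{tag}: local endpoint is not the peer's remote")
    return problems
```

Running `check_pair(ROUTER_C, ROUTER_D)` returns an empty list; feeding the same config twice (a common copy-paste mistake) reports both endpoint mismatches.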