Cisco IOS Stateful Failover for IPsec works in conjunction with Stateful Switchover (SSO) and Hot Standby Router Protocol (HSRP).
In this example, R1 and R2 are the redundant routers and R3 is the remote IPsec router.

Configurations:
R1:
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco123 address 192.168.1.3
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set testset esp-3des esp-md5-hmac
!
crypto map testmap 10 ipsec-isakmp
set peer 192.168.1.3
set transform-set testset
match address 101
reverse-route
!
!
interface FastEthernet1/1
ip address 192.168.1.1 255.255.255.0
no shut
standby delay reload 180
standby 1 ip 192.168.1.10
standby 1 priority 150
standby 1 preempt
standby 1 name HSRP-out
standby 1 track FastEthernet1/0 60
crypto map testmap redundancy HSRP-in
!
interface FastEthernet1/0
ip address 10.10.10.1 255.255.255.0
no shut
standby delay reload 180
standby 1 ip 10.10.10.10
standby 1 priority 150
standby 1 preempt
standby 1 name HSRP-in
standby 1 track FastEthernet1/1 60
!
ip route 0.0.0.0 0.0.0.0 192.168.1.3
access-list 101 permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
redundancy inter-device
scheme standby HSRP-in
!
!
redundancy
!
!
ipc zone default
association 1
no shutdown
protocol sctp
local-port 5000
local-ip 10.10.10.1
retransmit-timeout 300 10000
path-retransmit 10
assoc-retransmit 10
remote-port 5000
remote-ip 10.10.10.2
--------------
R2:
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco123 address 192.168.1.3
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set testset esp-3des esp-md5-hmac
!
crypto map testmap 10 ipsec-isakmp
set peer 192.168.1.3
set transform-set testset
match address 101
reverse-route
!
!
interface FastEthernet1/1
ip address 192.168.1.2 255.255.255.0
no shut
standby delay reload 180
standby 1 ip 192.168.1.10
standby 1 preempt
standby 1 name HSRP-out
standby 1 track FastEthernet1/0 60
crypto map testmap redundancy HSRP-in
!
interface FastEthernet1/0
ip address 10.10.10.2 255.255.255.0
no shut
standby delay reload 180
standby 1 ip 10.10.10.10
standby 1 preempt
standby 1 name HSRP-in
standby 1 track FastEthernet1/1 60
!
ip route 0.0.0.0 0.0.0.0 192.168.1.3
access-list 101 permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
redundancy inter-device
scheme standby HSRP-in
!
!
redundancy
!
!
ipc zone default
association 1
no shutdown
protocol sctp
local-port 5000
local-ip 10.10.10.2
retransmit-timeout 300 10000
path-retransmit 10
assoc-retransmit 10
remote-port 5000
remote-ip 10.10.10.1
-----------------------
R3:
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco123 address 192.168.1.10
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set testset esp-3des esp-md5-hmac
!
crypto map testmap 10 ipsec-isakmp
set peer 192.168.1.10
set transform-set testset
match address 101
reverse-route
!
!
interface FastEthernet1/0
ip address 20.20.20.3 255.255.255.0
interface FastEthernet1/1
ip address 192.168.1.3 255.255.255.0
crypto map testmap
access-list 101 permit ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
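As an added example (not part of the original post), the Python script below parses a trimmed copy of the three configs above and checks the values that have to line up for stateful failover to work: the inter-device scheme and the crypto map's redundancy group must name a configured HSRP group, the SCTP local/remote addresses and ports of R1 and R2 must mirror each other, and R3's peer and pre-shared key must refer to the HSRP virtual address rather than either physical address. The config text is constructed from the post's values; the redundant_router template, the parser and the check names are this example's own, and the parser only understands the handful of commands shown.

```python
import re


def redundant_router(outside_ip, inside_ip, sctp_peer):
    """Constructed from the post's R1/R2 configs, trimmed to the lines the checks read."""
    return f"""
crypto isakmp key cisco123 address 192.168.1.3
crypto map testmap 10 ipsec-isakmp
 set peer 192.168.1.3
interface FastEthernet1/1
 ip address {outside_ip} 255.255.255.0
 standby 1 ip 192.168.1.10
 standby 1 name HSRP-out
 crypto map testmap redundancy HSRP-in
interface FastEthernet1/0
 ip address {inside_ip} 255.255.255.0
 standby 1 ip 10.10.10.10
 standby 1 name HSRP-in
redundancy inter-device
 scheme standby HSRP-in
ipc zone default
 association 1
  protocol sctp
   local-port 5000
   local-ip {inside_ip}
   remote-port 5000
   remote-ip {sctp_peer}
"""


R1 = redundant_router("192.168.1.1", "10.10.10.1", "10.10.10.2")
R2 = redundant_router("192.168.1.2", "10.10.10.2", "10.10.10.1")
R3 = """
crypto isakmp key cisco123 address 192.168.1.10
crypto map testmap 10 ipsec-isakmp
 set peer 192.168.1.10
"""


def blocks(text):
    """Group IOS config lines into top-level commands with their indented sub-lines."""
    out = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        if line[0] not in " \t":
            out.append([line.strip()])
        elif out:
            out[-1].append(line.strip())
    return out


def parse(text):
    """Pull out the values that must agree across the pair and the remote peer."""
    cfg = {"psk": {}, "peer": None, "groups": {}, "crypto_vip": None,
           "crypto_redundancy": None, "scheme": None, "sctp": {}}
    for head, *body in blocks(text):
        if head.startswith("crypto isakmp key"):
            _, _, _, key, _, addr = head.split()
            cfg["psk"][addr] = key  # pre-shared key per peer address
        elif head.startswith("crypto map") and head.endswith("ipsec-isakmp"):
            cfg["peer"] = next((l.split()[2] for l in body if l.startswith("set peer")), None)
        elif head.startswith("interface"):
            name = vip = None
            has_map = False
            for l in body:
                if m := re.match(r"standby \d+ name (\S+)", l):
                    name = m.group(1)
                elif m := re.match(r"standby \d+ ip (\S+)", l):
                    vip = m.group(1)
                elif m := re.match(r"crypto map \S+ redundancy (\S+)", l):
                    cfg["crypto_redundancy"] = m.group(1)
                    has_map = True
            if name:
                cfg["groups"][name] = vip  # HSRP group name -> virtual IP
            if has_map:
                cfg["crypto_vip"] = vip  # virtual IP of the interface carrying the crypto map
        elif head == "redundancy inter-device":
            cfg["scheme"] = next((l.split()[2] for l in body if l.startswith("scheme standby")), None)
        elif head.startswith("ipc zone"):
            for l in body:
                k = l.split()[0]
                if k in ("local-ip", "remote-ip", "local-port", "remote-port"):
                    cfg["sctp"][k] = l.split()[1]
    return cfg


def check_failover(a, b, remote):
    """Return the list of mismatches; an empty list means the three configs agree."""
    p = []
    for tag, r in (("R1", a), ("R2", b)):
        if r["scheme"] not in r["groups"]:
            p.append(f"{tag}: inter-device scheme {r['scheme']} is not a standby group name")
        if r["crypto_redundancy"] not in r["groups"]:
            p.append(f"{tag}: crypto map redundancy group {r['crypto_redundancy']} is not a standby group name")
    if a["scheme"] != b["scheme"] or a["groups"] != b["groups"] or a["peer"] != b["peer"]:
        p.append("redundant routers disagree on standby scheme, virtual addresses or remote peer")
    sa, sb = a["sctp"], b["sctp"]
    for k in ("ip", "port"):  # each side's local must be the other side's remote
        if sa.get(f"local-{k}") != sb.get(f"remote-{k}") or sb.get(f"local-{k}") != sa.get(f"remote-{k}"):
            p.append(f"SCTP local/remote {k} not mirrored between the redundant routers")
    if remote["peer"] != a["crypto_vip"]:
        p.append(f"remote peer {remote['peer']} is not the HSRP virtual address of the crypto-map interface")
    key = remote["psk"].get(remote["peer"])
    if key is None or a["psk"].get(a["peer"]) != key or b["psk"].get(b["peer"]) != key:
        p.append("pre-shared key differs between the redundant pair and the remote peer")
    return p


if __name__ == "__main__":
    print("page configs:", check_failover(parse(R1), parse(R2), parse(R3)) or "consistent")
    # Constructed fault: R2's SCTP remote-ip typed wrong, so the state sync peers never match.
    r2_bad = parse(redundant_router("192.168.1.2", "10.10.10.2", "10.10.10.9"))
    print("mis-typed SCTP peer:", check_failover(parse(R1), r2_bad, parse(R3)))
```

The mirrored SCTP check is the one most worth automating: a state-sync association that never comes up leaves the standby with no IPsec SAs, so the HSRP failover succeeds at layer 3 while every tunnel is renegotiated from scratch, which is exactly the outage stateful failover is meant to avoid.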