Best Practices
High availability in IPsec is very important for both LAN-to-LAN and Remote Access IPsec VPN. There are several features available on the PIX Firewall to provide resilience for site-to-site and Remote Access IPsec VPN connections. This section looks at the features and options available on the PIX Firewall to attain high availability for VPN connections:
Dead peer discovery (DPD)
Reverse route injection (RRI)
Stateful failover for VPN connections
A more detailed discussion follows in the next sections.
Dead Peer Discovery (DPD)
To achieve resiliency for IPsec connections, it is extremely important to monitor the continued presence of a remote peer and to report the firewall's own presence to that peer. If the peer becomes unresponsive, the PIX Firewall removes the connection. Enabling IKE keepalives prevents hung connections when the IKE peer loses connectivity. Dead Peer Discovery (DPD) detects the loss of connectivity very efficiently. DPD sends a keepalive message only when necessary, because it tracks existing traffic and communications with the peer. A keepalive is not sent until a worry state has occurred; this state is defined by each peer and is usually caused by a lack of traffic from its peer. This is an intelligent way to reduce the number of messages and, most important, it reduces the overhead on the head-end device. DPD is configured with the isakmp keepalive command under tunnel-group group_name ipsec-attributes. DPD should be configured in conjunction with "Reverse Route Injection" and "Stateful Failover for VPN Connections," which are discussed in the following sections.
Reverse Route Injection (RRI)
Reverse Route Injection (RRI) lets the PIX Firewall install routes for the connected peers/clients. For LAN-to-LAN connections, the route is installed based on the access list that defines the interesting traffic for the crypto map. For Remote Access VPN, the routes are installed based on the address assigned to the client by AAA, an IP pool, or a DHCP server. The route installed by RRI is a static route in the routing table of the PIX Firewall, and it can be redistributed to the downstream routers via RIP or OSPF. This feature is extremely useful when a backup is in place and when the remote peers change frequently. RRI can work in conjunction with the Stateful VPN Failover discussed in the next section to provide good resiliency for both LAN-to-LAN and Remote Access VPN connections.
To enable RRI, use the crypto map map-name seq-num set reverse-route command for both LAN-to-LAN and Remote Access VPN connections. RRI can also be configured for dynamic crypto maps.
Stateful Failover For VPN Connections
In PIX version 7.0, stateful failover is supported for IPsec, IPsec over NAT-T, IPsec over UDP, and IPsec over TCP for Remote Access VPN connections. Stateful failover is also supported for IPsec and IPsec over NAT-T for LAN-to-LAN VPN connections. Certificates and RSA/DSA crypto keys created on the active unit are replicated to the standby unit. For Remote Access VPN, DHCP leases are replicated; hence, the DHCP-assigned IP address of a Remote Access VPN client is renewed automatically after failover. VPN stateful failover supports all common AAA servers: NT Domain, SDI, RADIUS, and so on. It is important to note that stateful failover for VPN connections is supported only in single routed mode; it is not supported in multiple-context or transparent firewall mode.
To enable stateful failover for VPN connections, configure LAN-based stateful failover as shown in Chapter 3, "Troubleshooting Cisco Secure PIX Firewalls." No special configuration is needed for the VPN connections themselves.
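As an added example (not from the book), the following PIX 7.0 configuration fragment ties together the three features covered in the DPD, RRI, and Stateful Failover sections above: DPD under tunnel-group ipsec-attributes for both a LAN-to-LAN peer and a Remote Access group, RRI on a static LAN-to-LAN crypto map and on a dynamic Remote Access crypto map, redistribution of the injected static routes into OSPF, and LAN-based stateful failover. Only the isakmp keepalive, set reverse-route, and tunnel-group ipsec-attributes commands come from the text; the interface names, addresses, access-list and map names, timer values, OSPF commands, and failover commands are assumptions drawn from the PIX 7.0 command set, and the keys are placeholders.

```text
! Added example, not from the book. Names, addresses, timers, and keys are
! placeholders; replace them with site values.

! --- IKE/IPsec basics (assumed policy values) ---
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac

! --- LAN-to-LAN peer: DPD under tunnel-group ipsec-attributes ---
! threshold = idle seconds before the PIX enters the worry state and sends a
! keepalive; retry = seconds between retransmissions of that keepalive.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key PLACEHOLDER_L2L_KEY
 isakmp keepalive threshold 10 retry 2

! --- LAN-to-LAN crypto map with RRI ---
! RRI installs a static route for 192.168.2.0/24 (the remote side of the
! interesting-traffic access list) toward the peer while the SA is up.
access-list l2l_acl extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto map outside_map 10 match address l2l_acl
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 10 set transform-set ESP-AES-SHA
crypto map outside_map 10 set reverse-route

! --- Remote Access group: address pool plus DPD ---
! Remote clients are often idle, so a longer worry threshold is used here.
ip local pool ra_pool 192.168.100.1-192.168.100.254
tunnel-group ra_group type ipsec-ra
tunnel-group ra_group general-attributes
 address-pool ra_pool
tunnel-group ra_group ipsec-attributes
 pre-shared-key PLACEHOLDER_RA_KEY
 isakmp keepalive threshold 300 retry 2

! --- Remote Access: dynamic crypto map with RRI ---
! The injected route is a host route for each client's assigned address.
crypto dynamic-map dyn_map 10 set transform-set ESP-AES-SHA
crypto dynamic-map dyn_map 10 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic dyn_map
crypto map outside_map interface outside

! --- Advertise the RRI static routes to the inside routers ---
router ospf 1
 network 192.168.1.0 255.255.255.0 area 0
 redistribute static subnets

! --- LAN-based stateful failover ---
! This is all that is required for VPN stateful failover; the crypto and
! tunnel-group configuration above needs no failover-specific changes.
failover lan unit primary
failover lan interface folink Ethernet2
failover link folink Ethernet2
failover interface ip folink 10.255.0.1 255.255.255.252 standby 10.255.0.2
failover key PLACEHOLDER_FAILOVER_KEY
failover
```

The lines beginning with ! are explanatory comments. After the LAN-to-LAN SA comes up, show route should list a static route for 192.168.2.0/24 via the outside interface, and show failover should report the standby unit as ready; both checks confirm that RRI and stateful failover are active before the peer is relied on for resilience.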