Using IPsec Stateful Failover

DPD, routing protocols, and HSRP provide only stateless failover: when a peer fails, the tunnel drops and must be renegotiated from scratch. Stateful failover keeps the IKE and IPsec security association (SA) state synchronized between an active device and a standby device, so existing tunnels survive the switchover without renegotiation. It depends on two components:
■ HSRP—Runs on both the inside and outside interfaces, each group tracking the other interface. If either interface goes down, the router gives up the active role, and ownership of the HSRP virtual IP address, together with the IKE and IPsec SAs bound to it, passes to the standby router.
■ Stateful Switchover (SSO)—Replicates the IKE and IPsec SA state from the active router to the standby HSRP router over an Inter-Process Communication (IPC) channel carried by Stream Control Transmission Protocol (SCTP).
For stateful failover to work, you must configure HSRP on both interfaces, have the remote peer address the HSRP virtual IP address (not a physical interface address) as its IPsec peer, and configure SSO. The following example shows this configuration on one router. The other router gets the same crypto map, HSRP, and SSO configuration; only its interface addresses and the IPC local-ip/remote-ip values differ, because those identify the two routers themselves. Both routers must run the same Cisco IOS version and must be connected to each other through a switch or hub on the interfaces that carry the IPC association:
! Crypto map configuration
crypto dynamic-map VPN1 10
 set peer 10.1.1.1
 set transform-set TRANSFORM1
 match address 172
 reverse-route
!
crypto map HAVPN 10 ipsec-isakmp dynamic VPN1
!
! HSRP configuration: an HSRP group is needed on both the inside and the
! outside interface, each tracking the other, so that a failure of either
! interface moves the active role. Only the outside interface is shown.
! The redundancy keyword binds the crypto map to the HSRP group, so IKE and
! IPsec use the virtual IP 10.3.7.1 as the local peer address.
interface FastEthernet0/0
 ip address 10.3.7.3 255.255.255.0
 standby 1 ip 10.3.7.1
 standby 1 preempt
 standby 1 name IPSEC1
 standby 1 track FastEthernet0/1
 crypto map HAVPN redundancy IPSEC1 stateful
!
! SSO configuration: tie the inter-device redundancy scheme to the HSRP
! group name used in the crypto map
redundancy inter-device
 scheme standby IPSEC1
!
! IPC configuration: the SCTP association carries SA state between the two
! HSRP routers, so local-ip is this router's own interface address and
! remote-ip is the standby router's address on the same LAN. 10.3.7.4 is an
! assumed address for the standby router; it is not the IPsec peer 10.1.1.1.
! The standby router uses the same ports with local-ip and remote-ip swapped.
ipc zone default
 association 1
  no shutdown
  protocol sctp
   local-port 5555
    local-ip 10.3.7.3
   retransmit-timeout 300 10000
   path-retransmit 10
   assoc-retransmit 10
   remote-port 5555
    remote-ip 10.3.7.4
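Because the two routers' configurations must mirror each other rather than match line for line, it pays to check them mechanically before a failover test. The following Python script is an added example, not part of this page or of Cisco IOS: it parses just the commands shown above from both routers' configurations and reports the mismatches that break stateful failover (the crypto map redundancy name or the scheme standby name not matching the HSRP group name, the stateful keyword missing, or the IPC association not pointing at the partner router). The sample configurations are constructed; the standby router's address 10.3.7.4 is assumed, and the deliberately broken variant points the association at the IPsec peer 10.1.1.1, which is the far VPN endpoint and not the standby router.

```python
"""Consistency checker for a Cisco IOS IPsec stateful failover pair.

Added example for this section, not Cisco code: it recognises only the HSRP,
crypto map redundancy, redundancy inter-device and ipc zone/SCTP commands
shown on this page and reports where two routers' configurations disagree.
Sample configs are constructed; the standby address 10.3.7.4 is assumed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class FailoverConfig:
    standby_name: Optional[str] = None     # standby <grp> name <NAME>
    standby_vip: Optional[str] = None      # standby <grp> ip <VIP>
    redundancy_name: Optional[str] = None  # crypto map <m> redundancy <NAME> [stateful]
    stateful: bool = False
    scheme: Optional[str] = None           # scheme standby <NAME>
    local_ip: Optional[str] = None         # SCTP association endpoints
    remote_ip: Optional[str] = None
    local_port: Optional[int] = None
    remote_port: Optional[int] = None


# Only failover-relevant commands are recognised; everything else is ignored.
_RULES = [
    (re.compile(r"^standby \d+ ip (\S+)$"), "standby_vip"),
    (re.compile(r"^standby \d+ name (\S+)$"), "standby_name"),
    (re.compile(r"^crypto map \S+ redundancy (\S+)( stateful)?$"), "redundancy"),
    (re.compile(r"^scheme standby (\S+)$"), "scheme"),
    (re.compile(r"^local-ip (\S+)$"), "local_ip"),
    (re.compile(r"^remote-ip (\S+)$"), "remote_ip"),
    (re.compile(r"^local-port (\d+)$"), "local_port"),
    (re.compile(r"^remote-port (\d+)$"), "remote_port"),
]


def parse_config(text: str) -> FailoverConfig:
    """Extract the failover-relevant commands from one router's configuration."""
    cfg = FailoverConfig()
    for raw in text.splitlines():
        line = raw.strip()  # IOS indents sub-mode commands
        if not line or line.startswith("!"):
            continue
        for pattern, key in _RULES:
            m = pattern.match(line)
            if m is None:
                continue
            if key == "redundancy":
                cfg.redundancy_name, cfg.stateful = m.group(1), m.group(2) is not None
            elif key.endswith("_port"):
                setattr(cfg, key, int(m.group(1)))
            else:
                setattr(cfg, key, m.group(1))
            break
    return cfg


def check_router(label: str, c: FailoverConfig) -> List[str]:
    """Per-router checks: every redundancy reference must name the same HSRP group."""
    f = []
    if c.redundancy_name != c.standby_name:
        f.append(f"{label}: crypto map redundancy '{c.redundancy_name}' != HSRP name '{c.standby_name}'")
    if not c.stateful:
        f.append(f"{label}: crypto map redundancy lacks 'stateful' (SAs would not be replicated)")
    if c.scheme != c.standby_name:
        f.append(f"{label}: 'scheme standby {c.scheme}' != HSRP name '{c.standby_name}'")
    return f


def check_pair(a: FailoverConfig, b: FailoverConfig) -> List[str]:
    """Cross-router checks; an empty list means the pair is consistent."""
    f = check_router("A", a) + check_router("B", b)
    if (a.standby_name, a.standby_vip) != (b.standby_name, b.standby_vip):
        f.append("HSRP group name or virtual IP differs between A and B")
    # The SCTP association runs between the two HSRP routers, so each side's
    # remote-ip/remote-port must be the other side's local-ip/local-port.
    for x, y, xl, yl in ((a, b, "A", "B"), (b, a, "B", "A")):
        if x.remote_ip != y.local_ip:
            f.append(f"{xl} remote-ip {x.remote_ip} is not {yl}'s local-ip {y.local_ip}")
        if x.remote_port != y.local_port:
            f.append(f"{xl} remote-port {x.remote_port} is not {yl}'s local-port {y.local_port}")
    return f


# Constructed sample: A follows this page; B is A mirrored (own address and IPC
# endpoints swapped); B_BAD points the association at the IPsec peer 10.1.1.1
# and drops the 'stateful' keyword, two mistakes the checker should catch.
ROUTER_A = """
interface FastEthernet0/0
 standby 1 ip 10.3.7.1
 standby 1 name IPSEC1
 standby 1 track FastEthernet0/1
 crypto map HAVPN redundancy IPSEC1 stateful
redundancy inter-device
 scheme standby IPSEC1
ipc zone default
 association 1
  protocol sctp
   local-port 5555
    local-ip 10.3.7.3
   remote-port 5555
    remote-ip 10.3.7.4
"""
ROUTER_B = ROUTER_A.replace("10.3.7.3", "10.3.7.4").replace("remote-ip 10.3.7.4", "remote-ip 10.3.7.3")
ROUTER_B_BAD = ROUTER_B.replace("remote-ip 10.3.7.3", "remote-ip 10.1.1.1").replace(" stateful", "")

if __name__ == "__main__":
    for label, text in (("good", ROUTER_B), ("bad", ROUTER_B_BAD)):
        print(label, check_pair(parse_config(ROUTER_A), parse_config(text)) or ["consistent"])
```

Running the script reports the good pair as consistent and flags two problems in the broken pair: the missing stateful keyword on B's crypto map, and B's remote-ip pointing at 10.1.1.1 instead of A's local-ip. Feed it the relevant sections of both routers' running configurations (the parser ignores everything it does not recognise) to catch the same mistakes in a real deployment.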