Cisco – Stateful Failover for IPsec – VPN Availability Configuration Guide

Stateful Failover for IPsec

Last Updated: February 14, 2012

Stateful failover for IP Security (IPsec) enables a router to continue processing and forwarding IPsec packets after a planned or unplanned outage occurs. Customers employ a backup (secondary) router that automatically takes over the tasks of the active (primary) router if the active router loses connectivity for any reason. This failover process is transparent to users and does not require adjustment or reconfiguration of any remote peer.

Stateful failover for IPsec is designed to work in conjunction with stateful switchover (SSO) and Hot Standby Routing Protocol (HSRP). HSRP provides network redundancy for IP networks, ensuring that user traffic immediately and transparently recovers from failures in network edge devices or access circuits. That is, HSRP monitors both the inside and outside interfaces so that if either interface goes down, the whole router is deemed to be down and the ownership of Internet Key Exchange (IKE) and IPsec security associations (SAs) is passed to the standby router (which transitions to the HSRP active state). SSO allows the active and standby routers to share IKE and IPsec state information so both routers have enough information to become the active router at any time. To configure stateful failover for IPsec, a network administrator must enable HSRP, assign a virtual IP address (VIP), and enable SSO.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the Feature Information Table at the end of this document.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Prerequisites for Stateful Failover for IPsec

Complete, Duplicate IPsec and IKE Configuration on the Active and Standby Devices

This document assumes that you have a complete IKE and IPsec configuration.

The IKE and IPsec configuration that is set up on the active device must be duplicated on the standby device. That is, the crypto configuration must be identical with respect to Internet Security Association and Key Management Protocol (ISAKMP) policy, ISAKMP keys (preshared), IPsec profiles, IPsec transform sets, all crypto map sets that are used for stateful failover, all access control lists (ACLs) that are used in match address statements on crypto map sets, all AAA configurations used for crypto, client configuration groups, IP local pools used for crypto, and ISAKMP profiles.


Note

The configuration information between the active and standby devices is not automatically transferred; you are responsible for ensuring that the crypto configurations match on both devices. If the crypto configurations on both devices do not match, failover from the active device to the standby device will not be successful.


Device Requirements

Stateful failover for IPsec requires that your network contains two identical routers that are available to be either the primary or secondary device. Both routers should be the same type of device, have the same CPU and memory, and have either no encryption accelerator or identical encryption accelerators.

Restrictions for Stateful Failover for IPsec

When configuring redundancy for a VPN, the following restrictions apply:

  • Both the active and standby devices must run the identical version of the Cisco IOS software, and both the active and standby devices must be connected via a hub or switch.
  • The Cisco Integrated Services Routers (ISRs) and the VPN modules that support stateful failover for IPsec are as follows:
    • The AIM-VPN/BPII-PLUS and AIM-VPN/SSL-1 hardware encryption modules are supported on the Cisco 1841 router.
    • The AIM-VPN/EPII-Plus and AIM-VPN/SSL-2 hardware encryption modules are supported on Cisco 2801, 2811, 2821, and 2851 routers.
    • The AIM-VPN/EPII+ and AIM-VPN/SSL-3 hardware encryption modules are supported on the Cisco 3825 router.
    • The AIM-VPN/HPII+ and AIM-VPN/SSL-3 hardware encryption modules are supported on the Cisco 3845 router.
    • The VPN Acceleration Module (VAM) and VAM2 hardware encryption modules are supported on the Cisco 7200 series router.
  • Stateful failover for IPsec is supported on the Cisco Integrated Services Routers Generation 2 (ISR G2), with or without the Internal Service Module (ISM).
  • Only “box-to-box” failover is supported; that is, intrachassis failover is not supported.
  • WAN interfaces between the active (primary) router and the standby (secondary) router are not supported. (HSRP requires inside interfaces and outside interfaces to be connected via LANs.)
  • Load balancing is not supported; that is, no more than one device in a redundancy group can be active at any given time.
  • Stateful failover of IPsec with Layer 2 Tunneling Protocol (L2TP) is not supported.
  • Public key infrastructure (PKI) is not supported when used with stateful failover. (Only preshared keys for IKE are supported.)
  • IKE keepalives are not supported. (Enabling this functionality will cause the connection to be torn down after the standby router assumes ownership control.) However, dead peer detection (DPD) and periodic DPD are supported.
  • IPsec idle timers are not supported when used with stateful failover.
  • A stateful failover crypto map applied to an interface in a virtual routing forwarding (VRF) instance is not supported. However, VRF-aware IPsec features are supported when a stateful failover crypto map is applied to an interface in the global VRF.
  • Stateful failover is not compatible or interoperable with the State Synchronization Protocol (SSP) version of stateful failover (which is available in Cisco IOS Release 12.2YX1 and Cisco IOS Release 12.2SU).

Information About Stateful Failover for IPsec

Supported Deployment Scenarios for Stateful Failover for IPsec

You can implement stateful failover for IPsec in one of the following recommended deployment scenarios: a single interface scenario or a dual interface scenario.

In a single interface scenario, VPN gateways use one LAN connection for both encrypted traffic arriving from remote peers and decrypted traffic flowing to inside hosts (see the figure below). The single interface design allows customers to save money on router ports and subnets. This design is typically used if all traffic flowing in and out of the organization does not traverse the VPN routers.

Figure 1 Single Interface Network Topology

In a dual interface scenario, a VPN gateway has more than one interface, enabling traffic to flow in and out of the router via separate interfaces (see the figure below). This scenario is typically used if traffic flowing in and out of a site must traverse the routers, so the VPN routers will provide the default route out of the network.

Figure 2 Dual Interface Network Topology

The table below lists the functionality available in single-interface and dual-interface scenarios.

Table 1 Single- and Dual-Interface Functionality Overview

Route Injection
  • Single interface: Routes must be injected to provide the devices that are behind the VPN gateways with a next hop for traffic that requires encryption. Stateful failover for IPsec typically requires routes to be injected for this network topology. If the VPN gateways are not the logical next hop for devices inside the network, the routes must be created and injected into the routing process. Thus, traffic that is returning from inside the network can be sent back to the VPN routers for IPsec services before it is sent out. A virtual IP (VIP) address cannot be used as the advertiser of routing updates, so flows must be synchronized via the injected routes.
  • Dual interface: If the VPN gateways are the next hop (default route) for all devices inside the network, the VIP address that is used on the inside interfaces can be used as the next hop. Thus, injection of the VPN routes is not required. However, static routes on inside hosts must be used to direct the routes to the next hop VIP address.

HSRP Configuration
  • Single interface: The role of HSRP is simplified in a single interface design because if the only interface is disabled, the entire device is deemed unavailable. This functionality helps to avoid some of the routing considerations to be discussed in the next scenario.
  • Dual interface: Because each interface pair functions independently, you should configure HSRP so that multiple pairs of interfaces can be tracked. (That is, HSRP should not be configured on only one pair of interfaces or on both pairs of interfaces without each pair mutually tracking each other.) Mutual tracking means that if the outside interface does fail, the inside interface on the same router will also be deemed down, allowing for complete router failover to the secondary router.

Secure State Information
  • Single interface: If secure state information is passed between routers, the information is passed over the same interface as all other traffic.
  • Dual interface: The router has a separate inside and outside interface; thus, the inside interface can be used as a more secure channel for the exchange of state information.

Firewall Configuration
  • Single interface: The VPN gateways can sit in front of a firewall or behind a firewall.
  • Dual interface: VPN gateways may sit behind or in front of a firewall. A firewall can be installed in parallel to the VPN gateways.

IPsec Stateful Failover for Remote Access Connections

The main difference between a remote access and a LAN-to-LAN connection is the use of Xauth and mode-config. IKE Xauth is often used to authenticate a user. IKE mode-config is often used to push security policy from a hub (concentrator) router to a user’s IPsec implementation. Mode-config is also typically used to assign an internal company network IP address to a user.

In addition to the differences between a remote access configuration and a LAN-to-LAN configuration, you should note the following remote-access-server-specific functions:

  • Assigned IP address–An IP address can be assigned to the client via one of the following options:
    • Local IP pools–For local IP pools, the administrator must first configure identical local IP address pools on each router in the high availability (HA) pair (via the ip local pool client-address-pool command). This pool name can be applied in one of two places–in a group policy via the crypto isakmp client configuration group group-name command (and the submode command pool pool-name) or in a client configuration via the crypto isakmp client configuration address-pool local local-pool command.
    • RADIUS-assigned address–If you are using RADIUS authentication and the RADIUS server returns the Framed-IP-Address attribute, the concentrator will always assign the address to the client. It is recommended that you refer to your RADIUS server vendor’s documentation, especially for vendors that allow you to configure address pools on the RADIUS server. Typically, those servers require crypto accounting to work properly.

To enable accounting on the HA pair, you should execute the following command on both active and standby devices: aaa accounting network and apply radius-accounting either to the crypto ISAKMP profile or the crypto map set.

  • RADIUS Network Access Server (NAS)-IP address–The HA pair should appear as a single device to the RADIUS server. Thus, both HA routers must communicate with the RADIUS server using the same IP address. However, when communicating with the RADIUS server, the router must use a physical IP address, not a virtual IP (VIP) address, as the NAS-IP address of the router. To configure the RADIUS NAS-IP address for the HA pair, you must configure the same loopback address in the HA pair via the interface loopback command; thereafter, you must execute the ip radius source-interface command in the HA pair. Finally, add the new loopback IP address to the RADIUS server’s configuration so the RADIUS server can process requests from the HA pair.

For additional information on how to configure IPsec stateful failover for a remote access connection, see the section “Example: Configuring IPSec Stateful Failover for an Easy VPN Server.”

Dead Peer Detection with IPsec High Availability

To configure Dead Peer Detection (DPD) with IPsec High Availability (HA), it is recommended that you use a value other than the default (2 seconds). A keepalive time of 10 seconds with 5 retries seems to work well with HA because of the time it takes for the router to get into active mode.

To configure DPD with IPsec HA, use the crypto isakmp keepalive command.

How to Enable Stateful Failover for IPsec

Enabling HSRP IP Redundancy and a Virtual IP Address

HSRP provides two services, IP redundancy and a virtual IP (VIP) address. Each HSRP group may provide either or both of these services. IPsec stateful failover uses the IP redundancy services from only one HSRP standby group. It can use the VIP address from one or more HSRP groups. Use this task to configure HSRP on the outside and inside interfaces of the device.

When configuring HSRP, you must ensure the following:

  • Both the inside (private) interface and the outside (public) interface must belong to separate HSRP groups, but the HSRP group number can be the same.
  • The state of the inside interface and the outside interface must be the same–both interfaces must be in the active state or standby state; otherwise, the packets will not have a route out of the private network.
  • Standby priorities should be equal on both active and standby routers. If the priorities are not equal, the higher priority router will unnecessarily take over as the active router, negatively affecting uptime.
  • The IP addresses on the HSRP-tracked interfaces of the standby and active routers should both be either lower or higher on one router than the other. In the case of equal priorities (an HA requirement), HSRP will assign the active state on the basis of the IP address. If an addressing scheme exists so that the public IP address of Router A is lower than the public IP address of Router B, but the opposite is true for their private interfaces, an active/standby-standby/active split condition could exist which will break connectivity.


Note

Each time an active device relinquishes control to become the standby device, the active device will reload. This functionality ensures that the state of the new standby device synchronizes correctly with the new active device.
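Two of the requirements above are checked by nobody but the administrator: the crypto configuration must be identical on both devices (see Prerequisites), and the HSRP settings on each interface pair must obey the rules in the list above. The following pre-flight check is an added Python example, not Cisco's code; the two running-config excerpts are constructed, and the list of top-level commands treated as crypto-relevant is an assumption.

```python
import ipaddress

# Constructed running-config excerpts for the HA pair (sample input, not from the page).
# B drifts from A in two ways the document says break failover: transform set, priority.
ROUTER_A = """\
crypto isakmp key abc123 address 0.0.0.0 0.0.0.0 no-xauth
crypto ipsec transform-set trans1 esp-aes esp-sha-hmac
interface Ethernet0/0
 ip address 209.165.201.1 255.255.255.224
 standby 1 ip 209.165.201.3
 standby 1 name HA-out
 standby 1 track Ethernet1/0
 standby delay reload 120
interface Ethernet1/0
 ip address 10.0.0.1 255.255.255.0
 standby 2 ip 10.0.0.3
 standby 2 name HA-in
 standby 2 track Ethernet0/0
 standby delay reload 120
"""
ROUTER_B = (ROUTER_A.replace("209.165.201.1 ", "209.165.201.2 ")
            .replace("10.0.0.1 ", "10.0.0.2 ")
            .replace("esp-aes", "esp-3des")
            .replace(" standby 1 name HA-out", " standby 1 name HA-out\n standby 1 priority 110"))
# Top-level commands whose blocks the document requires to be identical on both devices.
CRYPTO_PREFIXES = ("crypto ", "ip local pool ", "ip access-list ", "aaa ")

def blocks(config: str) -> list:
    """Split an IOS config into top-level commands, each with its indented sub-lines."""
    out = []
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if not line.startswith(" "):
            out.append([line.rstrip()])
        elif out:
            out[-1].append(line.rstrip())
    return out

def crypto_diff(cfg_a: str, cfg_b: str) -> list:
    """Crypto-relevant blocks present on only one router, reported by their first line."""
    def relevant(cfg: str) -> set:
        return {tuple(b) for b in blocks(cfg) if b[0].startswith(CRYPTO_PREFIXES)}
    a, b = relevant(cfg_a), relevant(cfg_b)
    return sorted(f"only on A: {x[0]}" for x in a - b) + sorted(f"only on B: {x[0]}" for x in b - a)

def hsrp_interfaces(cfg: str) -> dict:
    """Per HSRP interface: the real address plus the settings the pairing rules refer to."""
    result = {}
    for blk in blocks(cfg):
        if not blk[0].startswith("interface "):
            continue
        info = {"ip": None, "group": None, "vip": None, "name": None,
                "priority": "100", "track": None, "reload": 0}
        for line in blk[1:]:
            w = line.split()
            if w[:2] == ["ip", "address"]:
                info["ip"] = ipaddress.ip_address(w[2])
            elif w[:2] == ["standby", "delay"] and "reload" in w:
                info["reload"] = int(w[w.index("reload") + 1])
            elif w[0] == "standby" and w[1].isdigit():
                info["group"] = int(w[1])
                if w[2] in ("ip", "name", "track", "priority"):
                    info["vip" if w[2] == "ip" else w[2]] = w[3]
        if info["group"] is not None:
            result[blk[0].split()[1]] = info
    return result

def hsrp_findings(cfg_a: str, cfg_b: str) -> list:
    """HSRP rules from the task: same group/VIP/name per interface pair, equal priorities,
    tracking of the other interface, reload delay >= 120 s, and an address ordering that
    does not flip between the two interface pairs (the active/standby split condition)."""
    a, b = hsrp_interfaces(cfg_a), hsrp_interfaces(cfg_b)
    out, directions = [], set()
    for ifname in sorted(set(a) & set(b)):
        x, y = a[ifname], b[ifname]
        for key in ("group", "vip", "name", "priority"):
            if x[key] != y[key]:
                out.append(f"{ifname}: {key} differs ({x[key]} vs {y[key]})")
        for label, r in (("A", x), ("B", y)):
            if r["track"] is None:
                out.append(f"{ifname} on {label}: no tracking of the other interface")
            if r["reload"] < 120:
                out.append(f"{ifname} on {label}: standby delay reload {r['reload']} < 120")
        if x["ip"] is not None and y["ip"] is not None:
            directions.add(x["ip"] < y["ip"])
    if len(directions) > 1:
        out.append("address ordering flips between interfaces: active/standby split risk")
    return out
```

Run crypto_diff and hsrp_findings on the two show running-config captures before the first failover test; an empty list from both is the precondition the document's prerequisites describe.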


Before You Begin

Before you perform this task, you must perform one of the following steps to ensure that the correct HSRP settings are configured on the switch that connects the active and standby routers:

  • Enable the spanning-tree portfast command on every switch port that connects to an HSRP-enabled router interface.
  • Disable the Spanning Tree Protocol (STP) on the switch only if your switch does not connect to other switches. Disabling spanning tree in a multiswitch environment may cause network instability.
  • Enable the standby delay minimum [min-delay] reload [reload-delay] command if you do not have access to the switch. The reload-delay argument should be set to a value of at least 120 seconds. This command must be applied to all HSRP interfaces on both routers.

For more information on HSRP instability, see the document Avoiding HSRP Instability in a Switching Environment with Various Router Platforms.

SUMMARY STEPS

1.    enable

2.    configure terminal

3.   interface type number

4.   standby standby-group-number name standby-group-name

5.   standby standby-group-number ip ip-address

6.    standby standby-group-number track interface-type interface-number

7.    standby [group-number] preempt

8.    standby [group-number] timers [msec] hellotime [msec] holdtime

9.    standby delay minimum [min-delay] reload [reload-delay]

10.   Repeat this task on both routers (active and standby) and on both interfaces of each router.

DETAILED STEPS

Command or Action Purpose
Step 1
enable

Example:

Router> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.
Step 2
configure terminal

Example:

Router# configure terminal

Enters global configuration mode.
Step 3
interface type number

Example:

Router(config)# interface Ethernet 0/0

Configures an interface type for the router and enters interface configuration mode.
Step 4
standby standby-group-number name standby-group-name

Example:

Router(config-if)# standby 1 name HA-out

Assigns a user-defined group name to the HSRP redundancy group.

Note    The standby-group-number argument should be the same for both routers that are on directly connected interfaces. However, the standby-group-name argument should be different between two (or more) groups on the same router. The standby-group-number argument can be the same on the other pair of interfaces as well.
Step 5
standby standby-group-number ip ip-address

Example:

Router(config-if)# standby 1 ip 209.165.201.1

Assigns an IP address that is to be “shared” among the members of the HSRP group and owned by the primary IP address.

Note    The virtual IP address must be configured identically on both routers (active and standby) that are on directly connected interfaces.
Step 6
standby standby-group-number track interface-type interface-number

Example:

Router(config-if)# standby 1 track Ethernet1/0

(Optional) Configures HSRP to monitor the second interface so that if either of the two interfaces goes down, HSRP causes failover to the standby device.

Note    Although this command is not required, it is recommended for dual interface configurations.
Step 7
standby [group-number] preempt

Example:

Router(config-if)# standby 1 preempt

Enables HSRP preemption and preemption delay.
Step 8
standby [group-number] timers [msec] hellotime [msec] holdtime

Example:

Router(config-if)# standby 1 timers 1 5

(Optional) Configures the time between hello packets and the time before other routers declare the active Hot Standby or standby router to be down.

  • holdtime–Amount of time the routers take to detect types of failure. A larger hold time means that failure detection will take longer.

For the best stability, it is recommended that you set the hold time between 5 and 10 times the hello interval time; otherwise, a failover could falsely occur when no actual failure has happened.

Step 9
standby delay minimum [min-delay] reload [reload-delay]

Example:

Router(config-if)# standby delay minimum reload 120

Configures the delay period before the initialization of HSRP groups.

Note    It is suggested that you enter 120 as the value for the reload-delay argument and leave the min-delay argument at the preconfigured default value.
Step 10
Repeat this task on both routers (active and standby) and on both interfaces of each router.

Troubleshooting Tips

To help troubleshoot possible HSRP-related configuration problems, issue any of the following HSRP-related debug commands–debug standby errors, debug standby events, and debug standby packets [terse].

Examples

The following example shows how to configure HSRP on a router:

interface Ethernet0/0
 ip address 209.165.201.1 255.255.255.224
 standby 1 ip 209.165.201.3
 standby 1 preempt
 standby 1 name HA-out
 standby 1 track Ethernet1/0
 standby delay reload 120

What to Do Next

After you have successfully configured HSRP on the inside and outside interfaces, you should enable SSO as described in the section “Enabling SSO.”

Enabling SSO

Enabling SSO Interaction with IPsec and IKE

SSO is a method of providing redundancy and synchronization for many Cisco IOS applications and features. SSO is necessary for IPsec and IKE to learn about the redundancy state of the network and to synchronize their internal application state with their redundant peers.

Before You Begin

Before you perform this task, you must:

  • Configure HSRP before enabling SSO.
  • Include the following commands in the SCTP local address section when configuring Inter-Process Communication (IPC):
    • retransmit-timeout retran-min [msec] retran-max [msec]
    • path-retransmit max-path-retries
    • assoc-retransmit max-association-retries


Note

The above commands are included to avoid losing SCTP communication between peers.


SUMMARY STEPS

1.    enable

2.    configure terminal

3.    redundancy inter-device

4.    scheme standby standby-group-name

5.    exit

6.    ipc zone default

7.    association association-ID

8.    protocol sctp

9.    local-port local-port-number

10.    local-ip device-real-ip-address [device-real-ip-address2]

11.    retransmit-timeout retran-min [msec] retran-max [msec]

12.    path-retransmit max-path-retries

13.    assoc-retransmit max-association-retries

14.    exit

15.    remote-port remote-port-number

16.    remote-ip peer-real-ip-address [peer-real-ip-address2]

17.   end

DETAILED STEPS

Command or Action Purpose
Step 1
enable

Example:

Router> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.
Step 2
configure terminal

Example:

Router# configure terminal

Enters global configuration mode.
Step 3
redundancy inter-device

Example:

Router(config)# redundancy inter-device

Configures redundancy and enters inter-device configuration mode.

  • To exit inter-device configuration mode, use the exit command. To remove all inter-device configuration, use the no form of the command.
Step 4
scheme standby standby-group-name

Example:

Router(config-red-interdevice)# scheme standby HA-out

Defines the redundancy scheme. Currently, “standby” is the only supported scheme.

  • standby-group-name–Must match the standby name specified in the standby name interface configuration command. Also, the standby name should be the same on both routers.

Note    Only the active or standby state of the standby group is used for SSO. The VIP address of the standby group is not required or used by SSO. Also, the standby group does not have to be part of any crypto map configuration.
Step 5
exit

Example:

Router(config-red-interdevice)# exit

Exits inter-device configuration mode and returns to global configuration mode.
Step 6
ipc zone default

Example:

Router(config)# ipc zone default

Configures the inter-device communication protocol, Inter-Process Communication (IPC), and enters IPC zone configuration mode.

  • Use this command to initiate the communication link between the active router and standby router.
Step 7
association association-ID

Example:

Router(config-ipczone)# association 1

Configures an association between the two devices and enters IPC association configuration mode.

  • association-ID–Association ID assignment. The value range is from 1 through 255. The association ID must be unique within a specific zone.
Step 8
protocol sctp

Example:

Router(config-ipczone-assoc)# protocol sctp

Configures Stream Control Transmission Protocol (SCTP) as the transport protocol and enters SCTP protocol configuration mode.
Step 9
local-port local-port-number

Example:

Router(config-ipc-protocol-sctp)# local-port 5000

Defines the local SCTP port number that is used to communicate with the redundant peer and enters IPC transport-SCTP local configuration mode.

  • local-port-number–There is no default value. This argument must be configured for the local port to enable inter-device redundancy. Valid port values: 1 to 65535. The local port number should be the same as the remote port number on the peer router.
Step 10
local-ip device-real-ip-address [device-real-ip-address2]

Example:

Router(config-ipc-local-sctp)# local-ip 10.0.0.1

Defines at least one local IP address that is used to communicate with the redundant peer.

  • The local IP addresses must match the remote IP addresses on the peer router. There can be either one or two IP addresses, which must be in the global VRF. A virtual IP address cannot be used.
Step 11
retransmit-timeout retran-min [msec] retran-max [msec]

Example:

Router(config-ipc-local-sctp)# retransmit-timeout 300 10000

Configures the minimum and maximum amount of time, in milliseconds, that SCTP waits before retransmitting data.

  • retran-min–Range is 300 to 60000. Default value is 300.
  • retran-max–Range is 300 to 60000. Default value is 600.
Step 12
path-retransmit max-path-retries

Example:

Router(config-ipc-local-sctp)# path-retransmit 10

Configures the number of consecutive retransmissions SCTP will perform before failing a path within an association.

  • max-path-retries–Range is 2 to 10. Default value is 4 retries.
Step 13
assoc-retransmit max-association-retries

Example:

Router(config-ipc-local-sctp)# assoc-retransmit 10

Configures the number of consecutive retransmissions SCTP will perform before failing an association.

  • max-association-retries–Range is 2 to 10. Default value is 4 retries.
Step 14
exit

Example:

Router(config-ipc-local-sctp)# exit

Exits IPC transport-SCTP local configuration mode and enters SCTP protocol configuration mode.
Step 15
remote-port remote-port-number

Example:

Router(config-ipc-protocol-sctp)# remote-port 5000

Defines the remote SCTP port number that is used to communicate with the redundant peer and enters IPC transport-SCTP remote configuration mode.

  • remote-port-number–There is no default value. This argument must be configured for the remote port to enable inter-device redundancy. Valid port values: 1 to 65535. The remote port number should be the same as the local port number on the peer router.
Step 16
remote-ip peer-real-ip-address [peer-real-ip-address2]

Example:

Router(config-ipc-remote-sctp)# remote-ip 10.0.0.2

Defines at least one remote IP address of the redundant peer that is used to communicate with the local device.

  • All remote IP addresses must refer to the same device.
  • A virtual IP address cannot be used.
Step 17
end

Example:

Router(config-ipc-remote-sctp)# end

Exits IPC transport-SCTP remote configuration mode and returns to privileged EXEC mode.

Troubleshooting Tips

To help troubleshoot possible SSO-related configuration problems, use the debug redundancy command.

Examples

The following example shows how to enable SSO:

!
redundancy inter-device
 scheme standby HA-out
!
!
ipc zone default
 association 1
  no shutdown
  protocol sctp
   local-port 5000
    local-ip 10.0.0.1
    retransmit-timeout 300 10000
    path-retransmit 10
    assoc-retransmit 10
   remote-port 5000
    remote-ip 10.0.0.2
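The SSO association only comes up when the two sides of the SCTP link mirror each other, and the steps above spell out the rules: the local port and real IP addresses on one router must equal the remote port and addresses on its peer, no virtual IP may be used, the scheme name must match a standby name, and the retransmit values have fixed ranges. The following check is an added Python example, not Cisco's code; router A is the example above plus its HSRP interfaces, router B is a constructed mirror with one deliberate mistake (remote-port 5001).

```python
import re

# Constructed configs (not from the page): router A is the document's SSO example
# plus its HSRP interfaces; router B is the mirrored copy with one deliberate
# mistake, remote-port 5001, which must equal A's local-port 5000.
ROUTER_A = """\
interface Ethernet0/0
 standby 1 ip 209.165.201.3
 standby 1 name HA-out
interface Ethernet1/0
 ip address 10.0.0.1 255.255.255.0
 standby 2 ip 10.0.0.3
 standby 2 name HA-in
redundancy inter-device
 scheme standby HA-out
ipc zone default
 association 1
  no shutdown
  protocol sctp
   local-port 5000
    local-ip 10.0.0.1
    retransmit-timeout 300 10000
    path-retransmit 10
    assoc-retransmit 10
   remote-port 5000
    remote-ip 10.0.0.2
"""
ROUTER_B = (ROUTER_A.replace("local-ip 10.0.0.1", "local-ip 10.0.0.2")
            .replace("remote-ip 10.0.0.2", "remote-ip 10.0.0.1")
            .replace("ip address 10.0.0.1", "ip address 10.0.0.2")
            .replace("remote-port 5000", "remote-port 5001"))

def _first(cfg: str, pattern: str):
    """First match of a one-group regex, or None."""
    m = re.search(pattern, cfg, re.M)
    return m.group(1) if m else None

def _ints(cfg: str, pattern: str, default: tuple) -> tuple:
    m = re.search(pattern, cfg, re.M)
    return tuple(int(g) for g in m.groups()) if m else default

def sso_settings(cfg: str) -> dict:
    """Values the SSO task sets (steps 4 and 9 to 16), plus the HSRP names and VIPs."""
    return {
        "scheme": _first(cfg, r"^ scheme standby (\S+)"),
        "standby_names": set(re.findall(r"^ standby \d+ name (\S+)", cfg, re.M)),
        "vips": set(re.findall(r"^ standby \d+ ip (\S+)", cfg, re.M)),
        "local_port": _first(cfg, r"^\s*local-port (\d+)"),
        "remote_port": _first(cfg, r"^\s*remote-port (\d+)"),
        "local_ips": set((_first(cfg, r"^\s*local-ip (.+)$") or "").split()),
        "remote_ips": set((_first(cfg, r"^\s*remote-ip (.+)$") or "").split()),
        # Defaults per the step table: retransmit 300/600 ms, 4 retries each.
        "retrans": _ints(cfg, r"^\s*retransmit-timeout (\d+) (\d+)", (300, 600)),
        "path": _ints(cfg, r"^\s*path-retransmit (\d+)", (4,)),
        "assoc": _ints(cfg, r"^\s*assoc-retransmit (\d+)", (4,)),
    }

def sso_findings(cfg_a: str, cfg_b: str) -> list:
    """Check that the IPC/SCTP association is mirrored between the peers and that
    each side's values respect the documented rules and ranges."""
    a, b = sso_settings(cfg_a), sso_settings(cfg_b)
    out = []
    for me, peer, s, p in (("A", "B", a, b), ("B", "A", b, a)):
        if s["scheme"] not in s["standby_names"]:
            out.append(f"{me}: scheme standby {s['scheme']} matches no standby name")
        if s["local_port"] != p["remote_port"]:
            out.append(f"remote-port on {peer} ({p['remote_port']}) != local-port on {me} ({s['local_port']})")
        if s["local_ips"] != p["remote_ips"]:
            out.append(f"remote-ip on {peer} {sorted(p['remote_ips'])} != local-ip on {me} {sorted(s['local_ips'])}")
        for ip in sorted(s["local_ips"] | s["remote_ips"]):
            if ip in s["vips"] | p["vips"]:
                out.append(f"{me}: {ip} is an HSRP virtual IP, not a real interface address")
        rmin, rmax = s["retrans"]
        if not 300 <= rmin <= rmax <= 60000:
            out.append(f"{me}: retransmit-timeout {rmin} {rmax} out of range 300..60000 or min > max")
        for key in ("path", "assoc"):
            if not 2 <= s[key][0] <= 10:
                out.append(f"{me}: {key}-retransmit {s[key][0]} out of range 2..10")
    if a["scheme"] != b["scheme"]:
        out.append(f"scheme standby names differ: {a['scheme']} vs {b['scheme']}")
    return out
```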

The following example shows how to configure RRI on the static crypto map “to-peer-outside”:

crypto map to-peer-outside redundancy replay-interval inbound 1000 outbound 10000
crypto map to-peer-outside 10 ipsec-isakmp 
 set peer 209.165.200.225
 set transform-set trans1 
 match address peer-outside
 reverse-route
interface Ethernet0/0
 ip address 209.165.201.1 255.255.255.224
 standby 1 ip 209.165.201.3
 standby 1 preempt
 standby 1 name HA-out
 standby 1 track Ethernet1/0
 crypto map to-peer-outside redundancy HA-out stateful

Enabling Stateful Failover for Tunnel Protection

crypto ipsec profile peer-profile
 redundancy HA-out stateful

interface Tunnel1
 ip unnumbered Loopback 0
 tunnel source 209.165.201.3
 tunnel destination 10.0.0.5
 tunnel protection ipsec profile peer-profile
!
interface Ethernet0/0
 ip address 209.165.201.1 255.255.255.224
 standby 1 ip 209.165.201.3
 standby 1 name HA-out

crypto isakmp key abc123 address 0.0.0.0 0.0.0.0 no-xauth
!
crypto ipsec transform-set trans2 ah-md5-hmac esp-aes
!
crypto ipsec profile sso-secure
 set transform-set trans2
!
redundancy inter-device
 scheme standby HA-out
 security ipsec sso-secure
crypto map to-peer-outside redundancy replay-interval inbound 1000 outbound 10000
crypto map to-peer-outside 10 ipsec-isakmp
 set peer 209.165.200.225
 set transform-set trans1
 match address peer-outside

Verifying the Active Device

Router# show redundancy states

       my state = 13 -ACTIVE 
     peer state = 8  -STANDBY HOT 
           Mode = Duplex
        Unit ID = 0
     Split Mode = Disabled
   Manual Swact = Enabled
 Communications = Up
   client count = 7
 client_notification_TMR = 30000 milliseconds
          keep_alive TMR = 4000 milliseconds
        keep_alive count = 0 
    keep_alive threshold = 7 
           RF debug mask = 0x0   

Router# show crypto isakmp sa active

dst             src             state          conn-id slot status
209.165.201.3   209.165.200.225 QM_IDLE              5    0 ACTIVE

Router# show crypto ipsec sa active