I might be stating the obvious, as I can't quite remember the state sequence for SSO off the top of my head, but are you aware that you must reboot each device to initialise it fully? That's if you do have the AIM-VPN module installed as stated, of course.
The last time I checked all ISRs do not have the AIM VPN mod as standard, it's optional and if my memory serves me correct this is not actually available in the lab either. I recall tearing out the little hair I have with this technology, not one of my favourite study topics ;)

Stu

On Tue, Apr 6, 2010 at 6:50 PM, Kingsley Charles <[email protected]> wrote:

> Hi Tyson/Brandon
>
> I have AIM-VPN/EPII-Plus enabled on both the routers.
>
> I went through the stateful IPSec of IPexpert lab. The configuration that
> I am using now is same as the example given in the following link.
>
> The only difference is that I have enabled HSRP on only one interface. The
> local ip/remote ip are off the interface which has HSRP and crypto map.
>
> http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_failover_ipsec_ps6441_TSD_Products_Configuration_Guide_Chapter.html
>
> With regards
> Kings
>
> On Tue, Apr 6, 2010 at 10:27 PM, Kingsley Charles <[email protected]> wrote:
>
>> All the ISRs have an inbuilt onboard VPN module.
>>
>> With regards
>> Kings
>>
>> On Tue, Apr 6, 2010 at 9:03 PM, Brandon Carroll <[email protected]> wrote:
>>
>>> Tyson is correct. I was thinking of Stateful Failover minus the IPSec
>>> part.
>>>
>>> ipc zone default
>>>  association 1
>>>   no shutdown
>>>   protocol sctp
>>>    local-port 55001
>>>     local-ip 9.9.156.6
>>>    remote-port 50001
>>>     remote-ip 9.9.156.11
>>>
>>> http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_fwall_state_fov.html#wp1167791
>>>
>>> I did in fact forget about the requirements:
>>>
>>> The Cisco Integrated Services Routers (ISRs) and the VPN modules that
>>> support stateful failover for IPsec are as follows:
>>>
>>> –The AIM-VPN/BPII-PLUS and AIM-VPN/SSL-1 hardware encryption modules are
>>> supported in a Cisco 1841 router.
>>>
>>> –The AIM-VPN/EPII-Plus and AIM-VPN/SSL-2 hardware encryption modules are
>>> supported in Cisco 2801, 2811, 2821 and 2851 routers.
>>>
>>> –The AIM-VPN/EPII+ and AIM-VPN/SSL-3 hardware encryption modules are
>>> supported in a Cisco 3825 router.
>>>
>>> –The AIM-VPN/HPII+ and AIM-VPN/SSL3 hardware encryption modules are
>>> supported in a Cisco 3845 router.
>>>
>>> –The VPN Acceleration Module (VAM) and VAM2 hardware encryption modules
>>> are supported in a Cisco 7200 series router.
>>>
>>> Found here:
>>> http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_failover_ipsec_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1043332
>>>
>>> Regards,
>>>
>>> Brandon Carroll - CCIE #23837
>>> Senior Technical Instructor - IPexpert
>>> Mailto: [email protected]
>>> Telephone: +1.810.326.1444
>>> Live Assistance, Please visit: www.ipexpert.com/chat
>>> eFax: +1.810.454.0130
>>>
>>> IPexpert is a premier provider of Self-Study Workbooks, Video on Demand,
>>> Audio Tools, Online Hardware Rental and Classroom Training for the Cisco
>>> CCIE (R&S, Voice, Security & Service Provider) certification(s) with
>>> training locations throughout the United States, Europe, South Asia and
>>> Australia. Be sure to visit our online communities at
>>> www.ipexpert.com/communities and our public website at www.ipexpert.com
>>>
>>> On Apr 6, 2010, at 8:23 AM, Tyson Scott wrote:
>>>
>>> You must have an AIM-VPN module installed to do testing with SSO.
>>>
>>> Regards,
>>>
>>> Tyson Scott - CCIE #13513 R&S, Security, and SP
>>> Technical Instructor - IPexpert, Inc.
>>> Mailto: [email protected]
>>> Telephone: +1.810.326.1444, ext. 208
>>> Live Assistance, Please visit: www.ipexpert.com/chat
>>> eFax: +1.810.454.0130
>>>
>>> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Kingsley Charles
>>> *Sent:* Tuesday, April 06, 2010 7:17 AM
>>> *To:* [email protected]
>>> *Subject:* [OSL | CCIE_Security] IPSec with SSO
>>>
>>> Hi all
>>>
>>> I am trying to configure IPSec with SSO.
>>>
>>> router1#show redundancy states
>>> my state = 13 -ACTIVE
>>> peer state = 1 -DISABLED
>>> Mode = Simplex
>>> Unit ID = 0
>>>
>>> Can someone please let me know the reasons why the peer state is
>>> disabled.
>>>
>>> With regards
>>> Kings
>>> _______________________________________________
>>> For more information regarding industry leading CCIE Lab training, please
>>> visit www.ipexpert.com

--
Regards,

Stuart Hare
CCIE #25616 (Security), CCSP, Microsoft MCP
Sr. Support Engineer – IPexpert, Inc.
URL: http://www.IPexpert.com
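An added example, not part of the original thread or any poster's code: a small Python check for the two artefacts this thread turns on, the `show redundancy states` output and the `ipc zone default` SCTP association, whose local side on one router has to be the remote side on its peer. Router B's stanza is constructed here as the mirror of the quoted one, the function names are hypothetical, and the check assumes a healthy pair reports a `STANDBY HOT` peer in `Duplex` mode.

```python
import re

# 'show redundancy states' output posted in the thread.
SHOW_REDUNDANCY = """my state = 13 -ACTIVE
peer state = 1 -DISABLED
Mode = Simplex
Unit ID = 0"""

# Router A: the ipc stanza quoted in the thread.
ROUTER_A = """ipc zone default
 association 1
  no shutdown
  protocol sctp
   local-port 55001
    local-ip 9.9.156.6
   remote-port 50001
    remote-ip 9.9.156.11"""

# Router B: constructed for this example as the mirror image of router A.
ROUTER_B = """ipc zone default
 association 1
  no shutdown
  protocol sctp
   local-port 50001
    local-ip 9.9.156.11
   remote-port 55001
    remote-ip 9.9.156.6"""

def parse_states(text):
    """Turn 'key = value' lines into a dict with lower-cased keys."""
    return {k.strip().lower(): v.strip() for k, v in re.findall(r"^(.+?)=(.+)$", text, re.M)}

def peer_ready(states):
    """True only when the peer is a hot standby and the pair runs duplex (assumed healthy state)."""
    return "STANDBY HOT" in states.get("peer state", "") and states.get("mode") == "Duplex"

def parse_association(config):
    """Pull the SCTP endpoint values out of an ipc association stanza."""
    return dict(re.findall(r"^\s*((?:local|remote)-(?:port|ip))\s+(\S+)", config, re.M))

def mirror_errors(a, b):
    """Fields where A's local side is not B's remote side, or vice versa."""
    errors = []
    for field in ("local-port", "local-ip", "remote-port", "remote-ip"):
        side, kind = field.split("-")
        other = ("remote-" if side == "local" else "local-") + kind
        if a.get(field) is None or a.get(field) != b.get(other):
            errors.append(f"A {field}={a.get(field)}, B {other}={b.get(other)}")
    return errors
```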
