My config
*Router A*
**
redundancy inter-device
scheme standby king
!
!
redundancy
no keepalive-enable
ipc zone default
association 1
no shutdown
protocol sctp
local-port 1234
local-ip 10.20.30.41
retransmit-timeout 300 1234
path-retransmit 3
assoc-retransmit 3
remote-port 1234
remote-ip 10.20.30.42
crypto isakmp policy 1
authentication pre-share
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto map king 1 ipsec-isakmp
set peer 10.20.30.41
set transform-set tran
match address 123
reverse-route static
interface GigabitEthernet0/0
ip address 10.20.30.41 255.255.255.0
duplex auto
speed auto
standby 4 ip 10.20.30.43
standby 4 priority 123
standby 4 preempt
standby 4 name king
crypto map king redundancy king stateful
*Router B*
redundancy inter-device
scheme standby king
!
!
redundancy
!
!
ipc zone default
association 1
no shutdown
protocol sctp
local-port 1234
local-ip 10.20.30.42
retransmit-timeout 300 1234
path-retransmit 3
assoc-retransmit 3
remote-port 1234
remote-ip 10.20.30.41
crypto isakmp policy 1
authentication pre-share
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
!
crypto map king 1 ipsec-isakmp
set peer 10.20.30.41
set transform-set tran
match address 123
reverse-route static
interface GigabitEthernet0/0
ip address 10.20.30.42 255.255.255.0
duplex auto
speed auto
standby 1 preempt
standby 4 ip 10.20.30.43
standby 4 preempt
standby 4 name king
crypto map king redundancy king stateful
On Wed, Apr 7, 2010 at 2:52 AM, Stuart Hare <[email protected]> wrote:
> I might be stating the obvious, as I cant quite remember the state sequence
> for SSO of the top of my head, but are you aware that you must reboot each
> device to initialise it fully. Thats if you do have the AIM-VPN module
> installed as stated of course.
>
> The last time I checked all ISR's do not have the AIM VPN mod as standard,
> its optional and if my memory serves me correct this is not actually
> available in the lab either.
>
> I recall tearing out the little hair I have with this technology, not one
> of my favourite study topics ;)
>
> Stu
>
> On Tue, Apr 6, 2010 at 6:50 PM, Kingsley Charles <
> [email protected]> wrote:
>
>> Hi Tyson/Brandon
>>
>> I have AIM-VPN/EPII-Plus enabled on both the routers.
>>
>> I went through the stateful IPSec of IPexpert lab. The configuration that
>> I am using now is same as the example given in the following link.
>>
>> The only difference is that I have enabled HSRP on only one interface. The
>> local ip/remote ip are off the interface which has HSRP and cryptp map.
>>
>>
>> http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_failover_ipsec_ps6441_TSD_Products_Configuration_Guide_Chapter.html
>>
>>
>> With regards
>> Kings
>>
>> On Tue, Apr 6, 2010 at 10:27 PM, Kingsley Charles <
>> [email protected]> wrote:
>>
>>> All the ISRs has inbuilt onboard VPN module.
>>>
>>>
>>> With regards
>>> Kings
>>>
>>> On Tue, Apr 6, 2010 at 9:03 PM, Brandon Carroll <[email protected]
>>> > wrote:
>>>
>>>> Tyson is correct. I was thinking of Stateful Failover minus the IPSec
>>>> part.
>>>>
>>>> ipc zone default
>>>> association 1
>>>> no shutdown
>>>> protocol sctp
>>>> local-port 55001
>>>> local-ip 9.9.156.6
>>>> remote-port 50001
>>>> remote-ip 9.9.156.11
>>>>
>>>>
>>>>
>>>> http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_fwall_state_fov.html#wp1167791
>>>>
>>>> I did in fact forget about the requirements:
>>>>
>>>> The Cisco Integrated Services Routers (ISRs) and the VPN modules that
>>>> support stateful failover for IPsec are as follows:
>>>>
>>>> –The AIM-VPN/BPII-PLUS and AIM-VPN/SSL-1 hardware encryption modules
>>>> are supported in a Cisco 1841 router.
>>>>
>>>> –The AIM-VPN/EPII-Plus and AIM-VPN/SSL-2 hardware encryption modules
>>>> are supported in Cisco 2801, 2811, 2821 and 2851 routers.
>>>>
>>>> –The AIM-VPN/EPII+ and AIM-VPN/SSL-3 hardware encryption modules are
>>>> supported in a Cisco 3825 router.
>>>>
>>>> –The AIM-VPN/HPII+ and AIM-VPN/SSL3 hardware encryption modules are
>>>> supported in a Cisco 3845 router.
>>>>
>>>> –The VPN Acceleration Module (VAM) and VAM2 hardware encryption modules
>>>> are supported in a Cisco 7200 series router.
>>>>
>>>> Found here:
>>>> http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_failover_ipsec_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1043332
>>>>
>>>>
>>>>
>>>> Regards,
>>>>
>>>> Brandon Carroll - CCIE #23837
>>>> Senior Technical Instructor - IPexpert
>>>> Mailto: [email protected]
>>>> Telephone: +1.810.326.1444
>>>> Live Assistance, Please visit: www.ipexpert.com/chat
>>>> eFax: +1.810.454.0130
>>>>
>>>> IPexpert is a premier provider of Self-Study Workbooks, Video on Demand,
>>>> Audio Tools, Online Hardware Rental and Classroom Training for the Cisco
>>>> CCIE (R&S, Voice, Security & Service Provider) certification(s) with
>>>> training locations throughout the United States, Europe, South Asia and
>>>> Australia. Be sure to visit our online communities at
>>>> www.ipexpert.com/communities and our public website at www.ipexpert.com
>>>>
>>>>
>>>>
>>>> On Apr 6, 2010, at 8:23 AM, Tyson Scott wrote:
>>>>
>>>> You must have an AIM-VPN module installed to do testing with SSO.
>>>>
>>>> Regards,
>>>>
>>>> Tyson Scott - CCIE #13513 R&S, Security, and SP
>>>> Technical Instructor - IPexpert, Inc.
>>>> Mailto: [email protected]
>>>> Telephone: +1.810.326.1444, ext. 208
>>>> Live Assistance, Please visit: www.ipexpert.com/chat
>>>> eFax: +1.810.454.0130
>>>>
>>>> IPexpert is a premier provider of Self-Study Workbooks, Video on Demand,
>>>> Audio Tools, Online Hardware Rental and Classroom Training for the Cisco
>>>> CCIE (R&S, Voice, Security & Service Provider) certification(s) with
>>>> training locations throughout the United States, Europe, South Asia and
>>>> Australia. Be sure to visit our online communities at
>>>> www.ipexpert.com/communities and our public website atwww.ipexpert.com
>>>>
>>>> *From:* [email protected] [mailto:
>>>> [email protected]] *On Behalf Of *Kingsley
>>>> Charles
>>>> *Sent:* Tuesday, April 06, 2010 7:17 AM
>>>> *To:* [email protected]
>>>> *Subject:* [OSL | CCIE_Security] IPSec with SSO
>>>>
>>>> Hi all
>>>>
>>>> I am trying to configure IPSec with SSO.
>>>>
>>>>
>>>> router1#show redundancy states
>>>> my state = 13 -ACTIVE
>>>> peer state = 1 -DISABLED
>>>> Mode = Simplex
>>>> Unit ID = 0
>>>>
>>>>
>>>> Can someone please let me know the reasons, why the peer state is
>>>> disabled.
>>>>
>>>>
>>>>
>>>> With regards
>>>> Kings
>>>> _______________________________________________
>>>> For more information regarding industry leading CCIE Lab training,
>>>> please visit www.ipexpert.com
>>>>
>>>>
>>>>
>>>
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
>>
>>
>
>
> --
> Regards,
>
> Stuart Hare
> CCIE #25616 (Security), CCSP, Microsoft MCP
> Sr. Support Engineer – IPexpert, Inc.
> URL: http://www.IPexpert.com <http://www.ipexpert.com/>
>
<<blank.gif>>
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
