Kingsley,
I notice in your crypto map that you have the peer as your SSO peer. SSO is between a redundant IPSec pair. They should both have the same IPSec configuration applied to them. The remote peer should not be considered part of SSO. The remote peer should be peering with the HSRP address of the redundant SSO pair. What does the command "show redundancy inter-device" show?

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

IPexpert is a premier provider of Self-Study Workbooks, Video on Demand, Audio Tools, Online Hardware Rental and Classroom Training for the Cisco CCIE (R&S, Voice, Security & Service Provider) certification(s) with training locations throughout the United States, Europe, South Asia and Australia. Be sure to visit our online communities at www.ipexpert.com/communities and our public website at www.ipexpert.com

From: Kingsley Charles [mailto:[email protected]]
Sent: Wednesday, April 07, 2010 2:37 PM
To: Stuart Hare
Cc: Brandon Carroll; [email protected]; Tyson Scott
Subject: Re: [OSL | CCIE_Security] IPSec with SSO

My config

Router A

    redundancy inter-device
     scheme standby king
    !
    !
    redundancy
     no keepalive-enable
    !
    ipc zone default
     association 1
      no shutdown
      protocol sctp
       local-port 1234
        local-ip 10.20.30.41
        retransmit-timeout 300 1234
        path-retransmit 3
        assoc-retransmit 3
       remote-port 1234
        remote-ip 10.20.30.42
    !
    crypto isakmp policy 1
     authentication pre-share
    crypto isakmp key cisco address 0.0.0.0 0.0.0.0
    !
    crypto map king 1 ipsec-isakmp
     set peer 10.20.30.41
     set transform-set tran
     match address 123
     reverse-route static
    !
    interface GigabitEthernet0/0
     ip address 10.20.30.41 255.255.255.0
     duplex auto
     speed auto
     standby 4 ip 10.20.30.43
     standby 4 priority 123
     standby 4 preempt
     standby 4 name king
     crypto map king redundancy king stateful

Router B

    redundancy inter-device
     scheme standby king
    !
    !
    redundancy
    !
    !
    ipc zone default
     association 1
      no shutdown
      protocol sctp
       local-port 1234
        local-ip 10.20.30.42
        retransmit-timeout 300 1234
        path-retransmit 3
        assoc-retransmit 3
       remote-port 1234
        remote-ip 10.20.30.41
    !
    crypto isakmp policy 1
     authentication pre-share
    crypto isakmp key cisco address 0.0.0.0 0.0.0.0
    !
    !
    crypto map king 1 ipsec-isakmp
     set peer 10.20.30.41
     set transform-set tran
     match address 123
     reverse-route static
    !
    interface GigabitEthernet0/0
     ip address 10.20.30.42 255.255.255.0
     duplex auto
     speed auto
     standby 1 preempt
     standby 4 ip 10.20.30.43
     standby 4 preempt
     standby 4 name king
     crypto map king redundancy king stateful

On Wed, Apr 7, 2010 at 2:52 AM, Stuart Hare <[email protected]> wrote:

I might be stating the obvious, as I can't quite remember the state sequence for SSO off the top of my head, but are you aware that you must reboot each device to initialise it fully? That's if you do have the AIM-VPN module installed as stated, of course. The last time I checked, all ISRs do not have the AIM VPN mod as standard; it's optional, and if my memory serves me correctly this is not actually available in the lab either.
I recall tearing out the little hair I have with this technology, not one of my favourite study topics ;)

Stu

On Tue, Apr 6, 2010 at 6:50 PM, Kingsley Charles <[email protected]> wrote:

Hi Tyson/Brandon

I have AIM-VPN/EPII-Plus enabled on both the routers. I went through the stateful IPSec lab of IPexpert. The configuration that I am using now is the same as the example given in the following link. The only difference is that I have enabled HSRP on only one interface. The local ip/remote ip are off the interface which has HSRP and the crypto map.

http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_failover_ipsec_ps6441_TSD_Products_Configuration_Guide_Chapter.html

With regards
Kings

On Tue, Apr 6, 2010 at 10:27 PM, Kingsley Charles <[email protected]> wrote:

All the ISRs have an inbuilt onboard VPN module.

With regards
Kings

On Tue, Apr 6, 2010 at 9:03 PM, Brandon Carroll <[email protected]> wrote:

Tyson is correct. I was thinking of Stateful Failover minus the IPSec part.

    ipc zone default
     association 1
      no shutdown
      protocol sctp
       local-port 55001
        local-ip 9.9.156.6
       remote-port 50001
        remote-ip 9.9.156.11

http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_fwall_state_fov.html#wp1167791

I did in fact forget about the requirements:

The Cisco Integrated Services Routers (ISRs) and the VPN modules that support stateful failover for IPsec are as follows:

- The AIM-VPN/BPII-PLUS and AIM-VPN/SSL-1 hardware encryption modules are supported in a Cisco 1841 router.
- The AIM-VPN/EPII-Plus and AIM-VPN/SSL-2 hardware encryption modules are supported in Cisco 2801, 2811, 2821 and 2851 routers.
- The AIM-VPN/EPII+ and AIM-VPN/SSL-3 hardware encryption modules are supported in a Cisco 3825 router.
- The AIM-VPN/HPII+ and AIM-VPN/SSL3 hardware encryption modules are supported in a Cisco 3845 router.
- The VPN Acceleration Module (VAM) and VAM2 hardware encryption modules are supported in a Cisco 7200 series router.
Found here: http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_failover_ipsec_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1043332

Regards,

Brandon Carroll - CCIE #23837
Senior Technical Instructor - IPexpert
Mailto: [email protected]
Telephone: +1.810.326.1444
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

On Apr 6, 2010, at 8:23 AM, Tyson Scott wrote:

You must have an AIM-VPN module installed to do testing with SSO.

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
Sent: Tuesday, April 06, 2010 7:17 AM
To: [email protected]
Subject: [OSL | CCIE_Security] IPSec with SSO

Hi all

I am trying to configure IPSec with SSO.
    router1#show redundancy states
    my state = 13 -ACTIVE
    peer state = 1 -DISABLED
    Mode = Simplex
    Unit ID = 0

Can someone please let me know the reasons why the peer state is disabled?

With regards
Kings

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com

--
Regards,
Stuart Hare
CCIE #25616 (Security), CCSP, Microsoft MCP
Sr. Support Engineer - IPexpert, Inc.
URL: http://www.IPexpert.com
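Tyson's point at the top of the thread (both routers of the SSO pair carry the same IPsec configuration, and the crypto map's peer must be the remote device, not a member of the pair) can be checked mechanically before the pair is brought up. The script below is an added example and is not code from the thread, from IPexpert or from Cisco. It embeds the SSO- and IPsec-relevant lines of the two configs Kingsley posted as constructed sample input (the full configs have more lines) and flags a `set peer` that points at one of the pair's own addresses, crypto map entries that differ between the two routers, HSRP virtual addresses that differ, and SCTP endpoints that are not mirrored. The address 192.0.2.10 mentioned in the usage note is a placeholder for the real remote peer, which the thread never names.

```python
import re

# Constructed sample input: the SSO/IPsec-relevant lines of the two configs
# posted in this thread (Router A and Router B). Not complete IOS configurations.
ROUTER_A = """\
ipc zone default
 association 1
  protocol sctp
   local-port 1234
    local-ip 10.20.30.41
   remote-port 1234
    remote-ip 10.20.30.42
crypto map king 1 ipsec-isakmp
 set peer 10.20.30.41
 set transform-set tran
 match address 123
 reverse-route static
interface GigabitEthernet0/0
 ip address 10.20.30.41 255.255.255.0
 standby 4 ip 10.20.30.43
 crypto map king redundancy king stateful
"""

ROUTER_B = """\
ipc zone default
 association 1
  protocol sctp
   local-port 1234
    local-ip 10.20.30.42
   remote-port 1234
    remote-ip 10.20.30.41
crypto map king 1 ipsec-isakmp
 set peer 10.20.30.41
 set transform-set tran
 match address 123
 reverse-route static
interface GigabitEthernet0/0
 ip address 10.20.30.42 255.255.255.0
 standby 4 ip 10.20.30.43
 crypto map king redundancy king stateful
"""


def parse(cfg):
    """Extract the facts the pair check needs from one router's config text."""
    facts = {"interface_ips": set(), "hsrp_vip": set(), "peers": set(),
             "crypto_map": [], "sctp": {}}
    in_map = False
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line:
            continue
        # A crypto map entry is its header line plus the indented lines under it.
        if re.match(r"crypto map \S+ \d+ ipsec-isakmp$", line):
            in_map = True
        elif not raw.startswith(" "):
            in_map = False
        if in_map:
            facts["crypto_map"].append(line)
        for key, pattern in (("interface_ips", r"^ip address (\S+) \S+"),
                             ("hsrp_vip", r"^standby \d+ ip (\S+)"),
                             ("peers", r"^set peer (\S+)")):
            m = re.match(pattern, line)
            if m:
                facts[key].add(m.group(1))
        m = re.match(r"^(local|remote)-(ip|port) (\S+)$", line)
        if m:
            facts["sctp"][f"{m.group(1)}-{m.group(2)}"] = m.group(3)
    return facts


def check_pair(cfg_a, cfg_b):
    """Return a list of findings; an empty list means the pair looks consistent."""
    a, b = parse(cfg_a), parse(cfg_b)
    findings = []
    # Every address owned by the pair: both physical interfaces plus the HSRP VIP.
    own = a["interface_ips"] | b["interface_ips"] | a["hsrp_vip"] | b["hsrp_vip"]
    vip = ", ".join(sorted(a["hsrp_vip"] | b["hsrp_vip"])) or "<HSRP address>"
    for name, facts in (("Router A", a), ("Router B", b)):
        for peer in sorted(facts["peers"]):
            if peer in own:
                findings.append(f"{name}: set peer {peer} is an address of the SSO pair "
                                f"itself; the remote device should peer with the HSRP "
                                f"address {vip} instead")
    if a["crypto_map"] != b["crypto_map"]:
        findings.append("crypto map entries differ between the two routers")
    if a["hsrp_vip"] != b["hsrp_vip"]:
        findings.append("HSRP virtual addresses differ between the two routers")
    # The SCTP association is point-to-point: A's local side must be B's remote side.
    for local, remote in (("local-ip", "remote-ip"), ("local-port", "remote-port")):
        if (a["sctp"].get(local) != b["sctp"].get(remote)
                or b["sctp"].get(local) != a["sctp"].get(remote)):
            findings.append(f"SCTP {local}/{remote} are not mirrored between the two routers")
    return findings


if __name__ == "__main__":
    for finding in check_pair(ROUTER_A, ROUTER_B) or ["no findings"]:
        print(finding)
```

Run as-is, it reports the same problem on both routers: `set peer 10.20.30.41` names Router A itself. Replacing that line on both routers with the remote device's address (for instance the placeholder 192.0.2.10) clears both findings while leaving the mirrored SCTP endpoints and the identical crypto map untouched, which is the state Tyson describes.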
