Here is a working configuration I did for the VoD. You will see that the configuration below is very similar to yours, so I don't see any errors beyond what I already mentioned.
track 1 ip route 15.15.15.15 255.255.255.255 reachability
track 2 interface FastEthernet0/1 ip routing
track 3 list boolean and
 object 1
 object 2
interface FastEthernet0/1
 standby version 2
 standby 608 ip 192.1.68.254
 standby 608 priority 120
 standby 608 preempt delay minimum 20 reload 40 sync 30
 standby 608 timers msec 100 1
 standby 608 name HSRP_608
 standby 608 track 3 decrement 30
!
ip access-list extended HA_VPN
 permit ip host 6.6.6.6 host 8.8.8.8
 permit ip host 6.6.6.6 192.1.8.0 0.0.0.255
!
crypto isakmp key cisco address 192.1.68.8
!
crypto ipsec transform-set AES-128 esp-aes esp-sha-hmac
crypto map HA_VPN 10 ipsec-isakmp
 set peer 192.1.68.8
 set transform-set AES-128
 match address HA_VPN
 reverse-route
!
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 2 on-demand
!
redundancy inter-device
 scheme standby HSRP_608
!
ipc zone default
 association 1
  protocol sctp
   local-port 5000
    local-ip 192.1.6.6
   remote-port 5000
    remote-ip 192.1.6.1
interface FastEthernet0/1
 crypto map HA_VPN redundancy HSRP_608 stateful
Regards,
Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130
IPexpert is a premier provider of Self-Study Workbooks, Video on Demand,
Audio Tools, Online Hardware Rental and Classroom Training for the Cisco
CCIE (R&S, Voice, Security & Service Provider) certification(s) with
training locations throughout the United States, Europe, South Asia and
Australia. Be sure to visit our online communities at
www.ipexpert.com/communities and our public website at www.ipexpert.com
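As an added example (my own script, not code from Tyson, Cisco or anyone else in this thread), the following Python cross-checks the two halves of an SSO pair for the settings the posted configurations show must agree before the IPC association can come up: the SCTP local/remote addresses and ports must be a mirror image of each other, and one HSRP group name must tie together `scheme standby`, `standby <group> name` and `crypto map ... redundancy <group> stateful`. It is run over the redundancy-relevant lines of the Router A / Router B configuration posted below and over a constructed copy with a transposed remote-ip and a dropped `stateful` keyword. It checks only what the posted configurations expose; it says nothing about the hardware-module requirement discussed further down.

```python
"""Cross-check a Cisco IOS stateful IPsec failover (SSO) router pair.

Added example, not from the mailing-list thread or from Cisco. Reads both
routers' configurations as plain text and reports the settings that must
agree before the redundancy peer can leave the DISABLED state.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class RedundancyView:
    """The SSO-relevant settings pulled from one router's configuration."""
    local_ip: Optional[str] = None
    remote_ip: Optional[str] = None
    local_port: Optional[int] = None
    remote_port: Optional[int] = None
    scheme: Optional[str] = None                                     # scheme standby <name>
    standby_names: Dict[int, str] = field(default_factory=dict)      # HSRP group -> name
    crypto_redundancy: Dict[str, str] = field(default_factory=dict)  # crypto map -> group name
    stateful: Dict[str, bool] = field(default_factory=dict)          # crypto map -> 'stateful' seen


def parse_config(text: str) -> RedundancyView:
    """Line-based extraction; indentation is ignored so pasted configs work too."""
    view = RedundancyView()
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"local-ip\s+(\S+)", line):
            view.local_ip = m.group(1)
        elif m := re.fullmatch(r"remote-ip\s+(\S+)", line):
            view.remote_ip = m.group(1)
        elif m := re.fullmatch(r"local-port\s+(\d+)", line):
            view.local_port = int(m.group(1))
        elif m := re.fullmatch(r"remote-port\s+(\d+)", line):
            view.remote_port = int(m.group(1))
        elif m := re.fullmatch(r"scheme standby\s+(\S+)", line):
            view.scheme = m.group(1)
        elif m := re.fullmatch(r"standby\s+(\d+)\s+name\s+(\S+)", line):
            view.standby_names[int(m.group(1))] = m.group(2)
        elif m := re.fullmatch(r"crypto map\s+(\S+)\s+redundancy\s+(\S+)(\s+stateful)?", line):
            view.crypto_redundancy[m.group(1)] = m.group(2)
            view.stateful[m.group(1)] = m.group(3) is not None
    return view


def check_pair(name_a: str, cfg_a: str, name_b: str, cfg_b: str) -> List[str]:
    """Return human-readable mismatches; an empty list means the pair is consistent."""
    a, b = parse_config(cfg_a), parse_config(cfg_b)
    findings: List[str] = []
    for side, own, peer in ((name_a, a, b), (name_b, b, a)):
        # The IPC association is point-to-point: my remote must be the peer's local.
        if own.remote_ip != peer.local_ip:
            findings.append(f"{side}: remote-ip {own.remote_ip} does not match peer local-ip {peer.local_ip}")
        if own.remote_port != peer.local_port:
            findings.append(f"{side}: remote-port {own.remote_port} does not match peer local-port {peer.local_port}")
        # 'scheme standby' must name an HSRP group that exists on this router.
        if own.scheme is None:
            findings.append(f"{side}: no 'scheme standby' under redundancy inter-device")
        elif own.scheme not in own.standby_names.values():
            findings.append(f"{side}: scheme standby {own.scheme} names no configured HSRP group")
        # Every crypto map bound for redundancy must use that same group, statefully.
        if not own.crypto_redundancy:
            findings.append(f"{side}: no crypto map bound with 'redundancy <group> stateful'")
        for cmap, group in own.crypto_redundancy.items():
            if group != own.scheme:
                findings.append(f"{side}: crypto map {cmap} redundancy {group} differs from scheme standby {own.scheme}")
            if not own.stateful.get(cmap):
                findings.append(f"{side}: crypto map {cmap} redundancy {group} lacks the 'stateful' keyword")
    if a.scheme and b.scheme and a.scheme != b.scheme:
        findings.append(f"HSRP group names differ: {name_a}={a.scheme}, {name_b}={b.scheme}")
    return findings


# Sample input: the redundancy-relevant lines of the Router A config posted in the thread.
ROUTER_A = """
redundancy inter-device
 scheme standby king
ipc zone default
 association 1
  no shutdown
  protocol sctp
   local-port 1234
    local-ip 10.20.30.41
   remote-port 1234
    remote-ip 10.20.30.42
interface GigabitEthernet0/0
 standby 4 ip 10.20.30.43
 standby 4 name king
 crypto map king redundancy king stateful
"""
# Router B as posted: the same lines with the association addresses swapped.
ROUTER_B = ROUTER_A.replace("local-ip 10.20.30.41", "local-ip 10.20.30.42").replace(
    "remote-ip 10.20.30.42", "remote-ip 10.20.30.41")
# Constructed fault (not from the thread): transposed remote-ip and a missing 'stateful'.
ROUTER_B_BROKEN = ROUTER_B.replace("remote-ip 10.20.30.41", "remote-ip 10.20.30.14").replace(
    "redundancy king stateful", "redundancy king")

if __name__ == "__main__":
    for label, cfg_b in (("as posted", ROUTER_B), ("with constructed faults", ROUTER_B_BROKEN)):
        findings = check_pair("Router A", ROUTER_A, "Router B", cfg_b)
        print(f"Router A vs Router B ({label}): {'consistent' if not findings else ''}")
        for finding in findings:
            print("  " + finding)
```

Paste each router's `show running-config` into the two strings (or load them from files) and read the findings before chasing `show redundancy states`; the posted pair comes back clean on these checks, while the constructed copy reports the two faults.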
From: Kingsley Charles [mailto:[email protected]]
Sent: Wednesday, April 07, 2010 2:37 PM
To: Stuart Hare
Cc: Brandon Carroll; [email protected]; Tyson Scott
Subject: Re: [OSL | CCIE_Security] IPSec with SSO
My config
Router A
redundancy inter-device
 scheme standby king
!
!
redundancy
 no keepalive-enable
ipc zone default
 association 1
  no shutdown
  protocol sctp
   local-port 1234
    local-ip 10.20.30.41
    retransmit-timeout 300 1234
    path-retransmit 3
    assoc-retransmit 3
   remote-port 1234
    remote-ip 10.20.30.42
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto map king 1 ipsec-isakmp
 set peer 10.20.30.41
 set transform-set tran
 match address 123
 reverse-route static
interface GigabitEthernet0/0
 ip address 10.20.30.41 255.255.255.0
 duplex auto
 speed auto
 standby 4 ip 10.20.30.43
 standby 4 priority 123
 standby 4 preempt
 standby 4 name king
 crypto map king redundancy king stateful
Router B
redundancy inter-device
 scheme standby king
!
!
redundancy
!
!
ipc zone default
 association 1
  no shutdown
  protocol sctp
   local-port 1234
    local-ip 10.20.30.42
    retransmit-timeout 300 1234
    path-retransmit 3
    assoc-retransmit 3
   remote-port 1234
    remote-ip 10.20.30.41
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
!
crypto map king 1 ipsec-isakmp
 set peer 10.20.30.41
 set transform-set tran
 match address 123
 reverse-route static
interface GigabitEthernet0/0
 ip address 10.20.30.42 255.255.255.0
 duplex auto
 speed auto
 standby 1 preempt
 standby 4 ip 10.20.30.43
 standby 4 preempt
 standby 4 name king
 crypto map king redundancy king stateful
On Wed, Apr 7, 2010 at 2:52 AM, Stuart Hare <[email protected]> wrote:
I might be stating the obvious, as I can't quite remember the state sequence
for SSO off the top of my head, but are you aware that you must reboot each
device to initialise it fully? That's if you do have the AIM-VPN module
installed as stated, of course.
The last time I checked, all ISRs do not have the AIM VPN mod as standard;
it's optional, and if my memory serves me correctly this is not actually
available in the lab either.
I recall tearing out the little hair I have with this technology, not one of
my favourite study topics ;)
Stu
On Tue, Apr 6, 2010 at 6:50 PM, Kingsley Charles
<[email protected]> wrote:
Hi Tyson/Brandon
I have AIM-VPN/EPII-Plus enabled on both the routers.
I went through the IPexpert stateful IPSec lab. The configuration that I
am using now is the same as the example given in the following link.
The only difference is that I have enabled HSRP on only one interface. The
local ip/remote ip are off the interface which has HSRP and the crypto map.
http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_failover_ipsec_ps6441_TSD_Products_Configuration_Guide_Chapter.html
With regards
Kings
On Tue, Apr 6, 2010 at 10:27 PM, Kingsley Charles
<[email protected]> wrote:
All the ISRs have an inbuilt onboard VPN module.
With regards
Kings
On Tue, Apr 6, 2010 at 9:03 PM, Brandon Carroll <[email protected]>
wrote:
Tyson is correct. I was thinking of Stateful Failover minus the IPSec part.
ipc zone default
 association 1
  no shutdown
  protocol sctp
   local-port 55001
    local-ip 9.9.156.6
   remote-port 50001
    remote-ip 9.9.156.11
http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_fwall_state_fov.html#wp1167791
I did in fact forget about the requirements:
The Cisco Integrated Services Routers (ISRs) and the VPN modules that
support stateful failover for IPsec are as follows:
- The AIM-VPN/BPII-PLUS and AIM-VPN/SSL-1 hardware encryption modules are
supported in a Cisco 1841 router.
- The AIM-VPN/EPII-Plus and AIM-VPN/SSL-2 hardware encryption modules are
supported in Cisco 2801, 2811, 2821 and 2851 routers.
- The AIM-VPN/EPII+ and AIM-VPN/SSL-3 hardware encryption modules are
supported in a Cisco 3825 router.
- The AIM-VPN/HPII+ and AIM-VPN/SSL3 hardware encryption modules are
supported in a Cisco 3845 router.
- The VPN Acceleration Module (VAM) and VAM2 hardware encryption modules are
supported in a Cisco 7200 series router.
Found here:
http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_failover_ipsec_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1043332
Regards,
Brandon Carroll - CCIE #23837
Senior Technical Instructor - IPexpert
Mailto: [email protected]
Telephone: +1.810.326.1444
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130
On Apr 6, 2010, at 8:23 AM, Tyson Scott wrote:
You must have an AIM-VPN module installed to do testing with SSO.
Regards,
Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130
From: [email protected]
[mailto:[email protected]] On Behalf Of Kingsley
Charles
Sent: Tuesday, April 06, 2010 7:17 AM
To: [email protected]
Subject: [OSL | CCIE_Security] IPSec with SSO
Hi all
I am trying to configure IPSec with SSO.
router1#show redundancy states
my state = 13 -ACTIVE
peer state = 1 -DISABLED
Mode = Simplex
Unit ID = 0
Can someone please let me know the reasons why the peer state is disabled?
With regards
Kings
_______________________________________________
For more information regarding industry leading CCIE Lab training, please
visit www.ipexpert.com <http://www.ipexpert.com/>
--
Regards,
Stuart Hare
CCIE #25616 (Security), CCSP, Microsoft MCP
Sr. Support Engineer - IPexpert, Inc.
URL: http://www.IPexpert.com
