Hi Tyson,

Actually, the config that I put here is an edited (manually typed) one, as I deleted the original config on the router. The address in the crypto map is wrong here; it was actually the remote peer, 10.20.30.44. The HSRP address is 10.20.30.43.
I was able to bring the tunnel up between remote peer 10.20.30.44 and 10.20.30.43.

With regards
Kings

On Thu, Apr 8, 2010 at 12:37 AM, Tyson Scott <[email protected]> wrote:
> Kingsley,
>
> I notice in your crypto map that you have the peer as your SSO peer.
>
> SSO is between a redundant IPSec pair. They should both have the same IPSec configuration applied to them.
>
> The remote peer should not be considered part of SSO. The remote peer should be peering with the HSRP address of the redundant SSO pair.
>
> What does the command "show redundancy inter-device" show?
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
> Technical Instructor - IPexpert, Inc.
> Mailto: [email protected]
> Telephone: +1.810.326.1444, ext. 208
> Live Assistance, Please visit: www.ipexpert.com/chat
> eFax: +1.810.454.0130
>
> IPexpert is a premier provider of Self-Study Workbooks, Video on Demand, Audio Tools, Online Hardware Rental and Classroom Training for the Cisco CCIE (R&S, Voice, Security & Service Provider) certification(s) with training locations throughout the United States, Europe, South Asia and Australia. Be sure to visit our online communities at www.ipexpert.com/communities and our public website at www.ipexpert.com
>
> *From:* Kingsley Charles [mailto:[email protected]]
> *Sent:* Wednesday, April 07, 2010 2:37 PM
> *To:* Stuart Hare
> *Cc:* Brandon Carroll; [email protected]; Tyson Scott
> *Subject:* Re: [OSL | CCIE_Security] IPSec with SSO
>
> My config
>
> *Router A*
>
> redundancy inter-device
>  scheme standby king
> !
> !
> redundancy
>  no keepalive-enable
>
> ipc zone default
>  association 1
>   no shutdown
>   protocol sctp
>    local-port 1234
>     local-ip 10.20.30.41
>     retransmit-timeout 300 1234
>     path-retransmit 3
>     assoc-retransmit 3
>    remote-port 1234
>     remote-ip 10.20.30.42
>
> crypto isakmp policy 1
>  authentication pre-share
> crypto isakmp key cisco address 0.0.0.0 0.0.0.0
>
> crypto map king 1 ipsec-isakmp
>  set peer 10.20.30.41
>  set transform-set tran
>  match address 123
>  reverse-route static
>
> interface GigabitEthernet0/0
>  ip address 10.20.30.41 255.255.255.0
>  duplex auto
>  speed auto
>  standby 4 ip 10.20.30.43
>  standby 4 priority 123
>  standby 4 preempt
>  standby 4 name king
>  crypto map king redundancy king stateful
>
> *Router B*
>
> redundancy inter-device
>  scheme standby king
> !
> !
> redundancy
> !
> !
> ipc zone default
>  association 1
>   no shutdown
>   protocol sctp
>    local-port 1234
>     local-ip 10.20.30.42
>     retransmit-timeout 300 1234
>     path-retransmit 3
>     assoc-retransmit 3
>    remote-port 1234
>     remote-ip 10.20.30.41
>
> crypto isakmp policy 1
>  authentication pre-share
> crypto isakmp key cisco address 0.0.0.0 0.0.0.0
> !
> !
> crypto map king 1 ipsec-isakmp
>  set peer 10.20.30.41
>  set transform-set tran
>  match address 123
>  reverse-route static
>
> interface GigabitEthernet0/0
>  ip address 10.20.30.42 255.255.255.0
>  duplex auto
>  speed auto
>  standby 1 preempt
>  standby 4 ip 10.20.30.43
>  standby 4 preempt
>  standby 4 name king
>  crypto map king redundancy king stateful
>
> On Wed, Apr 7, 2010 at 2:52 AM, Stuart Hare <[email protected]> wrote:
>
> I might be stating the obvious, as I can't quite remember the state sequence for SSO off the top of my head, but are you aware that you must reboot each device to initialise it fully? That's if you do have the AIM-VPN module installed as stated, of course.
>
> The last time I checked, all ISRs do not have the AIM VPN mod as standard; it's optional and, if my memory serves me correctly, this is not actually available in the lab either.
>
> I recall tearing out the little hair I have with this technology, not one of my favourite study topics ;)
>
> Stu
>
> On Tue, Apr 6, 2010 at 6:50 PM, Kingsley Charles <[email protected]> wrote:
>
> Hi Tyson/Brandon
>
> I have AIM-VPN/EPII-Plus enabled on both the routers.
>
> I went through the stateful IPSec lab of IPexpert. The configuration that I am using now is the same as the example given in the following link.
>
> The only difference is that I have enabled HSRP on only one interface. The local ip/remote ip are off the interface which has HSRP and the crypto map.
>
> http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_failover_ipsec_ps6441_TSD_Products_Configuration_Guide_Chapter.html
>
> With regards
> Kings
>
> On Tue, Apr 6, 2010 at 10:27 PM, Kingsley Charles <[email protected]> wrote:
>
> All the ISRs have an inbuilt onboard VPN module.
>
> With regards
> Kings
>
> On Tue, Apr 6, 2010 at 9:03 PM, Brandon Carroll <[email protected]> wrote:
>
> Tyson is correct. I was thinking of Stateful Failover minus the IPSec part.
>
> ipc zone default
>  association 1
>   no shutdown
>   protocol sctp
>    local-port 55001
>     local-ip 9.9.156.6
>    remote-port 50001
>     remote-ip 9.9.156.11
>
> http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_fwall_state_fov.html#wp1167791
>
> I did in fact forget about the requirements:
>
> The Cisco Integrated Services Routers (ISRs) and the VPN modules that support stateful failover for IPsec are as follows:
>
> – The AIM-VPN/BPII-PLUS and AIM-VPN/SSL-1 hardware encryption modules are supported in a Cisco 1841 router.
> – The AIM-VPN/EPII-Plus and AIM-VPN/SSL-2 hardware encryption modules are supported in Cisco 2801, 2811, 2821 and 2851 routers.
> – The AIM-VPN/EPII+ and AIM-VPN/SSL-3 hardware encryption modules are supported in a Cisco 3825 router.
> – The AIM-VPN/HPII+ and AIM-VPN/SSL3 hardware encryption modules are supported in a Cisco 3845 router.
> – The VPN Acceleration Module (VAM) and VAM2 hardware encryption modules are supported in a Cisco 7200 series router.
>
> Found here: http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_failover_ipsec_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1043332
>
> Regards,
>
> Brandon Carroll - CCIE #23837
> Senior Technical Instructor - IPexpert
> Mailto: [email protected]
> Telephone: +1.810.326.1444
> Live Assistance, Please visit: www.ipexpert.com/chat
> eFax: +1.810.454.0130
>
> On Apr 6, 2010, at 8:23 AM, Tyson Scott wrote:
>
> You must have an AIM-VPN module installed to do testing with SSO.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
> Technical Instructor - IPexpert, Inc.
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of *Kingsley Charles
> *Sent:* Tuesday, April 06, 2010 7:17 AM
> *To:* [email protected]
> *Subject:* [OSL | CCIE_Security] IPSec with SSO
>
> Hi all
>
> I am trying to configure IPSec with SSO.
>
> router1#show redundancy states
> my state = 13 -ACTIVE
> peer state = 1 -DISABLED
> Mode = Simplex
> Unit ID = 0
>
> Can someone please let me know the reasons why the peer state is disabled?
>
> With regards
> Kings
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
>
> --
> Regards,
>
> Stuart Hare
> CCIE #25616 (Security), CCSP, Microsoft MCP
> Sr. Support Engineer – IPexpert, Inc.
> URL: http://www.IPexpert.com
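Tyson's reply boils down to three checks on the redundant pair (identical IPsec configuration on both SSO routers, a mirrored ipc zone, and a crypto map peer that is the remote site rather than the SSO pair itself), and they are easy to lint over two saved configs. This is an added Python example, not code from the thread or from IPexpert: the config template is constructed from Kingsley's Router A/B, and the field names and check_pair() are my own.

```python
import re
# Constructed IOS fragment modelled on Router A/B from the thread (not the posters'
# text): {local}/{remote} are the SSO pair's SCTP IPC addresses, {peer} the crypto
# map peer; 10.20.30.43 is the HSRP address the remote site should peer with.
TEMPLATE = """\
ipc zone default
 association 1
  protocol sctp
   local-port 1234
    local-ip {local}
   remote-port 1234
    remote-ip {remote}
crypto map king 1 ipsec-isakmp
 set peer {peer}
 set transform-set tran
 match address 123
interface GigabitEthernet0/0
 ip address {local} 255.255.255.0
 standby 4 ip 10.20.30.43
 standby 4 name king
 crypto map king redundancy king stateful
"""

def field(cfg, pattern):
    m = re.search(pattern, cfg, re.M)
    return m.group(1) if m else None

def parse(cfg):
    """Pull out the addresses the SSO consistency checks need."""
    return {
        "local": field(cfg, r"^\s*local-ip (\S+)"),
        "remote": field(cfg, r"^\s*remote-ip (\S+)"),
        "hsrp_ip": field(cfg, r"^\s*standby \d+ ip (\S+)"),
        "peer": field(cfg, r"^\s*set peer (\S+)"),
        "ipsec": re.findall(r"^\s*(set .*|match address .*)$", cfg, re.M),
    }

def check_pair(cfg_a, cfg_b):
    """Return findings; an empty list means the pair follows Tyson's three rules."""
    a, b = parse(cfg_a), parse(cfg_b)
    own = {a["local"], b["local"], a["hsrp_ip"]}  # the redundant pair's own addresses
    out = []
    if a["ipsec"] != b["ipsec"]:
        out.append("IPsec crypto map entries differ between the SSO peers")
    if (a["local"], a["remote"]) != (b["remote"], b["local"]):
        out.append("ipc zone local-ip/remote-ip are not mirrored between the peers")
    for name, r in (("A", a), ("B", b)):
        if r["peer"] in own:
            out.append(f"router {name}: set peer {r['peer']} is the SSO pair itself, not the remote site")
    return out
```

Feeding it the posted configs (peer 10.20.30.41 on both routers) flags the peer on both sides; with the peer corrected to 10.20.30.44 on both, as Kingsley later did, it returns no findings.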
