Hi all,

I am checking out site-to-site VPN with SSO. I have configured two HSRP
groups, king2 on the outside interface and king on the inside. The VPN is
configured on the outside interface. I have associated the inside HSRP
group king to the redundancy. For the crypto map, I am using outside HSRP
group king2.

This works. But I am wondering, how is it working?

The HSRP group that I configured for the crypto map is not associated in the
SSO, then how come the IPSec stateful information is being passed? The HSRP
group in the crypto map should be the HSRP group in the SSO, right?

The snippet below claims that the HSRP group with the crypto map can be
different from the SSO HSRP group.

Any thoughts?

redundancy inter-device
 scheme standby king
!
ipc zone default
 association 1
  no shutdown
  protocol sctp
   local-port 1234
    local-ip 10.20.30.43
   remote-port 1234
    remote-ip 10.20.30.44
interface FastEthernet0/0
 ip address 20.10.30.1 255.255.255.0
 duplex auto
 speed auto
 standby 7 ip 20.10.30.7
 standby 7 priority 123
 standby 7 preempt
 standby 7 name king2
 crypto map cisco redundancy king2 stateful
!
interface FastEthernet0/1
 ip address 10.20.30.43 255.255.255.0
 duplex auto
 speed auto
 standby 0 ip 10.20.30.70
 standby 0 priority 123
 standby 0 name king

Snippet from
http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_failover_ipsec_ps6441_TSD_Products_Configuration_Guide_Chapter.html

crypto map map-name [redundancy standby-group-name [stateful]]

This command binds the crypto map on the specified interface to the
redundancy group.

Note: Although the standby group does not have to be the same group that
was used when enabling SSO, it does have to be the same group that was used
with the *standby ip* command on this interface.

This crypto map will use the same VIP address for both IKE and IPsec to
communicate with peers.

With regards
Kings
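
As an added example (not part of the original post or of Cisco's documentation), a small Python check of the rule in the quoted note: the group named in `crypto map ... redundancy` must be an HSRP group that has `standby ip` on the same interface, while the SSO `scheme standby` group may be a different one. The function names, the constructed sample and the extra SSO sanity check are assumptions of this example.

```python
import re

# Constructed sample: the relevant lines of the posted configuration.
SAMPLE = """\
redundancy inter-device
 scheme standby king
!
interface FastEthernet0/0
 standby 7 ip 20.10.30.7
 standby 7 name king2
 crypto map cisco redundancy king2 stateful
!
interface FastEthernet0/1
 standby 0 ip 10.20.30.70
 standby 0 name king
"""

def parse(config):
    """Return (sso_group, interfaces); assumes '!' ends each interface block."""
    sso, ifaces, cur = None, {}, None
    for line in map(str.strip, config.splitlines()):
        if line == "!":
            cur = None
        elif m := re.match(r"interface (\S+)", line):
            cur = ifaces.setdefault(m[1], {"vip": set(), "name": {}, "crypto": []})
        elif m := re.match(r"scheme standby (\S+)", line):
            sso = m[1]
        elif cur is None:
            continue
        elif m := re.match(r"standby (?:(\d+) )?ip\b", line):
            cur["vip"].add(m[1] or "0")          # no number means group 0
        elif m := re.match(r"standby (?:(\d+) )?name (\S+)", line):
            cur["name"][m[2]] = m[1] or "0"
        elif m := re.match(r"crypto map (\S+) redundancy (\S+)", line):
            cur["crypto"].append((m[1], m[2]))
    return sso, ifaces

def check(config):
    """List violations of the rule quoted from the guide, plus an SSO sanity check."""
    sso, ifaces = parse(config)
    findings = []
    for ifname, i in ifaces.items():
        for cmap, grp in i["crypto"]:
            # The crypto map's group must be a named HSRP group with a VIP on this interface.
            if i["name"].get(grp) not in i["vip"]:
                findings.append(f"{ifname}: crypto map {cmap} group {grp} has no 'standby ip' here")
    # Added sanity check (assumption): the SSO scheme group should exist on some interface.
    if sso and not any(sso in i["name"] for i in ifaces.values()):
        findings.append(f"SSO scheme group {sso} is not defined on any interface")
    return findings
```

Run against the posted configuration, `check(SAMPLE)` returns an empty list: king2 carries the VIP on the outside interface where the crypto map is applied, and the SSO group king exists on the inside interface.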