It just means that interdevice-redundancy information will be shared with the redundancy scheme but the ISAKMP and IPsec SAs will be shared over the standby name associated with the interface the crypto map is applied to.

They chose to let it work this way. It says it works this way. Not sure what further clarification you are looking for? The stateful information will be shared over TCP port 1234 with the SCTP protocol and will be shared based on the standby name of king2.

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Managing Partner / Sr. Instructor - IPexpert, Inc.

From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
Sent: Wednesday, October 20, 2010 11:18 AM
To: [email protected]
Subject: [OSL | CCIE_Security] IPSec with SSO

Hi all,

I am checking out site-to-site VPN with SSO. I have configured two HSRP groups, king2 on the outside interface and king on the inside. The VPN is configured on the outside interface. I have associated the inside HSRP group king to the redundancy. For the crypto map, I am using outside HSRP group king2.

This works. But I am wondering, how is it working? The HSRP group that I configured for the crypto map is not associated in the SSO, then how come the IPSec stateful information is being passed? The HSRP group in the crypto map should be HSRP group in the SSO, right?

The snippet below claims that HSRP group with the crypto map can be different from the SSO HSRP group. Any thoughts?

redundancy inter-device
 scheme standby king
!
ipc zone default
 association 1
  no shutdown
  protocol sctp
   local-port 1234
    local-ip 10.20.30.43
   remote-port 1234
    remote-ip 10.20.30.44
interface FastEthernet0/0
 ip address 20.10.30.1 255.255.255.0
 duplex auto
 speed auto
 standby 7 ip 20.10.30.7
 standby 7 priority 123
 standby 7 preempt
 standby 7 name king2
 crypto map cisco redundancy king2 stateful
!
interface FastEthernet0/1
 ip address 10.20.30.43 255.255.255.0
 duplex auto
 speed auto
 standby 0 ip 10.20.30.70
 standby 0 priority 123
 standby 0 name king

Snippet from http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_failover_ipsec_ps6441_TSD_Products_Configuration_Guide_Chapter.html

crypto map map-name [redundancy standby-group-name [stateful]]

This command binds the crypto map on the specified interface to the redundancy group.

Note: Although the standby group does not have to be the same group that was used when enabling SSO, it does have to be the same group that was used with the standby ip command on this interface. This crypto map will use the same VIP address for both IKE and IPsec to communicate with peers.

With regards
Kings
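
The rule in the Cisco note quoted above can be checked mechanically. The following is an added example, not part of the original thread or of Cisco's documentation: it parses the interface and redundancy lines from the posted configuration (embedded as sample input) and confirms that the group named on the crypto map is an HSRP group with a `standby ip` on the same interface. The function name and result fields are hypothetical, and it assumes every `standby` line carries an explicit group number.

```python
import re

# Relevant lines of the configuration from the post, embedded as sample input.
SAMPLE = """\
redundancy inter-device
 scheme standby king
!
interface FastEthernet0/0
 ip address 20.10.30.1 255.255.255.0
 standby 7 ip 20.10.30.7
 standby 7 name king2
 crypto map cisco redundancy king2 stateful
!
interface FastEthernet0/1
 ip address 10.20.30.43 255.255.255.0
 standby 0 ip 10.20.30.70
 standby 0 name king
"""

def check_crypto_redundancy(config):
    """Return one finding per crypto map bound to a standby group."""
    sso_group, iface = None, None
    vip, names, maps = {}, {}, []   # vip/names keyed by (interface, group number)
    for raw in config.splitlines():
        line = raw.strip()
        if raw and not raw[0].isspace():          # new top-level section
            m = re.match(r"interface\s+(\S+)", line)
            iface = m.group(1) if m else None
        if m := re.match(r"scheme standby (\S+)", line):
            sso_group = m.group(1)
        if iface is None:
            continue
        if m := re.match(r"standby (\d+) ip (\S+)", line):
            vip[(iface, m.group(1))] = m.group(2)
        elif m := re.match(r"standby (\d+) name (\S+)", line):
            names[(iface, m.group(1))] = m.group(2)
        elif m := re.match(r"crypto map (\S+) redundancy (\S+)( stateful)?", line):
            maps.append((iface, m.group(1), m.group(2), bool(m.group(3))))
    findings = []
    for ifc, cmap, group, stateful in maps:
        # Group must be named on this interface and that group must have a VIP.
        local = [vip.get(k) for k, n in names.items() if k[0] == ifc and n == group]
        ok = bool(local and local[0])
        findings.append({"interface": ifc, "crypto_map": cmap, "group": group,
                         "stateful": stateful, "vip": local[0] if ok else None,
                         "valid": ok,
                         "same_as_sso_group": group == sso_group})  # informational
    return findings
```

On the posted configuration the crypto map passes the check while `same_as_sso_group` is false, which is the combination the note permits.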
