IPSec VPN Design [Electronic resources]

Vijay Bollapragada


Stateful Failover

You saw in Chapter 2, "IPSec Overview," that establishing an IPSec security association between two endpoints requires creating security state that is used to encrypt or authenticate traffic. That state is stored in data structures referred to collectively as the security association database (SADB). When communication between two IPSec peers fails, the SADB entries for that peer must be cleared and re-created as the IPSec security association is restored. For redundancy, it would clearly be useful if the SADB could be duplicated and kept in sync on another peer; this is exactly the intent of the stateful failover model. Stateful failover is accomplished through an SADB transfer and synchronization process.

SADB Transfer

The IPSec state stored for a remote peer on an active router may be transferred to a standby router so that the standby router can assume responsibility for communicating with the active router's remote peers. To do this, the active and standby routers must synchronize the SADB between themselves. Because the SADB state is synchronized between the active and standby routers, the remote peer can maintain its IPSec state with either of them without renegotiating IKE and IPSec security associations. Of course, the security transform associated with each remote peer is specified in the SADB, so the IPSec policies on the active and standby routers are identical.

SADB Synchronization

Two IPSec gateways engaged in the stateful failover model must be configured such that the IKE identity address is consistent, because the IPSec policy between the routers must not change. The standby router must assume the IKE identity of the active router during failover. By synchronizing the state of the SADB between the two potential remote peers, the loss of the active peer allows the standby peer to assume the active role without the remote peer being aware that responsibility has been transferred. The information that the active router transmits to the standby router includes:

IKE cookie stamp

Session keys

Sequence number counter and window state

Kilobyte (KB) lifetime expirations

Dead peer detection (DPD) sequence number updates
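The sequence number and window state in the list above is the part of the SADB that changes with every packet, and Example 3-6 bounds how often it is pushed to the standby with the command crypto map vpn ha replay-interval inbound 100 outbound 1. The following Python model is added here and is not code from the book or from Cisco IOS; it shows why such an interval is safe only if the standby skips ahead at failover. The class names, the reading of the interval as "one update every N packets", and the skip-ahead rule are assumptions.

```python
WINDOW = 64  # RFC 4303 minimum anti-replay window size

class ReplayState:
    """Per-SA anti-replay state: outbound counter plus inbound sliding window."""
    def __init__(self):
        self.out_seq = 0     # last ESP sequence number sent
        self.in_top = 0      # highest sequence number accepted so far
        self.in_bitmap = 0   # bit i set => in_top - i already received
    def next_outbound(self):
        self.out_seq += 1
        return self.out_seq
    def accept_inbound(self, seq):
        """RFC 4303 window check: True if seq is fresh, False if replayed or too old."""
        if seq > self.in_top:
            shift = seq - self.in_top
            self.in_bitmap = ((self.in_bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.in_top = seq
            return True
        off = self.in_top - seq
        if off >= WINDOW or (self.in_bitmap >> off) & 1:
            return False
        self.in_bitmap |= 1 << off
        return True

class HaPair:
    """Active pushes replay state to the standby every N packets (assumed
    meaning of 'replay-interval inbound N outbound N' in Example 3-6)."""
    def __init__(self, inbound=100, outbound=1):
        self.active, self.standby = ReplayState(), ReplayState()
        self.in_iv, self.out_iv = inbound, outbound
    def send(self):
        seq = self.active.next_outbound()
        if seq % self.out_iv == 0:               # SADB update to standby
            self.standby.out_seq = seq
        return seq
    def receive(self, seq):
        ok = self.active.accept_inbound(seq)
        if ok and self.active.in_top % self.in_iv == 0:
            self.standby.in_top = self.active.in_top
            self.standby.in_bitmap = self.active.in_bitmap
        return ok
    def failover(self):
        """Assumed takeover rule: skip one interval on each side so numbers the
        active may have used are never reused, and nothing at/below the new top is accepted."""
        s = self.standby
        s.out_seq += self.out_iv
        s.in_top += self.in_iv
        s.in_bitmap = (1 << WINDOW) - 1         # mark the whole window as seen
        return s
```

The price of the skip is that up to one inbound interval of in-flight packets is dropped at failover, which is why the interval is a tunable trade-off between synchronization traffic and loss.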

Example 3-6 shows the configuration of VPN-GW1-EAST and VPN-GW2-EAST with stateful IPSec, using the State Synchronization Protocol (SSP) between them. The example also includes snapshots of the relevant show commands on both gateways, showing the SADB synchronization.

Example 3-6. Configuration for Stateful Switchover using SSP

vpn-gw1-east
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname vpn-gw1-east
!
ip subnet-zero
!
ip cef
!
ssp group 1
 remote 9.1.1.36
 redundancy ipsec
!
!
crypto isakmp policy 1
authentication pre-share
crypto isakmp key cisco address 9.1.1.146
crypto isakmp keepalive 10 10
crypto isakmp ssp 1
!
!
!
crypto ipsec transform-set test esp-3des esp-sha-hmac
!
crypto map vpn ha replay-interval inbound 100 outbound 1
crypto map vpn 1 ipsec-isakmp
set peer 9.1.1.146
set transform-set test
match address 100
reverse-route remote-peer 9.1.1.33
!
!
interface FastEthernet0/0
ip address 9.1.1.35 255.255.255.248
duplex full
random-detect
standby delay minimum 30 reload 60
standby ip 9.1.1.34
standby priority 105
standby preempt
standby name ipsec
 standby track FastEthernet2/0
 crypto map vpn ssp 1
!
interface FastEthernet2/0
ip address 10.1.1.2 255.255.255.0
duplex full
standby 1 ip 10.1.1.1
standby 1 priority 105
standby 1 preempt
standby 1 name ip
 standby 1 track FastEthernet0/0
!
router ospf 1
log-adjacency-changes
redistribute static subnets
network 10.1.1.0 0.0.0.255 area 0
!
ip classless
ip route 0.0.0.0 0.0.0.0 9.1.1.33
no ip http server
!
access-list 100 permit ip 10.1.1.0 0.0.0.255 10.0.68.0 0.0.0.255
!
!
end

vpn-gw1-east#show cry isa sa
dst             src             state           conn-id    slot
9.1.1.34        9.1.1.146       QM_IDLE               1       0
vpn-gw1-east#show cry eng conn act
ID Interface       IP-Address      State  Algorithm           Encrypt  Decrypt
1 FastEthernet0/0 9.1.1.35        set    HMAC_SHA+DES_56_CB        0        0
2000 FastEthernet0/0 9.1.1.35        set    HMAC_SHA+3DES_56_C        0     4631
2001 FastEthernet0/0 9.1.1.35        set    HMAC_SHA+3DES_56_C     4610        0
vpn-gw1-east#show cry ipsec sa
interface: FastEthernet0/0
Crypto map tag: vpn, local addr. 9.1.1.34
local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.0.68.0/255.255.255.0/0/0)
current_peer: 9.1.1.146
PERMIT, flags={origin_is_acl,}
#pkts encaps: 6893, #pkts encrypt: 6893, #pkts digest 6893
#pkts decaps: 6893, #pkts decrypt: 6893, #pkts verify 6893
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 9.1.1.34, remote crypto endpt.: 9.1.1.146
path mtu 1500, media mtu 1500
current outbound spi: DE0F857C
inbound esp sas:
      spi: 0x5E9B7765(1587246949)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 100, conn id: 2000, flow_id: 1, crypto map: vpn
sa timing: remaining key lifetime (k/sec): (4607260/3534)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
      spi: 0xDE0F857C(3725559164)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 100, conn id: 2001, flow_id: 2, crypto map: vpn
sa timing: remaining key lifetime (k/sec): (4607622/3534)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:
vpn-gw1-east#show ssp packet
SSP packet Information
Socket creation time: 00:01:42
Local port: 3249      Server port: 3249
Packets Sent = 43, Bytes Sent = 2232
Packets Received = 5, Bytes Received = 92
vpn-gw1-east#show ssp peer
SSP Peer Information
IP Address      Connection State Local Interface
9.1.1.36        Connected        FastEthernet0/0
vpn-gw1-east#show cry ipsec ha
Interface           VIP              SAs   ipsec HA State
FastEthernet0/0     9.1.1.34           2   Active since 16:09:50

vpn-gw2-east#show running-config
Building configuration...
Current configuration : 1587 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname vpn-gw2-east
!
ip subnet-zero
!
!
ip cef
!
ssp group 1
remote 9.1.1.35
redundancy ipsec
!
!
crypto isakmp policy 1
authentication pre-share
crypto isakmp key cisco address 9.1.1.146
crypto isakmp keepalive 10 10
crypto isakmp ssp 1
!
!
!
crypto ipsec transform-set test esp-3des esp-sha-hmac
!
crypto map vpn ha replay-interval inbound 100 outbound 1
crypto map vpn 1 ipsec-isakmp
set peer 9.1.1.146
set transform-set test
match address 100
reverse-route remote-peer 9.1.1.33
!
interface FastEthernet0/0
ip address 9.1.1.36 255.255.255.248
duplex full
standby delay minimum 30 reload 60
standby ip 9.1.1.34
standby preempt
standby name ipsec
standby track FastEthernet2/0
crypto map vpn ssp 1
!
interface FastEthernet2/0
ip address 10.1.1.3 255.255.255.0
duplex full
standby 1 ip 10.1.1.1
standby 1 preempt
standby 1 name ip
standby 1 track FastEthernet0/0
!
router ospf 1
log-adjacency-changes
redistribute static subnets
network 10.1.1.0 0.0.0.255 area 0
!
ip classless
ip route 0.0.0.0 0.0.0.0 9.1.1.33
no ip http server
ip pim bidir-enable
!
access-list 100 permit ip 10.1.1.0 0.0.0.255 10.0.68.0 0.0.0.255
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login
!
end

vpn-gw2-east#show cry isa sa
dst             src             state           conn-id    slot
9.1.1.34        9.1.1.146       QM_IDLE               1       0
vpn-gw2-east#show ssp packet
SSP packet Information
Socket creation time: 00:05:19
Local port: 11001      Server port: 3249
Packets Sent = 5, Bytes Sent = 92
Packets Received = 121, Bytes Received = 5664
vpn-gw2-east#show cry isa ha
VIP             SAs    Stamp     HA State
9.1.1.34        1      6F2BFDBB  Standby since 16:10:44 UTC
vpn-gw2-east#show cry ipsec sa
interface: FastEthernet0/0
Crypto map tag: vpn, local addr. 9.1.1.34
local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.0.68.0/255.255.255.0/0/0)
current_peer: 9.1.1.146
PERMIT, flags={origin_is_acl,}
#pkts encaps: 162402, #pkts encrypt: 162402, #pkts digest 162402
#pkts decaps: 162404, #pkts decrypt: 162404, #pkts verify 162404
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 57, #recv errors 0
local crypto endpt.: 9.1.1.34, remote crypto endpt.: 9.1.1.146
path mtu 1500, media mtu 1500
current outbound spi: DE0F857C
inbound esp sas:
       spi: 0x5E9B7765(1587246949)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 100, conn id: 2000, flow_id: 1, crypto map: vpn
sa timing: remaining key lifetime (k/sec): (4142627/3552)
IV size: 8 bytes
replay detection support: Y
         HA Status: STANDBY
inbound ah sas:
inbound pcp sas:
outbound esp sas:
       spi: 0xDE0F857C(3725559164)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 100, conn id: 2001, flow_id: 2, crypto map: vpn
sa timing: remaining key lifetime (k/sec): (4147199/3552)
IV size: 8 bytes
replay detection support: Y
         HA Status: STANDBY
outbound ah sas:
outbound pcp sas:

Example 3-6 shows the configuration of stateful IPSec using SSP. An alternative way to configure IPSec stateful failover, using a mechanism known as Stateful Switch Over (SSO), is shown in Example 3-7.

Example 3-7. Configuration for Stateful Switchover using SSO

vpn-gw1-east
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname vpn-gw1-east
!
ip subnet-zero
!
redundancy inter-device
 scheme standby ipsec
!
ipc zone default
 association 1
  no shutdown
  protocol sctp
   local-port 5000
    local-ip 9.1.1.35
    retransmit-timeout 300 1000
    path-retransmit 10
    assoc-retransmit 20
   remote-port 5000
    remote-ip 9.1.1.36
!
ip cef
!
crypto isakmp policy 1
authentication pre-share
crypto isakmp key cisco address 9.1.1.146
crypto isakmp keepalive 10 10
!
crypto ipsec transform-set test esp-3des esp-sha-hmac
!
crypto map vpn ha redundancy replay-interval inbound 1000 outbound 1000
crypto map vpn 1 ipsec-isakmp
set peer 9.1.1.146
set transform-set test
match address 100
reverse-route remote-peer 9.1.1.33
!
!
interface FastEthernet0/0
ip address 9.1.1.35 255.255.255.248
duplex full
random-detect
standby delay minimum 30 reload 60
standby ip 9.1.1.34
standby priority 105
standby preempt
standby name ipsec
 standby track FastEthernet2/0
 crypto map vpn redundancy ipsec stateful
!
interface FastEthernet2/0
ip address 10.1.1.2 255.255.255.0
duplex full
standby 1 ip 10.1.1.1
standby 1 priority 105
standby 1 preempt
standby 1 name ip
 standby 1 track FastEthernet0/0
!
router ospf 1
log-adjacency-changes
redistribute static subnets
network 10.1.1.0 0.0.0.255 area 0
!
ip classless
ip route 0.0.0.0 0.0.0.0 9.1.1.33
no ip http server
!
access-list 100 permit ip 10.1.1.0 0.0.0.255 10.0.68.0 0.0.0.255
!
!
end

The objective of the configurations in Examples 3-6 and 3-7 is the same: to provide IPSec stateful failover. From an end-user perspective, apart from the configuration syntax, there is little difference between the two mechanisms. The SSP mechanism was developed specifically for IPSec stateful failover, whereas the SSO mechanism uses a more generic high availability infrastructure that Cisco IOS also uses to provide stateful failover for many other protocols, such as OSPF, BGP, and IP, in addition to IPSec.