
Cisco 871 EZVPN Client Failover

ICTrains

Programmer
Apr 6, 2010
2
US
I have a Cisco 871 setup as a VPN client to a third-party’s VPN server. For business reasons this VPN connection is critical and must stay up continuously. We are about to send off our server/router setup to a hosting center across the country and want to enable high availability for this VPN connection. I have researched the HSRP and even enabled it on two 871’s with matching configurations and the high availability works great. The internal interface fails over from the primary to the secondary router with no problem. However, the problem is the VPN; since we can only connect to the VPN server once, I need some mechanism to automatically disable the primary router’s VPN connection and enable the secondary router’s VPN connection.

I have found documentation on setting up failover using HSRP for VPN servers, but I’ve found no examples doing what we are trying to do.

Any help would be greatly appreciated.

Thanks,
John
 
You want to establish the VPN with a VIP, not an IP of one router or the other...here's an example...


What you seem to have is not a remote access (client to server), but a site to site vpn, and with HSRP, the gateway and the VPN IP address is the shared VIP of both HSRP routers.

If this is not what you need, please explain the difference between this and what you actually need.

Can you post configs? They won't be identical if you are using HSRP (the HSRP configs will be different, for example).

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
 
Thanks for the information BurtsBees. I'm really not a Cisco guy (or a real network guy for that matter) and I believe I failed to mention something very important. We are using EZVPN. The config for the single router came from the third-party organization and we are trying to modify this config to get it to work in failover. Below are the configs the two routers are running.

Again, I'm a newbie to the Cisco stuff, but is there a way that we can tell the HSRP to disable the external interface when in standby mode and enable it when in active mode?

ROUTER 1:

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
crypto ipsec client ezvpn MyVPN
connect auto
group GroupName key GroupKey
mode client
peer x.x.x.24
username UserName password Password
xauth userid mode local
!
!
archive
log config
hidekeys
!
interface Loopback0
ip address x.x.x.32 255.255.255.255
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description LAN Subnet that has Internet Gateway $ETH-WAN$
ip address y.y.19.226 255.255.255.0
ip access-group FIREWALLACL in
ip virtual-reassembly
duplex auto
speed auto
standby delay minimum 30 reload 60
standby 1 ip y.y.19.228
standby 1 timers msec 500 3
standby 1 name isp
standby 1 track FastEthernet3
crypto ipsec client ezvpn MyVPN
!
interface Vlan1
description MQ Clients Subnet
ip address y.y.31.2 255.255.255.0
ip virtual-reassembly
ip tcp adjust-mss 1452
standby delay minimum 30 reload 60
standby 2 ip y.y.31.1
standby 2 timers msec 500 3
standby 2 name lan
standby 2 track FastEthernet4
crypto ipsec client ezvpn MyVPN inside
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 y.y.19.1
!
ip http server
ip http secure-server
!
ip access-list extended FIREWALLACL
remark REMOVED
!
!
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
login
!
scheduler max-task-time 5000
end

ROUTER 2:

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
crypto ipsec client ezvpn MyVPN
connect auto
group GroupName key GroupKey
mode client
peer x.x.x.24
username UserName password Password
xauth userid mode local
!
!
archive
log config
hidekeys
!
interface Loopback0
ip address x.x.x.32 255.255.255.255
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description LAN Subnet that has Internet Gateway $ETH-WAN$
ip address y.y.19.227 255.255.255.0
ip access-group FIREWALLACL in
ip virtual-reassembly
duplex auto
speed auto
standby delay minimum 30 reload 60
standby 1 ip y.y.19.228
standby 1 timers msec 500 3
standby 1 name isp
standby 1 track FastEthernet3
crypto ipsec client ezvpn MyVPN
!
interface Vlan1
description MQ Clients Subnet
ip address y.y.31.3 255.255.255.0
ip virtual-reassembly
ip tcp adjust-mss 1452
standby delay minimum 30 reload 60
standby 2 ip y.y.31.1
standby 2 timers msec 500 3
standby 2 name lan
standby 2 track FastEthernet4
crypto ipsec client ezvpn MyVPN inside
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 y.y.19.1
!
ip http server
ip http secure-server
!
ip access-list extended FIREWALLACL
remark REMOVED
!
!
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
login
!
scheduler max-task-time 5000
end

Thanks for any input.

John
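The question above asks whether HSRP state can drive the EZVPN client so that only the active router holds the one allowed session. The fragment below is an added illustration of one way to express that in IOS; it is not part of the thread and not the third party's config. It assumes the IOS image on the 871 supports Embedded Event Manager (EEM) applets, that HSRP group 1 on FastEthernet4 is the WAN group (as in the posted configs), and that the syslog text matched by the patterns is what the router actually logs (check with `show logging` after a failover before relying on it).

```cisco
! Added example, not from the thread. Assumptions: EEM applet support on this
! IOS image; HSRP group 1 on FastEthernet4 is the WAN group; the HSRP syslog
! wording below matches what this router logs (verify with "show logging").
!
! Do not let either router bring the tunnel up on its own at boot; the
! applets decide which router connects.
crypto ipsec client ezvpn MyVPN
 connect manual
!
! Router transitions to HSRP Active on the WAN group: connect the tunnel.
event manager applet EZVPN-HSRP-ACTIVE
 event syslog pattern "HSRP-5-STATECHANGE: FastEthernet4 Grp 1 state .* -> Active"
 action 1.0 cli command "enable"
 action 2.0 cli command "crypto ipsec client ezvpn connect MyVPN"
 action 3.0 syslog msg "EZVPN MyVPN connect requested (HSRP active)"
!
! Router leaves HSRP Active: tear the tunnel down so the peer only ever sees
! one client session for this group/user.
event manager applet EZVPN-HSRP-STANDBY
 event syslog pattern "HSRP-5-STATECHANGE: FastEthernet4 Grp 1 state Active -> .*"
 action 1.0 cli command "enable"
 action 2.0 cli command "clear crypto ipsec client ezvpn MyVPN"
 action 3.0 syslog msg "EZVPN MyVPN cleared (HSRP no longer active)"
```

`connect manual` matters: with the posted `connect auto`, a `clear` would simply make the standby router reconnect and contend for the session again. Because the two routers share no tunnel state, a failover still drops the existing IPsec session and re-establishes it from the new active router; the applets only keep that re-establishment to a single router at a time. The posted configs also carry `no service password-encryption` together with the group key and XAUTH password in clear text, so treat running configs from both routers as secrets and redact them before sharing.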
 