Configuring DPD and IPSec Tunnel Failover
You can use the ipsec option dpd command to enable dead peer detection (DPD) on the router. DPD is
also known as IKE keepalive. If an IPSec tunnel destination backup
is configured, the router redirects traffic to the alternate destination
when DPD detects a disconnection between the E-series router and the
regular tunnel destination. See the tunnel
destination backup command.
To enable DPD and create an alternate IPSec tunnel destination for failover:
- Enable DPD on the router.
  host1(config)#ipsec option dpd
- Enter virtual router mode. Specify the VR that contains the source and destination addresses assigned to the tunnel interface (that is, the transport virtual router context).
  host1(config)#virtual-router vrA
  host1:vrA(config)#
- Create an IPSec tunnel, and specify the transport VR.
  host1:vrA(config)#interface tunnel ipsec:Aottawa2boston transport-virtual-router default
  host1:vrA(config-if)#
- Specify the address or identity of the tunnel destination backup endpoint.
  host1:vrA(config-if)#tunnel destination backup identity branch500.customer77.isp.net
ipsec option dpd
- Use to enable dead peer detection (DPD) on the router. DPD is also known as IKE keepalive.
- You configure DPD on a per-virtual-router basis.
- Both peers must support DPD.
- Example
  host1(config)#ipsec option dpd
- Use the no version to restore the default, which disables DPD.
- See ipsec option dpd.
tunnel destination backup
- Use to specify the address or identity of the remote IPSec tunnel endpoint that is a backup tunnel destination. When DPD detects a disconnection between the E-series router and the regular IPSec tunnel destination, the router redirects traffic to the tunnel destination backup, and vice versa.
- You can use either the IP address or the fully qualified domain name (FQDN) to identify the backup IPSec tunnel; however, you must use the same type of identity that is used to specify the regular tunnel destination.
- For signaled IPSec tunnels in cable or DSL environments, use the FQDN to identify the tunnel destination backup, which does not have a fixed IP address.
- The identity string can include an optional user@ specification preceding the FQDN (this is also known as a user FQDN).
Note: If you use an FQDN to specify the IPSec tunnel destination backup, the tunnel is not initiated by the ERX router. However, the router does respond to negotiations for this backup tunnel.
- Examples
  host1(config-if)#tunnel destination backup 10.10.11.15
  host1(config-if)#tunnel destination backup identity branch245.customer88.isp.net
  host1(config-if)#tunnel destination backup identity user4925@branch245.customer88.isp.net
- Use the no version to restore the default, in which the regular tunnel destination is also the backup tunnel destination.
- See tunnel destination backup.
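The failover procedure above and the tunnel destination backup reference impose a few constraints that are easy to get wrong in a large configuration: the backup must use the same identity type (IP address or FQDN) as the regular destination, a user@ prefix on an FQDN is permitted, DPD must actually be enabled in the VR that carries the tunnel or the backup is never used, and an FQDN backup is only answered, never initiated, by the router. The following lint script is an added example written for this page; it is not part of the Juniper documentation or any Juniper tool. It parses a constructed JUNOSe-style excerpt built from the commands shown on the page. It assumes that the regular tunnel destination command takes the same `<ip> | identity <fqdn>` forms as tunnel destination backup, and that DPD is checked in the tunnel's transport VR (the procedure enables DPD in the default VR and then uses transport-virtual-router default). The interface names other than ipsec:Aottawa2boston and the hostname hq.customer77.isp.net are made up for the sample.

```python
"""Lint DPD / tunnel-destination-backup settings in a JUNOSe-style config.

Added example, not Juniper code. Assumptions (see lead-in): the regular
`tunnel destination` command mirrors the `tunnel destination backup` forms,
and DPD is evaluated in the tunnel's transport virtual router.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Optional user@ prefix followed by a dotted host name (a "user FQDN").
FQDN_RE = re.compile(r"^(?:[A-Za-z0-9._-]+@)?(?:[A-Za-z0-9-]+\.)+[A-Za-z0-9-]+$")
DEST_RE = re.compile(
    r"^tunnel destination(?P<backup> backup)?(?: (?P<ident>identity))? (?P<value>\S+)$"
)
IFACE_RE = re.compile(
    r"^interface tunnel (?P<name>ipsec:\S+) transport-virtual-router (?P<tvr>\S+)$"
)

# Constructed sample configuration (hostnames and tunnel names other than
# those shown on the page are invented). vrB deliberately lacks DPD.
SAMPLE_CONFIG = """\
ipsec option dpd
virtual-router vrA
 interface tunnel ipsec:Aottawa2boston transport-virtual-router default
  tunnel destination 10.10.11.15
  tunnel destination backup identity branch500.customer77.isp.net
 interface tunnel ipsec:Bottawa2boston transport-virtual-router default
  tunnel destination identity hq.customer77.isp.net
  tunnel destination backup identity user4925@branch245.customer88.isp.net
virtual-router vrB
 interface tunnel ipsec:Cboston2ottawa transport-virtual-router vrB
  tunnel destination 192.0.2.10
  tunnel destination backup 192.0.2.11
"""


@dataclass
class Tunnel:
    name: str
    vr: str                      # VR the interface is created in
    transport_vr: str            # VR carrying the tunnel's outer addresses
    regular: tuple[str, str] | None = None   # (kind, value)
    backup: tuple[str, str] | None = None    # (kind, value)


def identity_kind(value: str, declared_identity: bool) -> str:
    """Classify a destination as 'ip' or 'fqdn'; raise ValueError if neither.

    The `identity` keyword introduces the FQDN (or user@FQDN) form; without
    it the value must be a plain IP address.
    """
    if declared_identity:
        if not FQDN_RE.match(value):
            raise ValueError(f"not a valid (user) FQDN: {value!r}")
        return "fqdn"
    try:
        ipaddress.ip_address(value)
    except ValueError as exc:
        raise ValueError(f"not an IP address: {value!r}") from exc
    return "ip"


def parse_config(text: str) -> tuple[set[str], list[Tunnel]]:
    """Return (VRs with DPD enabled, tunnels found). Top level is the default VR."""
    dpd_vrs: set[str] = set()
    tunnels: list[Tunnel] = []
    vr = "default"
    current: Tunnel | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("virtual-router "):
            vr = line.split()[1]
            current = None
        elif line == "ipsec option dpd":
            dpd_vrs.add(vr)          # DPD is configured per virtual router
        elif m := IFACE_RE.match(line):
            current = Tunnel(m["name"], vr, m["tvr"])
            tunnels.append(current)
        elif m := DEST_RE.match(line):
            if current is None:
                raise ValueError(f"destination outside an interface: {line!r}")
            entry = (identity_kind(m["value"], m["ident"] is not None), m["value"])
            if m["backup"]:
                current.backup = entry
            else:
                current.regular = entry
        else:
            raise ValueError(f"unrecognised line: {line!r}")
    return dpd_vrs, tunnels


def lint(text: str) -> list[str]:
    """Report failover misconfigurations as one finding string per issue."""
    dpd_vrs, tunnels = parse_config(text)
    findings: list[str] = []
    for t in tunnels:
        if t.backup is None:
            continue                 # no failover configured: nothing to check
        if t.regular is None:
            findings.append(f"{t.name}: backup destination set but no regular tunnel destination")
            continue
        if t.regular[0] != t.backup[0]:
            findings.append(
                f"{t.name}: identity type mismatch: regular is {t.regular[0]} "
                f"({t.regular[1]}), backup is {t.backup[0]} ({t.backup[1]})"
            )
        if t.transport_vr not in dpd_vrs:
            findings.append(
                f"{t.name}: DPD not enabled in transport VR {t.transport_vr!r}; "
                "failover to the backup will never trigger"
            )
        if t.backup[0] == "fqdn":
            findings.append(
                f"{t.name}: backup is an FQDN; the router only responds to, "
                "and does not initiate, this tunnel"
            )
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Running the script on the sample reports four findings: an identity-type mismatch on ipsec:Aottawa2boston (IP regular destination, FQDN backup), the responder-only caveat for both FQDN backups, and a missing DPD setting in vrB that would leave ipsec:Cboston2ottawa's backup unused.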