This chapter outlines a broad scope of concepts required for understanding IPSec VPN HA. In summary, there are five very broad components of IPSec VPN HA that should be explored when designing HA into an IPSec VPN deployment:

This chapter ties in with various topologies discussed in previous HA discussions, and the book continues to do so in subsequent HA chapters. There are many different design options for each of the HA categories listed previously in this summary and introduced previously in this chapter. Table 5-2 shows some design concepts that you should be familiar with at this point in the text and the area of HA to which they pertain.

Table 5-2. HA Design Summary

| HA Deployment Option | HA Deployment Category |
|---|---|
| Advantages and disadvantages of terminating IPSec on multiple interfaces versus terminating IPSec on a Virtual Interface (HSRP/VRRP). | Termination redundancy |
| IKE Keepalives and Dead Peer Detection: The similarities and differences of each and when to use one or the other. | Path availability |
| When to use multiple peering statements for tunnel redundancy and when to rely on the underlying RP for tunnel redundancy. | Termination redundancy, network redundancy |
| What load balancing is and where it fits into the IPSec HA paradigm. | Load balancing and HA |
| Encrypted RPs and GRE Keepalives: Why they are useful and the associated packet and performance overhead. | Path availability |
| BGP and IGPs with Unicast Neighbors: When they are a useful design alternative to encrypted RPs. | Path availability |
| How RRI, RP Metrics, and HSRP can all be used to abate IPSec control plane issues with path asymmetry. | Path symmetry |
| DNS-based IPSec load balancing, RP-based IPSec load balancing, IPSec load balancing alternate with peering statements, VPN3000 clustering with VCA, and IPSec load balancing with external load balancers: What each method requires, the advantages/disadvantages of each, and when to consider each design option. | Load balancing and HA |

The ensuing chapters discuss these design concepts in greater detail, including configuration and troubleshooting steps. Each subject is presented in the context of local High Availability (Chapter 6, "Site-to-Site Local HA Solutions") and geographic High Availability (Chapter 7, "Site-to-Site Geographic HA Solutions"). Many of the IPSec HA design options introduced in this chapter, such as VPN3000 clustering, pertain to RAVPN environments. The HA discussions in Chapter 9, "Remote Access VPN High Availability," focus solely on RAVPN environments.