Redundant routers with IPSEC failover

jasonww04
Level 1

For the failover between routers I plan to use HSRP:

####### Router 1 #######
interface FastEthernet0/0
 ip address 151.4.0.21 255.255.255.0
 standby 1 ip 151.4.0.20
 standby 1 priority 120
 standby 1 preempt

####### Router 2 #######
interface FastEthernet0/0
 ip address 64.232.113.10 255.255.255.0
 standby 1 ip 151.4.0.20
 standby 1 priority 110
 standby 1 preempt

Each router is connected to the internet via different ISPs. Router 1 has ISP A and router 2 has ISP B. I plan on using an IPSEC site-to-site VPN. How do I configure each router so when router 1 fails, router 2 will not only pick up all outgoing LAN traffic via HSRP, but also create the site-to-site VPN?


Istvan Matyasovszki
Cisco Employee

Hi,

The following document describes a possible solution:

Configuring HSRP with IPsec

http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_vpn_ha_enhance_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1056265

Hope this helps

Best regards

Istvan

Thanks for the link. I'm sure it will help but it seems to have the same problem as everything else I've found. It assumes you only have one ISP.

I need a config example with two routers and two ISPs using HSRP and site-to-site IPSEC VPNs.

Could you please share some additional details about the crypto configuration so I can understand your concerns better?

For example, are you planning to terminate the IPSec SAs on the same remote device? If yes, using the same IP (local identity) or not?

Thank you

Istvan

The site-to-site VPN will terminate on one remote device. So I need router 1 with ISP A and router 2 with ISP B to both be able to terminate a site-to-site VPN to RemoteSite1. Since each router will have a different ISP, each router will have a different WAN IP. The crypto config on both router 1 and 2 will be identical but the RemoteSite1 will be seeing two different IPs making the VPN. Is that enough info?

Hi,

Here are the guidelines for configuring the scenario which you described:

Configuring HSRP with IPsec

http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_vpn_ha_enhance_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1056265

First you need to name the HSRP group:

-> standby name group-name

e.g. standby name TEST

-> on both devices you define a crypto map, e.g. called CRYMAP_TEST

-> then apply the crypto map on both devices (router1 and router2) to F0/0:

    -> crypto map map-name redundancy [standby-name]

e.g. crypto map CRYMAP_TEST redundancy TEST

-> when defining the crypto peer setting on RemoteSite1 you define one peer only, i.e. 151.4.0.20 (HSRP VIP)

So basically you will end up with a stateless IPSec High Availability setup.

Istvan
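Istvan's steps assembled into one configuration, as an added example (not taken from the thread or from the Cisco guide). It uses constructed documentation addresses and a placeholder pre-shared key, and assumes both routers' outside interfaces sit on the same subnet, which HSRP requires; Router 2 is identical apart from its own interface address and a lower standby priority.

```text
! ---- Router 1 (constructed example; Router 2 differs only in its
! ---- interface address and "standby 1 priority 110") ----
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! placeholder key; 203.0.113.1 is the constructed RemoteSite1 address
crypto isakmp key <PRE-SHARED-KEY> address 203.0.113.1
!
crypto ipsec transform-set TS_TEST esp-aes 256 esp-sha256-hmac
!
! traffic to protect: constructed LAN 10.1.0.0/16 <-> remote 10.2.0.0/16
access-list 110 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
crypto map CRYMAP_TEST 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS_TEST
 match address 110
!
interface FastEthernet0/0
 description outside - same subnet on both routers
 ip address 198.51.100.2 255.255.255.0
 standby 1 ip 198.51.100.1
 standby 1 priority 120
 standby 1 preempt
 standby 1 name TEST
 ! inside link failure lowers priority so the peer takes over
 standby 1 track FastEthernet0/1
 ! ties the IPsec identity to the HSRP group: the active router
 ! negotiates SAs with the VIP 198.51.100.1 as its local address
 crypto map CRYMAP_TEST redundancy TEST
!
! ---- RemoteSite1: peers only with the HSRP VIP, never with a
! ---- router's real address ----
crypto isakmp key <PRE-SHARED-KEY> address 198.51.100.1
crypto map CRYMAP_REMOTE 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS_TEST
 match address 120
```

Because the HA is stateless, the tunnel is renegotiated after a failover rather than carried over; both routers must hold identical crypto policy so the remote peer's view is unchanged.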

So on the WAN ports I'm basically setting up another HSRP group even though each router is on a completely different subnet? Is the addressing below correct?

Router 1
ip address 1.1.1.2 255.255.255.0
standby 1 ip 1.1.1.1
standby 1 priority 120
standby 1 preempt

Router 2
ip address 21.21.21.21 255.255.255.0
standby 1 ip 1.1.1.1
standby 1 priority 110
standby 1 preempt

RemoteSite1
remote peer 1.1.1.1

Hi Jason,

I am not sure the above HSRP configuration will work. As far as I know, the 2 interfaces participating in HSRP must be in the same subnet. Have you managed to try it? You might get better help if you post this question in the network infrastructure community.

Regards,

Prapanch

I didn't think it would work. All the documentation I've seen always has the two routers on the same subnet. I'll try posting in the network infrastructure forum. Thanks.

No problem. Do post back the results of the discussion here in case anyone runs into a similar situation in future.

Cheers,

Prapanch