cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1197
Views
0
Helpful
9
Replies

Redundant routers with IPSEC failover

jasonww04
Beginner
Beginner

For the failover between routers I plan to use HSRP:

####### Router 1 #######

interface FastEthernet0/0

ip address 151.4.0.21 255.255.255.0

standby 1 ip 151.4.0.20

standby 1 priority 120

standby 1 preempt

######## Router 2########

interface FastEthernet0/0

ip address 64.232.113.10 255.255.255.0

standby 1 ip 151.4.0.20

standby 1 priority 110

standby 1 preempt

Each router is connected to the internet via different ISPs. Router 1 has ISP A and router 2 has ISP B. I plan on using an IPSEC site-to-site VPN. How do I configure each router so when router 1 fails, router 2 will not only pick up all outgoing LAN traffic via HSRP, but also create the site-to-site VPN?

9 Replies 9

Istvan Matyasovszki
Cisco Employee
Cisco Employee

Hi,

The following document provides the description on a possible solution :

Configuring HSRP with IPsec

http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_vpn_ha_enhance_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1056265

Hope this helps

Best regards

Istvan

Thanks for the link. I'm sure it will help but it seems to have the same problem as everything else I've found. It assumes you only have one ISP.

I need a config example with two routers and two ISPs using HSRP and site-to-site IPSEC VPNs.

Could you please share some additional details about the crypto configuration so I can understand your concerns better ?

For example, are you planning to terminate the IPSec SAs on the same remote device ? If yes using the same IP (local identity)  or not ?

Thank you

Istvan

The site-to-site VPN will terminate on one remote device. So I need router 1 with ISP A and router 2 with ISP B to both be able to terminate a site-to-site VPN to RemoteSite1. Since each router will have a different ISP, each router will have a different WAN IP. The crypto config on both router 1 and 2 will be identical but the RemoteSite1 will be seeing two different IPs making the VPN. Is that enough info?

Hi,

Here are the guidelines for configuring the scenario which you described :

Configuring HSRP with IPsec

http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_vpn_ha_enhance_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1056265

First you need to name the the HSRP group :

-> standby name group-name

e.g. standby name TEST

-> you define a on both devices a crypto map named e.g. called CRYMAP_TEST

-> then apply the crypto map on both devices (router1 and router2 ) to F0/0 :

    -> crypto map map-name redundancy [standby-name]

e.g. crypto map CRYMAP_TEST redundancy TEST

-> when defining the crypto peer setting on RemoteSite1 you define one peer only i.e.  151.4.0.20 (HSRP VIP)

So basically you will end up with a stateless IPSec High Availaibility setup.

Istvan

So on the WAN ports I'm basically setting up another HSRP group even though each router is on a completely different subnet? Is the addressing below correct?

Router 1

ip address  1.1.1.2 255.255.255.0    

standby 1 IP 1.1.1.1

standby 1 priority 120

standby 1 preempt

Router 2

ip address 21.21.21.21.21 255.255.255.0

standby 1 IP 1.1.1.1

standby 1 priority 110

standby 1 preempt

RemoteSite1

remote peer 1.1.1.1

Hi Jason,

I am not sure the above HSRP configuration wil work. As far as i know, the 2 interfaces participating in HSRP must be in the same subnet. Have you managed to try it? You might get beter help if you post this question in the network infrastructure community.

Regards,

Prapanch

I didn't think it would work. All the documentation I've seen always has the two routers on the same subnet. I'll try posting in the network infrastructure forum. Thanks.

No problem. Do post back the results of the discussion here in case anyone runs into a similar situation in future.

Cheers,

Prapanch

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers