Enable HSRP on Serial

terryyau
Level 1

We have 2 x Cisco 3640 Internet Routers with VPN module; each router has 1 serial port connected to an E1 line.

We will form a VPN tunnel with our partner, and as the crypto map has to be applied on the outgoing interface (i.e. the serial interface), is it possible to create an HSRP group for the serial ports of the 2 x Cisco 3640 such that the partner will point to our "serial HSRP" as the VPN gateway IP?

7 Replies

a.awan
Level 4

HSRP is a LAN application service and is supported on media like Ethernet, Token Ring, and FDDI. It has to do with a shared protocol (IP) address and a virtual MAC address. You cannot create an HSRP group for a serial interface. To achieve redundancy in your case you might want to create two separate tunnels and run routing over them for seamless failover.

Dear Atif,

Many thanks for your answer; your answer is very clear and easy for me to understand.

As you mentioned VPN redundancy by means of routing, could you let me know more? I can't imagine it, because our Internet router uses a default static route to point to our ISP.

I am supporting a network for a customer that implements redundancy for IPSec VPNs based on a routing protocol. As your question says, our router that terminates the VPN tunnels has static routes pointed to the ISP. We run a routing protocol over the tunnel between the central site router and the remote site router. The remote router has two tunnels to two different routers at the central site. The routing protocol is used to determine which tunnel will carry traffic and to provide the failover capability. Since the routing protocol updates are in the tunnel nothing in the Internet sees the routing updates. In this case the interface included in the routing protocol is the tunnel interface not the physical interface over which the traffic will flow.

Note that IPSec processes unicast traffic. To run a routing protocol you must run GRE tunnels with IPSec.

There is also a High Availability option in IPSec in some recent versions of IOS. This allows you to run IPSec without the GRE tunnel and does not require a routing protocol. In this option there is now some capability within IPSec to implement the failover.

HTH

Rick

Rick described it pretty well, so I will just provide a link that has some configuration examples for configuring routing over GRE+IPSec.

http://www.cisco.com/en/US/tech/tk583/tk372/tech_configuration_examples_list.html

The link has a lot of configuration examples but only a few are specific to configuring GRE with IPSec. Just do a search for GRE.

Dear Professionals,

Is it better to separate the routing function and VPN function into two devices rather than in one box?

i.e. 2 x Cisco 3640 + 2 x VPN3xxx concentrator

That may reduce the risk in case of a WAN link failure or a router failure.

Also, after my study, there is a drawback to IPSec over GRE: the MTU size of the packet will be reduced. I am afraid there will be some unexpected results.

Looking forward to your comments.

Routing and VPN need to be tightly integrated for this solution, so I would keep both components on the same box. You need routing updates to be sent over the tunnel, and even if you try to separate routing and VPN I do not think you can literally achieve that in this particular case. Moreover, if you are concerned about redundancy then keep in mind that you have two routers and a VPN tunnel terminating on each router, so even if one WAN link or one router goes down you still have a second way into your head end site. Normally when one is implementing redundancy one tries to avoid any single point of failure. If you start thinking about trying to avoid multiple points of failure then things become unnecessarily complicated.

The MTU concern is a valid one, but if you understand the effect of tunneling on MTU and how traffic is handled (fragmented or not) you should be fine. Just make sure that ICMP is not blocked anywhere in the network, as that can cause MTU detection to fail. There is a great link on CCO on this subject and I would suggest reading it in detail:

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml
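As an added configuration example (written for this thread, not taken from any of the posters or from the Cisco links above), here is the remote-site half of the design Rick describes, with the tunnel MTU settings Atif's MTU post refers to. Addresses (RFC 5737 ranges), interface names and the pre-shared keys are constructed placeholders, 12.x-era IOS syntax is assumed, and each head-end router would carry the mirror image with a single tunnel and a single crypto map entry.

```cisco
! Remote-site router: two GRE tunnels, one to each head-end, with IPsec protecting the GRE packets.
! Constructed addresses: HQ-A 203.0.113.1, HQ-B 203.0.113.5, this router 198.51.100.1 (placeholders).
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key EXAMPLE-PSK-A address 203.0.113.1
crypto isakmp key EXAMPLE-PSK-B address 203.0.113.5
!
! 3des shown for the 3640 era; use AES where the IOS image supports it
crypto ipsec transform-set TS esp-3des esp-sha-hmac
 mode transport
!
! Encrypt only GRE between the tunnel endpoints; the routing protocol rides inside the GRE tunnel
access-list 101 permit gre host 198.51.100.1 host 203.0.113.1
access-list 102 permit gre host 198.51.100.1 host 203.0.113.5
!
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS
 match address 101
crypto map VPN 20 ipsec-isakmp
 set peer 203.0.113.5
 set transform-set TS
 match address 102
!
interface Tunnel0
 description GRE to HQ-A (primary)
 ip address 10.255.0.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source Serial0/0
 tunnel destination 203.0.113.1
!
interface Tunnel1
 description GRE to HQ-B (backup)
 ip address 10.255.0.6 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 delay 10000
 tunnel source Serial0/0
 tunnel destination 203.0.113.5
!
interface Serial0/0
 ip address 198.51.100.1 255.255.255.252
 crypto map VPN
!
router eigrp 100
 network 10.0.0.0
 no auto-summary
ip route 0.0.0.0 0.0.0.0 198.51.100.2
```

Only the tunnel interfaces take part in EIGRP, so nothing on the Internet sees the routing updates; the higher `delay` on Tunnel1 makes EIGRP prefer Tunnel0 and fall back to Tunnel1 when the neighbor over Tunnel0 is lost, and the `ip mtu`/`ip tcp adjust-mss` pair leaves room for the GRE and ESP headers so TCP traffic is not fragmented on the serial link.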

Hi,

My partner is using 2 x Netscreen 204 VPN devices (the 2 devices use 1 IP) to form a VPN tunnel with our Cisco 3640 router. I am not sure if dynamic routing can be exchanged between our Cisco router and the Netscreen.

My partner is only able to form one connection to one of our Ciscos at the same time, therefore the redundancy is manually achieved, that is, when one WAN link is down, we call our partner to establish to the other router.

Usually, for forming a VPN tunnel with a non-Cisco device, is it better to use a VPN concentrator?
