892 Views | 0 Helpful | 9 Replies

HSRP with 2 ISP and VPN tunnel relay

freeman6351
Level 1

I'm hoping someone can help give advice and point me in the right direction.

I have a single Cisco 1921 edge router on a public IP (the hop router on the rough attached diagram) with a PBR IPSec VPN tunnel from a source location that relays traffic to a destination location via a 2nd VPN tunnel, and I need to set up a hot failover router and ISP redundancy. There is nothing connected to the LAN, and I cannot add routing protocols or change the VPN tunnel types to, say, DMVPN or static/dynamic VTI. The backup router will also be a 1921.

I was thinking of HSRP via a LAN setup directly between the 2 routers, but this wouldn't work as the public static IP WAN addresses would have to be identical for the static IP PBR IPSec VPN tunnels. Then I thought I could do HSRP over the WAN, but I believe this would use 3 public IP addresses, which would be nice to avoid if possible, but not mandatory.

Another requirement is that the PBR IPSec tunnels must fail over between the primary and secondary ISP connections on site, and I was thinking of an IP SLA setup.

What is the best way to set up a hot standby redundant router in case the primary hop router fails, and to fail over the VPN tunnels between the 2 ISP connections in case the primary ISP fails?

Any example configuration or how to resources would be helpful as well.

Thanks,

Chris


9 Replies

Philip D'Ath
VIP Alumni

Are all the VPN endpoints Cisco routers?

If so, use DMVPN and make life easy.  It handles all this complex stuff automatically.

Philip,

Thanks for the reply, but DMVPN isn't an option. Any other suggestions/input?

Static GRE over IPSec VPN tunnels and a dynamic routing protocol like EIGRP.

Philip,

Per my original post, adding a routing protocol isn't really an option either. Couldn't I just add a second peer IP for the secondary ISP on the tunnel between the hop and destination routers? Any ideas on the hot hop router failover front?

One of the questions I asked was: are all the endpoints Cisco routers? And the answer to your question depends on the answer to my question.

The destination router is not a Cisco, but the rest are.

This may not be possible to achieve without having Cisco kit at both ends.

Let's check for a silver bullet. The two hop routers: are their outside public IP addresses in the same subnet, and can you configure HSRP between their two outside interfaces?

Yes, both primary and failover hop routers have public IP addresses from both ISPs on the same subnet and connect to the same DMZ switch on their WAN interfaces. Both ISP routers connect to the DMZ switch on the diagram attached to the first post. I wanted to avoid consuming 3 public IPs off each ISP to go with WAN-facing HSRP, but this may be the only way? How would router and ISP failover work with this option? 2 HSRP groups, one for each ISP, and source/destination sites would VPN peer to both HSRP virtual IP addresses?

Yes, we can make this work!  Yes, you'll need two HSRP groups, one for each ISP.  Yes, the remote VPN will terminate on the HSRP peer(s).

To make the example easier, let's pretend the HSRP address is 1.2.3.4. You can repeat the config for the other HSRP group.

crypto keyring keyring-vpn-site-to-site
 local-address 1.2.3.4
 pre-shared-key address a.b.c.d key ...

crypto isakmp profile isakmp-vpn-site-to-site
 keyring keyring-vpn-site-to-site
 match identity address a.b.c.d 255.255.255.255
 local-address 1.2.3.4

crypto map outside_map 1 ipsec-isakmp
 set peer a.b.c.d
 set isakmp-profile isakmp-vpn-site-to-site
 ...
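An added example, not the poster's or the answerer's configuration, that puts the snippet above onto an outside interface: a named HSRP group whose priority tracks the ISP gateway through IP SLA (the failover trigger the original question proposed), and the crypto map bound to that group so IKE/IPsec sources from the virtual IP and follows it to whichever hop router is active. All addresses, interface names, ACL contents and the two placeholders are assumptions; the standby router runs the same config with its own interface address and a lower priority, and the second ISP repeats this with a second group and a second crypto map, as the answer says.

```cisco
! Added example (hypothetical addressing, not the thread's configuration).
! ISP-A outside subnet 203.0.113.0/29: gateway .1, primary router .2,
! standby router .3, HSRP VIP .4 (the answer's "1.2.3.4").
! Remote VPN peer (the answer's "a.b.c.d") written as 198.51.100.10.

! Probe the ISP-A gateway; if it stops answering, HSRP priority drops
! and the other hop router takes the VIP.
ip sla 1
 icmp-echo 203.0.113.1 source-interface GigabitEthernet0/0
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability

! IKE identity and PSK bound to the VIP, as in the accepted answer.
crypto keyring keyring-vpn-site-to-site
 local-address 203.0.113.4
 pre-shared-key address 198.51.100.10 key <REPLACE-WITH-PSK>

crypto isakmp profile isakmp-vpn-site-to-site
 keyring keyring-vpn-site-to-site
 match identity address 198.51.100.10 255.255.255.255
 local-address 203.0.113.4

crypto ipsec transform-set ts-aes256-sha256 esp-aes 256 esp-sha256-hmac
 mode tunnel

! Placeholder interesting-traffic ACL; replace with the real relayed prefixes.
ip access-list extended acl-vpn-site-to-site
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255

crypto map outside_map 1 ipsec-isakmp
 set peer 198.51.100.10
 set transform-set ts-aes256-sha256
 set isakmp-profile isakmp-vpn-site-to-site
 match address acl-vpn-site-to-site

! Outside interface of the primary hop router. The standby router is
! identical apart from its own address (.3) and a lower priority.
interface GigabitEthernet0/0
 description ISP-A outside (shared DMZ switch)
 ip address 203.0.113.2 255.255.255.248
 standby version 2
 standby 1 ip 203.0.113.4
 standby 1 priority 110
 standby 1 preempt delay minimum 30
 standby 1 authentication md5 key-string <REPLACE-WITH-HSRP-KEY>
 standby 1 name HSRP-ISP-A
 standby 1 track 1 decrement 20
 ! "redundancy" ties the crypto map to the group's VIP instead of the interface address.
 crypto map outside_map redundancy HSRP-ISP-A
```

Failover is stateless: the remote end still peers with the VIP, but existing SAs are not carried across, so the tunnel renegotiates after the switch (DPD on the remote side shortens the gap). If ISP-A itself goes down, both hop routers lose the probe and the remote site has to fall back to the ISP-B group's VIP as its second peer, which is why the answer calls for one group per ISP.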