06-02-2016 03:01 PM - edited 03-05-2019 04:09 AM
I'm hoping someone can help give advice and point me in the right direction.
I have a single Cisco 1921 edge router on a public IP (the hop router on the rough attached diagram) with a PBR IPSec VPN tunnel from a source location that relays traffic to a destination location via a 2nd VPN tunnel, and I need to set up a hot failover router and ISP redundancy. There is nothing connected to the LAN, and I cannot add routing protocols or change the VPN tunnel types to, say, DMVPN or static/dynamic VTI. The backup router will also be a 1921.
I was thinking of HSRP via a LAN setup directly between the 2 routers, but this wouldn't work as the public static IP WAN addresses would have to be identical for the static IP PBR IPSec VPN tunnels. Then I thought I could do HSRP over the WAN, but I believe this would use 3 public IP addresses, which would be nice to avoid if possible, but not mandatory.
Another requirement is that the PBR IPSec tunnels must fail over between the primary and secondary ISP connections on site, and I was thinking of an IP SLA setup.
What is the best way to set up a hot standby redundant router in case the primary hop router fails, and fail over the VPN tunnels between the 2 ISP connections in case the primary ISP fails?
Any example configuration or how to resources would be helpful as well.
Thanks,
Chris
06-02-2016 04:32 PM
Are all the VPN endpoints Cisco routers?
If so, use DMVPN and make life easy. It handles all this complex stuff automatically.
06-02-2016 06:04 PM
Philip,
Thanks for the reply, but DMVPN isn't an option. Any other suggestions/input?
06-02-2016 06:05 PM
Static GRE over IPSec VPN tunnels and a dynamic routing protocol like EIGRP.
06-03-2016 03:35 AM
Philip,
Per my original post, adding a routing protocol isn't really an option either. Couldn't I just add a second peer IP for the secondary ISP on the tunnel between the hop and destination routers? Any ideas on the hot hop router failover front?
06-03-2016 02:00 PM
One of the questions I asked was are all the end points Cisco routers - and the answer to your question depends on the answer to my question.
06-03-2016 02:06 PM
The destination router is not a Cisco, but the rest are.
06-03-2016 02:27 PM
This may not be possible to achieve without having Cisco kit at both ends.
Let's check for a silver bullet. The two hop routers: are their outside public IP addresses in the same subnet, and can you configure HSRP between their two outside interfaces?
06-04-2016 06:37 AM
Yes, both primary and failover hop routers have public IP addresses from both ISPs on the same subnet and connect to the same DMZ switch on their WAN interfaces. Both ISP routers connect to the DMZ switch on the diagram attached to the first post. I wanted to avoid consuming 3 public IPs off each ISP to go with WAN-facing HSRP, but this may be the only way? How would router and ISP failover work with this option? 2 HSRP groups, one for each ISP, and source/destination sites would VPN peer to both HSRP virtual IP addresses?
06-04-2016 01:34 PM
Yes, we can make this work! Yes, you'll need two HSRP groups, one for each ISP. Yes, the remote VPN will terminate on the HSRP peer(s).
To make the example easier, let's pretend the HSRP address is 1.2.3.4. You can repeat the config for the other HSRP group.
! Keyring: IKE is sourced from the HSRP virtual address, so the remote peer
! sees the same local IP whichever hop router is active
crypto keyring keyring-vpn-site-to-site
  local-address 1.2.3.4
  pre-shared-key address a.b.c.d key ...
!
! ISAKMP profile: match the remote peer and bind the same virtual address
crypto isakmp profile isakmp-vpn-site-to-site
  keyring keyring-vpn-site-to-site
  match identity address a.b.c.d 255.255.255.255
  local-address 1.2.3.4
!
! Crypto map entry for that peer, tied to the profile above
crypto map outside_map 1 ipsec-isakmp
  set peer a.b.c.d
  set isakmp-profile isakmp-vpn-site-to-site
  ...
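As an added example (my own, not the poster's configuration), the interface-side half of that design on one hop router: a single WAN interface carrying an address from each ISP subnet, one HSRP group per subnet, an IP SLA probe of the ISP1 gateway that drives both a floating default route and the group-1 priority, and MD5 authentication on both groups so that no other host on the shared DMZ switch can claim a virtual address. The addresses are RFC 5737 documentation ranges standing in for the real ones (203.0.113.10 plays the role of the 1.2.3.4 virtual address above), and the interface name, group names, key strings and the `outside_map` binding are assumptions; the keyring, ISAKMP profile and crypto map from the post above are assumed to already exist, repeated with the second virtual address for ISP2.

```cisco
! --- Probe the ISP1 gateway from this router's own ISP1 address (constructed addresses) ---
ip sla 1
 icmp-echo 203.0.113.1 source-ip 203.0.113.11
 frequency 5
 timeout 1000
 threshold 500
ip sla schedule 1 life forever start-time now
!
! Track object 1 follows the probe; dampen flaps before acting on it
track 1 ip sla 1 reachability
 delay down 10 up 30
!
! --- WAN interface: primary address from ISP1, secondary from ISP2, both on the DMZ switch ---
interface GigabitEthernet0/0
 description WAN to DMZ switch (ISP1 primary, ISP2 secondary)
 ip address 203.0.113.11 255.255.255.240
 ip address 198.51.100.11 255.255.255.240 secondary
 !
 ! HSRP group 1 = ISP1 virtual address (the "1.2.3.4" of the post above)
 standby 1 ip 203.0.113.10
 standby 1 priority 110
 standby 1 preempt delay minimum 30
 standby 1 authentication md5 key-string REPLACE-WITH-SHARED-SECRET
 standby 1 name HSRP-ISP1
 ! lose 20 priority if this router cannot reach the ISP1 gateway, so the
 ! peer router takes the virtual address if only this router's path is broken
 standby 1 track 1 decrement 20
 !
 ! HSRP group 2 = ISP2 virtual address, the second peer the remote sites list
 standby 2 ip 198.51.100.10
 standby 2 priority 110
 standby 2 preempt delay minimum 30
 standby 2 authentication md5 key-string REPLACE-WITH-SHARED-SECRET
 standby 2 name HSRP-ISP2
 !
 ! Crypto map from the post above (assumed to carry one entry per ISP profile)
 crypto map outside_map
!
! --- Default route: ISP1 while the probe is up, floating route via ISP2 otherwise ---
ip route 0.0.0.0 0.0.0.0 203.0.113.1 track 1
ip route 0.0.0.0 0.0.0.0 198.51.100.1 10
```

The standby router gets the same configuration with its own physical addresses, a lower priority (for example 100) and its own probe source. The tracked default route only moves this router's own outbound path; the tunnels follow the remote peers, which must list both virtual addresses as peers and detect the dead one (dead-peer detection) before they rebuild to the ISP2 address. `show standby brief` and `show track` on both routers confirm which router is active for each group and whether the probe is up.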