10-07-2010 10:44 PM - edited 03-04-2019 10:02 AM
Hi,
Is it possible to configure IPsec VPN (site-to-site) redundancy with two routers by using GLBP instead of HSRP? I am not finding any documents related to GLBP VPN redundancy.
1. If we are using HSRP for VPN redundancy, the IPsec traffic will always hit a single router and the second router will always be in standby state.
2. I want to use GLBP for VPN redundancy so that I could use both routers for the IPsec traffic.
Can anyone help me?
Regards,
Hariharan k
10-08-2010 04:08 AM
Hello Hariharan,
GLBP load balancing works based on the fact that the router with the AVG role replies to ARP requests for the VIP with the MAC address of virtual forwarder 1, then with that of virtual forwarder 2.
Unless your remote sites are connected with VPLS, they arrive at one device (a router or a firewall) that will perform a SINGLE ARP request for the VIP and will use it for all packets coming from all remote sites.
If they are connected with VPLS you could gain from using GLBP, but when the ARP entry times out the remote site will ARP again, with the risk of receiving the MAC address of the other virtual forwarder, making IPsec fail.
So you should have the IPsec security association lifetime less than the ARP table timeout, but even this does not provide an easy transition.
Ideally you would need persistency to have a remote site bound to the same virtual MAC address all the time. But then if one router fails the other router should be informed of the IPsec connections that were present in the other device.
There is stateful IPsec but it is combined with HSRP and not with GLBP, as far as I know.
Stateful communication is built on the internal interface and the two boxes have two HSRP groups, one inside and one outside.
see
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/white_paper_c11_472859.html
Hope to help
Giuseppe
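A small Python model of the behaviour Giuseppe describes, added here as an example and not taken from the thread: a GLBP AVG answering ARP requests for the VIP round-robin, and a remote peer whose non-stateful IPsec SA stays bound to whichever router answered when the SA was built. The VIP is the one from the thread's config; the forwarder MACs, the timeout values and the one-unit time steps are constructed.

```python
from itertools import cycle

VIP = "10.251.240.1"  # the HSRP VIP from the thread's config, reused here as a GLBP VIP
VF_MACS = ["0007.b400.0101", "0007.b400.0102"]  # constructed GLBP virtual-forwarder MACs


class GlbpAvg:
    """Active virtual gateway: answers successive ARP requests for the VIP with the MAC
    of virtual forwarder 1, then forwarder 2, then forwarder 1 again (round-robin)."""
    def __init__(self, macs):
        self._ring = cycle(macs)

    def arp_reply(self, target_ip):
        return next(self._ring) if target_ip == VIP else None


class RemotePeer:
    """Remote-side device: resolves the VIP once, re-ARPs when the cache entry ages out,
    and holds a non-stateful IPsec SA bound to the router that answered when it was built."""
    def __init__(self, avg, arp_timeout, sa_lifetime):
        self.avg, self.arp_timeout, self.sa_lifetime = avg, arp_timeout, sa_lifetime
        self.arp_mac = self.arp_learned = None
        self.sa_mac = self.sa_started = None

    def send(self, now):
        if self.arp_mac is None or now - self.arp_learned >= self.arp_timeout:
            self.arp_mac, self.arp_learned = self.avg.arp_reply(VIP), now
        if self.sa_mac is None or now - self.sa_started >= self.sa_lifetime:
            self.sa_mac, self.sa_started = self.arp_mac, now  # new SA with the router now in ARP
        # No stateful failover: the other router has no SA for this peer and drops the packet.
        return "ok" if self.sa_mac == self.arp_mac else "dropped"


def forwarders_used_by_hub(n_sites):
    """Branches behind one hub router/firewall share that hub's single ARP entry for the
    VIP, so all of their traffic lands on the same forwarder however many branches there are."""
    hub = RemotePeer(GlbpAvg(VF_MACS), arp_timeout=14400, sa_lifetime=3600)
    seen = set()
    for _ in range(n_sites):
        hub.send(now=0)
        seen.add(hub.arp_mac)
    return seen


def vpls_timeline(arp_timeout, sa_lifetime, steps):
    """Directly attached (VPLS) site with its own ARP cache: one result per time step, showing
    the outage between an ARP refresh that flips forwarders and the next SA rebuild."""
    peer = RemotePeer(GlbpAvg(VF_MACS), arp_timeout, sa_lifetime)
    return [peer.send(t) for t in range(steps)]
```

The timeline only stays clean when an ARP refresh happens to coincide with an SA renegotiation, which is the "no easy transition" point above; GLBP's host-dependent load-balancing mode would pin a requester to one forwarder, but it still leaves the other router with no knowledge of the SA.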
10-07-2010 11:37 PM
Because with GLBP both routers are always in an "active" state, meaning that they are always potentially the active gateway for any client on the LAN side, you must create two IPsec tunnels, as opposed to having just one IPsec tunnel that flaps between the two HSRP routers.
So from the local LAN to the remote LAN, traffic will go from client A to "client A's gateway" (that client's specific GLBP gateway), and then out over a VPN tunnel to the remote site. Traffic back from the remote site would then potentially take either tunnel, based on the VPN traffic profiles that you set up on that remote site.
So, with this in mind, make sure you do not have any stateful inspection or anything similar being done on the local site (where your two GLBP routers are located), or else return traffic may fail.
Hope this helps!
10-08-2010 12:11 AM
Hi,
Kindly find the attached file for my network setup and let me know whether it is possible for me to configure IPsec VPN redundancy on the VPN routers by using GLBP.
Currently I am using HSRP for VPN redundancy, so all the branches will always establish the tunnel with a single router, and one router will be utilised all the time. My configuration is as below.
vpn router 1
===========
interface GigabitEthernet0/1
 ip address 10.251.240.2 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
 standby 0 ip 10.251.240.1
 standby 0 priority 105
 standby 0 name group1
 standby 0 track GigabitEthernet0/0
 crypto map FED redundancy group1
vpn router 2
===========
interface GigabitEthernet0/1
 ip address 10.251.240.3 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
 standby 0 ip 10.251.240.1
 standby 0 name group1
 crypto map FED redundancy group1
All my branches have the set peer IP address as my HSRP VIP. Now I am planning to configure GLBP. Can anyone help me in configuring GLBP?
Regards,
Hariharan k
10-08-2010 05:47 AM
Hi giuslar,
Thanks a lot for your reply.
I understood that "There is stateful IPsec but it is combined with HSRP and not with GLBP as far as I know."
Regards,
Hariharan k