11-24-2020 12:52 PM
Hello!
I have 2 ISR 4K routers and I want to put them on the edge of the network, facing the ISP. They will maintain dynamic NAT for users connecting to the Internet, and also an IKEv2 site-to-site IPsec VPN. I configured stateful redundancy for NAT, so when one router fails, the other continues to forward traffic and all NAT sessions are synchronized.
I also want to configure redundancy for the VPN, but in this doc it is said that I can only configure it with HSRP.
When I try to configure HSRP and stateful redundancy at the same time, it shows an error when I'm trying to put a standby IP on the interface:
% address cannot equal interface IP address
Is there any way to achieve stateful box-to-box NAT redundancy and IPsec redundancy at the same time? And if there is, how can I do it?
Thanks in advance!
11-25-2020 02:21 AM
Hello @Skevich17 ,
>> % address cannot equal interface IP address
HSRP requires the use of a dedicated IP address for the VIP; it cannot be equal to the interface IP address. This is the meaning of the error you have seen,
so on the WAN side you would need an additional IP address to be used as the VIP. You may need to change the current interface IP address on the WAN side to be able to re-use the current IP as the HSRP VIP.
The same logic has to be applied on the LAN internal side.
Hope to help
Giuseppe
11-25-2020 05:34 AM
I know that, but my interface uses a different IP address. This HSRP VIP is the same as the one I use for the redundancy group VIP for stateful NAT.
11-25-2020 06:08 AM
Hello @Skevich17 ,
OK, I see your point.
If you already have an HSRP group and HSRP VIP in place, you can try to use it also as the endpoint for the IPsec LAN-to-LAN VPN; there is no need to add a new HSRP group.
If you need a new HSRP group, it will need a different HSRP VIP address, and if you have an address available on the WAN public side this is also a way to configure it.
Hope to help
Giuseppe
11-25-2020 10:40 AM
"If you already have an HSRP group and HSRP VIP in place, you can try to use it also as the endpoint for the IPsec LAN-to-LAN VPN; there is no need to add a new HSRP group."
It's not an HSRP group, it's an application redundancy group for stateful NAT redundancy.
interface GigabitEthernet2
description LinkISP
ip address 10.0.81.243 255.255.255.248
ip nat outside
negotiation auto
no mop enabled
no mop sysid
redundancy rii 200
redundancy group 1 ip 10.0.81.242 exclusive decrement 100
ip virtual-reassembly
To add a crypto map to this interface so that it works on the VIP, I need to add the command:
crypto map <name> redundancy <name>
But it says I don't have redundancy configured on this interface.
If I try to configure HSRP, it says:
% address cannot equal interface IP address
Maybe I'm misunderstanding something. I need 2 routers to have box-to-box redundancy for users' traffic destined to the Internet and also for site-to-site VPNs. Maybe there is a different solution to achieve what I want?
11-26-2020 12:26 AM
Hello @Skevich17 ,
you are right, you have something different: a redundancy group.
If you have a free IP address on the WAN side, you can add an HSRP group using that free IP address as the VIP, and that will be the IPsec endpoint.
If the router does not accept the configuration, it means the two features, HSRP and redundancy group, are not compatible on the same interface.
Hope to help
Giuseppe
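The following is an added configuration example illustrating the accepted answer; it is not from the original thread or from Cisco documentation, and it has not been validated on an ISR 4K. It keeps the poster's WAN interface and redundancy group exactly as posted (10.0.81.243/29 on GigabitEthernet2, RG VIP 10.0.81.242) and adds a separate HSRP group whose VIP is a second, assumed-free address on the same /29 (10.0.81.244). The crypto map is bound to the HSRP group by name, so IKEv2/IPsec is sourced from the HSRP VIP while dynamic NAT keeps using the RG VIP. The remote peer 198.51.100.10, the LAN prefixes 192.168.10.0/24 and 192.168.20.0/24, and all object names (IKEV2-*, VPNMAP, VPN-HA, NATPOOL, NAT-ACL, VPN-ACL) are made up for the example; the pre-shared key is a placeholder.

```cisco
! --- IKEv2 / IPsec (assumed values; adjust proposal, peer and key) ---
crypto ikev2 proposal IKEV2-PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 policy IKEV2-POL
 proposal IKEV2-PROP
!
crypto ikev2 keyring IKEV2-KR
 peer REMOTE-SITE
  address 198.51.100.10
  pre-shared-key <replace-with-strong-psk>
!
crypto ikev2 profile IKEV2-PROF
 match identity remote address 198.51.100.10 255.255.255.255
 authentication local pre-share
 authentication remote pre-share
 keyring local IKEV2-KR
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Interesting traffic for the tunnel (constructed LAN prefixes)
ip access-list extended VPN-ACL
 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
!
crypto map VPNMAP 10 ipsec-isakmp
 set peer 198.51.100.10
 set transform-set TS
 set ikev2-profile IKEV2-PROF
 match address VPN-ACL
!
! --- Dynamic NAT, synchronized through redundancy group 1 ---
! Deny the VPN traffic first so it is not translated before encryption.
ip access-list extended NAT-ACL
 deny   ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 any
!
! Pool is the RG VIP, so translations survive a box failover.
ip nat pool NATPOOL 10.0.81.242 10.0.81.242 netmask 255.255.255.248
ip nat inside source list NAT-ACL pool NATPOOL redundancy 1 mapping-id 10 overload
!
! --- WAN interface: poster's RG config plus a separate HSRP VIP for IPsec ---
interface GigabitEthernet2
 description LinkISP
 ip address 10.0.81.243 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 ! HSRP VIP must differ from both the interface IP and the RG VIP
 standby 1 ip 10.0.81.244
 standby 1 name VPN-HA
 standby 1 priority 110
 standby 1 preempt
 ! existing stateful NAT redundancy (unchanged from the post)
 redundancy rii 200
 redundancy group 1 ip 10.0.81.242 exclusive decrement 100
 ! bind the crypto map to the HSRP group so IKEv2 uses 10.0.81.244 as its local address
 crypto map VPNMAP redundancy VPN-HA
```

Two checks worth doing before relying on this. First, the HSRP active router and the redundancy-group active router are elected independently, so after a partial failure (for example the LAN-side link going down on one box) the two VIPs can end up on different routers; track the same object from both `standby 1 track` and the redundancy group so they fail over together. Second, the crypto map form of HSRP redundancy used here is stateless: on failover the peer must re-establish IKEv2 and IPsec SAs to 10.0.81.244, so configure DPD on both ends so the stale SA is torn down quickly.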
12-13-2020 11:39 PM
Sorry for the long response. I was able to test it just now, and it works! Thanks!