03-31-2013 07:50 PM - edited 03-04-2019 07:27 PM
Headquarters has a single router with a single ISP. The Remote site has dual routers, both with dual WAN interfaces going to two different ISPs.
I am already using IPSLA and HSRP to get failover between the routers and between the dual ISPs. Now I am trying to add failover on the VPN tunnel so that the VPN is terminated at the two HSRP WAN group IPs (1.1.1.3 and 2.2.2.3).
I know this setup works using a single router with two WAN interfaces at the Remote site (see link below). I just run into trouble when I turn those WAN interfaces into HSRP groups and add R2.
When I have two routers and am using HSRP groups, I cannot apply the crypto map to the second HSRP group. I get an error stating "crypto map already applied with another redundancy name".
This setup with a single router and dual ISPs is done like this:
I want to accomplish the same thing but with dual routers and dual ISPs.
Here's the config that I'm trying to run. I listed where I'm getting the errors on R1 and R2 when adding the crypto maps to the HSRP groups.
------------------------------------------------------------------------------------------------------------------
CONFIGS
R1
crypto map HQT-VPN
set peer 3.3.3.3
routing to peer 3.3.3.3 done using ipsla and weighted static routes
fa0/0
ip address 1.1.1.1 255.255.255.248
standby 1 ip 1.1.1.3
standby 1 preempt
standby 1 priority 145
standby 1 name WANHSRP
crypto map HQT-VPN redundancy WANHSRP
fa0/1
ip address 2.2.2.1 255.255.255.248
standby 2 ip 2.2.2.3
standby 2 preempt
standby 2 priority 145
standby 2 name WANHSRP2
{crypto map HQT-VPN redundancy WANHSRP2}
{error says: Crypto Map already applied with another redundancy name}
-------------------------------------------------
R2
crypto map HQT-VPN
set peer 3.3.3.3
fa0/0
ip address 1.1.1.2 255.255.255.248
standby 1 ip 1.1.1.3
standby 1 preempt
standby 1 priority 145
standby 1 name WANHSRP
crypto map HQT-VPN redundancy WANHSRP
fa0/1
ip address 2.2.2.2 255.255.255.248
standby 2 ip 2.2.2.3
standby 2 preempt
standby 2 priority 145
standby 2 name WANHSRP2
{crypto map HQT-VPN redundancy WANHSRP2}
{error says: Crypto Map already applied with another redundancy name}
04-01-2013 01:33 AM
What I think is that redundancy is not needed in that case.
Just apply a simple crypto map on both interfaces. It will prefer the primary HSRP, and if the primary goes down it will shift to the backup.
Do correct me if I am wrong.
*** Do Rate All Helpful Posts***
04-02-2013 09:03 AM
Thanks for the suggestion,
I tried just setting a simple crypto map on both interfaces. But the problem is that the VPN isn't terminated on the HSRP VIP, it's terminated on the interface IP of the active interface.
So on the HQT router, instead of having two peers to deal with, it now has four possible peers.
The statement (peer 1.1.1.1 2.2.2.2) only supports a primary and secondary IP.
Somehow I need to get the VPN to terminate on the HSRP VIPs, which I think requires the redundancy command.
07-20-2017 12:49 AM
You can add this:
Two crypto maps [HQT-VPN and HQT-VPN2]
ex.
crypto map HQT-VPN 1 ipsec-isakmp dynamic A
crypto map HQT-VPN2 1 ipsec-isakmp dynamic A
crypto map HQT-VPN2
fa0/1
ip address 2.2.2.1 255.255.255.248
standby 2 ip 2.2.2.3
standby 2 preempt
standby 2 priority 145
standby 2 name WANHSRP2
crypto map HQT-VPN2 redundancy WANHSRP2
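A pre-deployment check for the condition behind the error in this thread, as an added example that is not from any of the posts: it scans an IOS configuration for a crypto map name bound to more than one HSRP standby name. The sample configs are constructed from the R1 stanzas above, written out in full IOS syntax, and the function name `redundancy_conflicts` is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample config: the R1 stanzas from the thread in full IOS syntax.
R1_AS_POSTED = """\
interface FastEthernet0/0
 ip address 1.1.1.1 255.255.255.248
 standby 1 ip 1.1.1.3
 standby 1 name WANHSRP
 crypto map HQT-VPN redundancy WANHSRP
!
interface FastEthernet0/1
 ip address 2.2.2.1 255.255.255.248
 standby 2 ip 2.2.2.3
 standby 2 name WANHSRP2
 crypto map HQT-VPN redundancy WANHSRP2
"""

# Constructed variant: one crypto map name per HSRP group, as in the last reply.
R1_TWO_MAPS = R1_AS_POSTED.replace(
    "crypto map HQT-VPN redundancy WANHSRP2",
    "crypto map HQT-VPN2 redundancy WANHSRP2",
)

IFACE_RE = re.compile(r"^interface\s+(\S+)")
CMAP_RE = re.compile(r"^\s+crypto map\s+(\S+)\s+redundancy\s+(\S+)")

def redundancy_conflicts(config: str) -> dict:
    """Return {map_name: [(interface, standby_name), ...]} for every crypto
    map that is bound to more than one distinct HSRP standby name."""
    bindings = defaultdict(list)
    iface = None
    for line in config.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)          # entered an interface stanza
            continue
        if not line.startswith(" "):
            iface = None                # any other top-level line ends it
            continue
        m = CMAP_RE.match(line)
        if m and iface:
            bindings[m.group(1)].append((iface, m.group(2)))
    return {name: uses for name, uses in bindings.items()
            if len({standby for _, standby in uses}) > 1}

if __name__ == "__main__":
    for label, cfg in (("as posted", R1_AS_POSTED), ("two maps", R1_TWO_MAPS)):
        print(label, redundancy_conflicts(cfg) or "no conflict")
```

The check only reports the naming conflict that the error message describes; it does not validate that the tunnel itself will establish.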