VPN redundancy with HSRP and dual routers

chris fricke
Level 1

Headquarters has a single router with a single ISP. The remote site has dual routers, both with dual WAN interfaces going to two different ISPs.

I am already using IP SLA and HSRP to get failover between the routers and between the dual ISPs. Now I am trying to add failover on the VPN tunnel so that the VPN is terminated at the two HSRP WAN group IPs (1.1.1.3 and 2.2.2.3).

I know this setup works using a single router with two WAN interfaces at the remote site (see link below). I just run into trouble when I turn those WAN interfaces into HSRP groups and add R2.

When I have two routers and am using HSRP groups, I cannot apply the crypto map to the second HSRP group. I get an error stating "crypto map already applied with another redundancy name".

This setup with a single router and dual ISPs is done like this:

https://supportforums.cisco.com/community/netpro/security/vpn/blog/2011/04/25/ipsec-vpn-redundancy-failover-over-redundant-isp-links

I want to accomplish the same thing but with dual routers and dual ISPs.

Here's the config that I'm trying to run. I listed where I'm getting the errors on R1 and R2 when adding the crypto maps to the HSRP groups.

------------------------------------------------------------------------------------------------------------------

[attached image: HSRP-pic.jpg]

CONFIGS

R1

crypto map HQT-VPN
 set peer 3.3.3.3
! routing to peer 3.3.3.3 is done using IP SLA and weighted static routes

interface fa0/0
 ip address 1.1.1.1 255.255.255.248
 standby 1 ip 1.1.1.3
 standby 1 preempt
 standby 1 priority 145
 standby 1 name WANHSRP
 crypto map HQT-VPN redundancy WANHSRP

interface fa0/1
 ip address 2.2.2.1 255.255.255.248
 standby 2 ip 2.2.2.3
 standby 2 preempt
 standby 2 priority 145
 standby 2 name WANHSRP2
 {crypto map HQT-VPN redundancy WANHSRP2}
 {error says: Crypto Map already applied with another redundancy name}

-------------------------------------------------

R2

crypto map HQT-VPN
 set peer 3.3.3.3

interface fa0/0
 ip address 1.1.1.2 255.255.255.248
 standby 1 ip 1.1.1.3
 standby 1 preempt
 standby 1 priority 145
 standby 1 name WANHSRP
 crypto map HQT-VPN redundancy WANHSRP

interface fa0/1
 ip address 2.2.2.2 255.255.255.248
 standby 2 ip 2.2.2.3
 standby 2 preempt
 standby 2 priority 145
 standby 2 name WANHSRP2
 {crypto map HQT-VPN redundancy WANHSRP2}
 {error says: Crypto Map already applied with another redundancy name}

3 Replies

jawad-mukhtar
Level 4

What I think is that redundancy is not needed in that case.

Just apply a simple crypto map on both interfaces. It will prefer the primary HSRP, and if the primary goes down it will shift to the backup.

Do correct me if I am wrong.

*** Do Rate All Helpful Posts***

Jawad

Thanks for the suggestion.

I tried just setting a simple crypto map on both interfaces. But the problem is that the VPN isn't terminated on the HSRP VIP; it's terminated on the interface IP of the active interface.

So on the HQT router, instead of having two peers to deal with, it now has four possible peers.

The statement (peer 1.1.1.1 2.2.2.2) only supports a primary and secondary IP.

Somehow I need to get the VPN to terminate on the HSRP VIPs, which I think requires the redundancy command.

You can add this:

Two crypto maps [HQT-VPN and HQT-VPN2]

ex.

crypto map HQT-VPN 1 ipsec-isakmp dynamic A
crypto map HQT-VPN2 1 ipsec-isakmp dynamic A

crypto map HQT-VPN2

interface fa0/1
 ip address 2.2.2.1 255.255.255.248
 standby 2 ip 2.2.2.3
 standby 2 preempt
 standby 2 priority 145
 standby 2 name WANHSRP2
 crypto map HQT-VPN2 redundancy WANHSRP2
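To make the two-crypto-map idea concrete, here is an added example (not configuration from the thread or from Cisco) of a complete R1 that binds one static crypto map per HSRP group, so each WAN VIP gets its own redundancy name; the transform set, ACL name, ISAKMP policy and LAN prefixes are assumed, and R2 would carry the same crypto maps with its own interface addresses.

```cisco
! Added example, not from the thread. Assumed names: transform set HQT-TS,
! ACL HQT-VPN-TRAFFIC, constructed LAN prefixes; peer 3.3.3.3 is from the thread.
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
crypto isakmp key <PRE-SHARED-KEY-PLACEHOLDER> address 3.3.3.3
!
crypto ipsec transform-set HQT-TS esp-aes 256 esp-sha-hmac
!
ip access-list extended HQT-VPN-TRAFFIC
 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
!
! Two separate crypto maps with identical policy. A single crypto map can be
! bound to only one redundancy group, which is the error in the original post;
! giving each HSRP group its own map avoids that limit.
crypto map HQT-VPN 10 ipsec-isakmp
 set peer 3.3.3.3
 set transform-set HQT-TS
 match address HQT-VPN-TRAFFIC
!
crypto map HQT-VPN2 10 ipsec-isakmp
 set peer 3.3.3.3
 set transform-set HQT-TS
 match address HQT-VPN-TRAFFIC
!
interface FastEthernet0/0
 ip address 1.1.1.1 255.255.255.248
 standby 1 ip 1.1.1.3
 standby 1 preempt
 standby 1 priority 145
 standby 1 name WANHSRP
 crypto map HQT-VPN redundancy WANHSRP
!
interface FastEthernet0/1
 ip address 2.2.2.1 255.255.255.248
 standby 2 ip 2.2.2.3
 standby 2 preempt
 standby 2 priority 145
 standby 2 name WANHSRP2
 crypto map HQT-VPN2 redundancy WANHSRP2
```

With the tunnel sourced from the VIPs, the headquarters crypto map needs only the two VIPs (1.1.1.3 and 2.2.2.3) as peers rather than the four physical interface addresses; verify with `show crypto map` that each map reports its own redundancy group name and with `show crypto isakmp sa` that the SA source is the VIP.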
