10-20-2023 12:52 PM
I've set it up with the HSRP address but the remote unit gives this error message:
2.2.2.1 is the HSRP address
2.2.2.3 is the real IP address.
Local:1.1.1.1:500 Remote:2.2.2.3:500 Username:2.2.2.1 IKEv2 Negotiation aborted due to ERROR: Failed to authenticate the IKE SA
The profile, keyring and policy all point to the HSRP address. For instance,
crypto ikev2 policy test
 match address local 2.2.2.1
 proposal test_propose
crypto keyring test_ring
 peer testremote
  match address 1.1.1.1
  identity address 2.2.2.1
  pre-shared-key test
crypto ikev2 profile
 match address local 2.2.2.1
 match identity remote address 1.1.1.1 255.255.255.255
 identity local address 2.2.2.1
 auth remote pre-share
 auth local pre-share
 keyring local test_ring
The rest doesn't have a local IP configured, and it was working before I converted to HSRP with the IPsec tunnel. One of the reasons I'm using HSRP is that the guide lists it as such:
"The IPsec on the Cisco 8500 Series Catalyst Edge Platform supports only stateless failover. Stateless failover uses protocols such as the Hot Standby Router Protocol (HSRP) to provide primary to secondary cutover and also allows the active and standby VPN gateways to share a common virtual IP address."
Does HSRP work with IKEv2?
10-22-2023 09:23 AM - edited 10-22-2023 09:23 AM
What does your configuration look like on the interfaces? Did you remember to put the "redundancy" keyword on your crypto map?
Ex.
crypto map vpn redundancy VPNHA
Without the redundancy keyword, it won't use the HSRP (or VRRP) configuration for the source IP. Hence, it'll just source it from its own "outside" or crypto interface and not take the VIP into account.
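To make the point above concrete, here is an added example of what the outside interface and crypto map look like when the map is bound to the HSRP group. This is not configuration posted by anyone in the thread; the interface name GigabitEthernet0/0/0, the /24 mask, the HSRP group number, the names test_profile, test_ts and VPN_ACL, and the protected subnets are assumed. The addresses follow the thread: 2.2.2.1 is the HSRP VIP, 2.2.2.3 is the router's real address, and 1.1.1.1 is the remote peer.

```ios
! Added example, not from the original thread. Interface, mask, group number,
! profile/transform-set/ACL names and protected subnets are assumptions.
!
! IKEv2 profile: both the local match and the local identity use the VIP,
! as in the original post.
crypto ikev2 profile test_profile
 match address local 2.2.2.1
 match identity remote address 1.1.1.1 255.255.255.255
 identity local address 2.2.2.1
 authentication remote pre-share
 authentication local pre-share
 keyring local test_ring
!
crypto ipsec transform-set test_ts esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Traffic to protect (assumed subnets).
ip access-list extended VPN_ACL
 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
!
crypto map vpn 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set test_ts
 set ikev2-profile test_profile
 ! Reverse-route injection: the router that currently holds the tunnel
 ! advertises the route to the remote protected subnet.
 reverse-route
 match address VPN_ACL
!
! Outside interface. The HSRP group owns the VIP and is given a name so the
! crypto map can be tied to it.
interface GigabitEthernet0/0/0
 ip address 2.2.2.3 255.255.255.0
 standby 1 ip 2.2.2.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 name VPNHA
 ! Wrong: without "redundancy", IKEv2 is sourced from the interface
 ! address 2.2.2.3 instead of the VIP (the behaviour described above).
 ! crypto map vpn
 !
 ! Right: "redundancy VPNHA" binds the map to the HSRP group, so IKE and
 ! IPsec are sourced from 2.2.2.1 on whichever router is active.
 crypto map vpn redundancy VPNHA
```

After applying it, "show standby brief" should show the group name, state and VIP, and the Local column of "show crypto ikev2 sa" on the active router should list 2.2.2.1 rather than 2.2.2.3. Because the quoted guide says the platform only supports stateless failover, the standby router needs the same crypto configuration; on cutover the peer re-negotiates the SA with the new active router rather than resuming the old one.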
10-20-2023 10:32 PM
I think it works.
You need to use the virtual IP of HSRP in IKEv2.
And use set route reverse.
10-21-2023 12:37 AM
As I take it, this side is a Cat 8K router. What are the other devices? (What logs do you see there?)
10-23-2023 09:13 AM