333 Views | 3 Helpful | 3 Replies

IPsec Redundancy Using HSRP

CHISHIUNG (Level 2)

We have configured HSRP on the LAN side of the WAN router and are using BGP and IPsec on the WAN side.
In this case, is redundancy required in the crypto map for the WAN-side interface?
Since HSRP is not used on the WAN side, I believe it is not necessary to configure redundancy. However,
for example, if HSRP switches over due to a failure on the LAN-side interface, will the IPsec tunnel remain established?

! LAN-side interface: HSRP group 1, named VPN, tracking object 10
interface GigabitEthernet0/1
 standby 1 name VPN
 standby 1 track 10
!
! WAN-side interface: crypto map bound to the HSRP group name VPN
interface GigabitEthernet0/0
 crypto map ikev2-vpn redundancy VPN

3 Replies

M02@rt37 (VIP)

Hello @CHISHIUNG 

Failover means the new active router must rebuild the IKE/IPsec SA from scratch... so the tunnel will briefly drop and renegotiate!

The crypto map redundancy command (tied to the HSRP group name) enables stateful failover so the standby can take over the tunnel with minimal or no interruption, yes...

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

In the configuration described above, I believe the VPN source address will be the HSRP VIP on the LAN side. Is it acceptable to configure a “crypto map redundancy” on the WAN interface in this case?
I generally assume that VPNs are initiated using the WAN address or a loopback interface.

@CHISHIUNG you'd enable "crypto map ikev2-vpn redundancy VPN" on the WAN interface. https://www.cisco.com/c/en/us/td/docs/routers/ios/config/17-x/sec-vpn/b-security-vpn/m_sec-vpn-ha-enhance.html?bookSearch=true#GUID-31FE2E60-BF44-4EBA-98D8-BC815DFAAE43

FYI, crypto maps are deprecated in newer IOS-XE releases; Cisco recommends using VTIs (FlexVPN).
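Added example, not part of this thread and not Cisco's code: a small Python checker for the layout problem the question describes. The `crypto map ... redundancy <name>` keyword has to name an HSRP group that is configured on the same interface the crypto map is applied to, because IKE/IPsec is sourced from that group's virtual IP. The script parses IOS-style interface stanzas, maps each HSRP group name to its interface and virtual IP, and reports any crypto map whose redundancy group lives elsewhere or has no `standby N ip`. The two embedded configs are constructed: the first mirrors the original post (group VPN on the LAN interface, crypto map on the WAN interface); the second is one consistent layout, with a second HSRP group on the WAN interface and each group tracking the other side's interface. Addresses, group numbers and track object numbers are made-up assumptions.

```python
import re

INTERFACE_RE = re.compile(r"^interface (\S+)")
STANDBY_NAME_RE = re.compile(r"^standby (\d+) name (\S+)")
STANDBY_IP_RE = re.compile(r"^standby (\d+) ip (\S+)")
CRYPTO_RED_RE = re.compile(r"^crypto map (\S+) redundancy (\S+)")

# Constructed sample mirroring the original post: HSRP group "VPN" is on the LAN
# interface while the crypto map that names it is applied on the WAN interface.
MISMATCHED_CONFIG = """\
track 10 interface GigabitEthernet0/0 line-protocol
!
interface GigabitEthernet0/1
 ip address 10.0.0.2 255.255.255.0
 standby 1 ip 10.0.0.1
 standby 1 name VPN
 standby 1 track 10
!
interface GigabitEthernet0/0
 ip address 203.0.113.2 255.255.255.248
 crypto map ikev2-vpn redundancy VPN
!
"""

# Constructed consistent layout (documentation addresses, made-up group/track numbers):
# a second HSRP group on the WAN interface owns the VPN virtual IP, and each group tracks
# the other side's interface so a LAN-side failure also moves the WAN VIP, and vice versa.
CORRECTED_CONFIG = """\
track 10 interface GigabitEthernet0/0 line-protocol
track 20 interface GigabitEthernet0/1 line-protocol
!
interface GigabitEthernet0/1
 ip address 10.0.0.2 255.255.255.0
 standby 1 ip 10.0.0.1
 standby 1 name LAN
 standby 1 track 10
!
interface GigabitEthernet0/0
 ip address 203.0.113.2 255.255.255.248
 standby 2 ip 203.0.113.1
 standby 2 name VPN
 standby 2 track 20
 crypto map ikev2-vpn redundancy VPN
!
"""


def parse_interfaces(config):
    """Return {interface: [sub-commands]}; any unindented line ends the current stanza."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
            continue
        m = INTERFACE_RE.match(raw)
        current = m.group(1) if m else None
        if current:
            interfaces.setdefault(current, [])
    return interfaces


def hsrp_groups(interfaces):
    """Map HSRP group *name* -> (interface, group number, has a 'standby N ip' VIP)."""
    groups = {}
    for ifname, lines in interfaces.items():
        names = {int(m.group(1)): m.group(2) for m in map(STANDBY_NAME_RE.match, lines) if m}
        vips = {int(m.group(1)) for m in map(STANDBY_IP_RE.match, lines) if m}
        for num, name in names.items():
            groups[name] = (ifname, num, num in vips)
    return groups


def check_redundancy(config):
    """Return findings as strings; an empty list means the layout is consistent."""
    interfaces = parse_interfaces(config)
    groups = hsrp_groups(interfaces)
    findings = []
    for ifname, lines in interfaces.items():
        for m in filter(None, map(CRYPTO_RED_RE.match, lines)):
            cmap, gname = m.group(1), m.group(2)
            if gname not in groups:
                findings.append(f"{ifname}: crypto map {cmap} names HSRP group '{gname}', "
                                "which is defined on no interface")
                continue
            hsrp_if, num, has_vip = groups[gname]
            if hsrp_if != ifname:
                findings.append(f"{ifname}: crypto map {cmap} names HSRP group '{gname}' "
                                f"(standby {num}) that lives on {hsrp_if}; it must be on "
                                "the same interface as the crypto map")
            if not has_vip:
                findings.append(f"{hsrp_if}: HSRP group '{gname}' (standby {num}) has no "
                                f"'standby {num} ip' virtual address for IKE to source from")
    return findings


if __name__ == "__main__":
    for label, cfg in (("mismatched", MISMATCHED_CONFIG), ("corrected", CORRECTED_CONFIG)):
        print(f"{label}: {check_redundancy(cfg) or ['OK']}")
```

Run it against `show running-config` output saved to a file by replacing the embedded strings; the mismatched sample yields one finding pointing at GigabitEthernet0/1, the corrected one yields none. The checker only validates the HSRP/crypto map pairing; whether failover is stateful additionally depends on SSO being configured, which is outside what this script inspects.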