Route-Based VPN (to Azure) with HSRP won't work

Paolo Marchiori
Level 1

Hi all,

I configured a site-to-site IPsec IKEv2 route-based (not policy-based!) VPN. It works perfectly (well, that is easy if you follow the sample configurations from the Microsoft website...)

Now I want to add redundancy using HSRP. But once I added HSRP the SA comes up fine, but the tunnel interface goes up for 10 seconds (and everything works), then goes down (and nothing works). As soon as I restore the headend address as native, without HSRP, the tunnel interface goes up again.

What am I missing here?

Configuration:

! It's an 881 so I'm using Fe4
!
crypto ikev2 proposal azure-proposal
 encryption aes-cbc-256 aes-cbc-128 3des
 integrity sha1
 group 2
!
crypto ikev2 policy azure-policy
 proposal azure-proposal
!
crypto ikev2 keyring azure-PRD-keyring
 peer x.x.x.x
  address x.x.x.x
  pre-shared-key tttttttttttttttttttttttttt
!
crypto ikev2 profile azure-PRD-profile
 match address local z.z.z.z
 match identity remote address y.y.y.y 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local azure-PRD-keyring
!
crypto ipsec transform-set azure-ipsec-proposal-set esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto ipsec profile azure-PRD-vti
 set transform-set azure-ipsec-proposal-set
 set ikev2-profile azure-PRD-profile
 redundancy HSRP stateful
!
interface Tunnel1
 ip address 169.254.10.1 255.255.255.0
 ip tcp adjust-mss 1350
 tunnel source z.z.z.z
 tunnel mode ipsec ipv4
 tunnel destination y.y.y.y
 tunnel protection ipsec profile azure-PRD-vti
!
interface FastEthernet4
 ! this is the non-HSRP config, which is working.
 ip address z.z.z.z 255.255.255.224
 ! replace the previous line with the following two, uncommented:
 ! ip address z.z.z.q 255.255.255.224
 ! standby 1 ip z.z.z.z
 standby 1 priority 200
 standby 1 preempt
 standby 1 name HSRP
 duplex auto
 speed auto
!
ip route 10.m.n.0 255.255.254.0 Tunnel1
2 Replies

MarcusSjogren
Level 1

Paolo, 

Did you ever get this resolved?

Hi Marcus,

yes and no :) It's not possible to do it with HSRP. I can't really remember the long explanation but it doesn't work. You have to set it up in a totally different way - basically you set up one tunnel for each on-premises router (each with its different public IP address), using BGP to establish routing, and HSRP on the inside interface to provide HA. The two tunnels are both up all the time but the traffic only goes through the HSRP active one.

Starting from the configuration stated above, the differences are:

interface FastEthernet4
 ip address z.z.z.n 255.255.255.0
 standby x ip z.z.z.z
 standby x preempt
 standby x name inside
 ! this next line must be on the primary router ONLY
 standby x track 1 decrement 95
 duplex auto
 speed auto
!
! the BGP setup needs some attention as the BGP behaviour on the Azure side is a bit tricky:
! you need to use private-space AS numbers
router bgp 65050
 bgp log-neighbor-changes
 scope global
 ! q.q.q.q is the private IP address of the Azure side router
 neighbor q.q.q.q remote-as 65000
 neighbor q.q.q.q ebgp-multihop 10
 !
 address-family ipv4
  ! local network where this router's LAN interface lies
  network z.z.z.z mask m.m.m.m
  ! any other local networks we want to be talking with the Azure side
  network c.c.c.c mask m.m.m.m
  neighbor q.q.q.q activate
  ! we don't want to receive any route from the remote router as it would mess things up
  neighbor q.q.q.q distribute-list NOTHING in
!
! instead we route explicitly through it
ip route q.q.q.z m.m.m.m Tunnel1
!
! of course this must be defined
ip access-list standard NOTHING
 deny any

This should do the trick, hope the obfuscations don't make it difficult to understand.
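As an added example (not part of the thread, and not Cisco's or Microsoft's code), here is a small Python lint that reads an IOS-style running config and flags the two things this thread turns on: a Tunnel interface whose "tunnel source" is an HSRP virtual IP (the first post's layout, where the VTI came up and then dropped), and a BGP neighbor without an inbound distribute-list that denies everything (the "NOTHING" ACL in the working design). The sample configs, addresses, interface names and AS numbers below are constructed for the example; the parser only understands the handful of commands the thread uses.

```python
"""Check an IOS-style config for the tunnel/HSRP/BGP pitfalls from the thread.

Added example, not from the original post. Parses a minimal subset of IOS
syntax: interface blocks, 'standby N ip', 'tunnel source', 'router bgp',
'neighbor ... remote-as', 'neighbor ... distribute-list NAME in' and
'ip access-list standard NAME' entries. Everything else is ignored.
"""
import re
from dataclasses import dataclass, field


@dataclass
class IosConfig:
    standby_vips: set = field(default_factory=set)          # HSRP virtual IPs
    tunnel_sources: dict = field(default_factory=dict)      # "Tunnel1" -> source IP
    neighbor_in_lists: dict = field(default_factory=dict)   # neighbor -> ACL name or None
    acl_entries: dict = field(default_factory=dict)         # ACL name -> ["deny any", ...]


def parse_ios(text: str) -> IosConfig:
    cfg = IosConfig()
    interface = None   # interface block we are currently inside, if any
    acl = None         # standard ACL block we are currently inside, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):       # blank lines and '!' comments
            continue
        if m := re.match(r"interface (\S+)$", line):
            interface, acl = m.group(1), None
        elif m := re.match(r"ip access-list standard (\S+)$", line):
            interface, acl = None, m.group(1)
            cfg.acl_entries.setdefault(acl, [])
        elif re.match(r"router bgp \d+$", line):
            interface = acl = None
        elif m := re.match(r"standby \d+ ip (\S+)$", line):
            cfg.standby_vips.add(m.group(1))
        elif (m := re.match(r"tunnel source (\S+)$", line)) and interface:
            cfg.tunnel_sources[interface] = m.group(1)
        elif m := re.match(r"neighbor (\S+) remote-as \d+$", line):
            cfg.neighbor_in_lists.setdefault(m.group(1), None)
        elif m := re.match(r"neighbor (\S+) distribute-list (\S+) in$", line):
            cfg.neighbor_in_lists[m.group(1)] = m.group(2)
        elif acl and re.match(r"(permit|deny) ", line):
            cfg.acl_entries[acl].append(line)
    return cfg


def find_vip_tunnel_sources(cfg: IosConfig) -> list:
    """Tunnels sourced from an HSRP virtual IP: the layout the thread says cannot work."""
    return sorted(t for t, src in cfg.tunnel_sources.items() if src in cfg.standby_vips)


def acl_denies_everything(cfg: IosConfig, name: str) -> bool:
    entries = cfg.acl_entries.get(name)
    return bool(entries) and all(e.startswith("deny ") for e in entries)


def find_unfiltered_neighbors(cfg: IosConfig) -> list:
    """BGP neighbors whose advertised routes could be accepted into the local table."""
    return sorted(n for n, a in cfg.neighbor_in_lists.items()
                  if a is None or not acl_denies_everything(cfg, a))


def lint(text: str) -> list:
    cfg = parse_ios(text)
    findings = [f"{t}: tunnel source is an HSRP virtual IP; the VTI will drop on failover"
                for t in find_vip_tunnel_sources(cfg)]
    findings += [f"bgp neighbor {n}: no inbound distribute-list that denies all routes"
                 for n in find_unfiltered_neighbors(cfg)]
    return findings


# Constructed sample: the first post's design, tunnel sourced from the HSRP VIP.
FLAPPING_CONFIG = """\
interface Tunnel1
 ip address 169.254.10.1 255.255.255.0
 tunnel source 203.0.113.10
 tunnel mode ipsec ipv4
 tunnel destination 198.51.100.20
!
interface FastEthernet4
 ip address 203.0.113.11 255.255.255.224
 standby 1 ip 203.0.113.10
 standby 1 priority 200
"""

# Constructed sample: the working design, one tunnel per router with its own
# public IP, HSRP on the inside interface, BGP with every inbound route denied.
WORKING_CONFIG = """\
interface Tunnel1
 ip address 169.254.10.1 255.255.255.0
 tunnel source 203.0.113.11
 tunnel destination 198.51.100.20
!
interface FastEthernet4
 ip address 203.0.113.11 255.255.255.224
!
interface Vlan1
 ip address 192.168.10.2 255.255.255.0
 standby 1 ip 192.168.10.1
 standby 1 track 1 decrement 95
!
router bgp 65050
 neighbor 10.1.0.4 remote-as 65000
 neighbor 10.1.0.4 ebgp-multihop 10
 address-family ipv4
  network 192.168.10.0 mask 255.255.255.0
  neighbor 10.1.0.4 activate
  neighbor 10.1.0.4 distribute-list NOTHING in
!
ip route 10.1.0.0 255.255.0.0 Tunnel1
!
ip access-list standard NOTHING
 deny any
"""

# Same as WORKING_CONFIG but with the inbound filter forgotten.
LEAKY_CONFIG = WORKING_CONFIG.replace("  neighbor 10.1.0.4 distribute-list NOTHING in\n", "")

if __name__ == "__main__":
    for name, cfg_text in [("flapping", FLAPPING_CONFIG), ("working", WORKING_CONFIG),
                           ("leaky", LEAKY_CONFIG)]:
        print(name, lint(cfg_text) or ["ok"])
```

Run it against a saved "show running-config" instead of the embedded samples to confirm that no VTI is sourced from a standby address and that every Azure-facing neighbor still carries the deny-all inbound list after a config change.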