cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3890
Views
5
Helpful
6
Replies

VPN ipsec on VRRP VIP

tkachour
Level 1
Level 1

Hello, 

 

I have 2 Cisco 1921 sharing a VRRP VIP and connected to a Fortigate like below : 

[Cisco]--|
               |---(ProviderNetwork)---[Fortigate]
[CIsco]--|

 

I would like to know if it's possible to set up a VPN ipsec between the fortigate and the VIP.

Did you experience such a network scenario before ? 

 

Thank you

1 Accepted Solution

Accepted Solutions

Long time ago I implemented it with HSRP instead of VRRP:

https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/17826-ipsec-feat.html

I'm not aware that it's also supported with VRRP. Today I would go a different approach:

  • Configure two route-based VPNs (VTIs on IOS) from the FortiGate to the routers
  • run a routing-protocol through the tunnel to achieve your redundancy

View solution in original post

6 Replies 6

Long time ago I implemented it with HSRP instead of VRRP:

https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/17826-ipsec-feat.html

I'm not aware that it's also supported with VRRP. Today I would go a different approach:

  • Configure two route-based VPNs (VTIs on IOS) from the FortiGate to the routers
  • run a routing-protocol through the tunnel to achieve your redundancy

Thank you for this answer. Could you please provide me with a reference document or some details about your suggested method ? 

Nice one - I met this HSRP IPSEC design before but never using it I forgot about it!

If you use VRRP/HSRP with crypto maps, configure VRRP group-name while
configuring it under interfaces. Then when assigning crypto-map to
interfaces use name keyword to map the VRRP group-name.

Exmaple

interface g0/0
crypto map CMAP name VRRP-Group

Thank you but the VRRP group-name configuration is not possible in the router i'm working on. That's only possible for HSRP.