08-01-2005 03:07 AM - edited 02-21-2020 01:53 PM
Hi,
I'm configuring HSRP with IPsec, stateless failover as it is in the example on the Cisco web site. I saw a strange problem with access lists and HSRP. If I put the crypto map on the serial interface of the redundant routers the access list is working and VPN traffic is encrypted; if I put the crypto map with the redundancy keyword on the standby interface the traffic bypasses this access list and is sent unencrypted to the remote router, although the traffic is passing through the active router. I think that the problem has a relationship with crypto maps and HSRP behaviour.
Has someone encountered this problem? I'm working on IOS 12.2(15)T.
THANKS IN ADVANCE FOR HELP
08-01-2005 05:34 AM
Perhaps we can clarify some things in your question. I understand what you mean when you say that if you put the crypto map on the serial interface that it works correctly. I am not so sure what you mean when you say that if you put the crypto map on the standby interface that it does not work. Do you mean that you are putting the crypto map on the LAN interface rather than the serial interface? Perhaps you can clarify.
One thing to bear in mind is that the crypto map should be placed on the outbound interface of the router. So if you are putting the crypto map on the LAN interface this would be why it is not working.
HTH
Rick
08-02-2005 04:08 AM
Thanks for your help
My configuration is based on this example on the Cisco web site:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800942f7.shtml
In my configuration I have one serial interface as the outbound interface instead of the Ethernet interfaces.
I agree with you that the crypto map should be put on the outbound interface, but as you see in this example it is put on the standby interfaces. What I mean by putting the crypto map on the serial interfaces is putting them on the outbound interfaces, but if you follow the example, for the HSRP to work it is required that you add the keyword crypto map xxxx redundancy yyyy on the standby interfaces, which are not the outbound interfaces, so.
08-02-2005 06:21 AM
Nizar
That is an interesting article. I do see that they place the crypto map on the HSRP LAN interface. It also happens to be that the HSRP LAN interface is the outbound interface. So both conditions are met: the crypto map is on the HSRP interface and the crypto map is on the outbound interface. It appears that in your situation only one condition can be met, either the crypto map is on the HSRP interface or the crypto map is on the outbound interface.
As your experience shows, if the crypto map is not on the outbound interface then the traffic is not encrypted. I believe that one conclusion is that this particular feature will not work with the topology that you have, which appears to be that HSRP is running on some inside interface and IPSec needs to run on the outside interface.
HTH
Rick
08-02-2005 05:21 AM
Hi there,
HSRP is a LAN protocol and can't be used on serial interfaces.
If you have two VPN routers with serial interfaces as the outbound interfaces, you can't set up a stateful or stateless configuration the way you are describing.
You have a couple of options though:
(I will presume you are connected to only ONE upstream provider)
Option 1)
- Let the crypto local-address be a loopback interface
- Let the loopback interface be the same in both routers
- Make sure the upstream provider routes the loopback address to BOTH of your routers but with less preference on the backup link.
- Use HSRP on the inside to make sure the correct outgoing router is used.
- Use DPD / ISAKMP keepalives in the crypto config.
Option 2)
Let the VPN-functionality be hosted in other routers than the uplink routers (and use the HSRP/redundancy feature for the failover).
Did it help?
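The Option 1 layout described in the post above, written out as an added example configuration for the primary router. This is not configuration from the thread, from the original poster, or from the Cisco document the thread references; every address, name and timer value in it is hypothetical. The provider-side part (routing the loopback address to both routers with the backup link less preferred) is not shown because it lives on the upstream router.

```cisco
! Added example, not from the thread. Hypothetical values:
!   shared VPN endpoint 203.0.113.1/32 on Loopback0 (identical on both routers)
!   serial uplink 198.51.100.2/30, inside LAN 192.168.1.0/24
!   remote peer 192.0.2.1, remote LAN 192.168.2.0/24
! The backup router differs only in its serial/LAN addresses and a lower
! "standby 1 priority"; the provider prefers the primary's serial link.
!
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp key PLACEHOLDER_PSK address 192.0.2.1
! DPD / ISAKMP keepalives: probe the peer every 10 s, retry every 3 s, so a
! stale SA is torn down and rebuilt after a failover instead of blackholing.
crypto isakmp keepalive 10 3
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
! Both routers source IKE and IPsec from the shared loopback, so the remote
! peer always talks to 203.0.113.1 whichever router is carrying the traffic.
crypto map VPN local-address Loopback0
crypto map VPN 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set TS
 match address VPN-TRAFFIC
!
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
interface Loopback0
 ip address 203.0.113.1 255.255.255.255
!
! Outbound interface: the crypto map is applied here, not on the HSRP LAN
! interface, so the access list is evaluated on the path the traffic leaves by.
interface Serial0/0
 ip address 198.51.100.2 255.255.255.252
 crypto map VPN
!
! Inside interface: HSRP decides which router the LAN forwards through.
! Tracking Serial0/0 lowers the priority by 20 when the uplink goes down,
! so the backup router (priority 100, preempt) becomes active.
interface FastEthernet0/0
 ip address 192.168.1.2 255.255.255.0
 standby 1 ip 192.168.1.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 track Serial0/0 20
!
ip route 0.0.0.0 0.0.0.0 198.51.100.1
```

No redundancy keyword is used here: failover comes from the shared loopback plus the provider's routing, not from HSRP state on the crypto map. After pulling the primary's serial link, `show standby brief` on the backup should show it Active, and `show crypto isakmp sa` should show a fresh SA from 203.0.113.1 once DPD on the remote peer has cleared the old one; until that happens the tunnel is down, which is the cost of a stateless design.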