11-09-2023 04:15 AM
Hi guys,
I hope that someone can give me an answer or better a solution.
We actually run crypto map based VPNs which use a virtual HSRP address (between two 2921s) as the source. This has worked fine for several years, but the 2921s are old, so we want to move the VPNs to two 4451s, which terminate many other route-based VPNs but actually no policy-based VPNs. The redundancy for the route-based VPNs is realized on the routing layer via OSPF/BGP.
So our idea was to remove the crypto map and use VTIs for the policy-based VPNs as well, and I've found a how-to on the Cisco site. This works as expected, as long as we use the IP on the physical source interface. For redundancy purposes we want to use a virtual HSRP address as the source for the "policy"-based VTIs, because we have no chance to use a dynamic routing protocol.
I've built a lab on CML to simulate this. If I use the HSRP address as the source of the VTI, I can see that the router sends packets out with the right IP, and the other side answers of course, but it looks like our router doesn't recognize the answer packets....
So does anyone know if this is possible....?
many thanks....
11-09-2023 04:35 AM
An HSRP VIP address as a tunnel source is supported and should work fine. Please make sure that you don't use some old software, as in the past we had bugs related to the HSRP VIP address, like:
CSCvg36598 ISAKMP Fails When Multiple HSRP tunnel/SVTI Interfaces Configured
11-09-2023 07:29 AM
11-09-2023 11:16 PM
Could you please share configs and debugs?
IKEv1:
debug crypto condition peer ipv4 <IP_of_the_peer>
debug crypto isakmp
debug crypto ipsec
debug crypto ipsec message
debug crypto ipsec states
debug crypto ipsec hw-request
IKEv2:
debug crypto condition peer ipv4 <IP_of_the_peer>
debug crypto ikev2
debug crypto ikev2 error
debug crypto ikev2 internal
debug crypto ikev2 packet
debug crypto ipsec
debug crypto ipsec error
debug crypto ipsec message
debug crypto ipsec states
debug crypto ipsec hw-request