Can HSRP VIP serve as an IPsec peer address?

Answered Question
Jul 13th, 2007

I currently have a pair of 2821s with an IPsec tunnel between them. If I wanted to have redundancy - could I add HSRP to the GigE interface (these are one-armed VPN configurations out of necessity) and a partner HSRP 2821 on each end? That is - to IPsec is an HSRP VIP just as good as a real address bound to a real interface? Thanks.

I have this problem too.
0 votes
Correct Answer by royalblues about 9 years 4 months ago
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (3 ratings)
Loading.
Richard Burts Fri, 07/13/2007 - 07:10

Michael

I have not done this and have not tested this so I can not speak from any experience. But I think that this would not work. The VPN IPSec Security Associations are negotiated from a specific machine to a specific machine and are an essential element of providing the security that IPSec provides. If you use the HSRP virtual address as the IPSec peer address there will be a time when the HSRP address shifts to the other router. At that point the IPSec peer address will be on a machine that does not have any security association negotiated. This would break the VPN session.

If you want to provide redundancy I think that you would be much better off to put 2 peer statements into the crypto map - 1 physical interface address for each of the routers. That way IPSec can build security associations with one of the machines and if it fails then it can negotiate security associations with the other one.

HTH

Rick

mmedwid Fri, 07/13/2007 - 08:16

Interesting points on the security Rick. I didn't realize that putting in 2 peer statements could act as a sort of failover. If peer A fails associate with peer B - cool. I will have to give that a go in the lab!

mmedwid Sat, 07/14/2007 - 10:28

Those features look like exactly what I need. Thank-you very much Narayan.

Actions

This Discussion