Can HSRP VIP serve as an IPsec peer address?

Answered Question
Jul 13th, 2007
User Badges:

I currently have a pair of 2821s with an IPsec tunnel between them. If I wanted to have redundancy - could I add HSRP to the GigE interface (these are one-armed VPN configurations out of necessity) and a partner HSRP 2821 on each end? That is - to IPsec is an HSRP VIP just as good as a real address bound to a real interface? Thanks.

Correct Answer by royalblues about 10 years 2 weeks ago
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (3 ratings)
Richard Burts Fri, 07/13/2007 - 07:10
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN


I have not done this and have not tested this so I can not speak from any experience. But I think that this would not work. The VPN IPSec Security Associations are negotiated from a specific machine to a specific machine and are an essential element of providing the security that IPSec provides. If you use the HSRP virtual address as the IPSec peer address there will be a time when the HSRP address shifts to the other router. At that point the IPSec peer address will be on a machine that does not have any security association negotiated. This would break the VPN session.

If you want to provide redundancy I think that you would be much better off to put 2 peer statements into the crypto map - 1 physical interface address for each of the routers. That way IPSec can build security associations with one of the machines and if it fails then it can negotiate security associations with the other one.



mmedwid Fri, 07/13/2007 - 08:16
User Badges:

Interesting points on the security Rick. I didn't realize that putting in 2 peer statements could act as a sort of failover. If peer A fails associate with peer B - cool. I will have to give that a go in the lab!

mmedwid Sat, 07/14/2007 - 10:28
User Badges:

Those features look like exactly what I need. Thank-you very much Narayan.


This Discussion