07-13-2007 06:56 AM - edited 03-03-2019 05:51 PM
I currently have a pair of 2821s with an IPsec tunnel between them. If I wanted to have redundancy - could I add HSRP to the GigE interface (these are one-armed VPN configurations out of necessity) and a partner HSRP 2821 on each end? That is - to IPsec is an HSRP VIP just as good as a real address bound to a real interface? Thanks.
07-14-2007 08:16 AM
It would be better to use IPsec Preferred Peer and Dead Peer Detection (DPD) to achieve redundancy
http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hsec_c/part17/ch10/h_ipspp.htm
http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_7/gtdpmo.htm
HTH
Narayan
07-13-2007 07:10 AM
Michael
I have not done this and have not tested this, so I cannot speak from any experience. But I think that this would not work. The VPN IPsec Security Associations are negotiated from a specific machine to a specific machine and are an essential element of providing the security that IPsec provides. If you use the HSRP virtual address as the IPsec peer address, there will be a time when the HSRP address shifts to the other router. At that point the IPsec peer address will be on a machine that does not have any security association negotiated. This would break the VPN session.
If you want to provide redundancy, I think that you would be much better off putting 2 peer statements into the crypto map - 1 physical interface address for each of the routers. That way IPsec can build security associations with one of the machines, and if it fails then it can negotiate security associations with the other one.
HTH
Rick
07-13-2007 08:16 AM
Interesting points on the security, Rick. I didn't realize that putting in 2 peer statements could act as a sort of failover. If peer A fails, associate with peer B - cool. I will have to give that a go in the lab!
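Putting Rick's two-peer crypto map together with the DPD and Preferred Peer (default peer) features Narayan points to, here is a constructed IOS configuration for one side of the tunnel. It is an added example, not from this thread or from Cisco's documentation; the addresses are RFC 5737 documentation ranges, the networks and names are made up, and the pre-shared key is a placeholder.

```cisco
! Constructed example: local router with two remote peers (primary and backup).
! 203.0.113.1/.2 are the remote routers' physical interface addresses, not an HSRP VIP,
! so each IKE/IPsec SA is bound to the specific router that negotiated it.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 28800
crypto isakmp key <PSK-PLACEHOLDER> address 203.0.113.1
crypto isakmp key <PSK-PLACEHOLDER> address 203.0.113.2
!
! Dead Peer Detection: probe every 10 s, retry every 3 s, and probe even when
! the tunnel is idle ("periodic") so a dead primary is noticed before user
! traffic has to fail first.
crypto isakmp keepalive 10 3 periodic
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Traffic to protect (constructed subnets)
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
! Two peer statements: IKE negotiates with the first; when DPD declares it dead,
! new SAs are negotiated with the second. "default" marks the preferred peer so
! that, once the SAs to the backup time out or go idle, the next negotiation
! returns to the primary instead of staying on the backup indefinitely.
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.1 default
 set peer 203.0.113.2
 set security-association idle-time 120
 set transform-set TS
 match address VPN-TRAFFIC
!
! One-armed design: the crypto map sits on the single GigE interface
interface GigabitEthernet0/0
 ip address 198.51.100.10 255.255.255.0
 crypto map VPN-MAP
```

The remote routers each need a matching crypto map that names this router's physical address as their peer; `show crypto isakmp sa` and `show crypto ipsec sa` show which peer the SAs are currently built with after a failover.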
07-14-2007 10:28 AM
Those features look like exactly what I need. Thank you very much, Narayan.