GRE over IPSEC redundancy

Unanswered Question
Dec 8th, 2007

I have two Cisco routers connected to the internet. Is it possible to build a GRE tunnel using a virtual IP address, i.e. the tunnel source is the virtual IP on my side and the tunnel destination is a virtual IP on the other side?

Massimo Baschieri Sat, 12/08/2007 - 23:07

I often use loopback ip addresses for tunnel sources and destinations, however they need to be visible to each other.

Security aside, you can even use private IP addresses statically NATted to public IPs as tunnel source and destination.

Bye,

Max.

mohammady Sun, 12/09/2007 - 04:43

Thanks, massimo.baschieri, for your cooperation.

But I want to know if it is possible to use a virtual IP address (HSRP VIP) as tunnel source and destination at both ends.

Massimo Baschieri Sun, 12/09/2007 - 22:07

Never tried it, but in my mind it is not a good exercise. What in the world is suggesting you not to use real IP addresses for high availability?

Bye,

Tosh.

mohammady Sun, 12/09/2007 - 22:21

So what do you suggest to build redundancy for GRE over IPsec?

Massimo Baschieri Mon, 12/10/2007 - 00:13

Each router has its own IPsec tunnel and its own GRE tunnel, terminated on the real addresses of internal interfaces or on loopbacks; HSRP and EIGRP/OSPF by themselves take care of high availability.

Bye,

Max.

Richard Burts Tue, 12/11/2007 - 13:35

mohammad


I think that trying to do GRE/IPsec using the HSRP VIP would not work. In particular, it would lead to a situation where the router had negotiated an IPsec SA with its peer, and suddenly the HSRP VIP moves to the other router, and now the router that has the peer address does not have the IPsec SA.


If you want redundancy, I would suggest that a better approach is to specify two peer addresses in the crypto map. It might look something like this:

crypto map sample-map 10 ipsec-isakmp
 set peer 1.1.1.1
 set peer 1.1.1.2
 set transform-set some-transform
 match address some-acl


If you do this the router would attempt to establish a session with 1.1.1.1 and if that failed it would attempt to establish a session with 1.1.1.2. That seems to me to give the redundancy that you want to achieve without the complexity of trying to use the HSRP VIP.


HTH


Rick

mohammady Tue, 12/11/2007 - 22:24

Thanks, rburts.


But what if the router fails? This gives redundancy for the peer side, but not on my side.

Richard Burts Wed, 12/12/2007 - 09:28

mohammad


For redundancy on your side you would need 2 routers with each router configured to run GRE/IPSec.


HTH


Rick
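The two-router design Massimo and Rick describe (each router terminating its own GRE tunnel and its own IPsec SA on a real address, with a routing protocol and HSRP doing the failover), written out as an added example that is not part of this thread or of Cisco's documentation. Rather than one GRE tunnel whose crypto map lists two peers, branch router BR1 gets one GRE tunnel per head-end, each protected by its own IPsec peer, so the GRE destination and the IPsec peer always agree; BR2 at the branch is configured the same way with its own /30 tunnel subnets and a lower HSRP priority, and HE2 mirrors HE1. All addresses (RFC 5737 documentation ranges), interface names, tunnel numbers and the pre-shared key placeholders are assumptions, as is the choice of `tunnel protection` (IPsec profile) over a crypto map with a GRE access list.

```cisco
! ---- BR1: branch router, public address 198.51.100.10 (constructed example) ----
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 14
! one key per real head-end address; the placeholders are assumptions, use real secrets
crypto isakmp key REPLACE-WITH-PSK-HE1 address 203.0.113.1
crypto isakmp key REPLACE-WITH-PSK-HE2 address 203.0.113.2
! DPD: a head-end that stops answering is declared dead after 10 s plus 3 retries,
! so the IPsec SA and the EIGRP adjacency over that tunnel are torn down quickly
crypto isakmp keepalive 10 3 periodic
!
crypto ipsec transform-set AES-SHA esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile GRE-PROT
 set transform-set AES-SHA
!
interface Tunnel0
 description GRE to HE1 (primary)
 ip address 10.255.0.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.1
 tunnel protection ipsec profile GRE-PROT
!
interface Tunnel1
 description GRE to HE2 (secondary)
 ip address 10.255.0.6 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 ! delay is in tens of microseconds; anything above the tunnel default makes EIGRP prefer Tunnel0
 delay 100000
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel protection ipsec profile GRE-PROT
!
interface GigabitEthernet0/0
 description Internet
 ip address 198.51.100.10 255.255.255.0
!
interface GigabitEthernet0/1
 description branch LAN; BR2 shares VIP 192.168.10.1 with priority 100 and preempt
 ip address 192.168.10.2 255.255.255.0
 standby 1 ip 192.168.10.1
 standby 1 priority 110
 standby 1 preempt
 ! lose 20 priority when the primary tunnel drops, so BR2 (100) takes the LAN VIP;
 ! if BR1 dies outright, HSRP hellos stop and BR2 takes over anyway
 standby 1 track Tunnel0 20
!
router eigrp 100
 network 10.255.0.0 0.0.0.255
 network 192.168.10.0
 passive-interface GigabitEthernet0/1
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 198.51.100.1
!
! ---- HE1: head-end, public address 203.0.113.1; HE2 is the same with 203.0.113.2 ----
! (each head-end also needs a second tunnel interface and /30 for BR2, not shown)
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-PSK-HE1 address 198.51.100.10
crypto isakmp keepalive 10 3 periodic
crypto ipsec transform-set AES-SHA esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile GRE-PROT
 set transform-set AES-SHA
!
interface Tunnel10
 description GRE to BR1
 ip address 10.255.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.10
 tunnel protection ipsec profile GRE-PROT
!
router eigrp 100
 network 10.255.0.0 0.0.0.255
 network 10.1.0.0 0.0.255.255
 no auto-summary
```

Failover and fail-back are both driven by routing: when HE1 stops answering, DPD removes the SA, the EIGRP neighbour over Tunnel0 times out, and the branch prefixes are reached over Tunnel1 with its worse delay. When HE1 returns, the EIGRP hellos on Tunnel0 bring the SA back up and the adjacency re-forms, so traffic moves back to the primary head-end on its own; nothing has to drop on the secondary first.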

dphills18 Thu, 08/21/2008 - 08:52

What happens when the initial peer comes back up? Does it automatically switch back to the 1st peer, or does the 2nd peer have to drop for it to look back at the first one?

mgischernsnw Thu, 08/21/2008 - 21:38

It is in fact possible to use HSRP and IPSec tunnels.


More info on that specific configuration is available at http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_failover_ipsec_ps6441_TSD_Products_Configuration_Guide_Chapter.html


In regard to the initial peer coming back, this particular configuration should follow the rules of your HSRP standby group. If you have preemption enabled, it should come back and become active again.


There is one very important note in that document:

"Each time an active device relinquishes control to become the standby device, the active device will reload. This functionality ensures that the state of the new standby device synchronizes correctly with the new active device."
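An added example (not from this thread or from the linked guide) of what the stateful IPsec failover feature mgischernsnw points to looks like on a head-end pair: the crypto map is bound to an HSRP group so the remote site peers with the VIP, and the IKE/IPsec state is copied to the standby over the inside link. The keywords are as I recall them from that feature, so check them against the linked guide for your IOS release; the addresses, HSRP group names and the remote prefix are assumptions. Because GRE support with this feature depends on the release, the crypto ACL here protects a plain LAN-to-LAN IPsec flow rather than a GRE tunnel.

```cisco
! ---- HE-A (active). HE-B is identical apart from its own addresses and a lower standby priority ----
! IKE/IPsec state is replicated to the peer over SCTP; the inside HSRP group drives the failover
redundancy inter-device
 scheme standby HA-IN
!
ipc zone default
 association 1
  no shutdown
  protocol sctp
   local-port 5000
    local-ip 10.0.0.1
   remote-port 5000
    remote-ip 10.0.0.2
!
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 14
! placeholder key for the remote site at 198.51.100.10 (constructed address)
crypto isakmp key REPLACE-WITH-PSK address 198.51.100.10
crypto ipsec transform-set AES-SHA esp-aes 256 esp-sha-hmac
!
ip access-list extended TO-BR1
 permit ip 10.1.0.0 0.0.255.255 192.168.10.0 0.0.0.255
!
crypto map VPN 10 ipsec-isakmp
 set peer 198.51.100.10
 set transform-set AES-SHA
 match address TO-BR1
!
interface GigabitEthernet0/0
 description outside; the remote site is configured with peer 203.0.113.1, the VIP
 ip address 203.0.113.11 255.255.255.0
 standby 1 ip 203.0.113.1
 standby 1 name HA-OUT
 standby 1 priority 110
 standby 1 preempt
 ! both groups must move together, so each tracks the other interface
 standby 1 track GigabitEthernet0/1
 ! binds the map to the VIP and enables state sync for its SAs
 crypto map VPN redundancy HA-OUT stateful
!
interface GigabitEthernet0/1
 description inside; also carries the state-sync traffic to HE-B (10.0.0.2)
 ip address 10.0.0.1 255.255.255.0
 standby 2 ip 10.0.0.254
 standby 2 name HA-IN
 standby 2 priority 110
 standby 2 preempt
 standby 2 track GigabitEthernet0/0
```

With preempt on both groups, HE-B hands the VIP back as soon as HE-A returns, and that hand-back is exactly the relinquish-and-reload the quoted note describes, so HE-B reboots once more after HE-A recovers. If a second reload is unacceptable, leave preempt off and fail back during a maintenance window instead.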


