GRE over IPSEC redundancy

Unanswered Question
Dec 8th, 2007

I have two cisco routers connected to internet ,is it possile to build GRE tunnel using a virtual IP tunnel source is the virual IP in my side and tunnel destination is a virtual IP in the other side.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Massimo Baschieri Sat, 12/08/2007 - 23:07

I often use loopback ip addresses for tunnel sources and destinations, however they need to be visible to each other.

Security apart, you can even use private ip addresses statically natted to public ip's as tunnel source and destination.



mohammady Sun, 12/09/2007 - 04:43

thanks massimo.baschieri for your cooperation

but I want to know if it is possible to use virtual IP address(HSRP VIP) as tunnel source and destination at both ends....

Massimo Baschieri Sun, 12/09/2007 - 22:07

Never tried, but in my mind is not a good exercise, what in the world is suggesting you not to use real ip adresses for high availability ?



mohammady Sun, 12/09/2007 - 22:21

so what you suggest to build redundancy for GRE over IPSEC????

Massimo Baschieri Mon, 12/10/2007 - 00:13

Each router has it's own ipsec tunnell and it's own gre tunnel terminated on internal interfaces real addresses or loopback ones, hsrp and eigrp/ospf by themselves takes care of high availability.



Richard Burts Tue, 12/11/2007 - 13:35


I think that trying to do GRE IPSec using the HSRP VIP would not work. In particular it would lead to a situation where the router had negotiated IPSec SA with its peer, and suddenly the HSRP VIP moves to the other router and now the router that has the peer address does not have the IPSec SA.

If you want redundancy I would suggest that a better aproach is to specify two peer addresses in the crypto map. It might look something like this:

crypto map sample-map 10 ipsec-isakmp

set peer

set peer

set transform-set some-transform

match address some-acl

If you do this the router would attempt to establish a session with and if that failed it would attempt to establish a session with That seems to me to give the redundancy that you want to achieve without the complexity of trying to use the HSRP VIP.



mohammady Tue, 12/11/2007 - 22:24

thanks rburts ,

but what if the router fail??this give redundancy for peer side but not in my side.??

Richard Burts Wed, 12/12/2007 - 09:28


For redundancy on your side you would need 2 routers with each router configured to run GRE/IPSec.



dphills18 Thu, 08/21/2008 - 08:52

what happens when the initial peer comes back up. does it automatically switch back to the 1st peer, or does the 2nd peer have to drop for it to look back at the first one.

mgischernsnw Thu, 08/21/2008 - 21:38

It is in fact possible to use HSRP and IPSec tunnels.

More info on that specific configuration is available at

In regard to the initial peer coming back, this particular configuration should follow the rules of your HSRP standby group. If you have preemption enabled, it should come back and become active again.

There is one very important note in that document:

"Each time an active device relinquishes control to become the standby device, the active device will reload. This functionality ensures that the state of the new standby device synchronizes correctly with the new active device."


This Discussion