HSRP Redundancy for IPSec VTI Hub

Unanswered Question
Feb 29th, 2008

Hi,

I am looking for a solution to provide HSRP redundancy for an L2L VTI topology.

The interesting traffic doesn't get encrypted while going from the IPSec hub to the spoke if I use the HSRP VIP for IPSec peering, while it does get encrypted once I use a loopback instead.

Thanks

Sami

Appreciate your input on the issue


Hi Sami

Configuring HSRP with IPSec

When configuring HSRP with IPSec, the following conditions may apply:

• When HSRP is applied to a crypto map on an interface, the crypto map must be reapplied if the standby IP address or the standby name is changed on that interface.

• If HSRP is applied to a crypto map on an interface, and you delete the standby IP address or the standby name from that interface, the crypto tunnel endpoint is reinitialized to the actual IP address of that interface.

• If you add the standby IP address and the standby name to an interface with a requirement for IPSec failover, the crypto map must be reapplied with the appropriate redundancy information.

• Standby priorities should be equal on active and standby routers. If they are not, the higher priority router takes over as the active router. When that occurs, the active router goes into a cycle where it continuously goes down and comes back up.

• The IP addresses on the HSRP-tracked interfaces on the standby and active routers should both be either lower or higher on one router than the other. In the case of equal priorities (an HA requirement), HSRP will assign the active state-based IP address. If an addressing scheme exists so that the public IP address of router A is lower than the public IP address of router B, but the opposite is true for their private interfaces, an active/standby-standby/active split condition could exist which will break connectivity.

Please rate if this helps.

Regards MJ
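As an added illustration (editor's example, not part of this thread and not addressing the VTI case Sami asks about), this is how the crypto-map-based HSRP setup that the conditions above describe would look on one hub router. All addresses, interface names, group names and the remote peer are constructed placeholders; the point is that the spoke peers with the HSRP virtual IP, the crypto map is bound to the standby group with the `redundancy` keyword, priorities are equal on both routers, and Router A's address is the lower one on both the public and the private interface.

```cisco
! Router A (hub, HSRP member). Router B is identical except for its own
! interface addresses (.3 instead of .2 on both interfaces); the HSRP
! group numbers, names, virtual IPs, priorities and crypto map are the same.
! All addresses, names and the peer address are constructed placeholders.

crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! Placeholder pre-shared key; replace before use.
crypto isakmp key REPLACE_WITH_PSK address 198.51.100.10
crypto ipsec transform-set VPN-TS esp-aes 256 esp-sha256-hmac
!
! Interesting traffic: hub LAN to spoke LAN.
ip access-list extended VPN-ACL
 permit ip 10.10.0.0 0.0.255.255 10.20.0.0 0.0.255.255
!
crypto map VPNMAP 10 ipsec-isakmp
 set peer 198.51.100.10
 set transform-set VPN-TS
 match address VPN-ACL
 ! Inject a route for the spoke LAN so inside routing follows the active hub.
 reverse-route
!
! Outside (public) interface: the spoke peers with the HSRP virtual IP
! 192.0.2.1, so the tunnel endpoint survives a failover.
interface GigabitEthernet0/0
 ip address 192.0.2.2 255.255.255.0
 standby 1 ip 192.0.2.1
 standby 1 name VPN-HA
 standby 1 priority 100
 ! "redundancy VPN-HA" ties the crypto endpoint to the standby group.
 ! Reapply this line if the standby name or standby IP is ever changed.
 crypto map VPNMAP redundancy VPN-HA
!
! Inside (private) interface: Router A is .2 here as well, so the
! A-lower-than-B ordering is the same on both sides (no split condition).
interface GigabitEthernet0/1
 ip address 10.10.0.2 255.255.255.0
 standby 2 ip 10.10.0.1
 standby 2 priority 100
```

After applying it on both routers, `show standby` should show exactly one router active in each group, and `show crypto map` should list the virtual address as the local endpoint of the map; if the map still shows the interface's own address, the `redundancy` binding was not reapplied after the standby configuration changed.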

ccie16351 Sat, 03/01/2008 - 00:34

Thanks MJ,

What I am looking for is providing redundancy for IPSEC working in a Virtual Tunnel Interface topology, which does not use a crypto map.

Sami

