I am facing quite an interesting problem with VPN and HSRP.
Attached you can find a draft topology of the scenario.
Every office has two routers: main and secondary. All routers have fixed IP addresses.
The Central Site main router has a VPN site-to-site connection with the main routers of the branch offices. The idea is to have the secondary routers' VPN set up by the time they become active in their HSRP domain.
HSRP is being used on all sites. At all sites, the object tracked (VPN Network) is being used to decrement the HSRP values and change it to the secondary router.
At the Central Site, Reverse Route Injection is being used to inject the VPN route into the OSPF domain, so the firewall can route correctly to the branch offices, in case the secondary router becomes active in HSRP.
At the remote site, I am tracking the reachability of the VPN network in the routing table, so if the main router does not have this route, it decrements its priority by 10 and in theory the secondary router becomes active. And here resides my problem, for the following reasons:
- If I decrement by 10 (default), the secondary router will also be tracking the VPN network reachability, and since its VPN will not be up, it will have the same priority as the main router (90) at the time the main router's VPN fails. The main router has the highest IP address and will always be active, the secondary router won't preempt, and the VPN will not be set up using the secondary router.
- If I use values greater than the default, the secondary routers become active; however, if their VPN fails at the secondary router, the main router will never become active again, because they will have a lower priority than the main router.
Any further information, please, let me know.
Any idea is deeply appreciated.
Thanks in advance,