Solved: Simple IOS VPN IPsec HUB and Spoke with Failover HUB

l.buschi · ‎02-03-2016

Hi all,

I have a Hub nd Spoke VPN architecture realized with sVTI, IKEv1 and IPsec.

My hub is connected to a single ISP.

I'd like to have an hardware redundancy for my hub.

Instead of creating a double tunnel in each spoke i'd like to use a failover protocol over my 4000ISR router.

Is there a way to realize it simply?

If I use IOS IPsec failover do I have to deploy my changes on both router or (like ASA) I may configure the active router and let the standby receive the chenges?

Thank you all.

Johnny

Philip D'Ath · ‎02-05-2016

If your ISP connection is one that has a routed block, and you can plug two of the same routers into it, then you can configure HSRP.

The Tunnel source becomes the HSRP address. Spokes don't have to know that there are two routers.

Easy failover.

You can also have a single tunnel with dual hubs (if you don't use HSRP). You don't to use dual tunnels.

View solution in original post

Philip D'Ath · ‎02-05-2016

If your ISP connection is one that has a routed block, and you can plug two of the same routers into it, then you can configure HSRP.

The Tunnel source becomes the HSRP address. Spokes don't have to know that there are two routers.

Easy failover.

You can also have a single tunnel with dual hubs (if you don't use HSRP). You don't to use dual tunnels.

l.buschi · ‎02-05-2016

Thank you Philip,

My ISP is unique so I can use HSRP.

How can I use single tunnel with dual HUB?

Tks again

Johnny

Philip D'Ath · ‎02-05-2016

On the spoke double up on the NHRP lines. The hubs have a couple of options. You can deploy them as plain hubs, or you can get a little more advanced, and make them NHRP clients of each other.

interface Tunnel x
 ip nhrp map multicast <hub1 public IP>
 ip nhrp map multicast <hub2 public IP>
 ip nhrp map <hub1 tunnel IP> <hub1 public IP>
 ip nhrp map <hub2 tunnel IP> <hub2 public IP>
 ip nhrp nhs <hub1 tunnel IP>
 ip nhrp nhs <hub2 tunnel IP>