Re: IPSec high availability and HSRP (IOS 12.2(8)T) - broken by
Change your IPSec configuration to GRE multipoint/NHRP and make each of your 2 HSRP routers nodes on the GRE multipoint mesh, using the public IP addresses of their serial interfaces as the endpoints.
On your spoke routers, add floating static routes to forward the necessary traffic through the VPN to the STANDBY router. Run a routing protocol from your active router to the spoke sites.
In the normal course of operation, the spoke sites will use the dynamically learnt routing information to forward traffic to the active router. Should the active router fail, the dynamically learnt routes will be withdrawn and the spokes will forward to the standby router.
I'm not a fan of load-balancing with 2 devices, as either one of the devices will have to cope with full load anyway should the other fail. If you really want to go down that path you can do this by running a routing protocol between your HSRP routers, dividing your spoke sites into two groups, and having half route to 1 router normally with routing failover to the other, etc.
I have seen people try to load balance using combinations of CEF, RRI, multiple crypto routers and IPSec/TED tunnel mode - don't go there.
Using GRE and a routing protocol means that you can rely on the routing protocol to detect a dead peer and avoid using isakmp keepalives.
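The design described in the reply above, written out as an added IOS configuration example; this is not the original poster's configuration and it uses the DMVPN-style commands (mGRE, NHRP, `tunnel protection`) of later IOS trains rather than anything verified against 12.2(8)T. All addresses, the pre-shared key, the NHRP key and the EIGRP AS number are placeholders. Hub 1 is the active HSRP router and runs EIGRP to the spokes; hub 2 runs no routing protocol over the tunnel and is reached only through the spokes' floating static routes.

```cisco
! ===== Hub 1 (active HSRP router, public 203.0.113.1) =====
! Constructed example. The crypto block below is repeated unchanged on every router.
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2
crypto isakmp key PLACEHOLDER_PSK address 0.0.0.0 0.0.0.0
crypto ipsec transform-set TS esp-aes esp-sha-hmac
 mode transport
crypto ipsec profile DMVPN
 set transform-set TS
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ip nhrp authentication NHRPKEY
 ip nhrp map multicast dynamic      ! learn spoke endpoints from NHRP registrations
 ip nhrp network-id 1
 tunnel source Serial0/0            ! public address of the serial interface is the endpoint
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN
!
router eigrp 1
 network 10.0.0.0 0.0.0.255         ! tunnel subnet: adjacencies with the spokes
 network 192.168.0.0 0.0.255.255    ! hub-side LANs advertised to the spokes
 no auto-summary

! ===== Hub 2 (standby HSRP router, public 203.0.113.2) =====
! Same crypto block as hub 1. No EIGRP on the tunnel: spokes reach this router
! only via their floating statics, so it needs static return routes itself.
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 no ip redirects
 ip nhrp authentication NHRPKEY
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source Serial0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN
!
ip route 192.168.10.0 255.255.255.0 10.0.0.11   ! spoke LAN via the spoke's tunnel address

! ===== Spoke (tunnel 10.0.0.11, LAN 192.168.10.0/24) =====
! Same crypto block as hub 1. Registers with both hubs so either can reach it.
interface Tunnel0
 ip address 10.0.0.11 255.255.255.0
 ip nhrp authentication NHRPKEY
 ip nhrp map 10.0.0.1 203.0.113.1
 ip nhrp map 10.0.0.2 203.0.113.2
 ip nhrp map multicast 203.0.113.1
 ip nhrp map multicast 203.0.113.2
 ip nhrp nhs 10.0.0.1
 ip nhrp nhs 10.0.0.2
 ip nhrp network-id 1
 tunnel source Serial0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN
!
router eigrp 1
 network 10.0.0.0 0.0.0.255
 network 192.168.10.0 0.0.0.255
 no auto-summary
!
! Floating static toward the standby hub. Administrative distance 250 is worse
! than EIGRP's 90, so it stays out of the table while hub 1's routes are present
! and is installed only after EIGRP withdraws them (hold time expiry on hub failure).
ip route 192.168.0.0 255.255.0.0 10.0.0.2 250
```

With this layout the EIGRP hello/hold timers on the tunnel are what detect a dead active hub, which is the point of the last sentence above: no `crypto isakmp keepalive` is needed for failover. To confirm the state on a spoke, `show ip nhrp` should list both hubs, `show crypto session` should show an active SA to each, and `show ip route 192.168.0.0` should show the EIGRP route normally and the static (distance 250) once hub 1 is down.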