IPSec high availability and HSRP (IOS 12.2(8)T) - broken by design?

ovt
Level 4

Hi all!

We have two routers with ethernet (to our LAN) and serial interfaces (each router goes to a different ISP). HSRP is used on the ethernet interfaces and both routers accept IPSec tunnels from remote sites on the serial interfaces.

The question is: how can we integrate HSRP and IPSec, so that if a tunnel fails and the remote site reconnects to the second router (they use DPD), HSRP also swaps active and standby for a given HSRP group?

Note that the outside interface is a serial interface, and the following config does not apply:

http://www.cisco.com/warp/public/707/ipsec_feat.html

Also, is there a way to load balance IPSec tunnels between two routers?

Oleg Tipisov,
REDCENTER,
Moscow

2 Replies

gmiiller
Level 1

Change your IPSec configuration to GRE multipoint/NHRP and make each of your 2 HSRP routers nodes on the GRE multipoint mesh, using the public IP addresses of their serial interfaces as the endpoints.

On your spoke routers, add floating static routes to forward the necessary traffic through the VPN to the STANDBY router. Run a routing protocol from your active router to the spoke sites.

In the normal course of operation, the spoke sites will use the dynamically learnt routing information to forward traffic to the active router. Should the active router fail, the dynamically learnt routes will be withdrawn and the spokes will forward to the standby router.

I'm not a fan of load-balancing with 2 devices, as either one of the devices will have to cope with the full load anyway should the other fail. If you really want to go down that path you can do this by running a routing protocol between your HSRP routers, dividing your spoke sites into two groups, and having half route to 1 router normally with routing failover to the other, etc.

I have seen people try to load balance using combinations of CEF, RRI, multiple crypto routers and IPSec/TED tunnel mode - don't go there.

Using GRE and a routing protocol means that you can rely on the routing protocol to detect a dead peer and avoid using ISAKMP keepalives.

Thank you for the reply.

Are there any advantages of using multipoint GRE with floating-static routes over point-to-point GRE + EIGRP (OSPF) + administrative distance to select the next hop?

Is it possible to avoid GRE? (I heard that IPSec+GRE = unreliable in the latest IOSes.)

Why do you think that detecting a tunnel failure with a dynamic routing protocol is better (more reliable?) than with IKE keepalives?

Why didn't Cisco implement the simplest solution for failover: IKE keepalives + the command "standby track"? (I know, IPsec lacks a virtual interface, but...)

Thank you again,

Oleg Tipisov,
REDCENTER,
Moscow