Cisco Support Community
Community Member

IPsec tunnel terminating on HSRP address with certificate authentication

I want so setup a hub and spoke ipsec tunnel topology with a redundant hub (hsrp based). I wonder how to implement certificate based authentication in this case as both router share the same ip address?

Do they need to have the same keys and certificate or what is the best practise in this situation?




Re: IPsec tunnel terminating on HSRP address with certificate au

I am unable to see as to how use of HSRP will poses a problem. Even thought the hosts on your hub are configured to forward their traffic to the HSRP virtual address which all the routers in the group will hear on, the routers by themselves do not share the same interface address. Note that the virtual address is an address that the HSRP routers hear but are not actually configured on their interfaces. The interfaces over which they are forwarding traffic are addressed independantly. For more information on HSRP, please visit the HSRP support page at In fact, you could deploy HSRP for load sharing as shown in the document Load Sharing with HSRP at

Community Member

Re: IPsec tunnel terminating on HSRP address with certificate au

The point is that certificates are bound to ip addresses or names. As there is no way to transfer private keys from one router to another, both router will have different certificates. From the remote site's point of view there is only one ip address and therefore only one certificate. So authentication will be a problem as I would have to configure two certificates on the remote site router for one single identifier (ip address).

CreatePlease to create content