Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Redundant VPN Connections Using RRI and HSRP

Hi, I have a few questions regarding RRI and HSRP. I think I have the jist of this, but would like to run it by someone.

In the attached diagram, I simply have two Internet connected routers (Router A and Router B) that will establish IPSEC tunnels to PIX A.

The inside interfaces on Router A and Router B will be part of the HSRP group to provide the IP as the default gateway on PIX B.

I can establish the IPSEC tunnels to PIX A, as well as configure HSRP on the network.

I guess my question is:

How do I configure RRI on Router A and Router B to get this solution working?

Also, is this the recommended configuration for this type of redundant IPSEC connectivity?


Re: Redundant VPN Connections Using RRI and HSRP

Router (config)# crypto map map-name seq-num ipsec-isakmp

Adds a dynamic crypto map set to a static crypto map set and enters interface configuration mode.

Step 2

Router (config-if)# set peer ip address

Specifies an IPSec peer IP address in a crypto map entry.

Step 3

Router (config-if)# reverse-route

Creates dynamically static routes based on crypto access control lists (ACLs).

Step 4

Router (config-if)# match address

Specifies an extended access list for a crypto map entry.

Step 5

Router (config-if)# set transform-set

Specifies which transform sets are allowed for the crypto map entry. Lists multiple transform sets in order of priority (highest priority first).

Configuring HSRP with IPSEC

step 1

Router (config)# interface type slot/port

Specifies an interface and enters interface configuration mode.

Step 2

Router (config-if)# standby name group-name

Specifies the standby group name (required).

Step 3

Router (config-if)# standby ip ip-address

Specifies the IP address of the standby groups (required for one device in the group).

Step 4

Router (config-if)# crypto map map-name redundancy [standby-name]

Specifies IP redundancy address as the tunnel endpoint for IPSec.