Community Member

HSRP Redundancy for IPSec VTI Hub

Hi,

I am looking for a solution to provide HSRP redundancy for an L2L VTI topology.

The interesting traffic doesn't get encrypted while going from the IPSec hub to the spoke if I use the HSRP VIP for IPSec peering, while it does get encrypted once I use a loopback instead.

Thanks

Sami

Appreciate your input on the issue

2 REPLIES
Community Member

Re: HSRP Redundancy for IPSec VTI Hub

Hi Sami

Configuring HSRP with IPSec

When configuring HSRP with IPSec, the following conditions may apply:

• When HSRP is applied to a crypto map on an interface, the crypto map must be reapplied if the standby IP address or the standby name is changed on that interface.

• If HSRP is applied to a crypto map on an interface, and you delete the standby IP address or the standby name from that interface, the crypto tunnel endpoint is reinitialized to the actual IP address of that interface.

• If you add the standby IP address and the standby name to an interface with the requirement of IPSec failover, the crypto map must be reapplied with the appropriate redundancy information.

• Standby priorities should be equal on active and standby routers. If they are not, the higher priority router takes over as the active router. When that occurs, the active router goes into a cycle where it continuously goes down and comes back up.

• The IP addresses on the HSRP-tracked interfaces on the standby and active routers should both be either lower or higher on one router than the other. In the case of equal priorities (an HA requirement), HSRP will assign the active state based on IP address. If an addressing scheme exists so that the public IP address of router A is lower than the public IP address of router B, but the opposite is true for their private interfaces, an active/standby-standby/active split condition could exist which will break connectivity.

Please rate if this helps.

Regards MJ

Community Member

Re: HSRP Redundancy for IPSec VTI Hub

Thanks MJ,

What I am looking for is providing redundancy for IPSEC which is working in a Virtual Tunnel Interface topology, which does not use a crypto map.

Sami
