GRE Tunnel Termination on HSRP VIP

m-haddad
Level 5

Hello,

I have two routers with HSRP running on the external public interface. I would like to know if the HSRP VIP address can be used as the GRE tunnel source. Over this GRE, IPsec will be encrypting those packets from the tunnel source (VIP) to the other peer.

I know a router never uses the VIP to forward traffic, but I need to know if the GRE tunnel can be sourced from the VIP address and IPsec can encrypt this traffic over the tunnel.

Regards,

4 Replies

felixjai
Level 1

I don't think it can be done using HSRP with GRE over IPSec. If your question is asking HSRP with IPSec, then it is supported.

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122limit/122y/122ye/1229ye/12yipsec.htm

If GRE over IPSec is needed for your HSRP routers, you might as well make TWO IPSec tunnels to each HSRP router's physical IP. And then use dynamic routing over GRE to detect failover or equal-cost load-balancing.
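The design suggested above (GRE over IPsec to each hub's physical address, with a routing protocol over the tunnels for failover) as an added Cisco IOS configuration example for the spoke; it is not from the poster or from any real deployment. It assumes hub A is reachable at 203.0.113.1 via ISP1 and hub B at 192.0.2.1 via ISP2, the spoke's WAN interface is GigabitEthernet0/0, and each hub carries the mirror-image tunnel, sourced from its own physical WAN interface, plus the same EIGRP process.

```cisco
! Spoke router (constructed example, not from the thread).
! Hub A physical WAN IP 203.0.113.1 (ISP1), hub B physical WAN IP 192.0.2.1 (ISP2),
! spoke WAN IP 198.51.100.10 on GigabitEthernet0/0; replace with your own addresses.
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 14
crypto isakmp key CHANGE-ME-PSK address 203.0.113.1
crypto isakmp key CHANGE-ME-PSK address 192.0.2.1
crypto ipsec transform-set GRE-TS esp-aes esp-sha-hmac
 mode transport
crypto ipsec profile GRE-PROT
 set transform-set GRE-TS
!
! Tunnel to hub A: sourced from the spoke's physical interface, not a VIP,
! so the router always generates GRE regardless of which ISP is default.
interface Tunnel0
 ip address 10.255.0.2 255.255.255.252
 keepalive 10 3
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.1
 tunnel protection ipsec profile GRE-PROT
!
! Tunnel to hub B: same source, second hub's physical address.
interface Tunnel1
 ip address 10.255.0.6 255.255.255.252
 keepalive 10 3
 tunnel source GigabitEthernet0/0
 tunnel destination 192.0.2.1
 tunnel protection ipsec profile GRE-PROT
!
! Dynamic routing over both tunnels: if a hub or its ISP fails, the GRE
! keepalive brings that tunnel down and EIGRP reconverges onto the other.
router eigrp 100
 network 10.255.0.0 0.0.255.255
 network 10.10.0.0 0.0.0.255
 passive-interface default
 no passive-interface Tunnel0
 no passive-interface Tunnel1
```

With both tunnels up the hub prefixes are learned over both, so traffic can be load-shared or steered with `delay` on one tunnel; the one-line pre-shared key is a placeholder and a per-peer key or certificates would be used in practice.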

The problem is that these two HSRP routers are multihomed to two ISPs. This means I have to create four tunnels from each branch, two to each router. This will make the configuration on the spoke routers too big + IPSEC. I also have VPN clients and this would cause the user to have four profiles. I wonder if there is any other better idea. DMVPN is not an option because spoke routers do not need to communicate with each other.

I wonder if anybody has tested this scenario before, using the HSRP VIP as the GRE tunnel source??? The target is to minimize config on the spoke and provide ISP failover with HSRP to the routers.

Regards,

Hello,

I did a test LAB and the tunnel was UP using the VIP as the head end of the IPSEC and GRE tunnel. However, only the first GRE tunnel was UP. For the second tunnel, the router was not at all trying to generate GRE traffic UNLESS I set the default route to the second ISP.

Therefore, if the default route is to the first ISP, the GRE tunnel having the first interface's VIP as source opens. The second tunnel won't even generate GRE packets!! This is weird.

When I put the default route to the second ISP, which is on the same subnet as the second interface, the router generated GRE packets and the tunnel opened successfully!

Any ideas would be really appreciated,

Regards,
