New Member

ipsec VPN redundancy with two routers by using GLBP

Hi,

Is it possible to configure IPsec VPN (site to site) redundancy with two routers by using GLBP instead of HSRP? I am not finding any documents related to GLBP VPN redundancy.

1. If we are using HSRP for VPN redundancy, the IPsec traffic will always hit a single router and the second router will always be in standby state.

2. I want to use GLBP for VPN redundancy so that I could use both routers for the IPsec traffic.

can anyone help me...

Regards,

Hariharan k

1 ACCEPTED SOLUTION

Hall of Fame Super Silver

Re: ipsec VPN redundancy with two routers by using GLBP

Hello Hariharan,

GLBP load balancing works based on the fact that the router with the AVG role replies to ARP requests for the VIP with the MAC address of virtual forwarder 1, then with that of virtual forwarder 2.

Unless your remote sites are connected with VPLS, they arrive at one device (a router or a firewall) that will perform a SINGLE ARP request for the VIP and will use it for all packets coming from all remote sites.

If they are connected with VPLS you could gain from using GLBP, but when the ARP entry times out the remote site will ARP again, with the risk of receiving the MAC address of the other virtual forwarder, making IPsec fail.

So you should have the IPsec security association lifetime less than the ARP table timeout, but even this does not provide an easy transition.

Ideally you would need persistency to have a remote site bound to same virtual MAC address all the time. But then if one router fails the other router should be informed of IPSec connections that were present in other device.

There is stateful IPSec but it is combined with HSRP and not with GLBP as far as I know.

Stateful communication is built on internal interface and the two boxes have two HSRP groups one inside and one outside.

see

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/white_paper_c11_472859.html

Hope to help

Giuseppe
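A small model of the ARP behaviour Giuseppe describes, added here as an example and not part of the thread: the AVG hands out forwarder MACs round-robin per ARP request, a device fronting all sites ARPs only once (so no load sharing), and a per-site device that re-ARPs after its cache times out can land on the other forwarder, where its IPsec SA does not exist. The forwarder MACs, timeouts and site names are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed virtual forwarder MACs (GLBP uses the 0007.b4xx.xxyy pattern; values made up)
VF_MACS = ["0007.b400.0101", "0007.b400.0102"]

class Avg:
    """Active Virtual Gateway: answers each ARP request for the VIP with the next
    virtual forwarder MAC in round-robin order."""
    def __init__(self) -> None:
        self.counter = 0

    def arp_reply(self) -> str:
        mac = VF_MACS[self.counter % len(VF_MACS)]
        self.counter += 1
        return mac

@dataclass
class RemoteDevice:
    """Device that ARPs for the VIP: the single hub router/firewall when all sites share
    one link, or each site's own router when sites are attached over VPLS."""
    name: str
    arp_timeout: int                 # seconds the ARP entry for the VIP stays cached
    cached_mac: Optional[str] = None
    cached_at: int = 0
    sa_on: Optional[str] = None      # forwarder MAC of the router holding this device's IPsec SA

    def resolve_vip(self, avg: Avg, now: int) -> str:
        if self.cached_mac is None or now - self.cached_at >= self.arp_timeout:
            self.cached_mac, self.cached_at = avg.arp_reply(), now
        return self.cached_mac

def forwarder_for_sites(sites: List[str], shared_device: bool) -> Dict[str, str]:
    """Forwarder each site's traffic lands on. One shared device means one ARP,
    so every site follows the same forwarder and the second router idles."""
    avg = Avg()
    if shared_device:
        hub = RemoteDevice("hub", arp_timeout=14400)
        return {s: hub.resolve_vip(avg, 0) for s in sites}
    return {s: RemoteDevice(s, arp_timeout=14400).resolve_vip(avg, 0) for s in sites}

def send_over_time(device: RemoteDevice, duration: int, interval: int) -> List[str]:
    """Send one packet every `interval` seconds; a packet that reaches the router
    which did not negotiate the SA is a mismatch that forces renegotiation."""
    avg, events = Avg(), []
    for now in range(0, duration, interval):
        mac = device.resolve_vip(avg, now)
        if device.sa_on is None:
            events.append("negotiate")       # first IKE/IPsec SA setup
        elif mac != device.sa_on:
            events.append("sa-mismatch")     # re-ARP returned the other forwarder
        else:
            events.append("ok")
        device.sa_on = mac
    return events
```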

4 REPLIES
Cisco Employee

Re: ipsec VPN redundancy with two routers by using GLBP

Because with GLBP, both routers are always in an "active" state, meaning that they are always potentially the active gateway for any client on the lan side, you must create two ipsec tunnels, as opposed to having just one ipsec tunnel that flaps between the two hsrp routers.

So from local lan to remote lan, traffic will go from clienta to "clienta-gateway"(that clients specific glbp gateway), and then out over a vpn tunnel to the remote site.  Traffic back from the remote site would then potentially take either tunnel, based on the vpn traffic profiles that you set up on that remote site.

So, with this in mind, make sure you do not have any stateful inspection or anything being done on the local site (where your two glbp routers are located), or else return traffic may fail.

Hope this helps!

New Member

Re: ipsec VPN redundancy with two routers by using GLBP

hi,

Kindly find the attached file for my network setup and let me know if it is possible for me to configure IPsec VPN redundancy on the VPN routers by using GLBP.

Currently I am using HSRP for VPN redundancy, so all the branches will always establish the tunnel with a single router, and one router will be utilised all the time. My configuration is as below.

vpn router 1
===========

interface GigabitEthernet0/1
 ip address 10.251.240.2 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
 standby 0 ip 10.251.240.1
 standby 0 priority 105
 standby 0 name group1
 standby 0 track GigabitEthernet0/0
 crypto map FED redundancy group1

vpn router 2
===========

interface GigabitEthernet0/1
 ip address 10.251.240.3 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
 standby 0 ip 10.251.240.1
 standby 0 name group1
 crypto map FED redundancy group1

All my branches have the set peer IP address as the VIP of HSRP. Now I am planning to configure GLBP. Can anyone help me in configuring GLBP?

Regards,

Hariharan k


New Member

Re: ipsec VPN redundancy with two routers by using GLBP

Hi giuslar,

Thanks a lot for your reply.

I understood that "There is stateful IPSec but it is combined with HSRP and not with GLBP as far as I know."

Regards,

Hariharan k
