Cisco Smartnet and code download issues

19th November 2011

I recently retweeted (doesn’t that make me sound like I’m down with the kids) a post I spotted on one of Cisco’s forums with another set of people complaining about Cisco’s appalling Smartnet maintenance processes. I finally feel that I’ve been vindicated, as I’ve been banging on about this for years. I’ve tried complaining to Cisco and got precisely nowhere.

The full article is available here.

I just hope someone at Cisco finally wakes up, listens, takes note and actually does something about this.

Barry

Cisco IPSEC tunnel using HSRP address

November 9th 2011

A technical update this morning. We’ve been asked by a client how to configure high availability for IPSEC tunnels on Cisco routers. The situation is that the customer had a single ISR router terminating VPN tunnels at their head office and wanted to add a second router for redundancy.

The question that was asked: what’s the best way of achieving this?

There are a few ways you could go about this, including backup VPN peers, Dead Peer Detection, Reverse Route Injection and so on; however, in our experience the easiest way is to run HSRP across the two routers and configure IPSEC to use the HSRP address. Note that this will not load balance connections across both gateways (therein lies a completely separate discussion), but it does provide seamless failover of the connection in the event that the primary gateway fails.

A brief snapshot of the relevant parts of the config (please note that the standard crypto commands for building a VPN tunnel are not shown – these are identical to any other site to site VPN config).

interface FastEthernet0/1
 description outside interface
 ip address 1.1.1.2 255.255.255.0
 ! HSRP group 1: 1.1.1.1 is the virtual address the remote peers will see
 standby 1 ip 1.1.1.1
 ! highest priority plus preempt makes this router the active gateway
 standby 1 preempt
 standby 1 priority 255
 standby 1 name ha_address
 ! the redundancy keyword ties the crypto map to the named standby group
 crypto map crypto_map_name redundancy ha_address

The key here is the “redundancy” keyword on the crypto map that is bound to the external interface. It lets you name the standby group, and therefore forces the gateway to use the HSRP virtual address, rather than the physical interface address, as the source and destination of all IPSEC packets. In this example the gateway will use “1.1.1.1”, which is the tunnel endpoint the remote sites peer with.
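As an added check, not code from the post, the following Python script parses IOS interface stanzas and resolves the crypto map’s “redundancy” keyword to the HSRP virtual IP that IPSEC will source from, returning None where the keyword is missing or names a group that does not exist on that interface. The sample config is constructed from the post (interface name assumed to be FastEthernet0/1; a second interface, FastEthernet0/0, is assumed purely to show a map bound without the keyword).

```python
import re
from typing import Dict, List, Optional

# Constructed sample modelled on the post's router; f0/0 is assumed, with a map lacking "redundancy".
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 ip address 1.1.1.2 255.255.255.0
 standby 1 ip 1.1.1.1
 standby 1 name ha_address
 crypto map crypto_map_name redundancy ha_address
!
interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 crypto map other_map
"""

def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split an IOS config into {interface name: [stripped stanza lines]}."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1]
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None  # "!" or a global command closes the stanza
    return interfaces

def ipsec_endpoint(config: str) -> Dict[str, Optional[str]]:
    """Per interface with a crypto map: the HSRP virtual IP IPsec will use as its
    endpoint, or None if "redundancy" is absent or names no group with an IP here."""
    out: Dict[str, Optional[str]] = {}
    for name, lines in parse_interfaces(config).items():
        groups: Dict[str, Dict[str, str]] = {}  # group number -> {"ip", "name"}
        has_map, group_name = False, None
        for line in lines:
            m = re.match(r"standby (\d+) (ip|name) (\S+)", line)
            if m:
                groups.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
            m = re.match(r"crypto map (\S+)(?: redundancy (\S+))?", line)
            if m:
                has_map, group_name = True, m.group(2)
        if has_map:  # the named group must exist, with a virtual IP, on this interface
            hits = [g["ip"] for g in groups.values()
                    if "ip" in g and g.get("name") == (group_name or "")]
            out[name] = hits[0] if hits else None
    return out
```

Run it against both routers’ configs: each should resolve the outside interface to the same virtual address, otherwise the secondary will not take over the tunnels on failover.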

Hope this is useful.

Barry Hesk