GRE high availability with HSRP routers

Cisco documentation about IPsec stateful failover shows it IS possible to use GRE tunnels with a couple of HSRP-configured routers as one of the endpoints. The tunnels from the remote peers connect to the active router. But how do I configure the GRE/IPsec tunnel on the HSRP routers? I mean, in this case what is the "interface tunnel" IP address and what is the "tunnel source" IP address?

-- profile0104

There is an old Networkers presentation from 2000 at [link] that seems to address your problem exactly. You might find your answer there.

-- Cisco da Gama (ciscodagama)

Though very useful, the presentation does not completely cover my case. To sum it up:

1) Main site has 2 routers in HSRP, with one external VIP and one internal VIP.

2) I want to set up GRE over IPsec.

3) Documentation I found suggests using the external VIP as the tunnel source.

4) But what is the tunnel's interface (the one I will use with dynamic routing)? Can (must) I configure two different tunnel interfaces?

-- profile0104

When you write VIP, do you mean virtual IP? What do you mean by external/internal VIPs?

The two routers running HSRP are one end of the IPSec connection. What's at the other end?

The tunnel source will be the IP address of the physical interface the tunnel is bound to at the local end, and the tunnel destination will be the IP address of the physical interface that is the destination of the tunnel. Note that these tunnel source and destination IP addresses are not the HSRP virtual IP addresses.

You will have to configure one tunnel interface on each of the HSRP routers, and two tunnel interfaces (pointing at each of the HSRP routers) on the far-end router. Then you will run transport-mode IPsec on the GRE tunnels and also run a routing protocol over the tunnels. The routing protocol will allow you to load-balance over the two GRE tunnels. When one HSRP router goes down, the routing protocol will converge and stop using the GRE tunnel pointing at the HSRP router that is now down. Note carefully the routing-protocol config in the example, with its passive-interface commands, which ensures that when an HSRP router goes down its tunnel is no longer used by the far-end router.

-- Cisco da Gama (ciscodagama)
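The two-tunnel layout described in the reply above, written out as an added example; this is not the original poster's configuration, the Networkers presentation's, or Cisco's own. All addresses, interface names, the EIGRP AS number and the pre-shared key are assumptions, and the IPsec side uses the IOS `tunnel protection` form rather than the crypto-map style a 2000-era config would have used. The point to check against the thread: each HQ router sources its tunnel from its own physical outside address, the HSRP virtual addresses are configured but never referenced by any tunnel, and the routing protocol only runs over the tunnels and the inside segment.

```cisco
! ===== HQ-R1: one of the two HSRP routers (HQ-R2 is identical except where noted) =====
! Every address, name and key below is an assumption made for this example.
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key EXAMPLE-ONLY-KEY address 198.51.100.10
!
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile GRE-PROT
 set transform-set GRE-TS
!
interface GigabitEthernet0/0
 description Outside - HQ-R2 uses 203.0.113.2 and priority 100
 ip address 203.0.113.1 255.255.255.248
 standby 1 ip 203.0.113.3
 standby 1 priority 110
 standby 1 preempt
!
interface GigabitEthernet0/1
 description Inside segment - HQ-R2 uses 192.0.2.66 and priority 100
 ip address 192.0.2.65 255.255.255.224
 standby 2 ip 192.0.2.94
 standby 2 priority 110
 standby 2 preempt
!
! Tunnel source is the physical outside address, never the HSRP VIP 203.0.113.3.
! HQ-R2 uses 10.255.0.5/30 on its Tunnel0 and "network 10.255.0.4 0.0.0.3".
interface Tunnel0
 description GRE to remote peer, protected by transport-mode IPsec
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.10
 tunnel protection ipsec profile GRE-PROT
!
! Routing protocol speaks over the tunnel and the inside segment only,
! never over the bare outside interface.
router eigrp 100
 network 10.255.0.0 0.0.0.3
 network 192.0.2.64 0.0.0.31
 passive-interface default
 no passive-interface Tunnel0
 no passive-interface GigabitEthernet0/1
!
! ===== Remote peer: two tunnels, one to each HQ router's physical address =====
! (same isakmp policy, transform set and ipsec profile as above)
crypto isakmp key EXAMPLE-ONLY-KEY address 203.0.113.1
crypto isakmp key EXAMPLE-ONLY-KEY address 203.0.113.2
!
interface GigabitEthernet0/0
 ip address 198.51.100.10 255.255.255.0
!
interface Tunnel0
 description GRE to HQ-R1
 ip address 10.255.0.2 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.1
 tunnel protection ipsec profile GRE-PROT
!
interface Tunnel1
 description GRE to HQ-R2
 ip address 10.255.0.6 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel protection ipsec profile GRE-PROT
!
router eigrp 100
 network 10.255.0.0 0.0.0.7
 network 172.16.10.0 0.0.0.255
 passive-interface default
 no passive-interface Tunnel0
 no passive-interface Tunnel1
```

With this in place the remote peer learns the HQ inside prefix twice, once per tunnel, and installs both as equal-cost paths; when HQ-R1 dies its EIGRP adjacency over Tunnel0 expires after the hold time and the remote converges onto Tunnel1. Until that hold timer runs out the remote can still forward into the dead tunnel, so lower the hello/hold timers on the tunnel interfaces if the default convergence time is too slow for you. If IOS refuses the second remote tunnel because another tunnel with the same source already carries tunnel protection, the `shared` keyword on `tunnel protection ipsec profile` is the documented way to let them share the IPsec SADB.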

The configuration I'm interested in is exactly this (#4): [link]

And my questions are:

On the headquarters side, what is the GRE tunnel IP source? What is the tunnel interface IP address? Does every peer set up two separate GRE tunnels to both HSRP routers, as you say? And if so, what is the use of having a virtual IP facing the internet?

Every post I found said the tunnel source cannot be the virtual address, but then I also found a config snippet from Cisco stating that the tunnel source can actually be the virtual address. I must confess I'm a bit confused. Thank you for your answers.

-- profile0104

Looks like you are trying to use the IPsec Stateful Failover feature. Sorry, I am not familiar enough with that feature to answer your questions. I did see the document you gave the link to and had the same question regarding the usefulness of the virtual IP facing the internet.

-- Cisco da Gama (ciscodagama)

Thank you anyway, I'll bother you with one last question then ;-)

In the configuration you're more familiar with, scenario 4 from the Networkers presentation, how are the routing updates coming from remote peers through GRE tunnels propagated by the HSRP routers? I mean: will a router with one interface on the same network segment as the two HSRP routers (.67 in that diagram), which needs to reach a network behind the remote peer, find in its routing table entries pointing to the GRE tunnels or to the virtual IP? I want all of my traffic to exit through the active router, but if I find myself with two routes whose next hops are the two tunnels, what happens?

-- profile0104

I believe it will be neither. The routing table for a router on the same network segment as the pair of HSRP routers will have next hops pointing at the physical IP addresses of the HSRP routers' interfaces on that segment (.65 and .66 in this case).

You should see equal-cost paths through the two HSRP routers with .65 and .66 as the next hops, and traffic to the remote peer will be load-balanced over the two equal-cost paths.

-- Cisco da Gama (ciscodagama)
