
Redundant VPN Connections Using RRI and HSRP

jgiardina
Level 1

Hi, I have a few questions regarding RRI and HSRP. I think I have the gist of this, but would like to run it by someone.

In the attached diagram, I simply have two Internet connected routers (Router A and Router B) that will establish IPSEC tunnels to PIX A.

The inside interfaces on Router A and Router B will be part of the HSRP group to provide the IP 172.16.1.1 as the default gateway on PIX B.

I can establish the IPSEC tunnels to PIX A, as well as configure HSRP on the 172.16.1.0 network.

I guess my question is:

How do I configure RRI on Router A and Router B to get this solution working?

Also, is this the recommended configuration for this type of redundant IPSEC connectivity?

1 Reply

thomas.chen
Level 6

Router (config)# crypto map map-name seq-num ipsec-isakmp

Adds a dynamic crypto map set to a static crypto map set and enters interface configuration mode.

Step 2

Router (config-if)# set peer ip address

Specifies an IPSec peer IP address in a crypto map entry.

Step 3

Router (config-if)# reverse-route

Dynamically creates static routes based on crypto access control lists (ACLs).

Step 4

Router (config-if)# match address

Specifies an extended access list for a crypto map entry.

Step 5

Router (config-if)# set transform-set

Specifies which transform sets are allowed for the crypto map entry. Lists multiple transform sets in order of priority (highest priority first).

Configuring HSRP with IPSEC

Step 1

Router (config)# interface type slot/port

Specifies an interface and enters interface configuration mode.

Step 2

Router (config-if)# standby name group-name

Specifies the standby group name (required).

Step 3

Router (config-if)# standby ip ip-address

Specifies the IP address of the standby groups (required for one device in the group).

Step 4

Router (config-if)# crypto map map-name redundancy [standby-name]

Specifies IP redundancy address as the tunnel endpoint for IPSec.
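
The two procedures above combined into one configuration for Router A, as an added example that is not part of the original reply. It assumes the HSRP group runs on the interface that carries the crypto map, since that is the address the `redundancy` keyword uses as the tunnel endpoint; the map, transform-set and group names, the pre-shared key placeholder, and the 192.0.2.x, 198.51.100.10 and 10.10.0.0/24 addresses are all constructed.

```cisco
! Added example: constructed names and addresses, not taken from the thread.
! IKE phase 1 toward PIX A (198.51.100.10 is a placeholder peer address)
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key <PRE-SHARED-KEY> address 198.51.100.10
!
crypto ipsec transform-set TS-EXAMPLE esp-aes 256 esp-sha-hmac
!
! Crypto ACL: local 172.16.1.0/24 (from the question) to the
! assumed network behind PIX A
access-list 110 permit ip 172.16.1.0 0.0.0.255 10.10.0.0 0.0.0.255
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 198.51.100.10
 set transform-set TS-EXAMPLE
 match address 110
 ! RRI: installs a static route for the ACL's destination network
 reverse-route
!
interface FastEthernet0/0
 description Segment shared by Router A and Router B (assumed)
 ip address 192.0.2.2 255.255.255.0
 standby ip 192.0.2.1
 standby priority 110
 standby preempt
 standby name VPN-HA
 ! Bind the crypto map to the HSRP group: the virtual IP 192.0.2.1
 ! becomes the local tunnel endpoint, so PIX A peers with 192.0.2.1
 crypto map VPN-MAP redundancy VPN-HA
!
! Router B carries the same configuration with its own interface
! address (for example 192.0.2.3) and the default standby priority.
```

`show standby brief` shows which router currently holds the virtual IP, and `show ip route static` on that router lists the route that `reverse-route` created.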
