Re: GRE high availability with HSRP routers



profile0104 wrote:
Though very useful, the presentation does not completely cover my case.
To sum it up:

1) Main site has 2 routers in HSRP, with one external VIP and one
internal VIP.

When you write VIP, do you mean virtual IP? What do you mean by
external/internal VIPs?

The two routers running HSRP are one end of the IPSec connection.
What's at the other end?

2) I want to set up GRE over IPSec.
3) Documentation I found suggests using the external VIP as the tunnel
source

The tunnel source will be the IP address of the physical interface the
tunnel is bound to at the local end, and the tunnel destination will be
the IP address of the physical interface that is the destination of the
tunnel. Note that these tunnel source and destination IP addresses are
not the HSRP virtual IP addresses.

4) But what's the tunnel's interface (the one I will use with dynamic
routing)? Can (must) I configure two different tunnel interfaces?

You will have to configure one tunnel interface on each of the HSRP
routers, and two tunnel interfaces (pointing at each of the HSRP
routers) on the far end router. Then you will run transport mode IPSec
on the GRE tunnels and also run a routing protocol over the tunnels.
The routing protocol will allow you to load-balance over the two GRE
tunnels. When one HSRP router goes down, the routing protocol will
converge and stop using the GRE tunnel pointing at the HSRP router that
is now down. Note carefully the config of the routing protocol in the
example, with passive interface commands, that makes sure, using the
routing protocol, that the tunnel of the HSRP router that goes down is
no longer used by the far-end router.

Cisco da Gama
http://ciscostudy.blogspot.com
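
A far-end router configuration matching the design described in the reply above, added here as an illustration; it is not from the original post or from the presentation the thread refers to. All addresses, interface names, profile names, the EIGRP AS number and the key placeholders are assumptions, and the use of `passive-interface default` is one possible reading of the "passive interface commands" mentioned.

```ios
! Far-end router (constructed example, placeholder values throughout)
! 198.51.100.2 / 198.51.100.3 = physical WAN addresses of HSRP routers A and B
! (not the HSRP virtual IP); GigabitEthernet0/0 = this router's WAN interface
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <PSK-ROUTER-A> address 198.51.100.2
crypto isakmp key <PSK-ROUTER-B> address 198.51.100.3
!
! Transport mode: GRE already provides the outer IP header
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile GRE-PROT-A
 set transform-set GRE-TS
crypto ipsec profile GRE-PROT-B
 set transform-set GRE-TS
!
interface Tunnel0
 description GRE over IPSec to HSRP router A
 ip address 10.255.0.2 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.2
 tunnel protection ipsec profile GRE-PROT-A
!
interface Tunnel1
 description GRE over IPSec to HSRP router B
 ip address 10.255.0.6 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.3
 tunnel protection ipsec profile GRE-PROT-B
!
! Routing protocol runs only over the two tunnels; equal-cost routes
! learned from A and B load-balance, and a dead neighbor's routes are withdrawn
router eigrp 100
 network 10.255.0.0 0.0.0.7
 network 10.20.0.0 0.0.255.255
 passive-interface default
 no passive-interface Tunnel0
 no passive-interface Tunnel1
```

Each HSRP router carries the mirror image with a single tunnel interface pointing at the far-end router's physical address. Binding `tunnel protection` to every tunnel interface keeps the routing protocol and user traffic from crossing the WAN as cleartext GRE.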
