James ran into this one the other day, and I found it interesting. If you have routers configured for high availability (HA) using the Hot Standby Router Protocol (HSRP) and you are doing straight IPSec tunnels, how would one go about terminating the tunnel on the virtual HSRP IP address? First, why would you want to do this?
You would most likely want to do this so that the policy at the remote sites keeps working when a hub router fails. With straight IPSec tunnels, the remote router cannot carry two crypto map entries whose match ACLs cover the same address space (one pointing at each hub router), so there is no clean way to express "use hub router 1, and fall back to hub router 2" in the crypto map. An easy fix in this scenario is to peer the remote's IPSec tunnel with the HSRP virtual address of the hub site. The virtual address moves with whichever router is active, so when the hub routers fail over, the VPN tunnel fails over with them.
How do we configure all of this goodness?
Remote Config:
```
! apply the crypto map to the outside interface
interface FastEthernet0/0
 description outside
 ip address 1.1.1.1 255.255.255.252
 ! ip nat outside/inside are required by the NAT statement below
 ! (the original listing omitted them)
 ip nat outside
 crypto map to-hub
!
interface FastEthernet0/1
 description inside
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ! route map to clear the do-not-fragment bit on tunnel traffic
 ip policy route-map clear-df
!
! our ISAKMP (IKE phase 1) policy
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 14400
! pre-shared key for the hub; the address is the hub's HSRP virtual IP
crypto isakmp key test address 2.2.2.4
! transform set
crypto ipsec transform-set to-hub esp-3des esp-sha-hmac
! the actual crypto map; the peer is the hub's HSRP virtual IP
crypto map to-hub 10 ipsec-isakmp
 set peer 2.2.2.4
 set transform-set to-hub
 match address hub
! interesting traffic ACL
ip access-list extended hub
 remark Allow access through tunnel to hub
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
! NAT ACL: tunnel traffic must not be translated, so deny it here
ip access-list extended NAT
 deny ip any 192.168.0.0 0.0.255.255
 permit ip any any
! this is the ACL for the clear-DF route map
ip access-list extended clear-df
 permit tcp any 192.168.0.0 0.0.255.255
! NAT statement
ip nat inside source list NAT interface FastEthernet0/0 overload
! clear-DF route map
route-map clear-df permit 10
 match ip address clear-df
 set ip df 0
```
The remote config is straightforward. The only thing that ties it to the HSRP design is that both the `set peer` line and the `crypto isakmp key ... address` line use the hub's virtual IP (2.2.2.4), never a physical address of either hub router. The pre-shared key `test` and the 3DES/SHA-1/DH group 2 policy are placeholders from the lab; use a strong key and a current cipher suite in production.
RTR-1 Config:
```
! apply the crypto map to the outside interface
interface FastEthernet0/0
 description outside
 ip address 2.2.2.2 255.255.255.248
 ! ip nat outside/inside are required by the NAT statement below
 ! (the original listing omitted them)
 ip nat outside
 ! notice that the crypto map is applied with the redundancy keyword;
 ! we specify the name of the standby group, which sources the tunnel
 ! from the standby (virtual) address
 crypto map to-remote redundancy ha-out
 ! here's the HSRP config
 standby delay minimum 30 reload 60
 standby 1 ip 2.2.2.4
 standby 1 timers 1 10
 standby 1 preempt
 ! name of the HSRP group referenced by the crypto map
 standby 1 name ha-out
 standby 1 track FastEthernet0/1
!
interface FastEthernet0/1
 description inside
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ! route map to clear the do-not-fragment bit on tunnel traffic
 ip policy route-map clear-df
!
! our ISAKMP (IKE phase 1) policy; must be identical on both hub routers
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 14400
! pre-shared key for the remote; must be identical on both hub routers
crypto isakmp key test address 1.1.1.1
! transform set
crypto ipsec transform-set to-remote esp-3des esp-sha-hmac
! the actual crypto map
crypto map to-remote 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set to-remote
 match address remote
! interesting traffic ACL
ip access-list extended remote
 remark Allow access through tunnel to remote
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
! NAT ACL: tunnel traffic must not be translated, so deny it here
ip access-list extended NAT
 deny ip any 192.168.0.0 0.0.255.255
 permit ip any any
! this is the ACL for the clear-DF route map
ip access-list extended clear-df
 permit tcp any 192.168.0.0 0.0.255.255
! NAT statement
ip nat inside source list NAT interface FastEthernet0/0 overload
! clear-DF route map
route-map clear-df permit 10
 match ip address clear-df
 set ip df 0
```
RTR-2 Config:
```
! apply the crypto map to the outside interface
interface FastEthernet0/0
 description outside
 ip address 2.2.2.3 255.255.255.248
 ! ip nat outside/inside are required by the NAT statement below
 ! (the original listing omitted them)
 ip nat outside
 ! notice that the crypto map is applied with the redundancy keyword;
 ! we specify the name of the standby group, which sources the tunnel
 ! from the standby (virtual) address
 crypto map to-remote redundancy ha-out
 ! here's the HSRP config; same group number, virtual IP and name as RTR-1
 standby delay minimum 30 reload 60
 standby 1 ip 2.2.2.4
 standby 1 timers 1 10
 standby 1 preempt
 ! name of the HSRP group referenced by the crypto map
 standby 1 name ha-out
 standby 1 track FastEthernet0/1
!
interface FastEthernet0/1
 description inside
 ip address 192.168.2.2 255.255.255.0
 ip nat inside
 ! route map to clear the do-not-fragment bit on tunnel traffic
 ip policy route-map clear-df
!
! our ISAKMP (IKE phase 1) policy; must be identical on both hub routers
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 14400
! pre-shared key for the remote; must be identical on both hub routers
crypto isakmp key test address 1.1.1.1
! transform set
crypto ipsec transform-set to-remote esp-3des esp-sha-hmac
! the actual crypto map
crypto map to-remote 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set to-remote
 match address remote
! interesting traffic ACL
ip access-list extended remote
 remark Allow access through tunnel to remote
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
! NAT ACL: tunnel traffic must not be translated, so deny it here
ip access-list extended NAT
 deny ip any 192.168.0.0 0.0.255.255
 permit ip any any
! this is the ACL for the clear-DF route map
ip access-list extended clear-df
 permit tcp any 192.168.0.0 0.0.255.255
! NAT statement
ip nat inside source list NAT interface FastEthernet0/0 overload
! clear-DF route map
route-map clear-df permit 10
 match ip address clear-df
 set ip df 0
```
Here in the HSRP router configs you will notice two new commands. The `redundancy` keyword was added to the `crypto map` interface command, and the `name` command was used on the standby group. You name the standby group and then reference that name in the crypto statement; this binds the crypto map to the HSRP group, so IKE and IPSec are sourced from the HSRP virtual IP and only the router that is currently active for the group answers for it. Both hub routers must carry the same crypto map, transform set, ISAKMP policy and pre-shared key, and the group name must match exactly on the `standby` line and the `crypto map` line, or the standby router will not be able to take over the tunnel.

One caveat: this is stateless failover. The standby router holds no IKE or IPSec security associations, so after a failover the remote site has to re-negotiate phase 1 and phase 2 before traffic flows again. Enabling dead peer detection on the remote (`crypto isakmp keepalive 10 periodic`) makes it notice the new router quickly instead of waiting for the old SAs to time out. IOS also has a stateful variant (the `stateful` keyword on the `redundancy` option) that needs additional inter-device redundancy configuration. To verify the setup, `show standby brief` shows which router is active for the group, and `show crypto isakmp sa` and `show crypto ipsec sa` on the active router should show the SAs with local address 2.2.2.4.
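The cross-references above (standby group name to `redundancy` keyword, virtual IP to the remote's `set peer` and pre-shared key address, identical keys on both hubs) are easy to get wrong when pasting configs between two routers, and a typo only shows up when the failover actually happens. As an added example, not the post's own tooling, here is a small Python checker that parses IOS-style config text and verifies those references. The configs embedded in it are constructed from the post's listings, trimmed to the lines the checks need, plus one deliberately broken RTR-2 variant with a misspelled group name.

```python
"""Cross-check an IPsec-on-HSRP-VIP design (hub pair + remote) for the wiring
mistakes that silently break failover. Added example; not the post's tooling."""
import re

# Constructed sample: the remote router from the post (relevant lines only).
REMOTE_CFG = """
crypto isakmp key test address 2.2.2.4
crypto map to-hub 10 ipsec-isakmp
 set peer 2.2.2.4
 set transform-set to-hub
 match address hub
interface FastEthernet0/0
 ip address 1.1.1.1 255.255.255.252
 crypto map to-hub
"""

# Constructed sample: hub router RTR-1 from the post (relevant lines only).
HUB1_CFG = """
interface FastEthernet0/0
 ip address 2.2.2.2 255.255.255.248
 crypto map to-remote redundancy ha-out
 standby 1 ip 2.2.2.4
 standby 1 name ha-out
crypto isakmp key test address 1.1.1.1
crypto map to-remote 10 ipsec-isakmp
 set peer 1.1.1.1
"""

# RTR-2 differs from RTR-1 only in its physical outside address.
HUB2_CFG = HUB1_CFG.replace("2.2.2.2 ", "2.2.2.3 ")

# Constructed failure case: RTR-2 pasted with a typo in the group name, so its
# crypto map is bound to a standby group that does not exist on the router.
HUB2_BROKEN_CFG = HUB2_CFG.replace("redundancy ha-out", "redundancy ha_out")


def standby_groups(cfg):
    """Map standby group number -> {'ip': vip, 'name': name} for whichever are set."""
    groups = {}
    for num, attr, val in re.findall(r"^\s*standby (\d+) (ip|name) (\S+)", cfg, re.M):
        groups.setdefault(num, {})[attr] = val
    return groups


def redundancy_binding(cfg):
    """(crypto map name, standby group name) from 'crypto map X redundancy Y', else None."""
    m = re.search(r"^\s*crypto map (\S+) redundancy (\S+)", cfg, re.M)
    return (m.group(1), m.group(2)) if m else None


def psk_table(cfg):
    """Map peer address -> pre-shared key from 'crypto isakmp key K address A' lines."""
    return {addr: key for key, addr in
            re.findall(r"^\s*crypto isakmp key (\S+) address (\S+)", cfg, re.M)}


def set_peers(cfg):
    """All addresses named in 'set peer' lines."""
    return set(re.findall(r"^\s*set peer (\S+)", cfg, re.M))


def hub_vip(cfg):
    """Virtual IP of the standby group the crypto map is bound to, or None."""
    binding = redundancy_binding(cfg)
    if binding is None:
        return None
    _, grp_name = binding
    for grp in standby_groups(cfg).values():
        if grp.get("name") == grp_name:
            return grp.get("ip")
    return None


def check_hub(cfg, label):
    """Problems local to one hub router: the map -> standby group -> VIP chain."""
    binding = redundancy_binding(cfg)
    if binding is None:
        return [f"{label}: crypto map applied without 'redundancy', so IKE is sourced "
                f"from the physical address and cannot fail over"]
    map_name, grp_name = binding
    if not any(g.get("name") == grp_name for g in standby_groups(cfg).values()):
        return [f"{label}: crypto map {map_name} references standby group name "
                f"'{grp_name}', but no 'standby N name {grp_name}' exists"]
    if hub_vip(cfg) is None:
        return [f"{label}: standby group '{grp_name}' has no 'standby N ip' virtual address"]
    return []


def check_design(remote_cfg, hub_cfgs):
    """Return a list of problems; an empty list means the cross-references line up."""
    problems, vips = [], set()
    for i, cfg in enumerate(hub_cfgs, 1):
        problems += check_hub(cfg, f"hub{i}")
        vip = hub_vip(cfg)
        if vip:
            vips.add(vip)
    if len(vips) != 1:
        problems.append(f"hub routers do not agree on a single HSRP virtual IP: {sorted(vips)}")
        return problems
    vip = vips.pop()
    if vip not in set_peers(remote_cfg):
        problems.append(f"remote: no 'set peer {vip}'; the tunnel is not terminated on the VIP")
    if vip not in psk_table(remote_cfg):
        problems.append(f"remote: no 'crypto isakmp key ... address {vip}'")
    # Every hub must hold the same key for the remote, or only one hub can ever bring the tunnel up.
    if len({tuple(sorted(psk_table(c).items())) for c in hub_cfgs}) != 1:
        problems.append("hub routers do not hold identical ISAKMP pre-shared keys")
    return problems


if __name__ == "__main__":
    for name, hubs in (("good pair", [HUB1_CFG, HUB2_CFG]),
                       ("typo in RTR-2", [HUB1_CFG, HUB2_BROKEN_CFG])):
        print(name, "->", check_design(REMOTE_CFG, hubs) or "OK")
```

The checker only reads the lines the post's design depends on; it does not validate the rest of the crypto map or HSRP syntax. Run it against the real running configs (`show running-config` output pasted into the three strings) before relying on a failover that has not been exercised.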