{"id":835,"date":"2009-10-12T19:26:31","date_gmt":"2009-10-13T01:26:31","guid":{"rendered":"http:\/\/gregsowell.com\/?p=835"},"modified":"2009-10-12T19:26:31","modified_gmt":"2009-10-13T01:26:31","slug":"cisco-%e2%80%93-ipsec-tunnel-termination-via-hsrp","status":"publish","type":"post","link":"https:\/\/gregsowell.com\/?p=835","title":{"rendered":"Cisco \u2013 IPSec Tunnel Termination via HSRP"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-836\" title=\"hsrpIpsec\" src=\"http:\/\/gregsowell.com\/wp-content\/uploads\/2009\/10\/hsrpIpsec.JPG\" alt=\"hsrpIpsec\" width=\"1042\" height=\"292\" srcset=\"https:\/\/gregsowell.com\/wp-content\/uploads\/2009\/10\/hsrpIpsec.JPG 1042w, https:\/\/gregsowell.com\/wp-content\/uploads\/2009\/10\/hsrpIpsec-300x84.jpg 300w, https:\/\/gregsowell.com\/wp-content\/uploads\/2009\/10\/hsrpIpsec-1024x286.jpg 1024w\" sizes=\"auto, (max-width: 1042px) 100vw, 1042px\" \/><\/p>\n<table border=\"0\">\n<tbody>\n<tr>\n<td>James ran into this one the other day, and I found it interesting.  If you have routers configured for high availability(HA) using hot stand-by routing protocol(HSRP) and you are doing straight IPSec tunnels, how would one go about terminating the tunnel on the virtual HSRP IP address?  First, why would you want to do this?<\/p>\n<p>You would most likely want to do this so that you can create a policy at remote sites that won\u2019t break.  With straight IPSec tunnels, you can\u2019t specify multiple crypto maps that leverage identical address space in the match ACLs.  An easy fix in the scenario is to peer your IPSec tunnel with the HSRP address of your hub site.  This way when the routers fail over, your VPN tunnel will failover also.<\/p>\n<p>How do we configure all of this goodness?<\/p>\n<p>Remote Config:<br \/>\n<!--DEVFMTCODE--><\/p>\n<pre title=\"Text\">\r\n<div>\r\n<ol>\r\n\t<li>!apply the crypto map to the outside interface<\/li>\r\n\t<li>interface Fa0\/0<\/li>\r\n\t<li>ip address 1.1.1.1 255.255.255.252<\/li>\r\n\t<li>crypto map to-hub<\/li>\r\n\t<li>desc outside<\/li>\r\n\t<li><\/li>\r\n\t<li>interface Fa0\/1<\/li>\r\n\t<li>ip address 192.168.1.1 255.255.255.0<\/li>\r\n\t<li>desc inside<\/li>\r\n\t<li>!route map to clear the do not fragment bit on tunnel traffic<\/li>\r\n\t<li>ip policy route-map clear-df<\/li>\r\n\t<li><\/li>\r\n\t<li>!our policy<\/li>\r\n\t<li>crypto isakmp policy 1<\/li>\r\n\t<li> encr 3des<\/li>\r\n\t<li> authentication pre-share<\/li>\r\n\t<li> group 2<\/li>\r\n\t<li> lifetime 14400<\/li>\r\n\t<li><\/li>\r\n\t<li>!key for hub<\/li>\r\n\t<li>crypto isakmp key test address 2.2.2.4<\/li>\r\n\t<li>!transform set<\/li>\r\n\t<li>crypto ipsec transform-set to-hub esp-3des esp-sha-hmac<\/li>\r\n\t<li><\/li>\r\n\t<li>!the actual crypto map<\/li>\r\n\t<li>crypto map to-hub 10 ipsec-isakmp<\/li>\r\n\t<li> set peer 2.2.2.4<\/li>\r\n\t<li> set transform-set to-hub<\/li>\r\n\t<li> match address hub<\/li>\r\n\t<li><\/li>\r\n\t<li>!interesting traffic ACL<\/li>\r\n\t<li>ip access-list extended hub<\/li>\r\n\t<li> remark Allow access though tunnel to hub<\/li>\r\n\t<li> permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255<\/li>\r\n\t<li><\/li>\r\n\t<li>!nat acl.  We are denying access to tunnel traffic<\/li>\r\n\t<li>ip access-list extended NAT<\/li>\r\n\t<li> deny   ip any 192.168.0.0 0.0.255.255<\/li>\r\n\t<li> permit ip any any<\/li>\r\n\t<li><\/li>\r\n\t<li>!this is the ACL for the clear DF routemap<\/li>\r\n\t<li>ip access-list extended clear-df<\/li>\r\n\t<li> permit tcp any 192.168.0.0 0.0.255.255<\/li>\r\n\t<li><\/li>\r\n\t<li>!nat statement<\/li>\r\n\t<li>ip nat inside source list NAT interface FastEthernet0\/0 overload<\/li>\r\n\t<li><\/li>\r\n\t<li>!clear DF route map<\/li>\r\n\t<li>route-map clear-df permit 10<\/li>\r\n\t<li> match ip address clear-df<\/li>\r\n\t<li> set ip df 0<\/li>\r\n<\/ol>\r\n<\/div><\/pre>\n<p><!--END_DEVFMTCODE--><br \/>\nThe remote config is straight forward. <\/p>\n<p>RTR-1 Config:<br \/>\n<!--DEVFMTCODE--><\/p>\n<pre title=\"Text\">\r\n<div>\r\n<ol>\r\n\t<li>!apply the crypto map to the outside interface<\/li>\r\n\t<li>interface Fa0\/0<\/li>\r\n\t<li>ip address 2.2.2.2 255.255.255.248<\/li>\r\n\t<li>!notice that the crypto map is using the redundancy command<\/li>\r\n\t<li>! we specify the name of the standby group<\/li>\r\n\t<li>! this will source the tunnel from the standby address<\/li>\r\n\t<li>crypto map to-remote redundancy ha-out<\/li>\r\n\t<li>desc outside<\/li>\r\n\t<li>!here's the HSRP config info<\/li>\r\n\t<li>standby delay minimum 30 reload 60<\/li>\r\n\t<li>standby 1 ip 2.2.2.4<\/li>\r\n\t<li>standby 1 timers 1 10<\/li>\r\n\t<li>standby 1 preempt<\/li>\r\n\t<li>!name of the hsrp group reference by the crypto map<\/li>\r\n\t<li>standby 1 name ha-out<\/li>\r\n\t<li>standby 1 track fa0\/1<\/li>\r\n\t<li><\/li>\r\n\t<li>interface Fa0\/1<\/li>\r\n\t<li>ip address 192.168.2.1 255.255.255.0<\/li>\r\n\t<li>desc inside<\/li>\r\n\t<li>!route map to clear the do not fragment bit on tunnel traffic<\/li>\r\n\t<li>ip policy route-map clear-df<\/li>\r\n\t<li><\/li>\r\n\t<li>!our policy<\/li>\r\n\t<li>crypto isakmp policy 1<\/li>\r\n\t<li> encr 3des<\/li>\r\n\t<li> authentication pre-share<\/li>\r\n\t<li> group 2<\/li>\r\n\t<li> lifetime 14400<\/li>\r\n\t<li><\/li>\r\n\t<li>!key for remote<\/li>\r\n\t<li>crypto isakmp key test address 1.1.1.1<\/li>\r\n\t<li>!transform set<\/li>\r\n\t<li>crypto ipsec transform-set to-remote esp-3des esp-sha-hmac<\/li>\r\n\t<li><\/li>\r\n\t<li>!the actual crypto map<\/li>\r\n\t<li>crypto map to-remote 10 ipsec-isakmp<\/li>\r\n\t<li> set peer 1.1.1.1<\/li>\r\n\t<li> set transform-set to-remote<\/li>\r\n\t<li> match address remote<\/li>\r\n\t<li><\/li>\r\n\t<li>!interesting traffic ACL<\/li>\r\n\t<li>ip access-list extended remote<\/li>\r\n\t<li> remark Allow access though tunnel to remote<\/li>\r\n\t<li> permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255<\/li>\r\n\t<li><\/li>\r\n\t<li>!nat acl.  We are denying access to tunnel traffic<\/li>\r\n\t<li>ip access-list extended NAT<\/li>\r\n\t<li> deny   ip any 192.168.0.0 0.0.255.255<\/li>\r\n\t<li> permit ip any any<\/li>\r\n\t<li><\/li>\r\n\t<li>!this is the ACL for the clear DF routemap<\/li>\r\n\t<li>ip access-list extended clear-df<\/li>\r\n\t<li> permit tcp any 192.168.0.0 0.0.255.255<\/li>\r\n\t<li><\/li>\r\n\t<li>!nat statement<\/li>\r\n\t<li>ip nat inside source list NAT interface FastEthernet0\/0 overload<\/li>\r\n\t<li><\/li>\r\n\t<li>!clear DF route map<\/li>\r\n\t<li>route-map clear-df permit 10<\/li>\r\n\t<li> match ip address clear-df<\/li>\r\n\t<li> set ip df 0<\/li>\r\n<\/ol>\r\n<\/div><\/pre>\n<p><!--END_DEVFMTCODE--> <\/p>\n<p>RTR-2 Config:<br \/>\n<!--DEVFMTCODE--><\/p>\n<pre title=\"Text\">\r\n<div>\r\n<ol>\r\n\t<li>!apply the crypto map to the outside interface<\/li>\r\n\t<li>interface Fa0\/0<\/li>\r\n\t<li>ip address 2.2.2.3 255.255.255.248<\/li>\r\n\t<li>!notice that the crypto map is using the redundancy command<\/li>\r\n\t<li>! we specify the name of the standby group<\/li>\r\n\t<li>! this will source the tunnel from the standby address<\/li>\r\n\t<li>crypto map to-remote redundancy ha-out<\/li>\r\n\t<li>desc outside<\/li>\r\n\t<li>!here's the HSRP config info<\/li>\r\n\t<li>standby delay minimum 30 reload 60<\/li>\r\n\t<li>standby 1 ip 2.2.2.4<\/li>\r\n\t<li>standby 1 timers 1 10<\/li>\r\n\t<li>standby 1 preempt<\/li>\r\n\t<li>!name of the hsrp group reference by the crypto map<\/li>\r\n\t<li>standby 1 name ha-out<\/li>\r\n\t<li>standby 1 track fa0\/1<\/li>\r\n\t<li><\/li>\r\n\t<li>interface Fa0\/1<\/li>\r\n\t<li>ip address 192.168.2.2 255.255.255.0<\/li>\r\n\t<li>desc inside<\/li>\r\n\t<li>!route map to clear the do not fragment bit on tunnel traffic<\/li>\r\n\t<li>ip policy route-map clear-df<\/li>\r\n\t<li><\/li>\r\n\t<li>!our policy<\/li>\r\n\t<li>crypto isakmp policy 1<\/li>\r\n\t<li> encr 3des<\/li>\r\n\t<li> authentication pre-share<\/li>\r\n\t<li> group 2<\/li>\r\n\t<li> lifetime 14400<\/li>\r\n\t<li><\/li>\r\n\t<li>!key for remote<\/li>\r\n\t<li>crypto isakmp key test address 1.1.1.1<\/li>\r\n\t<li>!transform set<\/li>\r\n\t<li>crypto ipsec transform-set to-remote esp-3des esp-sha-hmac<\/li>\r\n\t<li><\/li>\r\n\t<li>!the actual crypto map<\/li>\r\n\t<li>crypto map to-remote 10 ipsec-isakmp<\/li>\r\n\t<li> set peer 1.1.1.1<\/li>\r\n\t<li> set transform-set to-remote<\/li>\r\n\t<li> match address remote<\/li>\r\n\t<li><\/li>\r\n\t<li>!interesting traffic ACL<\/li>\r\n\t<li>ip access-list extended remote<\/li>\r\n\t<li> remark Allow access though tunnel to remote<\/li>\r\n\t<li> permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255<\/li>\r\n\t<li><\/li>\r\n\t<li>!nat acl.  We are denying access to tunnel traffic<\/li>\r\n\t<li>ip access-list extended NAT<\/li>\r\n\t<li> deny   ip any 192.168.0.0 0.0.255.255<\/li>\r\n\t<li> permit ip any any<\/li>\r\n\t<li><\/li>\r\n\t<li>!this is the ACL for the clear DF routemap<\/li>\r\n\t<li>ip access-list extended clear-df<\/li>\r\n\t<li> permit tcp any 192.168.0.0 0.0.255.255<\/li>\r\n\t<li><\/li>\r\n\t<li>!nat statement<\/li>\r\n\t<li>ip nat inside source list NAT interface FastEthernet0\/0 overload<\/li>\r\n\t<li><\/li>\r\n\t<li>!clear DF route map<\/li>\r\n\t<li>route-map clear-df permit 10<\/li>\r\n\t<li> match ip address clear-df<\/li>\r\n\t<li> set ip df 0<\/li>\r\n<\/ol>\r\n<\/div><\/pre>\n<p><!--END_DEVFMTCODE--><br \/>\nHere in the HSRP router configs you will notice that there are two new commands. The redundancy command was added to the cyrpto map interface command and the name command was used on the standby group. You name the standby group and then reference this in the crypto statement. What this does is source the IPSec tunnel from the HSRP virtual IP.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>James ran into this one the other day, and I found it interesting. If you have routers configured for high availability(HA) using hot stand-by\u2026<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[16,8],"tags":[],"class_list":["post-835","post","type-post","status-publish","format-standard","hentry","category-cisco","category-networking"],"_links":{"self":[{"href":"https:\/\/gregsowell.com\/index.php?rest_route=\/wp\/v2\/posts\/835","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/gregsowell.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/gregsowell.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/gregsowell.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/gregsowell.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=835"}],"version-history":[{"count":1,"href":"https:\/\/gregsowell.com\/index.php?rest_route=\/wp\/v2\/posts\/835\/revisions"}],"predecessor-version":[{"id":837,"href":"https:\/\/gregsowell.com\/index.php?rest_route=\/wp\/v2\/posts\/835\/revisions\/837"}],"wp:attachment":[{"href":"https:\/\/gregsowell.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=835"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/gregsowell.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=835"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/gregsowell.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=835"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}