Setting up a VPN through a HSRP secondary

Toggle sidebar Toggle sidebar
C

cross6

Senior member
Jun 16, 2005
508
0
0
we are trying to restore our vendor connections via vpn since our frame relay circuits are dead


can a vpn go through a HSRP secondary pix and router? - or will I have to split up the hsrp group?

I'm in LA, and it't not pretty :(
 
S

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
Sorry to hear.

I don't believe it can. IPsec has to verify the endpoints of the tunnel.

I'm not sure though.

So you have two pixes on one side running HSRP? And that is the endpoint of some tunnels - a HSRP enabled interface?
 
C

cross6

Senior member
Jun 16, 2005
508
0
0
Originally posted by: spidey07
Sorry to hear.

I don't believe it can. IPsec has to verify the endpoints of the tunnel.

I'm not sure though.

So you have two pixes on one side running HSRP? And that is the endpoint of some tunnels - a HSRP enabled interface?
Click to expand...



HSRP Primary Connection -------- PIX----------Primary HSRP Router

Secondary--------------PIX2-----------------Secondary HSRP Router

we currently use vpn through the primary, but now we will need several more setup and I'm trying to use the bandwidth of our backup dsl connection
 
S

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
well you could use the actualy IP address of the routers instead of HSRP.

HSRP is really only useful to hosts on the local network. Doesn't care about traffic moving through it.

What device are you using the terminate the tunnels? I'd just split them up between your two internal routers, using the real IP address of the interface.

Conversly if the two pixes are not in a failover scenario the tunnels could be terminated on their external addresses.
 
C

cross6

Senior member
Jun 16, 2005
508
0
0
the primary pix is terminating our VPN's we use, which go through the pri router
 
S

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
well then if it isn't a in a failover mode (meaning the other pix is fully licensed and not a redundancy pair), you could just move some of the tunnels over to the other pix. At that point your routing would be responsible.

But now that I think about it, this is a mix of routing and your tunnels. Without having a full diagram and knowing the routing its difficult to guess what would happen.

We need a dang whiteboard.
 
C

cross6

Senior member
Jun 16, 2005
508
0
0
Originally posted by: spidey07
well then if it isn't a in a failover mode (meaning the other pix is fully licensed and not a redundancy pair), you could just move some of the tunnels over to the other pix. At that point your routing would be responsible.

But now that I think about it, this is a mix of routing and your tunnels. Without having a full diagram and knowing the routing its difficult to guess what would happen.

We need a dang whiteboard.
Click to expand...



yes the two pix's are entirely seperate
 
S

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
well move one of the tunnels over and see what happens.

but still, underlying routing is going to dictate what happens. I'm assuming you have two ISPs and hence, two ranges of public address space?
 
C

cross6

Senior member
Jun 16, 2005
508
0
0
we need to create new vpn connections - and we them to go through the secondary pair

 
S

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
Originally posted by: cross6
we need to create new vpn connections - and we them to go through the secondary pair
Click to expand...

Make new VPN tunnel to secondary pix.
Add static route (for the far end network on the other side of the tunnel) on primary HSRP router to point to secondary HSRP router "real" ip address.

That will do what you require with little change/configuration. Do backup all configs of all devices before doing so though. That way it will be easy to get to the state you are at today.
 
C

cross6

Senior member
Jun 16, 2005
508
0
0
Originally posted by: spidey07
Originally posted by: cross6
we need to create new vpn connections - and we them to go through the secondary pair
Click to expand...

Make new VPN tunnel to secondary pix.
Add static route (for the far end network on the other side of the tunnel) on primary HSRP router to point to secondary HSRP router "real" ip address.

That will do what you require with little change/configuration. Do backup all configs of all devices before doing so though. That way it will be easy to get to the state you are at today.
Click to expand...



ok, so just to clarify, I need to add the routes to the Primary HSRP router, even thought the 2nd pix plugs into the secondary router?
 
S

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
That's correct.

All the hosts on the LAN network of the primary router (unless you have other routers inside) will be using the default gateway of the HSPR virtual IP address.

So all traffic is going to go to the HSRP primary router and it has to decide what to do with it. Putting a static route, pointing to the secondary routers "REAL" internal IP address will force the traffic to use the newly created tunnel/path. Of course that is provided the secondary router has a route (it probably just has a single default of 0.0.0.0 pointing to the pix).

Once the pix picks it up it will match the security association of your tunnel, wrap it up in IPsec and send it on its way.

You may want to enable "ip redirects" on the primary router's LAN interface so it will tell hosts "hey dummy! Send your stuff this way" There are security implications with this, but in your case I wouldn't be too concerned.
 
C

cross6

Senior member
Jun 16, 2005
508
0
0
Ok, one of our t1 routers that also does a few vlans is our gateway - don't ask me why, it's how it was setup when I got here

I should probably add the routes to that one then right?
 
You must log in or register to reply here.

TRENDING THREADS

COMPANY
RESOURCES
FOLLOW
Top Bottom