I was going over the configuration of an IOS site-to-site VPN using HSRP and RRI (reverse route injection). It is a relatively easy thing to configure, but I ran into a few snags. I used three routers: two for the HSRP pair, AKA the "VPN hub", and one to represent my remote site. The mistakes I made were easy to fix once I realized I had made them.
I'll label the first router I configured in the HSRP pair as "Site A". In the config below the key lines are reverse-route, the HSRP configuration and the crypto map binding, and those are the ones discussed here. I started by doing my config in Notepad so I could copy, edit and then paste the config to the other two routers. The typical IPsec config comes into play here:
1. Configure isakmp policy
2. Configure the isakmp pre-share key
3. Configure the Crypto Map
4. Apply the crypto map to the interface
The first key item is "reverse-route". For redundancy this is important. It tells the router to create a static route in its routing table for the remote networks defined in the crypto map's match ACL, with the VPN peer as the next hop. That static can then be redistributed via a routing protocol, which tells the rest of the network how to get to the remote site. When used with HSRP and the crypto map redundancy command, the route is created while the interface in the HSRP pair is in the active state and removed when the state changes. Up to this point I was good to go.
The next key item is the HSRP config and the crypto map being applied to the interface with the redundancy keyword, which ties the crypto map to the standby group so the tunnel terminates on the HSRP virtual address and follows the active router. I wasn't tracking any other interface, so when testing I just did a shut on the fa0/1 interface. The items that got me in a snag were the default route and then the routing protocol.
Why would the default route be a problem? Well, I'm kind of embarrassed; I spent a good hour trying to get my test VPN working. I kept checking my VPN config several times, comparing each peer. Everything looked good. I pinged all the physical interfaces with no issues. Any traffic that was deemed "interesting" was not triggering the tunnel. I had my debugs on (debug crypto isakmp, debug crypto ipsec) and saw nothing. I then took a break and came back. I started thinking: why is my matching ACL not working? It then hit me. The traffic was getting dropped because there was no route to the destination. A crypto map only sees packets that are being forwarded out the interface it is applied to, so with nothing to push the packet toward that interface the match ACL is never consulted and no debug output appears. I went back in and added default routes to all my routers, then BAM! My pings yielded tunnel-building results!
Everything looked good. Now I had to test the failed condition to ensure my config worked if the fa0/1 interface on Site A were to go down. On Site C I set up a constant ping to Site A's fa0/0 interface. I did a shut on Site A's fa0/1, HSRP successfully changed state and Site B was now the active HSRP router. The new tunnels were set up but my ping was failing. This was a little bit easier to figure out. A quick "sh ip route" on Site A showed that no route existed back to Site C's internal network. Since the HSRP state had changed, the RRI static route had been removed from Site A (and its default route went away with the shut interface); the route now existed only on Site B. I realized I needed a routing protocol to propagate the static route added by the crypto map reverse-route and redundancy commands from whichever router is active to the other. I configured RIP because it is quick and easy. Instantly my traffic started seeing replies again.
The main problem is I always seem to want to rush, and in doing that I forget the basics. If I could learn one lesson it would be to always start at layer 1 and work my way up, although most environments are in somewhat of a working condition. Configs are listed below.
It is important to note that keepalives are critical here. If you don't configure keepalives or DPD, the remote site's SA will not be renegotiated promptly and will be forced to wait for the lifetime to expire. Keepalives or DPD check whether the peer is still there; if the peer is unresponsive the SA is torn down and a new one can be negotiated to the new active VPN router. Two things worth knowing beyond what was tested: "crypto isakmp keepalive" is on-demand by default, so DPD probes are only sent when the router has traffic to send and has heard nothing back, which works with a constant ping but can delay detection on an idle tunnel (the periodic keyword sends probes at the configured interval regardless). And the policies below use 3DES, MD5/SHA-1 and DH group 2, which current IOS releases flag as deprecated; the HSRP/RRI mechanics are the same with AES and group 14 or higher.
Site A:
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 group 2
 hash sha
!
crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac
!
crypto isakmp key password address 192.168.55.1
!
access-list 101 permit ip 192.168.56.0 0.0.0.255 192.168.54.0 0.0.0.255
!
! keepalives (DPD) so the remote site notices when this peer goes away
crypto isakmp keepalive 10 2
!
crypto map vpnmap 10 ipsec-isakmp
 set peer 192.168.55.1
 set transform-set 3DES-MD5
 match address 101
 ! RRI: install a static route for the remote network in ACL 101 while this router is HSRP active
 reverse-route
!
interface FastEthernet0/0
 ip address 192.168.56.1 255.255.255.0
 no shutdown
!
interface FastEthernet0/1
 ip address 192.168.55.2 255.255.255.0
 no shutdown
 standby name vpnpair
 standby ip 192.168.55.5
 ! bind the crypto map to the HSRP group: the tunnel uses the virtual IP and follows the active router
 crypto map vpnmap redundancy vpnpair
!
! without a route toward the crypto interface, interesting traffic is dropped before the crypto map is consulted
ip route 0.0.0.0 0.0.0.0 192.168.55.1
!
router rip
 no auto-summary
 network 192.168.56.0
 ! advertise the RRI static so the other HSRP member learns the remote network after a failover
 redistribute static
Site B:
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 group 2
 hash sha
!
crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac
!
crypto isakmp key password address 192.168.55.1
!
access-list 101 permit ip 192.168.56.0 0.0.0.255 192.168.54.0 0.0.0.255
!
crypto isakmp keepalive 10 2
!
crypto map vpnmap 10 ipsec-isakmp
 set peer 192.168.55.1
 set transform-set 3DES-MD5
 match address 101
 reverse-route
!
interface FastEthernet0/0
 ip address 192.168.56.2 255.255.255.0
 no shutdown
!
interface FastEthernet0/1
 ip address 192.168.55.3 255.255.255.0
 no shutdown
 standby name vpnpair
 standby ip 192.168.55.5
 crypto map vpnmap redundancy vpnpair
!
ip route 0.0.0.0 0.0.0.0 192.168.55.1
!
router rip
 no auto-summary
 network 192.168.56.0
 redistribute static
Site C: (Remote Site)
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 group 2
 hash sha
!
crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac
!
! the pre-shared key is tied to the hub's HSRP virtual address, not to either physical hub address
crypto isakmp key password address 192.168.55.5
!
access-list 101 permit ip 192.168.54.0 0.0.0.255 192.168.56.0 0.0.0.255
!
crypto isakmp keepalive 10 2
!
crypto map vpnmap 10 ipsec-isakmp
 ! peer with the HSRP virtual IP so the tunnel re-forms to whichever hub router is active
 set peer 192.168.55.5
 set transform-set 3DES-MD5
 match address 101
!
interface FastEthernet0/0
 ip address 192.168.55.1 255.255.255.0
 no shutdown
 crypto map vpnmap
!
interface Loopback0
 ip address 192.168.54.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.168.55.5
!
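The two snags above (no route toward the crypto interface, and no redistribution of the RRI static) and the usual peer-config mismatches are all things that can be checked mechanically before bringing a tunnel up. The following is an added example, not tooling from this post: a small Python checker that parses running-config style text (full keywords as "show running-config" prints them; the abbreviations typed in the post are not handled) for a hub/remote pair and reports what is inconsistent. The embedded configs are trimmed copies of Site A and Site C; the "broken" variant is constructed here by stripping the two lines the post initially lacked.

```python
"""Consistency checker for the HSRP + RRI site-to-site VPN lab above.

Added example, not the post's own tooling. Checks: peer/PSK/VIP agreement,
mirrored crypto ACLs, reverse-route plus HSRP redundancy on the hub crypto
map, a default route on each side so interesting traffic reaches the crypto
interface, and redistribution of the RRI static into the routing protocol.
"""
import ipaddress
import re


def wc_to_net(addr, wildcard):
    """IOS 'address wildcard' -> network; the wildcard is an inverted mask."""
    mask = ipaddress.IPv4Address(~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_ios(text):
    """Pull out only the elements the checks need; everything else is ignored."""
    cfg = {"psk": {}, "peers": [], "acls": {}, "match_acl": None, "intf_ips": [],
           "reverse_route": False, "redundancy": None, "standby_name": None,
           "standby_ip": None, "default_route": None, "redistribute_static": False}
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"crypto isakmp key (\S+) address (\S+)$", line):
            cfg["psk"][m.group(2)] = m.group(1)          # key indexed by peer address
        elif m := re.match(r"set peer (\S+)", line):
            cfg["peers"].append(m.group(1))
        elif m := re.match(r"access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)", line):
            cfg["acls"].setdefault(m.group(1), []).append(
                (wc_to_net(m.group(2), m.group(3)), wc_to_net(m.group(4), m.group(5))))
        elif m := re.match(r"match address (\d+)", line):
            cfg["match_acl"] = m.group(1)
        elif line == "reverse-route":
            cfg["reverse_route"] = True
        elif m := re.match(r"crypto map \S+ redundancy (\S+)", line):   # interface-level binding
            cfg["redundancy"] = m.group(1)
        elif m := re.match(r"standby(?: \d+)? name (\S+)", line):
            cfg["standby_name"] = m.group(1)
        elif m := re.match(r"standby(?: \d+)? ip (\S+)", line):
            cfg["standby_ip"] = m.group(1)
        elif m := re.match(r"ip address (\S+) \S+", line):
            cfg["intf_ips"].append(m.group(1))
        elif m := re.match(r"ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)", line):
            cfg["default_route"] = m.group(1)
        elif line == "redistribute static":
            cfg["redistribute_static"] = True
    return cfg


def check_hub_remote(hub, remote):
    """Return a list of findings; an empty list means the pair is consistent."""
    f = []
    vip, peer = hub["standby_ip"], (hub["peers"] or [None])[0]
    if vip not in remote["peers"]:
        f.append(f"remote does not peer with the hub VIP {vip}")
    if peer not in remote["intf_ips"]:
        f.append(f"hub peer {peer} is not an address on the remote")
    if hub["psk"].get(peer) is None or hub["psk"].get(peer) != remote["psk"].get(vip):
        f.append("pre-shared keys missing or different (check the 'address' on each side)")
    hub_acl = hub["acls"].get(hub["match_acl"], [])
    rem_acl = remote["acls"].get(remote["match_acl"], [])
    if {(s, d) for s, d in hub_acl} != {(d, s) for s, d in rem_acl}:   # must be mirror images
        f.append("crypto ACLs are not mirror images of each other")
    if not hub["reverse_route"]:
        f.append("hub crypto map lacks reverse-route")
    if hub["standby_name"] is None or hub["redundancy"] != hub["standby_name"]:
        f.append("hub crypto map is not bound to the interface's standby group")
    for name, c in (("hub", hub), ("remote", remote)):
        if c["default_route"] is None:
            f.append(f"{name} has no default route: interesting traffic is dropped before the crypto map sees it")
    if not hub["redistribute_static"]:
        f.append("hub does not redistribute static: the RRI route never reaches the other HSRP member")
    return f


# Trimmed copies of the Site A and Site C configs from the post (sample input).
SITE_A = """crypto isakmp key password address 192.168.55.1
access-list 101 permit ip 192.168.56.0 0.0.0.255 192.168.54.0 0.0.0.255
crypto map vpnmap 10 ipsec-isakmp
 set peer 192.168.55.1
 match address 101
 reverse-route
interface FastEthernet0/1
 ip address 192.168.55.2 255.255.255.0
 standby name vpnpair
 standby ip 192.168.55.5
 crypto map vpnmap redundancy vpnpair
ip route 0.0.0.0 0.0.0.0 192.168.55.1
router rip
 redistribute static
"""
SITE_C = """crypto isakmp key password address 192.168.55.5
access-list 101 permit ip 192.168.54.0 0.0.0.255 192.168.56.0 0.0.0.255
crypto map vpnmap 10 ipsec-isakmp
 set peer 192.168.55.5
 match address 101
interface FastEthernet0/0
 ip address 192.168.55.1 255.255.255.0
 crypto map vpnmap
ip route 0.0.0.0 0.0.0.0 192.168.55.5
"""
# Constructed failure case: Site A without the two lines the post initially lacked.
SITE_A_BROKEN = "\n".join(l for l in SITE_A.splitlines()
                          if not l.strip().startswith(("ip route", "redistribute")))

if __name__ == "__main__":
    for label, cfg in (("as posted", SITE_A), ("missing route/redistribution", SITE_A_BROKEN)):
        print(label, check_hub_remote(parse_ios(cfg), parse_ios(SITE_C)) or ["OK"])
```

Running it reports "OK" for the posted pair and two findings for the constructed variant, one for the missing default route and one for the missing redistribution; point it at the output of "show running-config" from each router to check a real pair.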