There are many methods of configuring redundancy, and choosing the right one can sometimes be tricky. This is particularly true where security measures are involved, because most firewalls block the easy methods of redundancy, such as running an interior routing protocol like OSPF through them. In the absence of a routing protocol through a firewall, you are often forced to resort to a local method like VRRP (Virtual Router Redundancy Protocol) or HSRP (Hot Standby Router Protocol). The problem is that these protocols typically aren't tied to the state of the IPSec security association (SA).
However, if you're terminating your site-to-site IPSec tunnels on Cisco IOS-based routers you may want to look at some of the newer features. For instance, as of IOS release 12.2(8)T you can use the "redundancy" keyword in your "crypto map" interface commands which lets you use the HSRP address as a tunnel endpoint.
When you combine the "redundancy" feature with Reverse Route Injection (RRI), using the "reverse-route" keyword that also appeared in IOS release 12.2(8)T, you get fairly robust redundancy. In this arrangement, RRI lets the active router in the HSRP group advertise the route to the remote network while the standby router stays silent. This greatly simplifies routing.
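As an added illustration (constructed for this page, not a configuration from the article or from Cisco), the following is the outside-facing side of one router in an HSRP pair that terminates a site-to-site tunnel on the HSRP virtual address. Addresses, names and the pre-shared key are placeholders; the second router carries the same configuration with its own physical address and a lower standby priority, and the remote peer points its crypto map at the virtual address 192.0.2.1.

```cisco
! Constructed example: one router of an HSRP pair terminating IPSec on the
! virtual address. Assumes an IOS image with the 12.2(8)T redundancy and
! reverse-route features; use the strongest transforms your image supports.
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2
! The remote peer (203.0.113.1) authenticates against the shared virtual IP
crypto isakmp key <PLACEHOLDER-PSK> address 203.0.113.1
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
crypto map VPNMAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS
 match address VPN-ACL
 ! RRI: install a static route to the remote LAN only while this router
 ! holds the SA, so only the active HSRP router ends up advertising it
 reverse-route
!
ip access-list extended VPN-ACL
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
interface FastEthernet0/0
 description outside
 ip address 192.0.2.2 255.255.255.0
 standby 1 ip 192.0.2.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 name VPN-HA
 ! fail over if the inside interface goes down, not just the outside one
 standby 1 track FastEthernet0/1
 ! "redundancy" binds the crypto map to the HSRP group, so the tunnel
 ! endpoint is the virtual address 192.0.2.1 rather than 192.0.2.2
 crypto map VPNMAP redundancy VPN-HA
!
! Redistribute the RRI-injected static route so inside routers follow
! whichever unit is active (assumes OSPF is running on the inside)
router ospf 1
 redistribute static subnets
```

After a failover, `show crypto isakmp sa` and `show ip route static` on the new active unit are the quick checks that the SA was rebuilt and the reverse route was injected there rather than on the former active router.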
Of course, if upgrading your IOS means buying new licenses and adding memory to your routers, then you may want to investigate other alternatives.
Thomas Alexander Lancaster IV is a consultant and author with over ten years of experience in the networking industry, focused on Internet infrastructure.
This was first published in April 2003