pta200
New Contributor

VRRP & VPN


How do I get a 3448 to initiate a VPN tunnel sourced from the shared VRRP address on the interface, not the actual address? This is so the remote site doesn't have to change the remote peer IP in its policy if there is a router failure on the source side.


Accepted Solutions
Anonymous
Not applicable

Re: VRRP & VPN


Thank you for asking this question in the Support Community. The AOS unit that has the VRRP IP address assigned to it cannot initiate the VPN tunnel; it can only respond to VPN negotiations. Therefore, for this application to function, the remote unit would have to be configured to initiate the VPN tunnel to the unit with the VRRP IP address.

Alternatively, depending on the application requirements, another option is to follow the Configuring Redundant VPN Failover guide, which is a common solution for this network design.

I hope this makes sense, but please do not hesitate to reply to this post with any additional questions or information.  I will be happy to help in any way I can.

Levi

pta200
New Contributor

Re: VRRP & VPN


Hi Levi,

Thanks for the update. Unfortunately, this tunnel is to an NYC government service, so we don't control the remote end, they never initiate the tunnel, and won't configure a policy for a backup IP address. For this reason I was hoping to use the VRRP address on the NetVanta in case one router fails (obviously a rare case) without having to reconfigure the backup router.

Anonymous
Not applicable

Re: VRRP & VPN


I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post and unmark it and select another in its place with the applicable buttons.  If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.

Thanks,

Levi