Detecting a Failure Using HSRP

HSRP, VRRP, and GLBP are all protocols that allow multiple routers to
share a single IP address. They are typically used for default gateway redundancy
on a local LAN. You can also use these protocols on a WAN-facing
interface. In that case, the shared, or virtual, IP address serves as the peer
address for IPsec. If the physical router fails, one of the other routers in the
group takes over. The IPsec tunnel drops and is then reestablished using the
same peer IP address but a new physical router.
HSRP defines an active and a standby router, which form a standby group.
The active router answers traffic to the virtual IP address. If it fails, the
standby router takes over. HSRP routers share a virtual MAC address, too.
Determining the return path to a remote site can be a problem when using
HSRP at the headend. Either additionally configure HSRP on the internal
interfaces of the routers, or use Reverse Path Injection (RRI). RRI injects
remote networks into the internal routing protocol and is enabled with the
command reverse-route in a crypto map.
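
The setup described above, as an added example (not from the original text): one headend router with HSRP on its WAN-facing interface, the crypto map tied to the standby group, and reverse-route enabled. All names, addresses, the OSPF process and the key placeholder are assumptions chosen for illustration.

```cisco
! Constructed example: headend router A. Router B is configured the same way
! except for its interface address and a lower HSRP priority.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key <PRE-SHARED-KEY> address 198.51.100.10
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
!
! Headend LAN 10.1.0.0/16 to remote LAN 10.2.0.0/16 (assumed networks)
access-list 101 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
crypto map VPNMAP 10 ipsec-isakmp
 set peer 198.51.100.10
 set transform-set TS-AES
 match address 101
 ! Install a route to the remote network when the tunnel comes up
 reverse-route
!
interface GigabitEthernet0/0
 description WAN-facing, HSRP group shared with router B
 ip address 192.0.2.2 255.255.255.0
 standby 1 ip 192.0.2.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 name VPN-HA
 ! IPsec is sourced from the HSRP virtual address of group VPN-HA
 crypto map VPNMAP redundancy VPN-HA
!
! Pass the injected routes to the internal routing protocol (OSPF assumed)
router ospf 1
 redistribute static subnets
 network 10.1.0.0 0.0.255.255 area 0
!
! Remote site: the peer is the virtual address, never a physical one.
! crypto map REMOTE 10 ipsec-isakmp
!  set peer 192.0.2.1
```

After a failover, only the router that currently holds the tunnel advertises 10.2.0.0/16 internally, so return traffic follows the new active router without HSRP on the inside interfaces.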