Example: Tunnel 1 - 10.10.10.0/30 Tunnel Source lo111 Tunnel Destination int lo111 ip add Int Te1.x description WAN PUBLIC LOCAL Tunnel 2 - 10.10.0.4/30 Tunnel Source lo222 Tunnel Destination int lo222 ip add --------------------------------------------------------------- Router-01 Primary Tunnel --------------------------------------------------------------- ip vrf IVRF description inside vrf ip vrf Internet description front door vrf crypto keyring EE-Keyring vrf Internet pre-shared-key address key TEST crypto isakmp policy 1 encr aes 256 authentication pre-share group 2 crypto isakmp identity hostname crypto isakmp profile ISAKMP keyring EE-Keyring match identity host < WAN 1 FAR END > keepalive 10 retry 2 crypto ipsec security-association lifetime kilobytes 500000000 crypto ipsec security-association lifetime seconds 86400 crypto ipsec transform-set AES256 esp-aes 256 esp-sha-hmac mode transport require crypto ipsec profile IPSEC-PROFILE set transform-set AES256 set isakmp-profile ISAKMP crypto map CRYPTO-MAP 1 ipsec-isakmp description IPSec set peer set transform-set AES256 set pfs group2 set isakmp-profile ISAKMP match address ACL:GRE ip access-list extended ACL:GRE permit gre host host permit gre host host interface loopback 111 ip add ip vrf forwarding IVRF interface Te1.x.x description Internet facing ip vrf forwarding Internet interface Tunnel1 ip vrf forwarding IVRF ip address 10.10.10.1 255.255.255.252 ip mtu 1400 ip tcp mss-adjust 1360 tunnel source lo111 tunnel destination tunnel path-mtu-discovery tunnel vrf Internet interface gi0/0.x descriptioni Indside interface encap dot1q xxx ip vrf forwarding IVRF ------------------------------------------------------------------------------------------------------------------------- --------------------------------------------------------------- Router-01 Secondary Tunnel --------------------------------------------------------------- interface loopback 222 ip add ip vrf forwarding IVRF interface Tex.x.x encap dot1q xxx description Internet facing ip vrf forwarding Internet interface Tunnel2 ip vrf forwarding IVRF ip address 10.10.10.5 255.255.255.252 ip mtu 1400 ip tcp mss-adjust 1360 tunnel source lo222 tunnel destination tunnel path-mtu-discovery tunnel vrf Internet interface gi0/0.x descriptioni Indside interface encap dot1q xxx ip vrf forwarding IVRF