12-02-2020 11:02 PM
We recently launched a CSRv instance on Oracle Cloud. This router is configured to join a DMVPN cloud. Everything is working as we expected. Underlay communication is secured through IKEv2 tunnels.
But we noticed that when we tried to create another policy-based IPsec tunnel with IKEv2 and apply the crypto map on the egress interface, the existing IKEv2 tunnels for DMVPN also got disconnected. This behavior is seen after we applied the crypto map with IKEv2 settings in it on the egress interface. But when we changed the policy-based tunnel to IKEv1, the DMVPN IKEv2 tunnels and the IKEv1 crypto map tunnels both worked.
Attached is the rough diagram.
The following config scenario didn't work:
interface Tunnel1
 tunnel source Gi2
 tunnel mode gre multipoint
 tunnel protection ipsec profile <profilename>
!
crypto map VPNMAP 10 ipsec-isakmp
 set peer <peerIP>
 set transform-set <TS>
 match address <encryption>
 set ikev2-profile <IKEv2 profile>
!
interface Gi1
 crypto map VPNMAP
It worked when we changed it to IKEv1 (ISAKMP).
As it's a CSRv on the cloud, we didn't configure any front-door VRFs for DMVPN. Could someone advise if you are aware of this behavior? Thank you in advance.
12-02-2020 11:42 PM
Hello,
As I understand it, one IPsec IKEv2 and one IPsec IKEv1 tunnel work, but two IKEv2 tunnels together don't? Are you using different profiles for the IKEv2 tunnels? Or are you sharing the IKEv2 profile (tunnel protection ipsec profile <profilename> shared)?
12-03-2020 01:05 AM
The IPsec profile is applied to the tunnel interface. In the IPsec profile, we call the IKEv2 profile, which has the keyring and policy,
whereas the crypto map for the policy-based VPN is applied to the egress interface (Gi1). Gi1 is the outgoing interface for the default route and to the internet.
12-03-2020 01:19 AM
Hello,
Post the full running config of a working config and a non-working config.
12-03-2020 01:24 AM
This config didn't work:
crypto ikev2 keyring kr1
 peer CUST1
  address <peerIP>
  identity address 10.76.15.226
  pre-shared-key <presharedkey>
!
crypto ikev2 proposal pro
 encryption aes-cbc-256
 integrity sha256
 group 5
!
crypto ikev2 policy cryptopolicy
 proposal pro
!
ip access-list extended cust1vpn
 10 permit ip <sourceIP> <DestinationIP>
!
crypto ikev2 profile profile1
 match address local 10.76.15.226
 match identity remote address <peerIP> 255.255.255.255
 identity local address 10.76.15.226
 authentication remote pre-share
 authentication local pre-share
 keyring local kr1
!
crypto ipsec transform-set ts1 esp-aes 256 esp-md5-hmac
 mode tunnel
!
crypto map VPNMAP 10 ipsec-isakmp
 set peer <peerIP>
 set transform-set ts1
 set pfs group19
 set ikev2-profile profile1
 match address cust1vpn
!
interface Gi1
 crypto map VPNMAP
DMVPN parameters:
crypto ikev2 proposal dmvpn
 encryption aes-gcm-256
 prf sha256
 group 20
!
crypto ikev2 policy dmvpn
 proposal dmvpn
!
crypto ikev2 keyring dmvpn
 peer any-ikev2
  address 0.0.0.0 0.0.0.0
  pre-shared-key <preshared-key>
!
crypto ikev2 profile dmvpn-ikev2
 match address local 10.76.15.226
 match identity remote address 0.0.0.0
 identity local address 10.76.15.226
 authentication remote pre-share
 authentication local pre-share
 keyring local dmvpn
 lifetime 28800
!
interface Tunnel101
 tunnel source Gi1
 tunnel mode gre multipoint
 tunnel protection ipsec profile dmvpn
We modified the crypto map entry to IKEv1 and added ISAKMP policies; then it met our requirement.
12-03-2020 02:45 AM
Hello,
Got it.
I am pretty sure the problem is that you mix VTIs and crypto maps. Try and configure two VTIs instead (don't configure the crypto map, which is considered legacy anyway).
12-03-2020 04:05 AM
I just found a link and see that a crypto map on a physical interface which is the source for another tunnel interface with IPsec profile protection is not supported:
https://community.cisco.com/t5/vpn/site-to-site-vpn-and-dmvpn-on-same-router/td-p/2010012
12-03-2020 04:11 AM
Hello,
That would mean IKEv1 would not work either, I suppose.
Have you tried two VTIs with IKEv2, as suggested?
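The two-VTI layout suggested above, written out as an added example for this thread (it is neither the poster's config nor Cisco documentation): the site-to-site tunnel becomes an IKEv2 static VTI sourced from Gi1 next to the existing DMVPN mGRE tunnel, so no crypto map is applied to the physical interface. The names cust1-ikev2, cust1-ipsec and Tunnel1, the <DestinationNet>/<DestinationMask> placeholders and the SHA-256 transform are assumptions; <peerIP> and <presharedkey> are the thread's own placeholders, and the DMVPN proposal, keyring, profile and Tunnel101 stay exactly as posted.

```cisco
! Added example, not the thread's own config. Site-to-site IKEv2 SVTI
! coexisting with DMVPN Tunnel101; Gi1 carries no "crypto map" at all.
crypto ikev2 proposal pro
 encryption aes-cbc-256
 integrity sha256
 group 19
!
crypto ikev2 policy cryptopolicy
 proposal pro
!
crypto ikev2 keyring kr1
 peer CUST1
  address <peerIP>
  pre-shared-key <presharedkey>
!
! Assumed name. Matches only this peer, unlike the 0.0.0.0 DMVPN profile.
crypto ikev2 profile cust1-ikev2
 match identity remote address <peerIP> 255.255.255.255
 identity local address 10.76.15.226
 authentication remote pre-share
 authentication local pre-share
 keyring local kr1
!
crypto ipsec transform-set ts1 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Assumed name. Same role the crypto map played, bound to a VTI instead.
crypto ipsec profile cust1-ipsec
 set transform-set ts1
 set pfs group19
 set ikev2-profile cust1-ikev2
!
! Route-based tunnel replaces the crypto map on Gi1.
interface Tunnel1
 ip unnumbered GigabitEthernet1
 tunnel source GigabitEthernet1
 tunnel mode ipsec ipv4
 tunnel destination <peerIP>
 tunnel protection ipsec profile cust1-ipsec
!
! Interesting traffic is selected by routing, not by the crypto ACL.
ip route <DestinationNet> <DestinationMask> Tunnel1
```

After the change, `show crypto ikev2 sa detailed` shows which IKEv2 profile each SA matched, so you can confirm the site-to-site peer landed on cust1-ikev2 rather than the wide-open dmvpn-ikev2 profile, and `show dmvpn` should still list the DMVPN peers.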