Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
439
Views
0
Helpful
3
Replies

DMVPN with dual tunnel and dual interfaces on hub router

doug_3002
Level 1
Level 1

‎12-27-2014 04:19 PM - edited ‎03-05-2019 12:27 AM

I have a hub router that with 3 interfaces.

int 1 is used for DMVPN and so is int 3.  They are also used for IPSec RA VPN. webvpn, and port forwarding to inside servers.

int 2 is used for internet traffic.

I used VRF's to seperate int 1 and int 3 in the passed but i had issues.  So that I didnt have use inter VRF routing to solve it, i removed the VRF's and used static routes to reach the spokes for interface 1 and interface 3.  This is ok, because all the spokes use static IP's.

The spoke also have two tunnels and is sharing the ipsec profile as so:

int tun 1

tunnel protection ipsec profile PROFILE shared

!

int tun 2

tunnel protection ipsec profile PROFILE shared

 

The Circuit for WAN int 3 was not in yet so that interface is down.  I had issues with phase 1 and got the following debug error:

isakmp:(6803):key not found in keyrings of profile , aborting exchange

My understanding is that it was using the key, for keyring 2 and not for keyring 1...even though they are the same key.

When i removed the configs for keyring 2, phase 1 came online.

My question is, will i have issues when once the second WAN interface come online?  should i change the preshared key in keyring 2? 

Labels:
0 Helpful
3 Replies 3

Vasilii Mikhailovskii
Level 7
Level 7

‎12-28-2014 11:03 AM

Hello.

Please share your configuration on the hub router and all the debug output you gathered.

I would say, that the solution with 2 VRFs was much better, than static routes. I think if you revert the configuration back to VRF, it should work fine.

0 Helpful

doug_3002
Level 1
Level 1
In response to Vasilii Mikhailovskii

‎12-28-2014 02:18 PM

I was having issues with routing and didnt want to configure inter VRF routing to communicate between the two sites.  I dont think it will work without inter VRF routing with BGP, and i didnt want to configure that. 

0 Helpful

Vasilii Mikhailovskii
Level 7
Level 7
In response to doug_3002

‎12-28-2014 11:01 PM

Hello.

If you are using both Internet links as DMVPN transport only, then there is no need for routing between them.

Could you share your [previous] configuration with VRFs?

PS: if you want an answer for the question, I think [current] running configuration is needed here.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card