IPSec Over DMVPN

KEOPUTMANO
Level 1

Dear All,

My name is Mano and I work as a network engineer. Currently I am migrating from GRE point-to-point VPN to DMVPN. For GRE point-to-point they use a crypto map on the physical interface as the encryption method. The connection between HUB and SPOKE is dual ISP. I removed the crypto map from the physical interface before configuring DMVPN. When I moved to DMVPN I created the profile to configure on each tunnel interface. The error message is "All interfaces sharing this IPSec profile must be configured using the 'shared' keyword". What I understand is that it is not allowed to use the same profile with different sources (ISPs). However, I could configure it on some other router with the same profile and 4 tunnel interfaces. I think maybe it needs some clues to configure.

Thanks beforehand. I hope I can get a solution here.

Please see the configuration below:

Existing

crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key <removed> address xx.xx.12.1
crypto isakmp key <removed> address xx.xx.12.62
crypto isakmp key <removed> address xx.xx.13.62
!
!
crypto ipsec transform-set ESP-AES-SHA esp-aes 256 esp-sha-hmac
mode tunnel
!
!
!
crypto map OUT 10 ipsec-isakmp
set peer xx.xx.12.1
set peer xx.xx.12.62
set peer xx.xx.13.62
set transform-set ESP-AES-SHA

interface Tunnel15
ip address xx.xx.11.58 255.255.255.252
ip mtu 1400
ip tcp adjust-mss 1360
ip ospf network point-to-point
tunnel source xx.xx.12.16
tunnel destination xx.xx.12.1

interface GigabitEthernet0/1
description TO_SI-DPLC_LINK
ip address xx.xx.12.16 255.255.255.192
no ip redirects
no ip unreachables
no ip proxy-arp
ip verify unicast reverse-path
duplex auto
speed auto
crypto map OUT

New Configure

crypto ipsec transform-set TS esp-3des esp-md5-hmac
mode transport
!
crypto ipsec profile Protect-Tunnel
set security-association lifetime seconds 86400
set transform-set TS

interface Tunnel1
ip address x.x.x.x x.x.x.x 
no ip redirects
ip mtu 1400
ip nhrp authentication 
ip nhrp map multicast dynamic
ip nhrp map x.x.x.x x.x.x.x
ip nhrp map multicast x.x.x.x
ip nhrp network-id 120
ip nhrp holdtime 600
ip nhrp nhs x.x.x.x
ip tcp adjust-mss 1360
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key 120
tunnel protection ipsec profile Protect-Tunnel

interface Tunnel2
ip address x.x.x.x x.x.x.x 
no ip redirects
ip mtu 1400
ip nhrp authentication 
ip nhrp map multicast dynamic
ip nhrp map x.x.x.x x.x.x.x
ip nhrp map multicast x.x.x.x
ip nhrp network-id 130
ip nhrp holdtime 600
ip nhrp nhs x.x.x.x
ip tcp adjust-mss 1360
tunnel source GigabitEthernet0/1
tunnel mode gre multipoint
tunnel key 130
tunnel protection ipsec profile Protect-Tunnel

interface GigabitEthernet0/0
ip address xx.xx.12.16 255.255.255.192
no ip redirects
no ip unreachables
no ip proxy-arp
ip verify unicast reverse-path
duplex auto
speed auto

interface GigabitEthernet0/1
description TO_SI-DPLC_LINK
ip address xx.xx.12.16 255.255.255.192
no ip redirects
no ip unreachables
no ip proxy-arp
ip verify unicast reverse-path
duplex auto
speed auto

4 Replies

Hello,

Probably, if you remove the old tunnels, you do not need to use a shared key since you use different interfaces for the tunnel source. Please check the following link for different scenarios.

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_dmvpn/configuration/15-mt/sec-conn-dmvpn-15-mt-book/sec-conn-dmvpn-share-ipsec-w-tun-protect.pdf

"If two or more generic route encapsulation (GRE) tunnel interfaces share the same tunnel source interface and one of the GRE tunnel interface is an multipoint generic route encapsulation (mGRE) tunnel interface, all tunnels with the same tunnel source must use different tunnel keys, the same IPsec profile name, and the shared keyword with the tunnel protection command"

Masoud

Thanks, Masoud, for your information. On the new router that didn't have the crypto map before, I can configure 4 tunnel interfaces with 2 different sources (ISPs). I'm not sure why I cannot do that with that router.

This tunnel is using the same source as your mGRE tunnel uses. Remove this tunnel and test.

interface Tunnel15
ip address xx.xx.11.58 255.255.255.252
ip mtu 1400
ip tcp adjust-mss 1360
ip ospf network point-to-point
tunnel source xx.xx.12.16
tunnel destination xx.xx.12.1

Masoud

Here is the full configuration. I have tried to remove the crypto map from the physical interface and shut down all existing tunnel interfaces, but it is still the same.

crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key address 10.18.12.1
crypto isakmp key address 10.18.12.62
crypto isakmp key address 10.18.13.62
!
!
crypto ipsec transform-set ESP-AES-SHA esp-aes 256 esp-sha-hmac
mode tunnel
crypto ipsec transform-set CpbTS esp-3des esp-md5-hmac
mode transport
!
crypto ipsec profile Protect-Gre-CPB
set security-association lifetime seconds 86400
set transform-set CpbTS
!
!
!
crypto map OUT 10 ipsec-isakmp
set peer 10.18.12.1
set peer 10.18.12.62
set peer 10.18.13.62
set transform-set ESP-AES-SHA
match address 101
!
!
!
!
!
interface Tunnel1
ip address 172.16.12.2 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp map multicast dynamic
ip nhrp map 172.16.12.254 10.18.12.1
ip nhrp map multicast 10.18.12.1
ip nhrp network-id 12
ip nhrp holdtime 600
ip nhrp nhs 172.16.12.254
ip tcp adjust-mss 1360
tunnel source GigabitEthernet0/1
tunnel mode gre multipoint
tunnel key 12
!
interface Tunnel2
ip address 172.16.13.2 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp map multicast dynamic
ip nhrp map 172.16.13.254 10.18.13.1
ip nhrp map multicast 10.18.13.1
ip nhrp network-id 13
ip nhrp holdtime 600
ip nhrp nhs 172.16.13.254
ip tcp adjust-mss 1360
tunnel source FastEthernet0/0/0
tunnel mode gre multipoint
tunnel key 13
!
interface Tunnel3
description ##TO_DR_RTR_01_SI##
ip address 172.16.120.2 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication CPBANK
ip nhrp map multicast dynamic
ip nhrp map 172.16.120.254 10.18.12.62
ip nhrp map multicast 10.18.12.62
ip nhrp network-id 120
ip nhrp holdtime 600
ip nhrp nhs 172.16.120.254
ip tcp adjust-mss 1360
tunnel source GigabitEthernet0/1
tunnel mode gre multipoint
tunnel key 120
tunnel protection ipsec profile Protect-Gre-CPB
!
interface Tunnel4
description ##TO_DR_RTR_02_METFONE##
ip address 172.16.130.2 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication CPBANK
ip nhrp map multicast dynamic
ip nhrp map 172.16.130.254 10.18.13.62
ip nhrp map multicast 10.18.13.62
ip nhrp network-id 130
ip nhrp holdtime 600
ip nhrp nhs 172.16.130.254
ip tcp adjust-mss 1360
tunnel source FastEthernet0/0/0
tunnel mode gre multipoint
tunnel key 130
tunnel protection ipsec profile Protect-Gre-CPB
!
interface Tunnel15
description VPN_TO_PNHCND-HQ-RT01
ip address 10.18.11.58 255.255.255.252
ip mtu 1400
ip tcp adjust-mss 1360
ip ospf network point-to-point
tunnel source 10.18.12.16
tunnel destination 10.18.12.1
!
interface Tunnel215
ip address 10.18.120.58 255.255.255.252
ip mtu 1400
ip tcp adjust-mss 1360
ip ospf network point-to-point
tunnel source 10.18.12.16
tunnel destination 10.18.12.62
!
interface Tunnel315
ip address 10.18.130.58 255.255.255.252
ip mtu 1400
ip tcp adjust-mss 1360
ip ospf network point-to-point
tunnel source 10.18.13.16
tunnel destination 10.18.13.62
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description TO_BKN_LAN
ip address 10.18.27.1 255.255.255.128
no ip redirects
no ip unreachables
ip verify unicast reverse-path
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
description TO_SI-DPLC_LINK
ip address 10.18.12.16 255.255.255.192
no ip redirects
no ip unreachables
no ip proxy-arp
ip verify unicast reverse-path
duplex auto
speed auto
crypto map OUT

Here is another router that is configured with the protection profile:

crypto ipsec transform-set CpbTS esp-3des esp-md5-hmac
mode transport
!
crypto ipsec profile Protect-Gre-CPB
set security-association lifetime seconds 86400
set transform-set CpbTS
!
!
!
!
!
!
!
interface Tunnel1
ip address 172.16.12.7 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp map multicast dynamic
ip nhrp map 172.16.12.254 10.18.12.1
ip nhrp map multicast 10.18.12.1
ip nhrp network-id 12
ip nhrp holdtime 600
ip nhrp nhs 172.16.12.254
ip tcp adjust-mss 1360
tunnel source GigabitEthernet0/1
tunnel mode gre multipoint
tunnel key 12
!
interface Tunnel2
ip address 172.16.13.7 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp map multicast dynamic
ip nhrp map 172.16.13.254 10.18.13.1
ip nhrp map multicast 10.18.13.1
ip nhrp network-id 13
ip nhrp holdtime 600
ip nhrp nhs 172.16.13.254
ip tcp adjust-mss 1360
tunnel source FastEthernet0/0/0
tunnel mode gre multipoint
tunnel key 13
!
interface Tunnel3
ip address 172.16.120.7 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp map multicast dynamic
ip nhrp map 172.16.120.254 10.18.12.62
ip nhrp map multicast 10.18.12.62
ip nhrp network-id 120
ip nhrp holdtime 600
ip nhrp nhs 172.16.120.254
ip tcp adjust-mss 1360
tunnel source GigabitEthernet0/1
tunnel mode gre multipoint
tunnel key 120
tunnel protection ipsec profile Protect-Gre-CPB
!
interface Tunnel4
ip address 172.16.130.7 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp map multicast dynamic
ip nhrp map 172.16.130.254 10.18.13.62
ip nhrp map multicast 10.18.13.62
ip nhrp network-id 130
ip nhrp holdtime 600
ip nhrp nhs 172.16.130.254
ip tcp adjust-mss 1360
tunnel source FastEthernet0/0/0
tunnel mode gre multipoint
tunnel key 130
tunnel protection ipsec profile Protect-Gre-CPB
!
interface Tunnel30
ip address 10.18.11.118 255.255.255.252
ip mtu 1400
ip tcp adjust-mss 1360
ip ospf network point-to-point
tunnel source 10.18.12.31
tunnel destination 10.18.12.1
tunnel protection ipsec profile Protect-Gre-CPB
!
interface Tunnel130
ip address 10.18.100.118 255.255.255.252
ip mtu 1400
ip tcp adjust-mss 1360
ip ospf network point-to-point
tunnel source 10.18.13.31
tunnel destination 10.18.13.1
!
interface Tunnel230
ip address 10.18.120.118 255.255.255.252
ip mtu 1400
ip tcp adjust-mss 1360
ip ospf network point-to-point
shutdown
tunnel source 10.18.12.31
tunnel destination 10.18.12.62
tunnel protection ipsec profile Protect-Gre-CPB
!
interface Tunnel330
ip address 10.18.130.118 255.255.255.252
ip mtu 1400
ip tcp adjust-mss 1360
ip ospf network point-to-point
shutdown
tunnel source 10.18.13.31
tunnel destination 10.18.13.62
tunnel protection ipsec profile Protect-Gre-CPB

I'm not sure why I can use one profile with many tunnels with the same source.
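As an added example that is not part of this thread or of Cisco's documentation: a short Python script that applies the rule quoted from the Cisco DMVPN guide in the first reply to running-config text. It groups tunnel interfaces by their tunnel source and reports tunnels that share a source with an mGRE tunnel but lack a distinct tunnel key, a common IPsec profile name or the 'shared' keyword. The config it runs on is constructed to mirror the patterns posted above (Tunnel3 sourced from GigabitEthernet0/1, Tunnel15 sourced from that interface's address 10.18.12.16, Tunnel4 alone on FastEthernet0/0/0). Two things are my own assumptions rather than the quoted rule: an interface name and that interface's configured address are treated as the same tunnel source, and transform sets using DES, 3DES or MD5 are flagged as a separate caveat. The parser only understands the handful of commands the sample uses.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the configs posted in this thread (not a live device).
# Tunnel3 (mGRE on Gi0/1) and Tunnel15 (p2p GRE sourced from Gi0/1's own address) share
# a source and a profile without the 'shared' keyword, and both reuse tunnel key 120.
SAMPLE_CONFIG = """\
crypto ipsec transform-set CpbTS esp-3des esp-md5-hmac
crypto ipsec profile Protect-Gre-CPB
 set transform-set CpbTS
interface Tunnel3
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel key 120
 tunnel protection ipsec profile Protect-Gre-CPB
interface Tunnel4
 tunnel source FastEthernet0/0/0
 tunnel mode gre multipoint
 tunnel key 130
 tunnel protection ipsec profile Protect-Gre-CPB
interface Tunnel15
 tunnel source 10.18.12.16
 tunnel destination 10.18.12.1
 tunnel key 120
 tunnel protection ipsec profile Protect-Gre-CPB
interface GigabitEthernet0/1
 ip address 10.18.12.16 255.255.255.192
interface FastEthernet0/0/0
 ip address 10.18.13.16 255.255.255.192
"""
WEAK_ALGS = {"esp-des", "esp-3des", "esp-md5-hmac"}  # added caveat: deprecated for IPsec


def parse_config(text):
    """Return (interfaces, transform_sets, profiles) parsed from IOS-style config text."""
    interfaces, transform_sets, profiles = {}, {}, {}
    current = None  # ("if", name) or ("prof", name) while inside an indented block
    for raw in text.splitlines():
        raw = raw.rstrip()
        if not raw or raw.startswith("!"):
            continue
        if not raw.startswith(" "):  # a top-level command starts a new block
            current = None
            if m := re.match(r"interface (\S+)", raw):
                current = ("if", m.group(1))
                interfaces[m.group(1)] = {"name": m.group(1), "shared": False}
            elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", raw):
                transform_sets[m.group(1)] = m.group(2).split()
            elif m := re.match(r"crypto ipsec profile (\S+)", raw):
                current = ("prof", m.group(1))
            continue
        if current is None:
            continue
        (kind, name), line = current, raw.strip()
        if kind == "prof":
            if m := re.match(r"set transform-set (\S+)", line):
                profiles[name] = m.group(1)
            continue
        cfg = interfaces[name]
        if m := re.match(r"ip address (\S+) \S+", line):
            cfg["ip"] = m.group(1)
        elif m := re.match(r"tunnel source (\S+)", line):
            cfg["source"] = m.group(1)
        elif line == "tunnel mode gre multipoint":
            cfg["mgre"] = True
        elif m := re.match(r"tunnel key (\d+)", line):
            cfg["key"] = m.group(1)
        elif m := re.match(r"tunnel protection ipsec profile (\S+)( shared)?$", line):
            cfg["profile"], cfg["shared"] = m.group(1), m.group(2) is not None
    return interfaces, transform_sets, profiles


def resolve_source(cfg, interfaces):
    """Map 'tunnel source' to an address so GigabitEthernet0/1 and its IP compare equal (assumption)."""
    src = cfg.get("source")
    return interfaces[src].get("ip", src) if src in interfaces else src


def lint(text):
    """Return findings as strings; an empty list means the config satisfies the rule."""
    interfaces, transform_sets, profiles = parse_config(text)
    findings, by_source = [], defaultdict(list)
    for cfg in interfaces.values():
        if cfg["name"].startswith("Tunnel") and "source" in cfg:
            by_source[resolve_source(cfg, interfaces)].append(cfg)
    for src, group in by_source.items():
        # Rule applies only when >= 2 tunnels share a source and one is mGRE (Tunnel4 is alone).
        if len(group) < 2 or not any(t.get("mgre") for t in group):
            continue
        names = ", ".join(t["name"] for t in group)
        keys = [t.get("key") for t in group]
        if len(set(keys)) != len(keys):
            findings.append(f"{src}: {names} must use distinct tunnel keys, got {keys}")
        if len({t.get("profile") for t in group}) > 1:
            findings.append(f"{src}: {names} must use the same IPsec profile name")
        for t in group:
            if t.get("profile") and not t["shared"]:
                findings.append(f"{src}: {t['name']} needs 'tunnel protection ipsec "
                                f"profile {t['profile']} shared'")
    for prof, ts in profiles.items():
        if weak := WEAK_ALGS & set(transform_sets.get(ts, [])):
            findings.append(f"profile {prof}: transform-set {ts} uses {sorted(weak)}")
    return findings


if __name__ == "__main__":
    print("\n".join(lint(SAMPLE_CONFIG)))
```

Run as a script it prints the findings for the sample; paste the output of show running-config into a file and call lint() on it to check a real router. Tunnel4 on FastEthernet0/0/0 produces no finding, which matches the first reply's point that a tunnel on a different source interface does not need the 'shared' keyword, while the two tunnels sourced from 10.18.12.16 trigger the same condition the router reports in the original post.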
