IPSec VTI support for Same Tunnel Source and Destination?

mhiyoshi · ‎12-06-2018

Dear all,

Currently I am investigating the following restriction more detail.

In my understanding if this restriction is for GRE Tunnels, IPSec VTI is exception right? because VTI does not use GRE header and so on.

###################

[Cisco IOS Interface and Hardware Component Command Reference ]
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/interface/command/ir-cr-book/ir-t2.html#wp1398569350

tunnel source { ip-address | ipv6-address | interface-type interface-number | dynamic }

*You cannot have two tunnels using the same encapsulation mode with exactly the same source and destination addresses. The workaround is to create a loopback interface and source packets from the loopback interface. This restriction is applicable only for generic routing encapsulation (GRE) tunnels. You can have more than one TE tunnel with the same source and destination addresses.

###################

So I have verified the following configuration, the result is below

1. tunnel mode gre ip : OK

2. tunnel mode ipsec ipv4 : NG *Two tunnels does not up

interface Tunnel1
ip vrf forwarding VRF-A
ip address 10.0.10.1
tunnel source FastEthernet0
tunnel mode ipsec ipv4 or tunnel mode ipsec ipv4
tunnel destination 10.0.10.2
tunnel protection ipsec profile VTI shared
tunnel key 1

!

interface Tunnel2
ip vrf forwarding VRF-B
ip address 10.0.10.1
tunnel source FastEthernet0
tunnel mode ipsec ipv4 or tunnel mode ipsec ipv4
tunnel destination 10.0.10.2
tunnel protection ipsec profile VTI shared
tunnel key 2
!

I appreciate if you can let me know any comment or CCO URL if any.

Best Regards,

Masanobu Hiyoshi