Multiple IPSec VTI between routers

peter.matuska1 (Level 1)

Hi,

I have 2 IOS-XE routers connected to the internet with a /30 subnet. I want to configure three VTI tunnels between them (one for business traffic and the remaining two for guest services in VRFs).

My problem is that I only have 1 public address at both locations and all 3 VTIs have to have the same tunnel source and tunnel destination. When I apply tunnel protection ipsec under all of them the tunnels don't work. Is there any solution?

I temporarily configured one location as a DMVPN hub and the other as a spoke. In this case the VTIs could have the same tunnel source and tunnel destination. To add encryption I configured a crypto map under the outside interface and the ACL has only permit gre any any, and it works, but I don't like it.

Is there any better way to accomplish it?

Thank you

5 Replies

Use the "shared" keyword on the ipsec profile under the VTI tunnel.

But the question is how you make traffic pass through a specific VTI; you need PBR for that.

MHM

peter.matuska1 (Level 1)

I used shared but it didn't work.

I use BGP for routing. The first VTI is in the GRT, the second in VRF A and the third in VRF B.

Can I see the config of the three VTIs?

MHM

peter.matuska1 (Level 1)

I have just noticed in show crypto ipsec sa that all 3 VTIs are mentioned. The one thing that I don't like in show crypto ikev2 sa is that under ivrf it says the name of VRF A. I will have to configure the ACL on outside to block

Sorry, but your config is wrong; below is the correct config.

MHM

R1#show running-config
Building configuration...

Current configuration : 2650 bytes
!
! Last configuration change at 13:56:22 UTC Thu Oct 3 2024
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
ip vrf blue
rd 11:11
!
ip vrf red
rd 1:1
!
!
!
!
!
!
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key mhm address 0.0.0.0
!
!
crypto ipsec transform-set trans esp-des esp-md5-hmac
mode tunnel
!
!
crypto ipsec profile prof
set transform-set trans
!
!
!
!
!
!
interface Loopback1
ip address 1.1.1.1 255.255.255.255
!
interface Loopback11
ip vrf forwarding red
ip address 11.11.11.11 255.255.255.255
!
interface Loopback111
ip vrf forwarding blue
ip address 111.111.111.111 255.255.255.255
!
interface Tunnel0
ip address 5.0.0.1 255.255.255.0
tunnel source FastEthernet0/0
tunnel destination 100.0.0.2
tunnel key 5
tunnel protection ipsec profile prof shared
!
interface Tunnel1
ip vrf forwarding red
ip address 15.0.0.1 255.255.255.0
tunnel source FastEthernet0/0
tunnel destination 100.0.0.2
tunnel key 15
tunnel protection ipsec profile prof shared
!
interface Tunnel2
ip vrf forwarding blue
ip address 25.0.0.1 255.255.255.0
tunnel source FastEthernet0/0
tunnel destination 100.0.0.2
tunnel protection ipsec profile prof shared
!
interface Tunnel25
no ip address
tunnel key 25
!
interface FastEthernet0/0
ip address 100.0.0.1 255.255.255.0
duplex full
!
interface FastEthernet1/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet1/1
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet2/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet2/1
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet3/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet3/1
no ip address
shutdown
speed auto
duplex auto
!
router ospf 15 vrf red
network 11.11.11.11 0.0.0.0 area 0
network 15.0.0.0 0.0.0.255 area 0
!
router ospf 25 vrf blue
network 25.0.0.0 0.0.0.255 area 0
network 111.111.111.111 0.0.0.0 area 0
!
router ospf 5
network 1.1.1.1 0.0.0.0 area 0
network 5.0.0.0 0.0.0.255 area 0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end

R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#int
R1(config)#interface tu
R1(config)#interface tunnel 2
R1(config-if)#tu
R1(config-if)#tunnel k
R1(config-if)#tunnel key 25
R1(config-if)#exit
R1(config)#
R1(config)#exit
R1#
R1#
R1#
R1#
*Oct 3 13:57:04.127: %SYS-5-CONFIG_I: Configured from console by console
R1#
*Oct 3 13:57:09.143: %OSPF-5-ADJCHG: Process 25, Nbr 25.0.0.2 on Tunnel2 from LOADING to FULL, Loading Done
R1#wr
Warning: Attempting to overwrite an NVRAM configuration previously written
by a different version of the system image.
Overwrite the previous NVRAM configuration?[confirm]
Building configuration...
[OK]
R1#
R1#show running-config
Building configuration...

Current configuration : 2665 bytes
!
! Last configuration change at 13:57:04 UTC Thu Oct 3 2024
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
ip vrf blue
rd 11:11
!
ip vrf red
rd 1:1
!
!
!
!
!
!
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key mhm address 0.0.0.0
!
!
crypto ipsec transform-set trans esp-des esp-md5-hmac
mode tunnel
!
!
crypto ipsec profile prof
set transform-set trans
!
!
!
!
!
!
interface Loopback1
ip address 1.1.1.1 255.255.255.255
!
interface Loopback11
ip vrf forwarding red
ip address 11.11.11.11 255.255.255.255
!
interface Loopback111
ip vrf forwarding blue
ip address 111.111.111.111 255.255.255.255
!
interface Tunnel0
ip address 5.0.0.1 255.255.255.0
tunnel source FastEthernet0/0
tunnel destination 100.0.0.2
tunnel key 5
tunnel protection ipsec profile prof shared
!
interface Tunnel1
ip vrf forwarding red
ip address 15.0.0.1 255.255.255.0
tunnel source FastEthernet0/0
tunnel destination 100.0.0.2
tunnel key 15
tunnel protection ipsec profile prof shared
!
interface Tunnel2
ip vrf forwarding blue
ip address 25.0.0.1 255.255.255.0
tunnel source FastEthernet0/0
tunnel destination 100.0.0.2
tunnel key 25
tunnel protection ipsec profile prof shared
!
interface Tunnel25
no ip address
tunnel key 25
!
interface FastEthernet0/0
ip address 100.0.0.1 255.255.255.0
duplex full
!
interface FastEthernet1/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet1/1
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet2/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet2/1
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet3/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet3/1
no ip address
shutdown
speed auto
duplex auto
!
router ospf 15 vrf red
network 11.11.11.11 0.0.0.0 area 0
network 15.0.0.0 0.0.0.255 area 0
!
router ospf 25 vrf blue
network 25.0.0.0 0.0.0.255 area 0
network 111.111.111.111 0.0.0.0 area 0
!
router ospf 5
network 1.1.1.1 0.0.0.0 area 0
network 5.0.0.0 0.0.0.255 area 0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end

R2#show running-config
Building configuration...

Current configuration : 2270 bytes
!
! Last configuration change at 13:54:13 UTC Thu Oct 3 2024
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
ip vrf blue
rd 22:22
!
ip vrf red
rd 2:2
!
!
!
!
!
!
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key mhm address 0.0.0.0
!
!
crypto ipsec transform-set trans esp-des esp-md5-hmac
mode tunnel
!
!
crypto ipsec profile prof
set transform-set trans
!
!
!
!
!
!
interface Tunnel0
ip address 5.0.0.2 255.255.255.0
tunnel source FastEthernet0/0
tunnel destination 100.0.0.1
tunnel key 5
tunnel protection ipsec profile prof shared
!
interface Tunnel1
ip vrf forwarding red
ip address 15.0.0.2 255.255.255.0
tunnel source FastEthernet0/0
tunnel destination 100.0.0.1
tunnel key 15
tunnel protection ipsec profile prof shared
!
interface Tunnel2
ip vrf forwarding blue
ip address 25.0.0.2 255.255.255.0
tunnel source FastEthernet0/0
tunnel destination 100.0.0.1
tunnel key 25
tunnel protection ipsec profile prof shared
!
interface FastEthernet0/0
ip address 100.0.0.2 255.255.255.0
duplex full
!
interface FastEthernet1/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet1/1
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet2/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet2/1
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet3/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet3/1
no ip address
shutdown
speed auto
duplex auto
!
router ospf 15 vrf red
network 15.0.0.0 0.0.0.255 area 0
!
router ospf 25 vrf blue
network 25.0.0.0 0.0.0.255 area 0
!
router ospf 5
network 5.0.0.0 0.0.0.255 area 0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end

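An added check, not part of the thread or either poster's configuration. What the configs above show is that the first R1 config had no `tunnel key` on Tunnel2, and OSPF on Tunnel2 only came up after `tunnel key 25` was added. With `tunnel protection ipsec profile ... shared`, all GRE tunnels between the same source and destination ride one pair of IPsec SAs (the proxy identity is GRE between the two public addresses), so the GRE key is what tells the router which tunnel interface a decrypted packet belongs to, and every tunnel in the group needs a distinct one. Because one SA pair serves all three tunnels, seeing a single IVRF in `show crypto ikev2 sa` is expected rather than a leak: separation of the inner traffic comes from `ip vrf forwarding` on each tunnel interface, not from the SA. Two caveats: `shared` applies to GRE-mode tunnels (the default used here), not to `tunnel mode ipsec ipv4` VTIs, and the lab crypto in the posted config (IKEv1, DES, MD5, a pre-shared key for 0.0.0.0) should not be carried into production. The script below parses `show running-config` text and reports tunnels that share a source/destination pair without `shared`, with a missing or duplicate `tunnel key`, or in IPsec mode, plus weak algorithms and a wildcard PSK. Both sample configs are constructed for this example; the hardened one uses IKEv2 with AES-GCM, and its object names (P-GCM, POL, KR, IKEV2-PROF, TS-GCM, IPSEC-PROF) are chosen here, not taken from the thread.

```python
import re
from collections import defaultdict

# Algorithms a reviewer would reject today: DES/3DES, MD5, and ESP without encryption.
WEAK_ALGOS = ("esp-des", "esp-3des", "esp-md5-hmac", "esp-null", "hash md5")
ATTRS = (("src", "tunnel source "), ("dst", "tunnel destination "), ("key", "tunnel key "), ("mode", "tunnel mode "))

def parse_tunnels(config):
    """Map 'interface TunnelN' -> attrs; a stanza ends at a bare '!'; indentation is ignored."""
    tunnels, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()  # forum pastes usually lose IOS's leading spaces
        m = re.fullmatch(r"interface (Tunnel\d+)", line)
        if m:  # GRE is the IOS default mode, assumed until 'tunnel mode' says otherwise
            cur = tunnels[m.group(1)] = dict(mode="gre ip", key=None, src=None, dst=None, profile=None, shared=False)
        elif line == "!":
            cur = None
        elif cur is not None:
            words = line.split()
            for attr, prefix in ATTRS:
                if line.startswith(prefix):
                    cur[attr] = " ".join(words[2:])
            if line.startswith("tunnel protection ipsec profile "):
                cur["profile"], cur["shared"] = words[4], words[-1] == "shared"
    return tunnels

def audit(config):
    """Return findings (empty list = clean) for the shared-tunnel invariants."""
    tunnels, findings = parse_tunnels(config), []
    groups = defaultdict(list)  # (src, dst) -> protected tunnels using that pair
    for name, t in tunnels.items():
        if t["profile"] and t["src"] and t["dst"]:
            groups[(t["src"], t["dst"])].append(name)
    for (src, dst), names in groups.items():
        keys = {}  # a single tunnel per peer pair needs neither 'shared' nor a key, so skip singletons
        for name in (sorted(names) if len(names) > 1 else ()):
            t = tunnels[name]
            if t["mode"] != "gre ip":  # a plain IPsec VTI cannot share src/dst
                findings.append(f"{name}: 'tunnel mode {t['mode']}' cannot share {src}->{dst}")
            if not t["shared"]:
                findings.append(f"{name}: shares {src}->{dst} but lacks 'shared'")
            if t["key"] is None:  # the GRE key demultiplexes one SA pair into N tunnels
                findings.append(f"{name}: shares {src}->{dst} but has no 'tunnel key'")
            elif t["key"] in keys:
                findings.append(f"{name}: tunnel key {t['key']} duplicates {keys[t['key']]}")
            keys.setdefault(t["key"], name)
    for raw in config.splitlines():
        line = raw.strip()
        if any(a in line for a in WEAK_ALGOS):
            findings.append(f"weak algorithm: '{line}'")
        if re.fullmatch(r"crypto isakmp key \S+ address 0\.0\.0\.0(\s+0\.0\.0\.0)?", line):
            findings.append("wildcard pre-shared key: any address may attempt IKE")
    return findings

def tunnel_stanza(name, addr, key, profile):
    """Constructed GRE-over-IPsec stanza in the thread's shape; key=None omits the key line."""
    key_line = f" tunnel key {key}\n" if key is not None else ""
    return (f"interface {name}\n ip address {addr} 255.255.255.0\n"
            " tunnel source FastEthernet0/0\n tunnel destination 100.0.0.2\n"
            f"{key_line} tunnel protection ipsec profile {profile} shared\n!\n")

# Constructed after the thread's first R1 config: IKEv1 DES/MD5, wildcard PSK, Tunnel2 with no GRE key.
BROKEN = """crypto isakmp policy 10
 hash md5
crypto isakmp key mhm address 0.0.0.0
crypto ipsec transform-set trans esp-des esp-md5-hmac
crypto ipsec profile prof
 set transform-set trans
!
""" + tunnel_stanza("Tunnel0", "5.0.0.1", 5, "prof") + tunnel_stanza("Tunnel2", "25.0.0.1", None, "prof")

# Same design with the fixes: IKEv2, AES-GCM, a PSK bound to the one peer, every tunnel keyed.
# Object names (P-GCM, POL, KR, IKEV2-PROF, TS-GCM, IPSEC-PROF) are this example's, not the thread's.
HARDENED = """crypto ikev2 proposal P-GCM
 encryption aes-gcm-256
 prf sha512
 group 19
crypto ikev2 policy POL
 proposal P-GCM
crypto ikev2 keyring KR
 peer R2
  address 100.0.0.2
  pre-shared-key <long-random-secret>
crypto ikev2 profile IKEV2-PROF
 match identity remote address 100.0.0.2 255.255.255.255
 authentication local pre-share
 authentication remote pre-share
 keyring local KR
crypto ipsec transform-set TS-GCM esp-gcm 256
crypto ipsec profile IPSEC-PROF
 set transform-set TS-GCM
 set ikev2-profile IKEV2-PROF
!
""" + tunnel_stanza("Tunnel0", "5.0.0.1", 5, "IPSEC-PROF") + tunnel_stanza("Tunnel2", "25.0.0.1", 25, "IPSEC-PROF")

if __name__ == "__main__":
    print("broken:", audit(BROKEN), "\nhardened:", audit(HARDENED) or "clean")
```

Run as is: the constructed broken config yields four findings (the missing key on Tunnel2, `hash md5`, the wildcard key, and the DES/MD5 transform set) and the hardened one yields none. To audit a real device, feed it the text of `show running-config`; the parser strips indentation, so a config pasted from a forum with its leading spaces lost parses the same way. R2 needs the mirror of the hardened block with 100.0.0.1 as the destination and peer address.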