cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1151
Views
10
Helpful
14
Replies

Two dmvpn tunnels on router usng the same Tunnel source interface.

jomo frank
Beginner
Beginner

Hello Expert,

 

I have a router (2811)  at head office that is connected to branch office via the internet.

I am using "dmvpn" between the two locations and this works okay.

We have acquired another internet provider at the branch for redundancy I build another dmvpn tunnel at head office, but because we are using  the physical interface for the two  dmvpn  tunnels I would like shared command.

At the Branch office I have two wan interface connect to each internet provider.

 

 

I humbly request if anyone can take a look at the attached configs and make any correction where necessary.

 

Regards

14 Replies 14

Georg Pauwen
VIP Master VIP Master
VIP Master

Hello,

 

on the branch (Lethem_test) router, you need to add the 'shared' keyword to both tunnels as well, since you are using the same profile for two tunnels.

 

tunnel protection ipsec profile CiscoCP_Profile1 shared

 

Other than that, the configs look ok.

Hello Georg,

 

Thanks for you prompt response, I will modify same and do some testing .

I will update you shortly.

 

Regards

 

 

Hello Georg,

 

I modified the two tunnels on the spoke(Lethem_test)     tunnel protection ipsec profile CiscoCP_Profile1 shared

 

When I tried to enable the secondary wan interface on the spoke router ((Lethem_test) the connection drops.

If I disable the interface the connection is re-established. 

I would like to have both wan interface and both tunnels up on the spoke to allow a failover if one IPS service is disrupted.

Unsure what is causing the issue.

Regards

 

Hello @jomo frank ,

have you added

tunnel key   <value>

 

with a different value within each tunnel ?

 

Hope to help

Giuseppe

 

Hello Giuseppe,

 

I added a tunnel valve but I do not have a different value for each tunnel

 

                                   Head office     (Hub)                                                          Lethem (Spoke)

                                 ---------------------                                             ----------------------

 

Tunnel 0                       tunnel key 100000                                                        tunnel key 100000

 

Tunnel 1                       tunnel key 110000                                                         tunnel key 110000

 

This are extracts from the current configuration , should I make each tunnel key unique?

 

Regards

Hello @jomo frank ,

>> his are extracts from the current configuration , should I make each tunnel key unique?

 

on a single node for sure it is a way to demultiplex packets for dffierent tunnels with same source/destination external addresses.

 

You should be fine from this point of view.

 

Hope to help

Giuseppe

 

Hello Guiseppe,

 

I will try unique tunnel key for each tunnel.

 

Regards

Hello Giuseppe,

 

I tried putting a unique tunnel key for each tunnel, when I enable the secondary wan interface on the Lethem router no eigrp adjacency is establish and the connection is lost.

I notice when the secondary. wan interface  (lethem) is enable they are two default route showing in the routing table.

Unsure if this reason  for the connection lost when ever the secondary wan interface is enabled

 

Regards

Hello @jomo frank ,

>> I notice when the secondary. wan interface (lethem) is enable they are two default route showing in the routing table.

 

>> I tried putting a unique tunnel key for each tunnel, when I enable the secondary wan interface on the Lethem router no eigrp adjacency is establish and the connection is lost.

 

You should at least have host static routes for the public IP addresses of the HUBs one with exit WAN1 and one with exit WAN2.

The default routes should be learned in EIGRP over tunnels if you want to have a centralized exit to the internet or you need to handle it in some way ( probably using two different  Front VRFs could be a solution ie having WAN1 and WAN2 in two different VRFs so that the two default routes wll not be used in load sharing)

 

Clearly the two default static routes can be a problem if the wrong WAN interface and source IP  address is used to attempt to reach the HUB on VPN

 

Hope to help

Giuseppe

 

MHM Cisco World
VIP Mentor VIP Mentor
VIP Mentor

...

If you get a chance post the system logs when you attempted to enable the secondary link and the connection dropped.

MHM Cisco World
VIP Mentor VIP Mentor
VIP Mentor

according to your post, 

there are two default route, then you need 

Front-door VRF for each tunnel source interface and global for tunnel interface itself.

 

NOTE:- please remove IPSec to check if the IPSec or routing is issue.

Hello  MHM,

Never use Front-door VR not sure how to configure same .

 

Regards

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers