11-14-2011 09:39 AM - edited 03-04-2019 02:16 PM
Hi,
I have a requirement as below,
VRF aware multiple GRE tunnel over single IPSEC tunnel.
The routing protocol will be BGP with the other GRE endpoints and need to use separate address-family for the two VRF configured under GRE tunnel.
Please advise me in this as I am not sure how to configure VRF aware multiple GRE tunnel over one IPSEC Site to Site VPN.
Thanks in advance,
Sree
11-14-2011 11:40 AM
This is a very complex requirement that requires specific knowledge in multiple areas. Where does the requirement come from for running BGP over GRE inside an IPSEC tunnel? In my opinion there will probably be an easier solution.
11-14-2011 11:49 AM
Thanks Andrew. Running BGP over GRE which is running over IPSEC tunnel is a common design. This requirement is more complex than the one mentioned.
Two VRF aware BGP sessions which need to run over two separate GRE tunnels within VRF and need to run these GRE tunnels over one IPSEC VPN. I know it seems to be a strange requirement.
Need help from you guys ..
Thanks in advance,
Thanks,
Anil.
11-14-2011 09:17 PM
Hi Anil,
Correct me if I am wrong, so the IPSEC tunnel is bound to the tunnel interface (using tunnel ipsec profile)?
If yes then you only need to specify ISAKMP profile using keyring (bind vrf there) and ipsec transform set.
Bind these 2 to ipsec profile, and then bind the profile to the tunnel interface, which practically will permit any (encrypt any) as long as the traffic goes through tunnel.
Let me know if you need any help for the specific portion of configs, maybe I can help there.
HTH,
Vikram
11-15-2011 12:56 AM
Hi Anil,
I agree with Vikram, what you need is just 2 GRE tunnels with IPSec aware configuration, look at this link
and after you just need to activate a BGP session in address-family for a certain VRF.
11-15-2011 01:21 AM
Hi Vikram & Konstantin,
Thanks for your valuable suggestions. The slight difference from your solution is that I need to use one IPSEC tunnel and two GRE (VRF aware) over that. Then I can run two BGP address-families.
The issue is how I can run two GRE tunnels sourcing from one IP address. A solution I found is to use tunnel key to differentiate the two GRE tunnels, so that two GRE tunnels, even sourcing from the same IP address and with destination also to the same IP address, will be different.
But I need to test it to confirm. As always, suggestions are appreciated.
Regards,
Anil.
11-15-2011 01:32 AM
Just to be sure that we speak about the same issue - I suppose one can't use the "same" IPSec tunnel with 2 different destinations, I mean IPSec is session specific (source-destination address), each session uses a separate IPSec tunnel. But you may _configure_ a single IPSec profile, where you define a destination and/or access-list which will be used to crypt the traffic, and apply it onto the physical interface which is used to transmit the GRE traffic.
11-21-2011 03:00 PM
Many thanks to all who replied to my query.
I have managed to do this design by using two different tunnel keys for the two GRE tunnels with source and destination as the same over IPSEC VPN. Working fine.
Regards,
Anil.