
IKE Profile-based tunnel selection

Wes Smith
Level 1

Hello

I'm designing a new dual cloud/dual hub DMVPN network.

The spoke routers will have:

  1. Two DMVPN clouds (Red and Blue)
  2. Two tunnel interfaces, one to each DMVPN cloud (tunnel10 and tunnel11)
  3. IKEv2 only
  4. A single interface into the Internet in its own FVRF. This is shared by both tunnels
  5. PKI certs for authentication. All certs come from the same CA
  6. We will have some dynamic addresses, so we do not want to use any IP-address-based criteria for crypto or otherwise

This works fine if I use the 'shared' keyword with the tunnel protect command on the tunnels. 

But I need to make it work with the new IKE profile based tunnel selection. 

My issue is what 'match' criteria to use so I can uniquely identify RED or BLUE spokes in an IKE profile.

All the spokes will be using a common Domain so I can't use fqdn or email to identify them.

I can't match on certificate because that is also common for the spoke and will be used for both RED and BLUE

So I'm stumped on what match criteria to use!!

8 Replies

AllertGen
Level 3
Accepted Solution

Hello.

Are you planning to use the same certificates for RED and BLUE? If it's not the same certificate, you can try to use an OU to separate them.

Hi

As far as I know, the spokes can only have one identity and it gets used for both DMVPN clouds.

This means they have common attributes for both tunnels:

  1. The same domain name (i.e. br1.something.com)
  2. The same email domain (br1@something.com)
  3. Random tunnel IP addresses (for the external/Internet interface)
  4. The same FVRF
  5. And the same certificate authority

I'm really stumped on how one would ever have a spoke use this profile-based tunnel selection feature to identify which profile should be used for an incoming IKE request.

Hi, Wes.

At each branch you have 2 different PKI certificates (I think you have :) ), one for each cloud. In the first certificate you can set OU=RED and in the second OU=BLUE.

And on each hub router you can add these lines:

crypto ca certificate map CERF_MAP_RED 10
 subject-name attr ou eq RED
exit

crypto ca certificate map CERF_MAP_BLUE 10
 subject-name attr ou eq BLUE
exit

crypto isakmp profile RED
 match certificate CERF_MAP_RED
exit

crypto isakmp profile BLUE
 match certificate CERF_MAP_BLUE
exit

crypto ipsec profile BLUE
 set isakmp-profile BLUE
exit

crypto ipsec profile RED
 set isakmp-profile RED
exit

But I haven't tested this solution on routers (only on an ASA).

And OU is not the only field that you can use in certificates.

There is a common CA and the routers only have 1 cert each.

I don't think I can have two certs from the same CA?

I think the crux of this problem is how to make the routers identify themselves uniquely depending on the tunnel interface used.

It would be great if we could use the NHRP or tunnel key, but that isn't part of the IKE setup.

Still stumped.

Hi, Wes Smith.

I found this solution: http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/27860-ios-enhanced-enrollment.html

But in this solution they tried to use different CA servers. So my suggestion is this: can you try to create 2 different trustpoints with the same server URL but different subject-name, and enroll a certificate from each trustpoint?

I wanted to test it before sending you the information, but I don't have a spare router with me right now.

Turns out you can specify a unique identity in the IKEv2 profile.

I used two different email identities: spoke@tunnel10.com and spoke@tunnel11.com. Using fqdn for identity works as well.

The match statement uses the email 'domain' keyword, so it's only looking at tunnel10.com or tunnel11.com.

I think your suggestion of using different OUs may work as well. I will try later.

Looks like this:

crypto ikev2 profile CRY_IKE_PROFILE_TUNNEL10
 match fvrf INET
 match identity remote email domain tunnel10.com
 identity local email spoke@tunnel10.com
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint blahblah
 dpd 30 5 on-demand

crypto ikev2 profile CRY_IKE_PROFILE_TUNNEL11
 match fvrf INET
 match identity remote email domain tunnel11.com
 identity local email spoke@tunnel11.com
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint blahblah
 dpd 30 5 on-demand

! IKEv2 profile removed from the IPsec profile
crypto ipsec profile CRY_IPSEC_PROFILE1
 set transform-set CRY_IPSEC_TRANSFORM1
 set pfs group14

Specify the IKE profile to use in the tunnel protection command:

interface Tunnel10
 tunnel protection ipsec profile CRY_IPSEC_PROFILE1 ikev2-profile CRY_IKE_PROFILE_TUNNEL10

interface Tunnel11
 tunnel protection ipsec profile CRY_IPSEC_PROFILE1 ikev2-profile CRY_IKE_PROFILE_TUNNEL11

Forgot to add.

I get this message now.

%CRYPTO-6-IKMP_NO_ID_CERT_USER_FQDN_MATCH: ID of spoke@tunnel10.com (type 3) and certificate user fqdn with empty.

I think this is a result of changing the identity to something other than the fqdn in the certificate.  

It doesn't seem to affect anything.
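As an added example (my own, not from this thread or from Cisco), a small Python check that parses a spoke config in the shape posted above and flags the slips that are easy to make with profile-based tunnel selection: a duplicated interface stanza (the original post had "Int tunnel10" twice) that leaves one IKEv2 profile bound to no tunnel, a tunnel referencing an undefined profile, and two profiles with identical match statements that a responder could not tell apart. The sample config and all names are constructed.

```python
import re
from collections import Counter, defaultdict
# Constructed sample (not the thread's text verbatim): mirrors the posted spoke
# config, including the copy/paste slip where both stanzas read "interface Tunnel10".
SAMPLE_CFG = """
crypto ikev2 profile CRY_IKE_PROFILE_TUNNEL10
 match fvrf INET
 match identity remote email domain tunnel10.com
crypto ikev2 profile CRY_IKE_PROFILE_TUNNEL11
 match fvrf INET
 match identity remote email domain tunnel11.com
interface Tunnel10
 tunnel protection ipsec profile CRY_IPSEC_PROFILE1 ikev2-profile CRY_IKE_PROFILE_TUNNEL10
interface Tunnel10
 tunnel protection ipsec profile CRY_IPSEC_PROFILE1 ikev2-profile CRY_IKE_PROFILE_TUNNEL11
"""

def parse_stanzas(cfg):
    """Split an IOS config into (header, body_lines) pairs; duplicates are kept."""
    stanzas = []
    for raw in cfg.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] != " ":
            stanzas.append((raw.strip(), []))
        elif stanzas:
            stanzas[-1][1].append(raw.strip())
    return stanzas

def check_tunnel_selection(cfg):
    """Report bindings/criteria that would break IKEv2 profile-based tunnel selection."""
    profiles, bindings, headers = {}, {}, Counter()
    for header, body in parse_stanzas(cfg):
        headers[header.lower()] += 1
        if header.startswith("crypto ikev2 profile "):
            # The responder picks a profile by its match statements, so that set is the key.
            profiles[header.split()[-1]] = frozenset(l for l in body if l.startswith("match "))
        elif header.lower().startswith("interface "):
            for line in body:
                m = re.search(r"ikev2-profile (\S+)", line)
                if m:  # IOS merges repeated stanzas, so the last binding wins
                    bindings[header.split()[-1]] = m.group(1)
    findings = [f"duplicate stanza '{h}' ({n}x): later lines overwrite earlier ones"
                for h, n in headers.items() if n > 1]
    findings += [f"{t}: ikev2-profile {p} is not defined" for t, p in bindings.items() if p not in profiles]
    findings += [f"{p}: defined but bound to no tunnel" for p in set(profiles) - set(bindings.values())]
    by_match = defaultdict(list)
    for name, crit in profiles.items():
        by_match[crit].append(name)
    findings += ["identical match criteria in " + ", ".join(sorted(n)) for n in by_match.values() if len(n) > 1]
    return sorted(findings)
```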

Hi, Wes Smith.

Yes, it's as you said. Your VPN server is checking the FQDN of your router against the FQDN in the certificate and sees that they don't match, and for this reason it gives you the error.

I'm glad that all works well.

Best Regards.