Presently we have configured a GRE tunnel on my switch 3650-48-TS from my HO site to Remote site-A and site-B; both tunnels are working fine.
Last week we shifted from GRE to IPsec over GRE on my Cisco 3650-48-TS switch with IOS version 16.3.3 on the VIP interface (using HSRP), but we are facing a problem while establishing both tunnels simultaneously.
ACLs are created with the keyword any:
permit 172.16.1.0 0.0.0.255 any
We have created multiple ACLs for both remote sites and separate ISAKMP policies called in the same crypto map.
While establishing the tunnel, phase 2 creation creates a problem.
Currently we are able to communicate with one site at a time.
Kindly find the attached diagram.
Your opinion and suggestion on whether my hardware device (Cisco switch 3650) with the current IOS supports this scenario or not.
If both VPNs contain the same interesting traffic (crypto map ACL: permit 172.16.1.0 0.0.0.255 any), it is normal that only one VPN would be up at a time.
It would mean that the interesting traffic overlaps on both crypto maps and only one will take over.
Workaround: define the remote networks in the crypto ACLs instead of using "any" as the destination.
For further troubleshooting we would need debugs to determine why the VPN would not come up:
debug crypto isakmp
debug crypto ipsec
Rate if it helps.
TAC - VPN Engineer.
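The overlap the TAC engineer describes can be checked before the crypto map is applied. The script below is an added example, not code from the original thread or from Cisco: it parses IOS-style crypto ACL entries into networks, then reports every pair of entries across two crypto-map sequences whose source and destination ranges both intersect, which is exactly the condition under which two peers compete for the same interesting traffic. The ACLs are constructed for illustration: the "weak" pair repeats the `permit 172.16.1.0 0.0.0.255 any` line from the post, and the "fixed" pair uses placeholder remote networks (10.1.0.0/16 for site-A, 10.2.0.0/16 for site-B) that are assumptions, not values from the page.

```python
import ipaddress
from itertools import product

ANY = ipaddress.ip_network("0.0.0.0/0")
# Protocol keywords that may follow "permit" in an extended ACL entry
PROTOCOLS = {"ip", "gre", "tcp", "udp", "icmp", "esp", "ahp"}


def wildcard_to_network(addr, wildcard):
    """Convert an IOS address/wildcard pair (e.g. 172.16.1.0 0.0.0.255) to a network."""
    wc = int(ipaddress.IPv4Address(wildcard))
    mask = (~wc) & 0xFFFFFFFF
    prefixlen = bin(mask).count("1")
    # A usable wildcard is a contiguous run of low bits; anything else is rejected
    if mask != (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)


def _take_address(tokens):
    """Consume one address specification: any | host A.B.C.D | A.B.C.D W.W.W.W."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return ipaddress.ip_network(f"{tokens.pop(0)}/32")
    return wildcard_to_network(tok, tokens.pop(0))


def parse_ace(line):
    """Return (src_net, dst_net) for a permit entry, or None for deny/other lines."""
    tokens = line.split()
    if tokens and tokens[0].isdigit():  # optional sequence number
        tokens.pop(0)
    if tokens.pop(0) != "permit":
        return None  # deny entries never select traffic for encryption
    if tokens[0] in PROTOCOLS:
        tokens.pop(0)
    src = _take_address(tokens)
    dst = _take_address(tokens)
    return (src, dst)


def parse_acl(text):
    """Parse a block of ACL lines, skipping blanks and '!' comments."""
    entries = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        ace = parse_ace(line)
        if ace:
            entries.append(ace)
    return entries


def overlapping_flows(acl_a, acl_b):
    """Pairs of entries whose source AND destination ranges intersect.

    Any hit means a packet can match both crypto-map sequences, so only one
    IPsec SA will end up carrying that traffic.
    """
    hits = []
    for (sa, da), (sb, db) in product(acl_a, acl_b):
        if sa.overlaps(sb) and da.overlaps(db):
            hits.append(((sa, da), (sb, db)))
    return hits


# Constructed sample ACLs. The weak pair mirrors the original post: both
# sequences use "any" as the destination, so they cover identical traffic.
WEAK_SITE_A = "permit 172.16.1.0 0.0.0.255 any"
WEAK_SITE_B = "permit 172.16.1.0 0.0.0.255 any"

# Corrected pair: each sequence names its own remote network. The remote
# networks below are placeholder assumptions, not values from the thread.
FIXED_SITE_A = "permit ip 172.16.1.0 0.0.0.255 10.1.0.0 0.0.255.255"
FIXED_SITE_B = "permit ip 172.16.1.0 0.0.0.255 10.2.0.0 0.0.255.255"


def report(label, acl_a, acl_b):
    """Print the overlap verdict for one pair of crypto ACLs and return the hits."""
    hits = overlapping_flows(parse_acl(acl_a), parse_acl(acl_b))
    verdict = "OVERLAP - only one SA will carry this traffic" if hits else "disjoint - both SAs can coexist"
    print(f"{label}: {verdict}")
    for (sa, da), (sb, db) in hits:
        print(f"  {sa} -> {da}  collides with  {sb} -> {db}")
    return hits


if __name__ == "__main__":
    report("weak  (any destination)", WEAK_SITE_A, WEAK_SITE_B)
    report("fixed (remote networks)", FIXED_SITE_A, FIXED_SITE_B)
```

Running the script flags the weak pair as a full collision and the fixed pair as disjoint. For GRE tunnels the same check applies to the tunnel endpoints themselves: writing the crypto ACL as `permit gre host <tunnel source> host <tunnel destination>` gives each peer a unique selector, which is the usual way to keep two GRE-over-IPsec tunnels on one crypto map from competing.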