
DMVPN + IPSec protected VRFs; IPSec SAs established only on one tunnel interface

wellu
Level 1

Hello folks!

I have a setup between two Cisco ISR routers, running IOS 15.1(4)M3. I have tried to establish DMVPN connectivity with two VRFs (i.e. two tunnel interfaces per router) between the routers and it mostly seems to be working as I expected. But... IPSec SAs seem to get tied to only one of the tunnel interfaces, not two (one per direction) per tunnel interface as they should. There's no MPLS backbone in between the routers, only a "global VRF", routed IP network.

The command "show crypto ipsec sa", or indirectly a missing OSPF neighborhood between the routers, verifies the erroneous situation. Occasionally, after an "interface tunnel[ 0 or 1] shut, no shut" or "clear crypto sa" command I seem to get it up and running, two SAs per tunnel interface, but if I reboot either one of the routers or just clear the IPSec SA, they most likely will appear under only one of the two tunnel interfaces. So, what should I change to instruct the router to set up SAs correctly, two SAs (one per direction) per tunnel interface?

I'll enclose appropriate parts of the configurations and output of command "show crypto ipsec sa".

2 Replies

mstreb1585
Level 1

wellu - Did you ever find a solution to this problem? I'm experiencing the same issue on a new implementation. This is the first thing I've found so far that describes the exact problem I have.

I think I figured it out, for anyone who might stumble across this post in the future. It looks like you need to add the shared keyword to the tunnel protection command, i.e.:

interface tunnel 0
 ...
 tunnel protection ipsec profile MyProfile shared
end

I should note that one of the first things I tried was to create a separate IPSec profile for each unique tunnel interface. It ended up not fixing the problem and I had to go with the solution above.
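To put the fix above in context, here is an added example configuration (written for this page, not the configuration of either poster) of the situation the thread describes: two mGRE tunnel interfaces, one per customer VRF, that share the same tunnel source and the same IPsec profile. When several tunnel interfaces share one source address and one profile, IOS needs the shared keyword so that the tunnels share a single IPsec SADB, and each tunnel needs a distinct tunnel key so that the router can tell the two mGRE tunnels apart on the common source. The VRF names, addresses, NHRP network-ids, key names and the profile name MyProfile (taken from the reply above) are placeholders; the pre-shared key is a placeholder as well.

```cisco
! Added example, not from the thread. All names, addresses and keys are placeholders.
! Crypto policy shared by both tunnels (assumed values, adjust to local policy).
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
! Placeholder wildcard PSK; in production narrow the peer address or use certificates.
crypto isakmp key EXAMPLE_PSK address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
 mode transport
!
! One IPsec profile is enough; the reply notes a profile per tunnel did not help.
crypto ipsec profile MyProfile
 set transform-set TS-AES
!
vrf definition CUST-A
 rd 65000:1
 address-family ipv4
 exit-address-family
vrf definition CUST-B
 rd 65000:2
 address-family ipv4
 exit-address-family
!
! Tunnel for VRF CUST-A: same source and profile as Tunnel1, so "shared" is required
! and the tunnel key must differ from Tunnel1's.
interface Tunnel0
 vrf forwarding CUST-A
 ip address 10.0.0.1 255.255.255.0
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile MyProfile shared
!
! Tunnel for VRF CUST-B: identical pattern with its own tunnel key and NHRP network-id.
interface Tunnel1
 vrf forwarding CUST-B
 ip address 10.0.1.1 255.255.255.0
 ip nhrp map multicast dynamic
 ip nhrp network-id 2
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 2
 tunnel protection ipsec profile MyProfile shared
!
! Verification after a reload or "clear crypto sa": each "interface: TunnelN" section of
!   show crypto ipsec sa
! should list both an inbound and an outbound ESP SA, and
!   show dmvpn
!   show crypto session
! should show both tunnels up with their peer, rather than SAs under only one tunnel.
```

The symptom in the original post (SAs landing under one tunnel interface, sometimes recovering after a shut/no shut) is what you would expect when two tunnels compete for the same source/profile pair without shared; with shared and distinct tunnel keys the SA pair is set up once for the common source and used by both tunnels, which is why the verification looks at both tunnel sections of show crypto ipsec sa rather than counting SAs per interface in isolation.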