Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4999
Views
0
Helpful
6
Replies

DMVPN isakmp profile

emergismsh
Level 1
Level 1

‎06-15-2010 12:40 PM - edited ‎02-21-2020 04:41 PM

Hi, I use the following DMVPN Setup: I have 2 Hub configure in MGRE and every Spoke has 2 tunnel to each Hub, one from a primary link (like cable modem or DSL) and a secondary from an dialup link for redundancy.  All the spoke are in MGRE because they're doing Spoke to Spoke
Here is the tunnel configuration from one of ny hub:

crypto keyring DMVPNKEY
  pre-shared-key address 0.0.0.0 0.0.0.0 key ???????

crypto isakmp profile DMVPNISAKMP
   keyring DMVPNKEY
   match identity address 0.0.0.0
   keepalive 20 retry 3

crypto ipsec transform-set DMVPNSEC esp-3des esp-sha-hmac
mode transport

crypto ipsec profile IPSECPROFILE
set transform-set DMVPNSEC
set isakmp-profile DMVPNISAKMP

interface Tunnel0
bandwidth 5000
ip address x.x.x.x x.x.x.x
no ip redirects
no ip proxy-arp
ip mtu 1436
no ip next-hop-self eigrp 110
ip nhrp authentication NHRPKEY
ip nhrp map multicast dynamic
ip nhrp network-id 99
ip nhrp holdtime 600
ip nhrp cache non-authoritative
no ip split-horizon eigrp 110
no ip mroute-cache
delay 1000
qos pre-classify
keepalive 5 3
tunnel source FastEthernet4
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile IPSECPROFILE shared

interface Tunnel1
bandwidth 1000
ip address y.y.y.y y.y.y.y
no ip redirects
no ip proxy-arp
ip mtu 1436
no ip next-hop-self eigrp 110
ip nhrp authentication NHRPKEY1
ip nhrp map multicast dynamic
ip nhrp network-id 100
ip nhrp holdtime 600
ip nhrp cache non-authoritative
no ip split-horizon eigrp 110
no ip mroute-cache
delay 5000
qos pre-classify
keepalive 5 3
tunnel source FastEthernet0/1
tunnel mode gre multipoint
tunnel key 200000
tunnel protection ipsec profile IPSECPROFILE shared

My problem is that I have another DMVPN on the same HUB that use another keyring.  I want to know if it is possible to configure different tunnel protection ipsec profile IPSECPROFILE shared with different Tunnel interfaces with the same tunnel source?

Thanks

Labels:
0 Helpful
6 Replies 6

adhar
Level 1
Level 1

‎06-18-2010 04:51 PM

http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/share_ipsec_w_tun_protect.html#wp1081269

All tunnels with the same tunnel source interface must use the same IPsec profile and the shared keyword with the tunnel protection command on all  such tunnels. The only exception is a scenario when there are only  peer-to-peer (P2P) GRE tunnel interfaces configured with the same tunnel  source in the system all with unique tunnel destination IP addresses.

0 Helpful

emergismsh
Level 1
Level 1
In response to adhar

‎06-22-2010 08:01 AM

Thanks for the answer.  Its seems to be clear but i've been able to have multiple ISAKMP profile with MGRE by doing the following:

I boot the cisco routeur with 1 tunnel interface in MGRE with 1 ISAKMP profile.  After un add mannually another Key with ISAKMP Profile associated with another tunnel interface and its working.  But if I save the config and I reboot, there's only one of the tunnel that's working.  If I remove the non-working tunnel/ISAKMP profile and add it back, it working!!!!

Is it normal or is a kind of a bug in the IOS? I use the folliwing: c3745-advsecurityk9-mz.124-15.T1.bin

0 Helpful

adhar
Level 1
Level 1
In response to emergismsh

‎06-22-2010 04:38 PM

Please add the configuration for the second profile?

0 Helpful

emergismsh
Level 1
Level 1
In response to adhar

‎06-23-2010 08:28 AM

Here is the real configuration of my primary hub

68188-CONFIG.txt.zip
0 Helpful

adhar
Level 1
Level 1
In response to emergismsh

‎06-23-2010 03:52 PM

I looked at your config and clearly this is not supported per my previous link. Precisely, that is why you are having issues with this configuration. When you have a production network scalability and reliability is a goal in a proper design. Not to mention supportability issue in case you contact Cisco TAC/Support forums.

When something is not supported you will get inconsistent results and that is exactly what you are seeing. Kudos for trying though.

You will either need to have a unique source interface to have multiple profiles on tunnels ( e.g using unique loopbacks per tunnel source interface - challenge is to have those loopbacks routable)  or you need to have gre ptp instead of gre multipoint and in that case using "shared" keyword is not required.

Hopefully this helps.

0 Helpful

emergismsh
Level 1
Level 1
In response to adhar

‎06-28-2010 06:48 AM

Thank you very much, your answer wa helpfull

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents