06-15-2010 12:40 PM - edited 02-21-2020 04:41 PM
Hi, I use the following DMVPN setup: I have 2 hubs configured in mGRE and every spoke has 2 tunnels to each hub, one from a primary link (like cable modem or DSL) and a secondary from a dialup link for redundancy. All the spokes are in mGRE because they're doing spoke-to-spoke.
Here is the tunnel configuration from one of my hubs:
crypto keyring DMVPNKEY
 pre-shared-key address 0.0.0.0 0.0.0.0 key ???????
crypto isakmp profile DMVPNISAKMP
 keyring DMVPNKEY
 match identity address 0.0.0.0
 keepalive 20 retry 3
crypto ipsec transform-set DMVPNSEC esp-3des esp-sha-hmac
 mode transport
crypto ipsec profile IPSECPROFILE
 set transform-set DMVPNSEC
 set isakmp-profile DMVPNISAKMP
interface Tunnel0
 bandwidth 5000
 ip address x.x.x.x x.x.x.x
 no ip redirects
 no ip proxy-arp
 ip mtu 1436
 no ip next-hop-self eigrp 110
 ip nhrp authentication NHRPKEY
 ip nhrp map multicast dynamic
 ip nhrp network-id 99
 ip nhrp holdtime 600
 ip nhrp cache non-authoritative
 no ip split-horizon eigrp 110
 no ip mroute-cache
 delay 1000
 qos pre-classify
 keepalive 5 3
 tunnel source FastEthernet4
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile IPSECPROFILE shared
interface Tunnel1
 bandwidth 1000
 ip address y.y.y.y y.y.y.y
 no ip redirects
 no ip proxy-arp
 ip mtu 1436
 no ip next-hop-self eigrp 110
 ip nhrp authentication NHRPKEY1
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 ip nhrp holdtime 600
 ip nhrp cache non-authoritative
 no ip split-horizon eigrp 110
 no ip mroute-cache
 delay 5000
 qos pre-classify
 keepalive 5 3
 tunnel source FastEthernet0/1
 tunnel mode gre multipoint
 tunnel key 200000
 tunnel protection ipsec profile IPSECPROFILE shared
My problem is that I have another DMVPN on the same hub that uses another keyring. I want to know if it is possible to configure different "tunnel protection ipsec profile ... shared" profiles on different Tunnel interfaces with the same tunnel source?
Thanks
06-18-2010 04:51 PM
All tunnels with the same tunnel source interface must use the same IPsec profile and the shared keyword with the tunnel protection command on all such tunnels. The only exception is a scenario when there are only peer-to-peer (P2P) GRE tunnel interfaces configured with the same tunnel source in the system all with unique tunnel destination IP addresses.
06-22-2010 08:01 AM
Thanks for the answer. It seems to be clear, but I've been able to have multiple ISAKMP profiles with mGRE by doing the following:
I boot the Cisco router with 1 tunnel interface in mGRE with 1 ISAKMP profile. Afterwards I manually add another key with an ISAKMP profile associated with another tunnel interface, and it's working. But if I save the config and reboot, only one of the tunnels is working. If I remove the non-working tunnel/ISAKMP profile and add it back, it's working!!!!
Is it normal, or is it a kind of bug in the IOS? I use the following: c3745-advsecurityk9-mz.124-15.T1.bin
06-22-2010 04:38 PM
Please add the configuration for the second profile?
06-23-2010 08:28 AM
06-23-2010 03:52 PM
I looked at your config and clearly this is not supported, per my previous link. Precisely, that is why you are having issues with this configuration. When you have a production network, scalability and reliability are goals in a proper design. Not to mention the supportability issue in case you contact Cisco TAC/support forums.
When something is not supported you will get inconsistent results, and that is exactly what you are seeing. Kudos for trying though.
You will either need to have a unique source interface to have multiple profiles on tunnels (e.g. using unique loopbacks per tunnel source interface; the challenge is to have those loopbacks routable), or you need to have GRE P2P instead of GRE multipoint, and in that case using the "shared" keyword is not required.
Hopefully this helps.
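As an added illustration (not part of the thread, and not Cisco's own tooling), the following Python script encodes the rule stated in the two replies above as a configuration lint: tunnel interfaces that share a tunnel source must all use the same IPsec profile with the "shared" keyword, and the only exception is a source on which every tunnel is point-to-point GRE with a unique tunnel destination. It parses flat IOS-style text like the configuration posted in this thread and reports violations. The three sample configurations are constructed for the example: UNSUPPORTED reproduces the situation the original poster describes (two mGRE tunnels on FastEthernet4 with different IPsec profiles), FIXED moves the second DMVPN to an assumed Loopback1 source as the reply suggests, and P2P_OK shows the documented exception. The interface name Loopback1, the profile name IPSECPROFILE2 and the addresses are placeholders.

```python
"""Lint for the DMVPN 'tunnel protection ... shared' rule discussed in this thread."""
import re
from collections import defaultdict


def parse_tunnels(config: str) -> dict:
    """Return {tunnel_name: {source, mode, destination, profile, shared}}.

    Only the keywords the rule depends on are extracted; indentation is optional,
    so the flat text as pasted into the forum parses as well as a real show run.
    """
    tunnels = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"interface (Tunnel\d+)$", line)
        if m:
            current = m.group(1)
            # GRE/IP point-to-point is the IOS default tunnel mode
            tunnels[current] = {"source": None, "mode": "gre ip", "destination": None,
                                "profile": None, "shared": False}
            continue
        if line.startswith("interface "):
            current = None  # some non-tunnel interface follows
            continue
        if current is None:
            continue
        t = tunnels[current]
        if line.startswith("tunnel source "):
            t["source"] = line.split(None, 2)[2]
        elif line.startswith("tunnel mode "):
            t["mode"] = line[len("tunnel mode "):]
        elif line.startswith("tunnel destination "):
            t["destination"] = line.split(None, 2)[2]
        elif line.startswith("tunnel protection ipsec profile "):
            parts = line.split()
            t["profile"] = parts[4]
            t["shared"] = "shared" in parts[5:]
    return tunnels


def check_shared_source_rule(config: str) -> list:
    """Return human-readable violations; an empty list means the layout is supported."""
    by_source = defaultdict(list)
    for name, t in parse_tunnels(config).items():
        if t["source"]:
            by_source[t["source"]].append((name, t))
    problems = []
    for source, members in by_source.items():
        if len(members) < 2:
            continue  # a unique tunnel source never conflicts
        all_p2p = all(t["mode"] != "gre multipoint" for _, t in members)
        dests = [t["destination"] for _, t in members]
        if all_p2p and None not in dests and len(set(dests)) == len(dests):
            continue  # the documented exception: only P2P GRE with unique destinations
        profiles = {t["profile"] for _, t in members}
        if len(profiles) > 1:
            names = ", ".join(n for n, _ in members)
            problems.append(f"{source}: {names} use different IPsec profiles "
                            f"({', '.join(sorted(p or 'none' for p in profiles))})")
        for name, t in members:
            if t["profile"] and not t["shared"]:
                problems.append(f"{source}: {name} needs the 'shared' keyword")
    return problems


# Constructed sample: second DMVPN on the same physical source (unsupported).
UNSUPPORTED = """
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 tunnel source FastEthernet4
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile IPSECPROFILE shared
interface Tunnel2
 ip address 10.0.2.1 255.255.255.0
 tunnel source FastEthernet4
 tunnel mode gre multipoint
 tunnel key 300000
 tunnel protection ipsec profile IPSECPROFILE2 shared
"""

# Constructed sample: second DMVPN moved to its own (assumed) Loopback1 source.
FIXED = UNSUPPORTED.replace(
    " tunnel source FastEthernet4\n tunnel mode gre multipoint\n tunnel key 300000\n"
    " tunnel protection ipsec profile IPSECPROFILE2 shared",
    " tunnel source Loopback1\n tunnel mode gre multipoint\n tunnel key 300000\n"
    " tunnel protection ipsec profile IPSECPROFILE2")

# Constructed sample: the exception, P2P GRE tunnels with unique destinations.
P2P_OK = """
interface Tunnel10
 tunnel source FastEthernet4
 tunnel destination 203.0.113.10
 tunnel protection ipsec profile IPSECPROFILE
interface Tunnel11
 tunnel source FastEthernet4
 tunnel destination 203.0.113.11
 tunnel protection ipsec profile IPSECPROFILE2
"""

if __name__ == "__main__":
    for label, cfg in (("unsupported", UNSUPPORTED), ("fixed", FIXED), ("p2p", P2P_OK)):
        print(label, check_shared_source_rule(cfg) or "OK")
```

Running the script prints one violation for the unsupported layout (FastEthernet4 carrying two mGRE tunnels with different profiles) and "OK" for the other two, which matches the reply's two workarounds: a unique source interface per profile, or point-to-point GRE where "shared" is not needed. The lint also flags an mGRE tunnel that shares a source but omits "shared", a separate misconfiguration worth catching before a reboot reveals it.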
06-28-2010 06:48 AM
Thank you very much, your answer was helpful.