DMVPN - One Crypto Profile Use for Two Tunnels (Under VRF)

bravealikhan
Level 1

Hi,

I'd like to ask: could we use one crypto IPsec profile on two different tunnels with the shared keyword where the source WAN interface is the same? Or must we use two different profiles for two different tunnels?

e.g. 

crypto ikev2 keyring VPN-R
 peer ANY
  address 0.0.0.0 0.0.0.0
  pre-shared-key 6 x x x x x

crypto ikev2 profile VPN-IKE-P
 match fvrf Global
 match identity remote address 0.0.0.0
 authentication remote pre-share
 authentication local pre-share
 keyring local VPN-R

crypto ipsec profile VPN-IPEC-P
 set transform-set VPN-TS
 set pfs group16
 set ikev2-profile VPN-IKE-P

interface Tunnel0
 ....
 tunnel source GigabitEthernet0/0/0
 tunnel mode gre multipoint
 (Tunnel Configs)
 tunnel protection ipsec profile VPN-IPEC-P shared

.... .... ....

interface Tunnel100
 tunnel source GigabitEthernet0/0/0
 tunnel mode gre multipoint
 (Tunnel Configs)
 tunnel protection ipsec profile VPN-IPEC-P shared

Thanks

2 Replies

Pulkit Mittal
Spotlight

As per this article, the Sharing IPsec with Tunnel Protection feature is required in some DMVPN configurations. If IPsec SA sessions are not shared within the same IPsec SADB, then an IPsec SA may get associated with the wrong IPsec SADB and therefore with the wrong tunnel interface, thereby causing duplicate IPsec SAs and tunnel interfaces to flap, which in turn results in network connectivity problems.

If you find this useful, please mark it helpful and Accept the Solution.

Whenever you use the same interface for the tunnel source, you need to use the shared keyword with the IPsec profile.
MHM
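
A configuration check for the condition discussed in this thread, added here as an example and not taken from either reply or from Cisco: it parses IOS-style configuration text and reports protected tunnel interfaces that use the same tunnel source as another protected tunnel but lack the shared keyword. The sample configuration is constructed, the function names are hypothetical, and interface names are assumed to be written out in full, as in a running-config.

```python
import re
from collections import defaultdict

# Constructed sample: Tunnel100 reuses Tunnel0's source but omits "shared".
SAMPLE = """\
interface Tunnel0
 tunnel source GigabitEthernet0/0/0
 tunnel protection ipsec profile VPN-IPEC-P shared
!
interface Tunnel100
 tunnel source GigabitEthernet0/0/0
 tunnel protection ipsec profile VPN-IPEC-P
!
interface Tunnel200
 tunnel source GigabitEthernet0/0/1
 tunnel protection ipsec profile OTHER-P
"""

def parse_tunnels(config):
    """Return {tunnel: {"source": str, "profile": str, "shared": bool}}."""
    tunnels, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"interface\s+(Tunnel\d+)$", line, re.I)
        if m:
            current = tunnels.setdefault(
                m.group(1), {"source": None, "profile": None, "shared": False})
        elif raw and not raw[0].isspace():
            current = None  # unindented line: the interface block has ended
        elif current is not None:
            m = re.match(r"tunnel source\s+(\S+)", line, re.I)
            if m:
                current["source"] = m.group(1).lower()
            m = re.match(r"tunnel protection ipsec profile\s+(\S+)(\s+shared)?", line, re.I)
            if m:
                current["profile"], current["shared"] = m.group(1), bool(m.group(2))
    return tunnels

def audit_shared(config):
    """List protected tunnels that share a tunnel source but lack 'shared'."""
    by_source = defaultdict(list)
    for name, t in parse_tunnels(config).items():
        if t["source"] and t["profile"]:
            by_source[t["source"]].append((name, t["shared"]))
    return sorted((name, source) for source, group in by_source.items()
                  if len(group) > 1 for name, shared in group if not shared)

if __name__ == "__main__":
    for name, source in audit_shared(SAMPLE):
        print(f"{name}: source {source} is reused, but 'shared' is missing")
```

Tunnel200 is not reported because no other protected tunnel uses its source interface.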