03-11-2024 10:11 PM
Hi,
I'd like to ask: can we use one crypto IPsec profile on two different tunnels with the shared keyword when the source WAN interface is the same, or do we need two different profiles for two different tunnels?
e.g.
crypto ikev2 keyring VPN-R
 peer ANY
  address 0.0.0.0 0.0.0.0
  pre-shared-key 6 x x x x x
crypto ikev2 profile VPN-IKE-P
 match fvrf Global
 match identity remote address 0.0.0.0
 authentication remote pre-share
 authentication local pre-share
 keyring local VPN-R
crypto ipsec profile VPN-IPEC-P
 set transform-set VPN-TS
 set pfs group16
 set ikev2-profile VPN-IKE-P
interface Tunnel0
 ....
 tunnel source GigabitEthernet0/0/0
 tunnel mode gre multipoint
 (Tunnel Configs)
 tunnel protection ipsec profile VPN-IPEC-P shared
.... .... ....
interface Tunnel100
 tunnel source GigabitEthernet0/0/0
 tunnel mode gre multipoint
 (Tunnel Configs)
 tunnel protection ipsec profile VPN-IPEC-P shared
Thanks
03-11-2024 10:18 PM
As per this article, the Sharing IPsec with Tunnel Protection feature is required in some DMVPN configurations. If IPsec SA sessions are not shared within the same IPsec SADB, an IPsec SA may get associated with the wrong IPsec SADB and therefore with the wrong tunnel interface, causing duplicate IPsec SAs and tunnel interface flaps, which in turn result in network connectivity problems.
If you find this useful, please mark it helpful and Accept the Solution.
03-11-2024 10:36 PM
Whenever you use the same interface for the tunnel source, you need to use the shared keyword with the IPsec profile.
MHM
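The rule given in the replies above (tunnels that share one tunnel source must all carry the shared keyword on their tunnel protection line) is easy to get wrong on a router with many DMVPN clouds, so here is a small audit script that applies it to a running-config. This is an added example, not code from the thread or from Cisco: the config text embedded in it is constructed for the demonstration (Tunnel0 and Tunnel100 sourced from GigabitEthernet0/0/0, Tunnel200 from a separate interface), and the function names parse_tunnels, find_missing_shared and fix_commands are my own. It only implements the same-source rule the replies state; it does not try to judge whether the profiles themselves are correct.

```python
import re
from collections import defaultdict

# Constructed sample running-config (not from the thread). Tunnel0 has the
# "shared" keyword, Tunnel100 on the same source interface does not, and
# Tunnel200 is the only protected tunnel on its source, so it needs no "shared".
SAMPLE_CONFIG = """\
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 tunnel source GigabitEthernet0/0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile VPN-IPEC-P shared
!
interface Tunnel100
 ip address 10.1.0.1 255.255.255.0
 tunnel source GigabitEthernet0/0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile VPN-IPEC-P
!
interface Tunnel200
 ip address 10.2.0.1 255.255.255.0
 tunnel source GigabitEthernet0/0/1
 tunnel mode gre multipoint
 tunnel protection ipsec profile VPN-IPEC-P
!
"""

INTERFACE_RE = re.compile(r"^interface (Tunnel\S+)$")
SOURCE_RE = re.compile(r"^tunnel source (\S+)$")
PROTECTION_RE = re.compile(r"^tunnel protection ipsec profile (\S+)(\s+shared)?$")


def parse_tunnels(config):
    """Return {tunnel: {"source": ..., "profile": ..., "shared": bool}} for every
    Tunnel interface in an IOS-style config text."""
    tunnels = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            m = INTERFACE_RE.match(raw)
            current = m.group(1) if m else None  # ignore non-tunnel interfaces
            if current:
                tunnels[current] = {"source": None, "profile": None, "shared": False}
            continue
        if current is None or not raw.startswith(" "):
            current = None  # "!" or any top-level command ends the interface block
            continue
        cmd = raw.strip()
        m = SOURCE_RE.match(cmd)
        if m:
            tunnels[current]["source"] = m.group(1)
            continue
        m = PROTECTION_RE.match(cmd)
        if m:
            tunnels[current]["profile"] = m.group(1)
            tunnels[current]["shared"] = m.group(2) is not None
    return tunnels


def find_missing_shared(tunnels):
    """Names of IPsec-protected tunnels that share a tunnel source with another
    protected tunnel but lack the "shared" keyword (the rule from the thread)."""
    by_source = defaultdict(list)
    for name, t in tunnels.items():
        if t["source"] and t["profile"]:  # only protected tunnels take part
            by_source[t["source"]].append(name)
    offenders = []
    for names in by_source.values():
        if len(names) < 2:
            continue  # a lone tunnel on a source interface needs no sharing
        offenders.extend(n for n in names if not tunnels[n]["shared"])
    return sorted(offenders)


def fix_commands(tunnels, name):
    """CLI lines that re-apply the tunnel's profile with the "shared" keyword."""
    profile = tunnels[name]["profile"]
    return [f"interface {name}", f" tunnel protection ipsec profile {profile} shared"]


if __name__ == "__main__":
    parsed = parse_tunnels(SAMPLE_CONFIG)
    for name in find_missing_shared(parsed):
        print(f"{name}: shares {parsed[name]['source']} but lacks 'shared'; fix with:")
        print("\n".join(fix_commands(parsed, name)))
```

Feed it the output of show running-config and it reports Tunnel100 as the only offender in the sample; Tunnel200 is left alone because nothing else uses GigabitEthernet0/0/1. The match patterns are strict on purpose (no trailing text after the profile name other than shared), so a line the parser does not recognise is simply skipped rather than misread.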