05-19-2023 01:29 PM - edited 05-19-2023 01:30 PM
Hello.
INTENT: Implement correct DMVPN configs.
GIVEN: Hub has DMVPN instances Tu1 and Tu5. They use the same interface, g0/0.
At the hub I am using the same config line for both tunnels: "tunnel protection ipsec profile ENTERPRISE1 shared"
As instructed at the above link...
"Different IPsec profile names must be used for shared and unshared tunnels. For example, if "tunnel 1" is configured with the tunnel source loopback0 command, and "tunnel 2" and "tunnel 3" are shared using the tunnel source loopback1 command, then define IPsec_profile_1 for tunnel 1 and IPsec_profile_2 for tunnels 2 and 3."
Now, the spoke also uses both tunnels, but the spoke uses DIFFERENT interfaces for these tunnels (using different ISPs for redundancy). So the above instruction demands that I use a different IPsec profile.
QUESTIONS:
1. Are the DMVPN IPsec profiles only relevant to each router, or does each DMVPN IPsec profile affect its peer DMVPN routers?
2. If the transform sets are the same, can a hub use for Tu1 "tunnel protection ipsec profile ENTERPRISE-ONE shared", and its spoke use for Tu1 "tunnel protection ipsec profile ENTERPRISE-TWO"?
Thank you.
05-20-2023 02:29 PM
Hello @jmaxwellUSAF,
DMVPN IPsec profiles are only relevant to each individual router and do not directly affect its peer DMVPN routers. Each router in a DMVPN network has its own IPsec profile configuration, which defines the specific parameters for securing the IPsec tunnels on that router. The IPsec profiles are locally configured and applied to the individual router's interfaces participating in the DMVPN network. The IPsec profiles on one router do not impact or affect the IPsec configurations on other DMVPN routers.
As concerns question 2, if the transform sets are the same, it's generally recommended to use the same IPsec profile for the same tunnel interface between the hub and the spoke routers. Consistency in IPsec profile configurations ensures compatibility and proper functioning of the IPsec tunnels between the hub and the spoke. Using different IPsec profiles for the same tunnel interface can lead to configuration inconsistencies and potential issues with tunnel establishment and secure communication. It is best practice to maintain consistency in IPsec profiles across participating routers in a DMVPN network to ensure seamless and secure communication.
05-22-2023 08:09 AM
Thank you for your reply, MO2.
Your paragraph 1 is clear.
Paragraph 2 does not address my specific situation. As explained, it is not feasible to maintain the same "tunnel protection ipsec profile ENTERPRISE1 shared" on the spoke. Thus, may you or others let me know the answer to the below?
2. If the transform sets are the same for both IPsec profiles, can a hub soundly use for Tu1 "tunnel protection ipsec profile ENTERPRISE-ONE shared", and its spoke use for Tu1 "tunnel protection ipsec profile ENTERPRISE-TWO"?
Thank you.
05-22-2023 09:56 AM
@jmaxwellUSAF the name of the IPSec profile on the spokes does not need to match the name of the IPSec profile on the hubs; however, general settings like these are usually named consistently. The most important thing is that the IPSec profile must reference a transform set and IKE profile which match the peers in regard to the crypto settings etc. So to answer your question, yes.
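To make the answer above concrete, here is an added example configuration (not from the original thread or any of its participants) for the scenario in the question: the hub sources Tu1 and Tu5 from the same g0/0 and so needs one profile with the "shared" keyword, while the spoke sources each tunnel from a different interface and uses two unshared profiles with different names. What has to agree between hub and spoke is the transform set and the IKE profile parameters, not the profile name. IKEv2, the proposal/transform-set/keyring names, the 192.0.2.0/24 and 10.x.0.0/24 addresses and the pre-shared-key placeholder are all assumptions made for this example; substitute your own values.

```cisco
!===== HUB (assumed example, not the poster's config) =====
! Shared IKEv2 and IPsec crypto parameters; these are what must match the spoke
crypto ikev2 proposal IKEV2-PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 policy IKEV2-POL
 proposal IKEV2-PROP
!
crypto ikev2 keyring DMVPN-KEYRING
 peer ANY
  address 0.0.0.0 0.0.0.0
  pre-shared-key <PSK-PLACEHOLDER>
!
crypto ikev2 profile DMVPN-IKEV2-PROFILE
 match identity remote address 0.0.0.0
 authentication remote pre-share
 authentication local pre-share
 keyring local DMVPN-KEYRING
!
crypto ipsec transform-set TS-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode transport
!
! One profile for both tunnels, because both use the same tunnel source
crypto ipsec profile ENTERPRISE1
 set transform-set TS-AES256-SHA256
 set ikev2-profile DMVPN-IKEV2-PROFILE
!
interface Tunnel1
 ip address 10.1.0.1 255.255.255.0
 ip nhrp network-id 1
 ip nhrp map multicast dynamic
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile ENTERPRISE1 shared
!
interface Tunnel5
 ip address 10.5.0.1 255.255.255.0
 ip nhrp network-id 5
 ip nhrp map multicast dynamic
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 5
 tunnel protection ipsec profile ENTERPRISE1 shared

!===== SPOKE (assumed example) =====
! Same IKEv2 proposal/policy/keyring/profile and transform set as the hub
! (repeat the crypto ikev2 ... and transform-set lines from the hub here)
!
! Two profile names, neither shared, each on a tunnel with its own source.
! Both reference the SAME transform set and IKEv2 profile as the hub's ENTERPRISE1.
crypto ipsec profile ENTERPRISE-ONE
 set transform-set TS-AES256-SHA256
 set ikev2-profile DMVPN-IKEV2-PROFILE
!
crypto ipsec profile ENTERPRISE-TWO
 set transform-set TS-AES256-SHA256
 set ikev2-profile DMVPN-IKEV2-PROFILE
!
interface Tunnel1
 ip address 10.1.0.2 255.255.255.0
 ip nhrp network-id 1
 ip nhrp nhs 10.1.0.1 nbma 192.0.2.1 multicast
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile ENTERPRISE-ONE
!
interface Tunnel5
 ip address 10.5.0.2 255.255.255.0
 ip nhrp network-id 5
 ip nhrp nhs 10.5.0.1 nbma 192.0.2.1 multicast
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel key 5
 tunnel protection ipsec profile ENTERPRISE-TWO
```

Two points worth checking in your own build: the "tunnel key" values must match per tunnel between hub and spoke, since with both mGRE tunnels sharing g0/0 on the hub the key is what lets GRE demultiplex traffic into Tu1 versus Tu5, and the hub's NBMA address (192.0.2.1 here) is the same for both spoke tunnels, which is exactly the case the "shared" keyword exists for. After bringing it up, "show crypto ikev2 sa" and "show crypto ipsec sa" on both sides should show matching transform and IKE parameters regardless of the differing profile names.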
05-22-2023 10:40 AM - edited 05-22-2023 11:48 AM
The shared keyword is used when one side uses two tunnels with the same tunnel source.
See the lab below.
The crypto map tag (profile name + number of the tunnel; in DMVPN you can use one tunnel to connect to the hub and the spokes)
and local add (the local address is the tunnel source shared between two or more tunnels).
BUT how does IPsec know whether this is for this tunnel or that tunnel?
The local ident is the same for any tunnel sharing the same source,
but the remote ident is different; each points to a different IP.
05-22-2023 11:47 AM
NOTE:
The crypto map tag does not increase with each entry under it. I tested it: there is ONLY one profile, called mhm-head-1, used for the connection to the hub and the other spokes.
Thanks
MHM