DMVPN use of "# tunnel protection ipsec profile [name] [shared]"

Hello.

INTENT: Implement correct DMVPN configs.

https://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_dmvpn/configuration/15-2mt/sec-conn-dmvpn-share-ipsec-w-tun-protect.html#GUID-2B448241-FD10-4F3B-BFF8-DFD44982D235

GIVEN: Hub has DMVPN instances Tu1, and Tu5. They use the same interface g0/0.

At the hub I am using the same config line for both tunnels: "tunnel protection ipsec profile ENTERPRISE1 shared"

As instructed at the above link...
"Different IPsec profile names must be used for shared and unshared tunnels. For example, if "tunnel 1" is configured with the tunnel source loopback0 command, and "tunnel 2" and "tunnel 3" are shared using the tunnel source loopback1 command, then define IPsec_profile_1 for tunnel 1 and IPsec_profile_2 for tunnels 2 and 3."

Now, the spoke also uses both tunnels, but the spoke uses DIFFERENT interfaces for these tunnels (using different ISPs for redundancy). So the above instruction demands that I use a different IPsec profile.


QUESTIONS:

1. Are the DMVPN IPsec profiles only relevant to each router, or does each DMVPN IPsec profile affect its peer DMVPN routers?
2. If the transform sets are the same, can a hub use for Tu1 "tunnel protection ipsec profile ENTERPRISE-ONE shared", and its spoke use for Tu1 "tunnel protection ipsec profile ENTERPRISE-TWO"?

Thank you.


5 Replies

M02@rt37
VIP

Hello @jmaxwellUSAF,

DMVPN IPsec profiles are only relevant to each individual router and do not directly affect its peer DMVPN routers. Each router in a DMVPN network has its own IPsec profile configuration, which defines the specific parameters for securing the IPsec tunnels on that router. The IPsec profiles are locally configured and applied to the individual router's interfaces participating in the DMVPN network. The IPsec profiles on one router do not impact or affect the IPsec configurations on other DMVPN routers.

As concerns question 2, if the transform sets are the same, it's generally recommended to use the same IPsec profile for the same tunnel interface between the hub and the spoke routers. Consistency in IPsec profile configurations ensures compatibility and proper functioning of the IPsec tunnels between the hub and the spoke. Using different IPsec profiles for the same tunnel interface can lead to configuration inconsistencies and potential issues with tunnel establishment and secure communication. It is best practice to maintain consistency in IPsec profiles across participating routers in a DMVPN network to ensure seamless and secure communication.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

Thank you for your reply, M02.

Your paragraph 1 is clear.

Paragraph 2 does not address my specific situation. As explained, it is not feasible to maintain the same "tunnel protection ipsec profile ENTERPRISE1 shared" on the spoke. Thus, could you or others let me know the answer to the question below?

2. If the transform sets are the same for both IPsec profiles, can a hub soundly use for Tu1 "tunnel protection ipsec profile ENTERPRISE-ONE shared", and its spoke use for Tu1 "tunnel protection ipsec profile ENTERPRISE-TWO"?

Thank you.

@jmaxwellUSAF the name of the IPSec profile on the spokes does not need to match the name of the IPSec profile on the hubs, however general settings like these are usually named consistently. The most important thing is the IPSec profile must reference a transform set and IKE profile which matches the peers in regard to the crypto settings etc. So to answer your question, yes.

The shared keyword is used when one side uses two tunnels with the same tunnel source.
In the lab below:
The crypto map tag (profile name + tunnel number; in DMVPN you can use one tunnel to connect to the hub and spokes)
and local addr (the local address is the tunnel source shared between two or more tunnels).
BUT how does IPsec know whether this is for this tunnel or that tunnel?
The local ident is the same for any tunnel sharing the same source,
but the remote ident is different; each points to a different IP.

[Screenshots: Screenshot (466).png, Screenshot (467).png]

NOTE: the crypto map tag does not increase with each entry under it. In my test there is ONLY one profile called mhm-head-1 used for the connection to the hub and the other spokes.
Thanks
MHM
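As an added example (not from this thread, and not Cisco code), the Python script below turns the two points made in the replies above into a check that can be run against a pair of configs: the accepted reply's point that the IPsec profile name on the spoke need not match the hub's as long as the transform set and IKE settings the profiles reference agree, and MHM's point that the shared keyword belongs on tunnels that use the same tunnel source. The two embedded configs are constructed to mirror the question's topology (hub Tu1 and Tu5 both sourced from Gi0/0 with one shared profile; spoke Tu1 and Tu5 on two different ISP-facing interfaces with unshared profiles). The names ENTERPRISE-ONE and ENTERPRISE-TWO come from the question; ENTERPRISE-THREE, TS-AES256, TS-BRANCH and IKEV2-PROP are made up. The IKE comparison is a simplification: it compares each router's crypto ikev2 proposal blocks directly instead of following the ikev2 profile and policy binding that IOS actually uses, and the tunnel stanzas omit the tunnel mode, NHRP and ikev2-profile lines a real DMVPN tunnel needs, because they are not what the check is about.

```python
import re

# Constructed hub config (assumption: mirrors the thread's topology, not a real device).
HUB_CFG = """\
crypto ikev2 proposal IKEV2-PROP
 encryption aes-cbc-256
 integrity sha256
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile ENTERPRISE-ONE
 set transform-set TS-AES256
interface Tunnel1
 tunnel source GigabitEthernet0/0
 tunnel protection ipsec profile ENTERPRISE-ONE shared
interface Tunnel5
 tunnel source GigabitEthernet0/0
 tunnel protection ipsec profile ENTERPRISE-ONE shared
"""

# Constructed spoke config: two ISP-facing sources, unshared profiles with other names.
SPOKE_CFG = """\
crypto ikev2 proposal IKEV2-PROP
 encryption aes-cbc-256
 integrity sha256
crypto ipsec transform-set TS-BRANCH esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile ENTERPRISE-TWO
 set transform-set TS-BRANCH
crypto ipsec profile ENTERPRISE-THREE
 set transform-set TS-BRANCH
interface Tunnel1
 tunnel source GigabitEthernet0/0
 tunnel protection ipsec profile ENTERPRISE-TWO
interface Tunnel5
 tunnel source GigabitEthernet0/1
 tunnel protection ipsec profile ENTERPRISE-THREE
"""

def parse_sections(cfg):
    """Split IOS-style config into {top-level line: [indented sub-lines]}."""
    sections, current = {}, None
    for line in cfg.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" ") and current is not None:
            sections[current].append(line.strip())
        else:
            current = line.strip()
            sections[current] = []
    return sections

def tunnel_protection(sections):
    """Return {tunnel name: (tunnel source, ipsec profile name, shared flag)}."""
    tunnels = {}
    for header, body in sections.items():
        if header.startswith("interface Tunnel"):
            src = next(l.split(None, 2)[2] for l in body if l.startswith("tunnel source "))
            m = next(re.fullmatch(r"tunnel protection ipsec profile (\S+)( shared)?", l)
                     for l in body if l.startswith("tunnel protection "))
            tunnels[header.split()[1]] = (src, m.group(1), m.group(2) is not None)
    return tunnels

def profile_crypto(sections, profile):
    """What the peer must agree on: transform-set algorithms and mode, plus the router's
    IKEv2 proposals. Profile and transform-set names are left out: they are local."""
    body = sections[f"crypto ipsec profile {profile}"]
    ts_name = next(l.split()[2] for l in body if l.startswith("set transform-set "))
    ts_header = next(h for h in sections if h.startswith(f"crypto ipsec transform-set {ts_name} "))
    ts_mode = next((l for l in sections[ts_header] if l.startswith("mode ")), "mode tunnel")
    proposals = frozenset(frozenset(b) for h, b in sections.items()
                          if h.startswith("crypto ikev2 proposal "))
    return (tuple(ts_header.split()[4:]), ts_mode, proposals)

def shared_keyword_errors(tunnels):
    """'shared' is required exactly when another tunnel on this router uses the same
    source, and one profile must not be used both shared and unshared (per the guide)."""
    by_source, by_profile, errors = {}, {}, []
    for name, (src, profile, shared) in tunnels.items():
        by_source.setdefault(src, []).append(name)
        by_profile.setdefault(profile, set()).add(shared)
    for name, (src, profile, shared) in sorted(tunnels.items()):
        if len(by_source[src]) > 1 and not shared:
            errors.append(f"{name}: {src} is used by {by_source[src]}; '{profile}' needs 'shared'")
        elif shared and len(by_source[src]) == 1:
            errors.append(f"{name}: 'shared' set but {src} is used by this tunnel only")
        if len(by_profile[profile]) > 1:
            errors.append(f"{name}: profile '{profile}' is used both shared and unshared")
    return errors

def check_peers(hub_cfg, spoke_cfg):
    """Per-tunnel crypto agreement between hub and spoke, plus each side's 'shared' errors."""
    hub, spoke = parse_sections(hub_cfg), parse_sections(spoke_cfg)
    hub_t, spoke_t = tunnel_protection(hub), tunnel_protection(spoke)
    return {"crypto_agrees": {t: profile_crypto(hub, hub_t[t][1]) == profile_crypto(spoke, spoke_t[t][1])
                              for t in hub_t if t in spoke_t},
            "hub_shared_errors": shared_keyword_errors(hub_t),
            "spoke_shared_errors": shared_keyword_errors(spoke_t)}
```

Running check_peers(HUB_CFG, SPOKE_CFG) reports both tunnels' crypto as agreeing and no shared-keyword errors on either side, even though no profile or transform-set name matches between the two routers. Changing the spoke's transform set to esp-aes 128 makes both tunnels disagree, and dropping shared from one of the hub's two Gi0/0 tunnels is reported as an error on the hub, which is the mis-configuration the quoted Cisco guide warns about.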