02-17-2015 05:49 AM - edited 02-21-2020 08:05 PM
Dear All,
I am trying to build two IPsec tunnels from a spoke to two different hubs with overlapping interesting traffic, as follows:
1. The major subnet (1.1.1.0/25) is assigned to Tunnel_1, while the more specific subnet (1.1.1.2/32) is assigned to Tunnel_2.
Extended IP access list TUNNEL_1
20 permit ip host 2.2.2.2 1.1.1.0 0.0.0.127 (35 matches)
Extended IP access list TUNNEL_2
10 permit ip host 2.2.2.2 host 1.1.1.2 (41 matches)
2. There is a static route configured on the spoke with the major network (1.1.1.0/25) as destination towards Tunnel 1, while another one is configured on the spoke with the more specific route (1.1.1.2/32) as destination towards Tunnel 2.
During testing I found the following results:
1. When I trigger IPsec Tunnel_1 by using the ping command with destination IP address "1.1.1.1", which is part of the interesting traffic of Tunnel_1 only, tunnel 1 comes up, which is normal.
2. However, when I tried to trigger only IPsec Tunnel_2 using the ping command with destination IP address "1.1.1.2", which is part of the interesting traffic for both tunnels, tunnel 1 goes down while tunnel 2 doesn't come up.
Please advise if this is normal for the second test, and how I can use overlapping interesting traffic on two IPsec tunnels on the same spoke.
Thanks
02-17-2015 10:54 PM
Is it a crypto map based tunnel or one with a tunnel interface? Share the configuration.
02-18-2015 02:26 AM
Hi Raja,
The crypto map is applied under the interface.
The configurations on the spoke for both tunnels are as below:
General
============
crypto ipsec transform-set PHASE2_TRANSFORM_SET esp-des esp-sha-hmac
!
crypto isakmp policy 5
encr 3des
hash md5
authentication pre-share
group 2
!
Tunnel 1
==========
crypto keyring TUNNEL_1
pre-shared-key address 200.200.200.1 key CISCO
!
crypto isakmp profile TUNNEL_1
description match to isakmp policy-5
keyring TUNNEL_1
match identity address 200.200.200.1 255.255.255.255
!
crypto map TEST 1 ipsec-isakmp
set peer 200.200.200.1
set security-association lifetime seconds 28800
set transform-set PHASE2_TRANSFORM_SET
set pfs group2
set isakmp-profile TUNNEL_1
match address TUNNEL_1
!
Extended IP access list TUNNEL_1
20 permit ip host 2.2.2.2 1.1.1.0 0.0.0.127 (35 matches)
!
interface FastEthernet0/1
ip address 200.200.200.2 255.255.255.252
speed auto
duplex auto
crypto map TEST
!
Tunnel 2
=============
crypto keyring TUNNEL_2
pre-shared-key address 100.100.100.1 key CISCO
!
crypto isakmp profile TUNNEL_2
description match to isakmp policy-5
keyring TUNNEL_2
match identity address 100.100.100.1 255.255.255.255
!
crypto map TEST 2 ipsec-isakmp
set peer 100.100.100.1
set security-association lifetime seconds 28800
set transform-set PHASE2_TRANSFORM_SET
set pfs group2
set isakmp-profile TUNNEL_2
match address TUNNEL_2
!
Extended IP access list TUNNEL_2
10 permit ip host 2.2.2.2 host 1.1.1.2 (41 matches)
!
interface GigabitEthernet1/0
ip address 100.100.100.2 255.255.255.252
negotiation auto
crypto map TEST
05-25-2016 08:35 AM
A year too late, but I had this issue as well. I needed to create two VPN tunnels to different endpoints. The original tunnel had a /17 network on the other end, and the new one had a /24 that was a subset of the /17. I was unable to get the 2nd tunnel to come up at all; it kept putting the traffic into the first tunnel. Eventually, I changed the order of the crypto maps so that the /24 had a higher priority. Then both tunnels worked fine. This only worked because, although the first tunnel had a /17, the /24 in the 2nd tunnel was unused in the first one.
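As an added illustration (not code from the thread or from Cisco), the following Python emulates how IOS walks the entries of one crypto map: ascending sequence number, first crypto ACL match wins, so a more specific entry placed after a broader one is never reached. It rebuilds the two entries from the config in the second post, shows why 1.1.1.2 lands in Tunnel 1 as posted and in Tunnel 2 once the sequence numbers are swapped as the last reply describes, and flags any entry whose ACL is fully covered by an earlier one. The wildcard-to-prefix conversion assumes contiguous wildcard masks.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    """One 'permit ip <src> <wc> <dst> <wc>' line of a crypto ACL."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


@dataclass(frozen=True)
class CryptoMapEntry:
    seq: int               # crypto map TEST <seq> ipsec-isakmp
    peer: str              # set peer
    acl: Tuple[Ace, ...]   # match address


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS address/wildcard -> network. Assumes a contiguous wildcard (as on this page)."""
    hostbits = int(ipaddress.IPv4Address(wildcard))
    if hostbits & (hostbits + 1):
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported")
    return ipaddress.IPv4Network((addr, 32 - hostbits.bit_length()), strict=False)


def select_entry(crypto_map, src: str, dst: str) -> Optional[CryptoMapEntry]:
    """IOS evaluation: lowest sequence number first, first permitting ACL wins."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for entry in sorted(crypto_map, key=lambda e: e.seq):
        if any(s in ace.src and d in ace.dst for ace in entry.acl):
            return entry
    return None


def shadowed_entries(crypto_map) -> List[Tuple[int, int]]:
    """(shadowed_seq, shadowing_seq) pairs: every ACE covered by an earlier entry."""
    ordered = sorted(crypto_map, key=lambda e: e.seq)
    out = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if all(any(a.src.subnet_of(b.src) and a.dst.subnet_of(b.dst)
                       for b in earlier.acl) for a in later.acl):
                out.append((later.seq, earlier.seq))
                break
    return out


# Crypto ACLs exactly as posted in the thread.
ACL_TUNNEL_1 = (Ace(wildcard_to_network("2.2.2.2", "0.0.0.0"), wildcard_to_network("1.1.1.0", "0.0.0.127")),)
ACL_TUNNEL_2 = (Ace(wildcard_to_network("2.2.2.2", "0.0.0.0"), wildcard_to_network("1.1.1.2", "0.0.0.0")),)
# As posted: the /25 entry has the lower sequence number and shadows the /32 entry.
AS_POSTED = (CryptoMapEntry(1, "200.200.200.1", ACL_TUNNEL_1), CryptoMapEntry(2, "100.100.100.1", ACL_TUNNEL_2))
# The fix from the last reply: give the more specific entry the lower sequence number.
REORDERED = (CryptoMapEntry(1, "100.100.100.1", ACL_TUNNEL_2), CryptoMapEntry(2, "200.200.200.1", ACL_TUNNEL_1))
```

Running `shadowed_entries(AS_POSTED)` returns `[(2, 1)]`, which is the configuration check to run before touching the router; after the reorder it returns an empty list and 1.1.1.2 selects peer 100.100.100.1.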