IPSEC VPN overlapping interesting traffic

amr mubarak
Level 1

Dear All,

I am trying to build two IPsec tunnels from a spoke to two different hubs with overlapping interesting traffic, as follows:

1. The major subnet (1.1.1.0/25) is assigned to Tunnel_1, while the more specific subnet (1.1.1.2/32) is assigned to Tunnel_2:

Extended IP access list TUNNEL_1
    20 permit ip host 2.2.2.2 1.1.1.0 0.0.0.127 (35 matches)
Extended IP access list TUNNEL_2
    10 permit ip host 2.2.2.2 host 1.1.1.2 (41 matches)


2. There is a static route configured on the spoke for the major network (1.1.1.0/25) towards Tunnel 1, and another one for the more specific network (1.1.1.2/32) towards Tunnel 2.

During testing I found the following results:

1. When I trigger IPsec Tunnel_1 by pinging destination IP address 1.1.1.1, which is only part of the interesting traffic of Tunnel_1, Tunnel_1 comes up, which is normal.
2. However, when I try to trigger only IPsec Tunnel_2 by pinging destination IP address 1.1.1.2, which is part of the interesting traffic for both tunnels, Tunnel_1 goes down while Tunnel_2 doesn't come up.

Please advise if this is normal for the second test, and how I can use overlapping interesting traffic on two IPsec tunnels on the same spoke.

Thanks

3 Replies

Raja Periyasamy
Level 1

Is it a crypto map based tunnel or one with a tunnel interface? Share the configuration.

Hi Raja,

The crypto map is applied under the interface.

The configuration on the spoke for both tunnels is as below:

General
============
crypto ipsec transform-set PHASE2_TRANSFORM_SET esp-des esp-sha-hmac
!
crypto isakmp policy 5
 encr 3des
 hash md5
 authentication pre-share
 group 2
!


Tunnel 1
==========
crypto keyring TUNNEL_1
  pre-shared-key address 200.200.200.1 key CISCO
!
crypto isakmp profile TUNNEL_1
   description match to isakmp policy-5
   keyring TUNNEL_1
   match identity address 200.200.200.1 255.255.255.255
!
crypto map TEST 1 ipsec-isakmp
 set peer 200.200.200.1
 set security-association lifetime seconds 28800
 set transform-set PHASE2_TRANSFORM_SET
 set pfs group2
 set isakmp-profile TUNNEL_1
 match address TUNNEL_1
!
Extended IP access list TUNNEL_1
    20 permit ip host 2.2.2.2 1.1.1.0 0.0.0.127 (35 matches)
!
interface FastEthernet0/1
 ip address 200.200.200.2 255.255.255.252
 speed auto
 duplex auto
 crypto map TEST
!


Tunnel 2
=============

crypto keyring TUNNEL_2
  pre-shared-key address 100.100.100.1 key CISCO
!

crypto isakmp profile TUNNEL_2
   description match to isakmp policy-5
   keyring TUNNEL_2
   match identity address 100.100.100.1 255.255.255.255
!
crypto map TEST 2 ipsec-isakmp
 set peer 100.100.100.1
 set security-association lifetime seconds 28800
 set transform-set PHASE2_TRANSFORM_SET
 set pfs group2
 set isakmp-profile TUNNEL_2
 match address TUNNEL_2
!
Extended IP access list TUNNEL_2
    10 permit ip host 2.2.2.2 host 1.1.1.2 (41 matches)
!
interface GigabitEthernet1/0
 ip address 100.100.100.2 255.255.255.252
 negotiation auto
 crypto map TEST

Steve Talbert
Level 1

A year too late, but I had this issue as well. I needed to create two VPN tunnels to different endpoints. The original tunnel had a /17 network on the other end, and the new one had a /24 that was a subset of the /17. I was unable to get the 2nd tunnel to come up at all; it kept putting the traffic into the first tunnel. Eventually, I changed the order of the crypto maps so that the /24 had a higher priority. Then both tunnels worked fine. This only worked because, although the first tunnel had a /17, the /24 in the 2nd tunnel was unused in the first one.
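The behaviour in the question and the fix in the last reply both follow from how IOS evaluates a single crypto map: the entries are tried in ascending sequence number and the first ACL hit wins, exactly like a first-match access list. In the posted configuration the /25 entry at `crypto map TEST 1` therefore claims a packet to 1.1.1.2 before the /32 entry at `crypto map TEST 2` is ever consulted, so Tunnel_2 can never be triggered. The Python below is an added example (it is not from the thread and not Cisco code) that models that first-match walk over the crypto map posted above, flags the shadowed entry, and shows the reordering; the entry/ACL model, the function names and the renumbering to 10/20 are assumptions made for illustration.

```python
"""Model of Cisco IOS crypto map evaluation: first match, ascending sequence number.

Added example, not from the original thread. The crypto map and ACLs below are
constructed from the configuration posted in the question.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    """One `permit ip <src> <dst>` line of the ACL referenced by `match address`."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def matches(self, src_ip, dst_ip):
        return src_ip in self.src and dst_ip in self.dst

    def covers(self, other):
        """True if every packet matched by `other` is also matched by this entry."""
        return other.src.subnet_of(self.src) and other.dst.subnet_of(self.dst)


@dataclass(frozen=True)
class CryptoMapEntry:
    """One `crypto map <name> <seq> ipsec-isakmp` entry (hypothetical model)."""
    seq: int
    name: str
    peer: str
    acl: tuple  # AclEntry objects, evaluated like `match address <acl>`


def net(cidr):
    return ipaddress.ip_network(cidr)


# Constructed from the poster's config: seq 1 -> TUNNEL_1 (/25), seq 2 -> TUNNEL_2 (/32)
CRYPTO_MAP_AS_POSTED = (
    CryptoMapEntry(1, "TUNNEL_1", "200.200.200.1",
                   (AclEntry(net("2.2.2.2/32"), net("1.1.1.0/25")),)),
    CryptoMapEntry(2, "TUNNEL_2", "100.100.100.1",
                   (AclEntry(net("2.2.2.2/32"), net("1.1.1.2/32")),)),
)


def select_entry(crypto_map, src_ip, dst_ip):
    """Return the entry IOS would use for a packet, or None if nothing matches.

    IOS walks the entries of one crypto map in ascending sequence number and stops
    at the first ACL hit; a later, more specific entry is never reached.
    """
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for entry in sorted(crypto_map, key=lambda e: e.seq):
        if any(ace.matches(src, dst) for ace in entry.acl):
            return entry
    return None


def shadowed_entries(crypto_map):
    """Lint: (shadowed_seq, shadowing_seq) pairs where every ACE of a later entry is
    fully covered by some ACE of an earlier entry, so the later entry can never match."""
    ordered = sorted(crypto_map, key=lambda e: e.seq)
    found = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if all(any(e_ace.covers(l_ace) for e_ace in earlier.acl) for l_ace in later.acl):
                found.append((later.seq, earlier.seq))
                break
    return found


def reorder_most_specific_first(crypto_map):
    """Return a renumbered copy (seq 10, 20, ...) with the entry whose destination ACE
    has the longest prefix first: the fix described in the last reply."""
    def specificity(entry):
        return -max(ace.dst.prefixlen for ace in entry.acl)  # longest prefix sorts first
    ordered = sorted(crypto_map, key=specificity)
    return tuple(CryptoMapEntry(10 * (i + 1), e.name, e.peer, e.acl)
                 for i, e in enumerate(ordered))


if __name__ == "__main__":
    for dst in ("1.1.1.1", "1.1.1.2"):
        e = select_entry(CRYPTO_MAP_AS_POSTED, "2.2.2.2", dst)
        print(f"as posted:  {dst} -> seq {e.seq} {e.name} (peer {e.peer})")
    print("shadowed as posted:", shadowed_entries(CRYPTO_MAP_AS_POSTED))
    fixed = reorder_most_specific_first(CRYPTO_MAP_AS_POSTED)
    for dst in ("1.1.1.1", "1.1.1.2"):
        e = select_entry(fixed, "2.2.2.2", dst)
        print(f"reordered:  {dst} -> seq {e.seq} {e.name} (peer {e.peer})")
    print("shadowed after reorder:", shadowed_entries(fixed))
```

On IOS the equivalent change is to give the host ACL entry the lower sequence number (for example `crypto map TEST 1` for TUNNEL_2 and `crypto map TEST 2` for TUNNEL_1); the `shadowed_entries` check is the review to run before adding any entry whose interesting traffic sits entirely inside an earlier entry's ACL. Independent of the ordering problem, the posted policy negotiates DES/3DES, MD5 and DH group 2, all of which are deprecated; reordering the crypto map does not change that.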