02-17-2015 05:49 AM - edited 02-21-2020 08:05 PM
Dear All ,
I am trying to build two IPsec tunnels from a spoke to two different hubs with overlapping interesting traffic, as follows:
1. The major subnet (1.1.1.0/25) is assigned towards Tunnel_1, while the more specific subnet (1.1.1.2/32) is assigned towards Tunnel_2:
Extended IP access list TUNNEL_1
20 permit ip host 2.2.2.2 1.1.1.0 0.0.0.127 (35 matches)
Extended IP access list TUNNEL_2
10 permit ip host 2.2.2.2 host 1.1.1.2 (41 matches)
2. There is a static route configured on the spoke with the major network (1.1.1.0/25) as destination towards Tunnel 1, while another one is configured on the spoke with the more specific route (1.1.1.2/32) as destination towards Tunnel 2.
During testing I found the following results:
1. When I trigger IPsec Tunnel_1 using a ping command with destination IP address "1.1.1.1", which is part of the interesting traffic of Tunnel_1 only, Tunnel 1 comes up, which is normal.
2. However, when I tried to trigger only IPsec Tunnel_2 using a ping command with destination IP address "1.1.1.2", which is part of the interesting traffic for both tunnels, Tunnel 1 goes down while Tunnel 2 doesn't come up.
Please advise if this is normal for the second test and how I can use overlapping interesting traffic on two IPsec tunnels on the same spoke.
Thanks
02-17-2015 10:54 PM
Is it a crypto map based tunnel or one with a tunnel interface? Share the configuration.
02-18-2015 02:26 AM
Hi Raja ,
The crypto map is applied under the interface.
The configurations on the spoke for both tunnels are as below:
General
============
crypto ipsec transform-set PHASE2_TRANSFORM_SET esp-des esp-sha-hmac
!
crypto isakmp policy 5
encr 3des
hash md5
authentication pre-share
group 2
!
Tunnel 1
==========
crypto keyring TUNNEL_1
pre-shared-key address 200.200.200.1 key CISCO
!
crypto isakmp profile TUNNEL_1
description match to isakmp policy-5
keyring TUNNEL_1
match identity address 200.200.200.1 255.255.255.255
!
crypto map TEST 1 ipsec-isakmp
set peer 200.200.200.1
set security-association lifetime seconds 28800
set transform-set PHASE2_TRANSFORM_SET
set pfs group2
set isakmp-profile TUNNEL_1
match address TUNNEL_1
!
Extended IP access list TUNNEL_1
20 permit ip host 2.2.2.2 1.1.1.0 0.0.0.127 (35 matches)
!
interface FastEthernet0/1
ip address 200.200.200.2 255.255.255.252
speed auto
duplex auto
crypto map TEST
!
Tunnel 2
=============
crypto keyring TUNNEL_2
pre-shared-key address 100.100.100.1 key CISCO
!
crypto isakmp profile TUNNEL_2
description match to isakmp policy-5
keyring TUNNEL_2
match identity address 100.100.100.1 255.255.255.255
!
crypto map TEST 2 ipsec-isakmp
set peer 100.100.100.1
set security-association lifetime seconds 28800
set transform-set PHASE2_TRANSFORM_SET
set pfs group2
set isakmp-profile TUNNEL_2
match address TUNNEL_2
!
Extended IP access list TUNNEL_2
10 permit ip host 2.2.2.2 host 1.1.1.2 (41 matches)
!
interface GigabitEthernet1/0
ip address 100.100.100.2 255.255.255.252
negotiation auto
crypto map TEST
05-25-2016 08:35 AM
A year too late, but I had this issue as well. I needed to create two VPN tunnels to different endpoints. The original tunnel had a /17 network on the other end, and the new one had a /24 that was a subset of the /17. I was unable to get the 2nd tunnel to come up at all; it kept putting the traffic into the first tunnel. Eventually, I changed the order of the crypto maps, so that the /24 had a higher priority. Then both tunnels worked fine. This only worked because, although the first tunnel had a /17, the /24 in the 2nd tunnel was unused in the first one.
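As an added illustration (not posted by anyone in this thread), the following Python models how IOS walks crypto map entries in sequence order and stops at the first "match address" hit, using the ACLs from the thread. It models only the ACL selection step, not IKE negotiation or proxy-ID checking, and the entry tuples are constructed from the configuration above.

```python
import ipaddress

# Constructed crypto map entries modelled on the thread's configuration:
# (sequence number, entry name, ACE from the entry's 'match address' ACL).
ORIGINAL_MAP = [
    (1, "TUNNEL_1", "permit ip host 2.2.2.2 1.1.1.0 0.0.0.127"),  # the /25
    (2, "TUNNEL_2", "permit ip host 2.2.2.2 host 1.1.1.2"),       # the /32
]
# Same entries with the more specific /32 moved to the lower sequence number,
# which is what the 2016 reply describes doing with its /24 and /17.
REORDERED_MAP = [
    (1, "TUNNEL_2", "permit ip host 2.2.2.2 host 1.1.1.2"),
    (2, "TUNNEL_1", "permit ip host 2.2.2.2 1.1.1.0 0.0.0.127"),
]

def parse_ace(ace):
    """Parse an IOS extended ACE 'permit ip <src> <dst>' into (src_net, dst_net).
    Endpoints are 'host A.B.C.D' or 'A.B.C.D WILDCARD' (inverse mask, e.g. 0.0.0.127)."""
    tokens = ace.split()
    if tokens[:2] != ["permit", "ip"]:
        raise ValueError("only 'permit ip' ACEs are modelled here")
    nets, i = [], 2
    while len(nets) < 2:
        if tokens[i] == "host":
            nets.append(ipaddress.ip_network(tokens[i + 1] + "/32"))
        else:
            wildcard = int(ipaddress.ip_address(tokens[i + 1]))
            if wildcard & (wildcard + 1):  # only contiguous low-order bits supported
                raise ValueError("non-contiguous wildcard masks are not modelled")
            prefix_len = 32 - wildcard.bit_length()  # 0.0.0.127 -> /25, 0.0.0.0 -> /32
            nets.append(ipaddress.ip_network(f"{tokens[i]}/{prefix_len}", strict=False))
        i += 2
    return nets[0], nets[1]

def select_tunnel(crypto_map, src, dst):
    """Return the name of the lowest-sequence entry whose ACL permits src -> dst
    (IOS stops at the first match), or None if the packet would leave unencrypted."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _seq, name, ace in sorted(crypto_map):
        src_net, dst_net = parse_ace(ace)
        if s in src_net and d in dst_net:
            return name
    return None

if __name__ == "__main__":
    for label, cmap in (("original", ORIGINAL_MAP), ("reordered", REORDERED_MAP)):
        for dst in ("1.1.1.1", "1.1.1.2"):
            print(f"{label}: 2.2.2.2 -> {dst} selects {select_tunnel(cmap, '2.2.2.2', dst)}")
```

With the original ordering, 2.2.2.2 -> 1.1.1.2 is claimed by TUNNEL_1's /25 entry and TUNNEL_2 is never consulted; with the /32 at the lower sequence number both destinations land in the intended entry.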