Multiple DMVPN Tunnels, Single HUB/WAN

aeroliteflyer
Level 1

Hello all. I have been searching Cisco docs and threads but can't find a clear answer to my specific scenario. Basically, can I have multiple tunnels, with different IPSec profiles, on a single DMVPN hub utilize the same WAN interface & IP? My scenario is a hub/spoke DMVPN setup, single router and single WAN IP. I want to migrate new end points or ones I replace routers on to a higher encryption standard and switch to a strong shared secret for NHRP and ISAKMP along with EIGRP authentication. I don't want to affect current end points. So, I thought the best way would be to create a separate ISAKMP policy, IPSec profile and a second tunnel interface. The new tunnel will utilize a separate mGRE network of course. The second tunnel will point to the same interface that the old tunnel is currently using, with the same external IP. Thank you for any inputs.

Chris

3 Replies

Philip D'Ath
VIP Alumni

You can have lots of mGRE tunnel interfaces.  You need a unique "tunnel key" for each one, so the router can tell which traffic is for which tunnel, and for iWAN/DMVPN you also want a unique "ip nhrp network-id" for each tunnel.

You can have all the same crypto profiles.

interface tunnel x
ip nhrp network-id xx
tunnel key xx

Thanks for the reply. What if I want separate ISAKMP and IPSec profiles for the new tunnel, in addition to the network ID and tunnel key? I read about IPSec shared, but I don't really want to share the IPSec profile, and it is completely ok for traffic to come back to the hub to route back down while transitioning.

80% likely you will be fine.  Perhaps this might be a good time to transition from IKEv1 to IKEv2, if you have not already.  Then it is very separate.
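
An added example, not part of the thread or any poster's configuration: a small Python check that applies the rule from the first reply (a unique tunnel key and ip nhrp network-id per tunnel) to tunnels that share one tunnel source. The sample hub configuration, interface names and function names are constructed for illustration.

```python
import re

# Constructed sample hub config (not from the thread): three tunnels, one WAN source.
SAMPLE_CONFIG = """\
interface Tunnel0
 ip nhrp network-id 100
 tunnel source GigabitEthernet0/0
 tunnel key 100
!
interface Tunnel1
 ip nhrp network-id 100
 tunnel source GigabitEthernet0/0
 tunnel key 200
!
interface Tunnel2
 ip nhrp network-id 300
 tunnel source GigabitEthernet0/0
"""

FIELD_RX = re.compile(r"^\s+(tunnel source|tunnel key|ip nhrp network-id)\s+(\S+)")

def parse_tunnels(config):
    """Return {tunnel name: {command: value}} for each Tunnel interface stanza."""
    tunnels, current = {}, None
    for line in config.splitlines():
        head = re.match(r"^interface\s+(Tunnel\d+)\s*$", line, re.I)
        if head:
            current = tunnels.setdefault(head.group(1), {})
        elif not line.startswith(" "):
            current = None  # any unindented line ends the stanza
        elif current is not None and (m := FIELD_RX.match(line)):
            current[m.group(1)] = m.group(2)
    return tunnels

def find_conflicts(config):
    """Flag tunnels sharing a tunnel source whose key or network-id is missing or reused."""
    by_source, findings = {}, []
    for name, cmds in parse_tunnels(config).items():
        by_source.setdefault(cmds.get("tunnel source"), []).append((name, cmds))
    for source, group in by_source.items():
        for field in ("tunnel key", "ip nhrp network-id"):
            seen = {}
            # Only groups of two or more tunnels on a known source are checked.
            for name, cmds in (group if source and len(group) > 1 else []):
                if (value := cmds.get(field)) is None:
                    findings.append(f"{name}: no '{field}' but shares {source}")
                elif value in seen:
                    findings.append(f"{name}: '{field} {value}' already on {seen[value]}")
                seen.setdefault(value, name)
    return findings
```

Calling `find_conflicts()` on a saved running configuration before adding the second tunnel lists every tunnel that would collide on the shared WAN interface.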