04-05-2016 07:02 PM - edited 02-21-2020 08:45 PM
Hello all. I have been searching Cisco docs and threads but can't find a clear answer to my specific scenario. Basically, can I have multiple tunnels, with different IPSec profiles, on a single DMVPN hub utilize the same WAN interface & IP? My scenario is a hub/spoke DMVPN setup, single router and single WAN IP. I want to migrate new end points or ones I replace routers on to a higher encryption standard and switch to a strong shared secret for NHRP and ISAKMP along with EIGRP authentication. I don't want to affect current end points. So, I thought the best way would be to create a separate ISAKMP policy, IPSec profile and a second tunnel interface. The new tunnel will utilize a separate mGRE network of course. The second tunnel will point to the same interface that the old tunnel is currently using, with the same external IP. Thank you for any inputs.
Chris
04-05-2016 07:54 PM
You can have lots of mGRE tunnel interfaces. You need a unique "tunnel key" for each one, so the router can tell which traffic is for which tunnel, and for iWAN/DMVPN you also want a unique "ip nhrp network-id" for each tunnel.
You can have all the same crypto profiles.
interface tunnel x
ip nhrp network-id xx
tunnel key xx
04-06-2016 05:44 AM
Thanks for the reply. What if I want separate ISAKMP and IPSec profiles for the new tunnel, in addition to the network ID and tunnel key? I read about IPSec shared, but I don't really want to share the IPSec profile, and it is completely ok for traffic to come back to the hub to route back down while transitioning.
04-06-2016 12:22 PM
80% likely you will be fine. Perhaps this might be a good time to transition from IKEv1 to IKEv2, if you have not already. Then it is very separate.
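Worked hub configuration for the migration discussed in this thread, as an added example that is not part of any of the posts above. It keeps the existing IKEv1 tunnel untouched and adds a second mGRE tunnel on the same WAN interface and address, with its own tunnel key, NHRP network-id, IKEv2 profile, AES-GCM transform set, NHRP authentication string and EIGRP key chain. Interface names, addresses, profile names, EIGRP AS number and the key strings are placeholders I chose for illustration; replace them with your own. Because both tunnels use the same tunnel source, each tunnel protection line carries the shared keyword, which IOS requires in that case.

```cisco
! ===== Existing tunnel: IKEv1, left exactly as current spokes expect =====
crypto isakmp policy 10
 encr aes
 hash sha
 authentication pre-share
 group 2
! placeholder PSK; the real one stays whatever the old spokes already use
crypto isakmp key OLD-PSK-PLACEHOLDER address 0.0.0.0 0.0.0.0
crypto ipsec transform-set TS-OLD esp-aes esp-sha-hmac
 mode transport
crypto ipsec profile IPSEC-OLD
 set transform-set TS-OLD

! ===== New tunnel: IKEv2 with a separate proposal, keyring and profile =====
crypto ikev2 proposal PROP-NEW
 encryption aes-gcm-256
 prf sha512
 group 19
crypto ikev2 policy POL-NEW
 proposal PROP-NEW
crypto ikev2 keyring KR-NEW
 peer ANY-SPOKE
  address 0.0.0.0 0.0.0.0
  pre-shared-key NEW-STRONG-PSK-PLACEHOLDER
crypto ikev2 profile IKEV2-NEW
 match identity remote address 0.0.0.0
 authentication local pre-share
 authentication remote pre-share
 keyring local KR-NEW
crypto ipsec transform-set TS-NEW esp-gcm 256
 mode transport
crypto ipsec profile IPSEC-NEW
 set transform-set TS-NEW
 set ikev2-profile IKEV2-NEW

! EIGRP authentication for the new overlay (classic mode: MD5 key chain)
key chain EIGRP-NEW
 key 1
  key-string NEW-EIGRP-KEY-PLACEHOLDER

! ===== Old mGRE tunnel: only the shared keyword is new here =====
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ip nhrp authentication oldkey
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile IPSEC-OLD shared

! ===== New mGRE tunnel: same source interface, different key/network-id =====
interface Tunnel1
 ip address 10.0.1.1 255.255.255.0
 no ip redirects
 ip nhrp authentication n3wKey8
 ip nhrp map multicast dynamic
 ip nhrp network-id 2
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 EIGRP-NEW
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 2
 tunnel protection ipsec profile IPSEC-NEW shared

router eigrp 100
 network 10.0.0.0 0.0.1.255
```

Two caveats worth checking before relying on this. First, ip nhrp authentication accepts at most 8 characters and is carried in the NHRP packet itself, so treat it as a network-id sanity check rather than a secret; the real protection of NHRP and EIGRP traffic comes from the IPsec profile on the tunnel. Second, with a shared tunnel source the IPsec SA for a given spoke is keyed on the peer address and GRE, so a spoke can be on one tunnel or the other but not on both with different profiles, and some IOS releases document that tunnels sharing a source must also share an IPsec profile; confirm on your platform with show dmvpn detail and show crypto ipsec sa that old spokes negotiate under IPSEC-OLD and migrated spokes under IPSEC-NEW (IKEv2) before cutting over more sites.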