Showing results for 
Search instead for 
Did you mean: 

Multiple IPSEC tunnels between 2 end devices

I have a scenario where we need to establish multiple IPSEC tunnels between 2 devices of which One is Cisco ASR(IPSEC initiator).

In the scenario attached, ASR has multiple VRFs and we want to create IPSEC tunnel for each VRF and the other end is the same VIP. Because of this we are considering to use Certificates instead of PSK.

One certificate(Will be using different CN) will be used for each tunnel which will help in identifying which tunnel is from which VRF(Customer).

I'm thinking of VRF aware IPSEC should work in this scenario. But my concern is If ASR public interface does the NATing and what will happen to the Source PORTs(500/4500). I understand when there are multiple flows with same source port, NAT will change the Source PORT number and maintain in its table. Please help me in confirming/'with configs' If this scenario works or there are any better way to do it.

PS: F5 load balancer in our topology can only look into Layer 3 & 4 headers. I have multiple IPSEC terminators and I need load balalncing. So assuming Source PORT will be different for each tunnel initiated from ASR.


If the NAT occurs on the public interface and the tunnels are originated from the public interface NAT will not occur on the tunnel itself, only on the tunnel passengers.

IPsec (to my knowledge) allows only one ISAKMP/IKEv2 SA between two IPs. I can't think of a solution, having two ISAKMP/IKEv2 SAs in parallel between to IPs. GRE could support that by configuring a tunnel-ID but ISAKMP/IKEv2 doesn't support this.

In my eyes the cleanest solution would be to use VTIs on the ASR and associate each tunnel interface with a vrf. Specify a loopback as a tunnel source so the ISAKMP/IKEv2 SAs have distinctive IPs and use tunnel-mode IPsec with a tunnel protection profile.

Draw-back: you would need at least one additional public address If one of the VTIs uses the public interface IP and the other uses a loopback as a tunnel source.

My 2 cents, hope it helps a little.

Rgds, MiKa

Recognize Your Peers
Content for Community-Ad