Multiple IPSec tunnels between the same IP addresses

peter.matuska1
Level 1

Hi,

There is an IKEv2 IPSec tunnel using VTI between a router and an ASA. All works well. Now, a device which creates an IPSec tunnel to the same ASA (using a dynamic crypto map on the ASA) is connected to the LAN behind this router. The VTI IPSec works but the crypto map IPSec doesn't. In the "show crypto ipsec sa peer <ip address>" output I can see the following: in use settings ={L2L, Tunnel, PFS Group 24, IKEv2, VTI, } for the VTI IPSec, and in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 24, IKEv2, VTI, } for the dynamic crypto map IPSec (notice the VTI for both of them, which is not correct). When I shut down the VTI and clear the session, the crypto map IPSec starts to work because it doesn't use the VTI anymore: in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 5, IKEv2, }. Then I enable the VTI and it works as well. But this is only a temporary solution. Is there anything to fix this? I can't use the VTI tunnel for all traffic towards the ASA. Two tunnels are needed.

thank you

5 Replies

You want two VTIs: one for the edge router, the other from the router behind the edge router, and both VTIs toward the same ASA?

Hi, the device in the LAN doesn't support VTI, so a crypto map is the only way. So the edge router uses VTI and the router behind it has to use a crypto map. And I want them to work at the same time (both of them create a VPN to the same ASA).

understood, I will check solution and share here. 

I tried yesterday and failed, but I think I found the solution: the trick is in the route through the VTI and the traffic hitting the ACL of the IPSec.

Hi,

I am routing 10.42.0.0/16 via VTI (on the ASA) and 10.0.0.0/8 on the router

and the dynamic crypto map has these subnets:

10.0.0.0/8 (behind the ASA) <->10.32.1.1/32 (behind the router)

10.0.0.0/8 (behind the ASA) <->10.32.2.0/28 (behind the router)
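As an added illustration (not code from this thread), a small check for the point raised in the replies: any prefix routed into the VTI is handed to the VTI before a crypto-map ACL is consulted, so a crypto-map selector that overlaps such a route is shadowed. It uses the ASA-side prefixes from the post above; the function name `shadowed_selectors` and the second, deliberately wrong route set are assumptions.

```python
# Added illustration: flag crypto-map traffic selectors that are shadowed by
# prefixes routed into a VTI on the same device. The ASA values below are taken
# from the thread; the "wrong" route set is constructed to show the failure mode.
from ipaddress import ip_network
from typing import Iterable


def shadowed_selectors(vti_routes: Iterable[str],
                       crypto_map_selectors: Iterable[tuple[str, str]]
                       ) -> list[tuple[str, str, str]]:
    """Return (local, remote, vti_prefix) for every crypto-map entry whose
    remote selector overlaps a prefix routed through the VTI.

    Traffic matching a VTI route never reaches the crypto-map ACL, so such an
    entry cannot bring up (or keep) its own SA while the VTI is up.
    """
    routes = [ip_network(r) for r in vti_routes]
    hits: list[tuple[str, str, str]] = []
    for local, remote in crypto_map_selectors:
        remote_net = ip_network(remote)
        for route in routes:
            if remote_net.overlaps(route):
                hits.append((local, remote, str(route)))
    return hits


# ASA side as described in the thread: only 10.42.0.0/16 is routed via the VTI,
# and the dynamic crypto map covers the two networks behind the router.
ASA_VTI_ROUTES = ["10.42.0.0/16"]
ASA_CRYPTO_MAP = [("10.0.0.0/8", "10.32.1.1/32"),
                  ("10.0.0.0/8", "10.32.2.0/28")]

# Constructed counter-example: if the ASA instead routed all of 10.32.0.0/16
# into the VTI, both crypto-map entries would be shadowed.
BAD_VTI_ROUTES = ["10.32.0.0/16"]

if __name__ == "__main__":
    print("ASA, as posted:", shadowed_selectors(ASA_VTI_ROUTES, ASA_CRYPTO_MAP))
    print("ASA, bad route:", shadowed_selectors(BAD_VTI_ROUTES, ASA_CRYPTO_MAP))
```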