11-05-2020 10:28 AM
I was always wondering what "shared" means in the tunnel interface config "tunnel protection ipsec profile myProfile shared". Now I have this scenario and I am wondering if it is what it is for.
I am building two tunnels, 11 and 12, between the two routers with the same source and destination addresses for the tunnel termination. It is a GRE over IPsec tunnel. The two tunnels are in their own VRFs with different internal /30 addresses. Is this possible? I will use a tunnel key to separate the tunnels. Here is the example config. Both tunnels share the same ISAKMP policy, preshared key and IPsec profile.
interface Tunnel11
 vrf forwarding vrf1
 ip address 10.0.0.1 255.255.255.252
 ip tcp adjust-mss 1360
 tunnel source 1.2.3.4
 tunnel destination 4.3.2.1
 tunnel key 11
 tunnel protection ipsec profile Same-IPSec-Profile shared
!
interface Tunnel12
 vrf forwarding vrf2
 ip address 10.0.0.1 255.255.255.252
 ip tcp adjust-mss 1360
 tunnel source 1.2.3.4
 tunnel destination 4.3.2.1
 tunnel key 12
 tunnel protection ipsec profile Same-IPSec-Profile shared
I don't have the network ready yet so I can't test this. I am just seeking advice at this moment.
Thanks,
Difan
11-05-2020 10:37 AM
Two tunnels,
different in their IP address,
different in their destination,
same in their source,
need shared for the IPsec profile.
11-05-2020 01:33 PM
Thanks MHM. In my case, they are all P2P tunnels. I have only one public IP so I can't have a different IP for the tunnel destination. And I think you only need the "shared" profile if your destination is the same.
11-05-2020 02:20 PM
The peer has one public IP and connects to two peers.
We want tunnels to both peers with different tunnel destinations. That is OK,
but the other side is the issue:
the IPsec proxy is defined from the local and remote IP addresses,
so since they have different destinations, that will cause a flip.
We use shared in the spoke of DMVPN, where we have dual hubs and we want to connect to them as backup and primary. Here we use a shared IPsec profile, BUT this is used in two tunnels toward two different hubs using the same source and tunnel destination multipoint GRE.
Here we use IPsec and it will not flip.
11-06-2020 06:42 AM
I depend on this example for many cases I see in DMVPN.
11-05-2020 10:39 AM
Hi @Difan Zhao
"All tunnels with the same tunnel source interface must use the same IPsec profile and must have the tunnel protection shared command configured. The only exception is a scenario when there are only peer-to-peer (P2P) GRE tunnel interfaces configured with the same tunnel source in the system, all with unique tunnel destination IP addresses."
"The tunnel protection ipsec profile shared command is used to create a single IPsec SADB for all the tunnel interfaces that use the same profile and tunnel source interface. This configuration allows a single IPsec SA to be used for all GRE tunnels (same tunnel source and destination, but different tunnel keys) between two endpoints of the same type. The tunnel protection ipsec profile shared command also makes IPsec QM processing unambiguous because there is one SADB to process the incoming IPsec QM request for all shared tunnel interfaces as opposed to multiple SADBs (one for each tunnel interface when not shared)."
HTH
11-05-2020 01:37 PM
Hi Rob, thanks for the details. I just tried in my VIRL lab and I proved that it must be with an interface as the tunnel source instead of an IP to use this feature.
I also tried with a different IPsec profile with just a different name but with essentially the same config (e.g. the same key for the same destination IP, the same transform-set setting, just a different name, ...); the tunnels would flap up/down due to a conflict between the two tunnels.
So, is it possible to still use the "tunnel source x.x.x.x" with the IP, but somehow use the shared profile or any other feature to build the two tunnels?
Thanks!
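Putting the two findings together (the doc text Rob quoted and Difan's VIRL test), here is an added example configuration of one side, written for this thread rather than taken from any post in it, with both tunnels sourced from the same physical interface so that one shared IPsec SADB carries both and the tunnel key tells them apart. The interface name GigabitEthernet0/0 (holding 1.2.3.4), the VRF names, the inner /30s, the crypto parameters and the PSK placeholder are all assumptions.

```cisco
! Added example, not from the thread. Interface, VRF, address and
! key values are placeholders; replace them for a real deployment.
!
! IKEv1 policy and PSK shared by both tunnels (one peer, one key).
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-PSK address 4.3.2.1
!
! Transport mode: GRE already adds the outer header, so no extra
! tunnel-mode IP header is needed.
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile Same-IPSec-Profile
 set transform-set TS
!
! Both tunnels name the same *interface* as their source (not the
! bare IP), use the same destination, and differ only by tunnel key
! and VRF. "shared" gives them one SADB instead of one per tunnel.
interface Tunnel11
 vrf forwarding vrf1
 ip address 10.0.0.1 255.255.255.252
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 4.3.2.1
 tunnel key 11
 tunnel protection ipsec profile Same-IPSec-Profile shared
!
interface Tunnel12
 vrf forwarding vrf2
 ip address 10.0.1.1 255.255.255.252
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 4.3.2.1
 tunnel key 12
 tunnel protection ipsec profile Same-IPSec-Profile shared
```

The far end mirrors this with source and destination swapped and the same tunnel key on each matching tunnel; after both come up, "show crypto ipsec sa" should show the single SA pair for 1.2.3.4/4.3.2.1 that the quoted doc describes, rather than two competing ones.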
11-05-2020 01:47 PM
Can you define 2 loopback interfaces and use them to peer with? That would distinguish between the 2 individual tunnels.
11-06-2020 08:04 AM
Hi Rob, could you elaborate more? I can create loopbacks but they will have private addresses. Can they be used for peering over the Internet? If so, could you send me an example config? Thanks!
11-06-2020 09:38 AM - edited 11-06-2020 09:39 AM
No, I was referring to public IP addresses... I hadn't seen your post above replying to the other comment about you having only 1 public IP address.
What identity are you sending to identify each tunnel? You'd obviously not be able to match on IP address.
11-06-2020 01:25 PM
Hi Rob, I am using the address as the identity. Is it possible to use something else like a name for the identity? Will that allow me to use different IPSec profiles for the tunnels that use the same IP for the tunnel termination? Thanks.