
Two GRE over IPsec tunnels with the same local and remote addresses

Difan Zhao
Level 5

I was always wondering what "shared" means in the tunnel interface config "tunnel protection ipsec profile myProfile shared". Now I have this scenario and I am wondering if it is what it is for.

I am building two tunnels 11 and 12 between the two routers with the same source and destination addresses for the tunnel termination. It is a GRE over IPsec tunnel. The two tunnels are in their own VRF with different internal /30 addresses. Is this possible? I will use a tunnel key to separate the tunnels. Here is the example config. Both tunnels share the same ISAKMP policy and preshared key and IPsec profile.

interface Tunnel11
 vrf forwarding vrf1
 ip address 10.0.0.1 255.255.255.252
 ip tcp adjust-mss 1360
 tunnel source 1.2.3.4
 tunnel destination 4.3.2.1
 tunnel key 11
 tunnel protection ipsec profile Same-IPSec-Profile shared
!
interface Tunnel12
 vrf forwarding vrf2
 ip address 10.0.0.1 255.255.255.252
 ip tcp adjust-mss 1360
 tunnel source 1.2.3.4
 tunnel destination 4.3.2.1
 tunnel key 12
 tunnel protection ipsec profile Same-IPSec-Profile shared

I don't have the network ready yet so I can't test this. I am just seeking advice at this moment. 

Thanks,

Difan

10 Replies

Two tunnels:
different in their IP address
different in their destination
same in their source
need shared for the IPsec profile.

Thanks MHM. In my case, they are all P2P tunnels. I have only one public IP so I can't have a different IP for the tunnel destination. And I think you only need the "shared" profile if your destination is the same.

Peer has one public IP, connecting to two peers.

We want tunnels to both peers with different tunnel destinations. That is OK,

but the other side is the issue:

the IPsec proxy is defined from the local and remote IP addresses,

so since they are different destinations, that will cause a flip.

We use shared in the spoke of DMVPN, where we have dual hubs and we want to connect to them as primary and backup. Here we use the shared IPsec profile, BUT this is used in two tunnels toward two different hubs using the same source and a multipoint GRE tunnel destination.

Here we use IPsec and it will not flip.

Hi @Difan Zhao 

"All tunnels with the same tunnel source interface must use the same IPsec profile and must have the tunnel protection shared command configured. The only exception is a scenario when there are only peer-to-peer (P2P) GRE tunnel interfaces configured with the same tunnel source in the system, all with unique tunnel destination IP addresses."

"The tunnel protection ipsec profile shared command is used to create a single IPsec SADB for all the tunnel interfaces that use the same profile and tunnel source interface. This configuration allows a single IPsec SA to be used for all GRE tunnels (same tunnel source and destination, but different tunnel keys) between two endpoints of the same type. The tunnel protection ipsec profile shared command also makes IPsec QM processing unambiguous because there is one SADB to process the incoming IPsec QM request for all shared tunnel interfaces as opposed to multiple SADBs (one for each tunnel interface when not shared)."

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_dmvpn/configuration/xe-16/sec-conn-dmvpn-xe-16-book/sec-conn-dmvpn-share-ipsec-w-tun-protect.html

HTH

Hi Rob, thanks for the details. I just tried in my VIRL lab and I proved that it must be with the source of an interface instead of an IP to use this feature.

I also tried with a different IPsec profile with just a different name but with essentially the same config (e.g. same key for the same destination IP, same transform-set setting but just a different name, ...); the tunnels would flap up/down due to a conflict between the two tunnels.

So, is it possible to still use the "tunnel source x.x.x.x" with the IP, but somehow use the shared profile or any other feature to build the two tunnels?

Thanks!
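The following is an added example config (not posted by anyone in this thread) laid out along the lines of Difan's lab finding and the Cisco document Rob quoted: the tunnel source is an interface rather than the IP address, both tunnels use the one IPsec profile with the shared keyword, and only the GRE key separates them. The interface name GigabitEthernet0/0, the ISAKMP/IPsec parameters, the PSK placeholder and the second /30 address are assumptions.

```cisco
! Assumed: the single public address 1.2.3.4 is configured on GigabitEthernet0/0.
! ISAKMP/IPsec parameters below are illustrative, not taken from the original post.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key EXAMPLE-PSK-REPLACE-ME address 4.3.2.1
!
crypto ipsec transform-set TS-AES-SHA esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile Same-IPSec-Profile
 set transform-set TS-AES-SHA
!
! Both tunnels: same source INTERFACE, same destination, same profile with
! 'shared', distinguished only by the GRE key. Per the document quoted above,
! every tunnel that shares a source interface must use one profile with 'shared',
! so one IPsec SADB (and one SA pair to 4.3.2.1) carries both GRE tunnels.
interface Tunnel11
 description vrf1, GRE key 11
 vrf forwarding vrf1
 ip address 10.0.0.1 255.255.255.252
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 4.3.2.1
 tunnel key 11
 tunnel protection ipsec profile Same-IPSec-Profile shared
!
interface Tunnel12
 description vrf2, GRE key 12
 vrf forwarding vrf2
 ip address 10.0.0.5 255.255.255.252
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 4.3.2.1
 tunnel key 12
 tunnel protection ipsec profile Same-IPSec-Profile shared
!
! Verify: 'show crypto session detail' should list one session to 4.3.2.1, and
! 'show crypto ipsec sa' one SA pair, while both Tunnel11 and Tunnel12 stay up.
```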

Can you define 2 loopback interfaces and use them to peer with? That would distinguish between the 2 individual tunnels.

Hi Rob, could you elaborate more? I can create loopbacks but they will have private addresses. Can they be used for peering over the Internet? If so, could you send me an example config? Thanks!

No, I was referring to public IP addresses. I'd not seen your post above replying to the other comment about you having only 1 public IP address.

What identity are you sending to identify each tunnel? You'd obviously not be able to match on IP address.

Hi Rob, I am using the address as the identity. Is it possible to use something else like a name for the identity? Will that allow me to use different IPSec profiles for the tunnels that use the same IP for the tunnel termination? Thanks.