01-12-2016 04:23 PM - edited 02-21-2020 08:37 PM
Hi All,
I have an internet facing router that I need to run vrf aware ipsec. I will have primary and secondary tunnels to remote end. I will be using public ip addresses on the loopbacks to source traffic. They will be peering BGP over the tunnels. Please advise on attached configs. I don't have the option to run VTI currently with the remote client.
Thanks in Advance
01-12-2016 05:03 PM
You are using pre-shared keys based on IP addresses, so get rid of:
crypto isakmp identity hostname
You don't need to use loopbacks. You can make the tunnel source the outside IP address (in the "internet" vrf). Then just add a "tunnel key x" on each tunnel, where "x" uniquely identifies the tunnel.
01-14-2016 08:34 AM
Thanks Phillip. And if you want to scale up for multiple connections/ipsec terminations, if you have a crypto map on the outside interface you can just keep adding multiple crypto maps with sequential numbering. Then you'd need to build out separate isakmp profiles and you could also add tunnel keys per tunnel?
01-14-2016 12:43 PM
Yes to adding in sequentially numbered access lists.
Probably not for isakmp profile. Just add more keys to your keyring, and more "match" clauses.
Yes to using unique tunnel keys.
Try and move to VTI as soon as you can. Much less time involved setting up and supporting it.
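A check for the points made in the replies above, as an added example that is not part of the thread or of any poster's configuration: it scans an IOS configuration for `crypto isakmp identity hostname` alongside address-based pre-shared keys, tunnel destinations with no keyring entry or `match identity address` clause, and tunnel keys that are missing or reused. The sample configuration, its names and its addresses are constructed, and the `audit` function is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample config: placeholder names, documentation-range addresses.
SAMPLE = """\
crypto isakmp identity hostname
crypto keyring KR-INTERNET vrf internet
 pre-shared-key address 198.51.100.10 key PLACEHOLDER
crypto isakmp profile IKE-REMOTE
 match identity address 198.51.100.10 255.255.255.255 internet
interface Tunnel1
 tunnel destination 198.51.100.10
 tunnel key 1
interface Tunnel2
 tunnel destination 198.51.100.20
 tunnel key 1
"""

def audit(config):
    """Return a list of findings for the points raised in the thread."""
    findings, tunnels, name = [], {}, None
    psk_peers = set(re.findall(r"^ +pre-shared-key address (\S+)", config, re.M))
    matched = set(re.findall(r"^ +match identity address (\S+)", config, re.M))
    for line in config.splitlines():
        if not line.startswith(" "):           # a new top-level block starts
            m = re.match(r"interface (Tunnel\d+)", line)
            name = m.group(1) if m else None
            if name:
                tunnels[name] = {}
        elif name:                             # sub-command of a Tunnel interface
            m = re.match(r" +tunnel (destination|key) (\S+)", line)
            if m:
                tunnels[name][m.group(1)] = m.group(2)
    if psk_peers and re.search(r"^crypto isakmp identity hostname", config, re.M):
        findings.append("identity hostname set while pre-shared keys are address-based")
    by_key = defaultdict(list)
    for name, t in tunnels.items():
        by_key[t.get("key")].append(name)
        dst = t.get("destination")
        if dst not in psk_peers:
            findings.append(f"{name}: no pre-shared-key for {dst}")
        if dst not in matched:
            findings.append(f"{name}: no match identity address for {dst}")
    for key, names in by_key.items():
        if key is None:
            findings += [f"{n}: no tunnel key" for n in names]
        elif len(names) > 1:
            findings.append(f"tunnel key {key} reused by {', '.join(names)}")
    return findings
```

Running `audit(SAMPLE)` reports the global identity setting, the missing keyring and match entries for the second peer, and the shared tunnel key.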