different VPN types, same interface

Unanswered Question
Dec 3rd, 2009

I have a single multiaccess-style interface from the SP on the central site and have multiple spokes. Multipoint GRE DMVPN is configured. The DMVPN binding goes to the tunnel interface (just like this: http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008014bcd7.shtml ). For some reason, can I use the physical interface to form a standard GRE over IPsec VPN using another tunnel interface? But in GRE over IPsec the crypto map will also apply to the physical interface; would it disturb the other VPN (DMVPN) going through it? Here I mention a separate tunnel interface because I need to mention the source and destination IP for GRE to the specific spoke.

How about a virtual tunnel interface (http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gtIPSctm.html )?

Thanks for your urgent response.

The tunnels would be something like this:



!--- This is the first tunnel for DMVPN 
interface Tunnel0
ip address
no ip redirects
ip mtu 1440
ip nhrp authentication cisco123
ip nhrp map multicast dynamic
ip nhrp network-id 1
no ip split-horizon eigrp 90
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 0
tunnel protection ipsec profile cisco
!--- This is the outbound interface. Both encrypted tunnels use this interface.
interface FastEthernet0/0
ip address
duplex auto
speed auto
!--- This is the second tunnel.
interface Tunnel1
 ip address
 tunnel source FastEthernet0/0
 tunnel destination xx.xx.xx.xx
 tunnel mode IPsec ipv4
 tunnel protection IPsec profile VTI


Message was edited by: ciscohamid

Laurent Aubert Fri, 12/04/2009 - 06:14


There is no reason why it shouldn't work, but avoid using crypto-map on the physical interface to keep your configuration simple and consistent.

VTI or encrypted GRE tunnel are both fine but my personal choice goes to VTI.



fbriski10 Mon, 02/01/2010 - 00:13


What can I do if I have one interface facing the internet and it needs to be the tunnel source for VTI, and at the same time I should apply a crypto map because that router is an Easy VPN server? For example, is this configuration possible:

interface fastethernet 0/0
 ip address x.x.x.x
 crypto map VPN

interface tunnel 0
 ip address y.y.y.y
 tunnel source fastethernet 0/0
 tunnel destination z.z.z.z
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN_TO_BR

crypto ipsec transform-set VPN_TS esp-3des esp-sha-hmac

crypto ipsec profile VPN_TO_BR
 set transform-set VPN_TS

crypto map VPN
 match address 101
 set transform-set VPN_TS
Laurent Aubert Mon, 02/01/2010 - 06:47


It should work. To avoid any overlapping, be sure that your crypto ACL doesn't include your VTI tunnel addresses, and tune your routing protocols so your EZVPN client addresses are never reachable from the tunnel.

One restriction is you can't have the same IPSec peer configured with both VTI and crypto-map.
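
The two conditions in the reply above, as an added Python check that is not part of the original thread: it flags a VTI tunnel destination that is also a crypto map peer, and a crypto ACL whose source or destination range covers a VTI interface subnet. The sample config and its addresses are constructed, reading "VTI tunnel addresses" as the tunnel interface subnet is an assumption, and only the indented `show running-config` layout and `permit <proto> <src> <wildcard> <dst> <wildcard>` ACL entries are parsed.

```python
import ipaddress

# Constructed sample in "show running-config" layout (documentation addresses).
SAMPLE = """\
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.9
 match address 101
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel destination 203.0.113.9
 tunnel mode ipsec ipv4
access-list 101 permit ip 10.0.0.0 0.255.255.255 192.168.50.0 0.0.0.255
"""

def _net(addr, wildcard):
    # IOS ACLs carry wildcard masks; invert to a netmask (contiguous masks only).
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def audit(config):
    """Flag a VTI peer reused in a crypto map, and crypto ACLs covering a VTI subnet."""
    kind, cur, vtis, peers, acl_ids, acls = None, None, {}, set(), set(), {}
    for line in filter(str.strip, config.splitlines()):
        w = line.split()
        if not line[0].isspace():  # an unindented command opens a new block
            kind = "crypto map" if w[:2] == ["crypto", "map"] else w[0]
            if kind == "interface":
                name = "".join(w[1:])  # accepts "Tunnel0" and "tunnel 0"
                cur = vtis.setdefault(name, {}) if name.lower().startswith("tunnel") else None
            elif kind == "access-list" and len(w) == 8 and w[2] == "permit":
                acls.setdefault(w[1], []).extend([_net(w[4], w[5]), _net(w[6], w[7])])
        elif kind == "crypto map" and w[:2] == ["set", "peer"]:
            peers.add(w[2])
        elif kind == "crypto map" and w[:2] == ["match", "address"]:
            acl_ids.add(w[2])
        elif kind == "interface" and cur is not None:
            cur[" ".join(w[:2]).lower()] = w[2:]  # "tunnel mode" -> ["ipsec", "ipv4"]
    findings = []
    for name, t in vtis.items():
        if [x.lower() for x in t.get("tunnel mode", [])] != ["ipsec", "ipv4"]:
            continue  # not a VTI (for example plain or multipoint GRE)
        dest, addr = (t.get("tunnel destination") or [None])[0], t.get("ip address", [])
        if dest in peers:
            findings.append(f"{name}: peer {dest} is also a crypto map peer")
        net = ipaddress.ip_interface("/".join(addr[:2])).network if len(addr) >= 2 else None
        for acl in sorted(acl_ids):
            if net is not None and any(n.overlaps(net) for n in acls.get(acl, [])):
                findings.append(f"{name}: crypto ACL {acl} covers tunnel subnet {net}")
    return findings
```

Calling `audit(SAMPLE)` reports both conditions for `Tunnel0`; a config that passes returns an empty list.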



