
different VPN types, same interface

ciscohamid
Level 1

I have a single multiaccess-style interface on the central site from the SP and have multiple spokes. Multipoint GRE DMVPN is configured. The DMVPN binding goes to the tunnel interface (just like this: http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008014bcd7.shtml ). For some reason, can I use the physical interface to form a standard GRE over IPSEC VPN using another tunnel interface? But in GRE over IPSEC the crypto map will also apply to the physical interface; would it disturb the other VPN (DMVPN) going through it? Here I mention a separate tunnel interface because I need to mention the source and destination IP for GRE to the specific spoke.

How about a Virtual Tunnel Interface (http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gtIPSctm.html )?

Thanks for your urgent response.

The tunnels would be something like this

========================================

 
!--- This is the first tunnel, for DMVPN.

interface Tunnel0
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 ip mtu 1440
 ip nhrp authentication cisco123
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 no ip split-horizon eigrp 90
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 0
 tunnel protection ipsec profile cisco
!

!--- This is the outbound interface. Both encrypted tunnels use this interface.

interface FastEthernet0/0
 ip address 209.168.202.225 255.255.255.224
 duplex auto
 speed auto
!

!--- This is the second tunnel.

interface Tunnel1
 ip address 10.0.51.203 255.255.255.0
 tunnel source FastEthernet0/0
 tunnel destination xx.xx.xx.xx
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
!

===================================================

Message was edited by: ciscohamid

3 Replies

Laurent Aubert
Cisco Employee

Hi,

There is no reason why it shouldn't work, but avoid using crypto-map on the physical interface to keep your configuration simple and consistent.

VTI or encrypted GRE tunnel are both fine but my personal choice goes to VTI.

HTH

Laurent.

Hello.

What can I do if I have one interface facing the internet and it needs to be the tunnel source for VTI, and at the same time I should apply a crypto map because that router is an Easy VPN server? For example, is this configuration possible:

interface fastethernet 0/0
 ip address x.x.x.x
 crypto map VPN
!
!
interface tunnel 0
 ip address y.y.y.y
 tunnel source fastethernet 0/0
 tunnel destination z.z.z.z
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN_TO_BR
!
crypto ipsec transform-set VPN_TS esp-3des esp-sha-hmac
!
crypto ipsec profile VPN_TO_BR
 set transform-set VPN_TS
!
crypto map VPN
 match address 101
 set transform-set VPN_TS

Hi,

It should work. To avoid any overlapping be sure that your crypto ACL doesn't include your VTI tunnel addresses and tune your routing protocols so your EZVPN client addresses are never reachable from the tunnel.

One restriction is you can't have the same IPSec peer configured with both VTI and crypto-map.

HTH

Laurent.
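
The two conditions from the reply above (the crypto ACL must not cover the VTI tunnel addresses, and one IPsec peer must not be configured under both a VTI and a crypto map) can be checked against a saved configuration. This is an added Python example, not part of the original thread: the names `audit` and `wildcard_net` and the sample configuration are constructed for illustration. It assumes numbered extended ACLs with contiguous wildcard masks, static `set peer` entries, and reads "tunnel addresses" as the tunnel interface subnet.

```python
import ipaddress

# Constructed sample config (not from the thread): peer 198.51.100.7 sits behind
# both a VTI and a crypto map, and crypto ACL 101 covers the VTI subnet.
SAMPLE = """\
interface Tunnel0
 ip address 10.0.51.1 255.255.255.0
 tunnel destination 198.51.100.7
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN_TO_BR
!
crypto map VPN 10 ipsec-isakmp
 set peer 198.51.100.7
 match address 101
!
access-list 101 permit ip 10.0.0.0 0.255.255.255 192.168.50.0 0.0.0.255
"""

def wildcard_net(addr, wildcard):
    """Turn an IOS 'address wildcard' pair into an ip_network (contiguous masks only)."""
    mask = ipaddress.ip_address(int(ipaddress.ip_address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def audit(config):
    """Return (peers on both VTI and crypto map, (ACL, VTI subnet) overlaps)."""
    tunnels, cmap_peers, cmap_acls, acls, block = {}, set(), set(), {}, ""
    for line in config.splitlines():
        w = line.lower().split()
        if not line.startswith(" "):             # top-level command opens a new block
            block = line.strip().lower()
            if w[:1] == ["access-list"] and w[2:4] == ["permit", "ip"] and len(w) == 8:
                acls.setdefault(w[1], []).extend([wildcard_net(*w[4:6]), wildcard_net(*w[6:8])])
        elif block.startswith("interface tunnel"):
            t = tunnels.setdefault(block, {})
            if w[:2] == ["ip", "address"] and len(w) >= 4:
                t["net"] = ipaddress.ip_network(f"{w[2]}/{w[3]}", strict=False)
            elif w[:2] == ["tunnel", "destination"]:
                t["peer"] = w[2]
            elif w[:3] == ["tunnel", "mode", "ipsec"]:
                t["vti"] = True                  # only VTIs count, not GRE/mGRE tunnels
        elif block.startswith("crypto map"):
            if w[:2] == ["set", "peer"]:
                cmap_peers.add(w[2])
            elif w[:2] == ["match", "address"]:
                cmap_acls.add(w[2])
    vti = [t for t in tunnels.values() if t.get("vti")]
    dup_peers = sorted({t["peer"] for t in vti if "peer" in t} & cmap_peers)
    overlaps = sorted({(acl, str(t["net"])) for acl in cmap_acls for net in acls.get(acl, [])
                       for t in vti if "net" in t and net.overlaps(t["net"])})
    return dup_peers, overlaps
```

Calling `audit(SAMPLE)` flags both problems in the constructed sample; a configuration that follows the advice returns two empty lists.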
