Parallel IPSec tunnels to one remote ip address

Unanswered Question
Mar 18th, 2010

I have a 2821 with 2 dsl links and a main WAN link. I am off-loading non-prio traffic over an ipsec tunnel to our data center (via policy-based routing). Prio traffic is routed over the MPLS network.

Now I want to use the second dsl link as well. But is there a way to set up an ipsec tunnel over the second dsl link to the same remote gateway (the same ip address I used for the first dsl link)?

I can't find anything on this.

Federico Coto F... Thu, 03/18/2010 - 13:56


On the 2821, just configure the two VPN peers under the crypto map (the first one will take precedence).

crypto map TEST 10 set peer

The 2821 will attempt to establish the tunnel to and if not receiving a response will try

The other side of the tunnel should have the routing set correctly to route traffic either way.


rplenter Thu, 03/18/2010 - 14:21

They indeed need to work at the same time.

I will try this vrf option (although I have little vrf experience :-).

jan.nielsen Thu, 03/18/2010 - 14:09

If you need them both to work at the same time towards the same peer address at the other end, you can use an fvrf to assign a default route that points out that dsl interface, and then use that vrf in your ipsec profile.

So something like this:

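! front-door VRF that holds the routing for the second dsl link
ip vrf dsl

! put the dsl interface into the VRF
interface dsl-something-or-other
 ip vrf forwarding dsl

! default route inside the VRF, pointing out the dsl link
ip route vrf dsl 0.0.0.0 0.0.0.0 x.x.x.x

! pre-shared key for the peer, looked up in the VRF
crypto keyring test vrf dsl
 pre-shared-key address x.x.x.x x.x.x.x key xxxx

! match the peer when it is reached through the VRF
crypto isakmp profile test
 keyring test
 match identity address x.x.x.x dsl

crypto ipsec transform-set test esp-aes 256 esp-sha-hmac
crypto ipsec profile test
 set transform-set test
 set isakmp-profile test

! the encrypted (outer) packets are routed in the VRF
interface tunnelx
 tunnel vrf dsl
 tunnel protection ipsec profile test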

This should make a new tunnel interface, so you will probably need either a new dmvpn on the hub as well, or you could try the same dmvpn config, just with another GRE address, not sure if that will work. But the config will allow you to have both your regular dmvpn and one using the dsl, by separating the routing table into a global one that handles your regular dmvpn and the dsl one that handles the dmvpn over dsl.
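The front-door VRF approach from the post above, written out for both tunnels side by side. This is an added example, not configuration posted by anyone in the thread. It assumes point-to-point GRE tunnels and two already working DSL interfaces named Dialer1 and Dialer2; every name, address (RFC 5737 ranges) and key placeholder in it is constructed.

```cisco
! Added example: all names and addresses are constructed.
! Hub peer: 203.0.113.1. Dialer1 = first DSL (global table), Dialer2 = second DSL.
ip vrf dsl2
 rd 65000:2
!
! Apply the VRF before the address: "ip vrf forwarding" clears an existing IP address.
interface Dialer2
 ip vrf forwarding dsl2
 ip address negotiated
!
! Global table: a host route pins the first tunnel's outer packets to the first DSL link.
ip route 203.0.113.1 255.255.255.255 Dialer1
! VRF dsl2: its own default route, so the same peer is also reachable via Dialer2.
ip route vrf dsl2 0.0.0.0 0.0.0.0 Dialer2
!
! One keyring per routing context; the second is looked up in the VRF.
crypto keyring KR-DSL1
 pre-shared-key address 203.0.113.1 key <psk-placeholder-1>
crypto keyring KR-DSL2 vrf dsl2
 pre-shared-key address 203.0.113.1 key <psk-placeholder-2>
!
! Same peer address twice; the trailing "dsl2" is the front-door VRF to match in.
crypto isakmp profile ISA-DSL1
 keyring KR-DSL1
 match identity address 203.0.113.1 255.255.255.255
crypto isakmp profile ISA-DSL2
 keyring KR-DSL2
 match identity address 203.0.113.1 255.255.255.255 dsl2
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
crypto ipsec profile IPSEC-DSL1
 set transform-set TS
 set isakmp-profile ISA-DSL1
crypto ipsec profile IPSEC-DSL2
 set transform-set TS
 set isakmp-profile ISA-DSL2
!
interface Tunnel1
 ip address 10.255.1.2 255.255.255.252
 tunnel source Dialer1
 tunnel destination 203.0.113.1
 tunnel protection ipsec profile IPSEC-DSL1
!
interface Tunnel2
 ip address 10.255.2.2 255.255.255.252
 tunnel source Dialer2
 tunnel destination 203.0.113.1
 tunnel vrf dsl2
 tunnel protection ipsec profile IPSEC-DSL2
```

The VRF name has to agree in four places (the interface, the keyring, the `match identity` line and `tunnel vrf`); a mismatch in any one of them leaves the second tunnel unable to negotiate. The hub sees the two tunnels arrive from different source addresses, so it needs a matching tunnel and key for each.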

rplenter Thu, 03/18/2010 - 14:24

Hmm, I replied to the wrong


See my reply on previous message :-)

