DMVPN isakmp profile

Unanswered Question
Jun 15th, 2010

Hi, I use the following DMVPN setup: I have 2 hubs configured in mGRE, and every spoke has 2 tunnels to each hub, one over a primary link (like cable modem or DSL) and a secondary one over a dialup link for redundancy. All the spokes are in mGRE because they're doing spoke-to-spoke.
Here is the tunnel configuration from one of my hubs:

! Wildcard peer address: any spoke source address matches this one key
crypto keyring DMVPNKEY
 pre-shared-key address 0.0.0.0 0.0.0.0 key ???????
!
crypto isakmp profile DMVPNISAKMP
 keyring DMVPNKEY
 match identity address 0.0.0.0
 keepalive 20 retry 3
!
crypto ipsec transform-set DMVPNSEC esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile IPSECPROFILE
 set transform-set DMVPNSEC
 set isakmp-profile DMVPNISAKMP
!
! Primary cloud (cable/DSL side)
interface Tunnel0
 bandwidth 5000
 ip address x.x.x.x x.x.x.x
 no ip redirects
 no ip proxy-arp
 ip mtu 1436
 no ip next-hop-self eigrp 110
 ip nhrp authentication NHRPKEY
 ip nhrp map multicast dynamic
 ip nhrp network-id 99
 ip nhrp holdtime 600
 ip nhrp cache non-authoritative
 no ip split-horizon eigrp 110
 no ip mroute-cache
 delay 1000
 qos pre-classify
 keepalive 5 3
 tunnel source FastEthernet4
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile IPSECPROFILE shared
!
! Backup cloud (dialup side)
interface Tunnel1
 bandwidth 1000
 ip address y.y.y.y y.y.y.y
 no ip redirects
 no ip proxy-arp
 ip mtu 1436
 no ip next-hop-self eigrp 110
 ip nhrp authentication NHRPKEY1
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 ip nhrp holdtime 600
 ip nhrp cache non-authoritative
 no ip split-horizon eigrp 110
 no ip mroute-cache
 delay 5000
 qos pre-classify
 keepalive 5 3
 tunnel source FastEthernet0/1
 tunnel mode gre multipoint
 tunnel key 200000
 tunnel protection ipsec profile IPSECPROFILE shared

My problem is that I have another DMVPN on the same hub that uses another keyring. I want to know if it is possible to configure a different "tunnel protection ipsec profile ... shared" on different Tunnel interfaces with the same tunnel source?

Thanks

adhar Fri, 06/18/2010 - 16:51

http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/share_ipsec_w_tun_protect.html#wp1081269

All tunnels with the same tunnel source interface must use the same IPsec profile and the shared keyword with the tunnel protection command on all such tunnels. The only exception is a scenario when there are only peer-to-peer (P2P) GRE tunnel interfaces configured with the same tunnel source in the system all with unique tunnel destination IP addresses.

emergismsh Tue, 06/22/2010 - 08:01

Thanks for the answer. It seems to be clear, but I've been able to have multiple ISAKMP profiles with mGRE by doing the following:

I boot the Cisco router with 1 tunnel interface in mGRE with 1 ISAKMP profile. After that I manually add another key with an ISAKMP profile associated with another tunnel interface, and it's working. But if I save the config and I reboot, only one of the tunnels is working. If I remove the non-working tunnel/ISAKMP profile and add it back, it's working!!!!

Is this normal, or is it a kind of bug in IOS? I use the following: c3745-advsecurityk9-mz.124-15.T1.bin

adhar Tue, 06/22/2010 - 16:38

Please add the configuration for the second profile?

adhar Wed, 06/23/2010 - 15:52

I looked at your config, and clearly this is not supported per my previous link. Precisely, that is why you are having issues with this configuration. When you have a production network, scalability and reliability are goals in a proper design. Not to mention the supportability issue in case you contact Cisco TAC/support forums.

When something is not supported you will get inconsistent results, and that is exactly what you are seeing. Kudos for trying though.

You will either need a unique source interface to have multiple profiles on tunnels (e.g. using unique loopbacks per tunnel source interface; the challenge is to have those loopbacks routable), or you need to have GRE P2P instead of GRE multipoint, in which case the "shared" keyword is not required.

Hopefully this helps.
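The supported layout described in the two answers above (one loopback per tunnel source, one keyring/ISAKMP profile/IPsec profile per DMVPN cloud, no "shared" keyword), written out as an added example. This is not the original poster's configuration: loopback names, the 203.0.113.x/10.0.x.x addresses, the profile names with -A/-B suffixes and the key placeholders are assumptions, and EIGRP/QoS lines from the original tunnels are left out for brevity.

```cisco
! Added example, not from the original post: one hub carrying two DMVPN clouds
! that use different pre-shared keys. Each cloud gets its own loopback as the
! tunnel source, so each tunnel can bind its own IPsec profile and the "shared"
! keyword is not needed. Addresses are RFC 5737/1918 documentation values
! (assumed); the loopbacks must be reachable from the spokes' side.
!
interface Loopback10
 description DMVPN cloud A tunnel source
 ip address 203.0.113.10 255.255.255.255
!
interface Loopback20
 description DMVPN cloud B tunnel source
 ip address 203.0.113.20 255.255.255.255
!
! One keyring per cloud, pinned to its loopback with local-address, so a
! spoke talking to Loopback20 can never be matched against cloud A's key
! even though both keyrings use the 0.0.0.0 wildcard peer address.
crypto keyring DMVPNKEY-A
 local-address Loopback10
 pre-shared-key address 0.0.0.0 0.0.0.0 key <cloud-A-key>
!
crypto keyring DMVPNKEY-B
 local-address Loopback20
 pre-shared-key address 0.0.0.0 0.0.0.0 key <cloud-B-key>
!
! local-address on the ISAKMP profile selects the profile by the hub address
! the spoke connected to, which is what makes the two profiles distinguishable.
crypto isakmp profile DMVPNISAKMP-A
 keyring DMVPNKEY-A
 match identity address 0.0.0.0
 local-address Loopback10
 keepalive 20 retry 3
!
crypto isakmp profile DMVPNISAKMP-B
 keyring DMVPNKEY-B
 match identity address 0.0.0.0
 local-address Loopback20
 keepalive 20 retry 3
!
! The original post uses esp-3des; AES-256 is the stronger choice.
crypto ipsec transform-set DMVPNSEC esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile IPSECPROFILE-A
 set transform-set DMVPNSEC
 set isakmp-profile DMVPNISAKMP-A
!
crypto ipsec profile IPSECPROFILE-B
 set transform-set DMVPNSEC
 set isakmp-profile DMVPNISAKMP-B
!
interface Tunnel0
 description DMVPN cloud A
 ip address 10.0.0.1 255.255.255.0
 ip mtu 1436
 ip nhrp authentication NHRPKEY
 ip nhrp map multicast dynamic
 ip nhrp network-id 99
 ip nhrp holdtime 600
 tunnel source Loopback10
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile IPSECPROFILE-A
!
interface Tunnel1
 description DMVPN cloud B
 ip address 10.0.1.1 255.255.255.0
 ip mtu 1436
 ip nhrp authentication NHRPKEY1
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 ip nhrp holdtime 600
 tunnel source Loopback20
 tunnel mode gre multipoint
 tunnel key 200000
 tunnel protection ipsec profile IPSECPROFILE-B
```

The spokes of each cloud must use the matching loopback address as their "tunnel destination" and NHRP NHS address, and the hub must advertise or statically route those /32s so they are reachable from the cable/DSL and dialup sides. After a reload, "show crypto isakmp profile" should list both profiles with their keyrings, and "show crypto session detail" should show each spoke's IKE SA bound to the expected profile; that is the check that the two clouds are actually being keyed separately rather than both falling into the first wildcard keyring.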
