I'm trying to configure a Cisco 1941 to connect to multiple Amazon VPC instances. Each VPC instance brings up 2 x IPsec over GRE tunnels with BGP in to the EC2 cloud and enables flat extension of the corporate LAN. Basically, you can spin up EC2 instances in a private subnet and route to them across the VPC link from the corporate LAN.
The Amazon configuration is templated and not designed to support multiple instances on one customer access gateway - however, I want to overcome this and find a technical solution around bringing up a second physical router. I've got VRF configured and working for the first instance, but when we add a second VRF to the configuration IPsec fails. The second VRF is essentially identical to the first.
I've had someone I trust look at this and the only explanation they've been able to turn up is that we're potentially looking at a licensing issue with IOS 15.x; the version we're running is...
ipbase ipbasek9 Permanent ipbasek9
security securityk9 Permanent securityk9
data None None None
When we bring the second VRF online the IPsec errors seen in the logs are...
*May 4 02:09:57.807: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main mode failed with peer at 18.104.22.168
*May 4 02:10:02.807: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 22.214.171.124 was not encrypted and it should've been.
*May 4 02:10:02.835: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 126.96.36.199 was not encrypted and it should've been.
However, the IPsec configuration is complete and all keychains etc. are in place as they should be. If anyone could provide guidance I'd greatly appreciate it.