Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

VRF aware muliple GRE tunnel over one IPSEC site to site VPN

Unanswered Question
Nov 14th, 2011
User Badges:


I have a requirement as below,

VRF aware muliple GRE tunnel over single IPSEC tunnel.

The routing protocol will be BGP withe the other GRE endpoints and need to use seperate address-family for the teo VRF configured under GRE tunnel.

Please advice me in this as i am not sure how to configure VRF aware muliple GRE tunnel over one IPSEC Site to Site VPN.

Thanks in advance,


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
anilrs3 Mon, 11/14/2011 - 11:49
User Badges:

Thanks Andrew. Running BGP over GRE which is running over IPSEC tunnel is a common design. This requirement is more complex than the one mentiond.

Two VRF aware BGP session which need to run over two seperate GRE tunnels within VRF and need to run these GRE tunnels over one IPSEC VPN. I know seems to be strange requirement

Need help from you guys ..

Thanks in advance,



vikz230884 Mon, 11/14/2011 - 21:17
User Badges:

Hi Anil,

Correct me if I am wrong, so the IPSEC tunnel is bind to the tunnel interface (using tunnel ipsec profile) ?

If yes then you only need to specify ISAKMP profile using keyring (bind vrf there) and ipsec transform set.

Bind these 2 to ipsec profile, and then bind the profile to the tunnel interface, which practically will permit any (encrypt any) as long the traffic goes through tunnel.

Let me know if you need any help for the specific portion of configs, maybe I can help there.



anilrs3 Tue, 11/15/2011 - 01:21
User Badges:

Hi Vikram & Konstantin,

Thanks for your valuable suggestions. The slight difference from your solution is that i need to use one IPSEC tunnel and two GRE (VRF aware ) over that. Then i can run two BGP address-families.

The issue is how i can run two GRE tunnel sourcing from one IP address. I found a solution is to use tunnel key to differentiate two GRE tunnels so that two GRE tunnels even sourcing from same IP address and destination also to the same IP address will be different.

But i need to test it to confirm. As always suggestions and appreciated.



Konstantin Dunaev Tue, 11/15/2011 - 01:32
User Badges:
  • Bronze, 100 points or more

just to be sure that we speak about the same issue - I suppose one can't use the "same" IPSec tunnel with 2 different destinations, I mean IPSec is a session specific (source-destination address), each session uses a separate IPSec tunnel. But you may _configure_ a single IPSec  profile, where you define a destination and/or access-list which will be used to crypt the traffic, and apply it onto physical intraface which use to transmit the GRE traffic.

anilrs3 Mon, 11/21/2011 - 15:00
User Badges:

Many thanks for all replied for my query.

I have managed to do this design by using two diffrent tunnel keys for the two GRE tunnels with source and destination as the same over IPSEC VPN . Working fine




This Discussion