
VRF aware multiple GRE tunnel over one IPSEC site to site VPN

anilrs3
Level 1

Hi,

I have a requirement as below,

VRF aware multiple GRE tunnels over a single IPSEC tunnel.

The routing protocol will be BGP with the other GRE endpoints, and I need to use a separate address-family for the two VRFs configured under the GRE tunnels.

Please advise me on this, as I am not sure how to configure VRF aware multiple GRE tunnels over one IPSEC Site to Site VPN.

Thanks in advance,

Sree

7 Replies

andrew.prince
Level 10

This is a very complex requirement that requires specific knowledge in multiple areas. Where does the requirement come from, running BGP over GRE inside an IPSEC tunnel? In my opinion there will probably be an easier solution.


Thanks Andrew. Running BGP over GRE which is running over an IPSEC tunnel is a common design. This requirement is more complex than the one mentioned.

Two VRF aware BGP sessions which need to run over two separate GRE tunnels within VRFs, and these GRE tunnels need to run over one IPSEC VPN. I know it seems to be a strange requirement.

Need help from you guys ..

Thanks in advance,

Thanks,

Anil.

Hi Anil,

Correct me if I am wrong, so the IPSEC tunnel is bound to the tunnel interface (using tunnel ipsec profile)?

If yes, then you only need to specify an ISAKMP profile using a keyring (bind the VRF there) and an ipsec transform set.

Bind these 2 to an ipsec profile, and then bind the profile to the tunnel interface, which practically will permit any (encrypt any) as long as the traffic goes through the tunnel.

Let me know if you need any help for the specific portion of configs, maybe I can help there.

HTH,

Vikram

Hi Anil,

I agree with Vikram, what you need is just 2 GRE tunnels with IPSec aware configuration. Look at this link:

http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_vrf_aware_ipsec.html#wp1055553

After that you just need to activate a BGP session in the address-family for a certain VRF.

Hi Vikram & Konstantin,

Thanks for your valuable suggestions. The slight difference from your solution is that I need to use one IPSEC tunnel and two GRE tunnels (VRF aware) over that. Then I can run two BGP address-families.

The issue is how I can run two GRE tunnels sourcing from one IP address. A solution I found is to use a tunnel key to differentiate the two GRE tunnels, so that the two GRE tunnels will be different even when sourced from the same IP address and destined to the same IP address.

But I need to test it to confirm. As always, suggestions are appreciated.

Regards,

Anil.

Just to be sure that we speak about the same issue - I suppose one can't use the "same" IPSec tunnel with 2 different destinations. I mean IPSec is session specific (source-destination address), and each session uses a separate IPSec tunnel. But you may _configure_ a single IPSec profile, where you define a destination and/or access-list which will be used to encrypt the traffic, and apply it onto the physical interface which is used to transmit the GRE traffic.

Many thanks to all who replied to my query.

I have managed to do this design by using two different tunnel keys for the two GRE tunnels, with the source and destination the same, over IPSEC VPN. Working fine.

Regards,

Anil.
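
The tunnel-key approach described in the thread, shown as an added example that is not part of any poster's configuration: a Python sketch of the GRE header with the optional 32-bit key field (RFC 2890) and a receiver that maps two tunnels with an identical source and destination to different VRFs by key. The addresses, key values and VRF names are constructed; the key is only a cleartext identifier, so confidentiality and authentication still come from the IPsec layer.

```python
import struct

GRE_FLAG_CSUM = 0x8000  # C bit: checksum + reserved1 present
GRE_FLAG_KEY = 0x2000   # K bit: 32-bit key present (RFC 2890)
GRE_FLAG_SEQ = 0x1000   # S bit: sequence number present
PROTO_IPV4 = 0x0800

def build_gre(payload, key=None, proto=PROTO_IPV4):
    """Build a GRE packet, with the key field when a key is given."""
    flags = GRE_FLAG_KEY if key is not None else 0
    header = struct.pack("!HH", flags, proto)
    if key is not None:
        header += struct.pack("!I", key)
    return header + payload

def parse_gre(packet):
    """Return (key or None, protocol, payload) from a GRE packet."""
    if len(packet) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", packet[:4])
    if flags & 0x0007:
        raise ValueError("unsupported GRE version")
    offset = 4
    if flags & GRE_FLAG_CSUM:
        offset += 4  # optional fields come in order: checksum, key, sequence
    key = None
    if flags & GRE_FLAG_KEY:
        if len(packet) < offset + 4:
            raise ValueError("truncated GRE key field")
        (key,) = struct.unpack("!I", packet[offset:offset + 4])
        offset += 4
    if flags & GRE_FLAG_SEQ:
        offset += 4
    if len(packet) < offset:
        raise ValueError("truncated GRE optional fields")
    return key, proto, packet[offset:]

# Constructed tunnel table: same endpoints, only the key differs.
TUNNELS = {
    ("192.0.2.1", "198.51.100.1", 101): "VRF-A",
    ("192.0.2.1", "198.51.100.1", 102): "VRF-B",
}

def classify(src, dst, packet):
    """Return the VRF for a received GRE packet, or None if no tunnel matches."""
    key, _proto, _payload = parse_gre(packet)
    return TUNNELS.get((src, dst, key))
```

A packet with no key, or with a key that matches neither tunnel, classifies to `None`, which is why both ends must agree on the key per tunnel.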
