Cisco Support Community

New Member

different VPN types, same interface

I have a single multiaccess-style interface on the central site from the SP and have multiple spokes. Multipoint GRE DMVPN is configured. The DMVPN binding goes to the tunnel interface (just like this: http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008014bcd7.shtml ). For some reason, can I use the physical interface to form a standard GRE over IPsec VPN using another tunnel interface? But in GRE over IPsec the crypto map will also apply to the physical interface; would it disturb the other VPN (DMVPN) going through it? Here I mention a separate tunnel interface because I need to mention the source and destination IP for GRE to the specific spoke.

How about Virtual Tunnel Interface (http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gtIPSctm.html )?

Thanks for your urgent response.

The tunnels would be something like this

========================================

 
!--- This is the first tunnel, for DMVPN.

interface Tunnel0
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 ip mtu 1440
 ip nhrp authentication cisco123
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 no ip split-horizon eigrp 90
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 0
 tunnel protection ipsec profile cisco
!

!--- This is the outbound interface. Both encrypted tunnels use this interface.

interface FastEthernet0/0
 ip address 209.168.202.225 255.255.255.224
 duplex auto
 speed auto
!

!--- This is the second tunnel.

interface Tunnel1
 ip address 10.0.51.203 255.255.255.0
 tunnel source FastEthernet0/0
 tunnel destination xx.xx.xx.xx
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
!

===================================================

Message was edited by: ciscohamid

3 REPLIES
Cisco Employee

Re: different VPN types, same interface

Hi,

There is no reason why it shouldn't work, but avoid using crypto-map on the physical interface to keep your configuration simple and consistent.

VTI or encrypted GRE tunnel are both fine but my personal choice goes to VTI.

HTH

Laurent.

New Member

Re: different VPN types, same interface

Hello.

What can I do if I have one interface facing the internet and it needs to be the tunnel source for VTI, and at the same time I should apply a crypto map because that router is an Easy VPN server? For example, is this configuration possible:

interface fastethernet 0/0
 ip address x.x.x.x
 crypto map VPN
!
interface tunnel 0
 ip address y.y.y.y
 tunnel source fastethernet 0/0
 tunnel destination z.z.z.z
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN_TO_BR
!
crypto ipsec transform-set VPN_TS esp-3des esp-sha-hmac
!
crypto ipsec profile VPN_TO_BR
 set transform-set VPN_TS
!
! Sequence number 10 is assumed; the original post did not give one.
crypto map VPN 10 ipsec-isakmp
 match address 101
 set transform-set VPN_TS

Cisco Employee

Re: different VPN types, same interface

Hi,

It should work. To avoid any overlapping be sure that your crypto ACL doesn't include your VTI tunnel addresses and tune your routing protocols so your EZVPN client addresses are never reachable from the tunnel.

One restriction is you can't have the same IPSec peer configured with both VTI and crypto-map.

HTH

Laurent.
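
The two conditions in the reply above (the crypto ACL must not cover the VTI tunnel addresses, and no IPsec peer may be configured with both a VTI and a crypto map) can be checked offline against a saved configuration. This Python check is an added example, not part of the thread or of any Cisco tool; it assumes indented IOS sub-commands and numbered `permit ip <addr> <wildcard> <addr> <wildcard>` ACL entries, and the sample config and the names `blocks`, `wild` and `audit` are constructed for illustration.

```python
import ipaddress, re

# Constructed sample (documentation-range addresses, not taken from the thread).
SAMPLE = """\
interface Tunnel0
 ip address 10.0.51.1 255.255.255.0
 tunnel destination 198.51.100.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN_TO_BR
crypto map VPN 10 ipsec-isakmp
 set peer 198.51.100.2
 match address 101
access-list 101 permit ip 10.0.0.0 0.0.255.255 192.168.50.0 0.0.0.255
"""

def blocks(config):
    """Split an IOS config into (header, [indented sub-lines]) pairs."""
    out = []
    for raw in config.splitlines():
        if not raw.strip() or raw.strip().startswith("!"):
            continue
        if raw[0].isspace() and out:
            out[-1][1].append(raw.strip())
        else:
            out.append((raw.strip(), []))
    return out

def wild(addr, wildcard):
    """Convert an IOS address/wildcard pair to a network (wildcard = inverted netmask)."""
    mask = ipaddress.ip_address(int(ipaddress.ip_address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def audit(config):
    """Report peers and crypto ACL entries that collide with IPsec-protected tunnels."""
    vti_peers, vti_nets, map_peers, map_acls, acls = set(), [], set(), set(), {}
    for head, body in blocks(config):
        text = "\n".join(body)
        if head.lower().startswith("interface tunnel") and "tunnel protection ipsec" in text.lower():
            vti_peers.update(re.findall(r"^tunnel destination (\S+)", text, re.M))
            vti_nets += [ipaddress.ip_interface(f"{a}/{m}").network
                         for a, m in re.findall(r"^ip address (\S+) (\S+)", text, re.M)]
        elif head.startswith("crypto map"):
            map_peers.update(re.findall(r"^set peer (\S+)", text, re.M))
            map_acls.update(re.findall(r"^match address (\S+)", text, re.M))
        elif m := re.match(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)", head):
            acls.setdefault(m[1], []).extend([wild(m[2], m[3]), wild(m[4], m[5])])
    found = [f"peer {p} is used by both a VTI and a crypto map" for p in sorted(vti_peers & map_peers)]
    for acl in sorted(map_acls):
        found += [f"crypto ACL {acl} entry {n} overlaps tunnel network {t}"
                  for n in acls.get(acl, []) for t in vti_nets if n.overlaps(t)]
    return found
```

Calling `audit(SAMPLE)` flags both the shared peer and the ACL entry that covers the tunnel subnet; ACL entries using `any` or `host` are not parsed and need a manual look.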
