Hi, I use the following DMVPN setup: I have 2 hubs configured in mGRE, and every spoke has 2 tunnels to each hub, one over a primary link (like cable modem or DSL) and a secondary over a dialup link for redundancy. All the spokes are in mGRE because they're doing spoke-to-spoke. Here is the tunnel configuration from one of my hubs:
crypto ipsec transform-set DMVPNSEC esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile IPSECPROFILE
 set transform-set DMVPNSEC
 set isakmp-profile DMVPNISAKMP
!
interface Tunnel0
 bandwidth 5000
 ip address x.x.x.x x.x.x.x
 no ip redirects
 no ip proxy-arp
 ip mtu 1436
 no ip next-hop-self eigrp 110
 ip nhrp authentication NHRPKEY
 ip nhrp map multicast dynamic
 ip nhrp network-id 99
 ip nhrp holdtime 600
 ip nhrp cache non-authoritative
 no ip split-horizon eigrp 110
 no ip mroute-cache
 delay 1000
 qos pre-classify
 keepalive 5 3
 tunnel source FastEthernet4
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile IPSECPROFILE shared
!
interface Tunnel1
 bandwidth 1000
 ip address y.y.y.y y.y.y.y
 no ip redirects
 no ip proxy-arp
 ip mtu 1436
 no ip next-hop-self eigrp 110
 ip nhrp authentication NHRPKEY1
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 ip nhrp holdtime 600
 ip nhrp cache non-authoritative
 no ip split-horizon eigrp 110
 no ip mroute-cache
 delay 5000
 qos pre-classify
 keepalive 5 3
 tunnel source FastEthernet0/1
 tunnel mode gre multipoint
 tunnel key 200000
 tunnel protection ipsec profile IPSECPROFILE shared
My problem is that I have another DMVPN on the same hub that uses another keyring. I want to know if it is possible to configure a different "tunnel protection ipsec profile IPSECPROFILE shared" on different tunnel interfaces with the same tunnel source?
All tunnels with the same tunnel source interface must use the same IPsec profile and the shared keyword with the tunnel protection command on all such tunnels. The only exception is a scenario when there are only peer-to-peer (P2P) GRE tunnel interfaces configured with the same tunnel source in the system all with unique tunnel destination IP addresses.
Thanks for the answer. It seems to be clear, but I've been able to have multiple ISAKMP profiles with mGRE by doing the following:
I boot the Cisco router with 1 tunnel interface in mGRE with 1 ISAKMP profile. Afterwards I manually add another key with an ISAKMP profile associated with another tunnel interface, and it's working. But if I save the config and I reboot, only one of the tunnels is working. If I remove the non-working tunnel/ISAKMP profile and add it back, it's working!!!!
Is it normal or is it a kind of bug in the IOS? I use the following: c3745-advsecurityk9-mz.124-15.T1.bin
I looked at your config and clearly this is not supported per my previous link. Precisely, that is why you are having issues with this configuration. When you have a production network, scalability and reliability are goals in a proper design. Not to mention the supportability issue in case you contact Cisco TAC/support forums.
When something is not supported you will get inconsistent results and that is exactly what you are seeing. Kudos for trying though.
You will either need to have a unique source interface to have multiple profiles on tunnels (e.g. using unique loopbacks per tunnel source interface; the challenge is to have those loopbacks routable) or you need to have GRE P2P instead of GRE multipoint, and in that case the "shared" keyword is not required.
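The loopback-per-source option from the answers above, written out as an added example (not configuration from the original thread or from Cisco documentation). It keeps mGRE, so spoke-to-spoke still works, and gives each DMVPN cloud its own keyring, ISAKMP profile and IPsec profile. The loopback addresses, spoke address ranges, tunnel subnets, NHRP keys and the PSK placeholders are all assumed values; only the transform set name DMVPNSEC is taken from the question.

```cisco
! Two independent DMVPN clouds on one hub. Each mGRE tunnel is sourced from
! its own loopback, so the tunnels no longer share a tunnel source and no
! longer need a common IPsec profile or the "shared" keyword.
! All addresses, names and keys below are placeholders (assumed values).

! --- Cloud A: its own pre-shared-key trust domain ---
crypto keyring KEYRING-A
 ! Placeholder range: the address block the cloud A spokes connect from.
 pre-shared-key address 198.51.100.0 255.255.255.0 key PSK-A-PLACEHOLDER
!
crypto isakmp profile ISAKMP-A
 keyring KEYRING-A
 match identity address 198.51.100.0 255.255.255.0
 local-address Loopback10
!
crypto ipsec profile IPSEC-A
 set transform-set DMVPNSEC
 set isakmp-profile ISAKMP-A
!
! --- Cloud B: separate keyring, so a spoke of A cannot authenticate to B ---
crypto keyring KEYRING-B
 ! Placeholder range: the address block the cloud B spokes connect from.
 pre-shared-key address 192.0.2.0 255.255.255.0 key PSK-B-PLACEHOLDER
!
crypto isakmp profile ISAKMP-B
 keyring KEYRING-B
 match identity address 192.0.2.0 255.255.255.0
 local-address Loopback20
!
crypto ipsec profile IPSEC-B
 set transform-set DMVPNSEC
 set isakmp-profile ISAKMP-B
!
! Loopbacks used as tunnel sources. Spokes must be able to reach these
! addresses, so they need public (or statically NATed) addresses that are
! advertised toward the spokes; that is the "routable loopback" challenge.
interface Loopback10
 ip address 203.0.113.10 255.255.255.255
!
interface Loopback20
 ip address 203.0.113.20 255.255.255.255
!
! Cloud A hub tunnel: unique source, unique NHRP network-id and tunnel key,
! its own IPsec profile, and no "shared" keyword.
interface Tunnel0
 ip address 10.0.1.1 255.255.255.0
 ip nhrp authentication NHRPKEYA
 ip nhrp map multicast dynamic
 ip nhrp network-id 99
 tunnel source Loopback10
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile IPSEC-A
!
! Cloud B hub tunnel: same pattern, different source loopback and profile.
interface Tunnel2
 ip address 10.0.2.1 255.255.255.0
 ip nhrp authentication NHRPKEYB
 ip nhrp map multicast dynamic
 ip nhrp network-id 101
 tunnel source Loopback20
 tunnel mode gre multipoint
 tunnel key 300000
 tunnel protection ipsec profile IPSEC-B
```

Two points worth checking before deploying a layout like this. First, IOS selects the keyring by matching the peer address before it matches the ISAKMP profile, so two keyrings that both carry a wildcard 0.0.0.0 entry are ambiguous and the first one configured tends to win; narrowing each keyring to the address block its spokes actually use, as the placeholders above do, keeps the two PSK trust domains separate, which is the security benefit of running separate keyrings in the first place. Second, after a reload, "show crypto isakmp profile" and "show crypto ipsec profile" on the hub should list both profiles bound to their respective tunnels; if only one cloud comes up, that is the unsupported shared-source situation described in the thread rather than a problem with the keyrings.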