
VRF aware multiple GRE tunnel over one IPSEC site to site VPN

Hi,

I have a requirement as below,

VRF aware multiple GRE tunnel over single IPSEC tunnel.

The routing protocol will be BGP with the other GRE endpoints and need to use separate address-family for the two VRF configured under GRE tunnel.

Please advise me on this as I am not sure how to configure VRF aware multiple GRE tunnel over one IPSEC Site to Site VPN.

Thanks in advance,

Sree

7 REPLIES

Re: VRF aware multiple GRE tunnel over one IPSEC site to site VPN

This is a very complex requirement that requires specific knowledge in multiple areas. Where does the requirement come from for running BGP over GRE inside an IPSEC tunnel, as in my opinion there will probably be an easier solution?


Re: VRF aware multiple GRE tunnel over one IPSEC site to site VPN

Thanks Andrew. Running BGP over GRE which is running over IPSEC tunnel is a common design. This requirement is more complex than the one mentioned.

Two VRF aware BGP sessions which need to run over two separate GRE tunnels within VRF and need to run these GRE tunnels over one IPSEC VPN. I know it seems to be a strange requirement.

Need help from you guys ..

Thanks in advance,

Thanks,

Anil.


Re: VRF aware multiple GRE tunnel over one IPSEC site to site VPN

Hi Anil,

Correct me if I am wrong, so the IPSEC tunnel is bound to the tunnel interface (using tunnel ipsec profile)?

If yes then you only need to specify ISAKMP profile using keyring (bind vrf there) and ipsec transform set.

Bind these 2 to ipsec profile, and then bind the profile to the tunnel interface, which practically will permit any (encrypt any) as long as the traffic goes through tunnel.

Let me know if you need any help for the specific portion of configs, maybe I can help there.

HTH,

Vikram

VRF aware multiple GRE tunnel over one IPSEC site to site VPN

Hi Anil,

I agree with Vikram, what you need is just 2 GRE tunnels with IPSec aware configuration, look at this link

http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_vrf_aware_ipsec.html#wp1055553

and after that you just need to activate a BGP session in address-family for a certain VRF.


VRF aware multiple GRE tunnel over one IPSEC site to site VPN

Hi Vikram & Konstantin,

Thanks for your valuable suggestions. The slight difference from your solution is that I need to use one IPSEC tunnel and two GRE (VRF aware) over that. Then I can run two BGP address-families.

The issue is how I can run two GRE tunnels sourcing from one IP address. I found a solution is to use tunnel key to differentiate two GRE tunnels so that two GRE tunnels even sourcing from same IP address and destination also to the same IP address will be different.

But I need to test it to confirm. As always, suggestions are appreciated.

Regards,

Anil.

VRF aware multiple GRE tunnel over one IPSEC site to site VPN

Just to be sure that we speak about the same issue - I suppose one can't use the "same" IPSec tunnel with 2 different destinations, I mean IPSec is session specific (source-destination address), each session uses a separate IPSec tunnel. But you may _configure_ a single IPSec profile, where you define a destination and/or access-list which will be used to crypt the traffic, and apply it onto the physical interface which is used to transmit the GRE traffic.


VRF aware multiple GRE tunnel over one IPSEC site to site VPN

Many thanks to all who replied to my query.

I have managed to do this design by using two different tunnel keys for the two GRE tunnels with source and destination as the same over IPSEC VPN. Working fine.

Regards,

Anil.
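
The design reported working in the last post (two GRE tunnels with the same source and destination, told apart by tunnel key, carried over one IPsec VPN), sketched as Cisco IOS configuration for one side. This is an added example, not configuration posted by anyone in the thread; it assumes a crypto map on the physical interface matching GRE between the two endpoints, and the VRF names, interface, addresses, AS numbers, tunnel keys and pre-shared key are constructed placeholders.

```cisco
! Added illustration, not from the thread. VRF names, addresses, AS numbers,
! tunnel keys and the pre-shared key are constructed placeholders.
ip vrf RED
 rd 65000:1
ip vrf BLUE
 rd 65000:2
!
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-PSK address 198.51.100.2
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
!
! One crypto ACL entry covers all GRE between the two endpoints, so both
! GRE tunnels ride the same IPsec SA pair.
ip access-list extended GRE-TO-PEER
 permit gre host 192.0.2.1 host 198.51.100.2
crypto map VPN 10 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set TS
 match address GRE-TO-PEER
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.252
 crypto map VPN
!
! Same source and destination on both tunnels; the GRE key is what lets the
! router demultiplex them. It is an identifier, not a secret: IPsec protects it.
interface Tunnel1
 ip vrf forwarding RED
 ip address 10.1.1.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.2
 tunnel key 101
interface Tunnel2
 ip vrf forwarding BLUE
 ip address 10.2.2.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.2
 tunnel key 102
!
router bgp 65000
 address-family ipv4 vrf RED
  neighbor 10.1.1.2 remote-as 65001
  neighbor 10.1.1.2 activate
 address-family ipv4 vrf BLUE
  neighbor 10.2.2.2 remote-as 65001
  neighbor 10.2.2.2 activate
```

The peer needs the mirrored configuration with the same tunnel key on each matching tunnel. `show crypto ipsec sa` should then list one SA pair whose proxy identities are the two GRE endpoints, which confirms that neither tunnel is leaving the router unencrypted.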
