Hi Kings,


I use the shared profile in combination with ISAKMP profiles. What I found (whether it is multiple tunnels, or one tunnel plus EzVPN / site-to-site tunnels) on a single router is that sometimes, although the ISAKMP profile should restrict it, the inbound SA would be set into a different SADB than the outbound SA. E.g. for Tunnel0 inbound, the spoke SA would be in the system SADB, or even the wrong tunnel's, while the outbound would be in the Tunnel0 SADB.
What then happens is, for example, EIGRP flapping, NHRP registration not working, etc. Basically traffic comes in but can't get out, or vice versa; that traffic isn't even hitting the tunnel interface.


So to prevent it, I specify shared on all tunnels, so that the SADB between the tunnels is shared.
In production it means that you have a short interruption on the database.

What do you mean by "the same SA is valid"? Where did you put the shared profile, on the hub side or the spoke side?

Kind regards

PJ

On 13 Sep 2010, at 14:43, Kingsley Charles wrote:

Hi all

IPsec shared profiles enable more than two GRE tunnels that have the same tunnel source, destination and tunnel key to use the same IPsec SADB.

Here the spokes use the IPsec shared profile. The spokes peer with two hubs. With the IPsec profile the SADBs are the same. The spoke's T0 and T1, which tunnel to Hub1 and Hub2, use the same SA.
I am wondering how that can happen?

The spokes negotiate DH with two different hubs. How come they come up with the same shared secret? Hub 1 and Hub 2 don't communicate with each other.

Can someone provide some insight?
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com

---

Nefkens Advies
Enk 26
4214 DD Vuren
The Netherlands

Tel: +31 183 634730
Fax: +31 183 690113
Cell: +31 654 323221
Email: [email protected]
Web: http://www.nefkensadvies.nl/

Think before you print.
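As an added illustration that is not part of either message above: the spoke-side configuration the thread is discussing, i.e. two mGRE tunnels that share one tunnel source interface and one IPsec profile, which is the case that requires the shared keyword on both tunnel protection statements, followed by the show commands used to check which SADB each peer's inbound and outbound SAs landed in. All names, addresses, keys, tunnel-key values and interface numbers are assumptions chosen for the example.

```cisco
! Spoke with two DMVPN clouds over one physical uplink:
!   Tunnel0 -> Hub1 (assumed 203.0.113.1), Tunnel1 -> Hub2 (assumed 203.0.113.2)
! Both tunnels use the same tunnel source and the same IPsec profile, so
! "shared" is required on both; without it the second tunnel's SAs are not
! guaranteed to be attached to the interface the traffic arrives on.
crypto keyring DMVPN-KEYS
 pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
!
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
!
! One ISAKMP profile matching both hub identities, so that SAs from either
! hub resolve to the same profile and therefore the same shared SADB.
crypto isakmp profile DMVPN-ISA
 keyring DMVPN-KEYS
 match identity address 203.0.113.1 255.255.255.255
 match identity address 203.0.113.2 255.255.255.255
!
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
 set isakmp-profile DMVPN-ISA
!
interface Tunnel0
 description DMVPN cloud 1 (Hub1)
 ip address 10.0.1.11 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication nhrp1
 ip nhrp map 10.0.1.1 203.0.113.1
 ip nhrp map multicast 203.0.113.1
 ip nhrp network-id 1
 ip nhrp nhs 10.0.1.1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-PROF shared
!
interface Tunnel1
 description DMVPN cloud 2 (Hub2)
 ip address 10.0.2.11 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication nhrp2
 ip nhrp map 10.0.2.1 203.0.113.2
 ip nhrp map multicast 203.0.113.2
 ip nhrp network-id 2
 ip nhrp nhs 10.0.2.1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 2
 tunnel protection ipsec profile DMVPN-PROF shared
!
! Checks after both tunnels come up (assumed hub addresses as above):
!   show crypto map            - the crypto map created for the profile should
!                                list Tunnel0 and Tunnel1 under "Interfaces using"
!   show crypto socket         - one socket per hub peer, both in the open state
!   show crypto ipsec sa peer 203.0.113.1
!   show crypto ipsec sa peer 203.0.113.2
!                              - for each peer the inbound and outbound ESP SAs
!                                must appear under the same interface entry; an
!                                inbound SA listed under a different interface
!                                than its outbound SA is the symptom in the thread
!   show crypto session detail - IKE and IPsec status per peer
!   show dmvpn detail          - NHRP registration state per hub
```

The distinct tunnel keys and NHRP network IDs are used here only to keep the two clouds apart; the part that determines which SADB an SA lands in is the combination of tunnel source, IPsec profile and the shared keyword, so both tunnels must carry all three identically.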



