Hi PJ

I didn't lab it.

Did you see the "sh crypto ipsec sa" O/P of spoke1 in the link I gave?

For both T0 and T1, the same inbound and outbound ESP SAs are being used, right?
Hence they use the same IPSec SADB.

But T0 and T1 of spoke1 are connected to hub1 and hub2 respectively?

When IPSec negotiation happens, spoke1 negotiates IPSec with Hub1 through T0
and with Hub2 through T1. The DH algorithm uses prime numbers for the shared
key generation.

Hub1 will use a different prime number and Hub2 will use another prime
number. That said, how do the spokes arrive at the same SA on T0 and T1?


With regards
Kings

On Mon, Sep 13, 2010 at 6:24 PM, Pieter-Jan Nefkens <
[email protected]> wrote:

> Hi Kings,
>
>
> I use the shared profile in combination with isakmp profiles. What I found,
> whether it is multiple tunnels or one tunnel and ezvpn / site-to-site
> tunnels on a single router, sometimes, although the isakmp profile should
> restrict it, the inbound sa would be set into a different sadb than the
> outbound sa. E.g. for tunnel0 inbound the spoke sa would be in the system,
> or even the wrong tunnel, while the outbound would be in the tunnel0 sadb.
> What then happens is for example eigrp flapping, nhrp registration not
> working, etc. Basically traffic comes in, but can't get out, or vice versa,
> that traffic isn't even hitting the tunnel interface.
>
>
> So to prevent it, I specify shared on all tunnels, so that the sadb between
> the tunnels is shared.
> In production it means that you have a short interruption on the database.
>
> What do you mean by saying that the same SA is valid? Where did you put the
> shared profile, on the hub side, or the spoke side?
>
> Kind regards
>
> PJ
>
> On 13 sep 2010, at 14:43, Kingsley Charles wrote:
>
> Hi all
>
> IPSec shared profiles enable more than two GRE tunnels that have the same
> tunnel source, destination and tunnel key to use the same IPSec SADB.
>
> Here the spokes use an IPSec shared profile. The spokes peer with two hubs.
> With the IPsec profile the SADBs are the same. The spoke's T0 and T1 that tunnel
> to Hub1 and Hub2 use the same SA.
> I am wondering how that can happen?
>
> The spokes are negotiating DH with two different hubs. How come they come
> up with the same shared secret? Hub 1 and Hub 2 don't communicate with each
> other.
>
> Can someone provide some insight?
>
>
>
>
>
> http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/share_ipsec_w_tun_protect_ps6441_TSD_Products_Configuration_Guide_Chapter.html
>
> With regards
> Kings
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
>
> ---
>
> Nefkens Advies
>
> Enk 26
>
> 4214 DD Vuren
>
> The Netherlands
>
>
> Tel: +31 183 634730
>
> Fax: +31 183 690113
>
> Cell: +31 654 323221
>
> Email: [email protected]
>
> Web: http://www.nefkensadvies.nl/
>
>  Think before you print.
>
>
>
>
>
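As an added example (not from this thread or from the Cisco document linked above), here is a spoke configuration of the kind being discussed: Tunnel0 to Hub1 and Tunnel1 to Hub2 are sourced from the same physical interface, so both carry the `shared` keyword on the same IPsec profile and a distinct tunnel key so GRE can tell the two tunnels apart. All addresses, names, keys and interface numbers are made up for the example; a per-peer pre-shared key is used rather than a wildcard one.

```ios
! Spoke: two GRE tunnels with the same tunnel source, both protected by one
! IPsec profile with the "shared" keyword so they use a single IPsec SADB.
! Every address, name and key below is constructed for this example.
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
!
! One pre-shared key per hub peer (placeholder values).
crypto isakmp key HUB1-PSK-PLACEHOLDER address 192.0.2.1
crypto isakmp key HUB2-PSK-PLACEHOLDER address 192.0.2.2
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
 mode transport
!
crypto ipsec profile PROT
 set transform-set TS
!
interface Tunnel0
 description to Hub1
 ip address 10.0.1.11 255.255.255.0
 tunnel source GigabitEthernet0/0
 tunnel destination 192.0.2.1
 tunnel key 100
 tunnel protection ipsec profile PROT shared
!
interface Tunnel1
 description to Hub2
 ip address 10.0.2.11 255.255.255.0
 tunnel source GigabitEthernet0/0
 tunnel destination 192.0.2.2
 tunnel key 200
 tunnel protection ipsec profile PROT shared
```

With both tunnels up, the `sh crypto ipsec sa` output mentioned in the thread can be read per peer address: each hub negotiates its own IKE/DH exchange with the spoke and so appears with its own inbound and outbound SPIs, while the `shared` keyword only makes both tunnel interfaces consult the same SADB for those entries.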
