I have a 2811 and a 3745 router at separate sites. I'd like to establish two IPSEC virtual tunnel interface links between the routers, in parallel. One tunnel will be used for production traffic, the other for a management network. Is there an accepted way of making this work? Configuring a second parallel tunnel seems to mix up the ISAKMP SAs between the two.
router 1:

crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2
crypto isakmp key mykey address b.b.b.b
!
crypto ipsec transform-set VTI-SET esp-aes esp-sha-hmac
!
crypto ipsec profile VTI-PROFILE
 set transform-set VTI-SET
!
interface Tunnel 0
 description Management VTI to router2
 ip address x.x.x.x m.m.m.m
 ip ospf message-digest-key 10 md5 7 key
 ip ospf mtu-ignore
 tunnel source FastEthernet0/0
 tunnel destination b.b.b.b
 tunnel protection ipsec profile VTI-PROFILE
 tunnel mode ipsec ipv4
!
interface Tunnel 1
 description Production VTI to router2
 bandwidth 25000
 ip address y.y.y.y m.m.m.m
 ip ospf message-digest-key 10 md5 7 key
 ip ospf mtu-ignore
 tunnel source FastEthernet0/0
 tunnel destination b.b.b.b
 tunnel protection ipsec profile VTI-PROFILE
 tunnel mode ipsec ipv4
 ip flow ingress
 ip flow egress

router 2:

crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key mykey address a.a.a.a
!
!
crypto ipsec transform-set VTI-SET esp-aes esp-sha-hmac
!
crypto ipsec profile VTI-PROFILE
 set transform-set VTI-SET
!
interface Tunnel0
 description Management VTI to router1
 bandwidth 25000
 ip address z.z.z.z m.m.m.m
 ip ospf message-digest-key 1 md5 7 key
 ip ospf mtu-ignore
 tunnel source FastEthernet0/1
 tunnel destination a.a.a.a
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE
!
interface Tunnel1
 description Production VTI to router1
 bandwidth 25000
 ip address t.t.t.t m.m.m.m
 ip ospf message-digest-key 10 md5 7 key
 ip ospf mtu-ignore
 tunnel source FastEthernet0/1
 tunnel destination a.a.a.a
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE

_______________________________________________
cisco-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
