Are you able to add the 'shared' keyword to the 'tunnel protection ipsec profile VTI-PROFILE' command? In order to differentiate the tunnel interfaces, you may need a unique 'tunnel key' identifier. Alternatively, are you able to source the tunnels from different addresses? What is the rationale for using two tunnels between a pair of routers, given the destinations appear to land in the same routing instance?
Cheers,
Matt

-----Original Message-----
Message: 3
Date: Mon, 2 Apr 2012 10:50:16 -0400
From: Robert Johnson <[email protected]>
To: [email protected]
Subject: [c-nsp] Parallel VTIs
Message-ID: <CAOq=Mmm=5g+seoqopwwryr09zh+nwy60akct_eipng7hmbn...@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

I have a 2811 and a 3745 router at separate sites. I'd like to establish two IPSEC virtual tunnel interface links between the routers, in parallel. One tunnel will be used for production traffic, the other for a management network. Is there an accepted way of making this work? Configuring a second parallel tunnel seems to mix up the ISAKMP SAs between the two.

router 1:

crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2
crypto isakmp key mykey address b.b.b.b
!
crypto ipsec transform-set VTI-SET esp-aes esp-sha-hmac
!
crypto ipsec profile VTI-PROFILE
 set transform-set VTI-SET
!
interface Tunnel 0
 description Management VTI to router2
 ip address x.x.x.x m.m.m.m
 ip ospf message-digest-key 10 md5 7 key
 ip ospf mtu-ignore
 tunnel source FastEthernet0/0
 tunnel destination b.b.b.b
 tunnel protection ipsec profile VTI-PROFILE
 tunnel mode ipsec ipv4
!
interface Tunnel 1
 description Production VTI to router2
 bandwidth 25000
 ip address y.y.y.y m.m.m.m
 ip ospf message-digest-key 10 md5 7 key
 ip ospf mtu-ignore
 tunnel source FastEthernet0/0
 tunnel destination b.b.b.b
 tunnel protection ipsec profile VTI-PROFILE
 tunnel mode ipsec ipv4
 ip flow ingress
 ip flow egress

router 2:

crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key mykey address a.a.a.a
!
!
crypto ipsec transform-set VTI-SET esp-aes esp-sha-hmac
!
crypto ipsec profile VTI-PROFILE
 set transform-set VTI-SET
!
interface Tunnel0
 description Management VTI to router1
 bandwidth 25000
 ip address z.z.z.z m.m.m.m
 ip ospf message-digest-key 1 md5 7 key
 ip ospf mtu-ignore
 tunnel source FastEthernet0/1
 tunnel destination a.a.a.a
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE
!
interface Tunnel1
 description Production VTI to router1
 bandwidth 25000
 ip address t.t.t.t m.m.m.m
 ip ospf message-digest-key 10 md5 7 key
 ip ospf mtu-ignore
 tunnel source FastEthernet0/1
 tunnel destination a.a.a.a
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE

_______________________________________________
cisco-nsp mailing list
[email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
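The root of the problem in the thread is that both VTIs terminate on the same local address and the same peer, so they negotiate against the same IKE identity and contend for the same IPsec SAs. The following Python linter, written as an added example for this thread and not taken from the post or from any Cisco tool, parses an IOS-style config and reports tunnels whose (resolved source address, destination) pair collides without the 'shared' keyword Matt suggests. The sample config is constructed to mirror router 1 from the post, with RFC 5737 documentation addresses standing in for the redacted a.a.a.a / b.b.b.b values; it assumes the config text is the running-config listing (one-space indented sub-commands, '!' stanza separators) and does not check whether a given IOS release accepts 'shared' on a 'tunnel mode ipsec ipv4' interface.

```python
"""Lint an IOS-style config for parallel VTIs that contend for one IKE/IPsec peer pair."""
import re
from collections import defaultdict

# Constructed sample modelled on router 1 in the thread (documentation addresses).
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
!
interface Tunnel0
 description Management VTI to router2
 ip address 10.0.0.1 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 198.51.100.1
 tunnel protection ipsec profile VTI-PROFILE
 tunnel mode ipsec ipv4
!
interface Tunnel1
 description Production VTI to router2
 ip address 10.0.0.5 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 198.51.100.1
 tunnel protection ipsec profile VTI-PROFILE
 tunnel mode ipsec ipv4
!
"""


def parse_interfaces(config):
    """Return {interface name: [sub-commands]} for every 'interface' stanza."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            # Normalise 'Tunnel 0' and 'Tunnel0' to one key.
            current = line.split(None, 1)[1].replace(" ", "")
            stanzas[current] = []
        elif line.startswith(" ") and current is not None:
            stanzas[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the stanza
    return stanzas


def tunnel_attributes(stanzas):
    """Extract, per IPsec-protected tunnel, the fields that select its SA pair."""
    tunnels = {}
    for name, cmds in stanzas.items():
        if not name.startswith("Tunnel"):
            continue
        attrs = {"source": None, "destination": None, "profile": None, "shared": False}
        for cmd in cmds:
            parts = cmd.split()
            if cmd.startswith("tunnel source "):
                attrs["source"] = parts[2]
            elif cmd.startswith("tunnel destination "):
                attrs["destination"] = parts[2]
            elif cmd.startswith("tunnel protection ipsec profile "):
                attrs["profile"] = parts[4]
                attrs["shared"] = "shared" in parts[5:]
        if attrs["profile"] is None:
            continue  # unprotected tunnel, no IPsec SA at stake
        # A source given as an interface name resolves to that interface's address.
        src = attrs["source"]
        if src in stanzas:
            for cmd in stanzas[src]:
                m = re.match(r"ip address (\S+) \S+", cmd)
                if m:
                    attrs["source"] = m.group(1)
        tunnels[name] = attrs
    return tunnels


def find_sa_conflicts(config):
    """Map each colliding (local, remote) pair to the tunnels that share it.

    A pair is reported when more than one protected tunnel uses it and not
    every member carries 'shared' on its tunnel protection command.
    """
    tunnels = tunnel_attributes(parse_interfaces(config))
    groups = defaultdict(list)
    for name, attrs in tunnels.items():
        groups[(attrs["source"], attrs["destination"])].append(name)
    return {
        pair: sorted(names)
        for pair, names in groups.items()
        if len(names) > 1 and not all(tunnels[n]["shared"] for n in names)
    }


if __name__ == "__main__":
    for (src, dst), names in find_sa_conflicts(SAMPLE_CONFIG).items():
        print(f"{src} -> {dst}: {', '.join(names)} contend for one SA pair; "
              "add 'shared' or give each tunnel its own source address")
```

Run against the sample, it flags Tunnel0 and Tunnel1 on the 192.0.2.1 -> 198.51.100.1 pair; appending 'shared' to both tunnel protection lines, or sourcing one tunnel from a different address, clears the report.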
