Thanks for the responses, very helpful. Sharing the IPSEC SA between the tunnels looked very appealing, but after a little digging, looks like it's not supported:
http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/share_ipsec_w_tun_protect.pdf

"Sharing IPsec is not desired and not supported for a Virtual Tunnel Interface (VTI). A VTI provides a routable interface type for terminating IPsec tunnels and a way to define protection between sites to form an overlay network."

I ended up sticking another address on the source interface at one end, and specifying the tunnel sources on that end by IP address instead of interface name. On the other end I use one address per tunnel destination. All seems well now.

Rationale for two tunnels is so the production tunnel/network can be shut independently of the management tunnel/network. There are two OSPF processes running, one for each network. Access lists control what traffic traverses each tunnel.

Thanks all.

On one side I have a few source addresses to play with. The other side has only one IP address available to use for the tunnel, unfortunately.

On Mon, Apr 2, 2012 at 7:37 PM, Matthew Melbourne <[email protected]> wrote:
> Are you able to add the 'shared' keyword on the 'tunnel protection
> ipsec profile VTI-PROFILE' command? In order to differentiate the tunnel
> interfaces, you may need a unique 'tunnel key' identifier. Alternatively,
> are you able to source the tunnels from different addresses? What is the
> rationale for using two tunnels between a pair of routers, given the
> destinations appear to land in the same routing instance?
>
> Cheers,
> Matt
>
> -----Original Message-----
> Message: 3
> Date: Mon, 2 Apr 2012 10:50:16 -0400
> From: Robert Johnson <[email protected]>
> To: [email protected]
> Subject: [c-nsp] Parallel VTIs
> Message-ID: <CAOq=Mmm=5g+seoqopwwryr09zh+nwy60akct_eipng7hmbn...@mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> I have a 2811 and a 3745 router at separate sites. I'd like to establish two
> IPSEC virtual tunnel interface links between the routers, in parallel. One
> tunnel will be used for production traffic, the other for a management
> network. Is there an accepted way of making this work? Configuring a second
> parallel tunnel seems to mix up the ISAKMP SAs between the two.
>
> router 1:
>
> crypto isakmp policy 10
>  encryption aes
>  authentication pre-share
>  group 2
> crypto isakmp key mykey address b.b.b.b
> !
> crypto ipsec transform-set VTI-SET esp-aes esp-sha-hmac
> !
> crypto ipsec profile VTI-PROFILE
>  set transform-set VTI-SET
> !
> interface Tunnel 0
>  description Management VTI to router2
>  ip address x.x.x.x m.m.m.m
>  ip ospf message-digest-key 10 md5 7 key
>  ip ospf mtu-ignore
>  tunnel source FastEthernet0/0
>  tunnel destination b.b.b.b
>  tunnel protection ipsec profile VTI-PROFILE
>  tunnel mode ipsec ipv4
> !
> interface Tunnel 1
>  description Production VTI to router2
>  bandwidth 25000
>  ip address y.y.y.y m.m.m.m
>  ip ospf message-digest-key 10 md5 7 key
>  ip ospf mtu-ignore
>  tunnel source FastEthernet0/0
>  tunnel destination b.b.b.b
>  tunnel protection ipsec profile VTI-PROFILE
>  tunnel mode ipsec ipv4
>  ip flow ingress
>  ip flow egress
>
> router 2:
>
> crypto isakmp policy 10
>  encr aes
>  authentication pre-share
>  group 2
> crypto isakmp key mykey address a.a.a.a
> !
> !
> crypto ipsec transform-set VTI-SET esp-aes esp-sha-hmac
> !
> crypto ipsec profile VTI-PROFILE
>  set transform-set VTI-SET
> !
> interface Tunnel0
>  description Management VTI to router1
>  bandwidth 25000
>  ip address z.z.z.z m.m.m.m
>  ip ospf message-digest-key 1 md5 7 key
>  ip ospf mtu-ignore
>  tunnel source FastEthernet0/1
>  tunnel destination a.a.a.a
>  tunnel mode ipsec ipv4
>  tunnel protection ipsec profile VTI-PROFILE
> !
> interface Tunnel1
>  description Production VTI to router1
>  bandwidth 25000
>  ip address t.t.t.t m.m.m.m
>  ip ospf message-digest-key 10 md5 7 key
>  ip ospf mtu-ignore
>  tunnel source FastEthernet0/1
>  tunnel destination a.a.a.a
>  tunnel mode ipsec ipv4
>  tunnel protection ipsec profile VTI-PROFILE
>
>

_______________________________________________
cisco-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
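The workaround described in the reply above (a second address on the source interface at one end, tunnel sources given by IP rather than interface name, one destination per tunnel at the other end), written out as an illustrative IOS configuration. This is an added example and not the poster's actual config: the addresses a.a.a.1 and a.a.a.2 on router 1, b.b.b.1 on router 2, the tunnel and OSPF process numbers, and the access-list names and contents are all assumptions. The point it shows is that each VTI ends up with its own unique (source, destination) address pair, so each tunnel negotiates its own ISAKMP and IPsec SAs instead of the two VTIs contending for one set, which is what the unsupported "shared" arrangement would have required.

```cisco
! ===== router 1: the side with spare addresses =====
! Put a secondary address on the WAN interface so each tunnel can use a distinct source.
interface FastEthernet0/0
 ip address a.a.a.1 255.255.255.0
 ip address a.a.a.2 255.255.255.0 secondary
!
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2
! Only one peer address on this side, since router 2 has a single usable IP.
crypto isakmp key mykey address b.b.b.1
!
crypto ipsec transform-set VTI-SET esp-aes esp-sha-hmac
!
crypto ipsec profile VTI-PROFILE
 set transform-set VTI-SET
!
! Hypothetical ACLs: restrict what each overlay may carry.
ip access-list extended MGMT-IN
 permit ip 10.99.0.0 0.0.255.255 10.99.0.0 0.0.255.255
ip access-list extended PROD-IN
 permit ip 10.0.0.0 0.0.255.255 10.0.0.0 0.0.255.255
!
! Management VTI: source given as an IP address, not as FastEthernet0/0.
interface Tunnel0
 description Management VTI to router2
 ip address x.x.x.x m.m.m.m
 ip access-group MGMT-IN in
 ip ospf mtu-ignore
 tunnel source a.a.a.1
 tunnel destination b.b.b.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE
!
! Production VTI: sourced from the secondary address, so (a.a.a.2, b.b.b.1) is a pair
! no other tunnel uses. "shutdown" here takes down only the production overlay.
interface Tunnel1
 description Production VTI to router2
 bandwidth 25000
 ip address y.y.y.y m.m.m.m
 ip access-group PROD-IN in
 ip ospf mtu-ignore
 tunnel source a.a.a.2
 tunnel destination b.b.b.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE
!
! One OSPF process per network, as in the reply, so the two overlays are independent.
router ospf 1
 network x.x.x.x 0.0.0.0 area 0
router ospf 2
 network y.y.y.y 0.0.0.0 area 0

! ===== router 2: only b.b.b.1 is available =====
! Both tunnels share the same source, but each points at a different router 1 address,
! so the (source, destination) pairs are still distinct. A key is needed per peer address.
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2
crypto isakmp key mykey address a.a.a.1
crypto isakmp key mykey address a.a.a.2
!
crypto ipsec transform-set VTI-SET esp-aes esp-sha-hmac
!
crypto ipsec profile VTI-PROFILE
 set transform-set VTI-SET
!
interface Tunnel0
 description Management VTI to router1
 ip address z.z.z.z m.m.m.m
 ip ospf mtu-ignore
 tunnel source FastEthernet0/1
 tunnel destination a.a.a.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE
!
interface Tunnel1
 description Production VTI to router1
 bandwidth 25000
 ip address t.t.t.t m.m.m.m
 ip ospf mtu-ignore
 tunnel source FastEthernet0/1
 tunnel destination a.a.a.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE
```

Two checks worth doing once this is in place: `show crypto isakmp sa` should list two separate IKE SAs with different peer addresses (b.b.b.1 paired with a.a.a.1 and with a.a.a.2 as seen from router 2), and `show crypto ipsec sa` should show an independent set of inbound/outbound ESP SPIs per tunnel interface. If the output still shows one IKE SA serving both Tunnel0 and Tunnel1, a tunnel is still being sourced from the interface name rather than the intended address. Note also that the same pre-shared key is used for both peer addresses here purely for brevity; nothing prevents using a different key per tunnel on router 2 since each `crypto isakmp key` entry is bound to its own peer address.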
