[c-nsp] Parallel VTIs
Robert Johnson
fasterfourier at gmail.com
Mon Apr 2 10:50:16 EDT 2012
I have a 2811 and a 3745 router at separate sites. I'd like to
establish two IPSEC virtual tunnel interface links between the
routers, in parallel. One tunnel will be used for production traffic,
the other for a management network. Is there an accepted way of making
this work? Configuring a second parallel tunnel seems to mix up the
ISAKMP SAs between the two.

router 1:
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2
crypto isakmp key mykey address b.b.b.b
!
crypto ipsec transform-set VTI-SET esp-aes esp-sha-hmac
!
crypto ipsec profile VTI-PROFILE
 set transform-set VTI-SET
!
interface Tunnel 0
 description Management VTI to router2
 ip address x.x.x.x m.m.m.m
 ip ospf message-digest-key 10 md5 7 key
 ip ospf mtu-ignore
 tunnel source FastEthernet0/0
 tunnel destination b.b.b.b
 tunnel protection ipsec profile VTI-PROFILE
 tunnel mode ipsec ipv4
!
interface Tunnel 1
 description Production VTI to router2
 bandwidth 25000
 ip address y.y.y.y m.m.m.m
 ip ospf message-digest-key 10 md5 7 key
 ip ospf mtu-ignore
 tunnel source FastEthernet0/0
 tunnel destination b.b.b.b
 tunnel protection ipsec profile VTI-PROFILE
 tunnel mode ipsec ipv4
 ip flow ingress
 ip flow egress

router 2:
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key mykey address a.a.a.a
!
!
crypto ipsec transform-set VTI-SET esp-aes esp-sha-hmac
!
crypto ipsec profile VTI-PROFILE
 set transform-set VTI-SET
!
interface Tunnel0
 description Management VTI to router1
 bandwidth 25000
 ip address z.z.z.z m.m.m.m
 ip ospf message-digest-key 1 md5 7 key
 ip ospf mtu-ignore
 tunnel source FastEthernet0/1
 tunnel destination a.a.a.a
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE
!
interface Tunnel1
 description Production VTI to router1
 bandwidth 25000
 ip address t.t.t.t m.m.m.m
 ip ospf message-digest-key 10 md5 7 key
 ip ospf mtu-ignore
 tunnel source FastEthernet0/1
 tunnel destination a.a.a.a
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE
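
A check for the layout described in this message, added here as an example and not part of the original post: it parses IOS-style configuration text and reports IPsec-mode tunnel interfaces with tunnel protection that share the same tunnel source and destination. The function names are this example's own, and the sample text is constructed from the router 1 tunnel stanzas above with the post's placeholder addresses.

```python
import re
from collections import defaultdict

# Constructed sample: the two tunnel stanzas from router 1 in the post,
# trimmed to the tunnel sub-commands; addresses are the post's placeholders.
SAMPLE_CONFIG = """\
interface Tunnel 0
 description Management VTI to router2
 tunnel source FastEthernet0/0
 tunnel destination b.b.b.b
 tunnel protection ipsec profile VTI-PROFILE
 tunnel mode ipsec ipv4
!
interface Tunnel 1
 description Production VTI to router2
 tunnel source FastEthernet0/0
 tunnel destination b.b.b.b
 tunnel protection ipsec profile VTI-PROFILE
 tunnel mode ipsec ipv4
"""

def parse_tunnels(config):
    """Return {"TunnelN": {tunnel sub-command: value}} for each tunnel interface."""
    tunnels, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.lower().startswith("interface "):
            # Accept both "interface Tunnel 0" and "interface Tunnel0".
            m = re.match(r"interface\s+tunnel\s*(\d+)$", line, re.I)
            current = tunnels.setdefault("Tunnel" + m.group(1), {}) if m else None
        elif line == "!":
            current = None  # "!" closes the interface stanza
        elif current is not None:
            m = re.match(r"tunnel\s+(source|destination|mode|protection)\s+(.+)$", line, re.I)
            if m:
                current[m.group(1).lower()] = m.group(2).strip()
    return tunnels

def shared_endpoint_tunnels(config):
    """Return {(source, destination): [names]} for protected IPsec-mode tunnels sharing both."""
    groups = defaultdict(list)
    for name, t in parse_tunnels(config).items():
        if t.get("mode", "").startswith("ipsec") and "protection" in t:
            groups[(t.get("source"), t.get("destination"))].append(name)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}

if __name__ == "__main__":
    print(shared_endpoint_tunnels(SAMPLE_CONFIG))
```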