[c-nsp] Parallel VTIs

Peter Rathlev peter at rathlev.dk
Mon Apr 2 14:45:09 EDT 2012


On Mon, 2012-04-02 at 10:50 -0400, Robert Johnson wrote:
> I have a 2811 and a 3745 router at separate sites. I'd like to
> establish two IPSEC virtual tunnel interface links between the
> routers, in parallel. One tunnel will be used for production traffic,
> the other for a management network. Is there an accepted way of making
> this work? Configuring a second parallel tunnel seems to mix up the
> ISAKMP SAs between the two.

Had the same problem some time ago. We solved it by running one tunnel
inside the other, with the inner tunnel being regular GRE. Two different
tunnels using the same source and destination pair would AFAIK need
keying to work together. And I couldn't get keying to work correctly
with VTI.

Performance with tunnel-in-tunnel is terrible and MTU is even lower yet,
but since this was for a roaming 3G connection it was not a problem.

You could take a look at "tunnel protection ipsec profile <X> shared". I
haven't looked at it myself, but 15.1T and 15.2 should support it.

-- 
Peter
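
[Added example, not part of Peter's message or the original thread: an IOS
configuration sketch of the tunnel-in-tunnel layout he describes, for one
side only. A single IPsec VTI (Tunnel0) carries production traffic directly,
and a plain GRE tunnel (Tunnel1) sourced from Tunnel0 and addressed to the
peer's Tunnel0 address carries the management network inside the same IPsec
SA pair, so only one ISAKMP/IPsec SA set ever exists between the two
routers. Interface names, the 198.51.100.0/24 and 10.0.0.0/30 addressing,
the profile and transform-set names, the crypto parameters and the MTU
values are all assumptions chosen for illustration; the peer mirrors the
configuration with the addresses swapped.]

```cisco
! --- Added example (assumed values), site A of a 2811 <-> 3745 pair ---
! Phase 1 / Phase 2 parameters are assumptions; pick what both platforms support.
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key EXAMPLE-PSK-REPLACE-ME address 198.51.100.2
!
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto ipsec profile VTI-PROF
 set transform-set TS-AES256
!
! Outer tunnel: the only IPsec VTI between the two routers.
! Production traffic is routed straight over this interface.
interface Tunnel0
 description PRODUCTION - IPsec sVTI to site B
 ip address 10.0.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
!
! Inner tunnel: regular GRE whose endpoints are the Tunnel0 addresses,
! so its packets are encapsulated and encrypted by Tunnel0. No second
! SA is negotiated; the peer is 10.0.0.2, not 198.51.100.2.
interface Tunnel1
 description MANAGEMENT - GRE carried inside Tunnel0
 ip address 10.0.1.1 255.255.255.252
 ip mtu 1376
 ip tcp adjust-mss 1336
 tunnel source Tunnel0
 tunnel destination 10.0.0.2
!
! Keep the two networks on their own interfaces so the management side can
! be filtered independently (ACL names and prefixes are placeholders).
ip route 192.0.2.0 255.255.255.0 Tunnel0
ip route 203.0.113.0 255.255.255.0 Tunnel1
```

Checks a practitioner would run after bringing both sides up: "show crypto
isakmp sa" and "show crypto ipsec sa" should list exactly one ISAKMP SA and
one ESP SA pair toward 198.51.100.2, and "show interface Tunnel1" should show
line protocol up once Tunnel0 is up and 10.0.0.2 is reachable. The MTU on
Tunnel1 must be lowered again for the extra GRE header (24 bytes with no
tunnel key), which is the "MTU is even lower yet" cost mentioned above; the
exact numbers depend on the transform set and the underlying link and are
assumptions here.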