[c-nsp] Parallel VTIs
Matthew Melbourne
matt at melbourne.org.uk
Mon Apr 2 19:37:14 EDT 2012
Are you able to add the 'shared' keyword on the 'tunnel protection
ipsec profile VTI-PROFILE' command? In order to differentiate the tunnel
interfaces, you may need a unique 'tunnel key' identifier. Alternatively,
are you able to source the tunnels from different addresses? What is the
rationale for using two tunnels between a pair of routers, given the
destinations appear to land in the same routing instance?
Cheers,
Matt
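One way to realise Matt's suggestion of sourcing the tunnels from different addresses, as an added example that is not from the thread or from either router's actual configuration: each VTI is sourced from its own loopback and keyed with a per-peer pre-shared key, so the two tunnels no longer share a source/destination pair and each gets its own ISAKMP and IPsec SAs. The loopback and peer addresses are constructed from the RFC 5737 documentation ranges, and the OSPF authentication lines from the original post are left out.

```text
! Router 1. Loopback and peer addresses are constructed (RFC 5737 ranges) for this
! example; each VTI gets its own source/destination pair so the two ISAKMP/IPsec
! peerings no longer collide. The loopbacks must be reachable across the underlay
! (static route or IGP) before either tunnel will come up.
interface Loopback0
 description Source for Management VTI
 ip address 192.0.2.1 255.255.255.255
!
interface Loopback1
 description Source for Production VTI
 ip address 192.0.2.2 255.255.255.255
!
! One pre-shared key per peer address instead of a single key for the whole peer
crypto isakmp key MGMT-PSK address 198.51.100.1
crypto isakmp key PROD-PSK address 198.51.100.2
!
interface Tunnel0
 description Management VTI to router2
 ip address x.x.x.x m.m.m.m
 ip ospf mtu-ignore
 tunnel source Loopback0
 tunnel destination 198.51.100.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE
!
interface Tunnel1
 description Production VTI to router2
 ip address y.y.y.y m.m.m.m
 ip ospf mtu-ignore
 tunnel source Loopback1
 tunnel destination 198.51.100.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE
!
! Router 2 mirrors this: Loopback0 198.51.100.1 and Loopback1 198.51.100.2 as
! tunnel sources, destinations 192.0.2.1 / 192.0.2.2, and the matching keys:
crypto isakmp key MGMT-PSK address 192.0.2.1
crypto isakmp key PROD-PSK address 192.0.2.2
```

Once both sides are configured, 'show crypto isakmp sa' should list two separate peerings (one per loopback pair) and 'show crypto ipsec sa' a distinct inbound/outbound SA pair for each tunnel interface.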
-----Original Message-----
Message: 3
Date: Mon, 2 Apr 2012 10:50:16 -0400
From: Robert Johnson <fasterfourier at gmail.com>
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Parallel VTIs
Message-ID: <CAOq=Mmm=5g+SeoQOPwWRyr09zh+NwY60akcT_EipnG7HmBNXuQ at mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
I have a 2811 and a 3745 router at separate sites. I'd like to establish two
IPSEC virtual tunnel interface links between the routers, in parallel. One
tunnel will be used for production traffic, the other for a management
network. Is there an accepted way of making this work? Configuring a second
parallel tunnel seems to mix up the ISAKMP SAs between the two.
router 1:
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2
crypto isakmp key mykey address b.b.b.b
!
crypto ipsec transform-set VTI-SET esp-aes esp-sha-hmac
!
crypto ipsec profile VTI-PROFILE
 set transform-set VTI-SET
!
interface Tunnel 0
 description Management VTI to router2
 ip address x.x.x.x m.m.m.m
 ip ospf message-digest-key 10 md5 7 key
 ip ospf mtu-ignore
 tunnel source FastEthernet0/0
 tunnel destination b.b.b.b
 tunnel protection ipsec profile VTI-PROFILE
 tunnel mode ipsec ipv4
!
interface Tunnel 1
 description Production VTI to router2
 bandwidth 25000
 ip address y.y.y.y m.m.m.m
 ip ospf message-digest-key 10 md5 7 key
 ip ospf mtu-ignore
 tunnel source FastEthernet0/0
 tunnel destination b.b.b.b
 tunnel protection ipsec profile VTI-PROFILE
 tunnel mode ipsec ipv4
 ip flow ingress
 ip flow egress
router 2:
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key mykey address a.a.a.a
!
crypto ipsec transform-set VTI-SET esp-aes esp-sha-hmac
!
crypto ipsec profile VTI-PROFILE
 set transform-set VTI-SET
!
interface Tunnel0
 description Management VTI to router1
 bandwidth 25000
 ip address z.z.z.z m.m.m.m
 ip ospf message-digest-key 1 md5 7 key
 ip ospf mtu-ignore
 tunnel source FastEthernet0/1
 tunnel destination a.a.a.a
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE
!
interface Tunnel1
 description Production VTI to router1
 bandwidth 25000
 ip address t.t.t.t m.m.m.m
 ip ospf message-digest-key 10 md5 7 key
 ip ospf mtu-ignore
 tunnel source FastEthernet0/1
 tunnel destination a.a.a.a
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE