[c-nsp] Parallel VTIs

Robert Johnson fasterfourier at gmail.com
Mon Apr 2 20:14:32 EDT 2012


Thanks for the responses, very helpful.

Sharing the IPSEC SA between the tunnels looked very appealing, but
after a little digging, it looks like it's not supported:

http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/share_ipsec_w_tun_protect.pdf

"Sharing IPsec is not desired and not supported for a Virtual Tunnel
Interface (VTI). A VTI provides a routable interface type for terminating
IPsec tunnels and a way to define protection between sites to form an
overlay network."

I ended up sticking another address on the source interface at one
end, and specifying the tunnel sources on that end by IP address
instead of interface name. On the other end I use one address per
tunnel destination. All seems well now.

Rationale for two tunnels is so the production tunnel/network can be
shut independently of the management tunnel/network. There are two
OSPF processes running, one for each network. Access lists control
what traffic traverses each tunnel.

Thanks all.

On one side I have a few source addresses to play with. The other side
has only one IP address available to use for the tunnel,
unfortunately.



On Mon, Apr 2, 2012 at 7:37 PM, Matthew Melbourne <matt at melbourne.org.uk> wrote:
> Are you able to add the 'shared' keyword on the 'tunnel protection
> ipsec profile VTI-PROFILE' command? In order to differentiate the tunnel
> interfaces, you may need a unique 'tunnel key' identifier. Alternatively,
> are you able to source the tunnels from different addresses? What is the
> rationale for using two tunnels between a pair of routers, given the
> destinations appear to land in the same routing instance?
>
> Cheers,
> Matt
>
> -----Original Message-----
> Message: 3
> Date: Mon, 2 Apr 2012 10:50:16 -0400
> From: Robert Johnson <fasterfourier at gmail.com>
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Parallel VTIs
> Message-ID:
>        <CAOq=Mmm=5g+SeoQOPwWRyr09zh+NwY60akcT_EipnG7HmBNXuQ at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> I have a 2811 and a 3745 router at separate sites. I'd like to establish two
> IPSEC virtual tunnel interface links between the routers, in parallel. One
> tunnel will be used for production traffic, the other for a management
> network. Is there an accepted way of making this work? Configuring a second
> parallel tunnel seems to mix up the ISAKMP SAs between the two.
>
> router 1:
>
> crypto isakmp policy 10
>  encryption aes
>  authentication pre-share
>  group 2
> crypto isakmp key mykey address b.b.b.b
> !
> crypto ipsec transform-set VTI-SET esp-aes esp-sha-hmac
> !
> crypto ipsec profile VTI-PROFILE
>  set transform-set VTI-SET
> !
> interface Tunnel 0
>  description Management VTI to router2
>  ip address x.x.x.x m.m.m.m
>  ip ospf message-digest-key 10 md5 7 key
>  ip ospf mtu-ignore
>  tunnel source FastEthernet0/0
>  tunnel destination b.b.b.b
>  tunnel protection ipsec profile VTI-PROFILE
>  tunnel mode ipsec ipv4
> !
> interface Tunnel 1
>  description Production VTI to router2
>  bandwidth 25000
>  ip address y.y.y.y m.m.m.m
>  ip ospf message-digest-key 10 md5 7 key
>  ip ospf mtu-ignore
>  tunnel source FastEthernet0/0
>  tunnel destination b.b.b.b
>  tunnel protection ipsec profile VTI-PROFILE
>  tunnel mode ipsec ipv4
>  ip flow ingress
>  ip flow egress
>
> router 2:
>
> crypto isakmp policy 10
>  encr aes
>  authentication pre-share
>  group 2
> crypto isakmp key mykey address a.a.a.a
> !
> !
> crypto ipsec transform-set VTI-SET esp-aes esp-sha-hmac
> !
> crypto ipsec profile VTI-PROFILE
>  set transform-set VTI-SET
> !
> interface Tunnel0
>  description Management VTI to router1
>  bandwidth 25000
>  ip address z.z.z.z m.m.m.m
>  ip ospf message-digest-key 1 md5 7 key
>  ip ospf mtu-ignore
>  tunnel source FastEthernet0/1
>  tunnel destination a.a.a.a
>  tunnel mode ipsec ipv4
>  tunnel protection ipsec profile VTI-PROFILE
> !
> interface Tunnel1
>  description Production VTI to router1
>  bandwidth 25000
>  ip address t.t.t.t m.m.m.m
>  ip ospf message-digest-key 10 md5 7 key
>  ip ospf mtu-ignore
>  tunnel source FastEthernet0/1
>  tunnel destination a.a.a.a
>  tunnel mode ipsec ipv4
>  tunnel protection ipsec profile VTI-PROFILE
>
>
>
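For reference, the workaround Robert describes (a second address on router 1's source interface, tunnel sources given by address, one destination per tunnel on router 2) looks like this in IOS. This is an added illustration, not config from the thread; a2.a2.a2.a2 is an assumed placeholder for the extra router 1 address, all other placeholders follow the original post, and unchanged lines (OSPF, bandwidth, flow) are omitted.

```cisco
! router 1 (the end with spare addresses): one source address per tunnel.
! a2.a2.a2.a2 is an assumed placeholder for the added secondary address.
interface FastEthernet0/0
 ip address a.a.a.a m.m.m.m
 ip address a2.a2.a2.a2 m.m.m.m secondary
!
interface Tunnel0
 description Management VTI to router2
 ip address x.x.x.x m.m.m.m
 tunnel source a.a.a.a
 tunnel destination b.b.b.b
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE
!
interface Tunnel1
 description Production VTI to router2
 ip address y.y.y.y m.m.m.m
 tunnel source a2.a2.a2.a2
 tunnel destination b.b.b.b
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE
!
! router 2 (single address): same source, a different destination per tunnel.
! Each (source, destination) pair is now unique, so the two tunnels negotiate
! separate ISAKMP and IPsec SAs instead of colliding on one pair of peers.
! The pre-shared key is matched by peer address, so router 2 needs an entry
! for each address router 1 now sources from.
crypto isakmp key mykey address a.a.a.a
crypto isakmp key mykey address a2.a2.a2.a2
!
interface Tunnel0
 description Management VTI to router1
 ip address z.z.z.z m.m.m.m
 tunnel source FastEthernet0/1
 tunnel destination a.a.a.a
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE
!
interface Tunnel1
 description Production VTI to router1
 ip address t.t.t.t m.m.m.m
 tunnel source FastEthernet0/1
 tunnel destination a2.a2.a2.a2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE
!
! Verify on either router: each tunnel should show its own IKE SA and
! its own IPsec SA pair, with counters incrementing on both.
! show crypto isakmp sa
! show crypto ipsec sa
```

If the key entries for both router 1 addresses are missing on router 2, the second tunnel will fail Phase 1 authentication even though the source/destination pairs are now distinct.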