passing all traffic through VPN tunnel

[Image: lan-lan.jpg]

Part of the config of the Cisco router in office 2:

interface Tunnel1
 description "Internet Tunnel"
 bandwidth 1000
 ip address 172.30.2.226 255.255.255.0
 ip mtu 1400
 ip nhrp authentication XXX
 ip nhrp map 172.30.2.200 public IP address office 3
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip nhrp nhs 172.30.2.200
 ip tcp adjust-mss 1300
 delay 1000
 tunnel source GigabitEthernet9
 tunnel destination public IP address office 3
 tunnel key 100000
 tunnel protection ipsec xxxxxxxx
!
interface GigabitEthernet9
 description "To Internet "
 ip address public IP address office 2
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no cdp enable
!
interface GigabitEthernet4
 switchport access vlan 20
 no ip address
!
interface Vlan20
 description "Users Vlan"
 ip address 192.168.226.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
router eigrp 100
 network 1
 network 2
 network 172.30.2.0 0.0.0.255
 network 192.168.226.0
 passive-interface Vlan20
!
ip nat inside source list 100 interface GigabitEthernet9 overload
ip route 0.0.0.0 0.0.0.0 public IP address office 2

Part of the config of the Cisco router in office 3:

interface Tunnel1
 description "Internet Tunnel"
 bandwidth 15000
 ip address 172.30.2.200 255.255.255.0
 no ip redirects
 ip mtu 1400
 no ip split-horizon eigrp 100
 ip nhrp authentication xxx
 ip nhrp map multicast dynamic
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip tcp adjust-mss 1300
 delay 1000
 tunnel source GigabitEthernet0/0/0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec xxxx
!
interface GigabitEthernet0/0/0
 encapsulation dot1Q
 ip address public IP address office 3

I would like to ask if it is possible, and if so, how to change the configuration of the two Cisco routers in office 2 and 3 so that all traffic from office 2 to the internet goes through the tunnel. I would like office 2 users to go online through the Cisco ASA in office 3.

At present, only traffic to private networks passes through the tunnel.

 

 

Accepted Solution

The solution to the problem was so easy :)))

config

ip route public addresses on cisco HUBS in office 3 /30 IP address gateway ISP office 2
ip route 0.0.0.0 0.0.0.0 172.30.2.200 (ip address tunnel on HUB 1)
ip route 0.0.0.0 0.0.0.0 172.30.4.200 5 (ip address tunnel on HUB 2)

The first route is only there to make the VPN tunnels between office 2 and office 3 work.

The second and third routes pass internet traffic through the tunnels and after that through the Cisco ASA.


21 Replies

Deepak Kumar
VIP Alumni

Hi,

As you are using a DMVPN solution with EIGRP, my guidance is as follows:

Option 1: with a VRF solution (I feel comfortable with this option)

1. Configure a different VRF for the WAN interface on Office 1 and 2 so the default route will not mesh with your global routing.

2. The Office 1 router must advertise a default route using the EIGRP routing protocol.

Here is an example configuration:

 

ip vrf WAN
rd 1:0
!
interface Tunnel1
description "Internet Tunnel"
bandwidth 1000
ip address 172.30.2.226 255.255.255.0
ip mtu 1400
ip nhrp authentication XXX
ip nhrp map 172.30.2.200 public IP address office 3
ip nhrp network-id 100000
ip nhrp holdtime 360
ip nhrp nhs 172.30.2.200
ip tcp adjust-mss 1300
delay 1000
tunnel vrf WAN
!
!
interface GigabitEthernet9
description "To Internet "
ip vrf forwarding WAN
ip address public IP address office 2
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
!
!
ip route vrf WAN 0.0.0.0 0.0.0.0 public IP address office 2
!
!
router eigrp 100
network 172.30.2.0 0.0.0.255
network 192.168.226.0
passive-interface Vlan20

 

Option 2: Using PBR (easy to configure)

 

access-list 100 permit ip 192.168.226.0 0.0.0.255 any
!
route-map Vlan20_to_HQ
match ip address 100
set ip next-hop 172.30.2.X <Tunnel Interface IP of the HUB Router>
!
interface Vlan20
ip policy route-map Vlan20_to_HQ

 

 

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!
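Added example (Python, not code from this thread or from Cisco): a small model of the route selection behind the accepted solution above and the two options in this reply, the VRF design (Option 1) and PBR (Option 2). It assumes constructed TEST-NET placeholders for the addresses the thread redacts (hub public IPs 198.51.100.10 and 198.51.100.20, ISP gateway 203.0.113.1, an internet host 192.0.2.1) and reuses the thread's hub tunnel addresses 172.30.2.200 and 172.30.4.200 and the original poster's later interface names Tunnel2, Tunnel3 and Vlan200. It shows why the accepted solution needs the /30 routes to the hubs: once the default route points into a tunnel, the tunnel's own destination would otherwise resolve through that same tunnel (recursive routing), so the tunnel cannot come up; the floating default with AD 5 only takes over when Tunnel2 is gone; and the VRF design sidesteps the recursion by resolving the tunnel destination in the WAN table, where no tunnel route exists.

```python
"""Route-selection model for the designs discussed in this thread (added example, not the thread's or Cisco's code)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str        # egress interface
    next_hop: str = ""    # next-hop address; empty for connected routes
    distance: int = 1     # administrative distance: 0 connected, 1 static, 5 floating static, 90 EIGRP


class Rib:
    """One routing table per VRF name; "global" is the default table."""

    def __init__(self):
        self.tables = {}  # vrf name -> list of Route
        self.up = set()   # interfaces that are currently up

    def add(self, vrf, prefix, interface, next_hop="", distance=1):
        self.tables.setdefault(vrf, []).append(
            Route(ipaddress.ip_network(prefix), interface, next_hop, distance))

    def lookup(self, vrf, dst):
        """Longest prefix match over usable routes; equal prefixes are decided by lowest AD."""
        dst = ipaddress.ip_address(dst)
        usable = [r for r in self.tables.get(vrf, []) if r.interface in self.up and dst in r.prefix]
        if not usable:
            return None
        return min(usable, key=lambda r: (-r.prefix.prefixlen, r.distance))


def bring_up_tunnels(rib, tunnels, transport_vrf="global"):
    """Linestate check: a tunnel's destination must resolve in its transport table (global, or the
    table named by 'tunnel vrf') through a non-tunnel interface, or the tunnel is recursive and stays down."""
    states = {}
    for name, destination in tunnels.items():
        rib.up.add(name)  # assume it comes up, then check what that implies for its own destination
        route = rib.lookup(transport_vrf, destination)
        if route is None or route.interface.startswith("Tunnel"):
            states[name] = "down (no route)" if route is None else "down (recursive via %s)" % route.interface
            rib.up.discard(name)
        else:
            states[name] = "up via %s" % route.interface
    return states


# Constructed placeholders (TEST-NET ranges) for the addresses the thread redacts.
HUB1_PUBLIC = "198.51.100.10"  # "public ip -1 address office 3"
HUB2_PUBLIC = "198.51.100.20"  # "public ip -2 address office 3"
ISP_GW = "203.0.113.1"         # "gateway ISP office 2"; the spoke's WAN subnet is 203.0.113.0/30
INTERNET_HOST = "192.0.2.1"    # an arbitrary internet destination
TUNNELS = {"Tunnel2": HUB1_PUBLIC, "Tunnel3": HUB2_PUBLIC}


def spoke(wan_vrf="global"):
    """Connected routes every variant shares; the WAN subnet goes into whichever table Gi9 belongs to."""
    rib = Rib()
    rib.up = {"GigabitEthernet9", "Vlan200"}
    rib.add(wan_vrf, "203.0.113.0/30", "GigabitEthernet9", distance=0)
    rib.add("global", "192.168.226.0/24", "Vlan200", distance=0)
    rib.add("global", "172.30.2.0/24", "Tunnel2", distance=0)
    rib.add("global", "172.30.4.0/24", "Tunnel3", distance=0)
    return rib


def build_original():
    """Starting point: default straight out Gi9, private prefixes learned from the hub over EIGRP."""
    rib = spoke()
    rib.add("global", "10.0.0.0/8", "Tunnel2", "172.30.2.200", distance=90)
    rib.add("global", "0.0.0.0/0", "GigabitEthernet9", ISP_GW)
    return rib


def build_accepted_solution(with_hub_routes=True):
    """Accepted solution: /30 routes to the hubs via the ISP, default via Tunnel2, floating (AD 5) default via Tunnel3."""
    rib = spoke()
    if with_hub_routes:
        rib.add("global", "198.51.100.8/30", "GigabitEthernet9", ISP_GW)
        rib.add("global", "198.51.100.20/30", "GigabitEthernet9", ISP_GW)
    rib.add("global", "0.0.0.0/0", "Tunnel2", "172.30.2.200", distance=1)
    rib.add("global", "0.0.0.0/0", "Tunnel3", "172.30.4.200", distance=5)
    return rib


def build_vrf_design():
    """Option 1: Gi9 and the tunnel transport live in VRF WAN; the global table only sees the LAN,
    the tunnel and a default advertised by the hub over EIGRP."""
    rib = spoke(wan_vrf="WAN")
    rib.add("WAN", "0.0.0.0/0", "GigabitEthernet9", ISP_GW)
    rib.add("global", "0.0.0.0/0", "Tunnel2", "172.30.2.200", distance=90)
    return rib


def policy_route(rib, src, dst, lan="192.168.226.0/24", next_hop="172.30.2.200"):
    """Option 2: PBR on the LAN interface is consulted before the routing table for matching sources."""
    if ipaddress.ip_address(src) in ipaddress.ip_network(lan):
        return rib.lookup("global", next_hop)
    return rib.lookup("global", dst)


if __name__ == "__main__":
    rib = build_accepted_solution()
    print(bring_up_tunnels(rib, TUNNELS), "internet via", rib.lookup("global", INTERNET_HOST).interface)
    print(bring_up_tunnels(build_accepted_solution(with_hub_routes=False), TUNNELS))
```

Running the block prints the tunnel states for the accepted solution with and without the hub /30 routes. The model deliberately keeps the IOS semantics that matter here: a route is only usable while its egress interface is up, so a tunnel's linestate and the default route that points into it depend on each other, which is exactly the loop the /30 routes (or a separate transport VRF) break.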

Hi

I made this configuration which you recommended to me:

 

ip vrf WAN
rd 1:0
!
interface Tunnel1
description "Internet Tunnel"
bandwidth 1000
ip address 172.30.2.226 255.255.255.0
ip mtu 1400
ip nhrp authentication XXX
ip nhrp map 172.30.2.200 public IP address office 3
ip nhrp network-id 100000
ip nhrp holdtime 360
ip nhrp nhs 172.30.2.200
ip tcp adjust-mss 1300
delay 1000
tunnel source GigabitEthernet9
tunnel destination public IP address office 3
tunnel vrf WAN
!
!
interface GigabitEthernet9
description "To Internet "
ip vrf forwarding WAN
ip address public IP address office 2
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
!
!
ip route vrf WAN 0.0.0.0 0.0.0.0 public IP address office 2

 

After this, the tunnel is down.

show inter.. tunnel > tunnel is up, line is down

I deleted the changes I made and tried shutting down the tunnel and interface G9, but the connection was not established.

I had to reload the Cisco to get a connection through the tunnel.

 

 

Hi,

Share some output such as:

show ip route vrf WAN

ping vrf WAN <Office 1 WAN IP>

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

Cisco_R892#show ip route vrf WAN

Routing Table: WAN
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is not set

Cisco_R892#ping vrf WAN 10.141.68.1
% VRF WAN does not have a usable source address

Cisco_R892#show ip vrf brief
  Name                             Default RD            Interfaces
  WAN                              1:0                   Gi9

Cisco_R892#show ip vrf detail
VRF WAN (VRF Id = 1); default RD 1:0; default VPNID <not set>
  Old CLI format, supports IPv4 only
  Flags: 0xC
  Interfaces:
    Gi9
Address family ipv4 unicast (Table ID = 0x1):
  Flags: 0x0
  No Export VPN route-target communities
  No Import VPN route-target communities
  No import route-map
  No global export route-map
  No export route-map
  VRF label distribution protocol: not configured
  VRF label allocation mode: per-prefix

Cisco_R892#show interfaces tunnel 2
Tunnel2 is up, line protocol is down
  Hardware is Tunnel
  Description: "Internet Tunnel"
  Internet address is 172.30.2.226/24
  MTU 17912 bytes, BW 1000 Kbit/sec, DLY 10000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel linestate evaluation down - no output interface
  Tunnel source UNKNOWN (GigabitEthernet9), destination public IP address office 3
   Tunnel Subblocks:
      src-track:
         Tunnel2 source tracking subblock associated with GigabitEthernet9
          Set of tunnels with source GigabitEthernet9, 2 members (includes iterators), on interface <OK>
  Tunnel protocol/transport GRE/IP
    Key 0x186A0, sequencing disabled
    Checksumming of packets disabled
  Tunnel TTL 255, Fast tunneling enabled
  Tunnel transport MTU 1472 bytes
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Tunnel protection via IPSec (profile "CiscoCP_Profile1")
  Last input 00:08:20, output never, output hang never
  Last clearing of "show interface" counters 02:05:39
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 2
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     7189 packets input, 1617945 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     6353 packets output, 1274853 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out

I set public_address office 2 on G9.

Now the command shows:

Cisco_R892#show ip route vrf WAN

Routing Table: WAN
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is Gateway public_address office 2 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via Gateway public_address office 2
78.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C public LAN/29 is directly connected, GigabitEthernet9
L public_address_cisco/32 is directly connected, GigabitEthernet9

Hi,
That's good news. Now you have a route under the WAN VRF; what is the status now?
Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

I don't know now!!!

The router has no access to anywhere, neither to the internet nor to the private networks in office 3.

I think that the tunnel or EIGRP is not working.

Maybe some other configuration is needed?

 

Hi,

As we are modifying the complete WAN and LAN routing, you must have console access. As our LAN and WAN interfaces are in different VRFs, NATing will not happen because there is no route leak.

Remove the command "ip nat outside" from the WAN interface.

First, you must check whether the tunnel interface is in the up/up state or not.

 

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

I removed "ip nat outside" from the WAN interface - nothing has changed,

and removed "ip nat inside" from G9 - nothing has changed.

There is no ping to the private networks or the internet.

Cisco_R892#show ip interface tunnel 2
Tunnel2 is up, line protocol is down
Internet address is 172.30.2.226/24
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1400 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Multicast reserved groups joined: 224.0.0.10
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP Flow switching is disabled
IP CEF switching is enabled
IP CEF switching turbo vector
IP Null turbo vector
Tunnel VPN Routing/Forwarding "WAN"
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast, CEF
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Policy routing is disabled
Network address translation is disabled
BGP Policy Mapping is disabled
Input features: MCI Check, TCP Adjust MSS
Output features: TCP Adjust MSS
Post encapsulation features: IPSEC Post-encap output classification
IPv4 WCCP Redirect outbound is disabled
IPv4 WCCP Redirect inbound is disabled
IPv4 WCCP Redirect exclude is disabled

 

This is the configuration now:

Cisco_R892#show run
Building configuration...
!
vrf list WAN
!
ip vrf WAN
 rd 1:0
!
ip cef
no ipv6 cef
!
no cdp run
!
interface Tunnel2
 description "Internet Tunnel"
 bandwidth 1000
 ip address 172.30.2.226 255.255.255.0
 ip mtu 1400
 ip nhrp authentication DMVPN_xx
 ip nhrp map 172.30.2.200 public IP address office 3
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip nhrp nhs 172.30.2.200
 ip tcp adjust-mss 1300
 delay 1000
 tunnel source GigabitEthernet9
 tunnel destination public IP address office 3
 tunnel key 100000
 tunnel vrf WAN
 tunnel protection ipsec xxxxx
!
no cdp enable
!
!
interface GigabitEthernet9
 description "To Internet"
 ip vrf forwarding WAN
 ip address public IP address office 2
 ip virtual-reassembly in
 duplex auto
 speed auto
 no cdp enable
!
interface Vlan200
 description "Inside interface"
 ip address 192.168.226.1 255.255.255.0
 ip virtual-reassembly in
!
!
router eigrp 100
 network lan 1
 network lan 2
 network 192.168.226.0
 passive-interface Vlan200
!
!
!
ip tftp source-interface Vlan200
ip nat inside source list 100 interface GigabitEthernet9 overload
!
ip route vrf WAN 0.0.0.0 0.0.0.0 gateway ISP office 2
!
!
end

 

Hi,

As I see it, tunnel protection is enabled, but you didn't share that information. In the profile, we use the keyring and also need to specify the identity of our peers and set the VRF used to reach them.

As an example:

crypto isakmp profile ISAKMP_PROF
   keyring KEYRING
   match identity address 0.0.0.0 0.0.0.0 WAN

Can you check your configuration?

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

Hi

I made the changes; now I have these values:

crypto isakmp profile XXXXXX
   keyring default
   match identity address 0.0.0.0 WAN

 

 

Cisco_R892#show interfaces tunnel 2
Tunnel2 is up, line protocol is down
  Hardware is Tunnel
  Description: "Internet Tunnel"
  Internet address is 172.30.2.226/24
  MTU 17912 bytes, BW 1000 Kbit/sec, DLY 10000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel linestate evaluation down - linestate protection reg down
  Tunnel source public IP office 2 (GigabitEthernet9), destination public IP office 3
   Tunnel Subblocks:
      src-track:
         Tunnel2 source tracking subblock associated with GigabitEthernet9
          Set of tunnels with source GigabitEthernet9, 2 members (includes iterators), on interface <OK>
  Tunnel protocol/transport GRE/IP
    Key 0x186A0, sequencing disabled
    Checksumming of packets disabled
  Tunnel TTL 255, Fast tunneling enabled
  Tunnel transport MTU 1472 bytes
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Tunnel protection via IPSec (profile " XXXXXX ")
  Last input 3d18h, output never, output hang never
  Last clearing of "show interface" counters 3d20h
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 2
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     7189 packets input, 1617945 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     6353 packets output, 1274853 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out

Hi,

Here is my complete LAB configuration:

ip vrf WAN
rd 1:0
!
crypto keyring KEYRING vrf WAN
pre-shared-key address 0.0.0.0 0.0.0.0 key CISCO
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
crypto isakmp profile ISAKMP_PROF
keyring KEYRING
match identity address 0.0.0.0 WAN
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
mode transport
!
crypto ipsec profile IPSEC_PROF
set transform-set TS
set isakmp-profile ISAKMP_PROF
!
!
interface Tunnel1
ip address 192.168.10.2 255.255.255.0
ip mtu 1400
ip nhrp authentication 1
ip nhrp network-id 1
ip nhrp holdtime 360
ip nhrp nhs 192.168.10.1
tunnel source FastEthernet0/0
tunnel destination 1.1.1.1
tunnel vrf WAN
tunnel protection ipsec profile IPSEC_PROF
!
interface FastEthernet0/0
description WAN Interface
ip vrf forwarding WAN
ip address 2.2.2.2 255.255.255.0
!
ip route vrf WAN 0.0.0.0 0.0.0.0 2.2.2.1
!

All changes are highlighted, and keep in mind that you have to change your configuration as per your HUB configuration (IP, policy, TSET, etc.).

 

 

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

Hi

After the last changes, the tunnels go UP. I have access to all private LANs (192.168.0.0, 10.10.0.0, 172.17.0.0), but I don't have internet access. This is my full running-config:

If I change

crypto ipsec transform-set ESP_SHA_AES256 esp-aes 256 esp-sha-hmac
 mode tunnel

to mode transport, the tunnels go down??

 

Cisco_R892#show run
Building configuration...

Current configuration : 10266 bytes
!
! Last configuration change at 13:46:55 EEST Tue Oct 15 2019 by test
!
version 15.5
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname Cisco_R892
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
logging buffered 51200 warnings
enable secret 4 tnhtc92DXBhelxjYk8LWJrPV36S2i4ntXrpb4RFmfqY
!
no aaa new-model
ethernet lmi ce
clock timezone EET 2 0
clock summer-time EEST recurring last Sun Mar 3:00 last Sun Oct 4:00
!
crypto pki trustpoint TP-self-signed-3548181929
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3548181929
 revocation-check none
 rsakeypair TP-self-signed-3548181929
!
!
crypto pki certificate chain TP-self-signed-3548181929
 certificate self-signed 01
  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
xxxxxx
        quit
!
ip vrf WAN
 rd 1:0
!
ip dhcp excluded-address 192.168.226.1 192.168.226.50
ip dhcp excluded-address 192.168.226.200 192.168.226.254
ip dhcp excluded-address 10.10.226.1 10.10.226.10
!
ip dhcp pool locallan
 network 192.168.226.0 255.255.255.0
 default-router 192.168.226.1
 dns-server 192.168.100.10 192.168.100.11
 option 242 ascii MCIPADD=10.10.100.10,TFTPSRVR=10.10.100.10,HTTPSRVR=10.10.100.10,TLSSRVR=10.10.100.10,SIP_CONTROLLER_LIST=10.10.100.10
 option 42 ip 192.168.100.10
!
ip dhcp pool Ip Voice phone
 network 10.10.226.0 255.255.255.0
 default-router 10.10.226.1
 option 242 ascii MCIPADD=10.10.100.10,TFTPSRVR=10.10.100.10,HTTPSRVR=10.10.100.10,HTTPSSRVR=10.10.100.10
 dns-server 192.168.100.10
 option 42 ip 10.10.100.10
!
!
no ip domain lookup
ip domain name xxxx.bg
ip inspect name INSPECT_TRAFFIC dns
ip inspect name INSPECT_TRAFFIC ftp
ip inspect name INSPECT_TRAFFIC h323
ip inspect name INSPECT_TRAFFIC https
ip inspect name INSPECT_TRAFFIC icmp
ip inspect name INSPECT_TRAFFIC imap
ip inspect name INSPECT_TRAFFIC pop3
ip inspect name INSPECT_TRAFFIC netshow
ip inspect name INSPECT_TRAFFIC rcmd
ip inspect name INSPECT_TRAFFIC realaudio
ip inspect name INSPECT_TRAFFIC rtsp
ip inspect name INSPECT_TRAFFIC esmtp
ip inspect name INSPECT_TRAFFIC sqlnet
ip inspect name INSPECT_TRAFFIC streamworks
ip inspect name INSPECT_TRAFFIC tftp
ip inspect name INSPECT_TRAFFIC tcp
ip inspect name INSPECT_TRAFFIC udp
ip inspect name INSPECT_TRAFFIC vdolive
ip inspect name INSPECT_TRAFFIC http
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
license udi pid C892FSP-K9 sn FCZ210411N0
no spanning-tree vlan 10
username xxx privilege 15 secret 5 $1$yc5I$gKRJZGO4KMfMY55Qkyt0
username xxx privilege 15 secret 5 $1$I22e$cNpyaIpmSLWOI2l9.8O.
username xxx privilege 15 secret 5 $1$HqT6$3mAl/xDadRRu1swSWGVS/
username test privilege 15 secret 5 $1$3DlJ$7DsxCZpORcq5pldWgEA.
!
!
no cdp run
!
!
crypto keyring KEYRING vrf WAN
  pre-shared-key address 0.0.0.0 0.0.0.0 key password
!
crypto isakmp policy 2
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key password address public ip -1 address office 3
crypto isakmp key password address public ip -2 address office 3
crypto isakmp keepalive 10 5
crypto isakmp profile ISAKMP_PROF
   keyring KEYRING
   match identity address 0.0.0.0 WAN
!
!
crypto ipsec transform-set ESP_SHA_AES256 esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto ipsec profile Cisco_pass
 set transform-set ESP_SHA_AES256
 set isakmp-profile ISAKMP_PROF
!
!
!
interface Tunnel2
 description "Internet  Tunnel"
 bandwidth 1000
 ip address 172.30.2.226 255.255.255.0
 ip mtu 1400
 ip nhrp authentication DMVPN_NW
 ip nhrp map 172.30.2.200 public ip -1 address office 3
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip nhrp nhs 172.30.2.200
 ip tcp adjust-mss 1300
 delay 1000
 tunnel source GigabitEthernet9
 tunnel destination public ip -1 address office 3
 tunnel key 100000
 tunnel vrf WAN
 tunnel protection ipsec profile Cisco_pass
!
interface Tunnel3
 description "Internet Tunnel"
 bandwidth 1000
 ip address 172.30.4.226 255.255.255.0
 ip mtu 1400
 ip nhrp authentication DMVPN_NW
 ip nhrp map 172.30.4.200 public ip -2 address office 3
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip nhrp nhs 172.30.4.200
 ip tcp adjust-mss 1300
 delay 1000
 tunnel source GigabitEthernet9
 tunnel destination public ip -2 address office 3
 tunnel key 100000
 tunnel vrf WAN
 tunnel protection ipsec profile Cisco_pass
!
interface GigabitEthernet0
 switchport trunk native vlan 200
 switchport mode trunk
 no ip address
 no cdp enable
!
interface GigabitEthernet1
 switchport trunk native vlan 200
 switchport mode trunk
 no ip address
!
interface GigabitEthernet2
 switchport trunk native vlan 200
 switchport mode trunk
 no ip address
!
interface GigabitEthernet3
 switchport access vlan 9
 no ip address
!
interface GigabitEthernet4
 switchport access vlan 20
 no ip address
!
interface GigabitEthernet5
 switchport access vlan 30
 no ip address
!
interface GigabitEthernet6
 no ip address
!
interface GigabitEthernet7
 switchport access vlan 10
 no ip address
!
interface GigabitEthernet8
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet9
 description "To ISP "
 ip vrf forwarding WAN
 ip address public ip address office 2
 ip virtual-reassembly in
 duplex auto
 speed auto
 no cdp enable
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan9
 ip address 192.168.30.1 255.255.255.0
!
interface Vlan10
 no ip address
 shutdown
!
interface Vlan20
 description "Vlan 20"
 ip address 10.20.226.1 255.255.255.0
!
interface Vlan25
 description "Voice"
 ip address 10.10.226.1 255.255.255.0
!
interface Vlan30
 description "Vlan 30"
 ip address 172.16.141.105 255.255.255.248
!
interface Vlan200
 description "Inside interface"
 ip address 192.168.226.1 255.255.255.0
 ip virtual-reassembly in
!
!
router eigrp 100
 network 10.10.226.0 0.0.0.255
 network 10.20.226.0 0.0.0.255
 network 172.16.141.104 0.0.0.7
 network 172.30.1.0 0.0.0.255
 network 172.30.2.0 0.0.0.255
 network 192.168.30.0
 network 192.168.226.0
 passive-interface Vlan200
 passive-interface Vlan25
!
ip forward-protocol nd
no ip http server
ip http authentication local
ip http secure-server
!
!
ip tftp source-interface Vlan200
!
ip route vrf WAN 0.0.0.0 0.0.0.0 gateway ISP office 2
!
!
snmp-server community XXXX RO 1
access-list 1 remark "SNMP allowed"
access-list 1 permit 192.168.96.254
access-list 100 remark "NAT ACL"
access-list 100 permit ip 192.168.226.0 0.0.0.255 any
access-list 110 remark "Outside interface inbound ACL"
access-list 110 permit tcp any host 192.168.1.226 eq 443
access-list 110 permit tcp any host 192.168.1.226 eq 22
access-list 110 permit udp host 80.96.120.253 host 192.168.1.226 eq ntp
access-list 110 permit udp any host 192.168.1.226 eq non500-isakmp
access-list 110 permit udp any host 192.168.1.226 eq isakmp
access-list 110 permit esp any host 192.168.1.226
access-list 110 permit ahp any host 192.168.1.226
access-list 110 permit gre any host 192.168.1.226
access-list 110 permit icmp any host 192.168.1.226 echo
access-list 110 permit icmp any host 192.168.1.226 echo-reply
access-list 110 permit icmp any host 192.168.1.226 time-exceeded
access-list 110 permit icmp any host 192.168.1.226 unreachable
access-list 110 permit icmp any any
access-list 110 deny   ip 10.0.0.0 0.255.255.255 any
access-list 110 deny   ip 172.16.0.0 0.15.255.255 any
access-list 110 deny   ip 192.168.0.0 0.0.255.255 any
access-list 110 deny   ip 127.0.0.0 0.255.255.255 any
access-list 110 deny   ip host 255.255.255.255 any
access-list 110 deny   ip host 0.0.0.0 any
access-list 110 deny   ip any any log
access-list 112 permit ip any host 192.168.129.55
access-list 112 permit ip any 172.16.141.0 0.0.0.255
access-list 112 permit ip any host 192.168.0.21
access-list 112 permit ip any host 10.30.14.22
access-list 112 permit udp any host 192.168.200.1 eq domain
access-list 112 permit ip any host 172.16.1.10
access-list 112 deny   ip any any
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
ntp server 128.138.141.172
!
end

 

HI,

You must have allowed the internet from the head office. This means your head office firewall must do the NATing for the "192.168.226.0/24" subnet, and the firewall must have the proper routing for the same. Also, your HUB router must advertise a default route in EIGRP.

Now your local LAN and WAN traffic is moving through the tunnel and reaching the head office. You have to allow the Internet through your firewall.

 

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!
