mGRE with VRF

sqambera
Level 1

Hello,

I am trying to configure a spoke router in an mGRE environment. I want to keep the tunnel interface in the global VRF, whereas the physical interface that is used as the source of the tunnel should be in a separate VRF. This was quite possible in the case of a point-to-point GRE tunnel by using the command "tunnel vrf ..". But this doesn't seem to be working with mGRE, because I can't ping the tunnel IPs.

Can anyone please help me to know what can be done to achieve this? I am copying the configuration that I have done on the spoke router.

Thanks in advance.

Qamber

interface Tunnel0
 ip address 10.1.1.2 255.255.255.252
 no ip redirects
 ip mtu 1440
 ip nhrp authentication cisco123
 ip nhrp map multicast dynamic
 ip nhrp map 10.1.1.1 <real ip of hub router>
 ip nhrp map multicast <real ip of hub router>
 ip nhrp network-id 1
 ip nhrp nhs 10.1.1.1
 tunnel source GigabitEthernet0/0/2.1
 tunnel mode gre multipoint
 tunnel key 0
 tunnel vrf test
 tunnel protection ipsec profile myprofile

interface GigabitEthernet0/0/2.1
 encapsulation dot1Q 3000
 ip vrf forwarding test
 ip address <real ip of spoke router>

ip route vrf test 0.0.0.0 0.0.0.0 <next hop real ip>

#sh vrf
  Name                             Default RD            Protocols   Interfaces
  Mgmt-intf                        <not set>             ipv4,ipv6   Gi0
  test                             <not set>             ipv4        Gi0/0/2.1

1 Accepted Solution (Philip D'Ath's crypto keyring and isakmp profile reply below)

7 Replies

Philip D'Ath
VIP Alumni

The bit of the config you are showing is fine. However, have you also configured the VRF in the tunnel protection policy correctly (because you need all crypto done in the outside VRF)? I need to see the rest of the crypto config.

Here is a guide saying how to configure it.

http://www.cisco.com/c/en/us/td/docs/interfaces_modules/services_modules/vspa/configuration/guide/ivmsw_book/ivmvpn5.pdf

Many thanks Philip for helping out. To test your recommendation instantly, I removed the tunnel protection profile from the tunnel interfaces of hub and spoke in mGRE and it worked. Now I have to check what I am missing from the tunnel protection perspective in VRF, as you suggested. I will read the document that you shared and will get back.

Thanks again.

By looking at the document, it looks like I probably have to use the "crypto engine outside" command on VRF interfaces. But I checked, and it's not supported on my ASR and ISR routers. Do you think this command is what really matters?

Thanks,

Qamber

The isakmp profile and the keyring are where the important VRF bits are.

If you post the crypto config I can look further, otherwise pay attention to those particular sections in your config.

Thanks for your time Philip. Here is the crypto-related configuration on the hub and spoke routers:

Hub Router:

crypto isakmp policy 1
 authentication pre-share

crypto isakmp key cisco address 0.0.0.0

crypto ipsec transform-set myset esp-des esp-md5-hmac
 mode tunnel

crypto ipsec profile myprofile
 set security-association lifetime seconds 120
 set transform-set myset

Spoke Router:

crypto isakmp policy 1
 authentication pre-share

crypto isakmp key cisco address 0.0.0.0

crypto ipsec transform-set myset esp-des esp-md5-hmac
 mode tunnel

crypto ipsec profile myprofile
 set security-association lifetime seconds 120
 set transform-set myset

The crypto config is definitely the issue. You need something more like:

crypto keyring kr-keyring vrf outside-vrf
   pre-shared-key address 0.0.0.0 0.0.0.0 key xxx

crypto isakmp profile myprofile
  keyring kr-keyring
  set security-association lifetime seconds 120
  set transform-set myset
  match identity address 0.0.0.0 0.0.0.0 outside-vrf
  local-address <public ip of local router>

You may get away without the "local-address <public ip of local router>" line.

And delete:

crypto isakmp key cisco address 0.0.0.0
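
A small consistency check for the fix above, added here as an example and not part of the thread or of any Cisco tool: it parses an IOS-style config and reports protected tunnels whose "tunnel vrf" is not carried into a "crypto keyring ... vrf" plus an ISAKMP profile whose "match identity address" names that VRF, and it flags a global "crypto isakmp key" line of the kind the reply says to delete. The two sample configs are constructed from the thread (the spoke's VRF name "test", the keyring and profile names from the reply); the regexes only cover the command forms shown in the thread.

```python
import re
# Constructed sample configs modelled on the thread: the spoke's original crypto setup (a global ISAKMP key, no VRF-aware keyring) and the shape of the accepted reply's fix.
BROKEN_CFG = """crypto isakmp key cisco address 0.0.0.0
interface Tunnel0
 tunnel vrf test
 tunnel protection ipsec profile myprofile"""
FIXED_CFG = """crypto keyring kr-keyring vrf test
 pre-shared-key address 0.0.0.0 0.0.0.0 key xxx
crypto isakmp profile myprofile
 keyring kr-keyring
 match identity address 0.0.0.0 0.0.0.0 test
interface Tunnel0
 tunnel vrf test
 tunnel protection ipsec profile myprofile"""
def parse_sections(cfg):
    """Split IOS-style config into (top-level command, [indented sub-commands]) pairs."""
    sections = []
    for raw in cfg.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace() and sections:
            sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections
def check_fvrf_crypto(cfg):
    """Flag protected tunnels whose 'tunnel vrf' is not mirrored in the keyring and ISAKMP profile."""
    keyring_vrf, global_psk = {}, False  # keyring name -> its 'vrf' argument (None = global)
    profiles, tunnels = [], []           # (keyring used, match-identity vrf); (name, tunnel vrf, protected?)
    for head, body in parse_sections(cfg):
        if m := re.match(r"crypto keyring (\S+)(?: vrf (\S+))?$", head):
            keyring_vrf[m.group(1)] = m.group(2)
        elif head.startswith("crypto isakmp key "):
            global_psk = True                # keyed by peer address only, no VRF binding
        elif head.startswith("crypto isakmp profile "):
            kr = next((l.split()[1] for l in body if l.startswith("keyring ")), None)
            ids = [re.match(r"match identity address \S+ \S+(?: (\S+))?$", l) for l in body]
            profiles.append((kr, next((i.group(1) for i in ids if i), None)))
        elif head.startswith("interface Tunnel"):
            vrf = next((l.split()[2] for l in body if l.startswith("tunnel vrf ")), None)
            prot = any(l.startswith("tunnel protection ipsec profile ") for l in body)
            tunnels.append((head.split()[1], vrf, prot))
    findings = []
    for name, vrf, prot in tunnels:
        if vrf and prot and not any(keyring_vrf.get(kr) == vrf and mv == vrf for kr, mv in profiles):
            findings.append(f"{name}: tunnel vrf {vrf}, but no isakmp profile pairs a keyring in vrf {vrf} with a match identity in vrf {vrf}")
        if vrf and prot and global_psk:
            findings.append(f"{name}: global 'crypto isakmp key' is not VRF-aware; put the PSK in a keyring declared with 'vrf {vrf}'")
    return findings
```

Run it against a "show running-config" capture to see which protected tunnels still rely on global crypto settings; an empty list means every front-door VRF is reflected in the IKE configuration.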

Thanks a lot Philip, it worked with your help.

Best regards,

Qamber