Solved: MPLS over DMVPN

R Manjunatha · ‎11-14-2023

Hi,

I configured the MPLS over DMVPN with an IPsec tunnel for encryption. everything was good after configuring tunnel protection IPsec on the Tunnel interface, all respective router's EIGRP adjacencies are down.

If any more detailed information is needed, please let me know.

*Nov 14 10:51:19.354: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 192.168.1.13 (Tunnel1) is down: holding time expired
*Nov 14 10:52:09.233: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 192.168.1.8 (Tunnel1) is down: holding time expired
*Nov 14 10:52:51.167: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 192.168.1.9 (Tunnel1) is down: holding time expired
*Nov 14 10:53:11.534: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 192.168.1.16 (Tunnel1) is down: holding time expired

CE-R13#sh ip route vrf FVRF

Routing Table: FVRF
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 7 subnets, 2 masks
B 10.8.8.0/24 [20/0] via 192.168.40.254, 03:43:51
B 10.9.9.0/24 [20/0] via 192.168.40.254, 03:43:55
C 10.13.13.0/24 is directly connected, Loopback0
L 10.13.13.13/32 is directly connected, Loopback0
B 10.16.16.0/24 [20/0] via 192.168.40.254, 03:43:55
B 10.17.17.0/24 [20/0] via 192.168.40.254, 03:44:08
B 10.18.18.0/24 [20/0] via 192.168.40.254, 03:43:56
192.168.40.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.40.0/24 is directly connected, Ethernet0/0
L 192.168.40.1/32 is directly connected, Ethernet0/0
CE-R13#sh ip route vrf FVRF eigrp

Routing Table: FVRF
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is not set

CE-R13# sh run
Building configuration...

Current configuration : 2406 bytes
!
! Last configuration change at 11:06:07 UTC Tue Nov 14 2023
!
version 15.7
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CE-R13
!
boot-start-marker
boot-end-marker
!
!
vrf definition FVRF
rd 65006:1
!
address-family ipv4
exit-address-family
!
vrf definition INTERNAL
!
address-family ipv4
exit-address-family
!
!
no aaa new-model
!
!
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!

!
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
redundancy
!
!
!
!
!
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco123 address 0.0.0.0
!
!
crypto ipsec transform-set ABC esp-3des esp-md5-hmac
mode transport
!
crypto ipsec profile IPROF
set transform-set ABC
!
!
!
!
!
!
!
interface Loopback0
vrf forwarding FVRF
ip address 10.13.13.13 255.255.255.0
!
interface Loopback1
vrf forwarding INTERNAL
ip address 192.168.13.13 255.255.255.0
!
interface Loopback2
vrf forwarding INTERNAL
ip address 172.16.13.13 255.255.255.0
!
interface Tunnel1
vrf forwarding INTERNAL
ip address 192.168.1.13 255.255.255.0
no ip redirects
ip nhrp map 192.168.1.17 10.17.17.17
ip nhrp map multicast 10.17.17.17
ip nhrp network-id 1
ip nhrp nhs 192.168.1.17
tunnel source Loopback0
tunnel mode gre multipoint
tunnel vrf FVRF
tunnel protection ipsec profile IPROF
!
interface Ethernet0/0
vrf forwarding FVRF
ip address 192.168.40.1 255.255.255.0
duplex auto
!
interface Ethernet0/1
no ip address
shutdown
duplex auto
!
interface Ethernet0/2
no ip address
shutdown
duplex auto
!
interface Ethernet0/3
no ip address
shutdown
duplex auto
!
!
router eigrp 1
!
address-family ipv4 vrf INTERNAL autonomous-system 100
network 172.16.0.0
network 192.168.1.0
network 192.168.13.0
exit-address-family
!
router bgp 65006
bgp router-id 13.13.13.13
bgp log-neighbor-changes
!
address-family ipv4 vrf FVRF
network 10.13.13.0 mask 255.255.255.0
neighbor 192.168.40.254 remote-as 100
neighbor 192.168.40.254 activa

MHM Cisco World · ‎06-13-2024

please close this post
thanks
MHM

View solution in original post

MHM Cisco World · ‎11-14-2023

hi
make the Key VRF-aware and it will start work
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_ikevpn/configuration/xe-3s/VRF-Aware_IPsec.html

Thanks A Lot
MHM

R Manjunatha · ‎11-14-2023

Hi

Thanks for the update, I can't figure it out. can you please let me know the commands?

MHM Cisco World · ‎11-14-2023

1. enable

2. configure terminal

3. crypto keyring keyring-name [vrf fvrf-name

4. description string

5. pre-shared-key {address address [mask] | hostname hostname} key key

This need' remove crypro isakmp key command and use above instead.

MHM Cisco World · ‎11-14-2023

https://www.cisco.com/c/en/us/support/docs/security-vpn/dynamic-multi-point-vpn-dmvpn/119022-configure-dmvpn-00.html

This example also for more info.

Note:- you need to add

Tunnel key xxx in all tunnel of spoke and hub

MHM Cisco World · ‎06-13-2024

please close this post
thanks
MHM