Hello Ananthan,

You are welcome - actually, thanks to you, I have also learned something new while debugging your scenario

You may be interested in reading the following document that helped me to make my mind clear about the FVRF (Front VRF) and the IVRF (Internal VRF), see:

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6660/prod_white_paper0900aecd8034be03_ps6658_Products_White_Paper.html

Best regards,

Peter

Hello Peter,

Thanks for the solution.. Actually before i configure i got the guide from that white paper. But i don't have enough experience in troubleshooting Security   ( until now i'm a pure R&S guy) . So couldn't able to get proper answers from DEBUG. But from your suggestion i got the answer and its working well.

Thanks..

-Ananthan

Hello Ananthan,

I am also primarily R&S guy. When I tried to debug your original configuration I needed to have the following debugs on the hub router so it finally told me that the FVRF did not match:

debug crypto isakmp

debug crypto isakmp error

debug crypto ipsec

debug crypto ipsec error

Anyway, I'm glad you got it working, allowing me to learn more as well in the process Take care and good luck!

Best regards,

Peter

Hello Peter,

I got an another issue.. After establish this DMVPN i add another IPSec to the spoke site to another peer                (crypto map CUSTMap).

.

Here is the sample config..

!

crypto keyring VPN

  pre-shared-key address 0.0.0.0 0.0.0.0 key cisco

!

crypto isakmp policy 1

authentication pre-share

!

crypto isakmp policy 2

encr 3des

authentication pre-share

group 2

crypto isakmp test123 address 192.168.169.50

crypto isakmp invalid-spi-recovery

crypto isakmp keepalive 30 periodic

crypto isakmp profile VPN-101

   keyring VPN

   match identity address 0.0.0.0

!

crypto ipsec security-association lifetime seconds 28800

!

crypto ipsec transform-set esp-3des-sha esp-3des esp-sha-hmac

crypto ipsec transform-set trans2 esp-des esp-md5-hmac

!

crypto ipsec profile CUST

set transform-set trans2

set isakmp-profile VPN-101

!

!

crypto map CUSTMap 1 ipsec-isakmp

set peer 192.168.169.50

set transform-set esp-3des-sha

match address 110

!

!

!

interface Tunnel0

description DMVPN Tunnel Interface

bandwidth 1000

ip address 10.10.10.2 255.255.255.0

no ip redirects

ip mtu 1436

ip nhrp authentication cisco123

ip nhrp map multicast 192.168.10.1

ip nhrp map 10.10.10.1 192.168.10.1

ip nhrp network-id 99

ip nhrp holdtime 300

ip nhrp nhs 10.10.10.1

ip tcp adjust-mss 1360

no ip split-horizon eigrp 1

delay 1000

tunnel source FastEthernet0/1

tunnel mode gre multipoint

tunnel key 10

tunnel protection ipsec profile CUST

!

interface FastEthernet0/1

  ip address 172.20.20.1 255.255.255.0

duplex auto

speed auto

crypto map CUSTMap

!

the problem is when remove the DMVPN config then only this IPSec is working fine. Once i bring up the DMVPN the IPSec to "crypto map CUSTMap" is going down. Any finding from your end ??

Thanks

-Ananthan

Hello Ananthan,

I do not quite understand the need for the crypto map on your Fa0/1 interface. Is it there for some other IPsec tunnel apart from the DMVPN? The DMVPN traffic itself, either spoke-to-hub or spoke-to-spoke, is protected using the IPsec crypto profile. Can you kindly explain the crypto map a little closer?

You have not shown us the ACL 110. It is possible that it conflicts with the traffic already encrypted by the Tunnel0 crypto profile. Can you also display the ACL 110?

Best regards,

Peter

Hello Peter,

Yes .. That crypto map under fa0/1 is belongs to another IPSec peering to another router (that router not in DMVPN cloud) . This IPSec purely for management purpose..

Here is the ACL 110

access-list 110 permit ip host 10.10.10.10 host 172.16.16.16

access-list 110 permit ip host 10.10.10.10 host 172.16.16.17

access-list 110 permit ip host 10.10.10.10 host 172.16.16.18

access-list 110 permit ip host 10.10.10.10 host 172.16.16.19

The IP 10.10.10.10 is loopback IP from Spoke router.

Thanks.

-Ananthan

Hello Ananthan,

So far, I do not see any obvious problem with the configuration. I am wondering, however: after the DMVPN comes up, what routes are learned by the routing protocol run over the DMVPN tunnel? Is it possible that either the 172.16.16.16-19 or the 192.168.169.50 becomes routed through the tunnel and not directly through the Fa0/1 interface?

We have to verify this very carefully - please use the show ip route command together with each of these IP addresses while the DMVPN is up, and check for the forwarding information.

Thanks!

Best regards,

Peter

Hi Ananthan,

Any news with this issue?

Best regards,

Peter