
This is a sample configuration for IKEv2 DMVPN using VRF and EIGRP routing, a very common design for multi-tenant deployments.

Topology

[Figure: topology.png (network diagram; image not included in this text)]

Configuration

R1 (HUB)
……………………………………………………………………………………………………………………………………………

vrf definition dmvpn
 !
 address-family ipv4
 exit-address-family
!
crypto ikev2 proposal prop-01
 encryption aes-cbc-128 aes-cbc-192
 integrity sha256 sha512
 group 14 15
!
crypto ikev2 policy pol-01
 proposal prop-01
!
crypto ikev2 keyring dmvpn-key
 peer ALL
  address 0.0.0.0 0.0.0.0
  pre-shared-key cisco123
!
crypto ikev2 profile prof-01
 match identity remote address 0.0.0.0
 authentication local pre-share
 authentication remote pre-share
 keyring local dmvpn-key
!
crypto ipsec transform-set tset esp-aes 192 esp-sha512-hmac
 mode tunnel
!
crypto ipsec profile dmvpn
 set transform-set tset
 set ikev2-profile prof-01
!
interface Loopback0
 vrf forwarding dmvpn
 ip address 10.150.10.1 255.255.255.255
!
interface Tunnel0
 vrf forwarding dmvpn          !!! This defines the iVRF (the VRF carrying the tunnel's overlay addresses)
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 no ip split-horizon eigrp 102
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp redirect
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile dmvpn
!
interface GigabitEthernet0/0
 ip address 10.150.1.1 255.255.255.0
!
router eigrp 1
 !
 address-family ipv4 vrf dmvpn autonomous-system 102
  network 10.150.10.1 0.0.0.0
  network 192.168.1.1 0.0.0.0
 exit-address-family
!
ip route 0.0.0.0 0.0.0.0 10.150.1.2

 

R1# sh cry ikev2 sa
 IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         10.150.1.1/500        10.150.5.1/500        none/dmvpn           READY
      Encr: AES-CBC, keysize: 128, PRF: SHA256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/5847 sec

Tunnel-id Local                 Remote                fvrf/ivrf            Status
2         10.150.1.1/500        10.150.6.1/500        none/dmvpn           READY
      Encr: AES-CBC, keysize: 128, PRF: SHA256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/4183 sec

 IPv6 Crypto IKEv2  SA
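Checking the negotiated parameters, not just the READY status, is the part of this output that is worth automating. The Python below is an added example (not part of the original post or any Cisco tool): it parses the "sh cry ikev2 sa" text into records and compares each SA against the expected fvrf/ivrf pairing and a crypto baseline taken from prop-01 above (AES-CBC with at least 128-bit keys, SHA256 or SHA512, DH group 14 or 15, PSK in both directions). The function names and the BASELINE table are the example's own; the first sample is copied from the R1 output above and the second is a constructed weak SA used to show a failing case.

```python
import re
from dataclasses import dataclass

@dataclass
class Ikev2Sa:
    tunnel_id: int
    local: str
    remote: str
    fvrf: str
    ivrf: str
    status: str
    encr: str
    keysize: int
    prf: str
    integrity: str
    dh_group: int
    auth_sign: str
    auth_verify: str
    lifetime: int
    active: int

# Each SA occupies three lines in the IOS output: the id/peer/VRF line,
# the negotiated-parameter line, and the lifetime line.
SA_LINE = re.compile(r"^(\d+)\s+(\S+)/\d+\s+(\S+)/\d+\s+(\S+)/(\S+)\s+(\S+)\s*$")
PARAM_LINE = re.compile(r"Encr:\s*(\S+),\s*keysize:\s*(\d+),\s*PRF:\s*(\S+),\s*Hash:\s*(\S+),"
                        r"\s*DH Grp:\s*(\d+),\s*Auth sign:\s*(\S+),\s*Auth verify:\s*(\S+)")
LIFE_LINE = re.compile(r"Life/Active Time:\s*(\d+)/(\d+)\s*sec")

# Baseline derived from prop-01 above (example's own table): nothing weaker than
# what the proposal offers should ever appear in a negotiated SA.
BASELINE = {"encr": {"AES-CBC"}, "min_keysize": 128, "hash": {"SHA256", "SHA512"},
            "dh_groups": {14, 15}, "auth": {"PSK"}}

def parse_ikev2_sa(text):
    """Parse 'show crypto ikev2 sa' text into a list of Ikev2Sa records."""
    lines, sas, i = text.splitlines(), [], 0
    while i < len(lines):
        m = SA_LINE.match(lines[i])
        if not m:
            i += 1
            continue
        p = PARAM_LINE.search(lines[i + 1]) if i + 1 < len(lines) else None
        lt = LIFE_LINE.search(lines[i + 2]) if i + 2 < len(lines) else None
        if not (p and lt):
            raise ValueError(f"malformed SA block at line {i + 1}")
        sas.append(Ikev2Sa(int(m[1]), m[2], m[3], m[4], m[5], m[6],
                           p[1], int(p[2]), p[3], p[4], int(p[5]), p[6], p[7],
                           int(lt[1]), int(lt[2])))
        i += 3
    return sas

def check_sa(sa, expected_fvrf, expected_ivrf, baseline=BASELINE):
    """Return findings for one SA; an empty list means it matches expectations."""
    where = f"SA {sa.tunnel_id} {sa.local}->{sa.remote}"
    findings = []
    if sa.status != "READY":
        findings.append(f"{where}: status {sa.status}")
    # IOS truncates the fvrf/ivrf column for long VRF names, so compare on prefix
    if not (expected_fvrf.startswith(sa.fvrf) and expected_ivrf.startswith(sa.ivrf)):
        findings.append(f"{where}: fvrf/ivrf {sa.fvrf}/{sa.ivrf}, expected {expected_fvrf}/{expected_ivrf}")
    if sa.encr not in baseline["encr"] or sa.keysize < baseline["min_keysize"]:
        findings.append(f"{where}: encryption {sa.encr}-{sa.keysize} below baseline")
    if sa.prf not in baseline["hash"] or sa.integrity not in baseline["hash"]:
        findings.append(f"{where}: PRF/integrity {sa.prf}/{sa.integrity} not in baseline")
    if sa.dh_group not in baseline["dh_groups"]:
        findings.append(f"{where}: DH group {sa.dh_group} not in baseline")
    if sa.auth_sign not in baseline["auth"] or sa.auth_verify not in baseline["auth"]:
        findings.append(f"{where}: authentication {sa.auth_sign}/{sa.auth_verify} not in baseline")
    return findings

# Copied from the R1 'sh cry ikev2 sa' output above.
R1_SA_OUTPUT = """\
 IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         10.150.1.1/500        10.150.5.1/500        none/dmvpn           READY
      Encr: AES-CBC, keysize: 128, PRF: SHA256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/5847 sec

Tunnel-id Local                 Remote                fvrf/ivrf            Status
2         10.150.1.1/500        10.150.6.1/500        none/dmvpn           READY
      Encr: AES-CBC, keysize: 128, PRF: SHA256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/4183 sec

 IPv6 Crypto IKEv2  SA
"""

# Constructed sample (not from the post): an SA that came up with SHA1 and DH group 2.
WEAK_SA_OUTPUT = """\
Tunnel-id Local                 Remote                fvrf/ivrf            Status
3         10.150.1.1/500        198.51.100.7/500      none/dmvpn           READY
      Encr: AES-CBC, keysize: 128, PRF: SHA1, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/12 sec
"""

if __name__ == "__main__":
    for sa in parse_ikev2_sa(R1_SA_OUTPUT + WEAK_SA_OUTPUT):
        print(sa.tunnel_id, sa.remote, check_sa(sa, "none", "dmvpn") or "OK")
```

The check looks at what was actually negotiated rather than at what the proposal permits, because a proposal that lists several transforms only bounds the outcome; on the hub above the SAs settled on AES-128, SHA256 and group 14, the lowest entries of each list in prop-01. Run the function against the output of every router in the cloud and alert on any non-empty list.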

 

R5 (SPOKE - iVRF and fVRF are the same)
……………………………………………………………………………………………………………………………………………

vrf definition dmvpn
 !
 address-family ipv4
 exit-address-family
!
crypto ikev2 proposal prop-01
 encryption aes-cbc-128 aes-cbc-192
 integrity sha256 sha512
 group 14 15
!
crypto ikev2 policy pol-01
 match fvrf dmvpn     !!! Because the tunnel is invoked in a VRF, this policy must match the same front VRF
 match address local 10.150.5.1     !!! Match the local address explicitly, because the source interface is in the VRF routing table rather than the global routing table
 proposal prop-01
!
crypto ikev2 keyring dmvpn-key
 peer R1
  address 0.0.0.0 0.0.0.0
  pre-shared-key cisco123
!
crypto ikev2 profile prof-01
 match fvrf dmvpn         !!! Because the tunnel is invoked in a VRF, this profile must match the same front VRF
 match identity remote address 0.0.0.0
 authentication local pre-share
 authentication remote pre-share
 keyring local dmvpn-key
!
crypto ipsec transform-set tset esp-aes 192 esp-sha512-hmac
 mode tunnel
!
crypto ipsec profile dmvpn
 set transform-set tset
 set ikev2-profile prof-01
!
interface Loopback0
 vrf forwarding dmvpn
 ip address 10.150.50.1 255.255.255.255
!
interface Tunnel0
 vrf forwarding dmvpn    !!! Assign the iVRF (here the same VRF as the fVRF)
 ip address 192.168.1.2 255.255.255.0
 no ip redirects
 ip nhrp map 192.168.1.1 10.150.1.1
 ip nhrp map multicast 10.150.1.1
 ip nhrp network-id 1
 ip nhrp nhs 192.168.1.1
 ip nhrp shortcut
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel vrf dmvpn    !!! Invoke the tunnel in the front VRF of the source interface
 tunnel protection ipsec profile dmvpn
!
interface GigabitEthernet0/0
 vrf forwarding dmvpn
 ip address 10.150.5.1 255.255.255.0
!
router eigrp 1
 !
 address-family ipv4 vrf dmvpn autonomous-system 102
  network 10.150.50.1 0.0.0.0
  network 192.168.1.2 0.0.0.0
 exit-address-family
!
ip route vrf dmvpn 0.0.0.0 0.0.0.0 10.150.5.2

 

R5#sh cry ikev2 sa
 IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
2         10.150.5.1/500        10.150.6.1/500        dmvpn/dmvpn          READY
      Encr: AES-CBC, keysize: 128, PRF: SHA256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/2475 sec

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         10.150.5.1/500        10.150.1.1/500        dmvpn/dmvpn          READY
      Encr: AES-CBC, keysize: 128, PRF: SHA256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/6088 sec

 IPv6 Crypto IKEv2  SA

R6 (same as R5 except that the fVRF is different from the iVRF)
……………………………………………………………………………………………………………………………………………

vrf definition fvrf-dmvpn
 !
 address-family ipv4
 exit-address-family
!
vrf definition ivrf-dmvpn
 !
 address-family ipv4
 exit-address-family
!
crypto ikev2 proposal prop-01
 encryption aes-cbc-128 aes-cbc-192
 integrity sha256 sha512
 group 14 15
!
crypto ikev2 policy pol-01
 match fvrf fvrf-dmvpn
 proposal prop-01
!
crypto ikev2 keyring dmvpn-key
 peer R1
  address 0.0.0.0 0.0.0.0
  pre-shared-key cisco123
!
crypto ikev2 profile prof-01
 match fvrf fvrf-dmvpn
 match identity remote address 0.0.0.0
 identity local address 10.150.6.1
 authentication local pre-share
 authentication remote pre-share
 keyring local dmvpn-key
!
crypto ipsec transform-set tset esp-aes 192 esp-sha512-hmac
 mode tunnel
!
crypto ipsec profile dmvpn
 set transform-set tset
 set ikev2-profile prof-01
!
interface Loopback0
 vrf forwarding ivrf-dmvpn
 ip address 10.150.60.1 255.255.255.255
!
interface Tunnel0
 vrf forwarding ivrf-dmvpn
 ip address 192.168.1.3 255.255.255.0
 no ip redirects
 ip nhrp map 192.168.1.1 10.150.1.1
 ip nhrp map multicast 10.150.1.1
 ip nhrp network-id 1
 ip nhrp nhs 192.168.1.1
 ip nhrp shortcut
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel vrf fvrf-dmvpn
 tunnel protection ipsec profile dmvpn
!
interface GigabitEthernet0/0
 vrf forwarding fvrf-dmvpn
 ip address 10.150.6.1 255.255.255.0
!
router eigrp 1
 !
 address-family ipv4 vrf ivrf-dmvpn autonomous-system 102
  network 10.150.60.1 0.0.0.0
  network 192.168.1.3 0.0.0.0
 exit-address-family
!
ip route vrf fvrf-dmvpn 0.0.0.0 0.0.0.0 10.150.6.2

 

R6# sh cry ikev2 sa
 IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         10.150.6.1/500        10.150.1.1/500        fvrf-dmvpn/ivrf-dm   READY
      Encr: AES-CBC, keysize: 128, PRF: SHA256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/4924 sec

Tunnel-id Local                 Remote                fvrf/ivrf            Status
2         10.150.6.1/500        10.150.5.1/500        fvrf-dmvpn/ivrf-dm   READY
      Encr: AES-CBC, keysize: 128, PRF: SHA256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/2973 sec

 IPv6 Crypto IKEv2  SA
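The three configurations above share one rule that is easy to get wrong on a spoke: the VRF named by "tunnel vrf" must be the VRF of the tunnel source interface, and the IKEv2 policy and profile that serve that tunnel must "match fvrf" the same VRF (R5 and R6), while a hub whose source interface is in the global table (R1) needs no "match fvrf" at all. The Python below is an added example, not part of the original post or any Cisco tooling: a small linter that parses IOS-style running-config text and reports those mismatches for every Tunnel interface, plus an informational finding when a profile combines "match identity remote address 0.0.0.0" with an any-address keyring, since that pairing admits any peer that holds the PSK. It assumes the usual IOS indentation (top-level commands unindented, children indented), treats a policy or profile without "match fvrf" as belonging to the global FVRF, and accepts "match fvrf any" for every FVRF; the function names and both sample configs are the example's own (the samples are trimmed to the lines the check reads).

```python
def parse_sections(config_text):
    """Split IOS-style config into {top-level command: [stripped child lines]}."""
    sections, current = {}, None
    for raw in config_text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped == "!":
            continue                      # blank lines and '!' separators
        if not raw.startswith(" "):
            current = stripped            # unindented line opens a new section
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(stripped)
    return sections

def _child(children, prefix):
    """Return the argument of the first child command that starts with prefix."""
    for line in children:
        if line.startswith(prefix):
            return line[len(prefix):].strip()
    return None

def lint_dmvpn_config(config_text):
    """Return a list of findings for every Tunnel interface in the config."""
    s = parse_sections(config_text)
    findings = []
    # FVRFs in which some IKEv2 policy can be selected (absent 'match fvrf' = global)
    policy_fvrfs = {_child(c, "match fvrf ") or "global"
                    for h, c in s.items() if h.startswith("crypto ikev2 policy ")}
    for name, tun in s.items():
        if not name.startswith("interface Tunnel"):
            continue
        fvrf = _child(tun, "tunnel vrf ") or "global"
        source = _child(tun, "tunnel source ")
        # 1. 'tunnel vrf' must name the VRF the source interface sits in
        src_vrf = _child(s.get(f"interface {source}", []), "vrf forwarding ") or "global"
        if src_vrf != fvrf:
            findings.append(f"{name}: tunnel vrf '{fvrf}' but source {source} is in VRF '{src_vrf}'")
        # 2. The IKEv2 profile reached through the IPsec profile must match that FVRF
        ipsec = _child(tun, "tunnel protection ipsec profile ")
        prof_name = _child(s.get(f"crypto ipsec profile {ipsec}", []), "set ikev2-profile ")
        prof = s.get(f"crypto ikev2 profile {prof_name}", [])
        prof_fvrf = _child(prof, "match fvrf ") or "global"
        if prof_fvrf not in (fvrf, "any"):
            findings.append(f"{name}: ikev2 profile {prof_name} matches fvrf '{prof_fvrf}', tunnel uses '{fvrf}'")
        # 3. Some IKEv2 policy must be selectable in that FVRF
        if not policy_fvrfs & {fvrf, "any"}:
            findings.append(f"{name}: no crypto ikev2 policy matches fvrf '{fvrf}'")
        # 4. Informational: wildcard identity plus an any-address keyring admits any PSK holder
        keyring = _child(prof, "keyring local ")
        if (_child(prof, "match identity remote address ") == "0.0.0.0"
                and "address 0.0.0.0 0.0.0.0" in s.get(f"crypto ikev2 keyring {keyring}", [])):
            findings.append(f"{name}: profile {prof_name} accepts any remote address via wildcard keyring {keyring}")
    return findings

# Constructed spoke config in the R5 style (FVRF and IVRF are the same VRF).
SPOKE_OK = """\
crypto ikev2 policy pol-01
 match fvrf dmvpn
 proposal prop-01
!
crypto ikev2 keyring dmvpn-key
 peer R1
  address 0.0.0.0 0.0.0.0
  pre-shared-key cisco123
!
crypto ikev2 profile prof-01
 match fvrf dmvpn
 match identity remote address 0.0.0.0
 keyring local dmvpn-key
!
crypto ipsec profile dmvpn
 set ikev2-profile prof-01
!
interface Tunnel0
 vrf forwarding dmvpn
 tunnel source GigabitEthernet0/0
 tunnel vrf dmvpn
 tunnel protection ipsec profile dmvpn
!
interface GigabitEthernet0/0
 vrf forwarding dmvpn
"""

# The same spoke with both 'match fvrf' lines forgotten: the tunnel is invoked in
# VRF dmvpn, but IKEv2 would look for its policy and profile in the global FVRF.
SPOKE_MISSING_FVRF = SPOKE_OK.replace(" match fvrf dmvpn\n", "")

if __name__ == "__main__":
    for label, cfg in (("ok", SPOKE_OK), ("missing fvrf", SPOKE_MISSING_FVRF)):
        print(label, lint_dmvpn_config(cfg) or "no findings")
```

Feed it the running-config of each router (for example the output of "show running-config" saved to a file) rather than a hand-trimmed excerpt; the parser ignores everything it does not recognise, so the full config is fine. On the R6-style split design the check passes as long as "tunnel vrf", the source interface's "vrf forwarding", and both "match fvrf" lines all name the front VRF, while the inside VRF appears only in the tunnel's own "vrf forwarding".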

 
