on 07-07-2019 06:22 AM
This is a sample configuration for IKEv2 DMVPN using VRFs and EIGRP routing, a very common design for multi-tenant deployments. The hub (R1) sources its tunnel from the global routing table, one spoke (R5) uses a single VRF as both front-door VRF (fVRF) and inside VRF (iVRF), and the other spoke (R6) keeps the fVRF and iVRF separate. The wildcard pre-shared key (peer address 0.0.0.0 0.0.0.0, identity 0.0.0.0) keeps the lab simple; in production use per-peer keys or certificate authentication so that one shared key does not admit any host that can reach the hub.
Topology
Configuration
R1 (HUB)
……………………………………………………………………………………………………………………………………………
vrf definition dmvpn
!
address-family ipv4
exit-address-family
!
crypto ikev2 proposal prop-01
encryption aes-cbc-128 aes-cbc-192
integrity sha256 sha512
group 14 15
!
crypto ikev2 policy pol-01
proposal prop-01
!
crypto ikev2 keyring dmvpn-key
peer ALL
address 0.0.0.0 0.0.0.0
pre-shared-key cisco123
!
crypto ikev2 profile prof-01
match identity remote address 0.0.0.0
authentication local pre-share
authentication remote pre-share
keyring local dmvpn-key
!
crypto ipsec transform-set tset esp-aes 192 esp-sha512-hmac
mode tunnel
!
crypto ipsec profile dmvpn
set transform-set tset
set ikev2-profile prof-01
!
interface Loopback0
vrf forwarding dmvpn
ip address 10.150.10.1 255.255.255.255
!
interface Tunnel0
vrf forwarding dmvpn !!! …. This defines the iVRF (the hub's tunnel source Gi0/0 is in the global table, so no fVRF is needed here)
ip address 192.168.1.1 255.255.255.0
no ip redirects
no ip split-horizon eigrp 102
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip nhrp redirect
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel protection ipsec profile dmvpn
!
interface GigabitEthernet0/0
ip address 10.150.1.1 255.255.255.0
!
router eigrp 1
!
address-family ipv4 vrf dmvpn autonomous-system 102
network 10.150.10.1 0.0.0.0
network 192.168.1.1 0.0.0.0
exit-address-family
!
ip route 0.0.0.0 0.0.0.0 10.150.1.2
R1# sh cry ikev2 sa
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
1 10.150.1.1/500 10.150.5.1/500 none/dmvpn READY
Encr: AES-CBC, keysize: 128, PRF: SHA256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/5847 sec
Tunnel-id Local Remote fvrf/ivrf Status
2 10.150.1.1/500 10.150.6.1/500 none/dmvpn READY
Encr: AES-CBC, keysize: 128, PRF: SHA256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/4183 sec
IPv6 Crypto IKEv2 SA
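The show output above is the verification step, and on a hub with many spokes it is worth checking mechanically that every SA came up with the parameters the proposal was meant to enforce. The following is an added example (my code, not from the post or from Cisco): it parses the three-line records of `show crypto ikev2 sa` and compares each SA against a minimum policy. Records 1 and 2 of the sample are copied from the R1 output above; record 3, the policy floor in POLICY, and the expected fvrf/ivrf pair are assumptions made up to show what the checker flags.

```python
"""Parse 'show crypto ikev2 sa' and check each SA against a minimum policy."""
import re

# Constructed sample. Records 1 and 2 copy the R1 output above; record 3 is
# hypothetical (this page's proposal could not negotiate it) and exists only
# to show what the checker flags.
SAMPLE = """\
IPv4 Crypto IKEv2 SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         10.150.1.1/500        10.150.5.1/500        none/dmvpn           READY
      Encr: AES-CBC, keysize: 128, PRF: SHA256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/5847 sec

Tunnel-id Local                 Remote                fvrf/ivrf            Status
2         10.150.1.1/500        10.150.6.1/500        none/dmvpn           READY
      Encr: AES-CBC, keysize: 128, PRF: SHA256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/4183 sec

Tunnel-id Local                 Remote                fvrf/ivrf            Status
3         10.150.1.1/500        10.150.7.1/500        none/dmvpn           IN-NEG
      Encr: AES-CBC, keysize: 128, PRF: SHA1, Hash: SHA1, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/12 sec

IPv6 Crypto IKEv2 SA
"""

RECORD = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+([^/\s]+)/(\S+)\s+(\S+)\s*$")
CRYPTO = re.compile(r"Encr:\s*([\w-]+),\s*keysize:\s*(\d+),\s*PRF:\s*(\w+),"
                    r"\s*Hash:\s*(\w+),\s*DH Grp:\s*(\d+),\s*Auth sign:\s*(\w+),"
                    r"\s*Auth verify:\s*(\w+)")
LIFE = re.compile(r"Life/Active Time:\s*(\d+)/(\d+)\s*sec")

# Assumed policy floor (not a value from the post): AES, 128-bit or better
# keys, a SHA-2 PRF and DH group 14 or higher.
POLICY = {"encr": {"AES-CBC", "AES-GCM"}, "min_keysize": 128,
          "prf": {"SHA256", "SHA384", "SHA512"}, "min_dh": 14}


def parse_ikev2_sa(text):
    """Return one dict per SA, merging the summary row, the Encr line and
    the Life/Active line that IOS prints for each tunnel-id."""
    sas, cur = [], None
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if m:
            tid, local, remote, fvrf, ivrf, status = m.groups()
            cur = {"id": int(tid), "local": local, "remote": remote,
                   "fvrf": fvrf, "ivrf": ivrf, "status": status}
            sas.append(cur)
            continue
        if cur is None:
            continue  # banner lines before the first record
        m = CRYPTO.search(line)
        if m:
            encr, keysize, prf, hsh, dh, sign, verify = m.groups()
            cur.update(encr=encr, keysize=int(keysize), prf=prf, hash=hsh,
                       dh=int(dh), auth_sign=sign, auth_verify=verify)
            continue
        m = LIFE.search(line)
        if m:
            cur.update(life=int(m.group(1)), active=int(m.group(2)))
    return sas


def check_sa(sa, policy=POLICY, expect_vrf=None):
    """List of problems with one SA; empty means it meets policy.
    expect_vrf is an optional (fvrf, ivrf) pair the SA must belong to."""
    p = []
    if sa["status"] != "READY":
        p.append(f"status {sa['status']}")
    if sa.get("encr") not in policy["encr"]:
        p.append(f"encryption {sa.get('encr')}")
    if sa.get("keysize", 0) < policy["min_keysize"]:
        p.append(f"keysize {sa.get('keysize')}")
    if sa.get("prf") not in policy["prf"]:
        p.append(f"PRF {sa.get('prf')}")
    if sa.get("dh", 0) < policy["min_dh"]:
        p.append(f"DH group {sa.get('dh')}")
    if expect_vrf and (sa["fvrf"], sa["ivrf"]) != expect_vrf:
        p.append(f"vrf {sa['fvrf']}/{sa['ivrf']}")
    return p


def audit(text, expect_vrf=None):
    """Map tunnel-id -> problem list for every SA in the show output."""
    return {sa["id"]: check_sa(sa, expect_vrf=expect_vrf)
            for sa in parse_ikev2_sa(text)}


if __name__ == "__main__":
    for tid, probs in audit(SAMPLE, expect_vrf=("none", "dmvpn")).items():
        print(f"SA {tid}: {'OK' if not probs else ', '.join(probs)}")
```

Note that the proposal on this page offers aes-cbc-128 and aes-cbc-192 with groups 14 and 15, and the hub landed on 128/14 for both spokes: IKEv2 picks the first acceptable combination, so the checker is also a quick way to confirm the negotiated floor rather than just that the SA is READY.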
R5 (SPOKE - iVRF and fVRF are the same VRF)
……………………………………………………………………………………………………………………………………………
vrf definition dmvpn
!
address-family ipv4
exit-address-family
!
crypto ikev2 proposal prop-01
encryption aes-cbc-128 aes-cbc-192
integrity sha256 sha512
group 14 15
!
crypto ikev2 policy pol-01
match fvrf dmvpn !!! ….. Because the tunnel is sourced from a VRF, this policy must be bound to the same front VRF (fVRF)
match address local 10.150.5.1 !!! ….. The local address is the tunnel source, which lives in the VRF routing table rather than the global routing table
proposal prop-01
!
crypto ikev2 keyring dmvpn-key
peer R1
address 0.0.0.0 0.0.0.0
pre-shared-key cisco123
!
crypto ikev2 profile prof-01
match fvrf dmvpn !!! ….. Because the tunnel is sourced from a VRF, this profile must be bound to the same front VRF (fVRF)
match identity remote address 0.0.0.0
authentication local pre-share
authentication remote pre-share
keyring local dmvpn-key
!
crypto ipsec transform-set tset esp-aes 192 esp-sha512-hmac
mode tunnel
!
crypto ipsec profile dmvpn
set transform-set tset
set ikev2-profile prof-01
!
interface Loopback0
vrf forwarding dmvpn
ip address 10.150.50.1 255.255.255.255
!
interface Tunnel0
vrf forwarding dmvpn !!! …. The iVRF is the same VRF as the fVRF on this spoke
ip address 192.168.1.2 255.255.255.0
no ip redirects
ip nhrp map 192.168.1.1 10.150.1.1
ip nhrp map multicast 10.150.1.1
ip nhrp network-id 1
ip nhrp nhs 192.168.1.1
ip nhrp shortcut
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel vrf dmvpn !!! … Source the tunnel from the front VRF that the source interface belongs to
tunnel protection ipsec profile dmvpn
!
interface GigabitEthernet0/0
vrf forwarding dmvpn
ip address 10.150.5.1 255.255.255.0
!
router eigrp 1
!
address-family ipv4 vrf dmvpn autonomous-system 102
network 10.150.50.1 0.0.0.0
network 192.168.1.2 0.0.0.0
exit-address-family
!
ip route vrf dmvpn 0.0.0.0 0.0.0.0 10.150.5.2
R5#sh cry ikev2 sa
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
2 10.150.5.1/500 10.150.6.1/500 dmvpn/dmvpn READY
Encr: AES-CBC, keysize: 128, PRF: SHA256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/2475 sec
Tunnel-id Local Remote fvrf/ivrf Status
1 10.150.5.1/500 10.150.1.1/500 dmvpn/dmvpn READY
Encr: AES-CBC, keysize: 128, PRF: SHA256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/6088 sec
IPv6 Crypto IKEv2 SA
R6 (SPOKE - same as R5, except that the fVRF is different from the iVRF)
……………………………………………………………………………………………………………………………………………
vrf definition fvrf-dmvpn
!
address-family ipv4
exit-address-family
!
vrf definition ivrf-dmvpn
!
address-family ipv4
exit-address-family
!
crypto ikev2 proposal prop-01
encryption aes-cbc-128 aes-cbc-192
integrity sha256 sha512
group 14 15
!
crypto ikev2 policy pol-01
match fvrf fvrf-dmvpn
proposal prop-01
!
crypto ikev2 keyring dmvpn-key
peer R1
address 0.0.0.0 0.0.0.0
pre-shared-key cisco123
!
crypto ikev2 profile prof-01
match fvrf fvrf-dmvpn
match identity remote address 0.0.0.0
identity local address 10.150.6.1
authentication local pre-share
authentication remote pre-share
keyring local dmvpn-key
!
crypto ipsec transform-set tset esp-aes 192 esp-sha512-hmac
mode tunnel
!
crypto ipsec profile dmvpn
set transform-set tset
set ikev2-profile prof-01
!
interface Loopback0
vrf forwarding ivrf-dmvpn
ip address 10.150.60.1 255.255.255.255
!
interface Tunnel0
vrf forwarding ivrf-dmvpn
ip address 192.168.1.3 255.255.255.0
no ip redirects
ip nhrp map 192.168.1.1 10.150.1.1
ip nhrp map multicast 10.150.1.1
ip nhrp network-id 1
ip nhrp nhs 192.168.1.1
ip nhrp shortcut
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel vrf fvrf-dmvpn
tunnel protection ipsec profile dmvpn
!
interface GigabitEthernet0/0
vrf forwarding fvrf-dmvpn
ip address 10.150.6.1 255.255.255.0
!
router eigrp 1
!
address-family ipv4 vrf ivrf-dmvpn autonomous-system 102
network 10.150.60.1 0.0.0.0
network 192.168.1.3 0.0.0.0
exit-address-family
!
ip route vrf fvrf-dmvpn 0.0.0.0 0.0.0.0 10.150.6.2
R6# sh cry ikev2 sa
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
1 10.150.6.1/500 10.150.1.1/500 fvrf-dmvpn/ivrf-dm READY
Encr: AES-CBC, keysize: 128, PRF: SHA256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/4924 sec
Tunnel-id Local Remote fvrf/ivrf Status
2 10.150.6.1/500 10.150.5.1/500 fvrf-dmvpn/ivrf-dm READY
Encr: AES-CBC, keysize: 128, PRF: SHA256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/2973 sec
IPv6 Crypto IKEv2 SA
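The rule that R5 and R6 illustrate is that three places must agree on the front VRF: `vrf forwarding` on the tunnel-source interface, `tunnel vrf` on the Tunnel interface, and `match fvrf` on the IKEv2 profile that the IPsec profile points at (absent means global in all three; `match fvrf any` is a wildcard). If one is missing, IKEv2 packets arriving in the fVRF match no profile and the SA never comes up. The following is an added example (my code, not from the post or from Cisco) that audits a running-config for that consistency, and also flags the wildcard keyring entry. The R5_OK excerpt is a constructed abbreviation of the R5 config above, R5_BROKEN is a hypothetical misconfiguration derived from it, and the parser assumes the one-space indentation that `show running-config` prints.

```python
"""Audit front-VRF (fVRF) consistency in an IOS IKEv2 DMVPN running-config."""

# Constructed excerpt (not the post's full config) following the R5 spoke
# pattern above: tunnel-source interface in VRF dmvpn, "tunnel vrf dmvpn",
# and an IKEv2 profile bound to that fVRF with "match fvrf dmvpn".
R5_OK = """\
crypto ikev2 keyring dmvpn-key
 peer R1
  address 0.0.0.0 0.0.0.0
  pre-shared-key cisco123
!
crypto ikev2 profile prof-01
 match fvrf dmvpn
 match identity remote address 0.0.0.0
 keyring local dmvpn-key
!
crypto ipsec profile dmvpn
 set ikev2-profile prof-01
!
interface Tunnel0
 vrf forwarding dmvpn
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel vrf dmvpn
 tunnel protection ipsec profile dmvpn
!
interface GigabitEthernet0/0
 vrf forwarding dmvpn
 ip address 10.150.5.1 255.255.255.0
"""
# Hypothetical misconfiguration: same spoke, but the profile was never bound
# to the fVRF, so IKEv2 packets arriving in VRF dmvpn match no profile.
R5_BROKEN = R5_OK.replace(" match fvrf dmvpn\n", "")


def parse_sections(config):
    """Split a running-config into {header: [stripped sub-lines]}.
    Relies on the indentation 'show running-config' prints."""
    sections, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None
        elif line[0].isspace():
            if current is not None:
                sections[current].append(line.strip())
        else:
            current = line
            sections[current] = []
    return sections


def first_arg(lines, prefix):
    """Argument of the first sub-line starting with prefix, else None."""
    for line in lines:
        if line.startswith(prefix + " "):
            return line[len(prefix):].strip()
    return None


def audit_fvrf(config):
    """Findings for each IPsec-protected Tunnel: the source interface's
    'vrf forwarding', the tunnel's 'tunnel vrf' and the IKEv2 profile's
    'match fvrf' must name the same VRF (absent = global; 'any' is a
    wildcard on the profile)."""
    sec = parse_sections(config)
    findings = []
    for header, lines in sec.items():
        if not header.startswith("interface Tunnel"):
            continue
        ipsec_prof = first_arg(lines, "tunnel protection ipsec profile")
        if ipsec_prof is None:
            continue  # plain GRE, no IKEv2 involved
        src = first_arg(lines, "tunnel source")
        src_vrf = first_arg(sec.get(f"interface {src}", []), "vrf forwarding")
        tun_vrf = first_arg(lines, "tunnel vrf")
        if src_vrf != tun_vrf:
            findings.append(f"{header}: source {src} is in VRF "
                            f"{src_vrf or 'global'} but tunnel vrf is "
                            f"{tun_vrf or 'global'}")
        ikev2_prof = first_arg(sec.get(f"crypto ipsec profile {ipsec_prof}", []),
                               "set ikev2-profile")
        match_fvrf = first_arg(sec.get(f"crypto ikev2 profile {ikev2_prof}", []),
                               "match fvrf")
        if match_fvrf != "any" and match_fvrf != tun_vrf:
            findings.append(f"{header}: IKEv2 profile {ikev2_prof} matches fVRF "
                            f"{match_fvrf or 'global'} but tunnel uses "
                            f"{tun_vrf or 'global'}")
    return findings


def audit_wildcard_psk(config):
    """Keyring peers whose 0.0.0.0/0 address accepts any initiator holding
    the shared key. Fine in a lab; in production prefer per-peer keys or
    certificates so one leaked key does not admit arbitrary spokes."""
    sec = parse_sections(config)
    hits, peer = [], None
    for header, lines in sec.items():
        if header.startswith("crypto ikev2 keyring"):
            for line in lines:
                if line.startswith("peer "):
                    peer = line[5:]
                elif line == "address 0.0.0.0 0.0.0.0":
                    hits.append(f"{header}: peer {peer} uses a wildcard address")
    return hits


if __name__ == "__main__":
    for name, cfg in (("R5_OK", R5_OK), ("R5_BROKEN", R5_BROKEN)):
        print(name, audit_fvrf(cfg) or "fVRF consistent", audit_wildcard_psk(cfg))
```

Run against the hub pattern (source interface in the global table, no `tunnel vrf`, no `match fvrf`) the audit stays silent, which is why R1 needs none of the fVRF lines that R5 and R6 carry.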