05-13-2012 08:37 PM - edited 02-21-2020 06:04 PM
Hi.
I have been labbing up a solution using DMVPN and VRF, similar to that described in the blog post here. It works very well, however when I try to extend the concept to a redundant hub, it breaks with IPSec. If I remove the tunnel protection, it works fine.
Does anyone have any ideas about providing IPSec protection to multiple DMVPN tunnels for VRFs to a redundant Hub?
Thanks.
Client config (no IPSec):
interface Tunnel10
ip vrf forwarding Staff
ip address 10.254.254.23 255.255.255.0
no ip redirects
ip mtu 1416
ip nhrp authentication MFS
ip nhrp map multicast 172.16.1.1
ip nhrp map 10.254.254.1 172.16.1.1
ip nhrp map 10.254.254.3 172.16.1.3
ip nhrp map multicast 172.16.1.3
ip nhrp network-id 10
ip nhrp holdtime 600
ip nhrp nhs 10.254.254.1
ip nhrp nhs 10.254.254.3
ip tcp adjust-mss 1360
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 10
!
interface Tunnel20
ip vrf forwarding Clients
ip address 10.254.253.23 255.255.255.0
no ip redirects
ip mtu 1416
ip nhrp authentication MFSC
ip nhrp map 10.254.253.1 172.16.1.1
ip nhrp map multicast 172.16.1.1
ip nhrp map multicast 172.16.1.3
ip nhrp map 10.254.253.3 172.16.1.3
ip nhrp network-id 20
ip nhrp holdtime 600
ip nhrp nhs 10.254.253.1
ip nhrp nhs 10.254.253.3
ip tcp adjust-mss 1360
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 20
!
Hub 1:
interface Tunnel10
ip vrf forwarding Staff
ip address 10.254.254.1 255.255.255.0
no ip redirects
ip mtu 1416
ip nhrp authentication MFS
ip nhrp map multicast dynamic
ip nhrp network-id 10
ip nhrp holdtime 360
ip tcp adjust-mss 1360
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 10
!
interface Tunnel20
ip vrf forwarding Clients
ip address 10.254.253.1 255.255.255.0
no ip redirects
ip mtu 1416
ip nhrp authentication MFSC
ip nhrp map multicast dynamic
ip nhrp network-id 20
ip nhrp holdtime 360
ip tcp adjust-mss 1360
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 20
!
Hub 2:
interface Tunnel10
ip vrf forwarding Staff
ip address 10.254.254.3 255.255.255.0
no ip redirects
ip mtu 1416
ip nhrp authentication MFS
ip nhrp map multicast dynamic
ip nhrp network-id 10
ip nhrp holdtime 360
ip nhrp server-only
ip tcp adjust-mss 1360
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 10
!
interface Tunnel20
ip vrf forwarding Clients
ip address 10.254.253.3 255.255.255.0
no ip redirects
ip mtu 1416
ip nhrp authentication MFSC
ip nhrp map multicast dynamic
ip nhrp network-id 20
ip nhrp holdtime 360
ip tcp adjust-mss 1360
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 20
!
05-13-2012 09:42 PM
Under the Hub you have to add
HUB1
interface Tunnel10
ip nhrp map 10.254.254.1
ip nhrp map multicast <IP address of FastEthernet0/0 for HUB2>
HUB2
interface Tunnel10
ip nhrp map 10.254.254.3
ip nhrp map multicast <IP address of FastEthernet0/0 for HUB1>
The same thing for the other tunnel interfaces
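An added example, not part of either post: a small audit for tunnel stanzas like the ones in this thread. It flags an NHS with no static NHRP map, a mapped NBMA address with no multicast map, and tunnels with no `tunnel protection`. It also flags protected tunnels that share a `tunnel source` without the IOS `shared` keyword; the thread does not establish whether that is the cause of the poster's failure. The sample config is constructed and the profile name `DMVPN-PROF` is hypothetical.

```python
import re

# Constructed sample modelled on the thread's spoke; profile name DMVPN-PROF is hypothetical.
SAMPLE = """\
interface Tunnel10
 ip nhrp map 10.254.254.1 172.16.1.1
 ip nhrp map multicast 172.16.1.1
 ip nhrp nhs 10.254.254.1
 tunnel source FastEthernet0/0
 tunnel protection ipsec profile DMVPN-PROF
!
interface Tunnel20
 ip nhrp map 10.254.253.1 172.16.1.1
 ip nhrp map multicast 172.16.1.1
 ip nhrp nhs 10.254.253.1
 ip nhrp nhs 10.254.253.3
 tunnel source FastEthernet0/0
"""

def parse_tunnels(cfg):
    """Map each 'interface Tunnel<n>' stanza to its sub-commands, one per line."""
    tunnels = {}
    for stanza in re.split(r"^(?=interface )", cfg, flags=re.M):
        lines = [l.strip() for l in stanza.split("\n!")[0].splitlines() if l.strip()]
        if lines and lines[0].startswith("interface Tunnel"):
            tunnels[lines[0].split()[1]] = "\n".join(lines[1:])
    return tunnels

def audit(cfg):
    """Return sorted (interface, finding) pairs for NHRP and IPsec gaps."""
    findings, by_source = [], {}
    for name, body in parse_tunnels(cfg).items():
        maps = dict(re.findall(r"^ip nhrp map (\d\S*) (\S+)$", body, re.M))
        mcast = set(re.findall(r"^ip nhrp map multicast (\d\S*)$", body, re.M))
        for nhs in re.findall(r"^ip nhrp nhs (\S+)$", body, re.M):
            if nhs not in maps:
                findings.append((name, f"NHS {nhs} has no static NHRP map"))
            elif maps[nhs] not in mcast:
                findings.append((name, f"no multicast map to {maps[nhs]}"))
        prot = re.search(r"^tunnel protection ipsec profile .+$", body, re.M)
        if not prot:
            findings.append((name, "no tunnel protection: GRE is sent unencrypted"))
        src = re.search(r"^tunnel source (\S+)$", body, re.M)
        if src:
            by_source.setdefault(src.group(1), []).append((name, prot))
    for src, users in by_source.items():
        findings += [(n, f"source {src} used by several tunnels; protection lacks 'shared'")
                     for n, p in users if len(users) > 1 and p and not p.group(0).endswith(" shared")]
    return sorted(findings)
```

Call `audit()` on the text of a running config; it accepts both indented sub-commands and the flattened form posted above.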