Hi,

I'm trying to get DMVPN (mGRE over IPSEC) to establish over different FVRF and IVRF on the hub side.

Just for clarity, hub IP is 10.1.1.1, spoke's is 10.2.2.2 (obviously I have routing between the 2, they can ping each other etc)

If I use an interface as source within the same VRF as the mGRE tunnel interface everything works fine (IPSEC comes UP, GRE, NHRP and BGP do too).

If I use an interface as source from another VRF, phase1 comes up (QM_IDLE ACTIVE) but phase2 doesn't, which prevents GRE, NHRP etc...

(those results are obtained from/within the same router, which is a C8000V FYI, and the spoke's config is unchanged in any scenario, just to be clear)

Debug shows "IPSEC policy invalidated proposal with error 32 / Phase2 SA policy not acceptable! (local 10.1.1.1 remote 10.2.2.2)"

Yet the phase2 parameters received from the spoke match those in the hub, and I've tried many different sets of parameters, I'm always getting the same error...

There is no NAT anywhere, and the IPs listed in the debug results above are correct FYI.

Also, that's the only tunnel in VRFBLUE FYI.

IVRF = VRFBLUE

FVRF = VRFRED

WORKING CFG

crypto isakmp policy 10
encryption aes 256
hash sha384
authentication pre-share
group 21

crypto keyring KR-DMVPN-ALL-WITHIN-SAME-VRF vrf VRFBLUE
pre-shared-key address 0.0.0.0 0.0.0.0 key **************

crypto isakmp profile IKP-DMVPN-ALL-WITHIN-SAME-VRF
vrf VRFBLUE
keyring KR-DMVPN-ALL-WITHIN-SAME-VRF
match identity address 0.0.0.0 VRFBLUE

crypto ipsec transform-set TS-DMVPN esp-aes 256 esp-sha384-hmac
mode transport

crypto ipsec profile IP-DMVPN-ALL-WITHIN-SAME-VRF
set transform-set TS-DMVPN
set isakmp-profile IKP-DMVPN-ALL-WITHIN-SAME-VRF

interface Loopback18683
vrf forwarding VRFBLUE
ip address 10.1.1.1 255.255.255.255

interface Tunnel1868
vrf forwarding VRFBLUE
ip address 169.254.239.254 255.255.254.0
no ip redirects
ip nhrp network-id 1
ip nhrp holdtime 180
tunnel source Loopback18683
tunnel mode gre multipoint
tunnel key XXXX
tunnel vrf VRFBLUE
tunnel protection ipsec profile IP-DMVPN-ALL-WITHIN-SAME-VRF

NOT WORKING CFG

crypto isakmp policy 10
encryption aes 256
hash sha384
authentication pre-share
group 21

crypto keyring KR-DMVPN-ACROSS-DIFFERENT-VRFS vrf VRFRED
pre-shared-key address 0.0.0.0 0.0.0.0 key **************

crypto isakmp profile IKP-DMVPN-ACROSS-DIFFERENT-VRFS
vrf VRFBLUE
keyring KR-DMVPN-ACROSS-DIFFERENT-VRFS
match identity address 0.0.0.0 VRFRED

crypto ipsec transform-set TS-DMVPN esp-aes 256 esp-sha384-hmac
mode transport

crypto ipsec profile IP-DMVPN-ACROSS-DIFFERENT-VRFS
set transform-set TS-DMVPN
set isakmp-profile IKP-DMVPN-ACROSS-DIFFERENT-VRFS

interface Loopback18683
vrf forwarding VRFRED
ip address 10.1.1.1 255.255.255.255

interface Tunnel1868
vrf forwarding VRFBLUE
ip address 169.254.239.254 255.255.254.0
no ip redirects
ip nhrp network-id 1
ip nhrp holdtime 180
tunnel source Loopback18683
tunnel mode gre multipoint
tunnel key XXXX
tunnel vrf VRFRED
tunnel protection ipsec profile IP-DMVPN-ACROSS-DIFFERENT-VRFS

(the "NOT WORKING CFG" above is copied from a pure IPSEC - not involving any GRE/mGRE therefore - from another router - an ASR1K - using different FVRF and IVRF and working fine FYI)

Any help is greatly appreciated, thanks.