01-19-2023 10:21 AM
I've run into a problem with a working DMVPN setup, where I need to move the external (DMVPN source interface) from the global table into the same VRF as the tunnel.
Prior to adding the external into the VRF the tunnel was up and passing traffic.
When I configured the external interface with the same VRF as that used on the tunnel (this is a hub device) the tunnel failed to establish.
As far as I understand there is no VRF information passed in the crypto exchange?
This is running on 2811 with c2800nm-advsecurityk9-mz.151-4.M12a, old kit I know, but its for a low bandwidth application for a hard up not-for-profit charity!
Should this work, in all the years of working with DMVPN I've never used an external interface that is not in the global table, but see no reason why that should cause an issue.
vrf definition SARnet
rd 100:200
!
address-family ipv4
exit-address-family
!
crypto ipsec profile VTI
set transform-set DMVPN
!
interface Tunnel200
description <removed>
vrf forwarding SARnet
ip address 10.200.1.254 255.255.0.0
no ip redirects
ip mtu 1400
ip pim dr-priority 0
ip pim nbma-mode
ip pim sparse-mode
ip nhrp map multicast dynamic
ip nhrp network-id 2222
ip nhrp shortcut
ip nhrp redirect
ip tcp adjust-mss 1360
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 2222
tunnel protection ipsec profile VTI shared
!
interface FastEthernet0/0
description to WAN
vrf forwarding SARnet
ip address <removed> 255.255.255.252
no ip unreachables
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
01-19-2023 10:59 AM
You need only defualt static route with vrf aware and the tunnel will be up and work.
01-20-2023 09:07 AM
Aha, yes, I forgot to post this line in my script, was already in my config thanks
01-20-2023 09:11 AM
do
show dmvpn detail <<- share it here, I what to see at which stage the DMVPN stop
01-19-2023 11:07 AM - edited 01-19-2023 11:08 AM
@aacole a couple of things. The tunnel needs to be configure in the the Front Door VRF using "tunnel vrf VRFNAME"
interface tunnel200
no vrf-forwarding SARnet
tunnel vrf SARnet
You'd also need to ensure the keyring is defined under the VRF
crypto keyring KEYRING vrf SARnet
pre-shared-key address 0.0.0.0 0.0.0.0 key cisco1234
Check your IKE profile/policy to determine whether it's specified to match on global or any VRF.
And obviously the default route as already mentioned.
01-20-2023 09:15 AM
Right, that fixed the tunnel issue, but I'm left with another issue now with the crypto. after modifying the crypto I'm getting an error which is related to a pre-shared key mismatch, I've checked and re-checked this at both ends though.
Error is %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from <remote IP> failed its sanity check or is malformed
The crypto did work prior to the VRF and keyring config modifications, that was a non keyring crypto setup.
The config I ended up with (I've not used keyring config before) is:
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto keyring VTI vrf SARnet
pre-shared-key address 0.0.0.0 0.0.0.0 key SecretKey
!
crypto isakmp profile VTI-ISAKMP-PROFILE
keyring VTI
match identity address 0.0.0.0 SARnet
!
crypto ipsec transform-set DMVPN esp-aes esp-sha-hmac
mode transport
crypto ipsec profile VTI
set transform-set DMVPN
set isakmp-profile VTI-ISAKMP-PROFILE
Added the following my the DMVPN tunnel:
int t0
tunnel vrf SARnet
tunnel protection ipsec profile VTI shared
Now I'm failing to get the tunnels established. They do wotk if I remove the crypto though, so if I cannot get the crypto keyring config to work then I may do without the encryption.
Anything wroung with my crypto config?
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide