DMVPN tunnels go down when source interface moved from global to vrf

aacole
Level 5

I've run into a problem with a working DMVPN setup, where I need to move the external (DMVPN source interface) from the global table into the same VRF as the tunnel.

Prior to adding the external into the VRF the tunnel was up and passing traffic.

When I configured the external interface with the same VRF as that used on the tunnel (this is a hub device) the tunnel failed to establish.

As far as I understand there is no VRF information passed in the crypto exchange?

This is running on a 2811 with c2800nm-advsecurityk9-mz.151-4.M12a, old kit I know, but it's for a low bandwidth application for a hard up not-for-profit charity!

Should this work? In all the years of working with DMVPN I've never used an external interface that is not in the global table, but I see no reason why that should cause an issue.

vrf definition SARnet
rd 100:200
!
address-family ipv4
exit-address-family
!
crypto ipsec profile VTI
set transform-set DMVPN
!

interface Tunnel200
description <removed>
vrf forwarding SARnet
ip address 10.200.1.254 255.255.0.0
no ip redirects
ip mtu 1400
ip pim dr-priority 0
ip pim nbma-mode
ip pim sparse-mode
ip nhrp map multicast dynamic
ip nhrp network-id 2222
ip nhrp shortcut
ip nhrp redirect
ip tcp adjust-mss 1360
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 2222
tunnel protection ipsec profile VTI shared
!

interface FastEthernet0/0
description to WAN
vrf forwarding SARnet
ip address <removed> 255.255.255.252
no ip unreachables
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto

5 Replies

You only need a VRF-aware default static route, and the tunnel will come up and work.

Aha, yes, I forgot to post this line in my script; it was already in my config. Thanks.

Do a 'show dmvpn detail' and share it here; I want to see at which stage the DMVPN stops.

@aacole a couple of things. The tunnel needs to be configured in the Front Door VRF using "tunnel vrf VRFNAME"

interface tunnel200
no vrf forwarding SARnet
tunnel vrf SARnet

You'd also need to ensure the keyring is defined under the VRF

crypto keyring KEYRING vrf SARnet
 pre-shared-key address 0.0.0.0 0.0.0.0 key cisco1234

Check your IKE profile/policy to determine whether it's specified to match on the global table or on any VRF.

And obviously the default route as already mentioned.
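As an added example, not code from the thread or from Cisco: a small Python lint that reads an IOS-style config and checks the four front-door VRF points raised in the reply above (the tunnel's "tunnel vrf" must match the VRF of its source interface, the keyring must be defined under that VRF, the ISAKMP profile must match identities in that VRF, and a VRF-aware default route must exist). The parser, the sample config and the 192.0.2.x addresses are constructed for illustration; the VRF, interface and profile names are the ones from the thread.

```python
"""Lint an IOS-style config for front-door VRF (FVRF) DMVPN consistency.

Added example, not from the thread. The checks mirror the reply above:
  1. 'tunnel vrf' on the tunnel equals the 'vrf forwarding' of its source
  2. the keyring used by the ISAKMP profile is bound to that VRF
  3. the ISAKMP profile has a 'match identity address ... <VRF>' line
  4. a default route exists in that VRF ('ip route vrf <VRF> 0.0.0.0 0.0.0.0')
"""
from typing import Dict, List, Optional

# Constructed sample hub config (addresses are documentation placeholders).
SAMPLE_CONFIG = """\
vrf definition SARnet
 rd 100:200
 !
 address-family ipv4
 exit-address-family
!
crypto keyring VTI vrf SARnet
 pre-shared-key address 0.0.0.0 0.0.0.0 key PLACEHOLDER
!
crypto isakmp profile VTI-ISAKMP-PROFILE
 keyring VTI
 match identity address 0.0.0.0 SARnet
!
crypto ipsec transform-set DMVPN esp-aes esp-sha-hmac
 mode transport
!
crypto ipsec profile VTI
 set transform-set DMVPN
 set isakmp-profile VTI-ISAKMP-PROFILE
!
interface Tunnel200
 ip address 10.200.1.254 255.255.0.0
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel vrf SARnet
 tunnel protection ipsec profile VTI shared
!
interface FastEthernet0/0
 vrf forwarding SARnet
 ip address 192.0.2.2 255.255.255.252
!
ip route vrf SARnet 0.0.0.0 0.0.0.0 192.0.2.1
"""


def parse_sections(config: str) -> Dict[str, List[str]]:
    """Split a config into top-level sections keyed by their unindented header.

    Indented lines belong to the preceding header; '!' and blank lines are
    dropped. Top-level one-liners (like 'ip route ...') become empty sections.
    """
    sections: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw[0] != " ":
            current = raw.strip()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(raw.strip())
    return sections


def _first(lines: List[str], prefix: str) -> Optional[str]:
    """Return the argument of the first line starting with prefix, else None."""
    for line in lines:
        if line.startswith(prefix):
            return line[len(prefix):].strip()
    return None


def check_fvrf(config: str, tunnel: str) -> List[str]:
    """Return a list of findings; an empty list means the FVRF wiring is consistent."""
    sections = parse_sections(config)
    findings: List[str] = []
    tun = sections.get(f"interface {tunnel}")
    if tun is None:
        return [f"{tunnel}: interface not found"]
    source = _first(tun, "tunnel source ")
    if source is None:
        return [f"{tunnel}: no tunnel source configured"]

    # Check 1: tunnel vrf must match the source interface's VRF.
    src = sections.get(f"interface {source}", [])
    source_vrf = _first(src, "vrf forwarding ") or _first(src, "ip vrf forwarding ")
    if not source_vrf:
        return findings  # source in the global table: nothing FVRF-specific to check
    tunnel_vrf = _first(tun, "tunnel vrf ")
    if tunnel_vrf != source_vrf:
        findings.append(f"{tunnel}: source {source} is in VRF {source_vrf} "
                        f"but tunnel vrf is {tunnel_vrf or 'global'}")

    # Checks 2 and 3: follow tunnel protection -> ipsec profile -> isakmp profile.
    prot = _first(tun, "tunnel protection ipsec profile ")
    if prot is not None:
        ipsec_profile = prot.split()[0]  # drop a trailing 'shared'
        isakmp_profile = _first(sections.get(f"crypto ipsec profile {ipsec_profile}", []),
                                "set isakmp-profile ")
        if isakmp_profile is None:
            findings.append(f"ipsec profile {ipsec_profile}: no isakmp-profile bound, "
                            f"cannot verify keyring/identity VRF")
        else:
            isakmp = sections.get(f"crypto isakmp profile {isakmp_profile}", [])
            keyring = _first(isakmp, "keyring ")
            if keyring is None:
                findings.append(f"isakmp profile {isakmp_profile}: no keyring")
            elif f"crypto keyring {keyring} vrf {source_vrf}" not in sections:
                findings.append(f"keyring {keyring}: not defined under vrf {source_vrf}")
            matches = [l for l in isakmp if l.startswith("match identity address ")]
            if not any(l.split()[-1] == source_vrf for l in matches):
                findings.append(f"isakmp profile {isakmp_profile}: "
                                f"no 'match identity address ... {source_vrf}'")

    # Check 4: VRF-aware default route.
    if not any(k.startswith(f"ip route vrf {source_vrf} 0.0.0.0 0.0.0.0") for k in sections):
        findings.append(f"vrf {source_vrf}: no default route")
    return findings


if __name__ == "__main__":
    for finding in check_fvrf(SAMPLE_CONFIG, "Tunnel200") or ["OK: FVRF wiring consistent"]:
        print(finding)
```

Feeding it the hub's original state (vrf forwarding on the tunnel instead of tunnel vrf, and no route in the VRF) reports exactly the two points the replies raised, while the corrected sample passes clean.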

Right, that fixed the tunnel issue, but I'm left with another issue now with the crypto. After modifying the crypto I'm getting an error which is related to a pre-shared key mismatch; I've checked and re-checked this at both ends though.

Error is %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from <remote IP> failed its sanity check or is malformed

The crypto did work prior to the VRF and keyring config modifications; that was a non-keyring crypto setup.

The config I ended up with (I've not used keyring config before) is:

crypto isakmp policy 10
encr aes
authentication pre-share
group 2

crypto keyring VTI vrf SARnet
pre-shared-key address 0.0.0.0 0.0.0.0 key SecretKey
!
crypto isakmp profile VTI-ISAKMP-PROFILE
keyring VTI
match identity address 0.0.0.0 SARnet
!
crypto ipsec transform-set DMVPN esp-aes esp-sha-hmac
mode transport

crypto ipsec profile VTI
set transform-set DMVPN
set isakmp-profile VTI-ISAKMP-PROFILE

Added the following to my DMVPN tunnel:

int t0
tunnel vrf SARnet
tunnel protection ipsec profile VTI shared

Now I'm failing to get the tunnels established. They do work if I remove the crypto though, so if I cannot get the crypto keyring config to work then I may do without the encryption.

Anything wrong with my crypto config?