Solved: IPSec DVTI /SVTI issue

Soma-II · ‎05-07-2025

Hello,

We're in the process of setting up a HUB-and-SPOKE topology using IPsec VTIs.

The HUB router is configured with DVTI, and the SPOKE router uses SVTI.

While there is IP connectivity between the routers, Phase 1 of the IPsec negotiation is failing. The HUB router (ROUTER_HUB) is not receiving any IP packets from the SPOKE router (ROUTER_SPOKE).
We’ve reviewed multiple documents and guides, and based on that, the configuration appears to be correct.

Configuration and test outputs are attached below for reference.

I'd really appreciate any assistance you can offer.

EDIT: I've added the solution file for future reference

Thank you for everything

Rob Ingram · ‎05-07-2025

Hi @Soma-II when using VRF_555 as the FVRF where the peer is reached, then this configuration is what I was referring to:-

crypto keyring IPSec_key-ring_SPOKE_ROUTER_HUB vrf VRF_555
 pre-shared-key address 172.21.55.70 key CLAVE123

crypto isakmp profile Isakmp-profile_SPOKE_ROUTER_HUB
 match identity address 172.21.55.70 VRF_555

interface Tunnel555
 tunnel vrf VRF_555

View solution in original post

Rob Ingram · ‎05-07-2025

@Soma-II If the peer router is reachable via VRF_555, then you need to configure the keyring, isakmp identity and tunnel interface to match on VRF_555

Soma-II · ‎05-07-2025

Hello Rob,

Yes, we have already implemented the changes. Have you had a chance to review the configuration file? The VRF is correctly attached to the interfaces.

Thank you

Rob Ingram · ‎05-07-2025

Hi @Soma-II when using VRF_555 as the FVRF where the peer is reached, then this configuration is what I was referring to:-

crypto keyring IPSec_key-ring_SPOKE_ROUTER_HUB vrf VRF_555
 pre-shared-key address 172.21.55.70 key CLAVE123

crypto isakmp profile Isakmp-profile_SPOKE_ROUTER_HUB
 match identity address 172.21.55.70 VRF_555

interface Tunnel555
 tunnel vrf VRF_555

Soma-II · ‎05-07-2025

This is really interesting, Rob — I wasn’t aware those options were available.

According to some information I read (this one), VRF is only required on either the ISAKMP or the Tunnel interface (including VTIs).

In any case, I’ve applied the configuration as you suggested earlier, but I feel like something might still be missing.

Would you mind sharing any documentation or references I could check out?
Btw, I've modified the file again

Thank you so much for your help

Rob Ingram · ‎05-07-2025

@Soma-II refer to this guide, section "2.5 Migrate only router A to VTI – VRF-aware" - https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/ios-ipsec/white-paper-c11-744879.html#2IPsecvirtualtunnelinterfacemigrationinpractice

...this example references the specific configuration where you need to specify the FVRF.

Is your internal network also in VRF_555 or in the global routing table? If in the global routing table, you don't need "ip vrf forwarding VRF_555" under the tunnel interface.

Soma-II · ‎05-07-2025

First of all, thank you for your answer.

I've reviewed your document, but unfortunately, it wasn't very clear to me.

However, I’ve looked into the following resources:

These sources are part of what’s caused some confusion. I’d really like to follow your recommendation, but since I’m using DVTI on the HUB and SVTI on the SPOKE, I’m still unclear on where exactly the VRF parameters should be configured.

Rob Ingram · ‎05-07-2025

@Soma-II is the interface facing the peer, in VRF_555 or in the global routing table? Or is the inside interfaces in VRF_555 or global routing table?

Please provide the interface configuration, this would clear this up.

If the interface facing the peer is in VRF_555, this is referred to as a FVRF and you need the VRF configuration applied as above.

Soma-II · ‎05-07-2025

I’ve modified the Config_IPSec file to clarify the configuration—sorry for the earlier confusion. The traffic should be in VRF_555.

Based on the information I attached, it should only be necessary to add ip vrf forwarding VRF_555 on the tunnel/VTI interface. However, I had previously applied this configuration on the Spoke router and it didn’t work, for this reason I think that more detailed information would be helpful, for example, same VRF aware configuration for DVTI and SVTI?

I apologize, but this is being a little confusing

Rob Ingram · ‎05-07-2025

@Soma-II as the external interface is explictly configured in VRF_555 you must configure "tunnel vrf VRF_555" on the tunnel/virtual-template interface.

Your updated configuration above does not appear to have that configured under the VT on the hub.

What VRF are your internal/LAN interface in? VRF_555 or the global routing table?

MHM Cisco World · ‎05-07-2025

I dont know about vrf-555 you use is it vrf of tunnel source or vrf of tunnel itself? Please clarify this point

What I see wrong is you use

Tunnel destination dynamic <<- under virtual template which is wrong' remove it

MHM

Soma-II · ‎05-07-2025

Hello!!

I saw this configuration on the Internet and it made sense to me, that's why I added it under Virtual-Template. I just removed it, thank you for this clarification.

As for this VRF, this all traffic is under this VRF. This tunnel is "travelling" across a MPLS network.

I don't know if this information is helpful for you

MHM Cisco World · ‎05-07-2025

Tunnel source is config with vrf or not?

This interface is config as vrf aware??

tunnel source GigabitEthernet0/0/2.555

MHM

Soma-II · ‎05-07-2025

I've just modified the Config_IPSec file to include additional interface configurations.

Yes, the ip vrf forwarding VRF_555 command is included—you can check it in the configuration.

Sorry, I assumed the ping test was sufficient.

Rob Ingram · ‎05-07-2025

@Soma-II you need "tunnel vrf VRF_555" on the hub virtual template as it's interface facing the spoke is in VRF_555

interface Virtual-Template555 type tunnel
 tunnel vrf VRF_555