Hi All,
I have deployed ASRs within a service provider environment acting as the DMVPN hubs for multiple customers' networks contained within their own VRFs.
In each case from the tunnel perspective the iVRF and fVRF are the same for a specific customer and crypto key rings are used to associate pre-shared-keys.
When the box was first deployed, a test network was built without using keyrings, but still using the VRFs as shown in the snippet. However, I cannot get the configuration to work using keyrings, hence cannot add additional customers. It would appear that IKE phase 2 is not completing.
An initial bug scrub has come up clear, so I'm guessing I must be missing something.
Current firmware: Cisco IOS Software, IOS-XE Software (PPC_LINUX_IOSD-ADVENTERPRISEK9-M), Version 15.0(1)S
-- snippet of test configuration --
crypto keyring CUST1 vrf CUST1
 pre-shared-key address 10.10.10.0 255.255.255.0 key **CRYPTOKEY_CUST1**
crypto isakmp profile CUST1_PROFILE
 vrf CUST1
 keyring CUST1
 match identity address 0.0.0.0
crypto ipsec transform-set CUST1 esp-aes 256 esp-sha-hmac
 mode transport
interface Tunnel1
 bandwidth 1000
 ip vrf forwarding CUST1
 ip address 10.10.10.1 255.255.255.0
 no ip redirects
 ip nhrp authentication CUST1
 ip nhrp map multicast dynamic
 ip nhrp network-id 10101010
 ip nhrp holdtime 450
 ip nhrp registration no-unique
 no ip split-horizon
 delay 1000
 tunnel source GigabitEthernet0/0/0.1010
 tunnel mode gre multipoint
 tunnel key 1010
 tunnel vrf CUST1
 tunnel protection ipsec profile CUST1_PROFILE shared
Any help would be great.
Best regards
Mick
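
A per-customer keyring setup like the one posted chains several named objects together (keyring, ISAKMP profile, transform-set, IPsec profile, tunnel protection), so a quick name cross-reference is a useful first check before adding the next customer. The script below is an added example, not part of the original post; its input is a constructed copy of the crypto and tunnel lines from the snippet with the key masked, and because the post shows only a snippet, anything it reports as undefined may exist elsewhere in the full configuration.

```python
import re

# Constructed input: crypto/tunnel lines of the snippet as posted (key masked).
SNIPPET = """\
crypto keyring CUST1 vrf CUST1
 pre-shared-key address 10.10.10.0 255.255.255.0 key MASKED
crypto isakmp profile CUST1_PROFILE
 vrf CUST1
 keyring CUST1
 match identity address 0.0.0.0
crypto ipsec transform-set CUST1 esp-aes 256 esp-sha-hmac
 mode transport
interface Tunnel1
 ip vrf forwarding CUST1
 tunnel vrf CUST1
 tunnel protection ipsec profile CUST1_PROFILE shared
"""

# (object kind, line that defines it, indented line that references it)
RULES = [
    ("keyring", r"^crypto keyring (\S+)", r"^[ \t]+keyring (\S+)"),
    ("isakmp profile", r"^crypto isakmp profile (\S+)",
     r"^[ \t]+set isakmp-profile (\S+)"),
    # "set transform-set" may list several names, so capture the whole tail.
    ("transform-set", r"^crypto ipsec transform-set (\S+)",
     r"^[ \t]+set transform-set (.+)"),
    ("ipsec profile", r"^crypto ipsec profile (\S+)",
     r"^[ \t]+tunnel protection ipsec profile (\S+)"),
]

def cross_reference(config):
    """Return (undefined, unused) sets of (kind, name) for the crypto objects."""
    undefined, unused = set(), set()
    for kind, def_re, ref_re in RULES:
        defined = set(re.findall(def_re, config, re.M))
        referenced = set()
        for tail in re.findall(ref_re, config, re.M):
            referenced.update(tail.split())
        undefined |= {(kind, name) for name in referenced - defined}
        unused |= {(kind, name) for name in defined - referenced}
    return undefined, unused

if __name__ == "__main__":
    undefined, unused = cross_reference(SNIPPET)
    for kind, name in sorted(undefined):
        print(f"referenced but not defined: {kind} {name}")
    for kind, name in sorted(unused):
        print(f"defined but never referenced: {kind} {name}")
```

Run against the full running configuration of each customer VRF, the same check shows whether every tunnel actually reaches its own keyring through the profile chain.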