
Multiple DMVPNs within separate VRF's using crypto keyring

mvaites
Level 1

Hi All,

I have deployed ASR's within a service provider environment acting as the DMVPN hubs for multiple customers' networks contained within their own VRFs.

In each case from the tunnel perspective the iVRF and fVRF are the same for a specific customer and crypto key rings are used to associate pre-shared-keys.

When the box was first deployed a test network was built without using keyrings, but still using the VRF's as shown in the snippet. However I cannot get the configuration to work using keyrings, hence cannot add additional customers. It would appear that IKE phase 2 is not completing.

An initial bug scrub has come up clear so I'm guessing I must be missing something.

Current firmware: Cisco IOS Software, IOS-XE Software (PPC_LINUX_IOSD-ADVENTERPRISEK9-M), Version 15.0(1)S)

-- snippet of test configuration --

crypto keyring CUST1 vrf CUST1
  pre-shared-key address 10.10.10.0 255.255.255.0 key **CRYPTOKEY_CUST1**
crypto isakmp profile CUST1_PROFILE
   vrf CUST1
   keyring CUST1
   match identity address 0.0.0.0
crypto ipsec transform-set CUST1 esp-aes 256 esp-sha-hmac
 mode transport
interface Tunnel1
 bandwidth 1000
 ip vrf forwarding CUST1
 ip address 10.10.10.1 255.255.255.0
 no ip redirects
 ip nhrp authentication CUST1
 ip nhrp map multicast dynamic
 ip nhrp network-id 10101010
 ip nhrp holdtime 450
 ip nhrp registration no-unique
 no ip split-horizon
 delay 1000
 tunnel source GigabitEthernet0/0/0.1010
 tunnel mode gre multipoint
 tunnel key 1010
 tunnel vrf CUST1
 tunnel protection ipsec profile CUST1_PROFILE shared

Any help would be great.

Best regards

Mick

1 Reply

Marcin Latosiewicz
Cisco Employee

Config wise, you do not need "vrf CUST1" inside the profile, GRE will do handoff for you.

Hard to say where the problem is without more debugs ;-)

M.
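
Added example, not part of the thread and not the poster's or Cisco's code: a small Python check of two references a per-customer DMVPN hub config like the one in the question depends on, namely that each tunnel's front-door VRF (`tunnel vrf`) has a `crypto keyring ... vrf` scoped to it, and that the name given to `tunnel protection ipsec profile` is defined as a `crypto ipsec profile`. The sample config, the CUST2 entries and the `*_IPSEC` profile names are constructed for illustration.

```python
import re

# Constructed sample config (not from the thread). CUST1 is consistent; the
# hypothetical CUST2 keyring has no "vrf", and its ipsec profile is missing.
SAMPLE = """\
crypto keyring CUST1 vrf CUST1
 pre-shared-key address 10.10.10.0 255.255.255.0 key <redacted>
crypto keyring CUST2
 pre-shared-key address 10.20.20.0 255.255.255.0 key <redacted>
crypto ipsec profile CUST1_IPSEC
 set isakmp-profile CUST1_PROFILE
interface Tunnel1
 tunnel vrf CUST1
 tunnel protection ipsec profile CUST1_IPSEC
interface Tunnel2
 tunnel vrf CUST2
 tunnel protection ipsec profile CUST2_IPSEC shared
"""

# Tunnel sub-commands of interest: fVRF and the protection profile name.
FIELDS = {"fvrf": r"tunnel vrf (\S+)",
          "profile": r"tunnel protection ipsec profile (\S+)"}

def audit(config):
    """Return (tunnel, finding) pairs for unresolved keyring/profile references."""
    keyring_vrfs, ipsec_profiles, tunnels, current = set(), set(), {}, None
    for line in config.splitlines():
        s = line.strip()
        if not s:
            continue
        if not line[0].isspace():          # top-level command starts a new block
            current = None
            if m := re.match(r"crypto keyring \S+(?: vrf (\S+))?$", s):
                keyring_vrfs.add(m.group(1))   # None means the global table
            elif m := re.match(r"crypto ipsec profile (\S+)$", s):
                ipsec_profiles.add(m.group(1))
            elif m := re.match(r"interface (Tunnel\d+)$", s):
                current = tunnels.setdefault(m.group(1), {})
        elif current is not None:
            for key, pat in FIELDS.items():
                if m := re.match(pat, s):
                    current[key] = m.group(1)
    findings = []
    for name, t in sorted(tunnels.items()):
        if t.get("fvrf") not in keyring_vrfs:
            findings.append((name, f"no keyring scoped to fVRF {t.get('fvrf') or 'global'}"))
        if t.get("profile") not in ipsec_profiles | {None}:
            findings.append((name, f"ipsec profile {t['profile']} not defined"))
    return findings
```

The parser relies on sub-commands being indented under their parent, as in `show running-config` output; a pasted snippet that has lost its indentation needs that restored first.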
