dmvpn, nhrp, tunnel protection, vrf

Unanswered Question
Mar 16th, 2009

Hello!

Please see the configuration below.

Everything is working w/o tunnel protection. NHRP registrations are completed, VRF EIGRP is working.

If I set the tunnel protection, the NHRP client registration turns into incomplete and VRF EIGRP does not work either (because of the lack of multicast).

I've checked many configs on CCO but everything was in vain.

Thanks

!HUB
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key conet address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile SDM_Profile1
 set transform-set ESP-3DES-SHA
!
interface Loopback0
 ip address 172.0.1.1 255.255.255.255
!
interface Tunnel0
 bandwidth 1000
 ip vrf forwarding security
 ip address 10.255.255.254 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication conet
 ip nhrp map multicast dynamic
 ip nhrp network-id 200
 ip nhrp holdtime 360
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source Loopback0
 tunnel mode gre multipoint
 tunnel key 1000
 tunnel protection ipsec profile SDM_Profile1

-------------

! SPOKE
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key conet address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile SDM_Profile1
 set transform-set ESP-3DES-SHA
!
interface Loopback0
 description teszt if
 ip vrf forwarding security
 ip address 172.2.1.1 255.255.255.255
!
interface Tunnel0
 bandwidth 1000
 ip vrf forwarding security
 ip address 10.255.255.2 255.255.255.0
 ip mtu 1400
 ip nhrp authentication conet
 ip nhrp map 10.255.255.254 255.255.255.0 209.209.209.209
 ip nhrp map multicast 209.209.209.209
 ip nhrp network-id 2
 ip nhrp holdtime 360
 ip nhrp nhs 10.255.255.254
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source Serial0/0/0
 tunnel destination 172.0.1.1
 tunnel key 1000
 tunnel protection ipsec profile SDM_Profile1

Giuseppe Larosa Mon, 03/16/2009 - 06:24

Hello Karoly,

What you see can be caused by the IOS image on the hub.

What platform and what IOS release do you use as hub? And for the spoke?

You can use Feature Navigator to verify whether you have VRF-aware NHRP support in your release.

See

www.cisco.com/go/fn

Hope to help

Giuseppe

KAROLY KOHEGYI Mon, 03/16/2009 - 06:36

Hi,

It may be a good question, but unfortunately I did not find VRF-aware NHRP in the feature guide.

And I have the problem after I set the tunnel protection. Without tunnel protection the NHRP (with VRF) is working well.

By the way the IOS version is

Cisco IOS Software, 2800 Software (C2800NM-ADVSECURITYK9-M), Version 12.4(22)T, RELEASE SOFTWARE (fc1).

Regards,

Giuseppe Larosa Tue, 03/17/2009 - 03:59

Hello Karoly,

Thanks for having reported the solution to your issue; this makes the thread helpful for others that can have the same problem.

Best Regards

Giuseppe
