DMVPN - NHRP fails on IPSEC protected tunnel with FVRF on the hub

Jun 1st, 2010

Good day everyone,

I have a situation that has been nagging at me all day.  I'm trying to set up a DMVPN with a 7606 using an IPSEC SPA on one end and a 2431 on the cpe end.  The complication seems to be surrounding the implementation on the 7606.  We have an IP connection that comes into the 7606 and terminates in a vrf called IPSEC (The FVRF).  All the tunnels come in that connection, through the IPSEC SPA magic, and get dumped into different IVRFs depending on the tunnel.  From there they can go back upstream via the MPLS network to sites within the MPLS VPN.  It sounds like a great idea!!  I'm hoping I am not misunderstanding how this works because I could see us using this A LOT.  The problem I am having is with NHRP.  If I build everything up with IPSEC protection, the tunnels never establish.  If I remove the tunnel protection from the spoke and the hub, allow the NHRP cache to populate on the HUB, then drop the tunnel encryption on both ends, voila!  Tunnels come up and all is great! Until... we build 10s of tunnels to this HUB and one drops due to a crappy cable or dsl connection and is down long enough for the NHRP cache to timeout on the hub.  Now to get that one site back up I have to remove tunnel protection so that the NHRP cache can populate on the HUB.  In the meantime I have broken all the other sites and have to go touch all of them.  When we tried this without vrfs at all it worked fine.  It just came up without an intervention.  I would really like to know what, if anything, I'm doing wrong with this implementation that requires me to remove tunnel protection to allow NHRP to build its initial cache entry on the HUB.

Any suggestions?  IPSEC is the FVRF and test is the IVRF in the config below.

HUB

interface Tunnel123
 bandwidth 1000
 ip vrf forwarding test
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication test
 ip nhrp map multicast dynamic
 ip nhrp network-id 100000
 ip nhrp holdtime 600
 delay 1000
 tunnel source Loopback0
 tunnel mode gre multipoint
 tunnel vrf IPSEC
 tunnel protection ipsec profile vpnprof
 crypto engine slot 2/0 inside
end

SPOKE

interface Tunnel123
 bandwidth 1000
 ip address 10.0.0.2 255.255.255.0
 ip mtu 1400
 ip nhrp authentication test
 ip nhrp map 10.0.0.1 x.x.x.x
 ip nhrp network-id 100000
 ip nhrp holdtime 300
 ip nhrp nhs 10.0.0.1
 delay 1000
 tunnel source Serial1/1:0.16
 tunnel destination X.X.X.X (IP = the IP of Loopback0 on the Hub)
 tunnel protection ipsec profile test
end
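As an added example that is not from the post or from Cisco: a small Python checker that parses the two tunnel stanzas above and flags the NHRP parameters that must agree between hub and spoke, plus the asymmetric state the post describes as its workaround (tunnel protection on one end only). The sample stanzas are constructed, reduced from the post's configs, and the field names are my own.

```python
import re

# Constructed samples reduced from the hub and spoke tunnel configs in the post
# (the hub's public address is kept as the x.x.x.x placeholder used there).
HUB = """interface Tunnel123
 ip vrf forwarding test
 ip address 10.0.0.1 255.255.255.0
 ip nhrp authentication test
 ip nhrp map multicast dynamic
 ip nhrp network-id 100000
 tunnel source Loopback0
 tunnel mode gre multipoint
 tunnel vrf IPSEC
 tunnel protection ipsec profile vpnprof"""
SPOKE = """interface Tunnel123
 ip address 10.0.0.2 255.255.255.0
 ip nhrp authentication test
 ip nhrp map 10.0.0.1 x.x.x.x
 ip nhrp network-id 100000
 ip nhrp nhs 10.0.0.1
 tunnel destination x.x.x.x
 tunnel protection ipsec profile test"""

def parse_tunnel(text):
    """Pull the NHRP/IPsec-relevant fields out of one tunnel interface stanza."""
    t = {"nhs": None, "protection": None, "tunnel_vrf": None, "multipoint": False, "mcast_dynamic": False}
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"ip address (\S+)", line): t["ip"] = m.group(1)
        elif m := re.match(r"ip nhrp authentication (\S+)", line): t["auth"] = m.group(1)
        elif m := re.match(r"ip nhrp network-id (\d+)", line): t["net_id"] = m.group(1)
        elif m := re.match(r"ip nhrp nhs (\S+)", line): t["nhs"] = m.group(1)
        elif m := re.match(r"tunnel protection ipsec profile (\S+)", line): t["protection"] = m.group(1)
        elif m := re.match(r"tunnel vrf (\S+)", line): t["tunnel_vrf"] = m.group(1)
        elif line == "tunnel mode gre multipoint": t["multipoint"] = True
        elif line == "ip nhrp map multicast dynamic": t["mcast_dynamic"] = True
    return t

def check_pair(hub, spoke):
    """Return a list of mismatches that stop NHRP registration from ever completing."""
    findings = []
    for key, label in (("auth", "NHRP authentication"), ("net_id", "NHRP network-id")):
        if hub.get(key) != spoke.get(key):
            findings.append(f"{label} differs: hub={hub.get(key)} spoke={spoke.get(key)}")
    if (hub["protection"] is None) != (spoke["protection"] is None):
        findings.append("tunnel protection on one side only: GRE is encrypted on one end and cleartext on the other")
    if spoke["nhs"] != hub.get("ip"):
        findings.append(f"spoke NHS {spoke['nhs']} is not the hub tunnel address {hub.get('ip')}")
    if not hub["multipoint"] or not hub["mcast_dynamic"]:
        findings.append("hub is missing 'tunnel mode gre multipoint' or 'ip nhrp map multicast dynamic'")
    return findings

if __name__ == "__main__":
    print(check_pair(parse_tunnel(HUB), parse_tunnel(SPOKE)))  # → []
    print(check_pair(parse_tunnel(HUB.replace(" tunnel protection ipsec profile vpnprof", "")), parse_tunnel(SPOKE)))
```

The second call reproduces the half-unprotected state from the post and reports it as a finding; the checker cannot see the FVRF-side crypto configuration (keyring, ISAKMP profile), so a clean result only means the tunnel stanzas themselves agree.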

David Williams Wed, 06/02/2010 - 08:34

I found a post on a non-cisco site claiming the following.

"NHRP Registration Request causes an IKE session to be initiated with the Hub. Once the IKE/IPSEC sessions are established, the NHRP Registration request is forwarded over the IPSEC/GRE tunnel."

Is this accurate?  If so, then IPSEC would have to use aggressive mode, which gains me little.
