Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1710
Views
0
Helpful
1
Replies

DMVPN - NHRP fails on IPSEC protected tunnel with FVRF on the hub

David Williams
Level 1
Level 1

‎06-01-2010 03:19 PM - edited ‎02-21-2020 04:40 PM

Good day everyone,

I have a situation that has been nagging at me all day.  I'm trying to setup a DMVPN with a 7606 using an IPSEC SPA on one end and a 2431 on the cpe end.  The complication seems to be surrounding the implementation on the 7606.  We have an IP connection that comes into the 7606 and terminates in a vrf called IPSEC (The FVRF).  All the tunnels come in that connection, through the IPSEC SPA magi,c and come get dumped into different IVRFs depending on the tunnel.  From there they can go back upstream via the MPLS network to sites within the MPLS VPN.  It sounds like a great idea!!  I'm hoping I am not misunderstanding how this works because I could see us using this A LOT.  The problem I am having is with NHRP.  If I build everything up with IPSEC protection, the tunnels never establish.  If I remove the tunnel protection from the spoke and the hub, allow the NHRP cache to populate on the HUB, then drop the tunnel encryption on both ends, voila!  Tunnels come up and all it great! Until....we build 10s of tunnels to this HUB and one drops due to a crappy cable or dsl connection and is down long enough for the NHRP cache to timeout on the hub.  Now to get that one site back up I have to remove tunnel protection so that the NHRP cache can populate on the HUB.  In the mean time I have broken all the other sites and have to go touch all of them.  When we tried this without vrfs at all it worked fine.  It just came up without an intervention.  I would really like to know what, if anything, I'm doing wrong with this implementation that requires me to remove tunnel protection to allow NHRP to build it's initial cache entry on the HUB.

Any suggestions?  IPSEC is the FVRF and test is the IVRF in the config below.

HUB

interface Tunnel123

bandwidth 1000

ip vrf forwarding test

ip address 10.0.0.1 255.255.255.0

no ip redirects

ip mtu 1400

ip nhrp authentication test

ip nhrp map multicast dynamic

ip nhrp network-id 100000

ip nhrp holdtime 600

delay 1000

tunnel source Loopback0

tunnel mode gre multipoint

tunnel vrf IPSEC

tunnel protection ipsec profile vpnprof

crypto engine slot 2/0 inside

end

SPOKE

interface Tunnel123

bandwidth 1000

ip address 10.0.0.2 255.255.255.0

ip mtu 1400

ip nhrp authentication test

ip nhrp map 10.0.0.1 x.x.x.x

ip nhrp network-id 100000

ip nhrp holdtime 300

ip nhrp nhs 10.0.0.1

delay 1000

tunnel source Serial1/1:0.16

tunnel destination X.X.X.X (IP = the IP of Loopback0 on the Hub)

tunnel protection ipsec profile test

end

Labels:
0 Helpful
1 Reply 1

David Williams
Level 1
Level 1

‎06-02-2010 08:34 AM

I found a post on a non-cisco site claiming the following.

"NHRP Registration Request causes an IKE session to be initiated with the Hub. Once the IKE/IPSEC sessions are established, the NHRP Registration request is forward over the IPSEC/GRE tunnel."

Is this accurate?  If so, then IPSEC would have to use aggressive mode which gains me little.

0 Helpful
Customers Also Viewed These Support Documents