DMVPN Front VRF fVRF IPSec remote endpoint IP address problem

Nicholas Poole
Level 1

I am testing an fVRF solution on a spoke router in a DMVPN phase 3 network. The spoke is having problems with IPsec; I think the ISAKMP is working OK.

When I take a look at the HUB (it isn't VRF aware in any way, but it doesn't need to be as it's on the right network), I see a successful ISAKMP:

Spoke Router 172.18.0.109 (c1811 with 12.4(24)T3)

Hub Router 172.18.0.3 (c7301 with 12.4(24)T3)

dst             src             state          conn-id status
172.18.0.3      172.18.0.109    QM_IDLE          13035 ACTIVE

When I take a look at the IPSec SA it goes wrong:

  protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.18.0.3/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (172.18.0.109/255.255.255.255/47/0)
   current_peer 172.18.0.9 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 172.18.0.3, remote crypto endpt.: 172.18.0.9
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0.580
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

It is now looking for the IP .9 as the remote endpoint, and my spoke is .109. .9 does exist as an IP on my spoke, but in another VRF!

I have tried many config variations of what I have found for fVRF, but this is what I am currently using on my SPOKE (c1811 with 12.4(24)T3):

!
ip vrf vpn1-out
rd 100:1
!

crypto keyring vpn1 vrf vpn1-out
  local-address 172.18.0.109 vpn1-out
  pre-shared-key address 0.0.0.0 0.0.0.0 key cisco
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
lifetime 14400
crypto isakmp profile VRFprofile
   vrf vpn1-out
   keyring vpn1
   match identity address 0.0.0.0 vpn1-out
!
!
crypto ipsec transform-set stronger ah-sha-hmac esp-aes 256
mode transport
!
crypto ipsec profile DMVPN
set security-association lifetime seconds 120
set transform-set stronger
set pfs group2
set isakmp-profile VRFprofile
!

interface FastEthernet1.580
encapsulation dot1Q 580
ip vrf forwarding vpn1-out
ip address 172.18.0.109 255.255.255.0


Please can anybody help?

1 Reply

wzhang
Cisco Employee

Hi,

Can you post your tunnel configuration? With tunnel protection, the ipsec local identity is chosen to be the tunnel source address. If that's correctly set to be the FastEthernet1.580 interface, then could you post the output of "show crypto socket" from the spoke as well?

Thanks,

Wen
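As the reply points out, with tunnel protection the IPsec local identity is taken from the tunnel source, so the tunnel interface decides which address (and which VRF) the crypto socket is anchored to. The thread does not show the spoke's tunnel interface, so the following is an added illustration, not the poster's configuration, of a DMVPN phase 3 spoke tunnel whose transport is placed in the front-door VRF vpn1-out alongside the keyring, ISAKMP profile and IPsec profile already shown above. Tunnel0, the overlay range 10.0.0.0/24, the hub tunnel address 10.0.0.1 and NHRP network-id 1 are assumed values; the NBMA addresses are the ones from the thread.

```ios
! Added illustration only; the poster's actual Tunnel configuration is not on this page.
! Assumed: Tunnel0, overlay 10.0.0.0/24, hub tunnel address 10.0.0.1, NHRP network-id 1.
! From the thread: spoke NBMA 172.18.0.109 on FastEthernet1.580 (VRF vpn1-out), hub NBMA 172.18.0.3.
interface Tunnel0
 ! Overlay address. No "ip vrf forwarding" here, so the overlay stays in the global table
 ! while only the GRE/IPsec transport lives in the front-door VRF.
 ip address 10.0.0.109 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 ! Static NHRP mapping of the hub's overlay address to its NBMA address, plus multicast for routing protocols.
 ip nhrp map 10.0.0.1 172.18.0.3
 ip nhrp map multicast 172.18.0.3
 ip nhrp network-id 1
 ip nhrp nhs 10.0.0.1
 ! Phase 3: spokes install shortcuts from hub redirects.
 ip nhrp shortcut
 ! The tunnel source is the interface that sits in vpn1-out; with tunnel protection its
 ! address (172.18.0.109) becomes the IPsec local identity, as the reply describes.
 tunnel source FastEthernet1.580
 tunnel mode gre multipoint
 ! Resolve the GRE/IPsec transport (and the crypto socket) in the same fVRF that the
 ! keyring ("crypto keyring vpn1 vrf vpn1-out") and ISAKMP profile ("vrf vpn1-out") reference.
 tunnel vrf vpn1-out
 tunnel protection ipsec profile DMVPN
```

The `show crypto socket` output the reply asks for lists the local and remote addresses the tunnel-protection socket was created with, which is the quickest way to confirm which interface address the tunnel actually bound to.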