Cisco Support Community
Community Member

DMVPN Front VRF fVRF IPSec remote endpoint IP address problem

I am testing a fVRF solution on a spoke router in a DMVPN phase 3 network. The spoke is having problems with IPsec; I think the ISAKMP is working OK.

When I take a look at the hub (it isn't VRF aware in any way, but it doesn't need to be, as it's on the right network), I see a successful ISAKMP SA:

Spoke Router (c1811 with 12.4(24)T3)

Hub Router (c7301 with 12.4(24)T3)

dst             src             state          conn-id status
                                QM_IDLE          13035 ACTIVE

When I take a look at the IPsec SA, it goes wrong:

  protected vrf: (none)
   local  ident (addr/mask/prot/port): (
   remote ident (addr/mask/prot/port): (
   current_peer port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.:, remote crypto endpt.:
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0.580
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

It is now looking for the IP .9 as the remote endpoint, and my spoke is .109. The .9 address does exist on my spoke, but in another VRF!

I have tried many config variations of what I have found for fVRF, but this is what I am currently using on my spoke (c1811 with 12.4(24)T3):

ip vrf vpn1-out
 rd 100:1
!
crypto keyring vpn1 vrf vpn1-out
 local-address vpn1-out
 pre-shared-key address key cisco
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
 lifetime 14400
!
crypto isakmp profile VRFprofile
 vrf vpn1-out
 keyring vpn1
 match identity address vpn1-out
!
crypto ipsec transform-set stronger ah-sha-hmac esp-aes 256
 mode transport
!
crypto ipsec profile DMVPN
 set security-association lifetime seconds 120
 set transform-set stronger
 set pfs group2
 set isakmp-profile VRFprofile
!
interface FastEthernet1.580
 encapsulation dot1Q 580
 ip vrf forwarding vpn1-out
 ip address

Please can anybody help?

Cisco Employee

Re: DMVPN Front VRF fVRF IPSec remote endpoint IP address problem


Can you post your tunnel configuration? With tunnel protection, the ipsec local identity is chosen to be the tunnel source address. If that's correctly set to be the FastEthernet1.580 interface, then could you post the output of "show crypto socket" from the spoke as well?
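For reference, here is an added example of the tunnel side of a fVRF DMVPN phase 3 spoke, written to go with the ISAKMP/IPsec configuration posted above. It is not the poster's configuration and not Cisco's; the placeholder addresses 192.0.2.109 (spoke NBMA address, standing in for ".109"), 192.0.2.1 (fVRF default gateway), 198.51.100.1 (hub NBMA address) and 10.0.0.0/24 (tunnel overlay), as well as the NHRP network-id, tunnel key and authentication string, are assumptions. The points that decide which address IPsec uses as its local identity are `tunnel source`, which must name the interface that sits in the fVRF, and `tunnel vrf`, which must name that same VRF so the encrypted packets are routed in the fVRF rather than in the global table.

```cisco
! Front-door VRF: holds only the Internet-facing interface and its default route.
ip vrf vpn1-out
 rd 100:1
!
! Internet-facing subinterface lives in the fVRF. Placeholder address, assumed for this example.
interface FastEthernet1.580
 encapsulation dot1Q 580
 ip vrf forwarding vpn1-out
 ip address 192.0.2.109 255.255.255.0
!
! Default route inside the fVRF so GRE/ESP packets to the hub can be forwarded. Assumed gateway.
ip route vrf vpn1-out 0.0.0.0 0.0.0.0 192.0.2.1
!
! mGRE tunnel: the overlay (10.0.0.0/24) stays in the global routing table,
! while the tunnel endpoints are looked up in the fVRF.
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication dmvpn
 ip nhrp map 10.0.0.1 198.51.100.1
 ip nhrp map multicast 198.51.100.1
 ip nhrp network-id 1
 ip nhrp nhs 10.0.0.1
 ip nhrp shortcut
 ip tcp adjust-mss 1360
 tunnel source FastEthernet1.580
 tunnel mode gre multipoint
 tunnel key 1
 tunnel vrf vpn1-out
 tunnel protection ipsec profile DMVPN
```

With this in place, "show crypto socket" on the spoke should list the socket with the local address taken from FastEthernet1.580 (192.0.2.109 in the example) and the remote address of the hub, and "show crypto ipsec sa" should show the same pair under "local crypto endpt." and "remote crypto endpt.". If the local endpoint shown there is an address from a different interface or VRF, check that `tunnel source` and `tunnel vrf` both point at the fVRF-facing interface and VRF, because that is what tunnel protection derives the IPsec local identity from.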


