Cisco Support Community

IPSec for Redundant DMVPN with VRF

Hi.

I have been labbing up a solution using DMVPN and VRF, similar to that described in the blog post here. It works very well; however, when I try to extend the concept to a redundant hub, it breaks with IPSec. If I remove the tunnel protection, it works fine.

Does anyone have any ideas about providing IPSec protection to multiple DMVPN tunnels for VRFs to a redundant Hub?

Thanks.

Client config (no IPSec):

interface Tunnel10
 ip vrf forwarding Staff
 ip address 10.254.254.23 255.255.255.0
 no ip redirects
 ip mtu 1416
 ip nhrp authentication MFS
 ip nhrp map multicast 172.16.1.1
 ip nhrp map 10.254.254.1 172.16.1.1
 ip nhrp map 10.254.254.3 172.16.1.3
 ip nhrp map multicast 172.16.1.3
 ip nhrp network-id 10
 ip nhrp holdtime 600
 ip nhrp nhs 10.254.254.1
 ip nhrp nhs 10.254.254.3
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 10
!
interface Tunnel20
 ip vrf forwarding Clients
 ip address 10.254.253.23 255.255.255.0
 no ip redirects
 ip mtu 1416
 ip nhrp authentication MFSC
 ip nhrp map 10.254.253.1 172.16.1.1
 ip nhrp map multicast 172.16.1.1
 ip nhrp map multicast 172.16.1.3
 ip nhrp map 10.254.253.3 172.16.1.3
 ip nhrp network-id 20
 ip nhrp holdtime 600
 ip nhrp nhs 10.254.253.1
 ip nhrp nhs 10.254.253.3
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 20
!

Hub 1:

interface Tunnel10
 ip vrf forwarding Staff
 ip address 10.254.254.1 255.255.255.0
 no ip redirects
 ip mtu 1416
 ip nhrp authentication MFS
 ip nhrp map multicast dynamic
 ip nhrp network-id 10
 ip nhrp holdtime 360
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 10
!
interface Tunnel20
 ip vrf forwarding Clients
 ip address 10.254.253.1 255.255.255.0
 no ip redirects
 ip mtu 1416
 ip nhrp authentication MFSC
 ip nhrp map multicast dynamic
 ip nhrp network-id 20
 ip nhrp holdtime 360
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 20
!

Hub 2:

interface Tunnel10
 ip vrf forwarding Staff
 ip address 10.254.254.3 255.255.255.0
 no ip redirects
 ip mtu 1416
 ip nhrp authentication MFS
 ip nhrp map multicast dynamic
 ip nhrp network-id 10
 ip nhrp holdtime 360
 ip nhrp server-only
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 10
!
interface Tunnel20
 ip vrf forwarding Clients
 ip address 10.254.253.3 255.255.255.0
 no ip redirects
 ip mtu 1416
 ip nhrp authentication MFSC
 ip nhrp map multicast dynamic
 ip nhrp network-id 20
 ip nhrp holdtime 360
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 20
!

1 REPLY

IPSec for Redundant DMVPN with VRF

Under the Hub you have to add

HUB1

interface Tunnel10
 ip nhrp map 10.254.254.1
 ip nhrp map multicast < ip add of FastEthernet0/0 for HUB2>

HUB2

interface Tunnel10
 ip nhrp map 10.254.254.3
 ip nhrp map multicast < ip add of FastEthernet0/0 for HUB1>

The same thing for the other tunnel interfaces
