ahhhh, didn't know about "tunnel key". That's done the trick as a "selector".

However it does look like I might be going about this in the wrong way and perhaps i'll try MPLSoGRE instead.

If going for MPLS over FlexVPN (if this is flex) make sure/double check whether you need spoke to spoke features.

I believe that was something introduced pretty recently. Spoke->hub should work fine.

Hmmmm, since changing from "tunnel mode ipsec ip" to "tunnel mode gre ip" so I can use the "tunnel key x" feature as a selector, the tunnel won't stay up and the dynamic routing protocol isn't bringing anything through anymore. Are there other considerations when using GRE ?

That depends, as usual :-)

Is that Flex?

What is the RP?

What is the platform?

Are the spoke(s) behind NAT?

There are mutliple examples out there for starters I would say you do not need tunnel source on your VTs (if this if flex)

Looks like your problem COULD be related to one way traffic - typically due to some misconfig.

M.

Yes to flex

RIPv2 is the routing protocol, with MD5 authentication.

IOS 15.0 on each end

Yeah the spokes on on O2-UK mobile broadband: a private IP address that get's PAT'd.

I'm using the flexvpn client on the spoke to get hub redundancy:

crypto ikev2 client flexvpn Tunne1

  peer 1 *hub 1 ip*

  peer 2 *hub 2 ip*

  client connect Tunnel1

!

crypto ikev2 client flexvpn Tunnel2

  peer 1 *hub 1 ip*

  peer 2 *hub 2 ip*

  client connect Tunnel2

!

Thats why I have "tunnel destination dynamic" on my VTI's and "dpd 30 2 on-demand" under the IKEv2 profile. Everything works fine when I use "tunnel mode ipsec ipv4". Should I try and remove tunnel source from the hub end or the remote end ?

Hmmmm and what's the headend platform ... is there a chance that spokes are visible under same public IP address?

And seriously 15.0? 15.2(4)M is the minimum I would try this on 15.3.3M would be a decent starting point.

Oops thats the bootstrap version,

Hubs:

Cisco IOS Software, C3900 Software (C3900-UNIVERSALK9-M), Version 15.2(4)M4, RELEASE SOFTWARE (fc2)

Spokes:

Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.2(4)M4, RELEASE SOFTWARE (fc2)

That could be the case but I'd hope NAT-T would take case of that by allowing the UDP port to be changed in transit by PAT without effecting the integrity of IPSec. Also i'm just doing this on the one spoke for now.

I have a feeling i've missed something really basic here but it's not jumping out at me. I'm trying to think of the things that makes IPSec-GRE/IP different to straight forward IPSec/IP. One thing I'm fairly sure on is that this is a routing problem. I think the fact the tunnel is coming up and down is a consequence of the GRE keep alive and FlexVPN moving on to try another hub.

I was asking about NAT and headend because of this:

https://tools.cisco.com/bugsearch/bug/CSCue00443/?reffering_site=dumpcr

But it only affecting ASR1k.

Post the cofigs, obfuscate the IPs if needed, I'll have a look when possible.

Tunnel source is indeed not needed, you can start there and enable crypto logging session :]

Hi Marcin,

Thanks for having the time to look at this for me. Here are the full configs (well the bits that I believe are relevant)

Hub:

====

key chain RIP

key 1

  key-string 0 ***

!

!

crypto ikev2 proposal default

encryption ***

integrity ***

group ***

!

!

crypto ikev2 keyring LAN-to-LAN

peer LAN-to-LAN

  address 0.0.0.0 0.0.0.0

  pre-shared-key ***

!

!

!

crypto ikev2 profile CUSTOMER1

match fvrf any

match identity remote fqdn spoke1.com_CUSTOMER1

match identity remote fqdn spoke2.com_CUSTOMER1

identity local fqdn hub1.com_CUSTOMER1

authentication remote pre-share

authentication local pre-share

keyring local LAN-to-LAN

virtual-template 1

!

crypto ikev2 profile CUSTOMER2

match fvrf any

match identity remote fqdn spoke1.com_CUSTOMER2

match identity remote fqdn spoke2.com_CUSTOMER2

identity local fqdn hub1.com_CUSTOMER2

authentication remote pre-share

authentication local pre-share

keyring local LAN-to-LAN

virtual-template 2

!

crypto ikev2 profile CUSTOMER3

match fvrf any

match identity remote fqdn spoke1.com_CUSTOMER3

match identity remote fqdn spoke2.com_CUSTOMER3

identity local fqdn hub1.com_CUSTOMER3

authentication remote pre-share

authentication local pre-share

keyring local LAN-to-LAN

virtual-template 3

!

!

crypto ipsec transform-set ESP-TUNNEL esp-*** esp-***

mode tunnel

!

!

crypto ipsec profile CUSTOMER1

set transform-set ESP-TUNNEL

set ikev2-profile CUSTOMER1

!

crypto ipsec profile CUSTOMER2

set transform-set ESP-TUNNEL

set ikev2-profile CUSTOMER2

!

crypto ipsec profile CUSTOMER3

set transform-set ESP-TUNNEL

set ikev2-profile CUSTOMER3

!

!

interface Virtual-Template1 type tunnel

vrf forwarding CUSTOMER1

ip unnumbered Loopback1

ip rip authentication mode md5

ip rip authentication key-chain RIP

tunnel source *PUBLIC ADDRESS*

tunnel mode ipsec ipv4

tunnel path-mtu-discovery

tunnel protection ipsec profile CUSTOMER1

!

interface Virtual-Template2 type tunnel

vrf forwarding CUSTOMER2

ip unnumbered Loopback2

ip rip authentication mode md5

ip rip authentication key-chain RIP

tunnel source *PUBLIC ADDRESS*

tunnel mode ipsec ipv4

tunnel path-mtu-discovery

tunnel protection ipsec profile CUSTOMER2

!

interface Virtual-Template3 type tunnel

vrf forwarding CUSTOMER3

ip unnumbered Loopback3

ip rip authentication mode md5

ip rip authentication key-chain RIP

tunnel source *PUBLIC ADDRESS*

tunnel mode ipsec ipv4

tunnel path-mtu-discovery

tunnel protection ipsec profile CUSTOMER3

!

interface Loopback1

vrf forwarding CUSTOMER1

192.168.1.1 255.255.255.255

!

interface Loopback2

vrf forwarding CUSTOMER2

192.168.2.1 255.255.255.255

!

interface Loopback3

vrf forwarding CUSTOMER3

192.168.3.1 255.255.255.255

!

router rip

!

address-family ipv4 vrf CUSTOMER1

  network 192.168.1.0

  version 2

  no auto-summary

exit-address-family

!

address-family ipv4 vrf CUSTOMER2

  network 192.168.2.0

  version 2

  no auto-summary

exit-address-family

!

address-family ipv4 vrf CUSTOMER3

  network 192.168.3.0

  version 2

  no auto-summary

exit-address-family

Spoke1:

=======

key chain RIP

key 1

  key-string 0 ***

!

!

crypto ikev2 proposal default

encryption ***

integrity ***

group ***

!

!

crypto ikev2 keyring LAN-to-LAN

peer LAN-to-LAN

  address 0.0.0.0 0.0.0.0

  pre-shared-key ***

!

!

!

crypto ikev2 profile CUSTOMER1

match fvrf any

match identity remote fqdn hub1.com_CUSTOMER1

match identity remote fqdn hub2.com_CUSTOMER1

identity local fqdn spoke1.com_CUSTOMER1

authentication remote pre-share

authentication local pre-share

keyring local LAN-to-LAN

dpd 10 2 on-demand

!

crypto ikev2 profile CUSTOMER2

match fvrf any

match identity remote fqdn hub1.com_CUSTOMER2

match identity remote fqdn hub2.com_CUSTOMER2

identity local fqdn spoke1.com_CUSTOMER2

authentication remote pre-share

authentication local pre-share

keyring local LAN-to-LAN

dpd 10 2 on-demand

!

crypto ikev2 profile CUSTOMER3

match fvrf any

match identity remote fqdn hub1.com_CUSTOMER3

match identity remote fqdn hub2.com_CUSTOMER3

identity local fqdn spoke1.com_CUSTOMER3

authentication remote pre-share

authentication local pre-share

keyring local LAN-to-LAN

dpd 10 2 on-demand

!

!

crypto ikev2 client flexvpn Tunnel1

  peer 1 hub1.com

  peer 2 hub2.com

  client connect Tunnel1

!

crypto ikev2 client flexvpn Tunnel2

  peer 1 hub1.com

  peer 2 hub2.com

  client connect Tunnel2

!

crypto ikev2 client flexvpn Tunnel3

  peer 1 hub1.com

  peer 2 hub2.com

  client connect Tunnel3

!

!

crypto ipsec transform-set ESP-TUNNEL esp-*** esp-***

mode tunnel

!

!

crypto ipsec profile CUSTOMER1

set transform-set ESP-TUNNEL

set ikev2-profile CUSTOMER1

!

crypto ipsec profile CUSTOMER2

set transform-set ESP-TUNNEL

set ikev2-profile CUSTOMER2

!

crypto ipsec profile CUSTOMER3

set transform-set ESP-TUNNEL

set ikev2-profile CUSTOMER3

!

!

interface Tunnel1

vrf forwarding CUSTOMER1

ip unnumbered Loopback1

ip rip authentication mode md5

ip rip authentication key-chain RIP

tunnel source Dialer1

tunnel mode ipsec ipv4

tunnel destination dynamic

tunnel path-mtu-discovery

tunnel protection ipsec profile CUSTOMER1

!

interface Tunnel2

vrf forwarding CUSTOMER2

ip unnumbered Loopback2

ip rip authentication mode md5

ip rip authentication key-chain RIP

tunnel source Dialer1

tunnel mode ipsec ipv4

tunnel destination dynamic

tunnel path-mtu-discovery

tunnel protection ipsec profile CUSTOMER2

!

interface Tunnel3

vrf forwarding CUSTOMER3

ip unnumbered Loopback3

ip rip authentication mode md5

ip rip authentication key-chain RIP

tunnel source Dialer1

tunnel mode ipsec ipv4

tunnel destination dynamic

tunnel path-mtu-discovery

tunnel protection ipsec profile CUSTOMER3

!

interface Loopback1

vrf forwarding CUSTOMER1

192.168.1.2 255.255.255.255

!

interface Loopback2

vrf forwarding CUSTOMER2

192.168.2.2 255.255.255.255

!

interface Loopback3

vrf forwarding CUSTOMER3

192.168.3.2 255.255.255.255

!

router rip

!

address-family ipv4 vrf CUSTOMER1

  network 192.168.1.0

  version 2

  no auto-summary

exit-address-family

!

address-family ipv4 vrf CUSTOMER2

  network 192.168.2.0

  version 2

  no auto-summary

exit-address-family

!

address-family ipv4 vrf CUSTOMER3

  network 192.168.3.0

  version 2

  no auto-summary

exit-address-family

!

Hi there,

Oops they got left behind when obscuring the real ip's and tunnel numbers; I've corrected it now.

Yeah I see what you mean about demultiplexing, I think that's what I'm seing. I tried GRE with "tunnel key" then 1,2,3 so the sVTI matches up with the dVTI at the hub end, but for some reason this wouldn't work at all even with just the one tunnel active (tunnel 1). I guess this is a routing issue but I couldn't see it.

I was just wondering if that would work, if I use a different public IP at the hub end for each virtual-template I guess that should work?

Yes, different IP addresses for termination on hub side would work.

One caveat. You need to make sure you select the correct IKEv2 profile ("tunnel source" command will not work AFAIR) during IKE negotiation. Should not be a big problem in your case.

What I would really like to see is a case open with one of the VPN teams. The GRE approach should work unless I forgot everything in last 10 months ;-)

Thanks i'll give it a try and see if works. It would be good to figure out why GRE wasn't working as this will save on public IPv4 addresses.