Cisco Support Community
Community Member

Multiple DMVPNs within separate VRF's using crypto keyring

Hi All,

I have deployed ASRs within a service provider environment, acting as the DMVPN hubs for multiple customers' networks contained within their own VRFs.

In each case, from the tunnel perspective, the iVRF and fVRF are the same for a specific customer, and crypto keyrings are used to associate pre-shared keys.

When the box was first deployed, a test network was built without using keyrings, but still using the VRFs as shown in the snippet. However, I cannot get the configuration to work using keyrings, and hence cannot add additional customers. It would appear that IKE phase 2 is not completing.

An initial bug scrub has come up clear, so I'm guessing I must be missing something.

Current firmware: Cisco IOS Software, IOS-XE Software (PPC_LINUX_IOSD-ADVENTERPRISEK9-M), Version 15.0(1)S

-- snippet of test configuration --

crypto keyring CUST1 vrf CUST1
 pre-shared-key address key **CRYPTOKEY_CUST1**
crypto isakmp profile CUST1_PROFILE
 vrf CUST1
 keyring CUST1
 match identity address
crypto ipsec transform-set CUST1 esp-aes 256 esp-sha-hmac
 mode transport
interface Tunnel1
 bandwidth 1000
 ip vrf forwarding CUST1
 ip address
 no ip redirects
 ip nhrp authentication CUST1
 ip nhrp map multicast dynamic
 ip nhrp network-id 10101010
 ip nhrp holdtime 450
 ip nhrp registration no-unique
 no ip split-horizon
 delay 1000
 tunnel source GigabitEthernet0/0/0.1010
 tunnel mode gre multipoint
 tunnel key 1010
 tunnel vrf CUST1
 tunnel protection ipsec profile CUST1_PROFILE shared

Any help would be great.

Best regards


Cisco Employee

Multiple DMVPNs within separate VRF's using crypto keyring

Config-wise, you do not need "vrf CUST1" inside the profile; GRE will do the handoff for you.

Hard to say where the problem is without more debugs ;-)
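
Before collecting IKE debugs, the name cross-references in a per-VRF crypto configuration of this shape can be checked offline. The Python sketch below is an added example, not code from either poster or from Cisco: it runs on a constructed sample (documentation-range addresses, dummy key), and `sections` and `lint` are hypothetical helper names. It reports a keyring that no `crypto keyring` defines, a `vrf` statement inside an ISAKMP profile (which the reply above says is not needed), and a `tunnel protection` profile name that no `crypto ipsec profile` defines.

```python
import re

# Constructed sample modelled on the question's snippet; the addresses are
# documentation-range placeholders and the key is a dummy value (assumptions).
SAMPLE = """\
crypto keyring CUST1 vrf CUST1
 pre-shared-key address 192.0.2.0 255.255.255.0 key EXAMPLE_KEY
crypto isakmp profile CUST1_PROFILE
 vrf CUST1
 keyring CUST1
 match identity address 192.0.2.0 255.255.255.0
crypto ipsec transform-set CUST1 esp-aes 256 esp-sha-hmac
 mode transport
interface Tunnel1
 ip vrf forwarding CUST1
 tunnel vrf CUST1
 tunnel protection ipsec profile CUST1_PROFILE shared
"""

def sections(text):
    """Group indented sub-commands under their top-level command."""
    out = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue  # skip blank lines and IOS comment lines
        if line[0].isspace() and out:
            out[-1][1].append(line.strip())
        else:
            out.append((line.strip(), []))
    return out

def lint(text):
    """Return findings about crypto object cross-references (hypothetical helper)."""
    secs = sections(text)
    def names(prefix):  # object names declared by 'prefix NAME ...'
        return {h.split()[len(prefix.split())] for h, _ in secs if h.startswith(prefix + " ")}
    keyrings, ipsec = names("crypto keyring"), names("crypto ipsec profile")
    findings = []
    for head, body in secs:
        for cmd in body:
            if head.startswith("crypto isakmp profile "):
                if cmd.startswith("keyring ") and cmd.split()[1] not in keyrings:
                    findings.append(f"{head}: keyring {cmd.split()[1]} is not defined")
                if cmd.startswith("vrf "):
                    findings.append(f"{head}: '{cmd}' set inside the ISAKMP profile")
            m = re.match(r"tunnel protection ipsec profile (\S+)", cmd)
            if head.startswith("interface ") and m and m.group(1) not in ipsec:
                findings.append(f"{head}: ipsec profile {m.group(1)} is not defined")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```

A finding here only means the name is not declared in the text that was checked; a partial snippet can omit objects that exist in the full running configuration.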

