Tunnel VRF and Crypto Keyring

NOTE

  • Sorting out, for DMVPN configurations, when tunnel vrf is needed and whether crypto isakmp key or crypto keyring should be used.
  • Regardless of whether the Tunnel interface itself belongs to a VRF, when a VRF routing table is used to resolve the NBMA (tunnel destination) addresses, tunnel vrf XXXX and crypto keyring are required (crypto isakmp key does not work).
  • They are needed even when the Tunnel interface is not in a VRF, as on R4, as long as the NBMA addresses are in a VRF. Conversely, when the NBMA side is not in a VRF, as on R2, using tunnel vrf XXXX or crypto keyring breaks it.
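
As an added example (not part of the original note), a small Python checker that applies the rule above to an IOS config text: for each IPsec-protected Tunnel interface it compares the VRF of the tunnel source interface with tunnel vrf, then requires a crypto keyring scoped to that VRF when tunnel vrf is set, or crypto isakmp key (or a keyring without vrf) when it is not. The parser is a simplified, indentation-based one and the sample config is constructed from the note's R4.

```python
def parse_blocks(config):
    # Split an IOS config into (top-level command, [indented sub-commands]) pairs.
    blocks = []
    for line in filter(str.strip, config.splitlines()):
        if not line.startswith(" "):
            blocks.append((line.strip(), []))
        elif blocks:
            blocks[-1][1].append(line.strip())
    return blocks

def check_dmvpn_keying(config):
    # Returns findings (empty list = consistent). State: global 'crypto isakmp key' present,
    # VRFs that have a keyring with a PSK (None = keyring without 'vrf'), interface -> VRF, tunnels.
    global_psk, keyring_vrfs, if_vrf, tunnels = False, set(), {}, []
    for header, body in parse_blocks(config):
        if header.startswith("crypto isakmp key "):
            global_psk = True
        elif header.startswith("crypto keyring "):
            w = header.split()  # 'crypto keyring NAME [vrf VRFNAME]'
            if any(l.startswith("pre-shared-key") for l in body):
                keyring_vrfs.add(w[w.index("vrf") + 1] if "vrf" in w else None)
        elif header.startswith("interface "):
            if_vrf[header.split()[1]] = next((l.split()[3] for l in body if l.startswith("ip vrf forwarding ")), None)
            if header.startswith("interface Tunnel") and any(l.startswith("tunnel protection ipsec") for l in body):
                fvrf = next((l.split()[2] for l in body if l.startswith("tunnel vrf ")), None)
                src = next((l.split()[2] for l in body if l.startswith("tunnel source ")), None)
                tunnels.append((header.split()[1], fvrf, src))
    findings = []
    for name, fvrf, src in tunnels:
        if src in if_vrf and if_vrf[src] != fvrf:  # the NBMA-side interface's VRF must match 'tunnel vrf'
            findings.append(f"{name}: source {src} is in VRF {if_vrf[src]}, but tunnel vrf is {fvrf or 'not set'}")
        if fvrf is not None and fvrf not in keyring_vrfs:
            findings.append(f"{name}: tunnel vrf {fvrf} needs a crypto keyring with 'vrf {fvrf}'; crypto isakmp key does not apply")
        if fvrf is None and not (global_psk or None in keyring_vrfs):
            findings.append(f"{name}: NBMA in the global table needs 'crypto isakmp key' or a keyring without vrf")
    return findings

# Constructed sample modelled on R4 in the note: NBMA interface in VRF, tunnel interface in global.
R4_OK = """\
crypto keyring DMVPN vrf VRF
  pre-shared-key address 0.0.0.0 0.0.0.0 key cisco
interface FastEthernet0/0
 ip vrf forwarding VRF
interface Tunnel0
 tunnel source FastEthernet0/0
 tunnel vrf VRF
 tunnel protection ipsec profile PROF
"""
# Same topology keyed the R2 way (global isakmp key, no tunnel vrf): the checker flags the mismatch.
R4_BAD = R4_OK.replace(" tunnel vrf VRF\n", "").replace(R4_OK.split("interface")[0], "crypto isakmp key cisco address 0.0.0.0\n")
```

Running check_dmvpn_keying(R4_OK) returns an empty list, while R4_BAD yields one finding about the source interface's VRF not matching tunnel vrf.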

DIAGRAM

CONFIG

!!!!! R1
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 0.0.0.0
crypto ipsec transform-set TF-SET esp-aes
 mode transport
crypto ipsec profile PROF
 set transform-set TF-SET

interface Tunnel0
 ip address 172.16.0.1 255.255.255.0
 ip mtu 1400
 ip nhrp authentication cisco
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip tcp adjust-mss 1380
 ip ospf network point-to-multipoint
 ip ospf 1 area 0
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile PROF

ip route 0.0.0.0 0.0.0.0 10.1.255.1
!!!!! R2
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 0.0.0.0
crypto ipsec transform-set TF-SET esp-aes
 mode transport
crypto ipsec profile PROF
 set transform-set TF-SET

interface Tunnel0
 ip vrf forwarding VRF
 ip address 172.16.0.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication cisco
 ip nhrp map multicast 10.1.255.2
 ip nhrp map 172.16.0.1 10.1.255.2
 ip nhrp network-id 1
 ip nhrp nhs 172.16.0.1
 ip tcp adjust-mss 1380
 ip ospf network point-to-multipoint
 ip ospf 1 area 0
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile PROF

ip route 0.0.0.0 0.0.0.0 10.2.255.1
ip route vrf VRF 0.0.0.0 0.0.0.0 FastEthernet0/0 10.2.255.1 global
!!!!! R3
crypto keyring DMVPN vrf VRF
  pre-shared-key address 0.0.0.0 0.0.0.0 key cisco
crypto isakmp policy 10
 authentication pre-share
crypto ipsec transform-set TF-SET esp-aes
 mode transport
crypto ipsec profile PROF
 set transform-set TF-SET

interface Tunnel0
 ip vrf forwarding VRF
 ip address 172.16.0.3 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication cisco
 ip nhrp map multicast 10.1.255.2
 ip nhrp map 172.16.0.1 10.1.255.2
 ip nhrp network-id 1
 ip nhrp nhs 172.16.0.1
 ip tcp adjust-mss 1380
 ip ospf network point-to-multipoint
 ip ospf 1 area 0
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel vrf VRF
 tunnel protection ipsec profile PROF

ip route vrf VRF 0.0.0.0 0.0.0.0 10.3.255.1
!!!!! R4
crypto keyring DMVPN vrf VRF
  pre-shared-key address 0.0.0.0 0.0.0.0 key cisco
crypto isakmp policy 10
 authentication pre-share
crypto ipsec transform-set TF-SET esp-aes
 mode transport
crypto ipsec profile PROF
 set transform-set TF-SET

interface Tunnel0
 ip address 172.16.0.4 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication cisco
 ip nhrp map multicast 10.1.255.2
 ip nhrp map 172.16.0.1 10.1.255.2
 ip nhrp network-id 1
 ip nhrp nhs 172.16.0.1
 ip tcp adjust-mss 1380
 ip ospf network point-to-multipoint
 ip ospf 1 area 0
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel vrf VRF
 tunnel protection ipsec profile PROF

ip route vrf VRF 0.0.0.0 0.0.0.0 10.4.255.1

Comments