DMVPN Phase3 IKEv1 and NHS Cluster

Lab Introduction

This lab is still about DMVPN Phase 3 with OSPF point-to-multipoint. It uses IKEv1 instead of the IKEv2 used in the previous post. The later part of the lab also introduces an NHS cluster for a dual-head, single-DMVPN design.

The topology is as below:

[Figure: lab topology (dmvpn_ospf_p2mp_2.JPG)]

Configuration

VRF-aware DMVPN with IKEv1

‘VRF-aware ipsec cheat sheet’ is an excellent reference that provides the following key points for configuring VRF-aware DMVPN with IKEv1:

  • “ip vrf forwarding <ivrf>” on the tunnel interface
  • “tunnel vrf <fvrf>” on the tunnel interface
  • crypto keyring tagged with fvrf
  • NO “vrf <ivrf>” on isakmp profile
  • fvrf on match statement of isakmp profile
  • no need to worry about RRI (tunnel destination needs to be reachable in fvrf), inside traffic gets routed to the tunnel interface
  • interfaces in their VRF and proper routes in each VRF as well

My lab configuration example is as below:

#Create the VRF-aware PSK. The crypto keyring has to be tagged with the FVRF, not the IVRF. If there are multiple IVRFs and each requires a different IKEv1 PSK, then multiple FVRFs are required as well. For example, a development environment has DEV-IVRF and DEV-FVRF; a production environment has PROD-IVRF and PROD-FVRF.

crypto keyring FVRF vrf FVRF
pre-shared-key address 200.1.1.0 255.255.255.0 key Cisco

#Create the IKE (ISAKMP) policy. For better security, use AES as the encryption algorithm instead of DES or 3DES, SHA2 as the integrity hash instead of SHA1, and DH Group 2 (1024 bits) at the very least.

crypto isakmp policy 101
encr aes
hash sha256
authentication pre-share
group 2

# Create the IKE (ISAKMP) profile. The VRF context of the ISAKMP profile is the FVRF: the FVRF goes on the match statement of the ISAKMP profile, and no ‘vrf’ command is configured under it. G1/0 is the physical WAN interface.

crypto isakmp profile IVRF-ike-prof
keyring FVRF
match identity address 200.1.1.0 255.255.255.0 FVRF
local-address GigabitEthernet1/0

# Define the IPSEC transform set: ‘ESP transform using AES cipher’ and ‘ESP transform using HMAC-SHA256 auth’. The default mode is ‘tunnel’ mode. ‘tunnel’ mode appears more secure than ‘transport’ mode, but it adds an extra IP header, which leads to a smaller MSS than ‘transport’ mode supports. A good reference: ‘Understanding VPN IPSec Tunnel Mode and IPSec Transport Mode – What’s the Difference?’

crypto ipsec transform-set IVRF esp-aes esp-sha256-hmac
mode tunnel

# Create the IPSEC profile, which ties the IPSEC transform set to the IKE (ISAKMP) profile.

crypto ipsec profile IVRF-ipsec-prof
set transform-set IVRF
set isakmp-profile IVRF-ike-prof

#Apply the IPSEC profile to the tunnel interfaces. Since both tunnels use the same IPSEC profile from the same tunnel source, the keyword ‘shared’ is added.

interface Tunnel101
tunnel protection ipsec profile IVRF-ipsec-prof shared
interface Tunnel102
tunnel protection ipsec profile IVRF-ipsec-prof shared
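The cheat-sheet rules above are easy to get wrong when several IVRFs and tunnels share one WAN interface. As an added example (not from the original post or from Cisco), the following Python script parses a show-run style fragment and reports every rule violation: a keyring without an FVRF tag, a ‘vrf’ command under the ISAKMP profile, a match identity that does not end with the keyring's FVRF, a tunnel whose ‘tunnel vrf’ differs from that FVRF or lacks ‘vrf forwarding’, and a profile reused on several tunnels without ‘shared’. The sample configuration is constructed from this post's fragments, with Tunnel102 deliberately missing ‘shared’.

```python
import re

# Constructed sample, condensed from this post's fragments with the indentation stripped
# as in copied show-run output; Tunnel102 deliberately lacks 'shared' so there is a finding.
SAMPLE = """
crypto keyring FVRF vrf FVRF
pre-shared-key address 200.1.1.0 255.255.255.0 key Cisco
!
crypto isakmp profile IVRF-ike-prof
keyring FVRF
match identity address 200.1.1.0 255.255.255.0 FVRF
!
crypto ipsec profile IVRF-ipsec-prof
set isakmp-profile IVRF-ike-prof
!
interface Tunnel101
vrf forwarding IVRF
tunnel vrf FVRF
tunnel protection ipsec profile IVRF-ipsec-prof shared
!
interface Tunnel102
vrf forwarding IVRF
tunnel vrf FVRF
tunnel protection ipsec profile IVRF-ipsec-prof
!
"""
HEADER = re.compile(r"^(crypto keyring|crypto isakmp profile|crypto ipsec profile|interface) (\S+)")

def parse(text):
    """Split IOS config into {(kind, name): [header, child lines...]}; '!' closes a block."""
    blocks, cur = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        m = HEADER.match(line)
        if m:
            cur = blocks.setdefault((m.group(1), m.group(2)), [line])
        elif not line or line.startswith("!"):
            cur = None
        elif cur is not None:
            cur.append(line)
    return blocks

def arg(lines, prefix):
    """Last word of the first child line starting with `prefix`, or None if absent."""
    hit = next((l for l in lines[1:] if l.startswith(prefix)), None)
    return hit.split()[-1] if hit else None

def audit(text):
    """Check the cheat-sheet rules this post lists; returns a list of finding strings."""
    b, out = parse(text), []
    of = lambda kind: {n: l for (k, n), l in b.items() if k == kind}
    keyring_fvrf, profile_fvrf, users = {}, {}, {}
    for name, lines in of("crypto keyring").items():  # keyring must carry the FVRF tag
        m = re.search(r"\svrf\s+(\S+)", lines[0])
        keyring_fvrf[name] = m.group(1) if m else None
        out += [] if m else [f"keyring {name}: not tagged with an FVRF"]
    for name, lines in of("crypto isakmp profile").items():
        fvrf = profile_fvrf[name] = keyring_fvrf.get(arg(lines, "keyring "))
        if arg(lines, "vrf "):  # the IVRF must not be bound to the ISAKMP profile
            out.append(f"isakmp profile {name}: remove 'vrf' (the IVRF is not set here)")
        if arg(lines, "match identity address ") != fvrf:  # FVRF goes on the match line
            out.append(f"isakmp profile {name}: match identity must end with FVRF {fvrf}")
    ipsec_fvrf = {n: profile_fvrf.get(arg(l, "set isakmp-profile ")) for n, l in of("crypto ipsec profile").items()}
    for name, lines in of("interface").items():
        prot = next((l.split() for l in lines if l.startswith("tunnel protection ipsec profile ")), None)
        if not prot:
            continue  # not an IPsec-protected tunnel
        users.setdefault(prot[4], []).append((name, "shared" in prot))
        if not (arg(lines, "vrf forwarding ") or arg(lines, "ip vrf forwarding ")):
            out.append(f"{name}: missing 'vrf forwarding <ivrf>'")
        if arg(lines, "tunnel vrf ") != ipsec_fvrf.get(prot[4]):  # tunnel vrf == keyring FVRF
            out.append(f"{name}: 'tunnel vrf' must be the keyring FVRF {ipsec_fvrf.get(prot[4])}")
    for ipsec, tunnels in users.items():  # one profile on several tunnels needs 'shared'
        out += [f"{t}: profile {ipsec} is used on {len(tunnels)} tunnels but lacks 'shared'"
                for t, shared in tunnels if len(tunnels) > 1 and not shared]
    return out
```

Running `audit(SAMPLE)` reports only the missing ‘shared’ on Tunnel102; feed it a pasted `show run` to check a real device.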

NHS Cluster

Please refer to the Cisco reference ‘DMVPN-Tunnel Health Monitoring and Recovery Backup NHS’ for an explanation of NHS clusters.

My lab example is as below:

SITE1

interface Tunnel101
vrf forwarding IVRF #define the VRF context of the tunnel (IVRF)
ip address 172.16.101.5 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication GREEN #NHRP authentication password (a plain string)
ip nhrp map multicast 200.1.1.1
ip nhrp map multicast 200.1.1.2
ip nhrp map 172.16.101.1 200.1.1.1 #the SPOKE requires static mappings to the HUBs: static tunnels between HUB and SPOKE, dynamic tunnels between SPOKE and SPOKE
ip nhrp map 172.16.101.2 200.1.1.2
ip nhrp network-id 101 #define the DMVPN domain
ip nhrp holdtime 300

# Define NHS priority and cluster on the SPOKE. If no cluster number is specified, the default cluster is 0. The default priority is 0, which is the most preferred NHS. In the following example, 172.16.101.1 is preferred over 172.16.101.2. ‘max-connections 2’ allows concurrent tunnels to both 172.16.101.1 and 172.16.101.2. The Cisco reference ‘DMVPN-Tunnel Health Monitoring and Recovery Backup NHS’ explains the fallback time.

ip nhrp nhs 172.16.101.1 cluster 1
ip nhrp nhs 172.16.101.2 priority 2 cluster 1
ip nhrp nhs cluster 1 max-connections 2
ip nhrp nhs fallback 25

ip nhrp shortcut #DMVPN Phase 3: enables dynamic SPOKE-to-SPOKE tunnels
ip ospf network point-to-multipoint #Phase 3 OSPF point-to-multipoint
ip ospf 1 area 0
ip ospf cost 101
tunnel source GigabitEthernet1/0
tunnel mode gre multipoint
tunnel key 101 #DMVPN tunnel key, integer <0-4294967295>
tunnel vrf FVRF #VRF of the tunnel source interface (g1/0)
tunnel protection ipsec profile IVRF-ipsec-prof shared #IPSEC profile applied to the tunnel interface
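To make the priority, cluster, max-connections and fallback semantics concrete, here is an added Python model (not from the original post or from Cisco) that parses the spoke's `ip nhrp nhs` lines and computes which NHSs the spoke keeps registered with, then replays a hub outage and recovery. It assumes the IOS defaults the post states (priority 0 is most preferred, cluster 0 by default), that all members are active when no max-connections is configured, and that a recovered NHS is only preferred again once the fallback timer has expired; the input lines are constructed from this post's Tunnel101.

```python
import re

# Constructed input: the spoke-side NHS lines this post explains (indentation stripped).
SPOKE_TUNNEL = """
ip nhrp nhs 172.16.101.1 cluster 1
ip nhrp nhs 172.16.101.2 priority 2 cluster 1
ip nhrp nhs cluster 1 max-connections 2
ip nhrp nhs fallback 25
"""
NHS_RE = re.compile(r"^ip nhrp nhs (\d+(?:\.\d+){3})(?: priority (\d+))?(?: cluster (\d+))?")
MAX_RE = re.compile(r"^ip nhrp nhs cluster (\d+) max-connections (\d+)")
FALLBACK_RE = re.compile(r"^ip nhrp nhs fallback (\d+)")

def parse_nhs(text):
    """Build ({cluster: {"members": [(priority, ip)], "max": n}}, fallback_seconds).
    Defaults as in IOS: priority 0 (most preferred) and cluster 0. With no
    max-connections every member stays active; that is this model's assumption."""
    clusters, fallback = {}, 0
    for line in (raw.strip() for raw in text.splitlines()):
        if m := NHS_RE.match(line):
            ip, prio, cl = m.group(1), int(m.group(2) or 0), int(m.group(3) or 0)
            clusters.setdefault(cl, {"members": [], "max": None})["members"].append((prio, ip))
        elif m := MAX_RE.match(line):
            clusters.setdefault(int(m.group(1)), {"members": [], "max": None})["max"] = int(m.group(2))
        elif m := FALLBACK_RE.match(line):
            fallback = int(m.group(1))
    return clusters, fallback

def active_nhs(clusters, down=frozenset()):
    """NHSs the spoke keeps registered with, per cluster, most preferred first:
    members sorted by priority, skipping any that are down, cut at max-connections."""
    plan = {}
    for cl, c in clusters.items():
        up = [ip for prio, ip in sorted(c["members"]) if ip not in down]
        plan[cl] = up if c["max"] is None else up[:c["max"]]
    return plan

def failover_timeline(clusters, fallback, events):
    """Replay (time, ip, 'down'|'up') events; returns [(time, active plan)] at each change.
    A recovered NHS is only used again `fallback` seconds after it came back (modelled
    assumption); the model does not handle a second outage inside that window."""
    down, timeline, queue = set(), [], sorted(events)
    while queue:
        t, ip, state = queue.pop(0)
        if state == "down":
            down.add(ip)
        elif state == "up":  # schedule the return to this NHS after the fallback timer
            queue.append((t + fallback, ip, "restore"))
            queue.sort()
            continue
        else:
            down.discard(ip)
        timeline.append((t, active_nhs(clusters, down)))
    return timeline
```

With this post's ‘max-connections 2’ both hubs are active at once; lowering it to 1 turns 172.16.101.2 into a pure standby that takes over only while 172.16.101.1 is down, and the spoke returns to 172.16.101.1 25 seconds after it comes back.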

Full Configuration

DC1-R1

DC1-R1#show run
Building configuration...
Current configuration : 3405 bytes
!
! Last configuration change at 21:02:29 UTC Fri May 20 2016
upgrade fpd auto
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname DC1-R1
!
boot-start-marker
boot-end-marker
!
vrf definition FVRF
!
address-family ipv4
exit-address-family
!
vrf definition IVRF
!
address-family ipv4
exit-address-family
!
no aaa new-model
no ip icmp rate-limit unreachable
!
no ip domain lookup
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
redundancy
!
ip tcp synwait-time 5
!
crypto keyring FVRF vrf FVRF
pre-shared-key address 200.1.1.0 255.255.255.0 key Cisco
crypto keyring IVRF vrf IVRF
pre-shared-key address 172.16.101.0 255.255.255.0 key Cisco
!
crypto isakmp policy 101
encr aes
hash sha256
authentication pre-share
group 2
crypto isakmp profile IVRF-ike-prof
keyring FVRF
match identity address 200.1.1.0 255.255.255.0 FVRF
local-address GigabitEthernet1/0
!
crypto ipsec transform-set IVRF esp-aes esp-sha256-hmac
mode tunnel
!
crypto ipsec profile IVRF-ipsec-prof
set transform-set IVRF
set isakmp-profile IVRF-ike-prof
!
interface Loopback1
vrf forwarding IVRF
ip address 1.1.1.1 255.255.255.255
ip ospf 1 area 0
!
interface Tunnel101
vrf forwarding IVRF
ip address 172.16.101.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication GREEN
ip nhrp map multicast dynamic
ip nhrp network-id 101
ip nhrp holdtime 300
ip nhrp redirect
ip ospf network point-to-multipoint
ip ospf 1 area 0
ip ospf cost 101
tunnel source GigabitEthernet1/0
tunnel mode gre multipoint
tunnel key 101
tunnel vrf FVRF
tunnel protection ipsec profile IVRF-ipsec-prof shared
!
interface Tunnel102
vrf forwarding IVRF
ip address 172.16.102.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication BLUE
ip nhrp map multicast 200.1.1.3
ip nhrp map multicast 200.1.1.4
ip nhrp map 172.16.102.3 200.1.1.3
ip nhrp map 172.16.102.4 200.1.1.4
ip nhrp network-id 102
ip nhrp holdtime 300
ip nhrp nhs 172.16.102.3 cluster 1
ip nhrp nhs 172.16.102.4 priority 2 cluster 1
ip nhrp nhs cluster 1 max-connections 2
ip nhrp nhs fallback 25
ip nhrp shortcut
ip ospf network point-to-multipoint
ip ospf 1 area 0
ip ospf cost 102
tunnel source GigabitEthernet1/0
tunnel mode gre multipoint
tunnel key 102
tunnel vrf FVRF
tunnel protection ipsec profile IVRF-ipsec-prof shared
!
interface Ethernet0/0
no ip address
shutdown
duplex auto
!
interface GigabitEthernet0/0
no ip address
shutdown
duplex full
speed 1000
media-type gbic
negotiation auto
!
interface GigabitEthernet1/0
vrf forwarding FVRF
ip address 200.1.1.1 255.255.255.0
negotiation auto
!
interface GigabitEthernet2/0
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet3/0
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet4/0
no ip address
shutdown
negotiation auto
!
router ospf 1 vrf IVRF
router-id 1.1.1.1
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
no cdp log mismatch duplex
!
control-plane
!
mgcp profile default
!
gatekeeper
shutdown
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
transport input all
!
end

DC1-R2

DC1-R2#show run
Building configuration...
Current configuration : 3313 bytes
!
! Last configuration change at 21:04:47 UTC Fri May 20 2016
upgrade fpd auto
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname DC1-R2
!
boot-start-marker
boot-end-marker
!
vrf definition FVRF
!
address-family ipv4
exit-address-family
!
vrf definition IVRF
!
address-family ipv4
exit-address-family
!
no aaa new-model
no ip icmp rate-limit unreachable
!
no ip domain lookup
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
redundancy
!
ip tcp synwait-time 5
!
crypto keyring FVRF vrf FVRF
pre-shared-key address 200.1.1.0 255.255.255.0 key Cisco
!
crypto isakmp policy 101
encr aes
hash sha256
authentication pre-share
group 2
crypto isakmp profile IVRF-ike-prof
keyring FVRF
match identity address 200.1.1.0 255.255.255.0 FVRF
local-address GigabitEthernet1/0
!
crypto ipsec transform-set IVRF esp-aes esp-sha256-hmac
mode tunnel
!
crypto ipsec profile IVRF-ipsec-prof
set transform-set IVRF
set isakmp-profile IVRF-ike-prof
!
interface Loopback1
vrf forwarding IVRF
ip address 2.2.2.2 255.255.255.255
ip ospf 1 area 0
!
interface Tunnel101
vrf forwarding IVRF
ip address 172.16.101.2 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication GREEN
ip nhrp map multicast dynamic
ip nhrp network-id 101
ip nhrp holdtime 300
ip nhrp redirect
ip ospf network point-to-multipoint
ip ospf 1 area 0
ip ospf cost 101
tunnel source GigabitEthernet1/0
tunnel mode gre multipoint
tunnel key 101
tunnel vrf FVRF
tunnel protection ipsec profile IVRF-ipsec-prof shared
!
interface Tunnel102
vrf forwarding IVRF
ip address 172.16.102.2 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication BLUE
ip nhrp map multicast 200.1.1.3
ip nhrp map multicast 200.1.1.4
ip nhrp map 172.16.102.3 200.1.1.3
ip nhrp map 172.16.102.4 200.1.1.4
ip nhrp network-id 102
ip nhrp holdtime 300
ip nhrp nhs 172.16.102.3 cluster 1
ip nhrp nhs 172.16.102.4 priority 2 cluster 1
ip nhrp nhs cluster 1 max-connections 2
ip nhrp nhs fallback 25
ip nhrp shortcut
ip ospf network point-to-multipoint
ip ospf 1 area 0
ip ospf cost 102
tunnel source GigabitEthernet1/0
tunnel mode gre multipoint
tunnel key 102
tunnel vrf FVRF
tunnel protection ipsec profile IVRF-ipsec-prof shared
!
interface Ethernet0/0
no ip address
shutdown
duplex auto
!
interface GigabitEthernet0/0
no ip address
shutdown
duplex full
speed 1000
media-type gbic
negotiation auto
!
interface GigabitEthernet1/0
vrf forwarding FVRF
ip address 200.1.1.2 255.255.255.0
negotiation auto
!
interface GigabitEthernet2/0
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet3/0
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet4/0
no ip address
shutdown
negotiation auto
!
router ospf 1 vrf IVRF
router-id 2.2.2.2
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
no cdp log mismatch duplex
!
control-plane
!
mgcp profile default
!
gatekeeper
shutdown
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
transport input all
!
end

DC2-R1

DC2-R1#show run
Building configuration...
Current configuration : 3313 bytes
!
! Last configuration change at 21:05:44 UTC Fri May 20 2016
upgrade fpd auto
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname DC2-R1
!
boot-start-marker
boot-end-marker
!
vrf definition FVRF
!
address-family ipv4
exit-address-family
!
vrf definition IVRF
!
address-family ipv4
exit-address-family
!
no aaa new-model
no ip icmp rate-limit unreachable
!
no ip domain lookup
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
redundancy
!
ip tcp synwait-time 5
!
crypto keyring FVRF vrf FVRF
pre-shared-key address 200.1.1.0 255.255.255.0 key Cisco
!
crypto isakmp policy 101
encr aes
hash sha256
authentication pre-share
group 2
crypto isakmp profile IVRF-ike-prof
keyring FVRF
match identity address 200.1.1.0 255.255.255.0 FVRF
local-address GigabitEthernet1/0
!
crypto ipsec transform-set IVRF esp-aes esp-sha256-hmac
mode tunnel
!
crypto ipsec profile IVRF-ipsec-prof
set transform-set IVRF
set isakmp-profile IVRF-ike-prof
!
interface Loopback1
vrf forwarding IVRF
ip address 3.3.3.3 255.255.255.255
ip ospf 1 area 0
!
interface Tunnel101
vrf forwarding IVRF
ip address 172.16.101.3 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication GREEN
ip nhrp map multicast 200.1.1.1
ip nhrp map multicast 200.1.1.2
ip nhrp map 172.16.101.1 200.1.1.1
ip nhrp map 172.16.101.2 200.1.1.2
ip nhrp network-id 101
ip nhrp holdtime 300
ip nhrp nhs 172.16.101.1 cluster 1
ip nhrp nhs 172.16.101.2 priority 2 cluster 1
ip nhrp nhs cluster 1 max-connections 2
ip nhrp nhs fallback 25
ip nhrp shortcut
ip ospf network point-to-multipoint
ip ospf 1 area 0
ip ospf cost 101
tunnel source GigabitEthernet1/0
tunnel mode gre multipoint
tunnel key 101
tunnel vrf FVRF
tunnel protection ipsec profile IVRF-ipsec-prof shared
!
interface Tunnel102
vrf forwarding IVRF
ip address 172.16.102.3 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication BLUE
ip nhrp map multicast dynamic
ip nhrp network-id 102
ip nhrp holdtime 300
ip nhrp redirect
ip ospf network point-to-multipoint
ip ospf 1 area 0
ip ospf cost 102
tunnel source GigabitEthernet1/0
tunnel mode gre multipoint
tunnel key 102
tunnel vrf FVRF
tunnel protection ipsec profile IVRF-ipsec-prof shared
!
interface Ethernet0/0
no ip address
shutdown
duplex auto
!
interface GigabitEthernet0/0
no ip address
shutdown
duplex full
speed 1000
media-type gbic
negotiation auto
!
interface GigabitEthernet1/0
vrf forwarding FVRF
ip address 200.1.1.3 255.255.255.0
negotiation auto
!
interface GigabitEthernet2/0
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet3/0
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet4/0
no ip address
shutdown
negotiation auto
!
router ospf 1 vrf IVRF
router-id 3.3.3.3
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
no cdp log mismatch duplex
!
control-plane
!
mgcp profile default
!
gatekeeper
shutdown
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
transport input all
!
end

DC2-R2

DC2-R2#show run
Building configuration...
Current configuration : 3313 bytes
!
! Last configuration change at 20:55:38 UTC Fri May 20 2016
upgrade fpd auto
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname DC2-R2
!
boot-start-marker
boot-end-marker
!
vrf definition FVRF
!
address-family ipv4
exit-address-family
!
vrf definition IVRF
!
address-family ipv4
exit-address-family
!
no aaa new-model
no ip icmp rate-limit unreachable
!
no ip domain lookup
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
redundancy
!
ip tcp synwait-time 5
!
crypto keyring FVRF vrf FVRF
pre-shared-key address 200.1.1.0 255.255.255.0 key Cisco
!
crypto isakmp policy 101
encr aes
hash sha256
authentication pre-share
group 2
crypto isakmp profile IVRF-ike-prof
keyring FVRF
match identity address 200.1.1.0 255.255.255.0 FVRF
local-address GigabitEthernet1/0
!
crypto ipsec transform-set IVRF esp-aes esp-sha256-hmac
mode tunnel
!
crypto ipsec profile IVRF-ipsec-prof
set transform-set IVRF
set isakmp-profile IVRF-ike-prof
!
interface Loopback1
vrf forwarding IVRF
ip address 4.4.4.4 255.255.255.255
ip ospf 1 area 0
!
interface Tunnel101
vrf forwarding IVRF
ip address 172.16.101.4 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication GREEN
ip nhrp map multicast 200.1.1.1
ip nhrp map multicast 200.1.1.2
ip nhrp map 172.16.101.1 200.1.1.1
ip nhrp map 172.16.101.2 200.1.1.2
ip nhrp network-id 101
ip nhrp holdtime 300
ip nhrp nhs 172.16.101.1 cluster 1
ip nhrp nhs 172.16.101.2 priority 2 cluster 1
ip nhrp nhs cluster 1 max-connections 2
ip nhrp nhs fallback 25
ip nhrp shortcut
ip ospf network point-to-multipoint
ip ospf 1 area 0
ip ospf cost 101
tunnel source GigabitEthernet1/0
tunnel mode gre multipoint
tunnel key 101
tunnel vrf FVRF
tunnel protection ipsec profile IVRF-ipsec-prof shared
!
interface Tunnel102
vrf forwarding IVRF
ip address 172.16.102.4 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication BLUE
ip nhrp map multicast dynamic
ip nhrp network-id 102
ip nhrp holdtime 300
ip nhrp redirect
ip ospf network point-to-multipoint
ip ospf 1 area 0
ip ospf cost 102
tunnel source GigabitEthernet1/0
tunnel mode gre multipoint
tunnel key 102
tunnel vrf FVRF
tunnel protection ipsec profile IVRF-ipsec-prof shared
!
interface Ethernet0/0
no ip address
shutdown
duplex auto
!
interface GigabitEthernet0/0
no ip address
shutdown
duplex full
speed 1000
media-type gbic
negotiation auto
!
interface GigabitEthernet1/0
vrf forwarding FVRF
ip address 200.1.1.4 255.255.255.0
negotiation auto
!
interface GigabitEthernet2/0
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet3/0
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet4/0
no ip address
shutdown
negotiation auto
!
router ospf 1 vrf IVRF
router-id 4.4.4.4
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
no cdp log mismatch duplex
!
control-plane
!
mgcp profile default
!
gatekeeper
shutdown
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
transport input all
!
end

Site1

Site1#show run
Building configuration...
Current configuration : 3660 bytes
!
! Last configuration change at 21:07:16 UTC Fri May 20 2016
upgrade fpd auto
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Site1
!
boot-start-marker
boot-end-marker
!
vrf definition FVRF
!
address-family ipv4
exit-address-family
!
vrf definition IVRF
!
address-family ipv4
exit-address-family
!
no aaa new-model
no ip icmp rate-limit unreachable
!
no ip domain lookup
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
redundancy
!
ip tcp synwait-time 5
!
crypto keyring FVRF vrf FVRF
pre-shared-key address 200.1.1.0 255.255.255.0 key Cisco
crypto keyring IVRF vrf IVRF
pre-shared-key address 172.16.101.0 255.255.255.0 key Cisco
!
crypto isakmp policy 101
encr aes
hash sha256
authentication pre-share
group 2
crypto isakmp profile IVRF-ike-prof
keyring FVRF
match identity address 200.1.1.0 255.255.255.0 FVRF
local-address GigabitEthernet1/0
!
crypto ipsec transform-set IVRF esp-aes esp-sha256-hmac
mode tunnel
!
crypto ipsec profile IVRF-ipsec-prof
set transform-set IVRF
set isakmp-profile IVRF-ike-prof
!
interface Loopback1
vrf forwarding IVRF
ip address 5.5.5.5 255.255.255.255
ip ospf 1 area 0
!
interface Tunnel101
vrf forwarding IVRF
ip address 172.16.101.5 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication GREEN
ip nhrp map multicast 200.1.1.1
ip nhrp map multicast 200.1.1.2
ip nhrp map 172.16.101.1 200.1.1.1
ip nhrp map 172.16.101.2 200.1.1.2
ip nhrp network-id 101
ip nhrp holdtime 300
ip nhrp nhs 172.16.101.1 cluster 1
ip nhrp nhs 172.16.101.2 priority 2 cluster 1
ip nhrp nhs cluster 1 max-connections 2
ip nhrp nhs fallback 25
ip nhrp shortcut
ip ospf network point-to-multipoint
ip ospf 1 area 0
ip ospf cost 101
tunnel source GigabitEthernet1/0
tunnel mode gre multipoint
tunnel key 101
tunnel vrf FVRF
tunnel protection ipsec profile IVRF-ipsec-prof shared
!
interface Tunnel102
vrf forwarding IVRF
ip address 172.16.102.5 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication BLUE
ip nhrp map multicast 200.1.1.3
ip nhrp map multicast 200.1.1.4
ip nhrp map 172.16.102.3 200.1.1.3
ip nhrp map 172.16.102.4 200.1.1.4
ip nhrp network-id 102
ip nhrp holdtime 300
ip nhrp nhs 172.16.102.3 cluster 1
ip nhrp nhs 172.16.102.4 priority 2 cluster 1
ip nhrp nhs cluster 1 max-connections 2
ip nhrp nhs fallback 25
ip nhrp shortcut
ip ospf network point-to-multipoint
ip ospf 1 area 0
ip ospf cost 102
tunnel source GigabitEthernet1/0
tunnel mode gre multipoint
tunnel key 102
tunnel vrf FVRF
tunnel protection ipsec profile IVRF-ipsec-prof shared
!
interface Ethernet0/0
no ip address
shutdown
duplex auto
!
interface GigabitEthernet0/0
no ip address
shutdown
duplex full
speed 1000
media-type gbic
negotiation auto
!
interface GigabitEthernet1/0
vrf forwarding FVRF
ip address 200.1.1.5 255.255.255.0
negotiation auto
!
interface GigabitEthernet2/0
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet3/0
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet4/0
no ip address
shutdown
negotiation auto
!
router ospf 1 vrf IVRF
router-id 5.5.5.5
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
no cdp log mismatch duplex
!
control-plane
!
mgcp profile default
!
gatekeeper
shutdown
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
transport input all
!
end

Site2

Site2#show run
Building configuration...
Current configuration : 3568 bytes
!
! Last configuration change at 21:08:07 UTC Fri May 20 2016
upgrade fpd auto
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Site2
!
boot-start-marker
boot-end-marker
!
vrf definition FVRF
!
address-family ipv4
exit-address-family
!
vrf definition IVRF
!
address-family ipv4
exit-address-family
!
no aaa new-model
no ip icmp rate-limit unreachable
!
no ip domain lookup
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
redundancy
!
ip tcp synwait-time 5
!
crypto keyring FVRF vrf FVRF
pre-shared-key address 200.1.1.0 255.255.255.0 key Cisco
!
crypto isakmp policy 101
encr aes
hash sha256
authentication pre-share
group 2
crypto isakmp profile IVRF-ike-prof
keyring FVRF
match identity address 200.1.1.0 255.255.255.0 FVRF
local-address GigabitEthernet1/0
!
crypto ipsec transform-set IVRF esp-aes esp-sha256-hmac
mode tunnel
!
crypto ipsec profile IVRF-ipsec-prof
set transform-set IVRF
set isakmp-profile IVRF-ike-prof
!
interface Loopback1
vrf forwarding IVRF
ip address 6.6.6.6 255.255.255.255
ip ospf 1 area 0
!
interface Tunnel101
vrf forwarding IVRF
ip address 172.16.101.6 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication GREEN
ip nhrp map multicast 200.1.1.1
ip nhrp map multicast 200.1.1.2
ip nhrp map 172.16.101.1 200.1.1.1
ip nhrp map 172.16.101.2 200.1.1.2
ip nhrp network-id 101
ip nhrp holdtime 300
ip nhrp nhs 172.16.101.1 cluster 1
ip nhrp nhs 172.16.101.2 priority 2 cluster 1
ip nhrp nhs cluster 1 max-connections 2
ip nhrp nhs fallback 25
ip nhrp shortcut
ip ospf network point-to-multipoint
ip ospf 1 area 0
ip ospf cost 101
tunnel source GigabitEthernet1/0
tunnel mode gre multipoint
tunnel key 101
tunnel vrf FVRF
tunnel protection ipsec profile IVRF-ipsec-prof shared
!
interface Tunnel102
vrf forwarding IVRF
ip address 172.16.102.6 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication BLUE
ip nhrp map multicast 200.1.1.3
ip nhrp map multicast 200.1.1.4
ip nhrp map 172.16.102.3 200.1.1.3
ip nhrp map 172.16.102.4 200.1.1.4
ip nhrp network-id 102
ip nhrp holdtime 300
ip nhrp nhs 172.16.102.3 cluster 1
ip nhrp nhs 172.16.102.4 priority 2 cluster 1
ip nhrp nhs cluster 1 max-connections 2
ip nhrp nhs fallback 25
ip nhrp shortcut
ip ospf network point-to-multipoint
ip ospf 1 area 0
ip ospf cost 102
tunnel source GigabitEthernet1/0
tunnel mode gre multipoint
tunnel key 102
tunnel vrf FVRF
tunnel protection ipsec profile IVRF-ipsec-prof shared
!
interface Ethernet0/0
no ip address
shutdown
duplex auto
!
interface GigabitEthernet0/0
no ip address
shutdown
duplex full
speed 1000
media-type gbic
negotiation auto
!
interface GigabitEthernet1/0
vrf forwarding FVRF
ip address 200.1.1.6 255.255.255.0
negotiation auto
!
interface GigabitEthernet2/0
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet3/0
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet4/0
no ip address
shutdown
negotiation auto
!
router ospf 1 vrf IVRF
router-id 6.6.6.6
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
no cdp log mismatch duplex
!
control-plane
!
mgcp profile default
!
gatekeeper
shutdown
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
transport input all
!
end
