I think I am really close to a solution, but the fvrf/ivrf seem to be all one or the other.
The set up is GETVPN-client connects to two networks, one in VRF RED, one on VRF WHITE on separate interfaces. Gi0/0 connects to a transparent firewall and has a default route out to another router.
Gi0/0 is in VRF FRVF and the KS (GETVPN-S1) is reachable over this VRF. ICMP and UDP/848 allowed through the transparent ASA and intermediate ASAs, and I can ping from the GM to the KS using VRF FVRF, so routing and firewalls are not the problem.
So far my config is:
GETVPN-Client#sh run int gi0/0 | b interf interface GigabitEthernet0/0 ip vrf forwarding FVRF ip address 10.1.2.254 255.255.255.0 end GETVPN-Client#sh run int lo 103 | b inter interface Loopback103 ip vrf forwarding RED ip address 10.1.103.1 255.255.255.0 crypto map G1-RED end GETVPN-Client#sh run int virtual-tem 3 | b inter interface Virtual-Template3 type tunnel ip vrf forwarding RED ip unnumbered Loopback103 tunnel source Loopback103 tunnel mode ipsec ipv4 tunnel destination 10.1.9.103 tunnel vrf FVRF tunnel protection ipsec profile GET-IPS-Profile-RED end GETVPN-Client#sh run | s crypto crypto keyring RED-G1 vrf RED pre-shared-key address 10.1.9.103 key CCIE crypto isakmp policy 10 encr 3des authentication pre-share group 2 crypto isakmp policy 20 encr aes 256 authentication pre-share group 2 crypto isakmp keepalive 10 crypto isakmp profile GET-ISAK-Profile-RED vrf RED keyring RED-G1 match identity address 10.1.9.103 255.255.255.255 FVRF virtual-template 3 crypto ipsec transform-set GET-TS esp-3des esp-sha-hmac mode transport crypto ipsec profile GET-IPS-Profile-RED set group G1-RED set transform-set GET-TS set isakmp-profile GET-ISAK-Profile-RED crypto gdoi group G1-RED identity number 103 server address ipv4 10.1.9.103 crypto map G1-RED isakmp-profile GET-ISAK-Profile-RED crypto map G1-RED 103 gdoi set group G1-RED crypto map G1-RED GETVPN-Client# GETVPN-Client#sh run | i ip route ip route vrf FVRF 0.0.0.0 0.0.0.0 10.1.2.1 GETVPN-Client# ip vrf FVRF rd 100:100 ip vrf RED rd 103:103 ip vrf WHITE rd 104:104Whatever I do, the GDOI registration wants to use either RED/RED for the fvrf/ivrf, or FVRF/FVRF.. for example:
GETVPN-Client(config-gkm-group)#do sh cry gdo | i ivr fvrf/ivrf : FVRF/FVRF GETVPN-Client(config-gkm-group)#no client registration interface gi0/0 GETVPN-Client(config-gkm-group)#do sh cry gdo | i ivr fvrf/ivrf : RED/RED GETVPN-Client(config-gkm-group)# GETVPN-Client(config-if)#tunnel sou gi0/0 GETVPN-Client(config-if)# GETVPN-Client(config-if)#do sh cry gdoi | i ivrf fvrf/ivrf : RED/RED GETVPN-Client(config-if)#crypto gdoi group G1-RED GETVPN-Client(config-gkm-group)#client reg in gi0/0 GETVPN-Client(config-gkm-group)#do sh cry gdoi | i ivrf fvrf/ivrf : FVRF/FVRF GETVPN-Client(config-gkm-group)#I am sure it can be done, and what I need is for the fvrf to be FVRF and the ivrf to be RED, but I am having a really hard time finding supporting documentation - most have sub-interfaces on the Gi0/0 interface for the different VRFs... Been trying this since Saturday night! I am pretty sure I am only one "no" command away from a solution, but it's baffling me!
Hoping someone might have an idea!
Let's make it interesting, without a) creating sub-interfaces for the VRFs, or b) making other IP addressing/topological changes, see if you can get this to work, you won't need to replicate the entire setup, in fact it only needs two routers LON-1 with gi0/1 set with the IP address 10.1.2.1/24, and GETVPN-Client with Gi0/0 in VRF FVRF with the IP address 10.1.2.254, and a static default route to LON-1.
The first correct answer/solution will win a £5 Amazon voucher!