Overview

In VRF-aware DMVPN with FVRF, a new site is to be added. Here is an example of a router configuration for a new site. A series of configurations related to VRF-aware DMVPNs all together.

Network Diagram

Consider the following network diagram. The underlay network in this network diagram is not the Internet, but is assumed to be the Internet. R31 is the router of the newly added base.

Figure DMVPN with FVRF Configuration Example Part2
Figure DMVPN with FVRF Configuration Example Part2

Configuration conditions

Build DMVPN overlay network among R11/R21/R31. R11 as NHS (Next Hop Server) and R21/R31 as NHC (Next Hop Client). Then, separate the overlay network from the underlay network with VRF; as VRF, configure the following

RouterVRF nameRDInterface
R11FVRF65001:100Lo0
Eth0/0
 IVRF65001:200Tunnel0
Eth0/1
R21FVRF65001:100Lo0
Eth0/0
 IVRF65001:200Tunnel0
Eth0/1
R31FVRF65001:100Lo0
Eth0/0
 IVRF65001:200Tunnel0
Lo31
Table VRF

In addition, the address ranges of IVRF in the overlay network and FVRF in the underlay network do not overlap. IVRF is addressing with Class B private addresses such as 172.16.x.x and 172.17.x.x and 172.18.x.x. And FVRF is addressing with class A private addresses of 10.x.x.x.

As routing protocols, IVRF uses EIGRP and FVRF uses OSPF.

Address RangeRouting Protocol
Overlay Network(IVRF)172.16.0.0/16
172.17.0.0/16
172.18.0.0/16
172.19.31.0/24
EIGRP
Underlay Network(FVRF)10.0.0.0/8OSPF
Table VRF Routing
Figure VRF Routing
Figure VRF Routing

Overlay network data is encrypted with IPSec and transferred over the underlay network. The various IPSec parameters are as follows

Encryption algorithm3DES
Hash AlgorithmMD5
Peer AuthenticationPSK
DH group2
Table IKE Phase1 ISAKMP SA

Security protocolESP
Encryption algorithm 3DES
Hash Algorithm MD5
Table IKE Phase2 IPSec SA

Initial Configuration

Starting with all configurations completed except for the newly added R31, only the hostname is configured for R31. The DMVPN-related settings for each router are as follows

R11 Configuration Excerpts (Click)

hostname R11
!
ip vrf FVRF
 rd 65001:100
!
ip vrf IVRF
 rd 65001:200
!
crypto keyring KEY vrf FVRF
  pre-shared-key address 0.0.0.0 0.0.0.0 key cisco
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
 mode transport
!
crypto ipsec profile IPSEC
 set transform-set TS
!
interface Loopback0
 ip vrf forwarding FVRF
 ip address 10.0.0.11 255.255.255.255
!
interface Tunnel0
 ip vrf forwarding IVRF
 ip address 172.16.0.11 255.255.255.0
 no ip redirects
 ip nhrp map multicast dynamic
 ip nhrp network-id 1000
 tunnel source Loopback0
 tunnel mode gre multipoint
 tunnel vrf FVRF
!
interface Ethernet0/0
 ip vrf forwarding FVRF
 ip address 10.0.11.11 255.255.255.0
!
interface Ethernet0/1
 ip vrf forwarding IVRF
 ip address 172.17.0.11 255.255.255.0
!
router eigrp 1
 !
 address-family ipv4 vrf IVRF autonomous-system 1
  network 172.16.0.0
  network 172.17.0.0
 exit-address-family
 eigrp router-id 11.11.11.11
!
router ospf 1 vrf FVRF
 router-id 11.11.11.11
 network 10.0.0.11 0.0.0.0 area 0
 network 10.0.11.11 0.0.0.0 area 0

R21 Configuration Excerpts (Click)

hostname R21
!
ip vrf FVRF
 rd 65100:100
!
ip vrf IVRF
 rd 65100:200
!
crypto keyring KEY vrf FVRF
  pre-shared-key address 0.0.0.0 0.0.0.0 key cisco
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
 mode transport
!
crypto ipsec profile IPSEC
 set transform-set TS
!
interface Loopback0
 ip vrf forwarding FVRF
 ip address 10.0.0.21 255.255.255.255
!
interface Tunnel0
 ip vrf forwarding IVRF
 ip address 172.16.0.21 255.255.255.0
 no ip redirects
 ip nhrp map 172.16.0.11 10.0.0.11
 ip nhrp map multicast 10.0.0.11
 ip nhrp network-id 1000
 ip nhrp nhs 172.16.0.11
 tunnel source Loopback0
 tunnel mode gre multipoint
 tunnel vrf FVRF
!
interface Ethernet0/0
 ip vrf forwarding FVRF
 ip address 10.0.21.21 255.255.255.0
!
interface Ethernet0/1
 ip vrf forwarding IVRF
 ip address 172.18.0.21 255.255.255.0
!
router eigrp 1
 !
 address-family ipv4 vrf IVRF autonomous-system 1
  network 172.16.0.0
  network 172.18.0.0
 exit-address-family
 eigrp router-id 21.21.21.21
!
router ospf 1 vrf FVRF
 router-id 21.21.21.21
 network 10.0.0.21 0.0.0.0 area 0
 network 10.0.21.21 0.0.0.0 area 0

R12 Configuration Excerpts (Click)

hostname R12
!
interface Loopback0
 ip address 172.17.12.12 255.255.255.0
 ip ospf network point-to-point
!
interface Ethernet0/0
 ip address 172.17.0.12 255.255.255.0
!
router eigrp 1
 network 172.17.0.0
 eigrp router-id 12.12.12.12

R22 Configuration Excerpts (Click)

hostname R22
!
interface Loopback0
 ip address 172.18.22.22 255.255.255.0
 ip ospf network point-to-point
!
interface Ethernet0/0
 ip address 172.18.0.22 255.255.255.0
!
router eigrp 1
 network 172.18.0.0
 eigrp router-id 22.22.22.22

UL1 Configuration Excerpts (Click)

hostname UL1
!
interface Ethernet0/0
 ip address 10.0.11.1 255.255.255.0
!
interface Ethernet0/1
 ip address 10.0.0.1 255.255.255.0
!
interface Ethernet0/2
 ip address 10.0.31.1 255.255.255.0
!
router ospf 1
 router-id 1.1.1.1
 network 10.0.0.0 0.255.255.255 area 0

UL2 Configuration Excerpts (Click)

hostname UL2
!
interface Ethernet0/0
 ip address 10.0.21.2 255.255.255.0
!
interface Ethernet0/1
 ip address 10.0.0.2 255.255.255.0
!
router ospf 1
 router-id 2.2.2.2
 network 10.0.0.0 0.255.255.255 area 0

Configuration and Verification

Step1: R31 Underlay Network (FVRF) Configuration

Configure an underlay network for actual data transfer on R31. Create an FVRF for the underlay network and assign appropriate interfaces to the FVRF. Then, use OSPF for routing.

R31 Underlay Network (FVRF) Configuration

ip vrf FVRF
 rd 65001:100
!
interface Loopback0
 ip vrf forwarding FVRF
 ip address 10.0.0.31 255.255.255.255
!
interface Ethernet0/0
 ip vrf forwarding FVRF
 ip address 10.0.31.31 255.255.255.0
!
router ospf 1 vrf FVRF
 router-id 31.31.31.31
 network 10.0.0.31 0.0.0.0 area 0
 network 10.0.31.31 0.0.0.0 area 0
Figure R31 Underlay Network (FVRF) Configuration
Figure R31 Underlay Network (FVRF) Configuration

Step2: R31 Underlay Network (FVRF) Verification

Verify that the underlay network configuration on R31 is working properly. Use the following show command.

  • show ip vrf detail
  • show ip route vrf FVRF

R31 Underlay Network (FVRF) Verification

R31#show ip vrf detail
VRF FVRF (VRF Id = 1); default RD 65001:100; default VPNID 
  Old CLI format, supports IPv4 only
  Flags: 0xC
  Interfaces:
    Lo0                      Et0/0
Address family ipv4 unicast (Table ID = 0x1):
  Flags: 0x0
  No Export VPN route-target communities
  No Import VPN route-target communities
  No import route-map
  No global export route-map
  No export route-map
  VRF label distribution protocol: not configured
  VRF label allocation mode: per-prefix


R31#show ip route vrf FVRF

Routing Table: FVRF
-- omitted --

Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 8 subnets, 2 masks
O        10.0.0.0/24 [110/20] via 10.0.31.1, 00:00:50, Ethernet0/0
O        10.0.0.11/32 [110/21] via 10.0.31.1, 00:00:50, Ethernet0/0
O        10.0.0.21/32 [110/31] via 10.0.31.1, 00:00:40, Ethernet0/0
C        10.0.0.31/32 is directly connected, Loopback0
O        10.0.11.0/24 [110/20] via 10.0.31.1, 00:00:50, Ethernet0/0
O        10.0.21.0/24 [110/30] via 10.0.31.1, 00:00:40, Ethernet0/0
C        10.0.31.0/24 is directly connected, Ethernet0/0
L        10.0.31.31/32 is directly connected, Ethernet0/0

Now R31 can communicate with R11/R21 through the underlay network.

R31 Underlay Network Communication

R31#ping vrf FVRF 10.0.0.11 source 10.0.0.31
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.11, timeout is 2 seconds:
Packet sent with a source address of 10.0.0.31
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
R31#ping vrf FVRF 10.0.0.21 source 10.0.0.31
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.21, timeout is 2 seconds:
Packet sent with a source address of 10.0.0.31
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

Step3: R31 Overlay Network (IVRF) Configuration Part1

Create IVRF for overlay network on R31. Also, create Tunnel0. For the moment, only IP address 172.16.0.31/24 for the overlay network is configured for Tunnel0, and NHRP will be discussed later.

Then, assign Tunnel0 and Lo31 as interfaces for IVRF. The data of Tunnel0 is actually forwarded through FVRF. Associate Tunnel0 with FVRF with the tunnel vrf command.

R31 Overlay Network (IVRF) Configuration Part1

ip vrf IVRF
 rd 65001:200
!
interface Loopback31
 ip vrf forwarding IVRF
 ip address 172.19.31.31 255.255.255.0
!
interface Tunnel0
 ip vrf forwarding IVRF
 ip address 172.16.0.31 255.255.255.0
 tunnel source Loopback0
 tunnel vrf FVRF

Figure R31 Overlay Network (FVRF) Configuration Part1
Figure R31 Overlay Network (FVRF) Configuration Part1

Step4: R31 Overlay Network (IVRF) Configuration Part2

Make Tunnel0 of R31 an mGRE. R31 is the NHC (Next Hop Client); configure R11 (IVRF) as the NHS. In addition, encapsulate the multicast packets with the underlay address (FVRF) of R11 (IVRF) so that they can be forwarded to R11 (IVRF).

R31 Overlay Network (IVRF) Configuration Part2

interface Tunnel0
 ip nhrp map multicast 10.0.0.11
 ip nhrp map 172.16.0.11 10.0.0.11
 ip nhrp network-id 1000
 ip nhrp nhs 172.16.0.11
 tunnel mode gre multipoint
Figure R31 Overlay Network (FVRF) Configuration Part2
Figure R31 Overlay Network (FVRF) Configuration Part2

これでmGREのNHRPの設定は完了です。

Step5: R31 Overlay Network (IVRF) Configuration Part3

Now all the data on R31’s Tunnel0 is encrypted with IPSec. When communicating in IKE Phase 1, it is based on FVRF; specify the FVRF when configuring the pre-shared key in crypto keyring.

R31 Overlay Network (IVRF) Configuration Part3

crypto keyring KEY vrf FVRF
  pre-shared-key address 0.0.0.0 0.0.0.0 key cisco
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
 mode transport
!
crypto ipsec profile IPSEC
 set transform-set TS
!
interface Tunnel0
 tunnel protection ipsec profile IPSEC

This completes the configuration of the overlay network (IVRF) for R31.

Step6: R31 Overlay Network (IVRF) Verification

Verify that the mGRE configuration for Tunnel 0 is working properly on R31. Use the following show command.

  • show ip vrf detail IVRF
  • show interface tunnel0
  • show ip nhrp
  • show dmvpn

R31 Overlay Network (IVRF) Verification

R31#show ip vrf detail IVRF
VRF IVRF (VRF Id = 2); default RD 65001:200; default VPNID 
  Old CLI format, supports IPv4 only
  Flags: 0xC
  Interfaces:
    Lo31                     Tu0
Address family ipv4 unicast (Table ID = 0x2):
  Flags: 0x0
  No Export VPN route-target communities
  No Import VPN route-target communities
  No import route-map
  No global export route-map
  No export route-map
  VRF label distribution protocol: not configured
  VRF label allocation mode: per-prefix

R31#show interfaces tunnel 0
Tunnel0 is up, line protocol is up
  Hardware is Tunnel
  Internet address is 172.16.0.31/24
  MTU 17916 bytes, BW 100 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel linestate evaluation up
  Tunnel source 10.0.0.31 (Loopback0)
   Tunnel Subblocks:
      src-track:
         Tunnel0 source tracking subblock associated with Loopback0
          Set of tunnels with source Loopback0, 1 member (includes iterators), on interface 
  Tunnel protocol/transport multi-GRE/IP
    Key disabled, sequencing disabled
    Checksumming of packets disabled
  Tunnel TTL 255, Fast tunneling enabled
  Tunnel transport MTU 1476 bytes
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Tunnel protection via IPSec (profile "IPSEC")
-- omitted --
R31#show ip nhrp
172.16.0.11/32 (IVRF) via 172.16.0.11
   Tunnel0 created 00:50:23, never expire
   Type: static, Flags: used
   NBMA address: 10.0.0.11
R31#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        T1 - Route Installed, T2 - Nexthop-override
        C - CTS Capable
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel0, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 10.0.0.11           172.16.0.11    UP 00:49:21     S

Also verify that communication with R11/R21 in the overlay network is possible.

R31 Overlay network (IVRF) communication verification

R31#ping vrf IVRF 172.16.0.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.11, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/5/5 ms
R31#ping vrf IVRF 172.16.0.21
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.21, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 6/9/18 ms
R31#show ip nhrp
172.16.0.11/32 (IVRF) via 172.16.0.11
   Tunnel0 created 00:52:17, never expire
   Type: static, Flags: used
   NBMA address: 10.0.0.11
172.16.0.21/32 (IVRF) via 172.16.0.21
   Tunnel0 created 00:00:04, expire 01:59:55
   Type: dynamic, Flags: router used nhop
   NBMA address: 10.0.0.21
172.16.0.31/32 (IVRF) via 172.16.0.31
   Tunnel0 created 00:00:04, expire 01:59:55
   Type: dynamic, Flags: router unique local
   NBMA address: 10.0.0.31
    (no-socket)
R31#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        T1 - Route Installed, T2 - Nexthop-override
        C - CTS Capable
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel0, IPv4 NHRP Details
Type:Spoke, NHRP Peers:2,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 10.0.0.11           172.16.0.11    UP 00:51:16     S
     1 10.0.0.21           172.16.0.21    UP 00:00:07     D

When sending data from R31 to R21, the underlay address of R21 is resolved in NHRP. Then, a DMVPN peer is dynamically established.

However, at this point, communication to 172.17.0.0/16 and 172.18.0.0/16 under R11/R21 via the overlay network is not possible. EIGRP must be configured on the overlay network.

Step7: R31 Overlay Network(IVRF) EIGRP Configuration

EIGRP routing in the overlay network (IVRF) of R31.

R31 Overlay Network(IVRF) EIGRP Configuration

router eigrp 1
 !
 address-family ipv4 vrf IVRF autonomous-system 1
  network 172.16.0.0
  network 172.19.0.0
 exit-address-family
 eigrp router-id 31.31.31.31
Figure  R31 Overlay Network(IVRF) EIGRP Configuration
Figure R31 Overlay Network(IVRF) EIGRP Configuration

Step8: R31 Overlay Network(IVRF) EIGRP Verification

Verify R31’s EIGRP configuration for the overlay network. Use the following show command.

  • show ip eigrp vrf IVRF neighbor
  • show ip route vrf IVRF

R31 Overlay Network(IVRF) EIGRP Verification

R31#show ip eigrp vrf IVRF neighbors
EIGRP-IPv4 Neighbors for AS(1) VRF(IVRF)
H   Address                 Interface              Hold Uptime   SRTT   RTO  Q  Seq
                                                   (sec)         (ms)       Cnt Num
0   172.16.0.11             Tu0                      13 00:02:06   58  1470  0  25
R31#show ip route vrf IVRF

Routing Table: IVRF
-- omitted --

Gateway of last resort is not set

      172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.16.0.0/24 is directly connected, Tunnel0
L        172.16.0.31/32 is directly connected, Tunnel0
      172.17.0.0/24 is subnetted, 2 subnets
D        172.17.0.0 [90/26905600] via 172.16.0.11, 00:02:10, Tunnel0
D        172.17.12.0 [90/27033600] via 172.16.0.11, 00:02:10, Tunnel0
      172.19.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.19.31.0/24 is directly connected, Loopback31
L        172.19.31.31/32 is directly connected, Loopback31

R31 is EIGRP neighbor with R11 only; it is not EIGRP neighbor with R21.

The mGRE tunnel is a non-broadcast multi-access network. The destination of multicast packets must be explicitly determined. To do so, the underlay address to encapsulate is configured with the ip nhrp map multicast command. R31 is only configured to forward multicast packets to R11; EIGRP Hello packets reach only R11. Therefore, R31 is EIGRP neighbor only with R11; the same is true for R21. In other words, from EIGRP’s point of view, the overlay network for mGRE tunnels is a hub-and-spoke topology centered on R11.

It is hub-and-spoke only from EIGRP’s perspective (multicast). Unicast communication is fully meshed by NHRP.

Figure mGRE Tunnel Multicast Configuration
Figure mGRE Tunnel Multicast Configuration

R11 does not advertise EIGRP routes received from R21 to R31 by split horizon. Similarly, EIGRP routes received from R31 are not advertised to R21. Communication with 172.17.0.0/16 under R11 is possible. However, communication with 172.18.0.0/16 under R21 and 172.19.0.0/16 under R31 is not possible.

R31 Communication Verification

R31#ping vrf IVRF 172.17.12.12 source 172.19.31.31
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.17.12.12, timeout is 2 seconds:
Packet sent with a source address of 172.19.31.31
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/5/7 ms
R31#ping vrf IVRF 172.18.22.22 source 172.19.31.31
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.18.22.22, timeout is 2 seconds:
Packet sent with a source address of 172.19.31.31
.....
Success rate is 0 percent (0/5)

If the ip nhrp map multicast command is added to allow multicast packets to be forwarded between R21/R31 in the NHC, then R21-R31 can also become an EIGRP neighbor and be fully meshed. However, if there are many NHCs, it would be complicated to configure ip nhrp map multicast to forward multicast packets between all NHCs.

Step9: Hub & Spoke EIGRP Configuration

Enables route information to be advertised using EIGRP in a hub-and-spoke topology with R11 as the hub. Disable split horizon on R11 Tunnel0 and do not change next hop.

Hub & Spoke EIGRP Configuration

interface Tunnel0
 no ip next-hop-self eigrp 1
 no ip split-horizon eigrp 1

With this configuration, EIGRP routes advertised from R21 (IVRF) will reach R31 (IVRF), and EIGRP routes advertised from R31 (IVRF) will reach R21 (IVRF) as well.

Figure Hub & Spoke EIGRP Configuration
Figure Hub & Spoke EIGRP Configuration

Step10: Hub & Spoke EIGRP Verification

Since EIGRP is configured as hub-and-spoke on R11, the routing table on R31 looks like this

R31 Routing Table

R31#show ip route vrf IVRF

Routing Table: IVRF
-- omitted --

Gateway of last resort is not set

      172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.16.0.0/24 is directly connected, Tunnel0
L        172.16.0.31/32 is directly connected, Tunnel0
      172.17.0.0/24 is subnetted, 2 subnets
D        172.17.0.0 [90/26905600] via 172.16.0.11, 00:07:45, Tunnel0
D        172.17.12.0 [90/27033600] via 172.16.0.11, 00:07:45, Tunnel0
      172.18.0.0/24 is subnetted, 2 subnets
D        172.18.0.0 [90/28185600] via 172.16.0.21, 00:07:45, Tunnel0
D        172.18.22.0 [90/28313600] via 172.16.0.21, 00:07:45, Tunnel0
      172.19.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.19.31.0/24 is directly connected, Loopback31
L        172.19.31.31/32 is directly connected, Loopback31

All configurations for adding a new site (R31) to DMVPN are now complete and correct.

Communication between R31 and R21 is also possible.

R31 Communication Verification

R31#ping vrf IVRF 172.17.12.12 source 172.19.31.31
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.17.12.12, timeout is 2 seconds:
Packet sent with a source address of 172.19.31.31
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/5/6 ms
R31#ping vrf IVRF 172.18.22.22 source 172.19.31.31
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.18.22.22, timeout is 2 seconds:
Packet sent with a source address of 172.19.31.31
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/7/10 ms

Configuration Summary

Here is a summary of the newly added R31 configurations.

R31 VRF-aware DMVPN

hostname R31
!
ip vrf FVRF
 rd 65001:100
!
ip vrf IVRF
 rd 65001:200
!
crypto keyring KEY vrf FVRF
  pre-shared-key address 0.0.0.0 0.0.0.0 key cisco
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
 mode transport
!
crypto ipsec profile IPSEC
 set transform-set TS
!
interface Loopback0
 ip vrf forwarding FVRF
 ip address 10.0.0.31 255.255.255.255
!
interface Loopback31
 ip vrf forwarding IVRF
 ip address 172.19.31.31 255.255.255.0
!
interface Tunnel0
 ip vrf forwarding IVRF
 ip address 172.16.0.31 255.255.255.0
 no ip redirects
 ip nhrp map multicast 10.0.0.11
 ip nhrp map 172.16.0.11 10.0.0.11
 ip nhrp network-id 1000
 ip nhrp nhs 172.16.0.11
 tunnel source Loopback0
 tunnel mode gre multipoint
 tunnel vrf FVRF
 tunnel protection ipsec profile IPSEC
!
interface Ethernet0/0
 ip vrf forwarding FVRF
 ip address 10.0.31.31 255.255.255.0
!
router eigrp 1
 !
 address-family ipv4 vrf IVRF autonomous-system 1
  network 172.16.0.0
  network 172.19.0.0
 exit-address-family
 eigrp router-id 31.31.31.31
!
router ospf 1 vrf FVRF
 router-id 31.31.31.31
 network 10.0.0.31 0.0.0.0 area 0
 network 10.0.31.31 0.0.0.0 area 0

And then there is the change in the EIGRP configuration on R11.

R11 Hub & Spoke EIGRP

interface Tunnel0
 no ip next-hop-self eigrp 1
 no ip split-horizon eigrp 1