Hi,
I’m trying to configure VRF-aware GETVPN. With FVRF global and IVRF set I don’t have any problems (communication between KS and GMs is in the global VRF, only ‘business’ traffic between GMs is tagged). I tried to set a VRF also for the KS and GM (interface for communication with KS) but it doesn’t work.
I found a Cisco example but it doesn’t work either - according to Cisco, the KS should be without VRF and GM traffic with a VRF tag:
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6525/ps9370/ps7180/deployment_guide_c07-624088.html
Is there a way to configure VRF for interfaces between KS and GMs? The attached configuration doesn’t work for me.
Appreciate any advice.
Hubert
Configuration:
-------------------------------------------------------------
R1:
-------------------------------------------------------------
conf t
hostname r1
!
ip vrf MNG
!
int gig0/0
no sh
ip vrf forw MNG
ip address 10.0.0.1 255.255.255.0
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
hash sh
!
crypto isakmp key cisco address 0.0.0.0
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
crypto ipsec profile IPSEC-PRF
set transform-set TS
!
crypto gdoi group GETVPN-GRP
identity number 1
server local
rekey lifetime seconds 86400
rekey retransmit 10 number 2
rekey transport unicast
sa ipsec 1
profile IPSEC-PRF
match address ipv4 101
address ipv4 10.0.0.1
!
!
access-list 101 deny udp any eq 848 any eq 848
access-list 101 permit ip any any
!
-------------------------------------------------------------
R2:
-------------------------------------------------------------
conf t
hostname r2
!
ip vrf MNG
!
ip vrf C1
!
int gig0/0
no sh
!
int gig0/0.1
ip vrf forwa MNG
encapsu dot1q 1
ip address 10.0.0.2 255.255.255.0
!
int gig0/0.2
ip vrf forw C1
encaps dot1q 20
ip address 20.0.0.2 255.255.255.0
!
int loop1
ip vrf forw C1
ip address 12.12.12.12 255.255.255.0
!
ip route vrf C1 13.13.13.13 255.255.255.255 20.0.0.3
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
hash sh
!
crypto isakmp key cisco address 0.0.0.0
!
!
crypto gdoi group GETVPN-GRP
identity number 1
server address ipv4 10.0.0.1
client registration interface gig0/0.1
!
crypto map MAPA 10 gdoi
set group GETVPN-GRP
!
interface Gig0/0.2
crypto map MAPA
!
!
-------------------------------------------------------------
R3:
-------------------------------------------------------------
conf t
hostname r3
!
ip vrf MNG
!
ip vrf C1
!
int gig0/0
no sh
!
int gig0/0.1
ip vrf forw MNG
encapsu dot1 1
ip address 10.0.0.3 255.255.255.0
!
int gig0/0.2
ip vrf forwa C1
encapsulat dot1q 20
ip address 20.0.0.3 255.255.255.0
!
int Loop1
ip vrf forwa C1
ip address 13.13.13.13 255.255.255.0
!
ip route vrf C1 12.12.12.12 255.255.255.255 20.0.0.2
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
hash sh
!
crypto isakmp key cisco address 0.0.0.0
!
!
crypto gdoi group GETVPN-GRP
identity number 1
server address ipv4 10.0.0.1
client registration interface gig0/0.1
!
crypto map MAPA 10 gdoi
set group GETVPN-GRP
!
interface gig0/0.2
crypto map MAPA
!
!