DMVPN no hub to spoke traffic

Unanswered Question
Sep 22nd, 2009


I'm having an issue with the setup of a DMVPN. I have one spoke router and 2 hub routers (R1 and R2).

When I configure the spoke router to connect to R1 everything works fine and an EIGRP neighbor is established.

When I do a similar setup to R2 the ipsec tunnel is UP-ACTIVE and I see a ping from the spoke router arriving at R2. R2 sends an echo-reply but the traffic isn't encrypted.

Has anybody seen this issue before?

Due to an IOS limitation I needed to use a crypto map on both hub routers since the ipsec profile with VRFs isn't supported yet...

Both hub routers are running the same IOS and are in hardware-identical machines (7206).

Giuseppe Larosa Tue, 09/22/2009 - 09:26

Hello Wim,

Sorry for the basic question; consider it just a starting point.

Basic question: is the ACL used to define what traffic to encrypt on the second hub router correct?

It may need some changes from the one on router hub1.

Hope to help


wim_depauw Tue, 09/22/2009 - 23:24

Hi Giuseppe,

Here's the config that will make troubleshooting a little bit easier:

ip vrf Argenta-GPRS
 rd 100:725

ip vrf Argenta-Kantoor
 rd 100:704

crypto keyring GPRS-RSA vrf Argenta-GPRS
 rsa-pubkey name

crypto isakmp policy 5
 encr aes 256
 hash md5
 group 2
 lifetime 1440

crypto isakmp profile Argenta-GPRS
 vrf Argenta-GPRS
 keyring GPRS-RSA
 self-identity fqdn
 match identity host

crypto ipsec transform-set Argenta-GPRS esp-aes 256 esp-md5-hmac

crypto ipsec profile Argenta-GPRS
 set transform-set Argenta-GPRS
 set isakmp-profile Argenta-GPRS

crypto dynamic-map Argenta-GPRS 10
 set transform-set Argenta-GPRS

interface Tunnel725
 ip vrf forwarding Argenta-Kantoor
 ip address
 no ip redirects
 ip mtu 1400
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp holdtime 300
 tunnel source FastEthernet0/1.725
 tunnel mode gre multipoint
 tunnel key 0
 tunnel vrf Argenta-GPRS

interface FastEthernet0/1.725
 description Argenta-GPRS
 encapsulation dot1Q 725
 ip vrf forwarding Argenta-GPRS
 ip address X.X.X.X
 crypto map Argenta-GPRS

crypto map Argenta-GPRS 10 ipsec-isakmp dynamic Argenta-GPRS


Output of show crypto ipsec:

AEDE_VR1_CR_-1#sho crypto ipsec sa interface fa0/1.725

interface: FastEthernet0/1.725
    Crypto map tag: Argenta-GPRS, local addr X.X.X.X

   protected vrf: Argenta-GPRS
   local ident (addr/mask/prot/port): (X.X.X.X/
   remote ident (addr/mask/prot/port): (
   current_peer port 500
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 79, #pkts decrypt: 79, #pkts verify: 79
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: X.X.X.X, remote crypto endpt.:
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1.725
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

As you can see, packets arrive and a debug icmp shows that a reply is sent, but nothing is encrypted. I did a debug ip packet and this shows that it is sending packets into tunnel 725.

PS: I replaced the fixed ip address of the hub by X.X.X.X just for security...
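
Added example, not part of the original posts: a small Python check that parses show crypto ipsec sa output and flags the condition visible in the output above, where packets are decapsulated from a peer while nothing is encapsulated toward it and the outbound SPI is 0x0. The sample text, the peer addresses and the function names are constructed for illustration.

```python
import re

# Constructed sample modelled on the counters quoted above; addresses are placeholders.
SAMPLE = """\
interface: FastEthernet0/1.725
    Crypto map tag: Argenta-GPRS, local addr 192.0.2.1
   protected vrf: Argenta-GPRS
   current_peer 198.51.100.7 port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 79, #pkts decrypt: 79, #pkts verify: 79
     current outbound spi: 0x0(0)
   protected vrf: Argenta-GPRS
   current_peer 198.51.100.9 port 500
    #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
    #pkts decaps: 118, #pkts decrypt: 118, #pkts verify: 118
     current outbound spi: 0x5A1C22F0(1511793392)
"""

PEER = re.compile(r"current_peer\s+(\S+)\s+port\s+(\d+)")
COUNT = re.compile(r"#pkts (encaps|decaps): (\d+)")
SPI = re.compile(r"current outbound spi: (0x[0-9A-Fa-f]+)")

def parse_sas(text):
    """Return one dict per current_peer block with its counters and outbound SPI."""
    sas = []
    for line in text.splitlines():
        m = PEER.search(line)
        if m:
            sas.append({"peer": m.group(1), "encaps": 0, "decaps": 0, "out_spi": 0})
            continue
        if not sas:
            continue  # header lines before the first peer block
        for name, value in COUNT.findall(line):
            sas[-1][name] = int(value)
        m = SPI.search(line)
        if m:
            sas[-1]["out_spi"] = int(m.group(1), 16)
    return sas

def one_way(sas):
    """Peers whose ESP is decrypted inbound while nothing is encrypted outbound."""
    findings = []
    for sa in sas:
        if sa["decaps"] > 0 and sa["encaps"] == 0:
            reason = "no outbound SA" if sa["out_spi"] == 0 else "outbound SA unused"
            findings.append((sa["peer"], reason))
    return findings

if __name__ == "__main__":
    print(one_way(parse_sas(SAMPLE)))
```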

