1090 Views, 0 Helpful, 0 Replies

Problems with DVTI and Easy-vpn

wim_depauw
Level 1

Hi,

I created a test setup with Easy VPN and DVTI between two 3725s. Although my tunnel comes up, I can't send a ping from the hub to the spoke. I did some troubleshooting and noticed the following:

When I ping from the server at the hub site, my packet isn't encrypted, and I receive an error message at the spoke site that an unencrypted packet was received which should have been encrypted.

When I ping from the client at the spoke to the server, the packet is encrypted in the spoke and decrypted in the hub router.

So the most logical conclusion is that there is something wrong at the hub, but I can't find out what the problem is....

Here is the config of both routers:

HUB router

-------------

Current configuration : 1936 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization network default local
!
!
aaa session-id common
memory-size iomem 5
ip cef   
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!        
!
!
!
username cisco privilege 15 password 0 cisco
archive
log config
  hidekeys
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10
!
crypto isakmp client configuration group cisco
key cisco
dns 6.0.0.2
wins 7.0.0.1
domain cisco.com
acl 101
crypto isakmp profile vi
   match identity group cisco
   isakmp authorization list default
!
!
crypto ipsec transform-set set esp-3des esp-sha-hmac
!
crypto ipsec profile vi
set transform-set set
set isakmp-profile vi
!
!
crypto dynamic-map dynmap 1
set transform-set set
!
!
crypto map dynmap isakmp authorization list default
crypto map dynmap client configuration address respond
crypto map dynmap 1 ipsec-isakmp dynamic dynmap
!
!
!
!
!        
!
!
interface FastEthernet0/0
ip address 10.149.0.221 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.2.1 255.255.255.0
duplex auto
speed auto
!
interface Virtual-Template1 type tunnel
ip unnumbered FastEthernet0/0
tunnel source FastEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile vi
!
ip local pool dpool 5.0.0.1 5.0.0.3
ip local pool dynpool 10.149.0.1 10.149.0.100
ip forward-protocol nd
ip route 192.168.1.2 255.255.255.255 10.149.0.220
!        
!
ip http server
no ip http secure-server
!
access-list 101 permit ip 192.168.2.0 0.0.0.255 any log
access-list 101 permit ip any any
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!        
line con 0
line aux 0
line vty 0 4
!
!
end

Spoke router

-------------------

R1# sho run
Building configuration...

Current configuration : 1228 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
!
!
!
multilink bundle-name authenticated
!        
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username cisco privilege 15 password 0 cisco
archive
log config
  hidekeys
!
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10
!
!
!
!
!
crypto ipsec client ezvpn ez
connect auto
group cisco key cisco
local-address FastEthernet0/0
mode network-extension
peer 10.149.0.221
virtual-interface 1
xauth userid mode interactive
!
!
!
!
!
!
!        
!
interface FastEthernet0/0
ip address 10.149.0.220 255.255.255.0
duplex auto
speed auto
crypto ipsec client ezvpn ez
!
interface FastEthernet0/1
ip address 192.168.1.4 255.255.255.0
duplex auto
speed auto
crypto ipsec client ezvpn ez inside
!
interface Virtual-Template1 type tunnel
no ip address
tunnel mode ipsec ipv4
!
ip forward-protocol nd
ip route 192.168.2.2 255.255.255.255 10.149.0.221
!
!
ip http server
no ip http secure-server
!
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
login
!        
!
end

HUB Troubleshooting

--------------------------------

R2#sho crypto session det
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection    
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication
F - IKE Fragmentation

Interface: Virtual-Access2
Profile: vi
Group: cisco
Uptime: 00:46:53
Session status: UP-ACTIVE    
Peer: 10.149.0.220 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: cisco
      Desc: (none)
  IKE SA: local 10.149.0.221/500 remote 10.149.0.220/500 Active
          Capabilities:CD connid:1007 lifetime:23:13:05
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 192.168.1.0/255.255.255.0
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 10 drop 0 life (KB/Sec) 4604343/786
        Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 4604345/786

Spoke troubleshooting

-------------------------------------

R1#sho crypto session det
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection    
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication
F - IKE Fragmentation

Interface: FastEthernet0/0
Uptime: 00:27:11
Session status: UP-ACTIVE    
Peer: 10.149.0.221 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: 10.149.0.221
      Desc: (none)
  IKE SA: local 10.149.0.220/500 remote 10.149.0.221/500 Active
          Capabilities:CD connid:1007 lifetime:23:32:23
  IPSEC FLOW: permit ip 192.168.1.0/255.255.255.0 0.0.0.0/0.0.0.0
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 4514884/1957
        Outbound: #pkts enc'ed 10 drop 0 life (KB/Sec) 4514882/1957

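The following script is an added example, not code from the original post or from Cisco. It takes the two "show crypto session detail" outputs quoted above plus the hub's routing lines as its sample input and turns the troubleshooting described in the post into three mechanical checks: whether a session's counters are one-way (decrypted on one side, nothing encrypted on the other), whether what one peer encrypts matches what the other decrypts per direction, and whether any static route into the protected remote subnet points at a plain IP next hop rather than a tunnel or virtual interface, which would steer packets onto the physical path where no crypto is applied. The regular expressions, the function names, and the assumption that interface next hops are named Tunnel/Virtual-Access/Virtual-Template are the example's own. On the quoted hub config the last check flags the /32 route for 192.168.1.2 via 10.149.0.220, which is the item a practitioner would verify next.

```python
import ipaddress
import re

# Sample input quoted from the post's own "show crypto session detail"
# output (R2 = hub, R1 = spoke); only the lines the parser uses are kept.
HUB_SESSION = """\
Interface: Virtual-Access2
Session status: UP-ACTIVE
Peer: 10.149.0.220 port 500 fvrf: (none) ivrf: (none)
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 192.168.1.0/255.255.255.0
        Inbound:  #pkts dec'ed 10 drop 0 life (KB/Sec) 4604343/786
        Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 4604345/786
"""
SPOKE_SESSION = """\
Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 10.149.0.221 port 500 fvrf: (none) ivrf: (none)
  IPSEC FLOW: permit ip 192.168.1.0/255.255.255.0 0.0.0.0/0.0.0.0
        Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 4514884/1957
        Outbound: #pkts enc'ed 10 drop 0 life (KB/Sec) 4514882/1957
"""
# Routing-related lines quoted from the hub (R2) configuration in the post.
HUB_CONFIG = """\
interface Virtual-Template1 type tunnel
 ip unnumbered FastEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile vi
!
ip route 192.168.1.2 255.255.255.255 10.149.0.220
"""

# Patterns are this example's own assumptions about the IOS output layout.
FLOW_RE = re.compile(r"IPSEC FLOW: permit ip (\S+)/(\S+) (\S+)/(\S+)")
COUNTER_RE = re.compile(r"(Inbound|Outbound):\s+#pkts (?:dec|enc)'ed (\d+) drop (\d+)")
ROUTE_RE = re.compile(r"^ip route (\S+) (\S+) (\S+)", re.MULTILINE)
TUNNEL_IF_RE = re.compile(r"^(Tunnel|Virtual-Access|Virtual-Template)\d+$", re.IGNORECASE)


def parse_session(text):
    """Extract the protected flows (local_net, remote_net) and the
    per-direction (packets, drops) counters from one session dump."""
    flows = [
        (ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}"))
        for s, sm, d, dm in FLOW_RE.findall(text)
    ]
    counters = {
        direction.lower(): (int(pkts), int(drops))
        for direction, pkts, drops in COUNTER_RE.findall(text)
    }
    return {"flows": flows, **counters}


def one_way(session):
    """True when exactly one direction of the SA has carried packets."""
    decrypted = session["inbound"][0]
    encrypted = session["outbound"][0]
    return (decrypted > 0) != (encrypted > 0)


def direction_report(hub, spoke):
    """Pair what one peer encrypts with what the other decrypts, per direction.
    A healthy tunnel shows matching, non-zero numbers in both tuples."""
    return {
        "spoke_to_hub": (spoke["outbound"][0], hub["inbound"][0]),
        "hub_to_spoke": (hub["outbound"][0], spoke["inbound"][0]),
    }


def routes_bypassing_tunnel(config, session):
    """Static routes whose destination lies inside a protected remote subnet
    but whose next hop is an IP address instead of a tunnel/virtual interface.
    The flow's second network is the remote side as seen from this router."""
    findings = []
    for dest, mask, nexthop in ROUTE_RE.findall(config):
        if TUNNEL_IF_RE.match(nexthop):
            continue  # already steered into the tunnel
        dest_net = ipaddress.ip_network(f"{dest}/{mask}")
        for _local, remote in session["flows"]:
            if dest_net.subnet_of(remote):
                findings.append((str(dest_net), nexthop, str(remote)))
    return findings


if __name__ == "__main__":
    hub, spoke = parse_session(HUB_SESSION), parse_session(SPOKE_SESSION)
    print("hub one-way:", one_way(hub), "| spoke one-way:", one_way(spoke))
    print("(encrypted, decrypted) per direction:", direction_report(hub, spoke))
    for dest, nexthop, remote in routes_bypassing_tunnel(HUB_CONFIG, hub):
        print(f"route {dest} via {nexthop} bypasses the tunnel for flow {remote}")
```

The direction report is the useful part when reading counters from two boxes at once: spoke_to_hub comes out as (10, 10), so everything the spoke encrypts is decrypted by the hub, while hub_to_spoke is (0, 0), isolating the fault to the hub's outbound path before any config is inspected.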