DMVPN + Cisco VPN Client = trouble?

leonvd79
Level 4

For a while three routers were connected through DMVPN hub-and-spoke tunnels.

On the central router split horizon was disabled to distribute routing information across the tunnels to the remote sites, which, like the central site, are running EIGRP.

The central router is used as a Cisco VPN Client server. Last Wednesday I configured both spoke routers to accept client VPN connections. Since last Sunday the tunnels have stopped transporting traffic. When viewing the EIGRP neighbor table I see that the neighboring router has stopped responding. I am unable to ping the other end of the tunnel from hub to spoke and vice versa.

I guess it's the changes I made on Wednesday, but what prevents traffic from entering the tunnel?

Router#sh ip nhrp detail
192.168.0.1/32 via 192.168.0.1, Tunnel0 created 00:23:22, never expire
   Type: static, Flags: authoritative
   NBMA address: 66.55.44.1

Router#sh int tu0
Tunnel0 is up, line protocol is up
  Hardware is Tunnel
  Description: spoke-to-hub
  Internet address is 192.168.0.2/24
  MTU 1514 bytes, BW 8000 Kbit, DLY 500000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 88.77.66.1 (Serial0/0/1), destination 66.55.44.1
  Tunnel protocol/transport GRE/IP, key 0x8000, sequencing disabled
  Tunnel TTL 255
  Checksumming of packets disabled, fast tunneling enabled
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Tunnel protection via IPSec (profile "SDM_Profile1")
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 346
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out

<Configuration snippet>

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp policy 20
 hash md5
 authentication pre-share
crypto isakmp key TunnelSecret address 66.x.x.1
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 30 5
crypto isakmp xauth timeout 10
crypto isakmp client configuration group Cisco
 key CiscoVPNClient
 dns 172.16.0.1
 wins 172.16.0.1
 domain network.local
 pool SDM_POOL_1
 acl ClientVPNRoute
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto ipsec profile SDM_Profile1
 set transform-set 3DES-SHA
 set pfs group2
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set 3DES-SHA
 reverse-route
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
interface Tunnel0
 description spoke-to-hub
 bandwidth 8000
 ip address 192.168.0.2 255.255.255.0
 ip mtu 1500
 ip nhrp authentication DMVPN
 ip nhrp map 192.168.192.1 66.55.44.1
 ip nhrp map multicast 66.55.44.1
 ip nhrp network-id 1
 ip nhrp nhs 192.168.0.1
 tunnel source Serial0/0/1
 tunnel destination 66.55.44.1
 tunnel key xxx
 tunnel protection ipsec profile SDM_Profile1
ip local pool SDM_POOL_1 172.16.0.128 172.16.0.191
ip access-list extended ClientVPNRoute
 permit ip 172.16.0.0 0.0.0.255 any
 permit ip 192.168.1.0 0.0.0.255 any

Any help would be appreciated.

TIA

1 Reply

smahbub
Level 6

If you have enabled XAUTH for the VPN clients and the site-to-site IPSec tunnel is also on that interface, then the site-to-site tunnel will try to have XAUTH and will fail. You need to disable XAUTH for the site-to-site tunnel.
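The conflict smahbub describes can be caught from the running config before it takes the DMVPN tunnel down. The following is an added example, not code from the thread: a small Python checker that flags a static pre-shared-key peer (here the DMVPN hub) when a crypto map on the same router enables XAUTH with `client authentication list`, that map is applied to an interface, and the peer's `crypto isakmp key ... address` line lacks the `no-xauth` keyword, which is the IOS way to exempt a static peer from XAUTH. The sample config is constructed from the sanitized values in the post; the check only covers the crypto-map style shown here and does not handle ISAKMP profiles.

```python
import re
from typing import List

# Constructed sample (sanitized values from the post): the spoke's crypto
# config with XAUTH enabled on the crypto map, and that map applied to the
# same interface that carries the static IPsec peer for the DMVPN hub.
SPOKE_CONFIG = """\
crypto isakmp key TunnelSecret address 66.55.44.1
crypto isakmp xauth timeout 10
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
interface Serial0/0/1
 crypto map SDM_CMAP_1
"""

# 'crypto isakmp key [0|6] <key> address <peer> [mask] [no-xauth]'
KEY_RE = re.compile(r"^crypto isakmp key (?:[06] )?(\S+) address (\S+)(.*)$")
XAUTH_RE = re.compile(r"^crypto map (\S+) client authentication list \S+")
APPLY_RE = re.compile(r"^crypto map (\S+)$")  # interface-level application


def find_xauth_conflicts(config: str) -> List[str]:
    """Return static ISAKMP peers that would be prompted for XAUTH: some
    applied crypto map enables XAUTH and the peer's key line has no
    'no-xauth' exemption."""
    xauth_maps, applied_maps, peers = set(), set(), []
    for raw in config.splitlines():
        line = raw.strip()
        if m := XAUTH_RE.match(line):
            xauth_maps.add(m.group(1))
        elif m := APPLY_RE.match(line):
            applied_maps.add(m.group(1))
        elif m := KEY_RE.match(line):
            peers.append((m.group(2), "no-xauth" in m.group(3).split()))
    if not (xauth_maps & applied_maps):
        return []  # XAUTH is not active on any interface
    return [peer for peer, exempt in peers if not exempt]


def exempt_peer(config: str, peer: str) -> str:
    """Return the config with 'no-xauth' appended to the peer's key line."""
    out = []
    for raw in config.splitlines():
        m = KEY_RE.match(raw.strip())
        if m and m.group(2) == peer and "no-xauth" not in m.group(3).split():
            raw = raw.rstrip() + " no-xauth"
        out.append(raw)
    return "\n".join(out) + "\n"
```

Running `find_xauth_conflicts(SPOKE_CONFIG)` reports the hub peer 66.55.44.1; after `exempt_peer` the same check returns nothing.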
