dmvpn configuration on 2800 series

mwertejuk
Level 1

Hello,

I'm trying to connect several 871 routers to a 2821 router. The first 871 gets connected fine, but the next one doesn't. It seems like a configuration issue, but I don't have a clue where to look.

show crypto session on the 2821:

Crypto session current status

Interface: Tunnel0

Session status: UP-ACTIVE

Peer: --client1ip-- port 500

IKE SA: local --dmvpnhubip--/500 remote --client1ip--/500 Active

IPSEC FLOW: permit 47 host --dmvpnhubip-- host --client1ip--

Active SAs: 2, origin: crypto map

Interface: GigabitEthernet0/0

Session status: DOWN-NEGOTIATING

Peer: --client2ip-- port 500

IKE SA: local --dmvpnhubip--/500 remote --client2ip--/500 Inactive

IKE SA: local --dmvpnhubip--/500 remote --client2ip--/500 Inactive

I think the problem is the interface of the second session: it's gi0/0 instead of tunnel0. What am I doing wrong, or what other information do you need to help me?

Do I have to create a tunnel interface for every 871 which should connect to the 2821? I've heard something about using templates for automatic tunnel interface creation but don't know if it is what I need here.

Thank you

2 Replies

mwertejuk
Level 1

OK, I got client2 running; I forgot to set no-xauth on the hub for client2. But client3 is still not working. It seems as if the provider of client3 is filtering some traffic. Any ideas what I should try to debug?

Try to connect client3, then have a look at sh crypto isakmp sa and show crypto ipsec sa. If the isakmp is at QM_IDLE then your phase 1 key exchange is ok. You should be able to see packets on the ipsec tunnel as well.

If you still think the ISP is blocking your crypto traffic, try a debug ip packet using an ACL to trap just the packets you're interested in. Note this can be CPU intensive. Also, you will need to switch off CEF and fast switching, otherwise your debug may not see the traffic anyway.
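
With several spokes on one hub, the `show crypto session` output quoted in the question can be triaged by script to see which peers are stuck and at which phase. The following is an added example, not part of the original thread: the sample text and addresses are constructed, and `parse_sessions`, `triage` and the hint strings are this example's own names and heuristics.

```python
import re

# Constructed sample (format of the `show crypto session` output in the question; placeholder addresses).
SAMPLE = """\
Crypto session current status
Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 198.51.100.11 port 500
  IKE SA: local 192.0.2.1/500 remote 198.51.100.11/500 Active
  IPSEC FLOW: permit 47 host 192.0.2.1 host 198.51.100.11
        Active SAs: 2, origin: crypto map
Interface: GigabitEthernet0/0
Session status: DOWN-NEGOTIATING
Peer: 198.51.100.12 port 500
  IKE SA: local 192.0.2.1/500 remote 198.51.100.12/500 Inactive
  IKE SA: local 192.0.2.1/500 remote 198.51.100.12/500 Inactive
"""

def parse_sessions(text):
    """Return one dict per 'Interface:' block of the output."""
    sessions, cur = [], None
    for line in map(str.strip, text.splitlines()):
        key, _, val = (part.strip() for part in line.partition(":"))
        if key == "Interface":
            cur = {"interface": val, "status": None, "peer": None, "ike": [], "active_sas": 0}
            sessions.append(cur)
        elif cur is None:
            continue  # banner lines before the first session
        elif key == "Session status":
            cur["status"] = val
        elif key == "Peer":
            cur["peer"] = val.split()[0]
        elif key == "IKE SA":
            cur["ike"].append(val.split()[-1])  # trailing Active / Inactive
        else:  # "Active SAs: N" may sit on its own line or after the flow
            m = re.search(r"Active SAs:\s*(\d+)", line)
            cur["active_sas"] += int(m.group(1)) if m else 0
    return sessions

def triage(sessions):
    """List (peer, interface, status, hint) for unhealthy sessions; hints are heuristics."""
    findings = []
    for s in sessions:
        if s["status"] == "UP-ACTIVE" and s["active_sas"] > 0:
            continue
        hint = ("phase 1: no active IKE SA" if "Active" not in s["ike"]
                else "phase 2: IKE SA active, IPsec SAs missing or session down")
        findings.append((s["peer"], s["interface"], s["status"], hint))
    return findings
```

Calling `triage(parse_sessions(SAMPLE))` reports only the second peer, with the phase 1 hint, which is the point at which the `show crypto isakmp sa` check from the reply applies.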