Cisco Support Community
DMVPN help needed

Hello guys,

I would really appreciate it if someone could take a look at these configs and see if I made any errors. The HUB router was configured by someone else and it is working; I know this because there are other sites already connected to it that work. It seems to me that ISAKMP has established but IPsec has not. I'm a total newbie at configuring DMVPNs.

I have changed the public addresses in these configs just to be "anonymous", so the HUB router has 10.10.10.10 as its public IP and the spoke router has 20.20.20.20. The already-working spoke I have changed to 30.30.30.30.

Here is some output from the commands I ran to check connectivity and tunnel status.

###SPOKE ROUTER COMMANDS###

Spoke#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel0, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1     10.10.10.10   192.168.253.1 IPSEC 01:07:52     S

##Show crypto isakmp sa##

Spoke#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.10.10.10     20.20.20.20     QM_IDLE           2004 ACTIVE

IPv6 Crypto ISAKMP SA

##Show crypto ipsec sa##

Spoke#show crypto ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 20.20.20.20

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (20.20.20.20/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.10.10.10/255.255.255.255/47/0)
   current_peer 10.10.10.10 port 500
     PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1029, #recv errors 0

     local crypto endpt.: 20.20.20.20, remote crypto endpt.: 10.10.10.10
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

###HUB ROUTER COMMANDS###

##This shows a working tunnel to another site##

HUB#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel10, IPv4 NHRP Details
Type:Hub, NHRP Peers:1,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1     172.16.4.10   192.168.253.3    UP     5w5d     D

##Show crypto isakmp sa##

HUB#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.10.10.10     30.30.30.30     QM_IDLE           4223 ACTIVE
10.10.10.10     20.20.20.20     QM_IDLE           4224 ACTIVE

IPv6 Crypto ISAKMP SA

##Show crypto ipsec sa##

HUB#show crypto ipsec sa

interface: Tunnel10
    Crypto map tag: Tunnel10-head-0, local addr 10.10.10.10

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.10.10.10/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (172.16.4.10/255.255.255.255/47/0)
   current_peer 30.30.30.30 port 4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 783219, #pkts encrypt: 783219, #pkts digest: 783219
    #pkts decaps: 783023, #pkts decrypt: 783023, #pkts verify: 783023
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.10.10.10, remote crypto endpt.: 30.30.30.30
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0xA383C251(2743321169)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x4D743FC8(1299464136)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2053, flow_id: Onboard VPN:53, sibling_flags 80000046, crypto map: Tunnel10-head-0
        sa timing: remaining key lifetime (k/sec): (4604026/633)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xA383C251(2743321169)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2054, flow_id: Onboard VPN:54, sibling_flags 80000046, crypto map: Tunnel10-head-0
        sa timing: remaining key lifetime (k/sec): (4604125/633)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

###HUB ROUTER CONF###

Current configuration : 2714 bytes
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname HUB
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
no ipv6 cef
ip source-route
ip cef
!
ip domain name company.com
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
license boot module c1900 technology-package securityk9
!
redundancy
!
crypto keyring TRNSS-KEYRING
  pre-shared-key address 0.0.0.0 0.0.0.0 key Cisco123
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp profile TRNSS-DMVPN-ISAKMP
   keyring TRNSS-KEYRING
   match identity address 0.0.0.0
   keepalive 15 retry 10
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile TRNSS-DMVPN-IPSEC
 set transform-set ESP-3DES-SHA
 set isakmp-profile TRNSS-DMVPN-ISAKMP
!
interface Tunnel0
 no ip address
!
interface Tunnel10
 description SIMSERVICE mGRE
 bandwidth 1000
 ip address 192.168.253.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip hold-time eigrp 10 35
 ip nhrp authentication Cisco123
 ip nhrp map multicast dynamic
 ip nhrp network-id 101
 ip nhrp holdtime 360
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 101
 tunnel protection ipsec profile TRNSS-DMVPN-IPSEC
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 ip address 10.10.10.10 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address 192.168.65.5 255.255.255.240
 duplex auto
 speed auto
!
router eigrp 10
 network 192.168.65.0 0.0.0.15
 network 192.168.253.0
 redistribute ospf 10 metric 10000 10 40 10 1400
!
router ospf 10
 redistribute eigrp 10 subnets
 network 192.168.65.0 0.0.0.15 area 5
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 10.10.10.10
!
access-list 20 permit 10.100.0.45
!
snmp-server community publickO314plyA RO 20
!
control-plane
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 exec-timeout 0 0
 login local
 transport input ssh
line vty 5 15
 login
 transport input ssh
!
scheduler allocate 20000 1000
end

###SPOKE ROUTER CONF###

Current configuration : 2555 bytes
!
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Spoke1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
memory-size iomem 10
crypto pki token default removal timeout 0
!
ip source-route
!
ip cef
no ip domain lookup
ip domain name company.com
no ipv6 cef
!
multilink bundle-name authenticated
!
ip ssh version 2
!
crypto keyring SIMSERVICE
  pre-shared-key address 10.10.10.10 key Cisco123
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp profile SIMSERVICE-DMVPN-ISAKMP
   keyring SIMSERVICE
   match identity address 0.0.0.0
   keepalive 15 retry 10
!
crypto ipsec transform-set SIMSERVICE-TRANSFORM-SET esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile SIMSERVICE-DMVPN-IPSEC
 set transform-set SIMSERVICE-TRANSFORM-SET
 set isakmp-profile SIMSERVICE-DMVPN-ISAKMP
!
interface Tunnel0
 bandwidth 1000
 ip address 192.168.253.6 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip hold-time eigrp 10 35
 no ip next-hop-self eigrp 10
 ip nhrp authentication Cisco123
 ip nhrp map 192.168.253.1 10.10.10.10
 ip nhrp map multicast 10.10.10.10
 ip nhrp network-id 101
 ip nhrp holdtime 360
 ip nhrp nhs 192.168.253.1
 ip tcp adjust-mss 1360
 no ip split-horizon eigrp 10
 tunnel source FastEthernet4
 tunnel mode gre multipoint
 tunnel key 101
 tunnel protection ipsec profile SIMSERVICE-DMVPN-IPSEC
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
 shutdown
!
interface FastEthernet2
 no ip address
 shutdown
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 description internet
 ip address 20.20.20.20 255.255.255.252
 duplex auto
 speed auto
!
interface Vlan1
 ip address 172.30.9.1 255.255.0.0
!
router eigrp 10
 network 172.30.0.0
 network 192.168.253.0
 eigrp stub connected
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 20.20.20.20
ip route 192.168.253.0 255.255.255.0 Tunnel0
!
control-plane
!
line con 0
 login local
line aux 0
 login local
line vty 0 4
 exec-timeout 0 0
 login local
 transport input ssh
!
end

2 REPLIES

Re: DMVPN help needed

The spoke router has mode transport defined in the transform-set and the hub router doesn't.

Sent from Cisco Technical Support iPad App
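As an added example (not code from the original post, from the responder, or from Cisco), here is a small Python triage script that reads the kind of text pasted above and reproduces the reasoning in the reply. An IOS transform-set with no `mode` line is in tunnel mode, so the hub's ESP-3DES-SHA was tunnel mode while the spoke's set was transport; the two sides therefore never agree a quick-mode proposal, which is exactly the signature in the spoke's `show crypto ipsec sa` (ISAKMP QM_IDLE/ACTIVE, but zero ESP SAs, `current outbound spi: 0x0`, flag `ipsec_sa_request_sent`, and send errors climbing). The script parses the transform-set blocks of both running-configs, parses the two `show` outputs, and also lists settings in the posted hub config that a reviewer would flag regardless of the outage (3DES, DH group 2, wildcard pre-shared key). The sample strings inside are constructed, trimmed copies of the thread's output; `HUB_CONFIG_FIXED` is an assumed alternative fix that adds `mode transport` on the hub rather than removing it on the spoke, since transport mode at both ends is what Cisco's DMVPN guidance recommends (it saves the extra IP header per packet).

```python
"""DMVPN phase-1 / phase-2 triage over pasted IOS text. Added example for this
thread, not code from the post or from Cisco; inputs are running-config text
from both routers plus the spoke's 'show crypto isakmp sa' and 'show crypto
ipsec sa'. The sample strings are constructed, trimmed copies of the question."""
import re

# Hub transform-set has no 'mode' line (IOS default: tunnel); spoke says transport.
HUB_CONFIG = """\
crypto keyring TRNSS-KEYRING
  pre-shared-key address 0.0.0.0 0.0.0.0 key Cisco123
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile TRNSS-DMVPN-IPSEC
 set transform-set ESP-3DES-SHA
"""
SPOKE_CONFIG = """\
crypto ipsec transform-set SIMSERVICE-TRANSFORM-SET esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile SIMSERVICE-DMVPN-IPSEC
 set transform-set SIMSERVICE-TRANSFORM-SET
"""
# Assumed alternative fix: make the hub match the spoke instead of the reverse.
HUB_CONFIG_FIXED = HUB_CONFIG.replace("esp-sha-hmac\n", "esp-sha-hmac\n mode transport\n", 1)

ISAKMP_OUT = """\
dst             src             state          conn-id status
10.10.10.10  20.20.20.20  QM_IDLE           2004 ACTIVE
"""
IPSEC_OUT = """\
     PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #send errors 1029, #recv errors 0
     current outbound spi: 0x0(0)
     inbound esp sas:
     outbound esp sas:
"""


def parse_transform_sets(config):
    """name -> {'transforms': [...], 'mode': 'tunnel'|'transport'}.
    A 'mode' line belongs to the most recent set; no line means tunnel."""
    sets, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"crypto ipsec transform-set (\S+)\s+(.*)", line)
        if m:
            current = m.group(1)
            sets[current] = {"transforms": m.group(2).split(), "mode": "tunnel"}
        elif current and line.startswith("mode "):
            sets[current]["mode"] = line.split()[1]
        elif line.startswith("crypto") or line == "!":
            current = None
    return sets


def bound_set(config):
    """Transform-set named by 'set transform-set' in the ipsec profile."""
    m = re.search(r"set transform-set (\S+)", config)
    return m.group(1) if m else None


def parse_isakmp_sa(output):
    """(dst, src, state, status) rows from 'show crypto isakmp sa'."""
    return re.findall(r"^(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})\s+(\S+)\s+\d+\s+(\S+)",
                      output, re.M)


def parse_ipsec_sa(output):
    """Fields that separate 'phase 2 never built' from a traffic problem."""
    flags = re.search(r"flags=\{([^}]*)\}", output)
    spi = re.search(r"current outbound spi: (0x[0-9A-Fa-f]+)", output)
    errs = re.search(r"#send errors (\d+)", output)
    return {"flags": [f for f in flags.group(1).split(",") if f] if flags else [],
            "outbound_spi": int(spi.group(1), 16) if spi else 0,
            "send_errors": int(errs.group(1)) if errs else 0,
            "esp_sa_count": len(re.findall(r"^\s*spi: 0x", output, re.M))}


def diagnose(hub_cfg, spoke_cfg, isakmp_out, ipsec_out):
    """Findings as strings; an empty list means nothing obviously wrong."""
    findings = []
    phase1_up = any(st == "QM_IDLE" and ok == "ACTIVE"
                    for _, _, st, ok in parse_isakmp_sa(isakmp_out))
    sa = parse_ipsec_sa(ipsec_out)
    if phase1_up and (sa["esp_sa_count"] == 0 or sa["outbound_spi"] == 0):
        findings.append("IKE phase 1 up but no IPsec SA (send errors=%d, flags=%s): "
                        "quick-mode proposal mismatch" % (sa["send_errors"], ",".join(sa["flags"])))
    hub = parse_transform_sets(hub_cfg)[bound_set(hub_cfg)]
    spoke = parse_transform_sets(spoke_cfg)[bound_set(spoke_cfg)]
    if hub["mode"] != spoke["mode"]:
        findings.append("transform-set mode mismatch: hub=%s spoke=%s" % (hub["mode"], spoke["mode"]))
    if hub["transforms"] != spoke["transforms"]:
        findings.append("transform-set algorithm mismatch: hub=%s spoke=%s"
                        % (hub["transforms"], spoke["transforms"]))
    return findings


def weak_settings(config):
    """Settings in the posted config a reviewer would flag, outage aside."""
    checks = [(r"\bencr 3des\b|\besp-3des\b", "3DES cipher"),
              (r"^\s*group 2\s*$", "DH group 2 (1024-bit MODP)"),
              (r"pre-shared-key address 0\.0\.0\.0 0\.0\.0\.0", "wildcard pre-shared key")]
    return [label for pat, label in checks if re.search(pat, config, re.M)]


if __name__ == "__main__":
    for f in diagnose(HUB_CONFIG, SPOKE_CONFIG, ISAKMP_OUT, IPSEC_OUT):
        print("FINDING:", f)
    print("after fix:", diagnose(HUB_CONFIG_FIXED, SPOKE_CONFIG, ISAKMP_OUT, IPSEC_OUT))
    print("weak settings on hub:", weak_settings(HUB_CONFIG))
```

Run it as `python3 dmvpn_triage.py`; `diagnose()` returns its findings as strings so the same function can be pointed at real `show` output. Whichever side you change, both ends must agree: the transform-set mode is negotiated in quick mode, and a mismatch leaves phase 1 up with no phase 2 SA, which is the state shown in the question. The wildcard PSK with `match identity address 0.0.0.0` on the hub means any host that learns `Cisco123` can bring up phase 1 against it, so the keyring and the NHRP authentication string deserve the same care as the tunnel itself.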


Re: DMVPN help needed

Thank you for the reply. I removed the transport mode and the tunnel went straight up. So really big thanks to you, Jeff!

/Tuomo
