DMVPN. Spoke to Spoke

Dmitri Popkov
Level 1

Hi all. We have a DMVPN Phase 2 topology secured with IPsec. The problem is that the spokes do not communicate with each other; all traffic goes through the Hub instead. I think the problem is in establishing the initial IKE session (Phase 1). I cannot work out the cause. Can you help, please?


Config - Hub-MAIN

crypto keyring DMVPN
pre-shared-key address 0.0.0.0 0.0.0.0 key !QAZ1qaz

crypto isakmp policy 5
encr aes 256
authentication pre-share
group 2

crypto isakmp profile DMVPN
keyring DMVPN
match identity address 0.0.0.0

crypto ipsec transform-set DMVPN esp-aes esp-sha-hmac
mode transport

crypto ipsec profile DMVPN
set transform-set DMVPN
set isakmp-profile DMVPN

interface Tunnel10
description HUB
bandwidth 1000000
ip address 172.16.10.1 255.255.255.0
no ip redirects
ip mtu 1400
no ip next-hop-self eigrp 1
no ip split-horizon eigrp 1
ip nhrp authentication 12345
ip nhrp map multicast dynamic
ip nhrp network-id 10
delay 1000
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 10
tunnel protection ipsec profile DMVPN shared

interface FastEthernet0/0
ip address 20.20.20.1 255.255.255.0

interface FastEthernet0/1
ip address 10.0.0.1 255.255.255.0
ip ospf priority 50
ip ospf 1 area 0
duplex auto
speed auto

router eigrp 1
no auto-summary
network 10.0.0.0 0.0.0.255
network 172.16.10.0 0.0.0.255

Config - Hub-BACK

crypto keyring DMVPN
pre-shared-key address 0.0.0.0 0.0.0.0 key !QAZ1qaz

crypto isakmp policy 5
encr aes 256
authentication pre-share
group 2

crypto isakmp profile DMVPN
keyring DMVPN
match identity address 0.0.0.0

crypto ipsec transform-set DMVPN esp-aes esp-sha-hmac
mode transport

crypto ipsec profile DMVPN
set transform-set DMVPN
set isakmp-profile DMVPN

interface Tunnel10
description HUB
bandwidth 1000000
ip address 172.16.20.1 255.255.255.0
no ip redirects
ip mtu 1400
no ip next-hop-self eigrp 1
no ip split-horizon eigrp 1
ip nhrp authentication 12345
ip nhrp map multicast dynamic
ip nhrp network-id 20
delay 10000
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 20
tunnel protection ipsec profile DMVPN shared

interface FastEthernet0/0
ip address 30.30.30.1 255.255.255.0

interface FastEthernet0/1
ip address 10.20.0.1 255.255.255.0
ip ospf priority 50
ip ospf 1 area 0
duplex auto
speed auto

router eigrp 1
no auto-summary
network 10.20.0.0 0.0.0.255
network 172.16.20.0 0.0.0.255


Config - Spoke1

crypto keyring DMVPN
pre-shared-key address 0.0.0.0 0.0.0.0 key !QAZ1qaz

crypto isakmp policy 5
encr aes 256
authentication pre-share
group 2

crypto isakmp profile DMVPN
keyring DMVPN
match identity address 0.0.0.0

crypto ipsec transform-set DMVPN esp-aes esp-sha-hmac
mode transport

interface Tunnel10
description SPOKE1-MAIN
bandwidth 1000000
ip address 172.16.10.100 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication 12345
ip nhrp map multicast 20.20.20.1
ip nhrp map 172.16.10.1 20.20.20.1
ip nhrp nhs 172.16.10.1
ip nhrp network-id 10
delay 1000
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 10
tunnel protection ipsec profile DMVPN shared

interface Tunnel11
description SPOKE1-BACK
bandwidth 1000000
ip address 172.16.20.100 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp map multicast 30.30.30.1
ip nhrp map 172.16.20.1 30.30.30.1
ip nhrp nhs 172.16.20.1
ip nhrp network-id 20
delay 10000
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 20
tunnel protection ipsec profile DMVPN shared

interface FastEthernet0/1
ip address 10.0.1.1 255.255.255.0
ip ospf priority 50
ip ospf 1 area 0
duplex auto
speed auto

router eigrp 1
no auto-summary
network 10.0.1.0 0.0.0.255
network 172.16.10.0 0.0.0.255
network 172.16.20.0 0.0.0.255

Config - Spoke2

crypto keyring DMVPN
pre-shared-key address 0.0.0.0 0.0.0.0 key !QAZ1qaz

crypto isakmp policy 5
encr aes 256
authentication pre-share
group 2

crypto isakmp profile DMVPN
keyring DMVPN
match identity address 0.0.0.0

crypto ipsec transform-set DMVPN esp-aes esp-sha-hmac
mode transport

interface Tunnel10
description SPOKE1-MAIN
bandwidth 1000000
ip address 172.16.10.200 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication 12345
ip nhrp map multicast 20.20.20.1
ip nhrp map 172.16.10.1 20.20.20.1
ip nhrp nhs 172.16.10.1
ip nhrp network-id 10
delay 1000
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 10
tunnel protection ipsec profile DMVPN shared

interface Tunnel11
description SPOKE1-BACK
bandwidth 1000000
ip address 172.16.20.200 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp map multicast 30.30.30.1
ip nhrp map 172.16.20.1 30.30.30.1
ip nhrp nhs 172.16.20.1
ip nhrp network-id 20
delay 10000
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 20
tunnel protection ipsec profile DMVPN shared

interface FastEthernet0/1
ip address 10.0.2.1 255.255.255.0
ip ospf priority 50
ip ospf 1 area 0
duplex auto
speed auto

router eigrp 1
no auto-summary
network 10.0.2.0 0.0.0.255
network 172.16.10.0 0.0.0.255
network 172.16.20.0 0.0.0.255

Spokes see each other

ISAKMP stops at this step:

1.2.3.4 10.11.12.13 CONF_XAUTH 1005 ACTIVE
1.2.3.4 10.11.12.13 MM_NO_STATE 1004 ACTIVE (deleted)

Here is the debug:

May 12 05:24:18.576: ISAKMP:(0):Proposed key length does not match policy
May 12 05:24:18.576: ISAKMP:(0):atts are not acceptable. Next payload is 3
May 12 05:24:18.576: ISAKMP:(0):Encryption algorithm offered does not match policy!
May 12 05:24:18.576: ISAKMP:(0):atts are not acceptable. Next payload is 3

May 12 05:24:33.936: ISAKMP:(1006):deleting SA reason "IKMP_ERR_NO_RETRANS" state (R) CONF_XAUTH (peer 10.11.12.13 )
May 12 05:24:33.940: ISAKMP:(1006):deleting SA reason "IKMP_ERR_NO_RETRANS" state (R) CONF_XAUTH (peer 1 10.11.12.13 )
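
As an added example (not the poster's configuration or any Cisco tooling), the script below cross-checks flattened IOS configs like the ones pasted above, cloud by cloud: it groups `interface Tunnel` blocks by `tunnel key`, then compares every spoke tunnel against the hub tunnel of the same cloud on NHRP authentication, network-id, IPsec profile and NHS address. It does not look at IKE at all. Run against the four posted configs it reports one thing: Hub-BACK's Tunnel10 carries `ip nhrp authentication 12345` while Tunnel11 on both spokes has no `ip nhrp authentication` line, so NHRP packets on the BACK cloud carry mismatched authentication. Whether that is connected to the IKE failure is not something the thread establishes. The device names, the hub set passed in, and the sample configs (trimmed to the fields the checker reads and rebuilt from templates, since the two hubs differ only in subnet/id/key and the two spokes only in host address) are constructed for the example.

```python
"""Cross-check DMVPN hub and spoke IOS configs, cloud by cloud.
Added example for this thread, not tooling from the original poster. Reads
flattened IOS config text (no indentation needed, as pasted in forum posts)
and lists spoke tunnel settings that disagree with the hub of the same cloud."""
from collections import defaultdict

TOP_LEVEL = ("interface ", "crypto ", "router ")  # commands that open a block
# sub-command prefix -> parameter name; the token after the prefix is the value
FIELDS = {
    ("ip", "nhrp", "authentication"): "nhrp_auth",
    ("ip", "nhrp", "network-id"): "network_id",
    ("tunnel", "key"): "tunnel_key",
    ("tunnel", "protection", "ipsec", "profile"): "ipsec_profile",
}

def parse_config(text):
    """Return {block_header: [sub-commands]} for a flattened IOS config."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith(TOP_LEVEL):
            current = line
            blocks.setdefault(current, [])
        elif current is not None:
            blocks[current].append(line)
    return blocks

def tunnel_params(sub):
    """Pick the DMVPN-relevant settings out of one 'interface Tunnel' block."""
    p = {name: None for name in FIELDS.values()}
    p.update(ip=None, nhs=[])
    for cmd in sub:
        w = cmd.split()
        for prefix, name in FIELDS.items():
            if tuple(w[:len(prefix)]) == prefix and len(w) > len(prefix):
                p[name] = w[len(prefix)]
        if w[:3] == ["ip", "nhrp", "nhs"]:
            p["nhs"].append(w[3])
        elif w[:1] == ["ip"] and w[1:2] in (["address"], ["add"]):
            p["ip"] = w[2]
    return p

def check_dmvpn(devices, hubs):
    """devices: {name: config_text}; hubs: names of the devices acting as NHS.
    Returns human-readable findings; an empty list means spokes match hubs."""
    tunnels = {}
    for dev, cfg in devices.items():
        for hdr, sub in parse_config(cfg).items():
            if hdr.startswith("interface Tunnel"):
                tunnels[(dev, hdr.split()[1])] = tunnel_params(sub)
    # mGRE tunnels sharing one source are told apart by 'tunnel key', so the
    # key is the natural identifier of a DMVPN cloud in these configs.
    clouds = defaultdict(list)
    for ident, p in tunnels.items():
        clouds[p["tunnel_key"]].append(ident)
    findings = []
    for key, members in sorted(clouds.items()):
        hub_ids = [m for m in members if m[0] in hubs]
        if len(hub_ids) != 1:
            findings.append(f"tunnel key {key}: expected one hub tunnel, found {hub_ids}")
            continue
        hub, h = hub_ids[0], tunnels[hub_ids[0]]
        for dev, ifn in members:
            if dev in hubs:
                continue
            s = tunnels[(dev, ifn)]
            for f in ("nhrp_auth", "network_id", "ipsec_profile"):
                if s[f] != h[f]:
                    findings.append(f"{dev} {ifn}: {f}={s[f]!r} but {hub[0]} {hub[1]} has {h[f]!r}")
            if h["ip"] not in s["nhs"]:
                findings.append(f"{dev} {ifn}: nhs {s['nhs']} lacks hub address {h['ip']}")
    return findings

# Sample input (constructed): the tunnel blocks of the four posted configs,
# trimmed to the fields the checker reads and rebuilt from two templates.
def hub_cfg(n):
    return f"""interface Tunnel10
ip address 172.16.{n}.1 255.255.255.0
ip nhrp authentication 12345
ip nhrp network-id {n}
tunnel key {n}
tunnel protection ipsec profile DMVPN shared"""

def spoke_cfg(host):
    return f"""interface Tunnel10
ip address 172.16.10.{host} 255.255.255.0
ip nhrp authentication 12345
ip nhrp nhs 172.16.10.1
ip nhrp network-id 10
tunnel key 10
tunnel protection ipsec profile DMVPN shared
interface Tunnel11
ip address 172.16.20.{host} 255.255.255.0
ip nhrp nhs 172.16.20.1
ip nhrp network-id 20
tunnel key 20
tunnel protection ipsec profile DMVPN shared"""

if __name__ == "__main__":
    devs = {"Hub-MAIN": hub_cfg(10), "Hub-BACK": hub_cfg(20),
            "Spoke1": spoke_cfg(100), "Spoke2": spoke_cfg(200)}
    print("\n".join(check_dmvpn(devs, hubs={"Hub-MAIN", "Hub-BACK"})) or "consistent")
```

Feed it the real running configs by passing the full `show running-config` text per device in the `devices` dict; the parser only needs the `interface Tunnel` blocks and ignores the rest. Adding `ip nhrp authentication 12345` under Tunnel11 on both spokes in the sample makes the finding list empty.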

1 Reply

Dmitri Popkov
Level 1

Can anyone help?