I have a problem with the following topology (just focus on R12 and ASR1K, SPOKE and HUB)
R12 (spoke) has two tricks:
1) Dynamic IP on the WAN interface (towards the HUB), assigned by an Internet Service Provider
2) Port forwarding is needed on UDP ports 500 and 4500, because some remote sites behind it (e.g. R10) could connect via IPSec
Since the objective is to manage the R12 site via IPSec (from the HUB, ASR1k), what I want is to reach from CDG a "management" loopback configured on R12, and I want this traffic to be encrypted (IPSec). To do this (while keeping the port forwarding working on R12), an mGRE tunnel is built between ASR1k and R12 using public loopbacks. Hence, on ASR1k another loopback (within a customer VRF) is used for the IPSec part.
crypto isakmp profile DMVPN
 keyring KEY
 match identity address 0.0.0.0
!
crypto ipsec transform-set transformada esp-3des esp-md5-hmac
!
crypto map mymap 10 ipsec-isakmp
 set peer 188.8.131.52
 set transform-set transformada
 set isakmp-profile DMVPN
 match address 100
!
interface Loopback100
 description loopback GRE
 ip address 10.10.10.2 255.255.255.255
!
interface Loopback200
 description Loopback IPSec
 ip address 184.108.40.206 255.255.255.255
 crypto map mymap
!
interface Loopback800
 ip address 220.127.116.11 255.255.255.255
!
interface Tunnel1
 ip address 192.168.1.2 255.255.255.0
 no ip redirects
 ip mtu 1440
 ip nhrp authentication cisco
 ip nhrp map multicast dynamic
 ip nhrp map 192.168.1.1 10.10.10.1
 ip nhrp map multicast 10.10.10.1
 ip nhrp network-id 1
 ip nhrp holdtime 300
 ip nhrp nhs 192.168.1.1
 no ip split-horizon eigrp 10
 tunnel source Loopback100
 tunnel mode gre multipoint
 tunnel key 1
!
interface FastEthernet1/0
 ip address 172.16.30.1 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet2/0
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
router bgp 65000
 bgp log-neighbor-changes
 neighbor 18.104.22.168 remote-as 1234
 neighbor 22.214.171.124 ebgp-multihop 3
 !
 address-family ipv4
  redistribute connected
  neighbor 126.96.36.199 activate
  neighbor 188.8.131.52 route-map ONLY_MGMT out
  no auto-summary
  no synchronization
 exit-address-family
!
ip route 10.10.10.1 255.255.255.255 FastEthernet1/0 172.16.30.2
ip route 184.108.40.206 255.255.255.255 Tunnel1 192.168.1.1
!
ip nat inside source route-map NAV interface FastEthernet1/0 overload
ip nat inside source static udp 192.168.10.200 500 interface FastEthernet1/0 500
ip nat inside source static udp 192.168.10.200 4500 interface FastEthernet1/0 4500
!
ip access-list extended NAVEGACION
 deny udp any eq isakmp any
 deny udp any eq non500-isakmp any
 deny udp any any eq isakmp
 deny udp any any eq non500-isakmp
 permit ip any any
!
ip prefix-list loopback_gestion seq 5 permit 220.127.116.11/32
!
access-list 100 permit ip any any
!
route-map ONLY_MGMT permit 5
 match ip address prefix-list loopback_gestion
!
route-map NAV permit 10
 match ip address NAVEGACION
!
The config for ASR1k (HUB):
! Last configuration change at 03:30:45 UTC Fri Oct 31 2014
crypto isakmp profile DMVPN
 keyring KEY
 match identity address 0.0.0.0
!
crypto ipsec transform-set transformada esp-3des esp-md5-hmac
 mode tunnel
!
crypto ipsec profile cisco
 set security-association lifetime seconds 86400
 set transform-set transformada
 set isakmp-profile DMVPN
!
crypto map mymap 10 ipsec-isakmp
 set peer 18.104.22.168
 set transform-set transformada
 set isakmp-profile DMVPN
 match address 100
!
interface Loopback0
 ip address 22.214.171.124 255.255.255.255
!
interface Loopback1
 ip address 126.96.36.199 255.255.255.255
!
interface Loopback100
 description IP Loopback GRE
 ip address 10.10.10.1 255.255.255.255
!
interface Loopback200
 description IPSec Loopback
 ip vrf forwarding vpn_1234_1
 ip address 188.8.131.52 255.255.255.255
 crypto map mymap
!
interface Tunnel1
 ip vrf forwarding vpn_1234_1
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 ip mtu 1440
 ip nhrp authentication cisco
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp holdtime 300
 tunnel source Loopback100
 tunnel mode gre multipoint
 tunnel key 1
!
It looks like the problem is in where you're putting your crypto map. The crypto map needs to be assigned to the egress interface for your traffic, so in this case it should be on the forwarding interface used to reach 184.108.40.206.
However, your ACL defining the IPv4 addresses to be tunnelled covers all IPv4 sources and destinations, so all communications to and from your router will be halted as soon as you apply it. Best to narrow down the ACL to cover only the traffic you want to send across the tunnel.
For DMVPN, the best practice is to avoid using crypto maps at all. By defining your IPSec in the DMVPN tunnel definition itself, you get a lot more flexibility and a lot less configuration management.
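As an added illustration of the alternative the reply recommends (example configuration, not from the original thread): the question's spoke and hub tunnels with the crypto map on Loopback200 replaced by "tunnel protection" on the mGRE tunnel, reusing the names and addresses already shown in the question; the "crypto ipsec profile cisco" is assumed to be added on the spoke, since the question only defines it on the hub.

```ios
! Added example, not from the original thread: IPsec bound to the
! DMVPN tunnel with "tunnel protection". With this, Loopback200, the
! crypto map and the "access-list 100 permit ip any any" crypto ACL
! are no longer needed; the GRE packets between the two Loopback100
! addresses are what IPsec encrypts.
!
! ---- R12 (spoke) ----
crypto isakmp profile DMVPN
 keyring KEY
 match identity address 0.0.0.0
!
crypto ipsec transform-set transformada esp-3des esp-md5-hmac
!
crypto ipsec profile cisco
 set transform-set transformada
 set isakmp-profile DMVPN
!
interface Tunnel1
 ip address 192.168.1.2 255.255.255.0
 no ip redirects
 ip mtu 1440
 ip nhrp authentication cisco
 ip nhrp map multicast 10.10.10.1
 ip nhrp map 192.168.1.1 10.10.10.1
 ip nhrp network-id 1
 ip nhrp holdtime 300
 ip nhrp nhs 192.168.1.1
 tunnel source Loopback100
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile cisco
!
! ---- ASR1k (hub) ----
interface Tunnel1
 ip vrf forwarding vpn_1234_1
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 ip mtu 1440
 ip nhrp authentication cisco
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp holdtime 300
 tunnel source Loopback100
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile cisco
```

IKE and IPsec for the tunnel are then sourced from Loopback100 (10.10.10.2) rather than from FastEthernet1/0, so the static UDP 500/4500 forwards to 192.168.10.200 on the WAN address are unaffected, and the management Loopback800 is protected as soon as it is routed over Tunnel1.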