Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Why wont my DMVPN get phased 1 isakmp?

 

I’m trying to setup a DMVPN solution with the hub behind a firewall using a static 1 to 1 NAT.

I can get the DMVPN to work fine, but once I add the ipsec policy it doesn’t go passed ISAKMP phase 1.

I have put rules in the firewall to allow NAT-T, GRE tunnels, ESP and AH, I have also put in a allow any any rule just in case I missed something! I was getting a NAT-T issue but then put in the command line no crypto ipsec nat-transparency udp-encapsulation and this solved the issue and ISAKMP phase 1 completed. I have also tried changing the mode from tunnel to transport and back again.

I have tried crypto maps as I wasn’t sure if it was a UDP header issue due to the NAT’ing

My setup is as follows:

Cisco 1941--------JUNIPER SXR-------CLOUD--------Cisco 382

(HUB)                     (FIREWALL)         (SW 3750)        (SPOKE)

                            (STATIC 1 2 1 NAT)

--------------HUB--------------------------

Cisco 1941 - HUB

Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.2(4)M2, RELEASE SOFTWARE (fc2)

version 15.2
!
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key TTCP_KEY address 0.0.0.0
crypto isakmp keepalive 10 3
crypto isakmp nat keepalive 200
!
!
crypto ipsec transform-set TTCP_SET esp-aes esp-sha-hmac
 mode transport
no crypto ipsec nat-transparency udp-encapsulation
!
crypto ipsec profile TTCP_PRO
 set transform-set TTCP_SET
!
!
interface Tunnel12345
 description DMVPN TUNNEL
 ip address 10.10.10.1 255.255.255.0
 no ip redirects
 ip nhrp map multicast dynamic
 ip nhrp network-id 12345
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile TTCP_PRO
!
!
interface GigabitEthernet0/0
 description LINK TO FW ON VLAN 1960
 ip address 192.168.10.1 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address 192.168.20.254 255.255.255.0
 duplex auto
 speed auto
!
!
router ospf 1
 network 10.10.10.0 0.0.0.255 area 0
!
!
ip route 0.0.0.0 0.0.0.0 192.168.10.254

 


----------------------Spoke--------------------------

cisco 3825 - Spoke

Cisco IOS Software, 3800 Software (C3825-ADVENTERPRISEK9-M), Version 15.1(4)M5, RELEASE SOFTWARE (fc1)

version 15.1
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key TTCP_KEY address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10 3
crypto isakmp nat keepalive 200
!
!
crypto ipsec transform-set TTCP_SET esp-aes esp-sha-hmac
 mode transport
no crypto ipsec nat-transparency udp-encapsulation
!
crypto ipsec profile TTCP_PRO
 set transform-set TTCP_SET
!
!
interface Tunnel12345
 description DMVPN TUNNEL
 ip address 10.10.10.2 255.255.255.0
 no ip redirects
 ip nhrp map 10.10.10.1 1.1.1.1
 ip nhrp map multicast 1.1.1.1
 ip nhrp network-id 12345
 ip nhrp nhs 10.10.10.1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile TTCP_PRO
!
!
interface GigabitEthernet0/0
 description LINK TO INTERNET
 ip address 2.2.2.2 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1
 ip address 192.168.30.1 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
router ospf 1
 network 10.10.10.0 0.0.0.255 area 0
!
!
ip route 0.0.0.0 0.0.0.0 2.2.2.3

 

------------------------FIREWALL---------------------------

[edit]
Admin@UK_FIREWALL# show
## Last changed: 2014-07-23 19:54:53 UTC
version 10.4R6.5;
system {
    host-name FIREWALL;
    }
    services {
        ssh;
        telnet;
        xnm-clear-text;
        web-management {
            http {
                interface vlan.0;
            }
            https {
                system-generated-certificate;
                interface vlan.0;
            }
        }
        dhcp {
            router {
                192.168.20.254;
            }
            pool 192.168.20.0/24 {
                address-range low 192.168.20.20 high 192.168.20.250;
                default-lease-time 3600;
                propagate-settings vlan.1960;
           
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 1.1.1.1/24;
            }
        }
    }
    ge-0/0/7 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members vlan1960;
                }
            }
        }
    }
    vlan {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
        unit 1960 {
            family inet {
                address 192.168.10.254/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 1.1.1.2;
    }
}
protocols {
    stp;
}
security {
    nat {
        static {
            rule-set STATIC_NAT_RS1 {
                from zone untrust;
                rule NAT_RULE {
                    match {
                        destination-address 1.1.1.1/32;
                    }
                    then {
                        static-nat prefix 192.168.10.10/32;
                    }
                }
            }
        }
    }
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    zones {
        security-zone trust {
            address-book {
                address SERVER-1 192.168.10.10/32;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.1960 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            all;
                            ike;
                        }
                        protocols {
                            all;
                        }
                    }
                }
                ge-0/0/7.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                            ike;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
        security-zone untrust {
            screen untrust-screen;
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            tftp;
                            all;
                            ike;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy PERMIT_ALL {
                match {
                    source-address SERVER-1;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy ALLOW_ESP {
                match {
                    source-address any;
                    destination-address any;
                    application ESP;
                }
                then {
                    permit;
                }
            }
            policy ALLOW_IKE_500 {
                match {
                    source-address any;
                    destination-address any;
                    application junos-ike;
                }
                then {
                    permit;
                }
            }
            policy ALLOW_PING {
                match {
                    source-address any;
                    destination-address any;
                    application junos-icmp-ping;
                }
                then {
                    permit;
                }
            }
            policy ALLOW_NAT-T {
                match {
                    source-address any;
                    destination-address any;
                    application junos-ike-nat;
                }
                then {
                    permit;
                }
            }
            policy ALLOW_GRE {
                match {
                    source-address any;
                    destination-address any;
                    application junos-gre;
                }
                then {
                    permit;
                }
            }
            policy AH_51 {
                match {
                    source-address any;
                    destination-address any;
                    application AH_PO_51;
                }
                then {
                    permit;
                }
            }
            policy ANY_ANY {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy ACCESS {
                match {
                    source-address any;
                    destination-address SERVER-1;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy ALLOW_ESP {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy ALLOW_IKE_500 {
                match {
                    source-address any;
                    destination-address any;
                    application junos-ike;
                }
                then {
                    permit;
                }
            }
            policy ALLOW_PING {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy ALLOW_GRE {
                match {
                    source-address any;
                    destination-address any;
                    application junos-gre;
                }
                then {
                    permit;
                }
            }
            policy ALLOW_NAT-T {
                match {
                    source-address any;
                    destination-address any;
                    application junos-ike-nat;
                }
                then {
                    permit;
                }
            }
            policy AH_51 {
                match {
                    source-address any;
                    destination-address any;
                    application AH_PO_51;
                }
                then {
                    permit;
                }
            }
            policy ANY_ANY {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}
applications {
    application ESP protocol esp;
    application AH_PO_51 protocol ah;
}
vlans {
    vlan-trust {
        vlan-id 3;
    }
    vlan1960 {
        vlan-id 1960;
        interface {
            ge-0/0/7.0;
        }
        l3-interface vlan.1960;
    }
}

 

------------------------------DEBUG------------------------------

-----------Cisco 1941-----------------

HUB#sh cry is sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.168.10.1  2.2.2.2   QM_IDLE           1006 ACTIVE

IPv6 Crypto ISAKMP SA

UK_HUB#sh dm
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

UK_HUB# debug dm al al

*Jul 25 12:22:39.036: NHRP RIB_RWATCH: Debugging is OFF
*Jul 25 12:22:39.036: NHRP RIB_RWATCH: Debugging is ON
*Jul 25 12:22:58.976: ISAKMP:(1006):purging node 1130853900
*Jul 25 12:23:14.704: ISAKMP (1006): received packet from 2.2.2.2 dport 500 sport 500 Global (R) QM_IDLE
*Jul 25 12:23:14.708: ISAKMP: set new node 670880728 to QM_IDLE
*Jul 25 12:23:14.708: ISAKMP:(1006): processing HASH payload. message ID = 670880728
*Jul 25 12:23:14.708: ISAKMP:(1006): processing SA payload. message ID = 670880728
*Jul 25 12:23:14.708: ISAKMP:(1006):Checking IPSec proposal 1
*Jul 25 12:23:14.708: ISAKMP: transform 1, ESP_AES
*Jul 25 12:23:14.708: ISAKMP:   attributes in transform:
*Jul 25 12:23:14.708: ISAKMP:      encaps is 2 (Transport)
*Jul 25 12:23:14.708: ISAKMP:      SA life type in seconds
*Jul 25 12:23:14.708: ISAKMP:      SA life duration (basic) of 3600
*Jul 25 12:23:14.708: ISAKMP:      SA life type in kilobytes
*Jul 25 12:23:14.708: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
*Jul 25 12:23:14.708: ISAKMP:      authenticator is HMAC-SHA
*Jul 25 12:23:14.708: ISAKMP:      key length is 128
*Jul 25 12:23:14.708: ISAKMP:(1006):atts are acceptable.
*Jul 25 12:23:14.708: IPSEC(validate_proposal_request): proposal part #1
*Jul 25 12:23:14.708: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 192.168.10.1:0, remote= 2.2.2.2:0,
    local_proxy= 1.1.1.1/255.255.255.255/47/0,
    remote_proxy= 2.2.2.2/255.255.255.255/47/0,
    protocol= ESP, transform= NONE  (Transport),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Jul 25 12:23:14.708: map_db_find_best did not find matching map
*Jul 25 12:23:14.708: IPSEC(ipsec_process_proposal): proxy identities not supported
*Jul 25 12:23:14.708: ISAKMP:(1006): IPSec policy invalidated proposal with error 32
*Jul 25 12:23:14.708: ISAKMP:(1006): phase 2 SA policy not acceptable! (local 192.168.10.1 remote 2.2.2.2)
*Jul 25 12:23:14.708: ISAKMP: set new node 2125889339 to QM_IDLE
*Jul 25 12:23:14.708: ISAKMP:(1006):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 838208952, message ID = 2125889339
*Jul 25 12:23:14.708: ISAKMP:(1006): sending packet to 2.2.2.2 my_port 500 peer_port 500 (R) QM_IDLE
*Jul 25 12:23:14.708: ISAKMP:(1006):Sending an IKE IPv4 Packet.
*Jul 25 12:23:14.708: ISAKMP:(1006):purging node 2125889339
*Jul 25 12:23:14.708: ISAKMP:(1006):deleting node 670880728 error TRUE reason "QM rejected"
*Jul 25 12:23:14.708: ISAKMP:(1006):Node 670880728, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Jul 25 12:23:14.708: ISAKMP:(1006):Old State = IKE_QM_READY  New State = IKE_QM_READY
*Jul 25 12:23:28.976: ISAKMP:(1006):purging node 720369228
*Jul 25 12:23:44.704: ISAKMP (1006): received packet from 2.2.2.2 dport 500 sport 500 Global (R) QM_IDLE
*Jul 25 12:23:44.704: ISAKMP: set new node -1528560613 to QM_IDLE
*Jul 25 12:23:44.704: ISAKMP:(1006): processing HASH payload. message ID = 2766406683
*Jul 25 12:23:44.704: ISAKMP:(1006): processing SA payload. message ID = 2766406683
*Jul 25 12:23:44.704: ISAKMP:(1006):Checking IPSec proposal 1
*Jul 25 12:23:44.704: ISAKMP: transform 1, ESP_AES
*Jul 25 12:23:44.704: ISAKMP:   attributes in transform:
*Jul 25 12:23:44.704: ISAKMP:      encaps is 2 (Transport)
*Jul 25 12:23:44.704: ISAKMP:      SA life type in seconds
*Jul 25 12:23:44.704: ISAKMP:      SA life duration (basic) of 3600
*Jul 25 12:23:44.704: ISAKMP:      SA life type in kilobytes
*Jul 25 12:23:44.704: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
*Jul 25 12:23:44.708: ISAKMP:      authenticator is HMAC-SHA
*Jul 25 12:23:44.708: ISAKMP:      key length is 128
*Jul 25 12:23:44.708: ISAKMP:(1006):atts are acceptable.
*Jul 25 12:23:44.708: IPSEC(validate_proposal_request): proposal part #1
*Jul 25 12:23:44.708: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 192.168.10.1:0, remote= 2.2.2.2:0,
    local_proxy= 1.1.1.1/255.255.255.255/47/0,
    remote_proxy= 2.2.2.2/255.255.255.255/47/0,
    protocol= ESP, transform= NONE  (Transport),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Jul 25 12:23:44.708: map_db_find_best did not find matching map
*Jul 25 12:23:44.708: IPSEC(ipsec_process_proposal): proxy identities not supported
*Jul 25 12:23:44.708: ISAKMP:(1006): IPSec policy invalidated proposal with error 32
*Jul 25 12:23:44.708: ISAKMP:(1006): phase 2 SA policy not acceptable! (local 192.168.10.1 remote 2.2.2.2)
*Jul 25 12:23:44.708: ISAKMP: set new node 1569673109 to QM_IDLE
*Jul 25 12:23:44.708: ISAKMP:(1006):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 838208952, message ID = 1569673109
*Jul 25 12:23:44.708: ISAKMP:(1006): sending packet to 2.2.2.2 my_port 500 peer_port 500 (R) QM_IDLE
*Jul 25 12:23:44.708: ISAKMP:(1006):Sending an IKE IPv4 Packet.
*Jul 25 12:23:44.708: ISAKMP:(1006):purging node 1569673109
*Jul 25 12:23:44.708: ISAKMP:(1006):deleting node -1528560613 error TRUE reason "QM rejected"
*Jul 25 12:23:44.708: ISAKMP:(1006):Node 2766406683, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Jul 25 12:23:44.708: ISAKMP:(1006):Old State = IKE_QM_READY  New State = IKE_QM_READY


---------Cisco 3825------------------

SPOKE_1#sh dm
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel12345, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1   1.1.1.1      10.10.10.1 IPSEC    1d22h     S

SPOKE_1#sh cry is sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
1.1.1.1   2.2.2.2   QM_IDLE           1006 ACTIVE

IPv6 Crypto ISAKMP SA

SPOKE_1#debug dm all all

*Jul 25 12:50:23.520: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 2.2.2.2:500, remote= 1.1.1.1:500,
    local_proxy= 2.2.2.2/255.255.255.255/47/0 (type=1),
    remote_proxy= 1.1.1.1/255.255.255.255/47/0 (type=1),
    protocol= ESP, transform= esp-aes esp-sha-hmac  (Transport),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Jul 25 12:50:23.520: ISAKMP: set new node 0 to QM_IDLE
*Jul 25 12:50:23.520: SA has outstanding requests  (local 112.176.96.152 port 500, remote 112.176.96.124 port 500)
*Jul 25 12:50:23.520: ISAKMP:(1006): sitting IDLE. Starting QM immediately (QM_IDLE      )
*Jul 25 12:50:23.520: ISAKMP:(1006):beginning Quick Mode exchange, M-ID of 1627587566
*Jul 25 12:50:23.520: ISAKMP:(1006):QM Initiator gets spi
*Jul 25 12:50:23.520: ISAKMP:(1006): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) QM_IDLE
*Jul 25 12:50:23.520: ISAKMP:(1006):Sending an IKE IPv4 Packet.
*Jul 25 12:50:23.520: ISAKMP:(1006):Node 1627587566, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Jul 25 12:50:23.520: ISAKMP:(1006):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
*Jul 25 12:50:23.524: ISAKMP (1006): received packet from 1.1.1.1 dport 500 sport 500 Global (I) QM_IDLE
*Jul 25 12:50:23.524: ISAKMP: set new node -1682318828 to QM_IDLE
*Jul 25 12:50:23.524: ISAKMP:(1006): processing HASH payload. message ID = 2612648468
*Jul 25 12:50:23.524: ISAKMP:(1006): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 484617190, message ID = 2612648468, sa = 0x70B05F14
*Jul 25 12:50:23.524: ISAKMP:(1006): deleting spi 484617190 message ID = 1627587566
*Jul 25 12:50:23.524: ISAKMP:(1006):deleting node 1627587566 error TRUE reason "Delete Larval"
*Jul 25 12:50:23.524: ISAKMP:(1006):deleting node -1682318828 error FALSE reason "Informational (in) state 1"
*Jul 25 12:50:23.524: ISAKMP:(1006):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Jul 25 12:50:23.524: ISAKMP:(1006):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Jul 25 12:50:34.972: NHRP: Setting retrans delay to 64 for nhs  dst 10.10.10.1
*Jul 25 12:50:34.972: IPSEC-IFC MGRE/Tu12345(2.2.2.2/1.1.1.1): connection lookup returned 691EDEF4
*Jul 25 12:50:34.972: NHRP: Attempting to send packet via DEST 10.10.10.1
*Jul 25 12:50:34.972: NHRP: NHRP successfully resolved 10.10.10.1 to NBMA 1.1.1.1
*Jul 25 12:50:34.972: NHRP: Encapsulation succeeded.  Tunnel IP addr 1.1.1.1
*Jul 25 12:50:34.972: NHRP: Send Registration Request via Tunnel12345 vrf 0, packet size: 92
*Jul 25 12:50:34.972:  src: 10.12.34.1, dst: 10.10.10.1
*Jul 25 12:50:34.972:  (F) afn: IPv4(1), type: IP(800), hop: 255, ver: 1
*Jul 25 12:50:34.972:      shtl: 4(NSAP), sstl: 0(NSAP)
*Jul 25 12:50:34.972:      pktsz: 92 extoff: 52
*Jul 25 12:50:34.972:  (M) flags: "unique nat ", reqid: 65537
*Jul 25 12:50:34.972:      src NBMA: 2.2.2.2
*Jul 25 12:50:34.972:      src protocol: 10.12.34.1, dst protocol: 10.10.10.1
*Jul 25 12:50:34.972:  (C-1) code: no error(0)
*Jul 25 12:50:34.972:        prefix: 32, mtu: 17916, hd_time: 7200
*Jul 25 12:50:34.972:        addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 0
*Jul 25 12:50:34.972: Responder Address Extension(3):
*Jul 25 12:50:34.972: Forward Transit NHS Record Extension(4):
*Jul 25 12:50:34.972: Reverse Transit NHS Record Extension(5):
*Jul 25 12:50:34.972: NAT address Extension(9):
*Jul 25 12:50:34.972:  (C-1) code: no error(0)
*Jul 25 12:50:34.972:        prefix: 32, mtu: 17916, hd_time: 0
*Jul 25 12:50:34.972:        addr_len: 4(NSAP), subaddr_len: 0(NSAP), proto_len: 4, pref: 0
*Jul 25 12:50:34.972:        client NBMA: 1.1.1.1
*Jul 25 12:50:34.972:        client protocol: 10.10.10.1
*Jul 25 12:50:34.972: NHRP: 116 bytes out Tunnel12345
*Jul 25 12:50:34.972: NHRP-RATE: Retransmitting Registration Request for 10.10.10.1, reqid 65537, (retrans ivl 64 sec)
*Jul 25 12:50:36.132: ISAKMP:(1006):purging node 1566291204
*Jul 25 12:50:36.132: ISAKMP:(1006):purging node 742410882
*Jul 25 12:50:53.520: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 2.2.2.2:0, remote= 1.1.1.1:0,
    local_proxy= 2.2.2.2/255.255.255.255/47/0 (type=1),
    remote_proxy= 1.1.1.1/255.255.255.255/47/0 (type=1)
*Jul 25 12:50:53.520: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 2.2.2.2:500, remote= 1.1.1.1:500,
    local_proxy= 2.2.2.2/255.255.255.255/47/0 (type=1),
    remote_proxy= 1.1.1.1/255.255.255.255/47/0 (type=1),
    protocol= ESP, transform= esp-aes esp-sha-hmac  (Transport),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Jul 25 12:50:53.520: ISAKMP: set new node 0 to QM_IDLE
*Jul 25 12:50:53.520: SA has outstanding requests  (local 112.176.96.152 port 500, remote 112.176.96.124 port 500)
*Jul 25 12:50:53.520: ISAKMP:(1006): sitting IDLE. Starting QM immediately (QM_IDLE      )
*Jul 25 12:50:53.520: ISAKMP:(1006):beginning Quick Mode exchange, M-ID of 2055556995
*Jul 25 12:50:53.520: ISAKMP:(1006):QM Initiator gets spi
*Jul 25 12:50:53.520: ISAKMP:(1006): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) QM_IDLE
*Jul 25 12:50:53.520: ISAKMP:(1006):Sending an IKE IPv4 Packet.
*Jul 25 12:50:53.520: ISAKMP:(1006):Node 2055556995, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Jul 25 12:50:53.520: ISAKMP:(1006):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
*Jul 25 12:50:53.520: ISAKMP (1006): received packet from 1.1.1.1 dport 500 sport 500 Global (I) QM_IDLE
*Jul 25 12:50:53.520: ISAKMP: set new node -1428573279 to QM_IDLE
*Jul 25 12:50:53.524: ISAKMP:(1006): processing HASH payload. message ID = 2866394017
*Jul 25 12:50:53.524: ISAKMP:(1006): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 2888331328, message ID = 2866394017, sa = 0x70B05F14
*Jul 25 12:50:53.524: ISAKMP:(1006): deleting spi 2888331328 message ID = 2055556995
*Jul 25 12:50:53.524: ISAKMP:(1006):deleting node 2055556995 error TRUE reason "Delete Larval"
*Jul 25 12:50:53.524: ISAKMP:(1006):deleting node -1428573279 error FALSE reason "Informational (in) state 1"
*Jul 25 12:50:53.524: ISAKMP:(1006):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Jul 25 12:50:53.524: ISAKMP:(1006):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Everyone's tags (1)
1 REPLY
VIP Purple

Some time ago I was running a

Some time ago I was running a similar setup, but the firewall was an ASA, not a Juniper.

Some comments:

  1. You shouldn't disable NAT-transparence. It should work with the default-setting which is "enabled"
  2. The firewall only has to allow UDP/500 and UDP4500. It will never see any other traffic between the hub and spoke.
  3. The firewall shouldn't do any inspections etc. on the traffic to the hub.
  4. You shouldn't use wildcard-PSKs. The better solution is to use digital certificates.
  5. You probably need some MTU/MSS-settings like "ip mtu 1400" and "ip tcp adjust mss 1360".
  6. For running ospf through DMVPN make sure the Hub is the DR and set the network-type to broadcast.

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
329
Views
0
Helpful
1
Replies
CreatePlease to create content