Why won't my DMVPN get past phase 1 ISAKMP?

steven.l79
Level 1

I'm trying to set up a DMVPN solution with the hub behind a firewall using a static 1-to-1 NAT.

I can get the DMVPN to work fine, but once I add the IPsec policy it doesn't go past ISAKMP phase 1.

I have put rules in the firewall to allow NAT-T, GRE tunnels, ESP and AH; I have also put in an allow-any-any rule just in case I missed something! I was getting a NAT-T issue, but then I put in the command "no crypto ipsec nat-transparency udp-encapsulation" and this solved the issue and ISAKMP phase 1 completed. I have also tried changing the mode from tunnel to transport and back again.

I have tried crypto maps as I wasn't sure if it was a UDP header issue due to the NATing.

My setup is as follows:

Cisco 1941--------JUNIPER SXR-------CLOUD--------Cisco 382

(HUB)                     (FIREWALL)         (SW 3750)        (SPOKE)

                            (STATIC 1 2 1 NAT)

--------------HUB--------------------------

Cisco 1941 - HUB

Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.2(4)M2, RELEASE SOFTWARE (fc2)

version 15.2
!
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key TTCP_KEY address 0.0.0.0
crypto isakmp keepalive 10 3
crypto isakmp nat keepalive 200
!
!
crypto ipsec transform-set TTCP_SET esp-aes esp-sha-hmac
 mode transport
no crypto ipsec nat-transparency udp-encapsulation
!
crypto ipsec profile TTCP_PRO
 set transform-set TTCP_SET
!
!
interface Tunnel12345
 description DMVPN TUNNEL
 ip address 10.10.10.1 255.255.255.0
 no ip redirects
 ip nhrp map multicast dynamic
 ip nhrp network-id 12345
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile TTCP_PRO
!
!
interface GigabitEthernet0/0
 description LINK TO FW ON VLAN 1960
 ip address 192.168.10.1 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address 192.168.20.254 255.255.255.0
 duplex auto
 speed auto
!
!
router ospf 1
 network 10.10.10.0 0.0.0.255 area 0
!
!
ip route 0.0.0.0 0.0.0.0 192.168.10.254



----------------------Spoke--------------------------

cisco 3825 - Spoke

Cisco IOS Software, 3800 Software (C3825-ADVENTERPRISEK9-M), Version 15.1(4)M5, RELEASE SOFTWARE (fc1)

version 15.1
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key TTCP_KEY address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10 3
crypto isakmp nat keepalive 200
!
!
crypto ipsec transform-set TTCP_SET esp-aes esp-sha-hmac
 mode transport
no crypto ipsec nat-transparency udp-encapsulation
!
crypto ipsec profile TTCP_PRO
 set transform-set TTCP_SET
!
!
interface Tunnel12345
 description DMVPN TUNNEL
 ip address 10.10.10.2 255.255.255.0
 no ip redirects
 ip nhrp map 10.10.10.1 1.1.1.1
 ip nhrp map multicast 1.1.1.1
 ip nhrp network-id 12345
 ip nhrp nhs 10.10.10.1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile TTCP_PRO
!
!
interface GigabitEthernet0/0
 description LINK TO INTERNET
 ip address 2.2.2.2 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1
 ip address 192.168.30.1 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
router ospf 1
 network 10.10.10.0 0.0.0.255 area 0
!
!
ip route 0.0.0.0 0.0.0.0 2.2.2.3


------------------------FIREWALL---------------------------

[edit]
Admin@UK_FIREWALL# show
## Last changed: 2014-07-23 19:54:53 UTC
version 10.4R6.5;
system {
    host-name FIREWALL;
    services {
        ssh;
        telnet;
        xnm-clear-text;
        web-management {
            http {
                interface vlan.0;
            }
            https {
                system-generated-certificate;
                interface vlan.0;
            }
        }
        dhcp {
            router {
                192.168.20.254;
            }
            pool 192.168.20.0/24 {
                address-range low 192.168.20.20 high 192.168.20.250;
                default-lease-time 3600;
                propagate-settings vlan.1960;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 1.1.1.1/24;
            }
        }
    }
    ge-0/0/7 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members vlan1960;
                }
            }
        }
    }
    vlan {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
        unit 1960 {
            family inet {
                address 192.168.10.254/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 1.1.1.2;
    }
}
protocols {
    stp;
}
security {
    nat {
        static {
            rule-set STATIC_NAT_RS1 {
                from zone untrust;
                rule NAT_RULE {
                    match {
                        destination-address 1.1.1.1/32;
                    }
                    then {
                        static-nat prefix 192.168.10.10/32;
                    }
                }
            }
        }
    }
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    zones {
        security-zone trust {
            address-book {
                address SERVER-1 192.168.10.10/32;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.1960 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            all;
                            ike;
                        }
                        protocols {
                            all;
                        }
                    }
                }
                ge-0/0/7.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                            ike;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
        security-zone untrust {
            screen untrust-screen;
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            tftp;
                            all;
                            ike;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy PERMIT_ALL {
                match {
                    source-address SERVER-1;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy ALLOW_ESP {
                match {
                    source-address any;
                    destination-address any;
                    application ESP;
                }
                then {
                    permit;
                }
            }
            policy ALLOW_IKE_500 {
                match {
                    source-address any;
                    destination-address any;
                    application junos-ike;
                }
                then {
                    permit;
                }
            }
            policy ALLOW_PING {
                match {
                    source-address any;
                    destination-address any;
                    application junos-icmp-ping;
                }
                then {
                    permit;
                }
            }
            policy ALLOW_NAT-T {
                match {
                    source-address any;
                    destination-address any;
                    application junos-ike-nat;
                }
                then {
                    permit;
                }
            }
            policy ALLOW_GRE {
                match {
                    source-address any;
                    destination-address any;
                    application junos-gre;
                }
                then {
                    permit;
                }
            }
            policy AH_51 {
                match {
                    source-address any;
                    destination-address any;
                    application AH_PO_51;
                }
                then {
                    permit;
                }
            }
            policy ANY_ANY {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy ACCESS {
                match {
                    source-address any;
                    destination-address SERVER-1;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy ALLOW_ESP {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy ALLOW_IKE_500 {
                match {
                    source-address any;
                    destination-address any;
                    application junos-ike;
                }
                then {
                    permit;
                }
            }
            policy ALLOW_PING {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy ALLOW_GRE {
                match {
                    source-address any;
                    destination-address any;
                    application junos-gre;
                }
                then {
                    permit;
                }
            }
            policy ALLOW_NAT-T {
                match {
                    source-address any;
                    destination-address any;
                    application junos-ike-nat;
                }
                then {
                    permit;
                }
            }
            policy AH_51 {
                match {
                    source-address any;
                    destination-address any;
                    application AH_PO_51;
                }
                then {
                    permit;
                }
            }
            policy ANY_ANY {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}
applications {
    application ESP protocol esp;
    application AH_PO_51 protocol ah;
}
vlans {
    vlan-trust {
        vlan-id 3;
    }
    vlan1960 {
        vlan-id 1960;
        interface {
            ge-0/0/7.0;
        }
        l3-interface vlan.1960;
    }
}


------------------------------DEBUG------------------------------

-----------Cisco 1941-----------------

HUB#sh cry is sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.168.10.1  2.2.2.2   QM_IDLE           1006 ACTIVE

IPv6 Crypto ISAKMP SA

UK_HUB#sh dm
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

UK_HUB# debug dm al al

*Jul 25 12:22:39.036: NHRP RIB_RWATCH: Debugging is OFF
*Jul 25 12:22:39.036: NHRP RIB_RWATCH: Debugging is ON
*Jul 25 12:22:58.976: ISAKMP:(1006):purging node 1130853900
*Jul 25 12:23:14.704: ISAKMP (1006): received packet from 2.2.2.2 dport 500 sport 500 Global (R) QM_IDLE
*Jul 25 12:23:14.708: ISAKMP: set new node 670880728 to QM_IDLE
*Jul 25 12:23:14.708: ISAKMP:(1006): processing HASH payload. message ID = 670880728
*Jul 25 12:23:14.708: ISAKMP:(1006): processing SA payload. message ID = 670880728
*Jul 25 12:23:14.708: ISAKMP:(1006):Checking IPSec proposal 1
*Jul 25 12:23:14.708: ISAKMP: transform 1, ESP_AES
*Jul 25 12:23:14.708: ISAKMP:   attributes in transform:
*Jul 25 12:23:14.708: ISAKMP:      encaps is 2 (Transport)
*Jul 25 12:23:14.708: ISAKMP:      SA life type in seconds
*Jul 25 12:23:14.708: ISAKMP:      SA life duration (basic) of 3600
*Jul 25 12:23:14.708: ISAKMP:      SA life type in kilobytes
*Jul 25 12:23:14.708: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
*Jul 25 12:23:14.708: ISAKMP:      authenticator is HMAC-SHA
*Jul 25 12:23:14.708: ISAKMP:      key length is 128
*Jul 25 12:23:14.708: ISAKMP:(1006):atts are acceptable.
*Jul 25 12:23:14.708: IPSEC(validate_proposal_request): proposal part #1
*Jul 25 12:23:14.708: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 192.168.10.1:0, remote= 2.2.2.2:0,
    local_proxy= 1.1.1.1/255.255.255.255/47/0,
    remote_proxy= 2.2.2.2/255.255.255.255/47/0,
    protocol= ESP, transform= NONE  (Transport),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Jul 25 12:23:14.708: map_db_find_best did not find matching map
*Jul 25 12:23:14.708: IPSEC(ipsec_process_proposal): proxy identities not supported
*Jul 25 12:23:14.708: ISAKMP:(1006): IPSec policy invalidated proposal with error 32
*Jul 25 12:23:14.708: ISAKMP:(1006): phase 2 SA policy not acceptable! (local 192.168.10.1 remote 2.2.2.2)
*Jul 25 12:23:14.708: ISAKMP: set new node 2125889339 to QM_IDLE
*Jul 25 12:23:14.708: ISAKMP:(1006):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 838208952, message ID = 2125889339
*Jul 25 12:23:14.708: ISAKMP:(1006): sending packet to 2.2.2.2 my_port 500 peer_port 500 (R) QM_IDLE
*Jul 25 12:23:14.708: ISAKMP:(1006):Sending an IKE IPv4 Packet.
*Jul 25 12:23:14.708: ISAKMP:(1006):purging node 2125889339
*Jul 25 12:23:14.708: ISAKMP:(1006):deleting node 670880728 error TRUE reason "QM rejected"
*Jul 25 12:23:14.708: ISAKMP:(1006):Node 670880728, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Jul 25 12:23:14.708: ISAKMP:(1006):Old State = IKE_QM_READY  New State = IKE_QM_READY
*Jul 25 12:23:28.976: ISAKMP:(1006):purging node 720369228
*Jul 25 12:23:44.704: ISAKMP (1006): received packet from 2.2.2.2 dport 500 sport 500 Global (R) QM_IDLE
*Jul 25 12:23:44.704: ISAKMP: set new node -1528560613 to QM_IDLE
*Jul 25 12:23:44.704: ISAKMP:(1006): processing HASH payload. message ID = 2766406683
*Jul 25 12:23:44.704: ISAKMP:(1006): processing SA payload. message ID = 2766406683
*Jul 25 12:23:44.704: ISAKMP:(1006):Checking IPSec proposal 1
*Jul 25 12:23:44.704: ISAKMP: transform 1, ESP_AES
*Jul 25 12:23:44.704: ISAKMP:   attributes in transform:
*Jul 25 12:23:44.704: ISAKMP:      encaps is 2 (Transport)
*Jul 25 12:23:44.704: ISAKMP:      SA life type in seconds
*Jul 25 12:23:44.704: ISAKMP:      SA life duration (basic) of 3600
*Jul 25 12:23:44.704: ISAKMP:      SA life type in kilobytes
*Jul 25 12:23:44.704: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
*Jul 25 12:23:44.708: ISAKMP:      authenticator is HMAC-SHA
*Jul 25 12:23:44.708: ISAKMP:      key length is 128
*Jul 25 12:23:44.708: ISAKMP:(1006):atts are acceptable.
*Jul 25 12:23:44.708: IPSEC(validate_proposal_request): proposal part #1
*Jul 25 12:23:44.708: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 192.168.10.1:0, remote= 2.2.2.2:0,
    local_proxy= 1.1.1.1/255.255.255.255/47/0,
    remote_proxy= 2.2.2.2/255.255.255.255/47/0,
    protocol= ESP, transform= NONE  (Transport),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Jul 25 12:23:44.708: map_db_find_best did not find matching map
*Jul 25 12:23:44.708: IPSEC(ipsec_process_proposal): proxy identities not supported
*Jul 25 12:23:44.708: ISAKMP:(1006): IPSec policy invalidated proposal with error 32
*Jul 25 12:23:44.708: ISAKMP:(1006): phase 2 SA policy not acceptable! (local 192.168.10.1 remote 2.2.2.2)
*Jul 25 12:23:44.708: ISAKMP: set new node 1569673109 to QM_IDLE
*Jul 25 12:23:44.708: ISAKMP:(1006):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 838208952, message ID = 1569673109
*Jul 25 12:23:44.708: ISAKMP:(1006): sending packet to 2.2.2.2 my_port 500 peer_port 500 (R) QM_IDLE
*Jul 25 12:23:44.708: ISAKMP:(1006):Sending an IKE IPv4 Packet.
*Jul 25 12:23:44.708: ISAKMP:(1006):purging node 1569673109
*Jul 25 12:23:44.708: ISAKMP:(1006):deleting node -1528560613 error TRUE reason "QM rejected"
*Jul 25 12:23:44.708: ISAKMP:(1006):Node 2766406683, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Jul 25 12:23:44.708: ISAKMP:(1006):Old State = IKE_QM_READY  New State = IKE_QM_READY


---------Cisco 3825------------------

SPOKE_1#sh dm
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel12345, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1   1.1.1.1      10.10.10.1 IPSEC    1d22h     S

SPOKE_1#sh cry is sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
1.1.1.1   2.2.2.2   QM_IDLE           1006 ACTIVE

IPv6 Crypto ISAKMP SA

SPOKE_1#debug dm all all

*Jul 25 12:50:23.520: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 2.2.2.2:500, remote= 1.1.1.1:500,
    local_proxy= 2.2.2.2/255.255.255.255/47/0 (type=1),
    remote_proxy= 1.1.1.1/255.255.255.255/47/0 (type=1),
    protocol= ESP, transform= esp-aes esp-sha-hmac  (Transport),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Jul 25 12:50:23.520: ISAKMP: set new node 0 to QM_IDLE
*Jul 25 12:50:23.520: SA has outstanding requests  (local 112.176.96.152 port 500, remote 112.176.96.124 port 500)
*Jul 25 12:50:23.520: ISAKMP:(1006): sitting IDLE. Starting QM immediately (QM_IDLE      )
*Jul 25 12:50:23.520: ISAKMP:(1006):beginning Quick Mode exchange, M-ID of 1627587566
*Jul 25 12:50:23.520: ISAKMP:(1006):QM Initiator gets spi
*Jul 25 12:50:23.520: ISAKMP:(1006): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) QM_IDLE
*Jul 25 12:50:23.520: ISAKMP:(1006):Sending an IKE IPv4 Packet.
*Jul 25 12:50:23.520: ISAKMP:(1006):Node 1627587566, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Jul 25 12:50:23.520: ISAKMP:(1006):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
*Jul 25 12:50:23.524: ISAKMP (1006): received packet from 1.1.1.1 dport 500 sport 500 Global (I) QM_IDLE
*Jul 25 12:50:23.524: ISAKMP: set new node -1682318828 to QM_IDLE
*Jul 25 12:50:23.524: ISAKMP:(1006): processing HASH payload. message ID = 2612648468
*Jul 25 12:50:23.524: ISAKMP:(1006): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 484617190, message ID = 2612648468, sa = 0x70B05F14
*Jul 25 12:50:23.524: ISAKMP:(1006): deleting spi 484617190 message ID = 1627587566
*Jul 25 12:50:23.524: ISAKMP:(1006):deleting node 1627587566 error TRUE reason "Delete Larval"
*Jul 25 12:50:23.524: ISAKMP:(1006):deleting node -1682318828 error FALSE reason "Informational (in) state 1"
*Jul 25 12:50:23.524: ISAKMP:(1006):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Jul 25 12:50:23.524: ISAKMP:(1006):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Jul 25 12:50:34.972: NHRP: Setting retrans delay to 64 for nhs  dst 10.10.10.1
*Jul 25 12:50:34.972: IPSEC-IFC MGRE/Tu12345(2.2.2.2/1.1.1.1): connection lookup returned 691EDEF4
*Jul 25 12:50:34.972: NHRP: Attempting to send packet via DEST 10.10.10.1
*Jul 25 12:50:34.972: NHRP: NHRP successfully resolved 10.10.10.1 to NBMA 1.1.1.1
*Jul 25 12:50:34.972: NHRP: Encapsulation succeeded.  Tunnel IP addr 1.1.1.1
*Jul 25 12:50:34.972: NHRP: Send Registration Request via Tunnel12345 vrf 0, packet size: 92
*Jul 25 12:50:34.972:  src: 10.12.34.1, dst: 10.10.10.1
*Jul 25 12:50:34.972:  (F) afn: IPv4(1), type: IP(800), hop: 255, ver: 1
*Jul 25 12:50:34.972:      shtl: 4(NSAP), sstl: 0(NSAP)
*Jul 25 12:50:34.972:      pktsz: 92 extoff: 52
*Jul 25 12:50:34.972:  (M) flags: "unique nat ", reqid: 65537
*Jul 25 12:50:34.972:      src NBMA: 2.2.2.2
*Jul 25 12:50:34.972:      src protocol: 10.12.34.1, dst protocol: 10.10.10.1
*Jul 25 12:50:34.972:  (C-1) code: no error(0)
*Jul 25 12:50:34.972:        prefix: 32, mtu: 17916, hd_time: 7200
*Jul 25 12:50:34.972:        addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 0
*Jul 25 12:50:34.972: Responder Address Extension(3):
*Jul 25 12:50:34.972: Forward Transit NHS Record Extension(4):
*Jul 25 12:50:34.972: Reverse Transit NHS Record Extension(5):
*Jul 25 12:50:34.972: NAT address Extension(9):
*Jul 25 12:50:34.972:  (C-1) code: no error(0)
*Jul 25 12:50:34.972:        prefix: 32, mtu: 17916, hd_time: 0
*Jul 25 12:50:34.972:        addr_len: 4(NSAP), subaddr_len: 0(NSAP), proto_len: 4, pref: 0
*Jul 25 12:50:34.972:        client NBMA: 1.1.1.1
*Jul 25 12:50:34.972:        client protocol: 10.10.10.1
*Jul 25 12:50:34.972: NHRP: 116 bytes out Tunnel12345
*Jul 25 12:50:34.972: NHRP-RATE: Retransmitting Registration Request for 10.10.10.1, reqid 65537, (retrans ivl 64 sec)
*Jul 25 12:50:36.132: ISAKMP:(1006):purging node 1566291204
*Jul 25 12:50:36.132: ISAKMP:(1006):purging node 742410882
*Jul 25 12:50:53.520: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 2.2.2.2:0, remote= 1.1.1.1:0,
    local_proxy= 2.2.2.2/255.255.255.255/47/0 (type=1),
    remote_proxy= 1.1.1.1/255.255.255.255/47/0 (type=1)
*Jul 25 12:50:53.520: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 2.2.2.2:500, remote= 1.1.1.1:500,
    local_proxy= 2.2.2.2/255.255.255.255/47/0 (type=1),
    remote_proxy= 1.1.1.1/255.255.255.255/47/0 (type=1),
    protocol= ESP, transform= esp-aes esp-sha-hmac  (Transport),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Jul 25 12:50:53.520: ISAKMP: set new node 0 to QM_IDLE
*Jul 25 12:50:53.520: SA has outstanding requests  (local 112.176.96.152 port 500, remote 112.176.96.124 port 500)
*Jul 25 12:50:53.520: ISAKMP:(1006): sitting IDLE. Starting QM immediately (QM_IDLE      )
*Jul 25 12:50:53.520: ISAKMP:(1006):beginning Quick Mode exchange, M-ID of 2055556995
*Jul 25 12:50:53.520: ISAKMP:(1006):QM Initiator gets spi
*Jul 25 12:50:53.520: ISAKMP:(1006): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) QM_IDLE
*Jul 25 12:50:53.520: ISAKMP:(1006):Sending an IKE IPv4 Packet.
*Jul 25 12:50:53.520: ISAKMP:(1006):Node 2055556995, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Jul 25 12:50:53.520: ISAKMP:(1006):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
*Jul 25 12:50:53.520: ISAKMP (1006): received packet from 1.1.1.1 dport 500 sport 500 Global (I) QM_IDLE
*Jul 25 12:50:53.520: ISAKMP: set new node -1428573279 to QM_IDLE
*Jul 25 12:50:53.524: ISAKMP:(1006): processing HASH payload. message ID = 2866394017
*Jul 25 12:50:53.524: ISAKMP:(1006): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 2888331328, message ID = 2866394017, sa = 0x70B05F14
*Jul 25 12:50:53.524: ISAKMP:(1006): deleting spi 2888331328 message ID = 2055556995
*Jul 25 12:50:53.524: ISAKMP:(1006):deleting node 2055556995 error TRUE reason "Delete Larval"
*Jul 25 12:50:53.524: ISAKMP:(1006):deleting node -1428573279 error FALSE reason "Informational (in) state 1"
*Jul 25 12:50:53.524: ISAKMP:(1006):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Jul 25 12:50:53.524: ISAKMP:(1006):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

1 Reply

Some time ago I was running a similar setup, but the firewall was an ASA, not a Juniper.

Some comments:

  1. You shouldn't disable NAT transparency. It should work with the default setting, which is "enabled".
  2. The firewall only has to allow UDP/500 and UDP/4500. It will never see any other traffic between the hub and spoke.
  3. The firewall shouldn't do any inspection etc. on the traffic to the hub.
  4. You shouldn't use wildcard PSKs. The better solution is to use digital certificates.
  5. You probably need some MTU/MSS settings like "ip mtu 1400" and "ip tcp adjust-mss 1360".
  6. For running OSPF through DMVPN, make sure the hub is the DR and set the network type to broadcast.
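The hub-side debug in the question shows where the exchange actually fails: phase 1 is up (QM_IDLE, ACTIVE), and it is the Quick Mode proposal that is rejected with "proxy identities not supported". The spoke proposes a local proxy of 1.1.1.1 (the firewall's static-NAT address) while the hub's own IKE address is 192.168.10.1, which is exactly the translated-address situation NAT-T exists to detect and handle, hence the reply's first point. The following Python analyser is added here as an example and is not part of the original thread or of any Cisco tool: it pulls the IKE addresses and proxy identities out of IOS "debug crypto" style output and flags the mismatch. HUB_DEBUG is a shortened excerpt of the hub debug from the post; CLEAN_DEBUG is a constructed counter-example with no NAT in the path; the finding codes (HUB_BEHIND_NAT and so on) are my own naming.

```python
import re
from dataclasses import dataclass, field

# Shortened excerpt of the hub debug output posted in the question.
HUB_DEBUG = """\
*Jul 25 12:23:14.708: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 192.168.10.1:0, remote= 2.2.2.2:0,
    local_proxy= 1.1.1.1/255.255.255.255/47/0,
    remote_proxy= 2.2.2.2/255.255.255.255/47/0,
    protocol= ESP, transform= NONE  (Transport),
*Jul 25 12:23:14.708: map_db_find_best did not find matching map
*Jul 25 12:23:14.708: IPSEC(ipsec_process_proposal): proxy identities not supported
*Jul 25 12:23:14.708: ISAKMP:(1006): IPSec policy invalidated proposal with error 32
*Jul 25 12:23:14.708: ISAKMP:(1006): phase 2 SA policy not acceptable! (local 192.168.10.1 remote 2.2.2.2)
*Jul 25 12:23:14.708: ISAKMP:(1006):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
"""

# Constructed counter-example (not from the post): same peers, no NAT in the
# path, so the proxy identities equal the IKE addresses and nothing is rejected.
CLEAN_DEBUG = """\
*Jul 25 12:23:14.708: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 192.168.10.1:0, remote= 2.2.2.2:0,
    local_proxy= 192.168.10.1/255.255.255.255/47/0,
    remote_proxy= 2.2.2.2/255.255.255.255/47/0,
    protocol= ESP, transform= esp-aes esp-sha-hmac  (Transport),
"""

ADDR = r"(\d{1,3}(?:\.\d{1,3}){3})"
# "local= A:port, remote= B:port" on the key-engine message line.
LOCAL_RE = re.compile(r"local=\s*" + ADDR + r":\d+,\s*remote=\s*" + ADDR + r":\d+")
LOCAL_PROXY_RE = re.compile(r"local_proxy=\s*" + ADDR + "/")
REMOTE_PROXY_RE = re.compile(r"remote_proxy=\s*" + ADDR + "/")


@dataclass
class QuickModeCheck:
    local: str = ""            # hub's own IKE address
    remote: str = ""           # peer's IKE address as seen by the hub
    local_proxy: str = ""      # local identity the peer proposed for the SA
    remote_proxy: str = ""     # remote identity the peer proposed for the SA
    proxy_rejected: bool = False
    proposal_not_chosen: bool = False
    findings: dict = field(default_factory=dict)   # code -> explanation


def analyze_hub_debug(text: str) -> QuickModeCheck:
    """Extract Quick Mode identities from IOS debug output and flag NAT mismatches."""
    c = QuickModeCheck()
    for line in text.splitlines():
        m = LOCAL_RE.search(line)
        if m:
            c.local, c.remote = m.group(1), m.group(2)
        m = LOCAL_PROXY_RE.search(line)
        if m:
            c.local_proxy = m.group(1)
        m = REMOTE_PROXY_RE.search(line)
        if m:
            c.remote_proxy = m.group(1)
        if "proxy identities not supported" in line:
            c.proxy_rejected = True
        if "PROPOSAL_NOT_CHOSEN" in line:
            c.proposal_not_chosen = True

    # The peer addresses this router by a different IP than the one it owns:
    # a translated address is in the path on our side.
    if c.local and c.local_proxy and c.local != c.local_proxy:
        c.findings["HUB_BEHIND_NAT"] = (
            f"peer proposed local proxy {c.local_proxy} but this router's IKE "
            f"address is {c.local}; static NAT in front of the hub, NAT-T must stay enabled"
        )
    # Symmetric check for the other side.
    if c.remote and c.remote_proxy and c.remote != c.remote_proxy:
        c.findings["SPOKE_BEHIND_NAT"] = (
            f"peer's proxy {c.remote_proxy} differs from its IKE address {c.remote}"
        )
    # Rejected for some other reason (transform-set, profile, ACL): not a NAT symptom.
    if c.proxy_rejected and not c.findings:
        c.findings["PROXY_MISMATCH_OTHER"] = "proxy identities rejected with no NAT indication"
    return c


if __name__ == "__main__":
    for name, sample in (("hub (from post)", HUB_DEBUG), ("clean (constructed)", CLEAN_DEBUG)):
        r = analyze_hub_debug(sample)
        print(name, "->", r.findings or "no findings")
```

Run against the excerpt from the post the analyser reports HUB_BEHIND_NAT; against the constructed clean exchange it reports nothing. The check is deliberately narrow: it reads only the validate_proposal_request identities and the rejection strings, so it stays silent on proposals that fail for transform or lifetime reasons and does not guess at anything the debug does not state.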