09-22-2009 07:09 AM - edited 03-04-2019 06:07 AM
Hi,
I'm having an issue with the setup of a DMVPN. I have one spoke router and 2 hub routers ( R1 and R2 ).
When I configure the spoke router to connect to R1 everything works fine and an EIGRP neighbor is established.
When I do a similar setup to R2 the ipsec tunnel is UP-ACTIVE and I see a ping from the spoke router arriving at R2. R2 sends an echo-reply but the traffic isn't encrypted.
Has anybody seen this issue before ?
Due to an IOS limitation I needed to use a crypto map on both hub routers, since the ipsec profile with VRFs isn't supported yet...
Both hub routers are running the same IOS and are identical in hardware ( 7206 ).
09-22-2009 09:26 AM
Hello Wim,
Sorry for the basic question, consider it just a starting point:
the basic question is, is the ACL used to define what traffic to encrypt on the second hub router correct?
It may need some changes from the one on hub router 1.
Hope to help
Giuseppe
09-22-2009 11:24 PM
Hi Giuseppe,
Here's the config, which will make troubleshooting a little bit easier:
ip vrf Argenta-GPRS
rd 100:725
!
ip vrf Argenta-Kantoor
rd 100:704
!
crypto keyring GPRS-RSA vrf Argenta-GPRS
rsa-pubkey name Argenta-GPRS.argenta.be
key-string
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
quit
crypto isakmp policy 5
encr aes 256
hash md5
group 2
lifetime 1440
!
crypto isakmp profile Argenta-GPRS
vrf Argenta-GPRS
keyring GPRS-RSA
self-identity fqdn
match identity host Argenta-GPRS.argenta.be
!
crypto ipsec transform-set Argenta-GPRS esp-aes 256 esp-md5-hmac
!
crypto ipsec profile Argenta-GPRS
set transform-set Argenta-GPRS
set isakmp-profile Argenta-GPRS
!
crypto dynamic-map Argenta-GPRS 10
set transform-set Argenta-GPRS
!
interface Tunnel725
ip vrf forwarding Argenta-Kantoor
ip address 10.50.145.146 255.255.255.240
no ip redirects
ip mtu 1400
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip nhrp holdtime 300
tunnel source FastEthernet0/1.725
tunnel mode gre multipoint
tunnel key 0
tunnel vrf Argenta-GPRS
!
interface FastEthernet0/1.725
description Argenta-GPRS
encapsulation dot1Q 725
ip vrf forwarding Argenta-GPRS
ip address X.X.X.X 255.255.255.248
crypto map Argenta-GPRS
!
!
crypto map Argenta-GPRS 10 ipsec-isakmp dynamic Argenta-GPRS
!
Output of show crypto ipsec
-----------------------------
AEDE_VR1_CR_-1#sho crypto ipsec sa interface fa0/1.725
interface: FastEthernet0/1.725
Crypto map tag: Argenta-GPRS, local addr X.X.X.X
protected vrf: Argenta-GPRS
local ident (addr/mask/prot/port): (X.X.X.X/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (81.169.101.44/255.255.255.255/47/0)
current_peer 81.169.101.44 port 500
PERMIT, flags={}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 79, #pkts decrypt: 79, #pkts verify: 79
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: X.X.X.X, remote crypto endpt.: 81.169.101.44
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1.725
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
As you can see packets arrive, and a debug icmp shows that a reply is sent, but nothing is encrypted. I did a debug ip packet and this shows that it is sending packets into tunnel 725.
PS: I replaced the fixed IP address of the hub with X.X.X.X just for security...
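The symptom in the show output above is a one-way SA: 79 packets decapsulated, 0 encapsulated, "current outbound spi: 0x0(0)" and an empty "outbound esp sas:" section, so replies routed into Tunnel725 have no outbound SA to be encrypted under. The following parser is an added example, not code from the thread or from Cisco; it turns "show crypto ipsec sa" text into records and flags exactly that asymmetry. The first sample is a condensed copy of the output posted above; the second is a constructed healthy counterpart with made-up SPI values for contrast.

```python
"""Parse 'show crypto ipsec sa' output and flag one-way (decrypt-only) IPsec SAs.

Added example for this thread; not Cisco code. Field names follow IOS output,
the sample texts below are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Condensed from the output posted in the thread (hub address anonymised as X.X.X.X there).
POSTED_OUTPUT = """\
interface: FastEthernet0/1.725
Crypto map tag: Argenta-GPRS, local addr X.X.X.X
protected vrf: Argenta-GPRS
local ident (addr/mask/prot/port): (X.X.X.X/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (81.169.101.44/255.255.255.255/47/0)
current_peer 81.169.101.44 port 500
PERMIT, flags={}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 79, #pkts decrypt: 79, #pkts verify: 79
#send errors 0, #recv errors 0
current outbound spi: 0x0(0)
inbound esp sas:
outbound esp sas:
"""

# Constructed healthy counterpart; addresses and SPI values are made up.
HEALTHY_OUTPUT = """\
interface: Tunnel0
local ident (addr/mask/prot/port): (192.0.2.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (198.51.100.9/255.255.255.255/47/0)
current_peer 198.51.100.9 port 500
#pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
#pkts decaps: 118, #pkts decrypt: 118, #pkts verify: 118
#send errors 0, #recv errors 0
current outbound spi: 0x3F2A9C10(1059757072)
inbound esp sas:
 spi: 0x7B1D4E22(2065452578)
outbound esp sas:
 spi: 0x3F2A9C10(1059757072)
"""


@dataclass
class IpsecSa:
    interface: str = ""
    local_ident: str = ""
    remote_ident: str = ""
    peer: str = ""
    encaps: int = 0
    decaps: int = 0
    send_errors: int = 0
    outbound_spi: int = 0
    # section name ("inbound esp", "outbound esp", ...) -> SPIs listed under it
    spis: Dict[str, List[int]] = field(default_factory=dict)


_SECTION = re.compile(r"^(inbound|outbound) (esp|ah|pcp) sas:")
_SPI = re.compile(r"^spi: (0x[0-9A-Fa-f]+)")


def parse_show_crypto_ipsec_sa(text: str) -> List[IpsecSa]:
    """One record per 'local ident' block; SPI lines are attached to the last section header seen."""
    sas: List[IpsecSa] = []
    interface = ""
    section: Optional[str] = None
    cur: Optional[IpsecSa] = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"^interface: (\S+)", line):
            interface = m.group(1)
        elif m := re.match(r"^local ident .*: \((.+)\)$", line):
            cur = IpsecSa(interface=interface, local_ident=m.group(1))
            sas.append(cur)
            section = None
        elif cur is None:
            continue  # header lines before the first SA
        elif m := re.match(r"^remote ident .*: \((.+)\)$", line):
            cur.remote_ident = m.group(1)
        elif m := re.match(r"^current_peer (\S+)", line):
            cur.peer = m.group(1)
        elif m := re.match(r"^#pkts encaps: (\d+)", line):
            cur.encaps = int(m.group(1))
        elif m := re.match(r"^#pkts decaps: (\d+)", line):
            cur.decaps = int(m.group(1))
        elif m := re.match(r"^#send errors (\d+)", line):
            cur.send_errors = int(m.group(1))
        elif m := re.match(r"^current outbound spi: (0x[0-9A-Fa-f]+)", line):
            cur.outbound_spi = int(m.group(1), 16)
        elif m := _SECTION.match(line):
            section = f"{m.group(1)} {m.group(2)}"
            cur.spis.setdefault(section, [])
        elif section and (m := _SPI.match(line)):
            cur.spis[section].append(int(m.group(1), 16))
    return sas


def diagnose(sa: IpsecSa) -> List[str]:
    """Findings for one SA; an empty list means traffic is protected in both directions."""
    findings: List[str] = []
    if sa.decaps > 0 and sa.encaps == 0:
        findings.append("decrypt-only: packets from the peer are decrypted but nothing is encrypted towards it")
    if sa.encaps > 0 and sa.decaps == 0:
        findings.append("encrypt-only: packets are sent to the peer but nothing comes back encrypted")
    if sa.outbound_spi == 0 or not sa.spis.get("outbound esp"):
        findings.append("no outbound ESP SA: replies leaving this router cannot be encrypted")
    if sa.send_errors:
        findings.append(f"{sa.send_errors} send errors on this SA")
    return findings


if __name__ == "__main__":
    for label, text in (("posted", POSTED_OUTPUT), ("healthy", HEALTHY_OUTPUT)):
        for sa in parse_show_crypto_ipsec_sa(text):
            print(f"[{label}] {sa.interface} peer {sa.peer}: {diagnose(sa) or 'OK'}")
```

Paste the real "show crypto ipsec sa" output of the failing hub into POSTED_OUTPUT (or read it from a file) and the decrypt-only finding points at the hub side: the spoke's SA is being installed inbound, but nothing on the hub negotiates the matching outbound SA for the GRE traffic that "debug ip packet" shows leaving through Tunnel725.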