DMVPN no hub to spoke traffic

wim_depauw
Level 1

Hi,

I'm having an issue with the setup of a DMVPN. I have one spoke router and 2 hub routers (R1 and R2).

When I configure the spoke router to connect to R1 everything works fine and an EIGRP neighbor is established.

When I do a similar setup to R2 the IPsec tunnel is UP-ACTIVE and I see a ping from the spoke router arriving at R2. R2 sends an echo-reply but the traffic isn't encrypted.

Has anybody seen this issue before?

Due to an IOS limitation I needed to use a crypto map on both hub routers, since the IPsec profile with VRFs isn't supported yet...

Both hub routers are running the same IOS and are identical machines in hardware (7206).

2 Replies

Giuseppe Larosa
Hall of Fame

Hello Wim,

Sorry for the basic question, consider it just a starting point:

Basic question: is the ACL used to define what traffic to encrypt on the second hub router correct?

It may need some changes from the one on hub router 1.

Hope to help

Giuseppe

Hi Giuseppe,

Here's the config, which will make troubleshooting a little bit easier:

ip vrf Argenta-GPRS
 rd 100:725
!
ip vrf Argenta-Kantoor
 rd 100:704
!
crypto keyring GPRS-RSA vrf Argenta-GPRS
  rsa-pubkey name Argenta-GPRS.argenta.be
   key-string
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
   quit
crypto isakmp policy 5
 encr aes 256
 hash md5
 group 2
 lifetime 1440
!
crypto isakmp profile Argenta-GPRS
   vrf Argenta-GPRS
   keyring GPRS-RSA
   self-identity fqdn
   match identity host Argenta-GPRS.argenta.be
!
crypto ipsec transform-set Argenta-GPRS esp-aes 256 esp-md5-hmac
!
crypto ipsec profile Argenta-GPRS
 set transform-set Argenta-GPRS
 set isakmp-profile Argenta-GPRS
!
crypto dynamic-map Argenta-GPRS 10
 set transform-set Argenta-GPRS
!
interface Tunnel725
 ip vrf forwarding Argenta-Kantoor
 ip address 10.50.145.146 255.255.255.240
 no ip redirects
 ip mtu 1400
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp holdtime 300
 tunnel source FastEthernet0/1.725
 tunnel mode gre multipoint
 tunnel key 0
 tunnel vrf Argenta-GPRS
!
interface FastEthernet0/1.725
 description Argenta-GPRS
 encapsulation dot1Q 725
 ip vrf forwarding Argenta-GPRS
 ip address X.X.X.X 255.255.255.248
 crypto map Argenta-GPRS
!
crypto map Argenta-GPRS 10 ipsec-isakmp dynamic Argenta-GPRS
!

Output of show crypto ipsec sa
-----------------------------

AEDE_VR1_CR_-1#sho crypto ipsec sa interface fa0/1.725

interface: FastEthernet0/1.725
    Crypto map tag: Argenta-GPRS, local addr X.X.X.X

   protected vrf: Argenta-GPRS
   local  ident (addr/mask/prot/port): (X.X.X.X/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (81.169.101.44/255.255.255.255/47/0)
   current_peer 81.169.101.44 port 500
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 79, #pkts decrypt: 79, #pkts verify: 79
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: X.X.X.X, remote crypto endpt.: 81.169.101.44
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1.725
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

As you can see, packets arrive and a debug icmp shows that a reply is sent, but nothing is encrypted. I did a debug ip packet and this shows that it is sending packets into Tunnel725.

PS: I replaced the fixed IP address of the hub by X.X.X.X just for security...
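Added example, not code from the thread: a small Python parser for `show crypto ipsec sa` output that flags exactly the symptom above, a peer whose SA decapsulates inbound packets while its outbound counters stay at zero and the outbound SPI is 0x0, so the check can be run over output collected from many hubs instead of being eyeballed. The sample output is constructed from the one posted here, with a second, healthy peer (made-up address 192.0.2.10 and SPI) added for contrast.

```python
import re
# Constructed sample modelled on the thread's output plus a made-up healthy peer;
# the hub address keeps the X.X.X.X placeholder the poster used.
SAMPLE_OUTPUT = """\
interface: FastEthernet0/1.725
    Crypto map tag: Argenta-GPRS, local addr X.X.X.X

   protected vrf: Argenta-GPRS
   local  ident (addr/mask/prot/port): (X.X.X.X/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (81.169.101.44/255.255.255.255/47/0)
   current_peer 81.169.101.44 port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 79, #pkts decrypt: 79, #pkts verify: 79
     current outbound spi: 0x0(0)

   protected vrf: Argenta-GPRS
   local  ident (addr/mask/prot/port): (X.X.X.X/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (192.0.2.10/255.255.255.255/47/0)
   current_peer 192.0.2.10 port 500
    #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
    #pkts decaps: 118, #pkts decrypt: 118, #pkts verify: 118
     current outbound spi: 0x3D2F1A0B(1026497035)
"""

def parse_ipsec_sas(text):
    """Return one dict per SA entry; an entry starts at its 'protected vrf:' line."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("protected vrf:"):
            cur = {"vrf": line.split(":", 1)[1].strip()}
            entries.append(cur)
        elif cur is None:
            continue  # interface/crypto-map header lines before the first entry
        elif line.startswith("current_peer"):
            cur["peer"] = line.split()[1]
        elif line.startswith("#pkts encaps:"):
            cur["encaps"] = int(re.search(r"encaps: (\d+)", line).group(1))
        elif line.startswith("#pkts decaps:"):
            cur["decaps"] = int(re.search(r"decaps: (\d+)", line).group(1))
        elif line.startswith("current outbound spi:"):
            cur["outbound_spi"] = line.split(":", 1)[1].strip().split("(")[0]
    return entries

def one_way_sas(entries):
    """Peers that decrypt inbound packets but encrypt none outbound (the thread's symptom)."""
    return [e["peer"] for e in entries
            if e.get("decaps", 0) > 0
            and (e.get("encaps", 0) == 0 or e.get("outbound_spi") == "0x0")]
```

A non-empty result means return traffic toward that peer is leaving the hub unprotected (or being dropped), which is worth alerting on independently of whether the tunnel interface reports up.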
