Cisco Support Community

Problems with VPN Router ASR-1000

I have configured a DMVPN on my ASR-1000 router, but the VPN does not stay active. I performed the test on a 3845 router and it worked correctly, but on the ASR the VPN is not maintained. Do you have any idea what may be happening?

Below I copy the configuration:

HUB

!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 6 $IPROOT$ address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set $VPNNET$ esp-3des esp-md5-hmac 
!
crypto ipsec profile GREVPN
 set security-association lifetime seconds 86400
 set transform-set $VPNNET$ 
!

!
interface Tunnel0
 ip address 10.190.1.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip flow ingress
 ip nhrp map multicast dynamic
 ip nhrp network-id 10
 ip nhrp holdtime 600
 ip nhrp registration timeout 30
 no ip split-horizon eigrp 100
 ip tcp adjust-mss 1360
 qos pre-classify
 tunnel source 10.141.10.1
 tunnel mode gre multipoint
 tunnel protection ipsec profile GREVPN
!         

Spoke

!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 6 $IPROOT$ address 10.141.10.1
!
!
crypto ipsec transform-set $VPNNET$ esp-3des esp-md5-hmac 
!
crypto ipsec profile GREVPN
 set security-association lifetime seconds 86400
 set transform-set $VPNNET$ 
!

interface Tunnel0
 bandwidth 1024
 ip address 10.190.1.2 255.255.255.0
 ip mtu 1480
 ip nhrp map multicast 10.141.10.1
 ip nhrp map 10.190.1.1 10.141.10.1
 ip nhrp network-id 10
 ip nhrp holdtime 600
 ip nhrp nhs 10.190.1.1
 ip nhrp registration timeout 30
 ip route-cache flow
 qos pre-classify
 tunnel source 10.141.10.13
 tunnel destination 10.141.10.1
 tunnel protection ipsec profile GREVPN
!         

May 26 11:14:54.748: ISAKMP:(0:31:SW:1): processing KE payload. message ID = 0
May 26 11:14:54.820: ISAKMP:(0:31:SW:1): processing NONCE payload. message ID = 0
May 26 11:14:54.820: ISAKMP:(0:31:SW:1):found peer pre-shared key matching 10.141.10.1
May 26 11:14:54.820: ISAKMP:(0:31:SW:1):SKEYID state generated
May 26 11:14:54.820: ISAKMP:(0:31:SW:1): processing vendor id payload
May 26 11:14:54.820: ISAKMP:(0:31:SW:1): vendor ID is Unity
May 26 11:14:54.820: ISAKMP:(0:31:SW:1): processing vendor id payload
May 26 11:14:54.820: ISAKMP:(0:31:SW:1): vendor ID is DPD
May 26 11:14:54.820: ISAKMP:(0:31:SW:1): processing vendor id payload
May 26 11:14:54.820: ISAKMP:(0:31:SW:1): speaking to another IOS box!
May 26 11:14:54.820: ISAKMP:(0:31:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
May 26 11:14:54.820: ISAKMP:(0:31:SW:1):Old State = IKE_I_MM4  New State = IKE_I_MM4 

May 26 11:14:54.824: ISAKMP:(0:31:SW:1):Send initial contact
May 26 11:14:54.824: ISAKMP:(0:31:SW:1):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
May 26 11:14:54.824: ISAKMP (0:134217759): ID payload 
        next-payload : 8
        type         : 1 
        address      : 10.141.10.13 
        protocol     : 17 
        port         : 500 
        length       : 12
May 26 11:14:54.824: ISAKMP:(0:31:SW:1):Total payload length: 12
May 26 11:14:54.828: ISAKMP:(0:31:SW:1): sending packet to 10.141.10.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
May 26 11:14:54.828: ISAKMP:(0:31:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
May 26 11:14:54.828: ISAKMP:(0:31:SW:1):Old State = IKE_I_MM4  New State = IKE_I_MM5 

May 26 11:14:54.856: ISAKMP (0:134217759): received packet from 10.141.10.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
May 26 11:14:54.856: ISAKMP:(0:31:SW:1): processing ID payload. message ID = 0
May 26 11:14:54.856: ISAKMP (0:134217759): ID payload 
        next-payload : 8
        type         : 1 
        address      : 10.141.10.1 
        protocol     : 17 
        port         : 500 
        length       : 12
May 26 11:14:54.856: ISAKMP:(0:31:SW:1):: peer matches *none* of the profiles
May 26 11:14:54.856: ISAKMP:(0:31:SW:1): processing HASH payload. message ID = 0
May 26 11:14:54.856: ISAKMP:(0:31:SW:1):SA authentication status:
        authenticated
May 26 11:14:54.860: ISAKMP:(0:31:SW:1):SA has been authenticated with 10.141.10.1
May 26 11:14:54.860: ISAKMP: Trying to insert a peer 10.141.10.13/10.141.10.1/500/,  and inserted successfully 66271C54.
May 26 11:14:54.860: ISAKMP:(0:31:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
May 26 11:14:54.860: ISAKMP:(0:31:SW:1):Old State = IKE_I_MM5  New State = IKE_I_MM6 

May 26 11:14:54.860: ISAKMP:(0:31:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
May 26 11:14:54.860: ISAKMP:(0:31:SW:1):Old State = IKE_I_MM6  New State = IKE_I_MM6 

May 26 11:14:54.860: ISAKMP:(0:31:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
May 26 11:14:54.860: ISAKMP:(0:31:SW:1):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE 

May 26 11:14:54.860: ISAKMP:(0:31:SW:1):beginning Quick Mode exchange, M-ID of -1087210433
May 26 11:14:54.864: ISAKMP:(0:31:SW:1): sending packet to 10.141.10.1 my_port 500 peer_port 500 (I) QM_IDLE      
May 26 11:14:54.864: ISAKMP:(0:31:SW:1):Node -1087210433, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
May 26 11:14:54.864: ISAKMP:(0:31:SW:1):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
May 26 11:14:54.864: ISAKMP:(0:31:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
May 26 11:14:54.864: ISAKMP:(0:31:SW:1):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE 

May 26 11:14:54.896: ISAKMP (0:134217759): received packet from 10.141.10.1 dport 500 sport 500 Global (I) QM_IDLE      
May 26 11:14:54.896: ISAKMP:(0:31:SW:1): processing HASH payload. message ID = -1087210433
May 26 11:14:54.900: ISAKMP:(0:31:SW:1): processing SA payload. message ID = -1087210433
May 26 11:14:54.900: ISAKMP:(0:31:SW:1):Checking IPSec proposal 1
May 26 11:14:54.900: ISAKMP: transform 1, ESP_3DES
May 26 11:14:54.900: ISAKMP:   attributes in transform:
May 26 11:14:54.900: ISAKMP:      encaps is 1 (Tunnel)
May 26 11:14:54.900: ISAKMP:      SA life type in seconds
May 26 11:14:54.900: ISAKMP:      SA life duration (VPI) of  0x0 0x1 0x51 0x80 
May 26 11:14:54.900: ISAKMP:      SA life type in kilobytes
May 26 11:14:54.900: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0 
May 26 11:14:54.900: ISAKMP:      authenticator is HMAC-MD5
May 26 11:14:54.900: ISAKMP:(0:31:SW:1):atts are acceptable.
May 26 11:14:54.900: ISAKMP:(0:31:SW:1): processing NONCE payload. message ID = -1087210433
May 26 11:14:54.900: ISAKMP:(0:31:SW:1): processing ID payload. message ID = -1087210433
May 26 11:14:54.900: ISAKMP:(0:31:SW:1): processing ID payload. message ID = -1087210433
May 26 11:14:54.900: ISAKMP: Locking peer struct 0x66271C54, IPSEC refcount 1 for for stuff_ke
May 26 11:14:54.900: ISAKMP:(0:31:SW:1): Creating IPSec SAs
May 26 11:14:54.900:         inbound SA from 10.141.10.1 to 10.141.10.13 (f/i)  0/ 0
        (proxy 10.141.10.1 to 10.141.10.13)
May 26 11:14:54.900:         has spi 0x565FB5B3 and conn_id 0 and flags 2
May 26 11:14:54.900:         lifetime of 86400 seconds
May 26 11:14:54.900:         lifetime of 4608000 kilobytes
May 26 11:14:54.904:         has client flags 0x0
May 26 11:14:54.904:         outbound SA from 10.141.10.13 to 10.141.10.1 (f/i) 0/0
        (proxy 10.141.10.13 to 10.141.10.1)
May 26 11:14:54.904:         has spi 1861909975 and conn_id 0 and flags A
May 26 11:14:54.904:         lifetime of 86400 seconds
May 26 11:14:54.904:         lifetime of 4608000 kilobytes
May 26 11:14:54.904:         has client flags 0x0
May 26 11:14:54.904: ISAKMP:(0:31:SW:1): sending packet to 10.141.10.1 my_port 500 peer_port 500 (I) QM_IDLE      
May 26 11:14:54.904: ISAKMP:(0:31:SW:1):deleting node -1087210433 error FALSE reason "No Error"
May 26 11:14:54.904: ISAKMP:(0:31:SW:1):Node -1087210433, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
May 26 11:14:54.904: ISAKMP:(0:31:SW:1):Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE
May 26 11:14:54.904: ISAKMP: Locking peer struct 0x66271C54, IPSEC refcount 2 for from create_transforms
May 26 11:14:54.904: ISAKMP: Unlocking IPSEC struct 0x66271C54 from create_transforms, count 1
May 26 11:15:40.911: ISAKMP:(0:30:SW:1):purging node -596953946
May 26 11:15:40.911: ISAKMP:(0:30:SW:1):purging node 68796087
May 26 11:15:44.899: ISAKMP:(0:31:SW:1):purging node -1087210433
May 26 11:15:50.919: ISAKMP:(0:30:SW:1):purging SA., sa=661832A8, delme=661832A8
May 26 11:18:37.820: ISAKMP (0:134217759): received packet from 10.141.10.1 dport 500 sport 500 Global (I) QM_IDLE      
May 26 11:18:37.820: ISAKMP: set new node -467164272 to QM_IDLE      
May 26 11:18:37.824: ISAKMP:(0:31:SW:1): processing HASH payload. message ID = -467164272
May 26 11:18:37.824: ISAKMP:(0:31:SW:1): processing DELETE payload. message ID = -467164272
May 26 11:18:37.824: ISAKMP:(0:31:SW:1):peer does not do paranoid keepalives.

May 26 11:18:37.824: ISAKMP:(0:31:SW:1):deleting node -467164272 error FALSE reason "Informational (in) state 1"
May 26 11:18:37.824: ISAKMP (0:134217759): received packet from 10.141.10.1 dport 500 sport 500 Global (I) QM_IDLE      
May 26 11:18:37.824: ISAKMP: set new node -485344748 to QM_IDLE      
May 26 11:18:37.824: ISAKMP:(0:31:SW:1): processing HASH payload. message ID = -485344748
May 26 11:18:37.824: ISAKMP:received payload type 18
May 26 11:18:37.824: ISAKMP:(0:31:SW:1): processing DELETE_WITH_REASON payload, message ID = -485344748, reason: Unknown delete reason!
May 26 11:18:37.824: ISAKMP:(0:31:SW:1):peer does not do paranoid keepalives.

May 26 11:18:37.824: ISAKMP:(0:31:SW:1):deleting SA reason "P1 delete notify (in)" state (I) QM_IDLE       (peer 10.141.10.1)
May 26 11:18:37.824: ISAKMP:(0:31:SW:1):deleting node -485344748 error FALSE reason "Informational (in) state 1"
May 26 11:18:37.828: ISAKMP: Unlocking IPSEC struct 0x66271C54 from delete_siblings, count 0
May 26 11:18:37.828: ISAKMP: set new node 1355382028 to QM_IDLE      
May 26 11:18:37.828: ISAKMP:(0:31:SW:1): sending packet to 10.141.10.1 my_port 500 peer_port 500 (I) QM_IDLE      
May 26 11:18:37.828: ISAKMP:(0:31:SW:1):purging node 1355382028
May 26 11:18:37.828: ISAKMP:(0:31:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
May 26 11:18:37.828: ISAKMP:(0:31:SW:1):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA 

May 26 11:18:37.832: ISAKMP:(0:31:SW:1):deleting SA reason "No reason" state (I) QM_IDLE       (peer 10.141.10.1) 
May 26 11:18:37.832: ISAKMP:(0:0:N/A:0):Can't decrement IKE Call Admisstion Control stat outgoing_active since it's already 0.
May 26 11:18:37.832: ISAKMP: Unlocking IKE struct 0x66271C54 for isadb_mark_sa_deleted(), count 0
May 26 11:18:37.832: ISAKMP: Deleting peer node by peer_reap for 10.141.10.1: 66271C54
May 26 11:18:37.832: ISAKMP:(0:31:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
May 26 11:18:37.832: ISAKMP:(0:31:SW:1):Old State = IKE_DEST_SA  New State = IKE_DEST_SA 

May 26 11:18:54.962: ISAKMP: received ke message (1/1)
May 26 11:18:54.962: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)
May 26 11:18:54.962: ISAKMP: Created a peer struct for 10.141.10.1, peer port 500
May 26 11:18:54.962: ISAKMP: New peer created peer = 0x65BAAFEC peer_handle = 0x80000021
May 26 11:18:54.962: ISAKMP: Locking peer struct 0x65BAAFEC, IKE refcount 1 for isakmp_initiator
May 26 11:18:54.962: ISAKMP: local port 500, remote port 500
May 26 11:18:54.962: ISAKMP: set new node 0 to QM_IDLE      
May 26 11:18:54.962: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 662B7E58
May 26 11:18:54.962: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode.
May 26 11:18:54.962: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 10.141.10.1
May 26 11:18:54.962: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID
May 26 11:18:54.962: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID
May 26 11:18:54.962: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID
May 26 11:18:54.962: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
May 26 11:18:54.962: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_I_MM1 

May 26 11:18:54.962: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange
May 26 11:18:54.962: ISAKMP:(0:0:N/A:0): sending packet to 10.141.10.1 my_port 500 peer_port 500 (I) MM_NO_STATE
May 26 11:18:55.002: ISAKMP (0:0): received packet from 10.141.10.1 dport 500 sport 500 Global (I) MM_NO_STATE
May 26 11:18:55.002: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
May 26 11:18:55.002: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1  New State = IKE_I_MM2 

May 26 11:18:55.002: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0
May 26 11:18:55.002: ISAKMP:(0:0:N/A:0): processing vendor id payload
May 26 11:18:55.002: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 245 mismatch
May 26 11:18:55.002: ISAKMP (0:0): vendor ID is NAT-T v7
May 26 11:18:55.002: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 10.141.10.1
May 26 11:18:55.002: ISAKMP:(0:0:N/A:0): local preshared key found
May 26 11:18:55.002: ISAKMP : Scanning profiles for xauth ...
May 26 11:18:55.002: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 1 policy
May 26 11:18:55.002: ISAKMP:      encryption 3DES-CBC
May 26 11:18:55.002: ISAKMP:      hash MD5
May 26 11:18:55.002: ISAKMP:      default group 2
May 26 11:18:55.002: ISAKMP:      auth pre-share
May 26 11:18:55.002: ISAKMP:      life type in seconds
May 26 11:18:55.002: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80 
May 26 11:18:55.002: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0
May 26 11:18:55.058: ISAKMP:(0:32:SW:1): processing vendor id payload
May 26 11:18:55.058: ISAKMP:(0:32:SW:1): vendor ID seems Unity/DPD but major 245 mismatch
May 26 11:18:55.058: ISAKMP (0:134217760): vendor ID is NAT-T v7
May 26 11:18:55.058: ISAKMP:(0:32:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
May 26 11:18:55.058: ISAKMP:(0:32:SW:1):Old State = IKE_I_MM2  New State = IKE_I_MM2 

May 26 11:18:55.062: ISAKMP:(0:32:SW:1): sending packet to 10.141.10.1 my_port 500 peer_port 500 (I) MM_SA_SETUP
May 26 11:18:55.062: ISAKMP:(0:32:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
May 26 11:18:55.062: ISAKMP:(0:32:SW:1):Old State = IKE_I_MM2  New State = IKE_I_MM3 

May 26 11:18:55.098: ISAKMP (0:134217760): received packet from 10.141.10.1 dport 500 sport 500 Global (I) MM_SA_SETUP
May 26 11:18:55.098: ISAKMP:(0:32:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
May 26 11:18:55.098: ISAKMP:(0:32:SW:1):Old State = IKE_I_MM3  New State = IKE_I_MM4 

May 26 11:18:55.098: ISAKMP:(0:32:SW:1): processing KE payload. message ID = 0
May 26 11:18:55.166: ISAKMP:(0:32:SW:1): processing NONCE payload. message ID = 0
May 26 11:18:55.166: ISAKMP:(0:32:SW:1):found peer pre-shared key matching 10.141.10.1
May 26 11:18:55.166: ISAKMP:(0:32:SW:1):SKEYID state generated
May 26 11:18:55.170: ISAKMP:(0:32:SW:1): processing vendor id payload
May 26 11:18:55.170: ISAKMP:(0:32:SW:1): vendor ID is Unity
May 26 11:18:55.170: ISAKMP:(0:32:SW:1): processing vendor id payload
May 26 11:18:55.170: ISAKMP:(0:32:SW:1): vendor ID is DPD
May 26 11:18:55.170: ISAKMP:(0:32:SW:1): processing vendor id payload
May 26 11:18:55.170: ISAKMP:(0:32:SW:1): speaking to another IOS box!
May 26 11:18:55.170: ISAKMP:(0:32:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
May 26 11:18:55.170: ISAKMP:(0:32:SW:1):Old State = IKE_I_MM4  New State = IKE_I_MM4 

May 26 11:18:55.170: ISAKMP:(0:32:SW:1):Send initial contact
May 26 11:18:55.170: ISAKMP:(0:32:SW:1):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
May 26 11:18:55.174: ISAKMP (0:134217760): ID payload 
        next-payload : 8
        type         : 1 
        address      : 10.141.10.13 
        protocol     : 17 
        port         : 500 
        length       : 12
May 26 11:18:55.174: ISAKMP:(0:32:SW:1):Total payload length: 12
May 26 11:18:55.174: ISAKMP:(0:32:SW:1): sending packet to 10.141.10.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
May 26 11:18:55.174: ISAKMP:(0:32:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
May 26 11:18:55.174: ISAKMP:(0:32:SW:1):Old State = IKE_I_MM4  New State = IKE_I_MM5 

May 26 11:18:55.202: ISAKMP (0:134217760): received packet from 10.141.10.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
May 26 11:18:55.206: ISAKMP:(0:32:SW:1): processing ID payload. message ID = 0
May 26 11:18:55.206: ISAKMP (0:134217760): ID payload 
        next-payload : 8
        type         : 1 
        address      : 10.141.10.1 
        protocol     : 17 
        port         : 500 
        length       : 12
May 26 11:18:55.206: ISAKMP:(0:32:SW:1):: peer matches *none* of the profiles
May 26 11:18:55.206: ISAKMP:(0:32:SW:1): processing HASH payload. message ID = 0
May 26 11:18:55.206: ISAKMP:(0:32:SW:1):SA authentication status:
        authenticated
May 26 11:18:55.206: ISAKMP:(0:32:SW:1):SA has been authenticated with 10.141.10.1
May 26 11:18:55.206: ISAKMP: Trying to insert a peer 10.141.10.13/10.141.10.1/500/,  and inserted successfully 65BAAFEC.
May 26 11:18:55.206: ISAKMP:(0:32:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
May 26 11:18:55.206: ISAKMP:(0:32:SW:1):Old State = IKE_I_MM5  New State = IKE_I_MM6 

May 26 11:18:55.206: ISAKMP:(0:32:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
May 26 11:18:55.206: ISAKMP:(0:32:SW:1):Old State = IKE_I_MM6  New State = IKE_I_MM6 

May 26 11:18:55.206: ISAKMP:(0:32:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
May 26 11:18:55.206: ISAKMP:(0:32:SW:1):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE 

May 26 11:18:55.210: ISAKMP:(0:32:SW:1):beginning Quick Mode exchange, M-ID of 517495394
May 26 11:18:55.210: ISAKMP:(0:32:SW:1): sending packet to 10.141.10.1 my_port 500 peer_port 500 (I) QM_IDLE      
May 26 11:18:55.210: ISAKMP:(0:32:SW:1):Node 517495394, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
May 26 11:18:55.210: ISAKMP:(0:32:SW:1):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
May 26 11:18:55.210: ISAKMP:(0:32:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
May 26 11:18:55.210: ISAKMP:(0:32:SW:1):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE 

May 26 11:18:55.246: ISAKMP (0:134217760): received packet from 10.141.10.1 dport 500 sport 500 Global (I) QM_IDLE      
May 26 11:18:55.246: ISAKMP:(0:32:SW:1): processing HASH payload. message ID = 517495394
May 26 11:18:55.246: ISAKMP:(0:32:SW:1): processing SA payload. message ID = 517495394
May 26 11:18:55.246: ISAKMP:(0:32:SW:1):Checking IPSec proposal 1
May 26 11:18:55.246: ISAKMP: transform 1, ESP_3DES
May 26 11:18:55.246: ISAKMP:   attributes in transform:
May 26 11:18:55.246: ISAKMP:      encaps is 1 (Tunnel)
May 26 11:18:55.246: ISAKMP:      SA life type in seconds
May 26 11:18:55.246: ISAKMP:      SA life duration (VPI) of  0x0 0x1 0x51 0x80 
May 26 11:18:55.246: ISAKMP:      SA life type in kilobytes
May 26 11:18:55.246: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0 
May 26 11:18:55.246: ISAKMP:      authenticator is HMAC-MD5
May 26 11:18:55.246: ISAKMP:(0:32:SW:1):atts are acceptable.
May 26 11:18:55.246: ISAKMP:(0:32:SW:1): processing NONCE payload. message ID = 517495394
May 26 11:18:55.246: ISAKMP:(0:32:SW:1): processing ID payload. message ID = 517495394
May 26 11:18:55.246: ISAKMP:(0:32:SW:1): processing ID payload. message ID = 517495394
May 26 11:18:55.250: ISAKMP: Locking peer struct 0x65BAAFEC, IPSEC refcount 1 for for stuff_ke
May 26 11:18:55.250: ISAKMP:(0:32:SW:1): Creating IPSec SAs
May 26 11:18:55.250:         inbound SA from 10.141.10.1 to 10.141.10.13 (f/i)  0/ 0
        (proxy 10.141.10.1 to 10.141.10.13)
May 26 11:18:55.250:         has spi 0x677D14B2 and conn_id 0 and flags 2
May 26 11:18:55.250:         lifetime of 86400 seconds
May 26 11:18:55.250:         lifetime of 4608000 kilobytes
May 26 11:18:55.250:         has client flags 0x0
May 26 11:18:55.250:         outbound SA from 10.141.10.13 to 10.141.10.1 (f/i) 0/0
        (proxy 10.141.10.13 to 10.141.10.1)
May 26 11:18:55.250:         has spi 35145355 and conn_id 0 and flags A
May 26 11:18:55.250:         lifetime of 86400 seconds
May 26 11:18:55.250:         lifetime of 4608000 kilobytes
May 26 11:18:55.250:         has client flags 0x0
May 26 11:18:55.250: ISAKMP:(0:32:SW:1): sending packet to 10.141.10.1 my_port 500 peer_port 500 (I) QM_IDLE      
May 26 11:18:55.250: ISAKMP:(0:32:SW:1):deleting node 517495394 error FALSE reason "No Error"
May 26 11:18:55.250: ISAKMP:(0:32:SW:1):Node 517495394, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
May 26 11:18:55.250: ISAKMP:(0:32:SW:1):Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE
May 26 11:18:55.254: ISAKMP: Locking peer struct 0x65BAAFEC, IPSEC refcount 2 for from create_transforms
May 26 11:18:55.254: ISAKMP: Unlocking IPSEC struct 0x65BAAFEC from create_transforms, count 1

Thanks for the help you can lend
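
Added example, not part of the original post: a small Python parser for the spoke-side ISAKMP debug output above that measures how long each IKE SA stayed up and whether the teardown was initiated by the peer. The sample lines are abridged from the post, and the function names (`summarize`, `diagnose`) are hypothetical.

```python
import re
from datetime import datetime

# Abridged from the spoke-side debug output in the post above
# (trailing spaces removed, most lines omitted).
SAMPLE_LOG = """\
May 26 11:14:54.860: ISAKMP:(0:31:SW:1):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
May 26 11:14:54.900:         lifetime of 86400 seconds
May 26 11:14:54.904: ISAKMP:(0:31:SW:1):Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE
May 26 11:18:37.824: ISAKMP:(0:31:SW:1): processing DELETE payload. message ID = -467164272
May 26 11:18:37.824: ISAKMP:(0:31:SW:1):deleting SA reason "P1 delete notify (in)" state (I) QM_IDLE       (peer 10.141.10.1)
May 26 11:18:37.828: ISAKMP:(0:31:SW:1):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA
May 26 11:18:55.206: ISAKMP:(0:32:SW:1):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
May 26 11:18:55.250:         lifetime of 86400 seconds
May 26 11:18:55.250: ISAKMP:(0:32:SW:1):Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE
"""

LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d\.\d+):\s*(?P<msg>.*)$")
SA_ID = re.compile(r"ISAKMP:\((?P<sa>\d+:\d+:[^)]+)\)")   # e.g. (0:31:SW:1)
STATE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
DELETING = re.compile(r'deleting SA reason "([^"]*)".*\(peer ([\d.]+)\)')
LIFETIME = re.compile(r"lifetime of (\d+) seconds")


def parse_ts(text):
    # IOS debug timestamps carry no year; only differences are used here.
    return datetime.strptime(text, "%b %d %H:%M:%S.%f")


def summarize(log_text):
    """Return {sa_id: record} for every IKE SA seen in the debug output."""
    sas, current = {}, None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # continuation lines such as ID payload fields
        ts, msg = parse_ts(m["ts"]), m["msg"]
        tagged = SA_ID.search(msg)
        if tagged:
            current = tagged["sa"]  # untagged lines belong to the last SA seen
        if current is None:
            continue
        rec = sas.setdefault(current, {
            "p1_up": None, "p2_up": None, "lifetime_s": None,
            "peer_sent_delete": False, "deleted_at": None,
            "delete_reason": None, "peer": None,
        })
        state = STATE.search(msg)
        if state:
            new = state.group(2)
            if new == "IKE_P1_COMPLETE" and rec["p1_up"] is None:
                rec["p1_up"] = ts
            elif new == "IKE_QM_PHASE2_COMPLETE" and rec["p2_up"] is None:
                rec["p2_up"] = ts
        life = LIFETIME.search(msg)
        if life and rec["lifetime_s"] is None:
            rec["lifetime_s"] = int(life.group(1))  # IPsec SA lifetime
        if "processing DELETE" in msg:  # DELETE or DELETE_WITH_REASON payload
            rec["peer_sent_delete"] = True
        gone = DELETING.search(msg)
        if gone and rec["deleted_at"] is None:
            rec["deleted_at"] = ts
            rec["delete_reason"], rec["peer"] = gone.groups()
    return sas


def diagnose(log_text):
    """One finding per SA: uptime and whether the peer tore it down early."""
    findings = []
    for sa, rec in summarize(log_text).items():
        if rec["p1_up"] is None:
            continue  # SA never reached Phase 1 completion in this capture
        uptime, verdict = None, "still up at end of capture"
        if rec["deleted_at"] is not None:
            uptime = (rec["deleted_at"] - rec["p1_up"]).total_seconds()
            early = rec["lifetime_s"] is not None and uptime < rec["lifetime_s"]
            if rec["peer_sent_delete"] and early:
                verdict = "peer sent DELETE before the negotiated lifetime expired"
            else:
                verdict = "deleted"
        findings.append({
            "sa": sa, "uptime_s": uptime, "lifetime_s": rec["lifetime_s"],
            "reason": rec["delete_reason"], "peer": rec["peer"],
            "verdict": verdict,
        })
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG):
        print(finding)
```

On the sample, SA `0:31:SW:1` is reported as deleted by peer 10.141.10.1 after about 223 seconds against a negotiated lifetime of 86400 seconds, which points the investigation at the hub side rather than at a lifetime or rekey event on the spoke.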

 

8 REPLIES
Duplicate post.

 

Go here:  https://supportforums.cisco.com/discussion/12215736/problems-vpn-router-asr-1000

If you're not going to give a solution, do not answer me.

Hello

 

I see a couple of possible misconfigurations between the hub and spoke(s)

Try and apply the following:

 

HUB
=====

ip tcp adjust-mss 1360
no ip next-hop-self eigrp 100
tunnel key 0
ip nhrp authentication PASSWORD


spoke
========

no crypto isakmp key 6 $IPROOT$ address 10.141.10.1
crypto isakmp key 6 $IPROOT$ address 0.0.0.0 0.0.0.0

ip mtu 1400
ip tcp adjust-mss 1360
no  tunnel destination 10.141.10.1
tunnel mode gre multipoint
tunnel key 0
ip nhrp authentication PASSWORD

 

res

Paul

 

Please don't forget to rate any posts that have been helpful. Thanks.

Hello Paul Driver

Thanks for answering me.

I did as it told me, but still lift the VPN. Without the VPN as I said before, I do ping spoke.

Jun  4 14:31:43.071: ISAKMP: Unlocking IPSEC struct 0x65CC5CB0 from delete_siblings, count 1
Jun  4 14:31:43.071: ISAKMP: received ke message (3/1)
Jun  4 14:31:43.071: ISAKMP: set new node 515332146 to QM_IDLE      
Jun  4 14:31:43.071: ISAKMP:(0:2:SW:1): sending packet to 10.141.10.1 my_port 500 peer_port 500 (I) QM_IDLE      
Jun  4 14:31:43.071: ISAKMP:(0:2:SW:1):purging node 515332146
Jun  4 14:31:43.071: ISAKMP:(0:2:SW:1):Input = IKE_MESG_FROM_IPSEC, IKE_PHASE2_DEL
Jun  4 14:31:43.071: ISAKMP:(0:2:SW:1):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Jun  4 14:31:47.071: ISAKMP:(0:2:SW:1):purging node -746539650
Jun  4 14:31:50.402: ISAKMP (0:134217730): received packet from 10.141.10.1 dport 500 sport 500 Global (I) QM_IDLE      
Jun  4 14:31:50.406: ISAKMP: set new node -1119127387 to QM_IDLE      
Jun  4 14:31:50.406: ISAKMP:(0:2:SW:1): processing HASH payload. message ID = -1119127387
Jun  4 14:31:50.406: ISAKMP:(0:2:SW:1): processing DELETE payload. message ID = -1119127387
Jun  4 14:31:50.406: ISAKMP:(0:2:SW:1):peer does not do paranoid keepalives.

Jun  4 14:31:50.406: ISAKMP:(0:2:SW:1):deleting node -1119127387 error FALSE reason "Informational (in) state 1"
Jun  4 14:31:50.406: ISAKMP (0:134217730): received packet from 10.141.10.1 dport 500 sport 500 Global (I) QM_IDLE      
Jun  4 14:31:50.406: ISAKMP: set new node 455556831 to QM_IDLE      
Jun  4 14:31:50.406: ISAKMP:(0:2:SW:1): processing HASH payload. message ID = 455556831
Jun  4 14:31:50.406: ISAKMP:received payload type 18
Jun  4 14:31:50.406: ISAKMP:(0:2:SW:1): processing DELETE_WITH_REASON payload, message ID = 455556831, reason: Unknown delete reason!
Jun  4 14:31:50.406: ISAKMP:(0:2:SW:1):peer does not do paranoid keepalives.

Jun  4 14:31:50.406: ISAKMP:(0:2:SW:1):deleting SA reason "P1 delete notify (in)" state (I) QM_IDLE       (peer 10.141.10.1)
Jun  4 14:31:50.406: ISAKMP:(0:2:SW:1):deleting node 455556831 error FALSE reason "Informational (in) state 1"
Jun  4 14:31:50.410: ISAKMP: Unlocking IPSEC struct 0x65CC5CB0 from delete_siblings, count 0
Jun  4 14:31:50.410: ISAKMP: set new node -1971206576 to QM_IDLE      
Jun  4 14:31:50.410: ISAKMP:(0:2:SW:1): sending packet to 10.141.10.1 my_port 500 peer_port 500 (I) QM_IDLE      
Jun  4 14:31:50.410: ISAKMP:(0:2:SW:1):purging node -1971206576
Jun  4 14:31:50.410: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Jun  4 14:31:50.410: ISAKMP:(0:2:SW:1):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA

Jun  4 14:31:50.414: ISAKMP:(0:2:SW:1):deleting SA reason "No reason" state (I) QM_IDLE       (peer 10.141.10.1)
Jun  4 14:31:50.414: ISAKMP:(0:0:N/A:0):Can't decrement IKE Call Admisstion Control stat outgoing_active since it's already 0.
Jun  4 14:31:50.414: ISAKMP: Unlocking IKE struct 0x65CC5CB0 for isadb_mark_sa_deleted(), count 0
Jun  4 14:31:50.414: ISAKMP: Deleting peer node by peer_reap for 10.141.10.1: 65CC5CB0
Jun  4 14:31:50.414: ISAKMP:(0:2:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jun  4 14:31:50.414: ISAKMP:(0:2:SW:1):Old State = IKE_DEST_SA  New State = IKE_DEST_SA

Jun  4 14:31:57.038: ISAKMP: received ke message (1/1)
Jun  4 14:31:57.038: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)
Jun  4 14:31:57.038: ISAKMP: Created a peer struct for 10.141.10.1, peer port 500
Jun  4 14:31:57.038: ISAKMP: New peer created peer = 0x65F72440 peer_handle = 0x80000004
Jun  4 14:31:57.038: ISAKMP: Locking peer struct 0x65F72440, IKE refcount 1 for isakmp_initiator
Jun  4 14:31:57.038: ISAKMP: local port 500, remote port 500
Jun  4 14:31:57.038: ISAKMP: set new node 0 to QM_IDLE      
Jun  4 14:31:57.038: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 65E07C94
Jun  4 14:31:57.038: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode.
Jun  4 14:31:57.038: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 10.141.10.1
Jun  4 14:31:57.038: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID
Jun  4 14:31:57.038: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID
Jun  4 14:31:57.038: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID
Jun  4 14:31:57.038: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Jun  4 14:31:57.038: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_I_MM1

Jun  4 14:31:57.038: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange
Jun  4 14:31:57.042: ISAKMP:(0:0:N/A:0): sending packet to 10.141.10.1 my_port 500 peer_port 500 (I) MM_NO_STATE
Jun  4 14:31:57.202: ISAKMP (0:0): received packet from 10.141.10.1 dport 500 sport 500 Global (I) MM_NO_STATE
Jun  4 14:31:57.202: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jun  4 14:31:57.202: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1  New State = IKE_I_MM2

Jun  4 14:31:57.202: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0
Jun  4 14:31:57.202: ISAKMP:(0:0:N/A:0): processing vendor id payload
Jun  4 14:31:57.202: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 245 mismatch
Jun  4 14:31:57.202: ISAKMP (0:0): vendor ID is NAT-T v7
Jun  4 14:31:57.202: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 10.141.10.1
Jun  4 14:31:57.206: ISAKMP:(0:0:N/A:0): local preshared key found
Jun  4 14:31:57.206: ISAKMP : Scanning profiles for xauth ...
Jun  4 14:31:57.206: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 1 policy
Jun  4 14:31:57.206: ISAKMP:      encryption 3DES-CBC
Jun  4 14:31:57.206: ISAKMP:      hash MD5
Jun  4 14:31:57.206: ISAKMP:      default group 2
Jun  4 14:31:57.206: ISAKMP:      auth pre-share
Jun  4 14:31:57.206: ISAKMP:      life type in seconds
Jun  4 14:31:57.206: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
Jun  4 14:31:57.206: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0
Jun  4 14:31:57.258: ISAKMP:(0:3:SW:1): processing vendor id payload
Jun  4 14:31:57.258: ISAKMP:(0:3:SW:1): vendor ID seems Unity/DPD but major 245 mismatch
Jun  4 14:31:57.258: ISAKMP (0:134217731): vendor ID is NAT-T v7
Jun  4 14:31:57.262: ISAKMP:(0:3:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jun  4 14:31:57.262: ISAKMP:(0:3:SW:1):Old State = IKE_I_MM2  New State = IKE_I_MM2

Jun  4 14:31:57.262: ISAKMP:(0:3:SW:1): sending packet to 10.141.10.1 my_port 500 peer_port 500 (I) MM_SA_SETUP
Jun  4 14:31:57.262: ISAKMP:(0:3:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jun  4 14:31:57.262: ISAKMP:(0:3:SW:1):Old State = IKE_I_MM2  New State = IKE_I_MM3

Jun  4 14:31:57.350: ISAKMP (0:134217731): received packet from 10.141.10.1 dport 500 sport 500 Global (I) MM_SA_SETUP
Jun  4 14:31:57.354: ISAKMP:(0:3:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jun  4 14:31:57.354: ISAKMP:(0:3:SW:1):Old State = IKE_I_MM3  New State = IKE_I_MM4

Jun  4 14:31:57.354: ISAKMP:(0:3:SW:1): processing KE payload. message ID = 0
Jun  4 14:31:57.422: ISAKMP:(0:3:SW:1): processing NONCE payload. message ID = 0
Jun  4 14:31:57.422: ISAKMP:(0:3:SW:1):found peer pre-shared key matching 10.141.10.1
Jun  4 14:31:57.426: ISAKMP:(0:3:SW:1):SKEYID state generated
Jun  4 14:31:57.426: ISAKMP:(0:3:SW:1): processing vendor id payload
Jun  4 14:31:57.426: ISAKMP:(0:3:SW:1): vendor ID is Unity
Jun  4 14:31:57.426: ISAKMP:(0:3:SW:1): processing vendor id payload
Jun  4 14:31:57.426: ISAKMP:(0:3:SW:1): vendor ID is DPD
Jun  4 14:31:57.426: ISAKMP:(0:3:SW:1): processing vendor id payload
Jun  4 14:31:57.426: ISAKMP:(0:3:SW:1): speaking to another IOS box!
Jun  4 14:31:57.426: ISAKMP:(0:3:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jun  4 14:31:57.426: ISAKMP:(0:3:SW:1):Old State = IKE_I_MM4  New State = IKE_I_MM4

Jun  4 14:31:57.426: ISAKMP:(0:3:SW:1):Send initial contact
Jun  4 14:31:57.426: ISAKMP:(0:3:SW:1):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Jun  4 14:31:57.430: ISAKMP (0:134217731): ID payload
        next-payload : 8
        type         : 1
        address      : 10.141.10.13
        protocol     : 17
        port         : 500
        length       : 12
Jun  4 14:31:57.430: ISAKMP:(0:3:SW:1):Total payload length: 12
Jun  4 14:31:57.430: ISAKMP:(0:3:SW:1): sending packet to 10.141.10.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Jun  4 14:31:57.430: ISAKMP:(0:3:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jun  4 14:31:57.430: ISAKMP:(0:3:SW:1):Old State = IKE_I_MM4  New State = IKE_I_MM5

Jun  4 14:31:57.738: ISAKMP (0:134217731): received packet from 10.141.10.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
Jun  4 14:31:57.738: ISAKMP:(0:3:SW:1): processing ID payload. message ID = 0
Jun  4 14:31:57.738: ISAKMP (0:134217731): ID payload
        next-payload : 8
        type         : 1
        address      : 10.141.10.1
        protocol     : 17
        port         : 500
        length       : 12
Jun  4 14:31:57.738: ISAKMP:(0:3:SW:1):: peer matches *none* of the profiles
Jun  4 14:31:57.738: ISAKMP:(0:3:SW:1): processing HASH payload. message ID = 0
Jun  4 14:31:57.738: ISAKMP:(0:3:SW:1):SA authentication status:
        authenticated
Jun  4 14:31:57.738: ISAKMP:(0:3:SW:1):SA has been authenticated with 10.141.10.1
Jun  4 14:31:57.738: ISAKMP:(0:3:SW:1):IKE_DPD is enabled, initializing timers
Jun  4 14:31:57.738: ISAKMP: Trying to insert a peer 10.141.10.13/10.141.10.1/500/,  and inserted successfully 65F72440.
Jun  4 14:31:57.738: ISAKMP:(0:3:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jun  4 14:31:57.738: ISAKMP:(0:3:SW:1):Old State = IKE_I_MM5  New State = IKE_I_MM6

Jun  4 14:31:57.738: ISAKMP:(0:3:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jun  4 14:31:57.738: ISAKMP:(0:3:SW:1):Old State = IKE_I_MM6  New State = IKE_I_MM6

Jun  4 14:31:57.742: ISAKMP:(0:3:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jun  4 14:31:57.742: ISAKMP:(0:3:SW:1):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE

Jun  4 14:31:57.742: ISAKMP:(0:3:SW:1):beginning Quick Mode exchange, M-ID of -76061614
Jun  4 14:31:57.742: ISAKMP:(0:3:SW:1): sending packet to 10.141.10.1 my_port 500 peer_port 500 (I) QM_IDLE      
Jun  4 14:31:57.742: ISAKMP:(0:3:SW:1):Node -76061614, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Jun  4 14:31:57.742: ISAKMP:(0:3:SW:1):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
Jun  4 14:31:57.746: ISAKMP:(0:3:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Jun  4 14:31:57.746: ISAKMP:(0:3:SW:1):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Jun  4 14:31:58.106: ISAKMP (0:134217731): received packet from 10.141.10.1 dport 500 sport 500 Global (I) QM_IDLE      
Jun  4 14:31:58.110: ISAKMP:(0:3:SW:1): processing HASH payload. message ID = -76061614
Jun  4 14:31:58.110: ISAKMP:(0:3:SW:1): processing SA payload. message ID = -76061614
Jun  4 14:31:58.110: ISAKMP:(0:3:SW:1):Checking IPSec proposal 1
Jun  4 14:31:58.110: ISAKMP: transform 1, ESP_3DES
Jun  4 14:31:58.110: ISAKMP:   attributes in transform:
Jun  4 14:31:58.110: ISAKMP:      encaps is 1 (Tunnel)
Jun  4 14:31:58.110: ISAKMP:      SA life type in seconds
Jun  4 14:31:58.110: ISAKMP:      SA life duration (basic) of 120
Jun  4 14:31:58.110: ISAKMP:      SA life type in kilobytes
Jun  4 14:31:58.110: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
Jun  4 14:31:58.110: ISAKMP:      authenticator is HMAC-SHA
Jun  4 14:31:58.110: ISAKMP:(0:3:SW:1):atts are acceptable.
Jun  4 14:31:58.110: ISAKMP:(0:3:SW:1): processing NONCE payload. message ID = -76061614
Jun  4 14:31:58.110: ISAKMP:(0:3:SW:1): processing ID payload. message ID = -76061614
Jun  4 14:31:58.110: ISAKMP:(0:3:SW:1): processing ID payload. message ID = -76061614
Jun  4 14:31:58.110: ISAKMP: Locking peer struct 0x65F72440, IPSEC refcount 1 for for stuff_ke
Jun  4 14:31:58.110: ISAKMP:(0:3:SW:1): Creating IPSec SAs
Jun  4 14:31:58.114:         inbound SA from 10.141.10.1 to 10.141.10.13 (f/i)  0/ 0
        (proxy 10.141.10.1 to 10.141.10.13)
Jun  4 14:31:58.114:         has spi 0x6AE01706 and conn_id 0 and flags 2
Jun  4 14:31:58.114:         lifetime of 120 seconds
Jun  4 14:31:58.114:         lifetime of 4608000 kilobytes
Jun  4 14:31:58.114:         has client flags 0x0
Jun  4 14:31:58.114:         outbound SA from 10.141.10.13 to 10.141.10.1 (f/i) 0/0
        (proxy 10.141.10.13 to 10.141.10.1)
Jun  4 14:31:58.114:         has spi -1683084853 and conn_id 0 and flags A
Jun  4 14:31:58.114:         lifetime of 120 seconds
Jun  4 14:31:58.114:         lifetime of 4608000 kilobytes
Jun  4 14:31:58.114:         has client flags 0x0
Jun  4 14:31:58.114: ISAKMP:(0:3:SW:1): sending packet to 10.141.10.1 my_port 500 peer_port 500 (I) QM_IDLE      
Jun  4 14:31:58.114: ISAKMP:(0:3:SW:1):deleting node -76061614 error FALSE reason "No Error"
Jun  4 14:31:58.114: ISAKMP:(0:3:SW:1):Node -76061614, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Jun  4 14:31:58.114: ISAKMP:(0:3:SW:1):Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE
Jun  4 14:31:58.114: ISAKMP: Locking peer struct 0x65F72440, IPSEC refcount 2 for from create_transforms
Jun  4 14:31:58.114: ISAKMP: Unlocking IPSEC struct 0x65F72440 from create_transforms, count 1
Jun  4 14:32:00.761: ISAKMP:(0:2:SW:1):purging node 379003309

HUB------------------------------

!         
interface Tunnel0
 ip address 10.190.1.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip flow ingress
 ip nhrp authentication PASSWORD
 ip nhrp map multicast dynamic
 ip nhrp network-id 10
 ip nhrp holdtime 600
 ip nhrp registration timeout 30
 no ip split-horizon eigrp 100
 ip tcp adjust-mss 1360
 qos pre-classify
 tunnel source FastEthernet0/1/3.775
 tunnel mode gre multipoint
 tunnel key 10

!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 6 $IPROOT$ address 0.0.0.0 0.0.0.0
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10
!
crypto ipsec security-association replay disable
!
crypto ipsec transform-set $VPNNET$ esp-3des esp-sha-hmac
!
crypto ipsec profile GREVPN
 set security-association lifetime seconds 120
 set transform-set $VPNNET$
!

 

Spoke-----------------------------------------

!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key $IPROOT$ address 0.0.0.0 0.0.0.0
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10
!
crypto ipsec security-association replay disable
!
crypto ipsec transform-set $VPNNET$ esp-3des esp-sha-hmac
!
crypto ipsec profile GREVPN
 set security-association lifetime seconds 120
 set transform-set $VPNNET$
!

interface Tunnel0
 bandwidth 1024
 ip address 10.190.1.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication PASSWORD
 ip nhrp map multicast 10.141.10.1
 ip nhrp map 10.190.1.1 10.141.10.1
 ip nhrp network-id 10
 ip nhrp holdtime 600
 ip nhrp nhs 10.190.1.1
 ip nhrp registration timeout 30
 ip route-cache flow
 ip tcp adjust-mss 1360
 qos pre-classify
 tunnel source FastEthernet0/1.775
 tunnel mode gre multipoint
 tunnel key 10
 tunnel protection ipsec profile GREVPN
!  

If you have any additional recommendations, I would appreciate them.

regards,

    

 

 


Hello

What routing are you using to reach the internal networks?
Also can you post the output of these show commands:

sh crypto ipsec sa
sh crypto isakmp sa
sh dmvpn detail
sh ip nhrp

 

res

Paul

 

Please don't forget to rate any posts that have been helpful. Thanks.


Hello

I would like to talk to you about something: I have this same configuration on a backup link with a 3845 router, and it is working without any problem.

sh crypto isakmp sa
dst             src             state          conn-id slot status
10.141.10.1     10.141.10.13    QM_IDLE             13    0 ACTIVE

 

sh crypto ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 10.141.10.13

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.141.10.13/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.141.10.1/255.255.255.255/47/0)
   current_peer 10.141.10.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 174, #pkts encrypt: 174, #pkts digest: 174
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 12, #recv errors 0

     local crypto endpt.: 10.141.10.13, remote crypto endpt.: 10.141.10.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1.775
     current outbound spi: 0xDCE6326B(3706073707)

     inbound esp sas:
      spi: 0xECB44BAF(3971238831)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 3004, flow_id: FPGA:4, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4403252/55)
        IV size: 8 bytes
        replay detection support: N
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xDCE6326B(3706073707)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 3003, flow_id: FPGA:3, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4403251/55)
        IV size: 8 bytes
        replay detection support: N
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

 

sh ip nhrp
10.190.1.1/32 via 10.190.1.1, Tunnel0 created 00:55:29, never expire
  Type: static, Flags: authoritative used
  NBMA address: 10.141.10.1

 

sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket, T1 - Route Installed
        T2 - next-hop-override
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
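Added example, not part of the original thread: a small parser for `show crypto ipsec sa` output that flags SA pairs carrying traffic in only one direction, which is the pattern in the counters posted above (174 encaps, 0 decaps, 12 send errors). The sample text is constructed; the first peer reuses the post's counter values, the second peer (10.141.10.2) is hypothetical and included only for contrast, and the counter line format is assumed to match what the post shows.

```python
import re

# Constructed sample in the format of the `sh crypto ipsec sa` output above.
# Peer 10.141.10.2 is hypothetical, added only to show a healthy SA pair.
SAMPLE = """\
interface: Tunnel0
   current_peer 10.141.10.1 port 500
    #pkts encaps: 174, #pkts encrypt: 174, #pkts digest: 174
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 12, #recv errors 0
   current_peer 10.141.10.2 port 500
    #pkts encaps: 90, #pkts encrypt: 90, #pkts digest: 90
    #pkts decaps: 88, #pkts decrypt: 88, #pkts verify: 88
    #send errors 0, #recv errors 0
"""

PEER = re.compile(r"current_peer (\S+)")
# Matches only the four counters of interest, not encrypt/decrypt/compressed.
COUNTER = re.compile(r"#(?:pkts )?(encaps|decaps|send errors|recv errors):? (\d+)")

def parse_ipsec_sa(text):
    """Return {peer: {counter: value}} from `show crypto ipsec sa` text."""
    peers, current = {}, None
    for line in text.splitlines():
        m = PEER.search(line)
        if m:
            current = peers.setdefault(m.group(1), {})
        elif current is not None:
            for name, value in COUNTER.findall(line):
                current[name] = int(value)
    return peers

def classify(counters):
    """Label an SA pair by which direction actually carries ESP traffic."""
    enc, dec = counters.get("encaps", 0), counters.get("decaps", 0)
    if enc and not dec:
        return "tx-only"   # local side encrypts, nothing is decrypted
    if dec and not enc:
        return "rx-only"
    if not enc and not dec:
        return "idle"
    return "bidirectional"

def report(text):
    """Return {peer: (state, send_errors, recv_errors)}."""
    return {peer: (classify(c), c.get("send errors", 0), c.get("recv errors", 0))
            for peer, c in parse_ipsec_sa(text).items()}

if __name__ == "__main__":
    for peer, (state, s_err, r_err) in report(SAMPLE).items():
        print(f"{peer}: {state} send_errors={s_err} recv_errors={r_err}")
```

A `tx-only` result while `sh crypto isakmp sa` shows `QM_IDLE` means negotiation completed but no ESP from the peer is being decrypted locally, so the next things to compare are the peer's own counters and the return path for ESP.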

 

 


Hello

All looks okay now from a configuration perspective, but you don't say if you are dynamically routing, advertising the inside physical interface and tunnel IP addresses. I would suggest using EIGRP and disabling split horizon and next hop on the hub.

 

And also apply this:

crypto ipsec transform-set strong esp-3des esp-md5-hmac
mode transport

 

 

res

Paul

 



Hello Paul

Added the following settings:
crypto ipsec transform-set $VPNNET$ esp-3des esp-md5-hmac
 mode transport
!
But the VPN still does not come up :-(

I still think it may be the IOS

Thanks
