Having an issue while establishing a tunnel using IKEv2 and IPsec.

Ammartehsein
Level 1

I am testing a tunnel in the lab but it is not working. The topology is very simple, only 2 routers. One router is acting as a hub and one as a client. The hub router has one loopback interface.

Client router config:

Building configuration...

Current configuration : 4823 bytes
!
! Last configuration change at 14:42:21 UTC Fri Aug 30 2024
!
version 15.9
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Najam-Abha
!
boot-start-marker
boot-end-marker
!
!
no logging console
!
aaa new-model
!
!
aaa authentication login default local
!
!
!
!
!
aaa session-id common
!
!
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
!
!
!
!
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
chat-script lte "" "AT!CALL" TIMEOUT 20 "OK"
!
!
!
redundancy
!
no cdp run
!
track 1 ip sla 1 reachability
!
track 2 ip sla 2 reachability
!
track 3 list boolean or
object 1
object 2
object 4
!
track 4 ip sla 4 reachability
!
!
!
crypto ikev2 proposal default
encryption des 3des
integrity md5
group 1 2
!
crypto ikev2 policy default
match fvrf any
proposal default
!
crypto ikev2 keyring key
peer ANY
address 0.0.0.0 0.0.0.0
identity address 0.0.0.0
pre-shared-key act123456
!
!
!
crypto ikev2 profile prof
match identity remote address 0.0.0.0
authentication remote pre-share
authentication local pre-share
keyring local key
!
crypto ikev2 dpd 10 2 periodic
!
crypto isakmp policy 20
encr 3des
hash md5
authentication pre-share
group 2
lifetime 3600
crypto isakmp key cisco123 address 0.0.0.0
!
!
crypto ipsec transform-set test_trans esp-aes esp-sha-hmac
mode tunnel
crypto ipsec transform-set new_test_port1 esp-3des esp-md5-hmac
mode tunnel
!
!
crypto ipsec profile newprof
set transform-set new_test_port1
set pfs group2
set ikev2-profile prof
!
crypto ipsec profile test_profile
set transform-set test_trans
set ikev2-profile prof
!
!
!
!
!
!
interface Tunnel10
ip address 172.27.10.30 255.255.252.0
no ip redirects
ip mtu 1200
ip nhrp network-id 11
ip nhrp nhs 172.27.10.1 nbma 157.175.8.17 multicast priority 1
ip nhrp shortcut
ip tcp adjust-mss 1190
tunnel source GigabitEthernet0/1
tunnel destination 157.175.8.17
tunnel protection ipsec profile newprof
!
interface GigabitEthernet0/0
no ip address
shutdown
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
ip address 185.62.177.81 255.255.255.252
ip virtual-reassembly in
rate-limit input 13024000 2442000 4884000 conform-action continue exceed-action drop
rate-limit output 13024000 2442000 4884000 conform-action continue exceed-action drop
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/3
no ip address
shutdown
duplex auto
speed auto
media-type rj45
!
interface Async1
no ip address
encapsulation slip
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 157.175.8.17 255.255.255.255 GigabitEthernet0/1
!
ipv6 ioam timestamp
!
!

HUB config:

Building configuration...

Current configuration : 4298 bytes
!
! Last configuration change at 14:30:19 UTC Fri Aug 30 2024
!
version 15.9
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Hub_CiscoTeltonika
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
!
!
!
!
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
redundancy
!
!
!
!
crypto ikev2 proposal default
encryption 3des
integrity md5
group 2
!
crypto ikev2 policy default
match fvrf any
proposal default
!
crypto ikev2 keyring key
peer Spoke1-KEY
address 0.0.0.0 0.0.0.0
identity address 0.0.0.0
pre-shared-key act123456
!
!
!
crypto ikev2 profile prof
match identity remote address 0.0.0.0
authentication remote pre-share
authentication local pre-share
keyring local key
!
crypto ikev2 dpd 10 2 periodic
!
crypto isakmp policy 100
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco123 address 0.0.0.0
crypto isakmp invalid-spi-recovery
!
!
crypto ipsec transform-set test_trans esp-3des esp-md5-hmac
mode transport
crypto ipsec transform-set DMVPN2 esp-3des esp-md5-hmac
mode transport
!
crypto ipsec profile DMVPN2
set security-association lifetime seconds 86400
set transform-set DMVPN2
set pfs group2
!
crypto ipsec profile DMVPN_hub
set transform-set test_trans
set pfs group2
set ikev2-profile prof
!
!
!
!
!
!
!
interface Loopback1
ip address 157.175.8.17 255.255.255.255
!
interface Tunnel1
description "Portabella 2 for Cisco and Teltonika Spokes"
ip address 172.27.10.1 255.255.252.0
no ip redirects
ip mtu 1200
ip nhrp network-id 11
tunnel source GigabitEthernet0/1
tunnel mode gre multipoint
tunnel protection ipsec profile DMVPN_hub
!
interface GigabitEthernet0/0
ip address 192.168.1.1 255.255.255.252
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
ip address 185.62.177.82 255.255.255.252
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/3
no ip address
shutdown
duplex auto
speed auto
media-type rj45
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
ipv6 ioam timestamp
!

1 Accepted Solution

It is a multipoint GRE tunnel, so the mode should be multipoint at the hub.

No need to create a separate proposal other than default. The issue was minor: the tunnel source at the hub should be the loopback.



5 Replies


MHM



tunnel destination 157.175.8.17 <<- in the spoke, remove this command

In the spoke, under the tunnel, add

tunnel mode gre multipoint

In the spoke and hub, under the tunnel, add

tunnel key 11

For the LO used by the hub: is this LO reachable from the spoke?

MHM
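The mismatch MHM points at is visible in the two configs: the spoke's tunnel destination and NHS NBMA address are 157.175.8.17 (the hub's Loopback1), but the hub sources its tunnel from GigabitEthernet0/1 (185.62.177.82), so the GRE/IPsec peer the spoke dials is not the address the hub uses. The script below is an added example, not code from this thread or from either poster: it embeds the endpoint-relevant lines copied from the posted configs (labelled BEFORE), derives an AFTER pair by applying the accepted answer (hub tunnel source moved to Loopback1, spoke switched to multipoint GRE with tunnel key 11 and no fixed destination; this final state is my assumption, not the OP's posted fix), and reports the settings that would stop the tunnel coming up, including MHM's question of whether the hub loopback is reachable from the spoke. The interface names Tunnel10/Tunnel1 and the WEAK set are my choices. The weak-algorithm report is a reviewer caveat the thread does not raise: DES/3DES, MD5 and DH groups 1/2 are legacy algorithms, and a keyring that accepts any peer (`address 0.0.0.0 0.0.0.0`, `identity address 0.0.0.0`) with a shared pre-shared key is fine for a lab but should not survive into production.

```python
# Added example, not code from the thread: checks the spoke/hub pair for the endpoint mismatch
# the accepted answer identified, plus IKEv2 proposal overlap and legacy algorithms.
# BEFORE = lines copied from the posted configs; AFTER = the accepted answer applied (assumed).
import ipaddress
SPOKE_BEFORE = """\
crypto ikev2 proposal default
 encryption des 3des
 integrity md5
 group 1 2
interface Tunnel10
 ip nhrp nhs 172.27.10.1 nbma 157.175.8.17 multicast priority 1
 tunnel source GigabitEthernet0/1
 tunnel destination 157.175.8.17
interface GigabitEthernet0/1
 ip address 185.62.177.81 255.255.255.252
ip route 157.175.8.17 255.255.255.255 GigabitEthernet0/1
"""
HUB_BEFORE = """\
crypto ikev2 proposal default
 encryption 3des
 integrity md5
 group 2
interface Loopback1
 ip address 157.175.8.17 255.255.255.255
interface Tunnel1
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
interface GigabitEthernet0/1
 ip address 185.62.177.82 255.255.255.252
"""
SPOKE_AFTER = SPOKE_BEFORE.replace(  # spoke: drop fixed destination, go multipoint, add key
    " tunnel destination 157.175.8.17\n", " tunnel mode gre multipoint\n tunnel key 11\n")
HUB_AFTER = HUB_BEFORE.replace("tunnel source GigabitEthernet0/1", "tunnel source Loopback1") \
    .replace("tunnel mode gre multipoint\n", "tunnel mode gre multipoint\n tunnel key 11\n")
WEAK = {"des", "3des", "md5", "group 1", "group 2", "group 5"}  # reviewer caveat, not raised in thread

def parse_sections(cfg):
    """Map each top-level IOS command to the list of its indented sub-commands."""
    sections, current = {}, None
    for raw in cfg.splitlines():
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        elif raw.strip() and not raw.startswith("!"):
            current = raw.strip()
            sections[current] = []
    return sections

def interface_ip(sections, name):
    """IPv4Interface configured under `interface <name>`, or None."""
    for line in sections.get(f"interface {name}", []):
        if line.startswith("ip address "):
            addr, mask = line.split()[2:4]
            return ipaddress.IPv4Interface(f"{addr}/{mask}")
    return None

def tunnel_facts(sections, name):
    """Endpoint-relevant settings of a tunnel interface (None/False when absent)."""
    body = sections.get(f"interface {name}", [])
    def word_after(token):
        return next((l.split(token, 1)[1].split()[0] for l in body if token in l), None)
    return {"source": word_after("tunnel source "), "destination": word_after("tunnel destination "),
            "nbma": word_after(" nbma "), "key": word_after("tunnel key "),
            "multipoint": "tunnel mode gre multipoint" in body}

def ikev2_proposal(sections, name="default"):
    """Algorithm sets offered by `crypto ikev2 proposal <name>`."""
    algs = {"encryption": set(), "integrity": set(), "group": set()}
    for kind, *values in (l.split() for l in sections.get(f"crypto ikev2 proposal {name}", [])):
        algs.get(kind, set()).update(values)
    return algs

def weak_ikev2(cfg, name="default"):
    """Legacy IKEv2 algorithms and DH groups the config offers, sorted."""
    a = ikev2_proposal(parse_sections(cfg), name)
    return sorted((a["encryption"] | a["integrity"] | {f"group {g}" for g in a["group"]}) & WEAK)

def check_pair(spoke_cfg, hub_cfg, spoke_tun="Tunnel10", hub_tun="Tunnel1"):
    """Findings that would stop GRE/IPsec coming up between the posted spoke and hub."""
    spoke, hub = parse_sections(spoke_cfg), parse_sections(hub_cfg)
    st, ht = tunnel_facts(spoke, spoke_tun), tunnel_facts(hub, hub_tun)
    findings = [] if ht["multipoint"] else ["hub tunnel lacks 'tunnel mode gre multipoint'"]
    hub_src = interface_ip(hub, ht["source"])  # assumes the hub's source interface has an address
    hub_ip = str(hub_src.ip)
    # The peer the spoke dials (GRE destination, NHS NBMA) must be the hub's actual tunnel source.
    if st["destination"] not in (None, hub_ip):
        findings.append(f"spoke tunnel destination {st['destination']} != hub tunnel source {hub_ip}")
    if st["nbma"] != hub_ip:
        findings.append(f"spoke NHS NBMA {st['nbma']} != hub tunnel source {hub_ip}")
    if st["key"] != ht["key"]:
        findings.append(f"tunnel key mismatch: spoke {st['key']} vs hub {ht['key']}")
    # Underlay reachability: hub source on the spoke's source subnet, or a /32 static route to it.
    spoke_src = interface_ip(spoke, st["source"])
    on_link = spoke_src is not None and hub_src.ip in spoke_src.network
    if not on_link and not any(h.startswith(f"ip route {hub_ip} 255.255.255.255 ") for h in spoke):
        findings.append(f"spoke has no route to hub tunnel source {hub_ip}")
    sp, hp = ikev2_proposal(spoke), ikev2_proposal(hub)
    findings += [f"no common IKEv2 {k}: spoke {sorted(sp[k])} vs hub {sorted(hp[k])}"
                 for k in sp if not sp[k] & hp[k]]
    return findings
```

Running `check_pair(SPOKE_BEFORE, HUB_BEFORE)` on the posted configs returns two findings, the GRE destination and the NHS NBMA address both pointing at 157.175.8.17 while the hub sources from 185.62.177.82; the IKEv2 proposals do overlap (3DES/MD5/group 2), which is why MHM says no separate proposal is needed. On the AFTER pair the list is empty: the hub's loopback is reachable from the spoke only via the existing `ip route 157.175.8.17 255.255.255.255 GigabitEthernet0/1`, which the route check verifies. `weak_ikev2` still reports 3DES, MD5 and groups 1/2 on both sides, because the accepted fix changes endpoints, not crypto.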

I sure bring good luck; when I reply, the issue is solved immediately.

Maybe you can put my name in your car for more good luck lol...

MHM

Thanks buddy for the quick response. You are indeed lucky.
