cancel
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
1318
Views
0
Helpful
9
Replies

CSR1000v DMVPN still having issues

Richard Tapp
Level 1
Level 1

I have now got two CSR1000v's running and I am hitting the same issue on each one.

If they connect to the current DMVPN hub on our network, they are working fine. But we need to configure them to become the DMVPN hub once our physical DC is closed down.

When I connect up a spoke site to the AWS routers

On the spoke I get
sh cry isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
35.177.x.x 81.150.x.x QM_IDLE 2181 ACTIVE

On the AWS I get
sh cry isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
10.22.x.x 81.150.x.x QM_IDLE 1019 ACTIVE

Show dmvpn on the AWS does not show a tunnel, but on the spoke I get

Type:Spoke, NHRP Peers:1,

# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 35.177.x.x 10.100.x.x IKE 00:07:37 S

I just can not work out the missing pice to get these to work

9 Replies 9

Richard Tapp
Level 1
Level 1

I should have said the two AWS routers are.

1 with a single interface and 1 with dual interfaces on private and public sides

1 35.177.x.x 10.100.x.x IKE 00:07:37 S <<- it IKE not UP so there is issue with IPSec PhaseII, check the proposal matching between hub and spokes. 
if you can share it here I will make check.

Here they are


AWS router
!
crypto isakmp policy 1
hash md5
authentication pre-share
!
crypto isakmp policy 2
hash md5
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10
crypto isakmp aggressive-mode disable
!
!
crypto ipsec transform-set xxx-SET2 esp-aes esp-sha-hmac
mode tunnel
!
crypto ipsec profile xxx-Global1
set security-association lifetime seconds 900
set transform-set xxx-SET2
!

!
interface Tunnel10

tunnel source GigabitEthernet1
tunnel mode gre multipoint

tunnel protection ipsec profile xxx-Global1 shared


spoke


crypto isakmp policy 1
hash md5
authentication pre-share
!
crypto isakmp policy 2
hash md5
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10
crypto isakmp aggressive-mode disable
!
!

crypto ipsec transform-set xxx-SET2 esp-aes esp-sha-hmac
mode tunnel
!
crypto ipsec profile xxx-Global1
set security-association lifetime seconds 900
set transform-set xxx-SET2
!
!

!
interface Tunnel10

tunnel mode gre multipoint

tunnel protection ipsec profile xxx-Global1 shared

Richard Tapp
Level 1
Level 1

 If I remove 'tunnel protection ipsec profile xxx-Global1 shared' from the spoke side, the tunnel comes up, but no ISA or IPSEC SA's

Yes I check the config 
shared keyword not need here in your config, since you have only one tunnel per tunnel source. 
please keep tunnel profile and remove the shared keyword from profile in only Spoke. 

Richard Tapp
Level 1
Level 1

I tried this and it did not make any difference

are Spoke behind NAT ?

Richard Tapp
Level 1
Level 1

Spoke is a public IP

#show dmvpn detail <<- share this please