03-16-2023 05:06 AM
I have now got two CSR1000vs running and I am hitting the same issue on each one.
If they connect to the current DMVPN hub on our network, they are working fine. But we need to configure them to become the DMVPN hub once our physical DC is closed down.
When I connect up a spoke site to the AWS routers
On the spoke I get
sh cry isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
35.177.x.x 81.150.x.x QM_IDLE 2181 ACTIVE
On the AWS I get
sh cry isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
10.22.x.x 81.150.x.x QM_IDLE 1019 ACTIVE
Show dmvpn on the AWS does not show a tunnel, but on the spoke I get
Type:Spoke, NHRP Peers:1,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 35.177.x.x 10.100.x.x IKE 00:07:37 S
I just cannot work out the missing piece to get these to work.
03-16-2023 05:09 AM
I should have said the two AWS routers are: one with a single interface and one with dual interfaces on private and public sides.
03-16-2023 05:10 AM
1 35.177.x.x 10.100.x.x IKE 00:07:37 S <<- it is IKE, not UP, so there is an issue with IPsec Phase II; check the proposal matching between hub and spokes.
If you can share it here I will check it.
03-16-2023 05:22 AM
Here they are
AWS router
!
crypto isakmp policy 1
hash md5
authentication pre-share
!
crypto isakmp policy 2
hash md5
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10
crypto isakmp aggressive-mode disable
!
!
crypto ipsec transform-set xxx-SET2 esp-aes esp-sha-hmac
mode tunnel
!
crypto ipsec profile xxx-Global1
set security-association lifetime seconds 900
set transform-set xxx-SET2
!
!
interface Tunnel10
tunnel source GigabitEthernet1
tunnel mode gre multipoint
tunnel protection ipsec profile xxx-Global1 shared
Spoke router
crypto isakmp policy 1
hash md5
authentication pre-share
!
crypto isakmp policy 2
hash md5
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10
crypto isakmp aggressive-mode disable
!
!
crypto ipsec transform-set xxx-SET2 esp-aes esp-sha-hmac
mode tunnel
!
crypto ipsec profile xxx-Global1
set security-association lifetime seconds 900
set transform-set xxx-SET2
!
!
!
interface Tunnel10
tunnel mode gre multipoint
tunnel protection ipsec profile xxx-Global1 shared
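The following is an added diagnostic helper for this thread; it was not posted by any participant. It parses the `show crypto isakmp sa` and `show dmvpn` output quoted from the spoke above, maps the NHRP peer state to the layer that has not come up (an `IKE` state alongside an ACTIVE `QM_IDLE` SA to the same peer means Phase 1 is complete and the Phase 2 IPsec SA is not being established), and checks two configs for at least one ISAKMP policy and one transform set with identical attributes, which is the proposal-matching check the 05:10 AM reply asks for. The config text is the crypto section posted for both routers; the `MISMATCHED_SPOKE` variant with `esp-3des` is constructed here to show what a real mismatch report looks like.

```python
"""Added example for the thread: classify DMVPN peer state and diff crypto proposals."""
import re

# One row of 'show crypto isakmp sa': dst src state conn-id status
ISAKMP_ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s*$")
# One row of 'show dmvpn': Ent PeerNBMA PeerTunnel State UpDn Attrb
DMVPN_ROW = re.compile(r"^\s*\d+\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")

# Output quoted from the spoke in the thread (addresses masked there as x.x).
SPOKE_ISAKMP = """IPv4 Crypto ISAKMP SA
dst src state conn-id status
35.177.x.x 81.150.x.x QM_IDLE 2181 ACTIVE
"""
SPOKE_DMVPN = """Type:Spoke, NHRP Peers:1,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 35.177.x.x 10.100.x.x IKE 00:07:37 S
"""
# Crypto section as posted in the thread (identical on hub and spoke).
THREAD_CRYPTO = """crypto isakmp policy 1
hash md5
authentication pre-share
!
crypto isakmp policy 2
hash md5
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10
crypto isakmp aggressive-mode disable
!
crypto ipsec transform-set xxx-SET2 esp-aes esp-sha-hmac
mode tunnel
!
crypto ipsec profile xxx-Global1
set security-association lifetime seconds 900
set transform-set xxx-SET2
!
"""
# Constructed variant (not from the thread) with a deliberately different ESP cipher.
MISMATCHED_SPOKE = THREAD_CRYPTO.replace("esp-aes", "esp-3des")


def parse_isakmp_sa(text):
    """Rows of 'show crypto isakmp sa' as (dst, src, state, conn_id, status)."""
    return [m.groups() for m in map(ISAKMP_ROW.match, text.splitlines()) if m]


def parse_show_dmvpn(text):
    """Rows of 'show dmvpn' as (peer_nbma, peer_tunnel, state, updn, attrb)."""
    return [m.groups() for m in map(DMVPN_ROW.match, text.splitlines()) if m]


def diagnose(dmvpn_text, isakmp_text):
    """Map each NHRP peer NBMA address to the layer that has not come up."""
    sas = parse_isakmp_sa(isakmp_text)
    result = {}
    for nbma, _tunnel, state, _updn, _attrb in parse_show_dmvpn(dmvpn_text):
        # Phase 1 is done when an ACTIVE QM_IDLE SA exists with this peer.
        ike_done = any(nbma in (d, s) and st == "QM_IDLE" and ok == "ACTIVE"
                       for d, s, st, _c, ok in sas)
        if state == "UP":
            result[nbma] = "ok"
        elif state == "NHRP":            # IPsec up, registration pending
            result[nbma] = "nhrp-registration"
        elif state == "IKE":
            result[nbma] = "phase2-ipsec" if ike_done else "phase1-ike"
        else:
            result[nbma] = "unknown:" + state
    return result


def crypto_summary(config):
    """Collect ISAKMP policy attributes and transform-set contents from a config."""
    policies, tsets, block = {}, {}, None
    for raw in config.splitlines():
        line, words = raw.strip(), raw.split()
        if not words or words[0] == "!":
            block = None
        elif line.startswith("crypto isakmp policy"):
            block = policies.setdefault(words[3], set())
        elif line.startswith("crypto ipsec transform-set"):
            block = tsets.setdefault(words[3], set(words[4:]))
        elif line.startswith(("crypto", "interface")):
            block = None               # other top-level statement, not a child
        elif block is not None:
            block.add(" ".join(words))  # child line such as 'hash md5' or 'mode tunnel'
    return policies, tsets


def proposal_mismatches(hub_cfg, spoke_cfg):
    """Report when no ISAKMP policy or no transform set matches across the two."""
    hub_pol, hub_ts = crypto_summary(hub_cfg)
    spoke_pol, spoke_ts = crypto_summary(spoke_cfg)
    problems = []
    if not {frozenset(p) for p in hub_pol.values()} & {frozenset(p) for p in spoke_pol.values()}:
        problems.append("no ISAKMP policy with identical attributes on both routers")
    hub_sets = {frozenset(t) for t in hub_ts.values()}
    spoke_sets = {frozenset(t) for t in spoke_ts.values()}
    if not hub_sets & spoke_sets:
        problems.append("no common IPsec transform set: hub=%s spoke=%s"
                        % ([sorted(t) for t in hub_sets], [sorted(t) for t in spoke_sets]))
    return problems


if __name__ == "__main__":
    print(diagnose(SPOKE_DMVPN, SPOKE_ISAKMP))
    print(proposal_mismatches(THREAD_CRYPTO, THREAD_CRYPTO))
    print(proposal_mismatches(THREAD_CRYPTO, MISMATCHED_SPOKE))
```

Run against the posted output, `diagnose` returns `phase2-ipsec` for the hub's NBMA address, and the posted crypto sections produce no mismatch report, so the proposal check alone does not explain the failure; the constructed `esp-3des` variant shows the report a genuine transform-set mismatch would produce. Policies are compared by their attribute lines rather than by number, since IKE matches on attributes, not on policy priority.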
03-16-2023 05:40 AM
If I remove 'tunnel protection ipsec profile xxx-Global1 shared' from the spoke side, the tunnel comes up, but there are no ISAKMP or IPsec SAs.
03-16-2023 05:59 AM - edited 03-16-2023 06:00 AM
Yes, I checked the config.
The shared keyword is not needed here in your config, since you have only one tunnel per tunnel source.
Please keep the tunnel profile and remove the shared keyword from the profile on the spoke only.
03-16-2023 07:16 AM
I tried this and it did not make any difference.
03-16-2023 07:20 AM
Is the spoke behind NAT?
03-16-2023 07:21 AM
The spoke has a public IP.
03-16-2023 09:15 AM
#show dmvpn detail <<- share this please