Participant

DMVPN ,EIGRP And IPsec with CA

Dear All,

I would request your help to fix a DMVPN error. I am trying to configure DMVPN with IPsec. Before I apply the IPsec profile to the DMVPN tunnel, DMVPN is working; after applying the IPsec profile, DMVPN is down, and I don't know why. I can say the IPsec configuration is correct because it works properly on a site-to-site VPN in operation, but this configuration doesn't work with DMVPN. I don't know why. Please help me.

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2019.01.20 00:33:07 =~=~=~=~=~=~=~=~=~=~=~=

*Jan 20 00:33:02.395: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /110.110.110.1, src_addr= 130.130.130.1, prot= 47
Cbtme-Hub(config-if)#sh run

end
Cbtme-Hub#len

Cbtme-Hub#len
*Jan 20 00:33:13.323: %SYS-5-CONFIG_I: Configured from console by console
Cbtme-Hub#len
termi
Cbtme-Hub#terminal len
Cbtme-Hub#terminal length 0
Cbtme-Hub#sh run
Building configuration...

Current configuration : 9508 bytes
!
! Last configuration change at 00:33:13 UTC Sun Jan 20 2019
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname Cbtme-Hub
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
!
!
no ip domain lookup
ip domain name crypto.local
no ipv6 cef
!
!
multilink bundle-name authenticated
!
crypto pki trustpoint my-ca
enrollment terminal
serial-number none
fqdn cbtme-hub.crypto.local
ip-address none
subject-name cn=cbtme-hub.crypto.local
revocation-check none
!
!
crypto pki certificate chain my-ca
certificate 3C000000168AF8583CBDCFD97E000000000016
30820583 3082046B A0030201 0202133C 00000016 8AF8583C BDCFD97E 00000000
0016300D 06092A86 4886F70D 01010B05 00304B31 15301306 0A099226 8993F22C
64011916 056C6F63 616C3116 3014060A 09922689 93F22C64 01191606 63727970
746F311A 30180603 55040313 11637279 70746F2D 53554243 412D4341 2D31301E
170D3139 30313139 31363135 35395A17 0D323031 31323930 39313833 305A3021
311F301D 06035504 03131663 62746D65 2D687562 2E637279 70746F2E 6C6F6361
6C308201 22300D06 092A8648 86F70D01 01010500 0382010F 00308201 0A028201
0100CCB4 CD4686C9 64BF82D3 D43F09D9 13CA4EE6 A119D003 91333E6F 9F227516
636817EC 818787B2 AFDF1DC4 8758F227 06073797 0F0053AD F0857EB3 99A1F434
FCC8290F 111A7CD3 68480BE1 5643522E BC28D137 9B70C99C 1648EF92 208D4876
1428598B BDAC373C 4A9435E7 59304E52 7B1BA07A A6267129 364B2ED4 D5D4E9AF
5BCE236A 3FE2F32D C3CE5D99 7FEB3643 B08C301C 82F71333 950A76ED 9F1749E7
7531734B 3C252BE9 6D191148 0D947BBD 282D199C 9ECC9DC4 1DC11D76 0AD70432
D3B2EC71 B61AFBEB 81700DB0 9CC92FF4 499376B2 DFD8687F 5B6E6D8D 526E98EE
0F0FDC53 3120C2E3 672DA207 C70E6B68 FCE09C79 02394335 5259B259 127573F2
063B0203 010001A3 82028830 82028430 0E060355 1D0F0101 FF040403 0205A030
1D060355 1D0E0416 0414D5F4 250CB031 74A99CA0 0B39E4A9 0BD548CF 0E82301F
0603551D 23041830 1680145A 5B753B27 2969744B F221001B 7A52CDC9 58765E30
81CE0603 551D1F04 81C63081 C33081C0 A081BDA0 81BA8681 B76C6461 703A2F2F
2F434E3D 63727970 746F2D53 55424341 2D43412D 312C434E 3D537562 43412C43
4E3D4344 502C434E 3D507562 6C696325 32304B65 79253230 53657276 69636573
2C434E3D 53657276 69636573 2C434E3D 436F6E66 69677572 6174696F 6E2C4443
3D637279 70746F2C 44433D6C 6F63616C 3F636572 74696669 63617465 5265766F
63617469 6F6E4C69 73743F62 6173653F 6F626A65 6374436C 6173733D 63524C44
69737472 69627574 696F6E50 6F696E74 3081C406 082B0601 05050701 010481B7
3081B430 81B10608 2B060105 05073002 8681A46C 6461703A 2F2F2F43 4E3D6372
7970746F 2D535542 43412D43 412D312C 434E3D41 49412C43 4E3D5075 626C6963
2532304B 65792532 30536572 76696365 732C434E 3D536572 76696365 732C434E
3D436F6E 66696775 72617469 6F6E2C44 433D6372 7970746F 2C44433D 6C6F6361
6C3F6341 43657274 69666963 6174653F 62617365 3F6F626A 65637443 6C617373
3D636572 74696669 63617469 6F6E4175 74686F72 69747930 3C06092B 06010401
82371507 042F302D 06252B06 01040182 371508C6 9D6A81EB 9E5184C5 8F3C82F7
E70482F1 DE7B813C 87FB9D35 F9F72102 01640201 04302706 03551D25 0420301E
06082B06 01050507 03060608 2B060105 05080202 06082B06 01050507 03023033
06092B06 01040182 37150A04 26302430 0A06082B 06010505 07030630 0A06082B
06010505 08020230 0A06082B 06010505 07030230 0D06092A 864886F7 0D01010B
05000382 01010078 38B2FEDF 15D36505 9DF4BBEA 45E808ED 3A3C498A 6A271604
2A86C908 8681EC3F DF597FA0 126785E4 D657D7A7 3ACAF40B DCB1698A B64B8995
CE254154 B4B60EDC 731E51E7 F91AF78B 4197C3F2 DF96E455 27251DD1 8C9AC426
DC9274EC 8088B62B 43B5EB51 C2AC7B78 FE21CE6B 18E77936 06426AB1 C6596B9B
00B598E7 D5B5818E 17EAFD16 1917BED9 CC98B4E6 ED0EBD25 CBD4CD9C 18B74F69
E1504FA9 56EDF9E0 21FFA552 982B6C3E 3AB44CE7 195EA185 E35AF71C DC3D877E
9871674E A0C875B0 72AD47FE 502F4E89 358335B8 ADAC41B8 F252F561 7DC93654
8A59EAA8 6C6196F3 2496D22E FB95C4A0 3BCDE38A 55FC55DA 1A29C5FB B6A296A3
057E3A5F FA7458
quit
certificate ca 540000000278F61229E46F3DDB000000000002
3082054D 30820435 A0030201 02021354 00000002 78F61229 E46F3DDB 00000000
0002300D 06092A86 4886F70D 01010B05 00304A31 15301306 0A099226 8993F22C
64011916 056C6F63 616C3116 3014060A 09922689 93F22C64 01191606 63727970
746F3119 30170603 55040313 10637279 70746F2D 524F4F54 43412D43 41301E17
0D313831 31323930 39303833 305A170D 32303131 32393039 31383330 5A304B31
15301306 0A099226 8993F22C 64011916 056C6F63 616C3116 3014060A 09922689
93F22C64 01191606 63727970 746F311A 30180603 55040313 11637279 70746F2D
53554243 412D4341 2D313082 0122300D 06092A86 4886F70D 01010105 00038201
0F003082 010A0282 010100BA 351C4BF6 9CCACBCF D34D9D1D A66D6ACD 97F50EFD
E5D04A86 665AFAF6 F8A38E41 4C9094B2 56983D88 0271E33E D88B5C2C 1BE1F3C5
0B071B2F 495C65DA 16F35FED 797B0083 6EFE0AFA 792C2FF8 ED68A7A3 FC023786
FC8E07E5 FBBF2F6D 6CA4DA10 B011967A 50721DB1 55417D3F 6D4D6EA6 3A6C5669
2C971388 02995D2F 90C58C42 0D693F64 47FA2182 50F3D37C 0C14A968 A6498963
FFCC24D9 AE68DF55 8404F5C7 4A628962 E46DA5BE 1610352A E0869FE1 3A426CD5
49C0EB70 90244D34 4834B7E4 45F803E0 ADB4291D CB033DF7 D50147E2 4C468624
6614E623 8A869EB6 9D5320FE BE8A0DDC 58F91AE9 37D397A7 8A7AA8BB 8B0BFC8A
61655720 B96B0464 8A4FA702 03010001 A3820229 30820225 30100609 2B060104
01823715 01040302 0100301D 0603551D 0E041604 145A5B75 3B272969 744BF221
001B7A52 CDC95876 5E301906 092B0601 04018237 1402040C 1E0A0053 00750062
00430041 300E0603 551D0F01 01FF0404 03020186 300F0603 551D1301 01FF0405
30030101 FF301F06 03551D23 04183016 8014EAE7 98FDF125 A1E58467 80EFFFC7
83928290 3CED3081 CE060355 1D1F0481 C63081C3 3081C0A0 81BDA081 BA8681B7
6C646170 3A2F2F2F 434E3D63 72797074 6F2D524F 4F544341 2D43412C 434E3D52
6F6F7443 412C434E 3D434450 2C434E3D 5075626C 69632532 304B6579 25323053
65727669 6365732C 434E3D53 65727669 6365732C 434E3D43 6F6E6669 67757261
74696F6E 2C44433D 63727970 746F2C44 433D6C6F 63616C3F 63657274 69666963
61746552 65766F63 6174696F 6E4C6973 743F6261 73653F6F 626A6563 74436C61
73733D63 524C4469 73747269 62757469 6F6E506F 696E7430 81C30608 2B060105
05070101 0481B630 81B33081 B006082B 06010505 07300286 81A36C64 61703A2F
2F2F434E 3D637279 70746F2D 524F4F54 43412D43 412C434E 3D414941 2C434E3D
5075626C 69632532 304B6579 25323053 65727669 6365732C 434E3D53 65727669
6365732C 434E3D43 6F6E6669 67757261 74696F6E 2C44433D 63727970 746F2C44
433D6C6F 63616C3F 63414365 72746966 69636174 653F6261 73653F6F 626A6563
74436C61 73733D63 65727469 66696361 74696F6E 41757468 6F726974 79300D06
092A8648 86F70D01 010B0500 03820101 0035B7D1 A2D72FB8 6A87DA5E EF20D5FE
200B5502 298D2792 C0D21AD3 003A57DE C52FD774 9E24D28C AB7E9B06 114B1789
8668CF66 7ECDDC0B 3C62E120 EDD70912 77612379 104187A8 561C9410 06EBC267
22D5D4D3 C8F38806 6C10F16E 3F4F9370 FCFB7E1A 544C6382 C6D3FCFE 43EE4144
A137BF03 177C56D6 C22948E2 75062245 1A47A6B8 CDC04EA8 2A870010 F532EB9B
45FDE964 0AD5D8AE A4555293 314BB317 9ACC3361 46D0DF36 FA6EF533 F32FE149
75E08FEE 9372F000 87D0C012 3297696D 0E08A9E7 D93F4ED1 141C0D85 6A016720
3D0B82B0 757A25D9 60FCD394 8E6437F4 49175569 BD73A215 BAA1DFA5 DFD2A8C7
F79277D7 63755C50 B7BD3437 AFBB7BB1 14
quit
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
crypto ikev2 proposal aes-cbc-256-proposal1
encryption aes-cbc-256
integrity sha256
group 14
!
crypto ikev2 policy policy
match address local 110.110.110.1
proposal aes-cbc-256-proposal1
!
!
crypto ikev2 profile profile
description IKEv2 profile
match identity remote address 120.120.120.2 255.255.255.255
identity local address 110.110.110.1
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoin my-ca
!
!
!
crypto ipsec transform-set TS-ESP-AES-SHA esp-aes 256 esp-sha256-hmac
mode tunnel
!
crypto ipsec profile IPSecProfile
set transform-set TS-ESP-AES-SHA
set ikev2-profile profile
!
!
!
!
!
!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.0
!
interface Loopback1
ip address 11.11.11.11 255.255.255.0
!
interface Tunnel0
ip address 192.168.200.1 255.255.255.0
no ip redirects
ip nhrp map multicast dynamic
ip nhrp network-id 200
shutdown
tunnel source 150.150.150.1
tunnel mode gre multipoint
tunnel key 1
!
interface Tunnel1
ip address 192.168.100.1 255.255.255.0
no ip redirects
ip mtu 1400
no ip split-horizon eigrp 10
ip nhrp map multicast dynamic
ip nhrp network-id 111
ip nhrp redirect
ip tcp adjust-mss 1360
tunnel source 110.110.110.1
tunnel mode gre multipoint
tunnel key 1
tunnel protection ipsec profile IPSecProfile
!
interface FastEthernet0/0
ip address 110.110.110.1 255.255.255.0
duplex full
!
interface FastEthernet1/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet1/1
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet2/0
ip address 150.150.150.1 255.255.255.0
speed auto
duplex auto
!
interface FastEthernet2/1
no ip address
shutdown
speed auto
duplex auto
!
!
router eigrp 10
network 1.1.1.0 0.0.0.255
network 11.11.11.0 0.0.0.255
network 192.168.100.1 0.0.0.0
!
router bgp 101
bgp log-neighbor-changes
neighbor 110.110.110.2 remote-as 100
neighbor 150.150.150.2 remote-as 100
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end

Cbtme-Hub#wr
Building configuration...
[OK]
Cbtme-Hub#
*Jan 20 00:34:03.835: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /110.110.110.1, src_addr= 130.130.130.1, prot= 47
Cbtme-Hub#dm s do dmvp

Cbtme-Hub#do dmvpn
^
% Invalid input detected at '^' marker.

Cbtme-Hub#do sh dmvpn
^
% Invalid input detected at '^' marker.

Cbtme-Hub#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Cbtme-Hub#

RJI (VIP Advisor)

Re: DMVPN ,EIGRP And IPsec with CA

Hi,
Can you provide the output of the IKEv2 debugs:-

debug crypto ikev2 platform 100
debug crypto ikev2 protocol 100

I assume the routers can route and ping each other?
Participant

Re: DMVPN ,EIGRP And IPsec with CA

Hi,

I cannot enter your commands:

debug crypto ikev2 platform 100
debug crypto ikev2 protocol 100

because I am using c7200-adventerprisek9-mz.152-4.M7.image for GNS3. Is it a GNS3 error? Please see the debug output from:

debug crypto ikev2 packet

debug crypto ikev2 error

debug crypto ikev2 internal

And let me know how to set the remote identity. Should it be "any" because we are using DMVPN? Can I also use key-id?

Cbtme-Spoke1#debug crypto ikev2 client ?
  flexvpn  FlexVPN
Cbtme-Spoke1#
*Jan 20 11:03:58.043: IKEv2:No Matching policy with fvrf 0, local addr 120.120.120.1
*Jan 20 11:03:58.063: IKEv2:Failed to initiate sa
Cbtme-Spoke1#
*Jan 20 11:04:28.419: IKEv2:No Matching policy with fvrf 0, local addr 120.120.120.1
*Jan 20 11:04:28.419: IKEv2:Failed to initiate sa
Cbtme-Spoke1#
*Jan 20 11:04:58.419: IKEv2:No Matching policy with fvrf 0, local addr 120.120.120.1
*Jan 20 11:04:58.423: IKEv2:Failed to initiate sa
Cbtme-Spoke1#
*Jan 20 11:05:28.431: IKEv2:No Matching policy with fvrf 0, local addr 120.120.120.1
*Jan 20 11:05:28.435: IKEv2:Failed to initiate sa
Cbtme-Spoke1#
*Jan 20 11:05:58.427: IKEv2:No Matching policy with fvrf 0, local addr 120.120.120.1
*Jan 20 11:05:58.431: IKEv2:Failed to initiate sa
Cbtme-Spoke1#
*Jan 20 11:06:28.427: IKEv2:No Matching policy with fvrf 0, local addr 120.120.120.1
*Jan 20 11:06:28.427: IKEv2:Failed to initiate sa

Re: DMVPN ,EIGRP And IPsec with CA

If you have another VPN using the same IPsec profile, you will need to add the "shared" keyword (e.g. tunnel protection ipsec profile IPSecProfile shared).

For more explanation, please look at the following link: https://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_dmvpn/configuration/15-2mt/sec-conn-dmvpn-share-ipsec-w-tun-protect.html#GUID-09997D8E-1E96-4593-BD92-E1BFE3678433

HTH,

Meheretab

Participant

Re: DMVPN ,EIGRP And IPsec with CA

Hi Meheretab Mengistu,

I am a little confused about the shared IPsec profile. Does DMVPN need to use a shared profile? If I test hub and spoke 1 only, do I still need to use a shared IPsec profile? I tested point-to-point IPsec in another lab; that lab is OK. But when I applied this setting to the DMVPN tunnel, the setting doesn't work. I think IPsec phase 1 doesn't come up. Let me know how to troubleshoot.

Re: DMVPN ,EIGRP And IPsec with CA


If you are not sharing the IPsec profile, you do not need the "shared" keyword. Please look at the link I shared with you in the previous post to get a detailed explanation.

After you configured DMVPN, did you send interesting traffic (e.g. ping the tunnel interface IP address) to initiate the IPsec negotiation?

Generally, when you configure DMVPN with IPsec, you will need to do your troubleshooting as follows:
1) Are the IP addresses (tunnel destination IP addresses) reachable? If not, please troubleshoot.
2) Is DMVPN configured correctly, and is it working without IPsec applied? If yes, continue to step 4.
3) When you applied the IPsec profile and sent interesting traffic (e.g. ping to the IP address of the remote tunnel interface), did IPsec negotiate correctly?
4) If not, troubleshoot IPsec first.
Good resource: https://www.cisco.com/c/en/us/support/docs/ip/internet-key-exchange-ike/115934-technote-ikev2-00.html

HTH,
Meheretab
Participant

Re: DMVPN ,EIGRP And IPsec with CA

Hi Meheretab Mengistu,

1. The tunnel IP address is reachable before the IPsec profile is applied, but after the IPsec profile is applied it cannot be pinged.

2. DMVPN is working before the IPsec profile is applied.

3. When I applied the IPsec profile and sent interesting traffic, IPsec didn't negotiate correctly.

RJI (VIP Advisor)

Re: DMVPN ,EIGRP And IPsec with CA

Hi,
Did you apply the IPsec profile to a GRE tunnel that was already up? If so, can you shut down the tunnel and ensure there is no GRE tunnel up, then try again. Please can you provide the debug logs from both the hub and spoke.
Participant

Re: DMVPN ,EIGRP And IPsec with CA

Hi RJI,
I applied the IPsec profile to a GRE tunnel that was already up. Now I have shut it down; please see the debug messages below.

RJI (VIP Advisor)

Re: DMVPN ,EIGRP And IPsec with CA

Was there any more debug output after you uploaded those debugs?

Can you provide the output of "show crypto pki certificates verbose" please? The last few messages in the debugs relate to "auth", so you should probably check the authentication.
Participant

Re: DMVPN ,EIGRP And IPsec with CA

Hi RJI,

Please see below and help. I also inform you that I have now tested with a pre-shared key and got the same problem.

Cbtme-Hub#show crypto pki certificates verbose
Certificate
Status: Available
Version: 3
Certificate Serial Number (hex): 3C0000001C155259B46CF9F9B900000000001C
Certificate Usage: General Purpose
Issuer:
cn=crypto-SUBCA-CA-1
dc=crypto
dc=local
Subject:
Name: cbtme-hub.crypto.local
cn=cbtme-hub.crypto.local
CRL Distribution Points:
ldap:///CN=crypto-SUBCA-CA-1,CN=SubCA,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=crypto,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint
Validity Date:
start date: 16:08:53 UTC Jan 20 2019
end date: 09:18:30 UTC Nov 29 2020
Subject Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Signature Algorithm: SHA256 with RSA Encryption
Fingerprint MD5: 2FFAADC6 DBC6FCFF 3B396902 4A38A0DB
Fingerprint SHA1: DA184D67 6323A719 94C76C70 A4EAF111 69C63C2F
X509v3 extensions:
X509v3 Key Usage: A0000000
Digital Signature
Key Encipherment
X509v3 Subject Key ID: D5F4250C B03174A9 9CA00B39 E4A90BD5 48CF0E82
X509v3 Authority Key ID: 5A5B753B 27296974 4BF22100 1B7A52CD C958765E
Authority Info Access:
Extended Key Usage:
Client Auth
1.3.6.1.5.5.8.2.2
IPSEC Tunnel
Associated Trustpoints: my-ca
Key Label: Cbtme-Hub.crypto.local
Key storage device: private config

CA Certificate
Status: Available
Version: 3
Certificate Serial Number (hex): 540000000278F61229E46F3DDB000000000002
Certificate Usage: Signature
Issuer:
cn=crypto-ROOTCA-CA
dc=crypto
dc=local
Subject:
cn=crypto-SUBCA-CA-1
dc=crypto
dc=local
CRL Distribution Points:
ldap:///CN=crypto-ROOTCA-CA,CN=RootCA,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=crypto,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint
Validity Date:
start date: 09:08:30 UTC Nov 29 2018
end date: 09:18:30 UTC Nov 29 2020
Subject Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Signature Algorithm: SHA256 with RSA Encryption
Fingerprint MD5: FCB6869A D1BC2817 06BD2C11 05DD9524
Fingerprint SHA1: 74EB383E 222320DA A928E502 AAF5C7B9 798199AD
X509v3 extensions:
X509v3 Key Usage: 86000000
Digital Signature
Key Cert Sign
CRL Signature
X509v3 Subject Key ID: 5A5B753B 27296974 4BF22100 1B7A52CD C958765E
X509v3 Basic Constraints:
CA: TRUE
X509v3 Authority Key ID: EAE798FD F125A1E5 846780EF FFC78392 82903CED
Authority Info Access:
Associated Trustpoints: my-ca

====================================================================================================

Cbtme-Spoke1#show crypto pki certificates verbose
*Jan 21 00:26:01.303: %SYS-5-CONFIG_I: Configured from console by console
Cbtme-Spoke1#show crypto pki certificates verbose
Certificate
Status: Available
Version: 3
Certificate Serial Number (hex): 3C0000001DC9C2A5A55C8DD27800000000001D
Certificate Usage: General Purpose
Issuer:
cn=crypto-SUBCA-CA-1
dc=crypto
dc=local
Subject:
Name: cbtme-spoke1.crypto.local
cn=cbtme-spoke1.crypto.local
CRL Distribution Points:
ldap:///CN=crypto-SUBCA-CA-1,CN=SubCA,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=crypto,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint
Validity Date:
start date: 16:10:53 UTC Jan 20 2019
end date: 09:18:30 UTC Nov 29 2020
Subject Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Signature Algorithm: SHA256 with RSA Encryption
Fingerprint MD5: C211E13E 787AF59E 510D47EA 8FBEFB3E
Fingerprint SHA1: E7677321 0AFF278A 81C960DE BBB08379 D5ACD3CD
X509v3 extensions:
X509v3 Key Usage: A0000000
Digital Signature
Key Encipherment
X509v3 Subject Key ID: 0BAF9287 E0A5C825 72FDC8A7 8FB43A28 A9DDA16A
X509v3 Authority Key ID: 5A5B753B 27296974 4BF22100 1B7A52CD C958765E
Authority Info Access:
Extended Key Usage:
Client Auth
1.3.6.1.5.5.8.2.2
IPSEC Tunnel
Associated Trustpoints: my-ca
Key Label: Cbtme-Spoke1.crypto.local
Key storage device: private config

CA Certificate
Status: Available
Version: 3
Certificate Serial Number (hex): 540000000278F61229E46F3DDB000000000002
Certificate Usage: Signature
Issuer:
cn=crypto-ROOTCA-CA
dc=crypto
dc=local
Subject:
cn=crypto-SUBCA-CA-1
dc=crypto
dc=local
CRL Distribution Points:
ldap:///CN=crypto-ROOTCA-CA,CN=RootCA,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=crypto,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint
Validity Date:
start date: 09:08:30 UTC Nov 29 2018
end date: 09:18:30 UTC Nov 29 2020
Subject Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Signature Algorithm: SHA256 with RSA Encryption
Fingerprint MD5: FCB6869A D1BC2817 06BD2C11 05DD9524
Fingerprint SHA1: 74EB383E 222320DA A928E502 AAF5C7B9 798199AD
X509v3 extensions:
X509v3 Key Usage: 86000000
Digital Signature
Key Cert Sign
CRL Signature
X509v3 Subject Key ID: 5A5B753B 27296974 4BF22100 1B7A52CD C958765E
X509v3 Basic Constraints:
CA: TRUE
X509v3 Authority Key ID: EAE798FD F125A1E5 846780EF FFC78392 82903CED
Authority Info Access:
Associated Trustpoints: my-ca

RJI (VIP Advisor)

Re: DMVPN ,EIGRP And IPsec with CA

Ok, I think I've spotted your issue; it's probably not matching on the remote identity.

The spoke's IP address is 120.120.120.1, but the IKEv2 profile on the hub is configured to expect the remote identity address as 120.120.120.2.

EDIT: I've researched this a bit more. Even though the remote identity isn't the real IP address of the spoke router, it should still match because the spoke's local identity is correct as far as the hub is concerned. So I don't think changing the remote identity is the issue.

Please post your current up-to-date configuration of the hub and spoke, when using PSK.

RJI (VIP Advisor)

Re: DMVPN ,EIGRP And IPsec with CA

Hi,
Well, the errors indicate "No matching policy". I would amend your IKEv2 policy to remove the match statements; this is what I usually do.

crypto ikev2 policy policy
proposal aes-cbc-256-proposal1

Try again, upload the ikev2 debug logs if necessary.
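The messages quoted in this thread point at three different layers: the hub's %CRYPTO-4-RECVD_PKT_NOT_IPSEC lines in the first post mean cleartext GRE (protocol 47) is arriving at a tunnel source that now expects IPsec, the spoke's "No Matching policy ... local addr" lines mean the IKEv2 policy lookup failed on the spoke itself, and the hub's EV_WAIT4_AUTH_TMO trace means the responder built IKE_SA_INIT but the initiator never sent IKE_AUTH. Sorting a saved debug capture by those classes before reading the SM Trace lines is the mechanical form of step 3 in Meheretab's checklist. The script below is an added example for this thread, not Cisco tooling or any poster's code; the sample log is constructed from the lines quoted in the thread, and the "next check" text is the editor's reading of each message, not IOS output.

```python
"""Triage the IOS crypto messages seen in a DMVPN + IPsec lab (added example)."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Finding:
    kind: str        # condition detected
    subject: str     # address or SPI the message is about
    next_check: str  # editor's suggested follow-up, not IOS output


# Constructed sample log: the message types quoted in this thread, with the
# cleartext-GRE and policy-miss lines repeated the way they repeat on the routers.
SAMPLE_LOG = """\
*Jan 20 00:33:02.395: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /110.110.110.1, src_addr= 130.130.130.1, prot= 47
*Jan 20 00:33:13.323: %SYS-5-CONFIG_I: Configured from console by console
*Jan 20 00:34:03.835: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /110.110.110.1, src_addr= 130.130.130.1, prot= 47
*Jan 20 11:03:58.043: IKEv2:No Matching policy with fvrf 0, local addr 120.120.120.1
*Jan 20 11:03:58.063: IKEv2:Failed to initiate sa
*Jan 20 11:04:28.419: IKEv2:No Matching policy with fvrf 0, local addr 120.120.120.1
*Jan 20 11:04:28.419: IKEv2:Failed to initiate sa
*Jan 20 22:36:09.303: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=8ECCC7ED5ED76666 R_SPI=647A6C72A385E6B2 (R) MsgID = 00000000 CurState: R_WAIT_AUTH Event: EV_WAIT4_AUTH_TMO
"""

NOT_IPSEC_RE = re.compile(
    r"%CRYPTO-4-RECVD_PKT_NOT_IPSEC:.*?dest_addr= (?P<vrf>[^/\s]*)/(?P<dst>[\d.]+), "
    r"src_addr= (?P<src>[\d.]+), prot= (?P<proto>\d+)"
)
NO_POLICY_RE = re.compile(
    r"IKEv2:No Matching policy with fvrf (?P<fvrf>\d+), local addr (?P<local>[\d.]+)"
)
AUTH_TMO_RE = re.compile(
    r"IKEv2:\(SA ID = (?P<sa>\d+)\).*?I_SPI=(?P<ispi>[0-9A-Fa-f]+).*?Event: EV_WAIT4_AUTH_TMO"
)


def classify(line: str) -> Optional[Finding]:
    """Map one syslog/debug line to a Finding, or None for lines that need no action."""
    m = NOT_IPSEC_RE.search(line)
    if m:
        what = "GRE" if m["proto"] == "47" else f"IP protocol {m['proto']}"
        return Finding("cleartext-to-protected-tunnel", m["src"],
                       f"{what} from {m['src']} reached {m['dst']} in the clear and was dropped: "
                       "that peer has no tunnel protection toward this address or its IPsec SA is down")
    m = NO_POLICY_RE.search(line)
    if m:
        return Finding("ikev2-policy-miss", m["local"],
                       f"no 'crypto ikev2 policy' on this router matches fvrf {m['fvrf']} and local "
                       f"address {m['local']}: check 'match fvrf' / 'match address local' in the policy")
    m = AUTH_TMO_RE.search(line)
    if m:
        return Finding("ikev2-auth-timeout", m["ispi"],
                       f"responder SA {m['sa']} (I_SPI {m['ispi']}) never received IKE_AUTH: "
                       "the initiator gave up after IKE_SA_INIT, so read the initiator's debug")
    return None


def triage(log_text: str) -> list:
    """All actionable findings in a capture, in log order."""
    return [f for line in log_text.splitlines() if (f := classify(line)) is not None]


def summarize(findings) -> dict:
    """Count findings per (kind, subject) so a repeating failure shows as one row."""
    counts = {}
    for f in findings:
        counts[(f.kind, f.subject)] = counts.get((f.kind, f.subject), 0) + 1
    return counts


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for (kind, subject), n in summarize(found).items():
        print(f"{n:>3}x {kind:<32} {subject}")
    for f in found[:1] + [x for x in found if x.kind != found[0].kind][:2]:
        print(f"  {f.kind}: {f.next_check}")
```

Run it against `show logging` or a saved debug file instead of SAMPLE_LOG; the per-peer counts tell you which router to open first (the one whose own policy lookup is failing), before anyone starts changing identities on the hub.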
Participant

Re: DMVPN ,EIGRP And IPsec with CA

Hi RJI,
After i applied your advice ,i still got error. Please see below debug message and please help me.
POLICY
*Jan 20 22:36:08.967: IKEv2:Adding Proposal aes-cbc-256-proposal1 to toolkit policy
*Jan 20 22:36:08.967: IKEv2:(SA ID = 2):SM Trace-> SA: I_SPI=B211EDCAC8ACC2D6 R_SPI=54DEC600BEFFAA70 (R) MsgID = 00000000 CurState: R_INIT Event: EV_PROC_MSG
*Jan 20 22:36:08.967: IKEv2:(SA ID = 2):SM Trace-> SA: I_SPI=B211EDCAC8ACC2D6 R_SPI=54DEC600BEFFAA70 (R) MsgID = 00000000 CurState: R_INIT Event: EV_DETECT_NAT
*Jan 20 22:36:08.967: IKEv2:(SA ID = 2):Process NAT discovery notify
*Jan 20 22:36:08.967: IKEv2:(SA ID = 2):Processing nat detect src notify
*Jan 20 22:36:08.967: IKEv2:(SA ID = 2):Remote address matched
*Jan 20 22:36:08.967: IKEv2:(SA ID = 2):Processing nat detect dst notify
*Jan 20 22:36:08.967: IKEv2:(SA ID = 2):Local address matched
*Jan 20 22:36:08.967: IKEv2:(SA ID = 2):No NAT found
*Jan 20 22:36:08.967: IKEv2:(SA ID = 2):SM Trace-> SA: I_SPI=B211EDCAC8ACC2D6 R_SPI=54DEC600BEFFAA70 (R) MsgID = 00000000 CurState: R_INIT Event: EV_CHK_CONFIG_MODE
*Jan 20 22:36:08.967: IKEv2:(SA ID = 2):SM Trace-> SA: I_SPI=B211EDCAC8ACC2D6 R_SPI=54DEC600BEFFAA70 (R) MsgID = 00000000 CurState: R_BLD_INIT Event: EV_SET_POLICY
*Jan 20 22:36:08.967: IKEv2:(SA ID = 2):Setting configured policies
*Jan 20 22:36:08.967: IKEv2:(SA ID = 2):SM Trace-> SA: I_SPI=B211EDCAC8ACC2D6 R_SPI=54DEC600BEFFAA70 (R) MsgID = 00000000 CurState: R_BLD_INIT Event: EV_CHK_AUTH4PKI
*Jan 20 22:36:08.967: IKEv2:(SA ID = 2):SM Trace-> SA: I_SPI=B211EDCAC8ACC2D6 R_SPI=54DEC600BEFFAA70 (R) MsgID = 00000000 CurState: R_BLD_INIT Event: EV_PKI_SESH_OPEN
*Jan 20 22:36:08.967: IKEv2:(SA ID = 2):Opening a PKI session
*Jan 20 22:36:08.967: IKEv2:(SA ID = 2):SM Trace-> SA: I_SPI=B211EDCAC8ACC2D6 R_SPI=54DEC600BEFFAA70 (R) MsgID = 00000000 CurState: R_BLD_INIT Event: EV_GEN_DH_KEY
*Jan 20 22:36:08.967: IKEv2:(SA ID = 2):SM Trace-> SA: I_SPI=B211EDCAC8ACC2D6 R_SPI=54DEC600BEFFAA70 (R) MsgID = 00000000 CurState: R_BLD_INIT Event: EV_NO_EVENT
*Jan 20 22:36:08.971: IKEv2:(SA ID = 2):SM Trace-> SA: I_SPI=B211EDCAC8ACC2D6 R_SPI=54DEC600BEFFAA70 (R) MsgID = 00000000 CurState: R_BLD_INIT Event: EV_OK_RECD_DH_PUBKEY_RESP
*Jan 20 22:36:08.971: IKEv2:(SA ID = 2):Action: Action_Null
*Jan 20 22:36:08.971: IKEv2:(SA ID = 2):SM Trace-> SA: I_SPI=B211EDCAC8ACC2D6 R_SPI=54DEC600BEFFAA70 (R) MsgID = 00000000 CurState: R_BLD_INIT Event: EV_GEN_DH_SECRET
*Jan 20 22:36:09.239: IKEv2:(SA ID = 2):SM Trace-> SA: I_SPI=B211EDCAC8ACC2D6 R_SPI=54DEC600BEFFAA70 (R) MsgID = 00000000 CurState: R_BLD_INIT Event: EV_NO_EVENT
*Jan 20 22:36:09.239: IKEv2:(SA ID = 2):SM Trace-> SA: I_SPI=B211EDCAC8ACC2D6 R_SPI=54DEC600BEFFAA70 (R) MsgID = 00000000 CurState: R_BLD_INIT Event: EV_OK_RECD_DH_SECRET_RESP
*Jan 20 22:36:09.239: IKEv2:(SA ID = 2):Action: Action_Null
*Jan 20 22:36:09.239: IKEv2:(SA ID = 2):SM Trace-> SA: I_SPI=B211EDCAC8ACC2D6 R_SPI=54DEC600BEFFAA70 (R) MsgID = 00000000 CurState: R_BLD_INIT Event: EV_GEN_SKEYID
*Jan 20 22:36:09.239: IKEv2:(SA ID = 2):Generate skeyid
*Jan 20 22:36:09.243: IKEv2:(SA ID = 2):SM Trace-> SA: I_SPI=B211EDCAC8ACC2D6 R_SPI=54DEC600BEFFAA70 (R) MsgID = 00000000 CurState: R_BLD_INIT Event: EV_GET_CONFIG_MODE
*Jan 20 22:36:09.243: IKEv2:No config data to send to toolkit:
*Jan 20 22:36:09.243: IKEv2:(SA ID = 2):SM Trace-> SA: I_SPI=B211EDCAC8ACC2D6 R_SPI=54DEC600BEFFAA70 (R) MsgID = 00000000 CurState: R_BLD_INIT Event: EV_BLD_MSG
*Jan 20 22:36:09.243: IKEv2:Construct Vendor Specific Payload: DELETE-REASON
*Jan 20 22:36:09.243: IKEv2:Construct Vendor Specific Payload: (CUSTOM)
*Jan 20 22:36:09.243: IKEv2:Construct Notify Payload: NAT_DETECTION_SOURCE_IP
*Jan 20 22:36:09.243: IKEv2:Construct Notify Payload: NAT_DETECTION_DESTINATION_IP
*Jan 20 22:36:09.243: IKEv2:Construct Notify Payload: HTTP_CERT_LOOKUP_SUPPORTED
*Jan 20 22:36:09.243: IKEv2:(SA ID = 2):Next payload: SA, version: 2.0 Exchange type: IKE_SA_INIT, flags: RESPONDER MSG-RESPONSE Message id: 0, length: 517
Payload contents:
SA Next payload: KE, reserved: 0x0, length: 48
last proposal: 0x0, reserved: 0x0, length: 44
Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4 last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA256
last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA256
last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_2048_MODP/Group 14
KE Next payload: N, reserved: 0x0, length: 264
DH group: 14, Reserved: 0x0
N Next payload: VID, reserved: 0x0, length: 24
VID Next payload: VID, reserved: 0x0, length: 23
VID Next payload: NOTIFY, reserved: 0x0, length: 21
NOTIFY(NAT_DETECTION_SOURCE_IP) Next payload: NOTIFY, reserved: 0x0, length: 28
Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP
NOTIFY(NAT_DETECTION_DESTINATION_IP) Next payload: CERTREQ, reserved: 0x0, length: 28
Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP
CERTREQ Next payload: NOTIFY, reserved: 0x0, length: 45
Cert encoding Hash and URL of PKIX
NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED) Next payload: NONE, reserved: 0x0, length: 8
Security protocol id: IKE, spi size: 0, type: HTTP_CERT_LOOKUP_SUPPORTED

*Jan 20 22:36:09.243: IKEv2:(SA ID = 2):SM Trace-> SA: I_SPI=B211EDCAC8ACC2D6 R_SPI=54DEC600BEFFAA70 (R) MsgID = 00000000 CurState: INIT_DONE Event: EV_DONE
*Jan 20 22:36:09.243: IKEv2:(SA ID = 2):Cisco DeleteReason Notify is enabled
*Jan 20 22:36:09.243: IKEv2:(SA ID = 2):SM Trace-> SA: I_SPI=B211EDCAC8ACC2D6 R_SPI=54DEC600BEFFAA70 (R) MsgID = 00000000 CurState: INIT_DONE Event: EV_CHK4_ROLE
*Jan 20 22:36:09.243: IKEv2:(SA ID = 2):SM Trace-> SA: I_SPI=B211EDCAC8ACC2D6 R_SPI=54DEC600BEFFAA70 (R) MsgID = 00000000 CurState: INIT_DONE Event: EV_START_TMR
*Jan 20 22:36:09.243: IKEv2:(SA ID = 2):SM Trace-> SA: I_SPI=B211EDCAC8ACC2D6 R_SPI=54DEC600BEFFAA70 (R) MsgID = 00000000 CurState: R_WAIT_AUTH Event: EV_NO_EVENT
*Jan 20 22:36:09.303: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=8ECCC7ED5ED76666 R_SPI=647A6C72A385E6B2 (R) MsgID = 00000000 CurState: R_WAIT_AUTH Event: EV_WAIT4_AUTH_TMO
*Jan 20 22:36:09.303: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=8ECCC7ED5ED76666 R_SPI=647A6C72A385E6B2 (R) MsgID = 00000000 CurState: AUTH_DONE Event: EV_FAIL
*Jan 20 22:36:09.303: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=8ECCC7ED5ED76666 R_SPI=647A6C72A385E6B2 (R) MsgID = 00000000 CurState: EXIT Event: EV_ABORT
*Jan 20 22:36:09.303: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=8ECCC7ED5ED76666 R_SPI=647A6C72A385E6B2 (R) MsgID = 00000000 CurState: EXIT Event: EV_CHK_PENDING_ABORT
*Jan 20 22:36:09.303: IKEv2:Negotiating SA request deleted
*Jan 20 22:36:09.303: IKEv2:Decrement count for incoming negotiating
*Jan 20 22:36:09.303: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=8ECCC7ED5ED76666 R_SPI=647A6C72A385E6B2 (R) MsgID = 00000000 CurState: EXIT Event: EV_UPDATE_CAC_STATS
Participant

Re: DMVPN ,EIGRP And IPsec with CA

Hi Dear All,

Now I have changed the configuration to the one below. After changing to this config, the tunnel is up and DMVPN is now working, but spoke 2 doesn't work. Let me know the pros and cons of the config below (fvrf any), and please help me troubleshoot why spoke 2 doesn't work.

crypto pki certificate map CERT-MAP-DMVPN-IKEv2 10
subject-name co crypto.local
!
crypto ikev2 proposal IKEv2-PROPOSAL
encryption aes-cbc-256 aes-cbc-192 3des
integrity sha512 sha256 md5
group 14 5 2
!
crypto ikev2 policy IKEv2-POLICY
match fvrf any
proposal IKEv2-PROPOSAL

!
crypto ikev2 profile DMVPN-ISAKMP-IKEv2
match certificate CERT-MAP-DMVPN-IKEv2
identity local fqdn cbtme-spoke.crypto.local
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint dmvpn-ca
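A reviewer comparing the two hub configurations in this thread (the first post's policy with "match address local" and a profile that matches a single remote address, and the working config above with "match fvrf any" and a certificate map) will want the trade-off made explicit. The new profile admits any certificate from the trustpoint whose subject contains crypto.local, which is what a multipoint tunnel with dynamically registering spokes needs; the new proposal, however, also offers 3DES, MD5 and DH groups 2 and 5, and in IKEv2 anything listed in a proposal is a real offer, so a peer that proposes only those legacy algorithms will be accepted. The script below is an added example for this thread, not Cisco tooling or any poster's code. BEFORE_HUB is taken from the hub's "show run" in the first post; AFTER_HUB is the snippet above plus a constructed "crypto ipsec profile" and "interface Tunnel1" so the tunnel-to-profile chain resolves. Two assumptions: the built-in default IKEv2 policy is ignored (only explicit policies count toward local-address coverage), and indentation is treated as optional because pasted configs usually lose it.

```python
"""Lint the IKEv2/IPsec part of a DMVPN hub config (added example, not Cisco tooling)."""
import re

WEAK = {  # legacy algorithms and DH groups a reviewer would flag in a proposal
    "encryption": {"des", "3des"},
    "integrity": {"md5"},
    "group": {"1", "2", "5"},
}
PREFIXES = ("crypto ikev2 proposal ", "crypto ikev2 policy ", "crypto ikev2 profile ",
            "crypto ipsec profile ", "crypto pki certificate map ", "interface ")

# Taken from the hub 'show run' quoted in the first post (unrelated lines omitted).
BEFORE_HUB = """\
crypto ikev2 proposal aes-cbc-256-proposal1
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy policy
 match address local 110.110.110.1
 proposal aes-cbc-256-proposal1
crypto ikev2 profile profile
 match identity remote address 120.120.120.2 255.255.255.255
crypto ipsec profile IPSecProfile
 set ikev2-profile profile
interface Tunnel1
 tunnel source 110.110.110.1
 tunnel mode gre multipoint
 tunnel protection ipsec profile IPSecProfile
"""

# The working config from the last post; the ipsec profile and Tunnel1 blocks are
# constructed here so the tunnel -> ipsec profile -> ikev2 profile chain resolves.
AFTER_HUB = """\
crypto pki certificate map CERT-MAP-DMVPN-IKEv2 10
 subject-name co crypto.local
crypto ikev2 proposal IKEv2-PROPOSAL
 encryption aes-cbc-256 aes-cbc-192 3des
 integrity sha512 sha256 md5
 group 14 5 2
crypto ikev2 policy IKEv2-POLICY
 match fvrf any
 proposal IKEv2-PROPOSAL
crypto ikev2 profile DMVPN-ISAKMP-IKEv2
 match certificate CERT-MAP-DMVPN-IKEv2
crypto ipsec profile IPSecProfile
 set ikev2-profile DMVPN-ISAKMP-IKEv2
interface Tunnel1
 tunnel source 110.110.110.1
 tunnel mode gre multipoint
 tunnel protection ipsec profile IPSecProfile
"""


def parse(config):
    """Map each tracked block prefix to {name: [sub-lines]}; indentation is optional."""
    tables = {p: {} for p in PREFIXES}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        prefix = next((p for p in PREFIXES if line.startswith(p)), None)
        if prefix:
            current = tables[prefix].setdefault(line[len(prefix):].split()[0], [])
        elif line in ("!", "end") or line.startswith(("crypto ", "router ")):
            current = None  # block separator, or a block this linter does not track
        elif line and current is not None:
            current.append(line)
    return tables


def policy_covers(body, local_addr):
    """No 'match address local' means any local address; otherwise it must name this one."""
    wanted = [l.split()[3] for l in body if l.startswith("match address local ")]
    return not wanted or local_addr in wanted


def lint(config):
    t = parse(config)
    findings = []
    # 1. Every algorithm in a proposal is negotiable, so a legacy entry is a real offer.
    for name, body in t["crypto ikev2 proposal "].items():
        for line in body:
            w = line.split()
            weak = set(w[1:]) & WEAK.get(w[0], set())
            if weak:
                findings.append(f"proposal {name}: legacy {w[0]} {' '.join(sorted(weak))} offered")
    for tname, body in t["interface "].items():
        src = next((l.split()[2] for l in body if l.startswith("tunnel source ")), None)
        prot = next((l.split()[4] for l in body if l.startswith("tunnel protection ipsec profile ")), None)
        if not tname.startswith("Tunnel") or src is None or prot is None:
            continue  # unprotected or non-tunnel interface: IKEv2 is never invoked for it
        # 2. The spoke-side symptom in this thread: 'No Matching policy ... local addr X'.
        if not any(policy_covers(p, src) for p in t["crypto ikev2 policy "].values()):
            findings.append(f"{tname}: no crypto ikev2 policy matches local address {src}")
        # 3. Follow tunnel -> ipsec profile -> ikev2 profile and check how peers are matched.
        ipsec = t["crypto ipsec profile "].get(prot, [])
        ike = next((l.split()[2] for l in ipsec if l.startswith("set ikev2-profile ")), None)
        for line in t["crypto ikev2 profile "].get(ike, []):
            m = re.match(r"match identity remote address (\S+) 255\.255\.255\.255$", line)
            if m and "tunnel mode gre multipoint" in body:
                findings.append(f"profile {ike}: remote identity limited to one host {m.group(1)} on multipoint {tname}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE_HUB), ("after", AFTER_HUB)):
        print(label, lint(cfg) or ["no findings"])
```

The "before" run reports only the single-host remote identity on the multipoint tunnel, which is the condition a second spoke cannot satisfy; the "after" run is clean on policy and identity and reports the three legacy entries in the proposal, which can be trimmed back to the AES/SHA-2/group 14 set the original proposal already used once every spoke is known to negotiate it.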
