DMVPN IPsec issue - spokes can't communicate

D@1984
Level 1

Hi,

I have a simple hub and 2 spokes topology, with OSPF routing.

After configuring DMVPN, my tunnels come up and spokes can ping each other and learn each other's routes.

However, after adding IPsec, although spokes still learn the routes via OSPF, I'm not able to ping one spoke from another (ping from spoke to hub works).

Looking at debugs, I see:

ISAKMP:(0):No pre-shared key with 192.168.2.1! - ***this is other spoke wan interface*** 

ISAKMP:(0): No Cert or pre-shared address key.

ISAKMP:(0): construct_initial_message: Can not start Main mode
ISAKMP: Unlocking peer struct 0x6AD6789C for isadb_unlock_peer_delete_sa(), count 0
ISAKMP: Deleting peer node by peer_reap for 192.168.2.1: 6AD6789C
ISAKMP:(0):purging SA., sa=6AD893F8, delme=6AD893F8
ISAKMP:(0):purging node -1228187533
ISAKMP: Error while processing SA request: Failed to initialize SA
ISAKMP: Error while processing KMI message 0, error 2.
IPSEC(key_engine): got a queue event with 1 KMI message(s)
IPSEC:(SESSION ID = 1) (ERROR) crypto_notify_rp Rejected notify RP, elapse time 0 < 1000


On the hub I have:

crypto isakmp policy 1
encr aes 256
hash sha256
group 2
crypto isakmp key cisco address 0.0.0.0
!
!
crypto ipsec transform-set myset esp-aes esp-sha256-hmac
mode tunnel
!
!
crypto ipsec profile myprofile
set transform-set myset

interface Tunnel0
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel protection ipsec profile myprofile

I have the same config on the spokes, but with:

crypto isakmp key cisco address ***address of hub wan interface***


Any idea where the problem could be?


Routerhub#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.168.3.1     192.168.2.1     QM_IDLE           1006 ACTIVE
192.168.3.1     192.168.1.1     QM_IDLE           1005 ACTIVE

spake1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.168.1.1     192.168.3.1     QM_IDLE           1004 ACTIVE

spoke2#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.168.2.1     192.168.3.1     QM_IDLE           1002 ACTIVE

12 Replies

This is not DMVPN, it is simply IPsec over GRE. And it is the wrong config with multipoint.

DMVPN needs the nhs/nhrp commands, which I don't see.

MHM

I didn't include the DMVPN config, but as far as I know it's working. As mentioned, before adding IPsec I could ping from spoke 1 to spoke 2.

Ohh ok.

The key must be configured with address 0.0.0.0

Because the IPsec tunnel is formed not only with the hub but also with the other spokes.

MHM

What Paul mentions is the same as what I suggest.

The spoke forms one IPsec session with the hub and others with the other spokes.

Under the spoke you specify the address of the hub in the isakmp key; that's why IPsec fails to form between spokes.

MHM

Hello,
try adding:

crypto isakmp policy 1
authentication pre-share 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

I have tried with authentication pre-share as well. Unfortunately it is still the same.

Hello

You need the same isakmp policy and ipsec config on both hub and spokes (including the pre-share authentication and key).


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

The config is exactly the same; the only difference is:

crypto isakmp key cisco address 0.0.0.0 (on hub)

crypto isakmp key cisco address 192.168.3.1  ( on spokes)


D@1984 wrote:

config is exactly the same the only difference is:

crypto isakmp key cisco address 0.0.0.0 (on hub)

crypto isakmp key cisco address 192.168.3.1  ( on spokes)


crypto isakmp key cisco address 0.0.0.0 (on spoke)


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
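The point made above (the spokes' isakmp key only covers the hub, so the ISAKMP initiator for a spoke-to-spoke tunnel has no key for the other spoke) can be checked mechanically. The script below is an added example written for this thread, not code from Cisco or from anyone posting here. It models the IOS pre-shared key lookup for each pair of DMVPN peers, using the addresses and key from the thread; the first-match-in-config-order behaviour and the "ok"/"no pre-shared key" status strings are assumptions of this model.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# A `crypto isakmp key <key> address <addr> [<mask>]` line. Without a mask the
# entry is a single host; `address 0.0.0.0` is the wildcard that matches any peer.
KEY_RE = re.compile(r"^\s*crypto isakmp key (\S+) address (\S+)(?:\s+(\S+))?\s*$")

KeyEntry = Tuple[str, ipaddress.IPv4Network]


def parse_keys(config: str) -> List[KeyEntry]:
    """Collect the pre-shared key entries from a router's config text."""
    entries: List[KeyEntry] = []
    for line in config.splitlines():
        m = KEY_RE.match(line)
        if not m:
            continue
        key, addr, mask = m.groups()
        if addr == "0.0.0.0":
            net = ipaddress.IPv4Network("0.0.0.0/0")          # wildcard entry
        elif mask:
            net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
        else:
            net = ipaddress.IPv4Network(f"{addr}/32")         # single host
        entries.append((key, net))
    return entries


def lookup_key(entries: List[KeyEntry], peer: str) -> Optional[str]:
    """Key this router would use toward `peer`: the first entry whose address
    range covers the peer (assumption: first match in config order)."""
    peer_ip = ipaddress.IPv4Address(peer)
    for key, net in entries:
        if peer_ip in net:
            return key
    return None


def check_dmvpn_keys(routers: Dict[str, Tuple[str, str]]) -> Dict[Tuple[str, str], str]:
    """`routers` maps name -> (WAN address, config). In DMVPN every spoke brings
    up ISAKMP with the hub and, for dynamic spoke-to-spoke tunnels, with every
    other spoke, so each unordered pair needs a matching key on both sides."""
    names = list(routers)
    keys = {n: parse_keys(routers[n][1]) for n in names}
    report: Dict[Tuple[str, str], str] = {}
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            addr_a, addr_b = routers[a][0], routers[b][0]
            key_a = lookup_key(keys[a], addr_b)
            key_b = lookup_key(keys[b], addr_a)
            if key_a is None:
                report[(a, b)] = f"{a}: no pre-shared key with {addr_b}"
            elif key_b is None:
                report[(a, b)] = f"{b}: no pre-shared key with {addr_a}"
            elif key_a != key_b:
                report[(a, b)] = "pre-shared keys differ"
            else:
                report[(a, b)] = "ok"
    return report


# Constructed config fragments reproducing the thread: hub key is wildcard,
# spokes originally key only the hub's WAN address 192.168.3.1.
HUB_CFG = "crypto isakmp key cisco address 0.0.0.0\n"
SPOKE_CFG_BEFORE = "crypto isakmp key cisco address 192.168.3.1\n"
SPOKE_CFG_AFTER = "crypto isakmp key cisco address 0.0.0.0\n"


def thread_topology(spoke_cfg: str) -> Dict[str, Tuple[str, str]]:
    """Hub and two spokes with the WAN addresses seen in the show output."""
    return {
        "hub": ("192.168.3.1", HUB_CFG),
        "spoke1": ("192.168.1.1", spoke_cfg),
        "spoke2": ("192.168.2.1", spoke_cfg),
    }


if __name__ == "__main__":
    for label, cfg in (("before", SPOKE_CFG_BEFORE), ("after", SPOKE_CFG_AFTER)):
        print(label)
        for (a, b), status in check_dmvpn_keys(thread_topology(cfg)).items():
            print(f"  {a} <-> {b}: {status}")
```

With the original spoke config the report for the spoke1/spoke2 pair is "spoke1: no pre-shared key with 192.168.2.1", the same condition the ISAKMP debug in the first post shows; with the wildcard key on the spokes every pair reports ok. The hub pairs are ok in both cases, which is why spoke-to-hub pings worked throughout.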

The requirement was to configure a static address for the spokes.

I'm doing this in EVE-NG and it's a weird one, as when I reboot the router it starts working!

The requirement is to use a static address? That's not correct. DMVPN needs to use key address 0.0.0.0, or use another authentication method such as router ID or similar.

"After that it works" <<- with the static address it works, but that does not mean the traffic is spoke-to-spoke; it can be spoke-hub-spoke.

Check show dmvpn to see if there is a dynamic tunnel built on each spoke.

MHM

So in the end, is this issue solved or NOT??

MHM