DMVPN is not working on back to back test setup

skrao_mandalapu
Level 1

Hi,

I am trying to test DMVPN on the back-to-back setup below. IPsec is not coming up.

R1 Fa1/0 [switch port] ----------------[switch port] Fa1/0 R2

hostname R1
!
interface Vlan1
ip address 172.16.1.1 255.255.255.252
!
interface lo0
ip address 1.1.1.1 255.255.255.255
!
ip route 0.0.0.0 0.0.0.0 172.16.1.2
!
interface Fa1/0
!
crypto isakmp policy 10
hash md5
authentication pre-share
!
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
!
crypto ipsec profile cisco
set security-association lifetime seconds 120
set transform-set strong
!
interface Tunnel0
ip address 192.168.1.1 255.255.255.0
no ip redirects
ip mtu 1440
ip nhrp authentication cisco123
ip nhrp map multicast dynamic
ip nhrp network-id 1
tunnel source 172.16.1.1
tunnel mode gre multipoint
tunnel key 0
tunnel protection ipsec profile cisco
!
router eigrp 90
network 1.1.1.1 0.0.0.0
network 192.168.1.0
no auto-summary
!

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

hostname R2
!
interface Vlan1
ip address 172.16.1.2 255.255.255.252
!
interface lo0
ip address 2.2.2.2 255.255.255.255
!
ip route 0.0.0.0 0.0.0.0 172.16.1.1
!
interface Fa1/0
!
crypto isakmp policy 10
hash md5
authentication pre-share
!
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
!
crypto ipsec profile cisco
set security-association lifetime seconds 120
set transform-set strong
!
interface Tunnel0
ip address 192.168.1.2 255.255.255.0
no ip redirects
ip mtu 1440
ip nhrp authentication cisco123
ip nhrp map multicast dynamic
ip nhrp map 192.168.1.1 172.16.1.1
ip nhrp map multicast 172.16.1.1
ip nhrp network-id 1
ip nhrp nhs 192.168.1.1
tunnel source 172.16.1.2
tunnel mode gre multipoint
tunnel key 0
tunnel protection ipsec profile cisco
!
router eigrp 90
network 2.2.2.2 0.0.0.0
network 192.168.1.0
no auto-summary
!

Regards

Siva Kondala Rao

3 Replies

nickbonifacio
Level 1

Hi Siva,

Can you do a "debug crypto ipsec" on both routers and see if you get any output?

Also, have you verified connectivity between 172.16.1.2 and 172.16.1.1?

The only other thing I would add under t0 is "ip nhrp holdtime x".

Thanks!

Nick

Nick Bonifacio CCIE #38473

Hi Nick,

I am able to ping the tunnel source IP address. I added "ip nhrp holdtime 5".

I am seeing the messages below on the R1 side.

R1#debug crypto ipsec sa
Crypto IPSEC debugging is on
R1#
*Oct 16 14:58:48.691: IPSEC(validate_proposal_request): proposal part #1
*Oct 16 14:58:48.691: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 172.16.1.1, remote= 172.16.1.2,
    local_proxy= 172.16.1.1/255.255.255.255/47/0 (type=1),
    remote_proxy= 172.16.1.2/255.255.255.255/47/0 (type=1),
    protocol= ESP, transform= NONE  (Transport),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Oct 16 14:58:48.691: map_db_find_best did not find matching map
*Oct 16 14:58:48.691: IPSEC(ipsec_process_proposal): proxy identities not supported
*Oct 16 14:58:48.691: IPSEC(validate_proposal_request): proposal part #1
*Oct 16 14:58:48.691: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 172.16.1.1, remote= 172.16.1.2,
    local_proxy= 172.16.1.1/255.255.255.255/47/0 (type=1),
    remote_proxy= 172.16.1.2/255.255.255.255/47/0 (type=1),
    protocol= ESP, transform= NONE  (Transport),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Oct 16 14:58:48.695: map_db_find_best did not find matching map
*Oct 16 14:58:48.695: IPSEC(ipsec_process_proposal): proxy identities not supported
*Oct 16 14:58:48.695: IPSEC(ipsec_process_proposal): proxy identities not supported
R1#

R2 side:

R2#debug crypto ipsec
Crypto IPSEC debugging is on
R2#
*Oct 16 14:39:23.855: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 172.16.1.2, remote= 172.16.1.1,
    local_proxy= 172.16.1.2/255.255.255.255/47/0 (type=1),
    remote_proxy= 172.16.1.1/255.255.255.255/47/0 (type=1)
*Oct 16 14:39:23.855: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 172.16.1.2, remote= 172.16.1.1,
    local_proxy= 172.16.1.2/255.255.255.255/47/0 (type=1),
    remote_proxy= 172.16.1.1/255.255.255.255/47/0 (type=1),
    protocol= ESP, transform= esp-aes esp-sha-hmac  (Transport),
    lifedur= 120s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x2000
*Oct 16 14:39:23.855: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 172.16.1.2, remote= 172.16.1.1,
    local_proxy= 172.16.1.2/255.255.255.255/47/0 (type=1),
    remote_proxy= 172.16.1.1/255.255.255.255/47/0 (type=1),
    protocol= ESP, transform= esp-3des esp-sha-hmac  (Transport),
    lifedur= 120s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
R2#

++++++++++++++++++++++++++++++++++++++++++++++++++++++++

R1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
172.16.1.1      172.16.1.2      QM_IDLE           1002 ACTIVE

IPv6 Crypto ISAKMP SA

R1#sh crypto ipsec sa

R1#sh crypto isakmp profile

R1#sh crypto ipsec profile
IPSEC profile cisco
Security association lifetime: 4608000 kilobytes/120 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Transform sets={
  strong:  { esp-3des esp-md5-hmac  } ,
}

R2#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
172.16.1.1      172.16.1.2      QM_IDLE           1002 ACTIVE

IPv6 Crypto ISAKMP SA

R2#sh crypto ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 172.16.1.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.16.1.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (172.16.1.1/255.255.255.255/47/0)
   current_peer 172.16.1.1 port 500
     PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 2603, #recv errors 0

     local crypto endpt.: 172.16.1.2, remote crypto endpt.: 172.16.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb Vlan1
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:
R2#sh crypto isakmp profile

R2#sh crypto ipsec profile
IPSEC profile cisco
Security association lifetime: 4608000 kilobytes/120 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Transform sets={
  strong:  { esp-3des esp-md5-hmac  } ,
}

Regards

Siva Kondala Rao
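The two debugs above can be compared mechanically. R2's sa_request records propose esp-aes esp-sha-hmac and esp-3des esp-sha-hmac, while R1's "show crypto ipsec profile" lists only esp-3des esp-md5-hmac, and IKEv1 quick mode needs the proposed ESP transforms to equal one of the responder's configured transform sets before an IPsec SA can be built. The script below is an added example, not part of the thread: it parses the initiator's "debug crypto ipsec" records and the responder's "show crypto ipsec profile" output (both excerpts constructed from the thread) and reports which proposals a local transform set would accept. The regexes are written against the output format shown on this page only; the function names are chosen here.

```python
import re

# Constructed excerpt of R2's "debug crypto ipsec" output (the initiator),
# copied from the thread above; sample input for this script only.
R2_DEBUG = """\
*Oct 16 14:39:23.855: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 172.16.1.2, remote= 172.16.1.1,
    local_proxy= 172.16.1.2/255.255.255.255/47/0 (type=1),
    remote_proxy= 172.16.1.1/255.255.255.255/47/0 (type=1),
    protocol= ESP, transform= esp-aes esp-sha-hmac  (Transport),
    lifedur= 120s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x2000
*Oct 16 14:39:23.855: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 172.16.1.2, remote= 172.16.1.1,
    local_proxy= 172.16.1.2/255.255.255.255/47/0 (type=1),
    remote_proxy= 172.16.1.1/255.255.255.255/47/0 (type=1),
    protocol= ESP, transform= esp-3des esp-sha-hmac  (Transport),
    lifedur= 120s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
"""

# Constructed excerpt of R1's "show crypto ipsec profile" (the responder).
R1_PROFILE = """\
IPSEC profile cisco
Security association lifetime: 4608000 kilobytes/120 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Transform sets={
  strong:  { esp-3des esp-md5-hmac  } ,
}
"""

TRANSFORM_RE = re.compile(r"transform=\s*(.+?)\s+\((\w+)\)")


def parse_proposals(debug_text):
    """One dict per debug record that names a transform. Records printing
    'transform= NONE' (the responder found nothing to match) are skipped."""
    proposals = []
    for record in re.split(r"(?m)^\*", debug_text):   # one record per timestamp
        m = TRANSFORM_RE.search(record)
        if not m or m.group(1).strip() == "NONE":
            continue
        keysize = re.search(r"keysize=\s*(\d+)", record)
        proposals.append({
            "direction": "OUTBOUND" if "OUTBOUND" in record else "INBOUND",
            "transform": frozenset(m.group(1).split()),
            "mode": m.group(2),
            "keysize": int(keysize.group(1)) if keysize else 0,
        })
    return proposals


def parse_profile_transform_sets(show_text):
    """Map transform-set name -> frozenset of ESP transforms, read from the
    'Transform sets={ ... }' block of 'show crypto ipsec profile'."""
    sets, inside = {}, False
    for line in show_text.splitlines():
        if line.startswith("Transform sets={"):
            inside = True
        elif inside and line.strip().startswith("}"):
            break
        elif inside:
            m = re.match(r"\s*(\S+):\s*\{\s*([^}]*?)\s*\}", line)
            if m:
                sets[m.group(1)] = frozenset(m.group(2).split())
    return sets


def match_proposals(proposals, profile_sets):
    """Pair each proposed transform with the local set whose algorithms equal
    it exactly, or None when the responder has nothing that matches."""
    out = []
    for p in proposals:
        hit = next((n for n, algs in profile_sets.items() if algs == p["transform"]), None)
        out.append((" ".join(sorted(p["transform"])), hit))
    return out


def diagnose(debug_text, show_text):
    """Human-readable verdict per proposal."""
    return [f"{t}: {'accepted by ' + n if n else 'no local transform set matches'}"
            for t, n in match_proposals(parse_proposals(debug_text),
                                         parse_profile_transform_sets(show_text))]


if __name__ == "__main__":
    for line in diagnose(R2_DEBUG, R1_PROFILE):
        print(line)
```

Run against the excerpts from this thread it reports that neither of R2's proposals is accepted by R1's only transform set; feeding it the same debug with a profile containing esp-3des esp-sha-hmac shows the second proposal matching, which is the check to repeat after changing either side's transform set.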

Hi Siva,

What is the router model number and version of IOS you are using?

Also, are you using the protection profile on any other tunnels on the router, i.e. t3, t4, etc.? If you are, you will need to change "tunnel protection ipsec profile cisco" to "tunnel protection ipsec profile cisco shared".

Thanks!

Nick

Nick Bonifacio CCIE #38473
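The replies above point at three things that can be checked in the configuration text itself: whether the transform set a profile references is actually defined (in the R2 posting that line appeared prefixed with "!", which the IOS CLI treats as a comment and ignores), whether the same IPsec profile is bound to more than one tunnel without the "shared" keyword, and whether "ip nhrp holdtime" was set. As an added example that is not part of the thread, the script below audits a pasted running-config for those three conditions. The sample config is constructed from the R2 posting with a second tunnel added so the "shared" case is exercised; the finding codes and function names are chosen here.

```python
import re

# Constructed IOS running-config, modelled on the R2 posting in this thread
# with a second mGRE tunnel added. Sample input for this script only.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 hash md5
 authentication pre-share
!
!crypto ipsec transform-set strong esp-3des esp-md5-hmac
!
crypto ipsec profile cisco
 set security-association lifetime seconds 120
 set transform-set strong
!
interface Tunnel0
 ip address 192.168.1.2 255.255.255.0
 ip nhrp network-id 1
 ip nhrp nhs 192.168.1.1
 tunnel source 172.16.1.2
 tunnel mode gre multipoint
 tunnel key 0
 tunnel protection ipsec profile cisco
!
interface Tunnel1
 ip address 192.168.2.2 255.255.255.0
 ip nhrp network-id 2
 ip nhrp holdtime 300
 tunnel source 172.16.1.2
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile cisco
!
"""

# Headers whose following lines are sub-commands even in a paste that lost
# its leading spaces (as the configs in this thread did).
CONTAINERS = ("interface ", "crypto isakmp policy ", "crypto ipsec profile ", "router ")


def parse_sections(config_text):
    """Split a running-config into (header, [sub-command]) blocks."""
    sections, current = [], None
    for raw in config_text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped == "!":
            current = None            # a bare '!' closes the block
            continue
        if stripped.startswith("!"):
            continue                  # commented-out line: configures nothing
        is_child = raw.startswith(" ") or (current is not None and current[0].startswith(CONTAINERS))
        if is_child and current is not None:
            current[1].append(stripped)
        else:
            current = (stripped, [])
            sections.append(current)
    return sections


def audit(config_text):
    """Return (code, object, detail) findings for the three checks above."""
    defined_ts, profiles, tunnels = set(), {}, {}
    for header, children in parse_sections(config_text):
        if m := re.match(r"crypto ipsec transform-set (\S+)", header):
            defined_ts.add(m.group(1))
        elif m := re.match(r"crypto ipsec profile (\S+)", header):
            refs = [c.split()[2:] for c in children if c.startswith("set transform-set ")]
            profiles[m.group(1)] = {name for group in refs for name in group}
        elif m := re.match(r"interface (Tunnel\d+)", header):
            tunnels[m.group(1)] = children

    findings = []
    for prof, names in profiles.items():
        for ts in names - defined_ts:
            findings.append(("undefined-transform-set", prof,
                             f"set transform-set {ts} has no matching crypto ipsec transform-set"))

    users = {}   # profile name -> [(tunnel, has 'shared' keyword)]
    for tun, children in tunnels.items():
        for c in children:
            if m := re.match(r"tunnel protection ipsec profile (\S+)(\s+shared)?", c):
                users.setdefault(m.group(1), []).append((tun, bool(m.group(2))))
        if any(c.startswith("ip nhrp ") for c in children) and \
                not any(c.startswith("ip nhrp holdtime ") for c in children):
            findings.append(("nhrp-holdtime-default", tun, "no ip nhrp holdtime configured"))
    for prof, uses in users.items():
        if len(uses) > 1:
            for tun, shared in uses:
                if not shared:
                    others = [t for t, _ in uses if t != tun]
                    findings.append(("profile-not-shared", tun,
                                     f"profile {prof} is also used by {others} but lacks 'shared'"))
    return findings


if __name__ == "__main__":
    for code, obj, detail in audit(SAMPLE_CONFIG):
        print(f"{code:24} {obj:10} {detail}")
```

The parser accepts both a normally indented "show running-config" and a flattened paste like the ones in this thread, so it can be run directly on the text from a forum post before anyone touches the routers.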