10-16-2012 04:31 AM - edited 03-04-2019 05:52 PM
Hi,
I am trying to check DMVPN on the back-to-back setup below. IPSec is not coming up.
R1 Fa1/0 [switch port] ----------------[switch port] Fa1/0 R2
hostname R1
!
interface Vlan1
ip address 172.16.1.1 255.255.255.252
!
interface lo0
ip address 1.1.1.1 255.255.255.255
!
ip route 0.0.0.0 0.0.0.0 172.16.1.2
!
interface Fa1/0
!
crypto isakmp policy 10
hash md5
authentication pre-share
!
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
!
crypto ipsec profile cisco
set security-association lifetime seconds 120
set transform-set strong
!
interface Tunnel0
ip address 192.168.1.1 255.255.255.0
no ip redirects
ip mtu 1440
ip nhrp authentication cisco123
ip nhrp map multicast dynamic
ip nhrp network-id 1
tunnel source 172.16.1.1
tunnel mode gre multipoint
tunnel key 0
tunnel protection ipsec profile cisco
!
router eigrp 90
network 1.1.1.1 0.0.0.0
network 192.168.1.0
no auto-summary
!
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
hostname R2
!
interface Vlan1
ip address 172.16.1.2 255.255.255.252
!
interface lo0
ip address 2.2.2.2 255.255.255.255
!
ip route 0.0.0.0 0.0.0.0 172.16.1.1
!
interface Fa1/0
!
crypto isakmp policy 10
hash md5
authentication pre-share
!
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
!crypto ipsec transform-set strong esp-3des esp-md5-hmac
!
crypto ipsec profile cisco
set security-association lifetime seconds 120
set transform-set strong
!
interface Tunnel0
ip address 192.168.1.2 255.255.255.0
no ip redirects
ip mtu 1440
ip nhrp authentication cisco123
ip nhrp map multicast dynamic
ip nhrp map 192.168.1.1 172.16.1.1
ip nhrp map multicast 172.16.1.1
ip nhrp network-id 1
ip nhrp nhs 192.168.1.1
tunnel source 172.16.1.2
tunnel mode gre multipoint
tunnel key 0
tunnel protection ipsec profile cisco
!
router eigrp 90
network 2.2.2.2 0.0.0.0
network 192.168.1.0
no auto-summary
!
Regards
Siva Kondala Rao
10-16-2012 04:42 AM
Hi Siva,
Can you do a "debug crypto ipsec" on both routers and see if you get any output?
Also, have you verified connectivity between 172.16.1.2 and 172.16.1.1?
The only thing else I would add under t0 is "ip nhrp holdtime x"
Thanks!
Nick
10-16-2012 07:29 AM
Hi Nick,
I am able to ping the tunnel source IP address. I gave "ip nhrp holdtime 5".
I am seeing the messages below on the R1 side.
R1#debug crypto ipsec sa
Crypto IPSEC debugging is on
R1#
*Oct 16 14:58:48.691: IPSEC(validate_proposal_request): proposal part #1
*Oct 16 14:58:48.691: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 172.16.1.1, remote= 172.16.1.2,
local_proxy= 172.16.1.1/255.255.255.255/47/0 (type=1),
remote_proxy= 172.16.1.2/255.255.255.255/47/0 (type=1),
protocol= ESP, transform= NONE (Transport),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Oct 16 14:58:48.691: map_db_find_best did not find matching map
*Oct 16 14:58:48.691: IPSEC(ipsec_process_proposal): proxy identities not supported
*Oct 16 14:58:48.691: IPSEC(validate_proposal_request): proposal part #1
*Oct 16 14:58:48.691: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 172.16.1.1, remote= 172.16.1.2,
local_proxy= 172.16.1.1/255.255.255.255/47/0 (type=1),
remote_proxy= 172.16.1.2/255.255.255.255/47/0 (type=1),
protocol= ESP, transform= NONE (Transport),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Oct 16 14:58:48.695: map_db_find_best did not find matching map
*Oct 16 14:58:48.695: IPSEC(ipsec_process_proposal): proxy identities not supported
*Oct 16 14:58:48.695: IPSEC(ipsec_process_proposal): proxy identities not supported
R1#
R2 side:
R2#debug crypto ipsec
Crypto IPSEC debugging is on
R2#
*Oct 16 14:39:23.855: IPSEC(key_engine): request timer fired: count = 1,
(identity) local= 172.16.1.2, remote= 172.16.1.1,
local_proxy= 172.16.1.2/255.255.255.255/47/0 (type=1),
remote_proxy= 172.16.1.1/255.255.255.255/47/0 (type=1)
*Oct 16 14:39:23.855: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 172.16.1.2, remote= 172.16.1.1,
local_proxy= 172.16.1.2/255.255.255.255/47/0 (type=1),
remote_proxy= 172.16.1.1/255.255.255.255/47/0 (type=1),
protocol= ESP, transform= esp-aes esp-sha-hmac (Transport),
lifedur= 120s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x2000
*Oct 16 14:39:23.855: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 172.16.1.2, remote= 172.16.1.1,
local_proxy= 172.16.1.2/255.255.255.255/47/0 (type=1),
remote_proxy= 172.16.1.1/255.255.255.255/47/0 (type=1),
protocol= ESP, transform= esp-3des esp-sha-hmac (Transport),
lifedur= 120s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
R2#
++++++++++++++++++++++++++++++++++++++++++++++++++++++++
R1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
172.16.1.1 172.16.1.2 QM_IDLE 1002 ACTIVE
IPv6 Crypto ISAKMP SA
R1#sh crypto ipsec sa
R1#sh crypto isakmp profile
R1#sh crypto ipsec profile
IPSEC profile cisco
Security association lifetime: 4608000 kilobytes/120 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Transform sets={
strong: { esp-3des esp-md5-hmac } ,
}
R2#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
172.16.1.1 172.16.1.2 QM_IDLE 1002 ACTIVE
IPv6 Crypto ISAKMP SA
R2#sh crypto ipsec sa
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 172.16.1.2
protected vrf: (none)
local ident (addr/mask/prot/port): (172.16.1.2/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (172.16.1.1/255.255.255.255/47/0)
current_peer 172.16.1.1 port 500
PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 2603, #recv errors 0
local crypto endpt.: 172.16.1.2, remote crypto endpt.: 172.16.1.1
path mtu 1500, ip mtu 1500, ip mtu idb Vlan1
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
R2# sh crypto isakmp profile
R2#sh crypto ipsec profile
IPSEC profile cisco
Security association lifetime: 4608000 kilobytes/120 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Transform sets={
strong: { esp-3des esp-md5-hmac } ,
}
Regards
Siva Kondala Rao
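As an added example (not from the thread), a small Python check that cross-references the transforms R2 proposes in its "debug crypto ipsec" output against the transform sets R1 lists under "sh crypto ipsec profile"; the sample strings are constructed from the outputs posted above, and an empty intersection means Quick Mode has no proposal both sides accept.

```python
import re

# Constructed sample: the "transform=" lines R2 printed under "debug crypto ipsec"
# above (initiator side, one line per proposal part).
R2_DEBUG = """\
*Oct 16 14:39:23.855: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 172.16.1.2, remote= 172.16.1.1,
protocol= ESP, transform= esp-aes esp-sha-hmac (Transport),
*Oct 16 14:39:23.855: IPSEC(sa_request): ,
protocol= ESP, transform= esp-3des esp-sha-hmac (Transport),
"""

# Constructed sample: the transform-set section R1 printed under "sh crypto ipsec profile".
R1_PROFILE = """\
IPSEC profile cisco
Transform sets={
strong: { esp-3des esp-md5-hmac } ,
}
"""

TRANSFORM_RE = re.compile(r"transform=\s*([^(]+?)\s*\(")
PROFILE_RE = re.compile(r"^\s*\S+:\s*\{\s*([^}]+?)\s*\}", re.M)


def proposed_transforms(debug_text):
    """Transform combinations the initiator proposed, as frozensets of transform names.
    'NONE' (what IOS prints when no proposal part was accepted) is skipped."""
    out = set()
    for m in TRANSFORM_RE.finditer(debug_text):
        names = m.group(1).split()
        if names != ["NONE"]:
            out.add(frozenset(names))
    return out


def configured_transforms(profile_text):
    """Transform sets listed under 'Transform sets={ ... }' in a profile, same shape."""
    return {frozenset(m.group(1).split()) for m in PROFILE_RE.finditer(profile_text)}


def matching_transforms(debug_text, profile_text):
    """Transform sets both peers support; empty means the responder rejects every proposal."""
    return proposed_transforms(debug_text) & configured_transforms(profile_text)


if __name__ == "__main__":
    print("initiator proposes:", [sorted(s) for s in proposed_transforms(R2_DEBUG)])
    print("responder accepts: ", [sorted(s) for s in configured_transforms(R1_PROFILE)])
    common = matching_transforms(R2_DEBUG, R1_PROFILE)
    print("common:", [sorted(s) for s in common] or "none (transform-set mismatch)")
```

Run against the two outputs in the thread, the script reports no common transform set, which matches the "proxy identities not supported" / "transform= NONE" lines R1 logs for each proposal.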
10-16-2012 07:42 AM
Hi Siva,
What is the router model number and version of IOS you are using?
Also, are you using the protection profile on any other tunnels on the router, i.e. t3, t4, etc.? If you are, you will need to change
"tunnel protection ipsec profile cisco" to "tunnel protection ipsec profile cisco shared".
Thanks!
Nick