02-05-2014 04:19 PM - edited 03-04-2019 10:16 PM
Hi,
We have a bunch of home offices which I am connecting over DMVPN.
The setup is working fine when I am not using IPSec, but when I am configuring IPSec the tunnel goes down after 15 min and fails to renegotiate the ISAKMP key.
If I am not implementing IPSec, the setup does not work with 3G or 4G modems, but DSL broadband works fine.
If I am implementing IPSec, then vice versa. I am totally clueless what is going on..
The topology is like:
HUB---------------Internet--------DSL broadband----------(DHCP ip to)------------>Spoke
Here is my config:
HUB without IPSec
_____________________
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 3600
crypto isakmp key XXXX address 0.0.0.0 0.0.0.0
interface Tunnel0
ip address 172.18.18.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication XXXX
ip nhrp map multicast dynamic
ip nhrp network-id 200
ip nhrp registration no-unique
ip tcp adjust-mss 1360
delay 1000
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key 150
SPOKE without IPSec
---------------------------------
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 3600
crypto isakmp key XXXX address <hub public ip>
interface Tunnel0
bandwidth 1024
ip address 172.18.18.2 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication XXXX
ip nhrp map multicast <hub public ip>
ip nhrp map 172.18.18.1 <hub public ip>
ip nhrp network-id 200
ip nhrp nhs 172.18.18.1
ip tcp adjust-mss 1360
delay 1000
tunnel source FastEthernet4
tunnel destination <public ip>
tunnel key 150
---------------------------------------------------------------------------------------------------------------------
IPSEC config for hub
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 3600
crypto isakmp key XXXX address 0.0.0.0 0.0.0.0
crypto ipsec transform-set yyyy esp-3des esp-md5-hmac
!
crypto ipsec profile prof1
set security-association lifetime seconds 900
set transform-set yyyy
interface Tunnel0
bandwidth 1024
ip address 172.18.18.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication XXXX
ip nhrp map multicast <hub public ip>
ip nhrp map 172.18.18.1 <hub public ip>
ip nhrp network-id 200
ip nhrp nhs 172.18.18.1
ip tcp adjust-mss 1360
delay 1000
tunnel source FastEthernet4
tunnel destination <hub public ip>
tunnel key 150
tunnel protection ipsec profile prof1
Spoke With IPSEC
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 3600
crypto isakmp key XXXX address <hub public ip>
crypto ipsec transform-set yyyy esp-3des esp-md5-hmac
!
crypto ipsec profile prof1
set security-association lifetime seconds 900
set transform-set yyyy
interface Tunnel0
bandwidth 1024
ip address 172.18.18.2 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication XXXX
ip nhrp map multicast <hub public ip>
ip nhrp map 172.18.18.1 <hub public ip>
ip nhrp network-id 200
ip nhrp nhs 172.18.18.1
ip tcp adjust-mss 1360
delay 1000
tunnel source FastEthernet4
tunnel destination <public ip>
tunnel key 150
tunnel protection ipsec profile prof1
There is no firewall between hub and spoke to block any ports and no NAT.
02-08-2014 09:37 AM
Hello, Asif.
To troubleshoot isakmp, you need to use "debug crypto isakmp" (please collect logs during the issue).
I would also suggest adding the commands:
crypto isakmp invalid-spi
crypto isakmp keepalive 10 3
PS: if you connect home offices, it could be better to use EasyVPN instead of DMVPN (less admin and deployment overhead + support for end-stations).
02-08-2014 09:40 AM
PS:
3G/4G doesn't work without IPSec, as providers assign you private IP addresses and do not forward GRE traffic to you (going from Hub to Spoke).
I have no idea why DSL does not work with IPSec in your case... it's better to ask your provider if they block ESP traffic.
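As an added illustration (not part of the thread, and not code from any of the posters), a small Python check over the spoke IPSec config posted above: it pulls out the ISAKMP and IPsec SA lifetimes (the 900 s SA lifetime equals the 15-minute drop interval reported in the first post), reports whether the two ISAKMP commands recommended in the reply are present, and classifies the spoke's WAN address as public or RFC 1918/CGNAT, which is the condition given for plain GRE failing on 3G/4G. The config text and the sample addresses are constructed for the example, not taken from a device.

```python
import ipaddress
import re

# Constructed sample: the spoke IPsec config as posted in the thread, placeholders kept.
SPOKE_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key XXXX address <hub public ip>
crypto ipsec transform-set yyyy esp-3des esp-md5-hmac
crypto ipsec profile prof1
 set security-association lifetime seconds 900
 set transform-set yyyy
interface Tunnel0
 tunnel protection ipsec profile prof1
"""

# RFC 1918 ranges plus RFC 6598 shared address space (100.64.0.0/10), which mobile
# carriers commonly hand out behind carrier-grade NAT.
NAT_RANGES = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]


def audit_dmvpn_config(config: str, wan_ip: str) -> dict:
    """Extract the values the thread turns on and classify the spoke's WAN address."""
    result = {}
    m = re.search(r"^\s*set security-association lifetime seconds (\d+)", config, re.M)
    sa = int(m.group(1)) if m else 3600            # IOS default when the profile sets none
    result["ipsec_sa_lifetime_s"] = sa
    result["ipsec_sa_lifetime_min"] = sa // 60     # 900 s -> 15 min, the reported drop interval
    m = re.search(r"^\s*lifetime (\d+)", config, re.M)   # ISAKMP policy lifetime
    result["isakmp_lifetime_s"] = int(m.group(1)) if m else 86400
    # The two global commands recommended in the reply above
    result["has_keepalive"] = re.search(r"^crypto isakmp keepalive", config, re.M) is not None
    result["has_invalid_spi"] = re.search(r"^crypto isakmp invalid-spi", config, re.M) is not None
    addr = ipaddress.ip_address(wan_ip)
    result["wan_behind_carrier_nat"] = any(addr in net for net in NAT_RANGES)
    # Hub-initiated plain GRE can only reach a spoke whose WAN address is globally routable
    result["plain_gre_hub_to_spoke_ok"] = not result["wan_behind_carrier_nat"]
    return result


if __name__ == "__main__":
    # Constructed sample addresses: a CGNAT-style one and a documentation-range public one
    for ip in ("100.64.1.2", "203.0.113.7"):
        print(ip, audit_dmvpn_config(SPOKE_CONFIG, ip))
```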
02-10-2014 01:11 PM
Hi Mikhail,
Thank you for the excellent answers.
I implemented two tunnels, one with IPSec for 3G/4G and one with plain GRE for DSL, by getting two internet connections, and now it is working fine.
But I am looking for a more hassle-free solution. I read your EasyVPN suggestion, but how is it different from DMVPN?
Can I implement both EasyVPN and DMVPN on a single router and a single internet connection as a failover to one another?
02-11-2014 12:30 AM
Hello, Asif.
If EasyVPN suits you, then there is no need for DMVPN.
EasyVPN is much simpler than DMVPN in terms of client configuration! It also supports user authentication, so you could use cisco client to establish VPN from laptops.
PS: I recommend you investigate the issue on your DSL with IPSec, as the issue could affect some other traffic as well.