DMVPN over IPSec

mdasifsm1 (Level 1)

Hi,

We have a bunch of home offices which I am connecting over DMVPN.

The setup is working fine when I am not using IPSec, but when I configure IPSec the tunnel goes down after 15 min and fails to renegotiate the ISAKMP key.

If I do not implement IPSec, the setup is not working with 3G or 4G modems, but DSL broadband is working fine.

If I implement IPSec, then vice versa. I am totally clueless what is going on.

Topology is like:

HUB---------------Internet--------DSL broadband----------(DHCP ip to)------------>Spoke

Here is my config.

HUB without IPSec
_____________________

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key XXXX address 0.0.0.0 0.0.0.0
interface Tunnel0
 ip address 172.18.18.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication XXXX
 ip nhrp map multicast dynamic
 ip nhrp network-id 200
 ip nhrp registration no-unique
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 150

SPOKE without IPSec
---------------------------------

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key XXXX address <hub public ip>
interface Tunnel0
 bandwidth 1024
 ip address 172.18.18.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication XXXX
 ip nhrp map multicast <hub public ip>
 ip nhrp map 172.18.18.1 <hub public ip>
 ip nhrp network-id 200
 ip nhrp nhs 172.18.18.1
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source FastEthernet4
 tunnel destination <public ip>
 tunnel key 150

---------------------------------

IPSEC config for hub

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key XXXX address 0.0.0.0 0.0.0.0
crypto ipsec transform-set yyyy esp-3des esp-md5-hmac
!
crypto ipsec profile prof1
 set security-association lifetime seconds 900
 set transform-set yyyy
interface Tunnel0
 bandwidth 1024
 ip address 172.18.18.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication XXXX
 ip nhrp map multicast <hub public ip>
 ip nhrp map 172.18.18.1 <hub public ip>
 ip nhrp network-id 200
 ip nhrp nhs 172.18.18.1
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source FastEthernet4
 tunnel destination <hub public ip>
 tunnel key 150
 tunnel protection ipsec profile prof1

Spoke With IPSEC

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key XXXX address <hub public ip>
crypto ipsec transform-set yyyy esp-3des esp-md5-hmac
!
crypto ipsec profile prof1
 set security-association lifetime seconds 900
 set transform-set yyyy
interface Tunnel0
 bandwidth 1024
 ip address 172.18.18.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication XXXX
 ip nhrp map multicast <hub public ip>
 ip nhrp map 172.18.18.1 <hub public ip>
 ip nhrp network-id 200
 ip nhrp nhs 172.18.18.1
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source FastEthernet4
 tunnel destination <public ip>
 tunnel key 150
 tunnel protection ipsec profile prof1

There is no firewall between hub and spoke to block any ports and no NAT.
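As an added example (not code from the thread or from Cisco), the checker below is a hypothetical Python script that parses pasted IOS-style hub and spoke configs like the ones above, extracts the parameters that must agree on both ends of a DMVPN tunnel (tunnel key, NHRP network-id and authentication, ISAKMP policy, the transform set the IPsec profile resolves to), and flags hub-side lines that are spoke-style settings, plus the configured IPsec SA lifetime in minutes and whether DPD (`crypto isakmp keepalive`) is present. It only recognises commands that appear in the posted configs; the sample configs are constructed to mirror them, placeholders included.

```python
# Hypothetical DMVPN hub/spoke consistency checker (added example, not from the thread).
# Parses pasted IOS-style config text (blank lines and lost indentation tolerated),
# pulls out the settings that must agree between hub and spoke, and reports mismatches
# plus hub-side lines that belong on a spoke. Sample configs are constructed, placeholders kept.
import re

BLOCK_HEADERS = ("interface ", "crypto isakmp policy ", "crypto ipsec profile ")

def parse_ios(text):
    """Return (top-level 'crypto ...' lines, {block header: child lines})."""
    toplevel, blocks, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue                        # forum pastes put blank lines between commands
        if line == "!":
            current = None                  # '!' ends the current block
        elif line.startswith(BLOCK_HEADERS):
            current = line
            blocks[current] = []
        elif line.startswith("crypto "):
            toplevel.append(line)           # single-line global command also ends a block
            current = None
        elif current is not None:
            blocks[current].append(line)
        else:
            toplevel.append(line)
    return toplevel, blocks

def _value(prefix, lines):
    """Text after `prefix` on the first line that starts with it, else None."""
    return next((l[len(prefix):].strip() for l in lines if l.startswith(prefix)), None)

def tunnel_facts(cfg_text):
    """Settings relevant to the DMVPN tunnel on one router."""
    toplevel, blocks = parse_ios(cfg_text)
    tun = next((b for h, b in blocks.items() if h.startswith("interface Tunnel")), [])
    pol = next((b for h, b in blocks.items() if h.startswith("crypto isakmp policy")), [])
    sets = {m.group(1): tuple(m.group(2).split()) for m in
            (re.match(r"crypto ipsec transform-set (\S+) (.+)", l) for l in toplevel) if m}
    profile = _value("tunnel protection ipsec profile ", tun)
    prof = blocks.get(f"crypto ipsec profile {profile}", []) if profile else []
    return {
        "tunnel_key": _value("tunnel key ", tun),
        "nhrp_id": _value("ip nhrp network-id ", tun),
        "nhrp_auth": _value("ip nhrp authentication ", tun),
        "isakmp_policy": tuple(sorted(pol)),
        "multipoint": "tunnel mode gre multipoint" in tun,
        "destination": _value("tunnel destination ", tun),
        "nhs": _value("ip nhrp nhs ", tun),
        "profile": profile,
        "transforms": sets.get(_value("set transform-set ", prof)),  # resolved via the set name
        "sa_lifetime": _value("set security-association lifetime seconds ", prof),
        "dpd": any(l.startswith("crypto isakmp keepalive") for l in toplevel),
    }

def check_pair(hub_cfg, spoke_cfg):
    """Findings for a hub/spoke pair; an empty list means nothing to flag."""
    hub, spoke = tunnel_facts(hub_cfg), tunnel_facts(spoke_cfg)
    findings = []
    for key in ("tunnel_key", "nhrp_id", "nhrp_auth", "isakmp_policy", "transforms"):
        if hub[key] != spoke[key]:
            findings.append(f"mismatch {key}: hub={hub[key]} spoke={spoke[key]}")
    if bool(hub["profile"]) != bool(spoke["profile"]):
        findings.append("tunnel protection configured on one side only")
    if not hub["multipoint"]:
        findings.append("hub Tunnel0 lacks 'tunnel mode gre multipoint'")
    if hub["destination"]:
        findings.append("hub Tunnel0 has a static 'tunnel destination' (spoke-style line)")
    if hub["nhs"]:
        findings.append("hub Tunnel0 has 'ip nhrp nhs' (spoke-style line)")
    if not spoke["nhs"]:
        findings.append("spoke Tunnel0 has no 'ip nhrp nhs'")
    for name, f in (("hub", hub), ("spoke", spoke)):
        if f["sa_lifetime"]:
            secs = int(f["sa_lifetime"])
            findings.append(f"note: {name} IPsec SA lifetime {secs}s = {secs // 60} min, "
                            "so a drop on that period points at the rekey")
        if f["profile"] and not f["dpd"]:
            findings.append(f"note: {name} has no 'crypto isakmp keepalive' (DPD)")
    return findings

# Constructed samples mirroring the posted configs; the poster's 'IPSEC config for hub'
# carries spoke-style tunnel lines, and that is reproduced as posted.
ISAKMP = "crypto isakmp policy 1\n encr 3des\n authentication pre-share\n group 2\n lifetime 3600\n"
IPSEC = ("crypto ipsec transform-set yyyy esp-3des esp-md5-hmac\n!\ncrypto ipsec profile prof1\n"
         " set security-association lifetime seconds 900\n set transform-set yyyy\n")
COMMON = " ip nhrp authentication XXXX\n ip nhrp network-id 200\n tunnel key 150\n"
SPOKE_TUN = ("interface Tunnel0\n ip address 172.18.18.2 255.255.255.0\n"
             " ip nhrp map 172.18.18.1 <hub public ip>\n ip nhrp nhs 172.18.18.1\n" + COMMON +
             " tunnel source FastEthernet4\n tunnel destination <hub public ip>\n")
HUB_GRE = (ISAKMP + "crypto isakmp key XXXX address 0.0.0.0 0.0.0.0\ninterface Tunnel0\n"
           " ip address 172.18.18.1 255.255.255.0\n ip nhrp map multicast dynamic\n" + COMMON +
           " tunnel source GigabitEthernet0/0\n tunnel mode gre multipoint\n")
SPOKE_GRE = ISAKMP + "crypto isakmp key XXXX address <hub public ip>\n" + SPOKE_TUN
HUB_IPSEC = (ISAKMP + "crypto isakmp key XXXX address 0.0.0.0 0.0.0.0\n" + IPSEC +
             SPOKE_TUN.replace("172.18.18.2", "172.18.18.1") + " tunnel protection ipsec profile prof1\n")
SPOKE_IPSEC = (ISAKMP + "crypto isakmp key XXXX address <hub public ip>\n" + IPSEC + SPOKE_TUN +
               " tunnel protection ipsec profile prof1\n")

if __name__ == "__main__":
    for label, pair in (("GRE only", (HUB_GRE, SPOKE_GRE)), ("with IPsec", (HUB_IPSEC, SPOKE_IPSEC))):
        print(label, check_pair(*pair) or ["ok"])
```

Run against the constructed GRE-only pair it reports nothing; against the IPsec pair it reports the three spoke-style lines in the hub tunnel, the 900 s (15 min) SA lifetime on both sides, and the absence of DPD. Parsing is deliberately lenient so that a config pasted into a forum post, with its blank lines and lost indentation, still parses the same way as a clean `show running-config`.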

4 Replies

Hello, Asif.

To troubleshoot ISAKMP, you need to use "debug crypto isakmp" (please collect logs during the issue).

I would also suggest adding the commands:

crypto isakmp invalid-spi
crypto isakmp keepalive 10 3

PS: if you connect home offices, it could be better to use EasyVPN instead of DMVPN (less admin and deployment overhead + support for end-stations).

PS:

3G/4G doesn't work without IPSec, as providers assign you private IP addresses and do not forward GRE traffic to you (going from Hub to Spoke).

I have no idea why DSL does not work with IPSec in your case... it's better to ask your provider if they block ESP traffic.

Hi Mikhail,

Thank you for the excellent answers.

I implemented two tunnels, one with IPSec for 3G/4G and one with plain GRE for DSL, by getting two internet connections; now it's working fine.

But I am looking for some hassle-free solution. I read your EasyVPN suggestion, but how is it different from DMVPN?

Can I implement both EasyVPN and DMVPN on a single router and single internet connection as a failover to one another?

Hello, Asif.

If EasyVPN suits you, then there is no need for DMVPN.

EasyVPN is much simpler than DMVPN in terms of client configuration! It also supports user authentication, so you could use cisco client to establish VPN from laptops.

PS: I recommend you to investigate the issue on your DSL with IPSec, as the issue could affect some other traffic as well.
