04-10-2020 07:29 AM
Hi all, I am studying DMVPN phase 3 and would like to ask if you can answer some of the questions and issues that I'm working on right now.
Description: From the topology, I have 3 sites A, B and C and all routers are DMVPN configured. From the topology also you can see that Site B and C (spoke-to-spoke) communication is working but Site A & B is not working.
Questions:
example:
Site A - R2 (tunnel 0 - 192.168.1.10/24)
Site B - R (tunnel 0 - 192.168.1.20/24)
SiteA# ping 192.168.1.20 source 192.168.1.10
Result: Working
SiteA# trace 192.168.1.20 source 192.168.1.10
Result: 2hops away - HUB -> SITEB ROUTER
Same result with Site B to Site A ping and trace.
4. All spoke routers have an IPsec profile configured, but Site A and Site B spoke-to-spoke communication is unable to fully form phase 2 IPsec. All policies and attributes are the same, since we could not form an adjacency with the hub if something were missing... So I believe this is due to the fact that we cannot form spoke-to-spoke communication because of the preferred path? BTW I'm using the tunnel interfaces to test (see #3 sample).
Debug Output from SITEA router2:
46 CEST: ISAKMP-PAK: (15727):received packet from 222.1.1.1 dport 500 sport 500 INTERNET (R) QM_IDLE
46 CEST: ISAKMP: (15727):set new node 1832717634 to QM_IDLE
46 CEST: ISAKMP: (15727):processing HASH payload. message ID = 1832717634
46 CEST: ISAKMP: (15727):processing SA payload. message ID = 1832717634
46 CEST: ISAKMP: (15727):Checking IPSec proposal 1
46 CEST: ISAKMP: (15727):transform 1, ESP_AES
46 CEST: ISAKMP: (15727): attributes in transform:
46 CEST: ISAKMP: (15727): encaps is 2 (Transport)
46 CEST: ISAKMP: (15727): SA life type in seconds
46 CEST: ISAKMP: (15727): SA life duration (basic) of 3600
46 CEST: ISAKMP: (15727): SA life type in kilobytes
46 CEST: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
46 CEST: ISAKMP: (15727): authenticator is HMAC-SHA
46 CEST: ISAKMP: (15727): key length is 256
46 CEST: ISAKMP: (15727):atts are acceptable.
46 CEST: IPSEC(ipsec_process_proposal): peer address 222.1.1.1 not found
46 CEST: ISAKMP-ERROR: (15727):IPSec policy invalidated proposal with error 64
46 CEST: ISAKMP-ERROR: (15727):phase 2 SA policy not acceptable! (local 59.46.230.254 remote 222.1.1.1)
46 CEST: ISAKMP: (15727):set new node 3820497615 to QM_IDLE
46 CEST: ISAKMP: (15727):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 140005555332392, message ID = 3820497615
46 CEST: ISAKMP-PAK: (15727):sending packet to 222.1.1.1 my_port 500 peer_port 500 (R) QM_IDLE
46 CEST: ISAKMP: (15727):Sending an IKE IPv4 Packet.
46 CEST: ISAKMP: (15727):purging node 3820497615
46 CEST: ISAKMP-ERROR: (15727):deleting node 1832717634 error TRUE reason "QM rejected"
Can we have technical inputs about this?
46 CEST: IPSEC(ipsec_process_proposal): peer address 222.1.1.1 not found
46 CEST: ISAKMP-ERROR: (15727):IPSec policy invalidated proposal with error 64
46 CEST: ISAKMP-ERROR: (15727):phase 2 SA policy not acceptable! (local 59.46.230.254 remote 222.1.1.1)
Thank you
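As an added example (not part of the original post, and not a Cisco tool), the script below parses `debug crypto isakmp` / `debug crypto ipsec` output in the format shown above and condenses one Quick Mode exchange into the peer and local addresses, the offered proposal attributes, whether IKE accepted them, the IPsec policy error, the NOTIFY sent back, and the final outcome. The sample lines are the ones from the post; the line-format regex and the `reading` classification are this example's own assumptions and only restate what the lines literally say, so they help a reviewer see where in the exchange the rejection happens without attributing a root cause.

```python
"""Summarise a Cisco IOS ISAKMP/IPsec debug excerpt (added example, not vendor code)."""
import re
from typing import Optional

# One debug line: optional timestamp prefix, facility, optional function name,
# optional ISAKMP connection id in parentheses, then the free-text message.
# The format is assumed from the excerpt in the post.
LINE_RE = re.compile(
    r"^(?P<ts>.*?)\s*(?P<facility>ISAKMP-PAK|ISAKMP-ERROR|ISAKMP|IPSEC)"
    r"(?:\((?P<func>[^)]*)\))?:\s*(?:\((?P<conn>\d+)\):?)?\s*(?P<msg>.*)$"
)
IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
PEER_RE = re.compile(r"(?:received packet from|sending packet to|peer address|remote) " + IPV4)
LOCAL_RE = re.compile(r"local " + IPV4)
MSGID_RE = re.compile(r"message ID = (\d+)")
POLICY_ERR_RE = re.compile(r"invalidated proposal with error (\d+)")
NOTIFY_RE = re.compile(r"Sending NOTIFY (\w+)")
ATTR_RES = {  # proposal attributes worth comparing against the other spoke
    "transform": re.compile(r"transform \d+, (\S+)"),
    "encapsulation": re.compile(r"encaps is \d+ \((\w+)\)"),
    "lifetime_seconds": re.compile(r"SA life duration \(basic\) of (\d+)"),
    "authenticator": re.compile(r"authenticator is (\S+)"),
    "key_length": re.compile(r"key length is (\d+)"),
}

# Constructed sample: the lines quoted in the post (one wrapped continuation line).
SAMPLE = """\
46 CEST: ISAKMP-PAK: (15727):received packet from 222.1.1.1 dport 500 sport 500 INTERNET (R) QM_IDLE
46 CEST: ISAKMP: (15727):set new node 1832717634 to QM_IDLE
46 CEST: ISAKMP: (15727):processing SA payload. message ID = 1832717634
46 CEST: ISAKMP: (15727):Checking IPSec proposal 1
46 CEST: ISAKMP: (15727):transform 1, ESP_AES
46 CEST: ISAKMP: (15727): encaps is 2 (Transport)
46 CEST: ISAKMP: (15727): SA life duration (basic) of 3600
46 CEST: ISAKMP: (15727): authenticator is HMAC-SHA
46 CEST: ISAKMP: (15727): key length is 256
46 CEST: ISAKMP: (15727):atts are acceptable.
46 CEST: IPSEC(ipsec_process_proposal): peer address 222.1.1.1 not found
46 CEST: ISAKMP-ERROR: (15727):IPSec policy invalidated proposal with error 64
46 CEST: ISAKMP-ERROR: (15727):phase 2 SA policy not acceptable! (local 59.46.230.254 remote 222.1.1.1)
46 CEST: ISAKMP: (15727):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 140005555332392, message ID = 3820497615
46 CEST: ISAKMP-ERROR: (15727):deleting node 1832717634 error TRUE reason "QM rejected"
"""


def _first(rx, text: str) -> Optional[str]:
    m = rx.search(text)
    return m.group(1) if m else None


def parse_line(line: str) -> Optional[dict]:
    """Parsed fields of one debug line, or None for a wrapped continuation line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = d["ts"].rstrip(": ")
    return d


def parse_debug(text: str) -> list:
    """Parse an excerpt; continuation lines are glued to the previous message."""
    events = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev is not None:
            events.append(ev)
        elif events:
            events[-1]["msg"] += " " + raw.strip()
    return events


def summarize_quick_mode(text: str) -> dict:
    """Condense the exchange into a dict a reviewer can compare across spokes."""
    s = {"peer": None, "local": None, "proposal": {}, "attributes_acceptable": False,
         "peer_found_in_ipsec_policy": True, "policy_error": None, "notify": None,
         "message_ids": [], "outcome": "unknown"}
    for ev in parse_debug(text):
        msg = ev["msg"]
        s["peer"] = s["peer"] or _first(PEER_RE, msg)
        s["local"] = _first(LOCAL_RE, msg) or s["local"]
        mid = _first(MSGID_RE, msg)
        if mid and mid not in s["message_ids"]:
            s["message_ids"].append(mid)
        for key, rx in ATTR_RES.items():
            val = _first(rx, msg)
            if val:
                s["proposal"][key] = val
        if "atts are acceptable" in msg:
            s["attributes_acceptable"] = True
        if ev["facility"] == "IPSEC" and "not found" in msg:
            s["peer_found_in_ipsec_policy"] = False  # IPsec-side lookup failed
        err = _first(POLICY_ERR_RE, msg)
        if err:
            s["policy_error"] = int(err)
        s["notify"] = _first(NOTIFY_RE, msg) or s["notify"]
        if "QM rejected" in msg:
            s["outcome"] = "rejected"
    # Hypothetical one-line reading; it repeats the log's own statements only.
    if s["attributes_acceptable"] and not s["peer_found_in_ipsec_policy"]:
        s["reading"] = (f"IKE accepted the transform attributes, but the IPsec policy lookup "
                        f"found no entry for peer {s['peer']}; responder sent {s['notify']} "
                        f"(policy error {s['policy_error']}).")
    elif not s["attributes_acceptable"]:
        s["reading"] = "transform attributes not accepted: compare transform sets on both ends."
    else:
        s["reading"] = "no rejection seen in this excerpt."
    return s


if __name__ == "__main__":
    for k, v in summarize_quick_mode(SAMPLE).items():
        print(f"{k}: {v}")
```

Run it on a pasted excerpt from each spoke and diff the `proposal` dictionaries first; when they match and `attributes_acceptable` is true on both sides, the interesting field is `peer_found_in_ipsec_policy`, which points at the local IPsec policy lookup rather than at the IKE transform negotiation.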
04-10-2020 08:48 AM
Good morning,
I have a question regarding 3650/3850 layer 3 switches: can they support secure tunnel IPsec/GRE for DMVPN?
We are enabling a bunch of our developers to be able to connect to our data centers from home, but we don't have enough routers; we do have a bunch of layer 3 3650 and 3850 switches.
Thanks
Aref
04-10-2020 11:31 AM
Hello,
I don't think IPSec VPNs are supported on the 3850.
Check the data sheet: