DMvpn spoke & hub state is IKE

prabinchand
Level 1

Hello experts!

I am just practicing DMVPN with a random topology which has 2 hubs & 2 spokes. The problem is that the 2 hub & 2 spoke state is in IKE. What is the reason? Surprisingly, I can ping from the HUB loopback to the SPOKE loopback address.

NOTE: Topology & State:IKE is attached below.

 

CONFIGURATION

HUB-1:

HUB-1#sh run
Building configuration...

Current configuration : 1765 bytes
!
! Last configuration change at 17:09:25 UTC Wed Feb 2 2022
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname HUB-1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
!
!
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
lifetime 60
crypto isakmp key prabin address 0.0.0.0
!
!
crypto ipsec transform-set dmvpn esp-3des esp-md5-hmac
mode tunnel
!
crypto ipsec profile PRABIN
set security-association lifetime kilobytes disable
set transform-set dmvpn
!
!
!
!
!
!
!
interface Loopback1
ip address 192.168.10.10 255.255.255.248
!
interface Tunnel1
ip address 50.50.50.1 255.255.255.248
no ip redirects
ip nhrp authentication prabin
ip nhrp map multicast dynamic
ip nhrp network-id 1
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 12345
tunnel protection ipsec profile PRABIN
!
interface FastEthernet0/0
ip address 1.1.1.1 255.255.255.248
speed auto
duplex auto
!
interface FastEthernet0/1
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet1/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet1/1
no ip address
shutdown
speed auto
duplex auto
!
!
router eigrp 100
network 50.50.50.0 0.0.0.7
network 192.168.10.10 0.0.0.0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end

 

HUB-2:

HUB-2#sh run
Building configuration...

Current configuration : 1765 bytes
!
! Last configuration change at 17:10:16 UTC Wed Feb 2 2022
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname HUB-2
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
!
!
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
lifetime 60
crypto isakmp key prabin address 0.0.0.0
!
!
crypto ipsec transform-set dmvpn esp-3des esp-md5-hmac
mode tunnel
!
crypto ipsec profile PRABIN
set security-association lifetime kilobytes disable
set transform-set dmvpn
!
!
!
!
!
!
!
interface Loopback1
ip address 192.168.30.30 255.255.255.255
!
interface Tunnel1
ip address 50.50.50.3 255.255.255.248
no ip redirects
ip nhrp authentication prabin
ip nhrp map multicast dynamic
ip nhrp network-id 1
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 12345
tunnel protection ipsec profile PRABIN
!
interface FastEthernet0/0
ip address 1.1.1.3 255.255.255.248
speed auto
duplex auto
!
interface FastEthernet0/1
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet1/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet1/1
no ip address
shutdown
speed auto
duplex auto
!
!
router eigrp 100
network 50.50.50.0 0.0.0.7
network 192.168.30.30 0.0.0.0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end

SPOKE-1:

SPOKE-1#sh run
Building configuration...

Current configuration : 1906 bytes
!
! Last configuration change at 17:10:49 UTC Wed Feb 2 2022
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname SPOKE-1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
!
!
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
lifetime 60
crypto isakmp key prabin address 1.1.1.1
crypto isakmp key prabin address 1.1.1.3
!
!
crypto ipsec transform-set dmvpn esp-3des esp-md5-hmac
mode tunnel
!
crypto ipsec profile PRABIN
set transform-set dmvpn
!
!
!
!
!
!
!
interface Loopback1
ip address 192.168.20.20 255.255.255.255
!
interface Tunnel1
ip address 50.50.50.2 255.255.255.248
no ip redirects
ip nhrp authentication prabin
ip nhrp map 50.50.50.1 1.1.1.1
ip nhrp map multicast 1.1.1.1
ip nhrp map 50.50.50.3 1.1.1.3
ip nhrp map multicast 1.1.1.3
ip nhrp network-id 1
ip nhrp nhs 50.50.50.1
ip nhrp nhs 50.50.50.3
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 12345
tunnel protection ipsec profile PRABIN
!
interface FastEthernet0/0
ip address 1.1.1.2 255.255.255.248
speed auto
duplex auto
!
interface FastEthernet0/1
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet1/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet1/1
no ip address
shutdown
speed auto
duplex auto
!
!
router eigrp 100
network 50.50.50.0 0.0.0.7
network 192.168.20.20 0.0.0.0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end

SPOKE-2:

SPOKE-2#sh run
Building configuration...

Current configuration : 1957 bytes
!
! Last configuration change at 17:10:49 UTC Wed Feb 2 2022
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname SPOKE-2
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
!
!
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
lifetime 60
crypto isakmp key prabin address 1.1.1.1
crypto isakmp key prabin address 1.1.1.3
!
!
crypto ipsec transform-set dmvpn esp-3des esp-md5-hmac
mode tunnel
!
crypto ipsec profile PRABIN
set security-association lifetime kilobytes disable
set transform-set dmvpn
!
!
!
!
!
!
!
interface Loopback1
ip address 192.168.40.40 255.255.255.255
!
interface Tunnel1
ip address 50.50.50.4 255.255.255.0
no ip redirects
ip nhrp authentication prabin
ip nhrp map 50.50.50.1 1.1.1.1
ip nhrp map multicast 1.1.1.1
ip nhrp map 50.50.50.3 1.1.1.3
ip nhrp map multicast 1.1.1.3
ip nhrp network-id 1
ip nhrp nhs 50.50.50.1
ip nhrp nhs 50.50.50.3
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 12345
tunnel protection ipsec profile PRABIN
!
interface FastEthernet0/0
ip address 1.1.1.4 255.255.255.248
speed auto
duplex auto
!
interface FastEthernet0/1
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet1/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet1/1
no ip address
shutdown
speed auto
duplex auto
!
!
router eigrp 100
network 50.50.50.0 0.0.0.7
network 192.168.40.40 0.0.0.0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end

 

8 Replies

The shared key should not use the Hub tunnel source IP address but the Hub Tunnel IP address.
Change it.

Sir,

I did not get anything of what you want to say.

 

Please be specific with words.

You use the pre-shared key for IPsec with address 1.1.1.1; replace it with 50.50.50.1.
If that does not work, configure the Spoke pre-shared key with 0.0.0.0.

From the SPOKE perspective:

The IPsec pre-shared key must be the HUB WAN IP, not a tunnel IP, I guess.

What's your point?

The DMVPN is GRE protected by IPsec.
There are two headers: one is the Tunnel source and Tunnel destination,
the other is the original IP header.

When IPsec sends from Spoke to Hub, the outer header is the Tunnel Source and Tunnel Destination configured in the Spoke tunnel;
the other, "inner", is the tunnel IP, which is used by both Spoke and Hub to build the IPsec SA.
Here the IPsec passes IKE phase 1 but stops in Phase 2 because the Outer IP header is different from the one used for the IPsec Identity, so we must make them the same,
by configuring the pre-shared key in IPsec with the tunnel IP, not the tunnel source.
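As an added example, not part of the original thread and not Cisco code: a small Python checker over the four running-configs posted above. It embeds only the ISAKMP key statements, the Tunnel1 address, the tunnel source and the spokes' NHS lines, copied from the thread, and flags cross-device inconsistencies. The key-address check encodes how IOS actually looks up a pre-shared key: by the IKE peer's source address, which for a GRE/IPsec tunnel is the peer's tunnel source (NBMA) address, so a spoke's key address should match a hub's FastEthernet0/0 address, not its Tunnel1 address. Two other things it surfaces from the posted configs: SPOKE-2's Tunnel1 is configured with a /24 mask while the other three devices use /29, and both hubs use the wildcard key address 0.0.0.0 (any peer holding the key can negotiate IKE). Whether the mask mismatch is what the original poster is seeing is not something the thread confirms; the checker only reports what differs.

```python
"""Cross-device consistency checks over the DMVPN configs posted in this thread.
Added example (not from the original post, not Cisco code).  Only the lines
relevant to the IKE/IPsec peering are embedded, copied from the thread."""
import re
from ipaddress import IPv4Interface

CONFIGS = {
    "HUB-1": """crypto isakmp key prabin address 0.0.0.0
interface Tunnel1
ip address 50.50.50.1 255.255.255.248
tunnel source FastEthernet0/0
interface FastEthernet0/0
ip address 1.1.1.1 255.255.255.248""",
    "HUB-2": """crypto isakmp key prabin address 0.0.0.0
interface Tunnel1
ip address 50.50.50.3 255.255.255.248
tunnel source FastEthernet0/0
interface FastEthernet0/0
ip address 1.1.1.3 255.255.255.248""",
    "SPOKE-1": """crypto isakmp key prabin address 1.1.1.1
crypto isakmp key prabin address 1.1.1.3
interface Tunnel1
ip address 50.50.50.2 255.255.255.248
ip nhrp nhs 50.50.50.1
ip nhrp nhs 50.50.50.3
tunnel source FastEthernet0/0
interface FastEthernet0/0
ip address 1.1.1.2 255.255.255.248""",
    "SPOKE-2": """crypto isakmp key prabin address 1.1.1.1
crypto isakmp key prabin address 1.1.1.3
interface Tunnel1
ip address 50.50.50.4 255.255.255.0
ip nhrp nhs 50.50.50.1
ip nhrp nhs 50.50.50.3
tunnel source FastEthernet0/0
interface FastEthernet0/0
ip address 1.1.1.4 255.255.255.248""",
}


def parse(text):
    """Extract key addresses, interface addresses, tunnel source and NHS list.
    Sub-commands are attributed to the most recent 'interface' line, so the
    parser does not rely on the indentation that forum extraction strips."""
    dev = {"keys": [], "ifaces": {}, "nhs": []}
    cur = None
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"crypto isakmp key \S+ address (\S+)", line):
            dev["keys"].append(m.group(1))
            cur = None
        elif m := re.match(r"interface (\S+)", line):
            cur = dev["ifaces"].setdefault(m.group(1), {})
        elif cur is not None:
            if m := re.match(r"ip address (\S+) (\S+)", line):
                cur["ip"] = IPv4Interface(f"{m.group(1)}/{m.group(2)}")
            elif m := re.match(r"tunnel source (\S+)", line):
                cur["source"] = m.group(1)
            elif m := re.match(r"ip nhrp nhs (\S+)", line):
                dev["nhs"].append(m.group(1))
    tun = dev["ifaces"]["Tunnel1"]
    dev["tunnel_ip"] = tun["ip"]
    # NBMA address = address of the physical interface named in 'tunnel source'
    dev["nbma"] = dev["ifaces"][tun["source"]]["ip"].ip
    return dev


def check(configs):
    """Return a list of (device, finding) tuples; an empty list means consistent."""
    devs = {name: parse(text) for name, text in configs.items()}
    findings = []
    # 1. every Tunnel1 address must fall in the same subnet (same mask)
    nets = {n: d["tunnel_ip"].network for n, d in devs.items()}
    common = max(set(nets.values()), key=list(nets.values()).count)
    for n, net in nets.items():
        if net != common:
            findings.append((n, f"Tunnel1 subnet {net} differs from {common}"))
    # 2. a spoke's ISAKMP key address must be one of its NHSs' NBMA (tunnel
    #    source) addresses: IKE peers on the outer header, never on Tunnel1 IPs
    nbma_of = {str(d["tunnel_ip"].ip): str(d["nbma"]) for d in devs.values()}
    for n, d in devs.items():
        want = sorted(nbma_of.get(h, "?") for h in d["nhs"])
        for addr in d["keys"]:
            if addr == "0.0.0.0":
                findings.append((n, "wildcard key address 0.0.0.0: any peer holding the key may negotiate IKE"))
            elif d["nhs"] and addr not in want:
                findings.append((n, f"key address {addr} is not an NHS tunnel-source address {want}"))
    return findings


if __name__ == "__main__":
    for dev, msg in check(CONFIGS):
        print(f"{dev}: {msg}")
```

Run as-is it prints three findings (the SPOKE-2 mask, and the wildcard key on each hub). If a spoke's key address is changed to a hub's Tunnel1 IP, as one reply above suggests, the key-address check flags it, because that address never appears in the outer IP header IKE actually peers on.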

vencislav.metev
Level 1

Hi,

 

Can you try to remove "set security-association lifetime kilobytes disable" from all devices?

Restart the tunnels and check again.

 

Regards,

Ventsi

Bro, it did not work.

vencislav.metev
Level 1

Hi,

 

Can you save and attach packet tracer lab?

 

Regards,

Ventsi
