02-02-2022 03:28 AM
Hello experts!
I am just practicing DMVPN with a random topology which has 2 hubs & 2 spokes. The problem is that the 2 hub & 2 spoke state is in IKE. What is the reason? Surprisingly, I can ping from the HUB loopback to the SPOKE loopback address.
NOTE: Topology & State:IKE are attached below.
CONFIGURATION
HUB-1:
HUB-1#sh run
Building configuration...
Current configuration : 1765 bytes
!
! Last configuration change at 17:09:25 UTC Wed Feb 2 2022
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname HUB-1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
!
!
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
lifetime 60
crypto isakmp key prabin address 0.0.0.0
!
!
crypto ipsec transform-set dmvpn esp-3des esp-md5-hmac
mode tunnel
!
crypto ipsec profile PRABIN
set security-association lifetime kilobytes disable
set transform-set dmvpn
!
!
!
!
!
!
!
interface Loopback1
ip address 192.168.10.10 255.255.255.248
!
interface Tunnel1
ip address 50.50.50.1 255.255.255.248
no ip redirects
ip nhrp authentication prabin
ip nhrp map multicast dynamic
ip nhrp network-id 1
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 12345
tunnel protection ipsec profile PRABIN
!
interface FastEthernet0/0
ip address 1.1.1.1 255.255.255.248
speed auto
duplex auto
!
interface FastEthernet0/1
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet1/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet1/1
no ip address
shutdown
speed auto
duplex auto
!
!
router eigrp 100
network 50.50.50.0 0.0.0.7
network 192.168.10.10 0.0.0.0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end
HUB-2:
HUB-2#sh run
Building configuration...
Current configuration : 1765 bytes
!
! Last configuration change at 17:10:16 UTC Wed Feb 2 2022
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname HUB-2
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
!
!
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
lifetime 60
crypto isakmp key prabin address 0.0.0.0
!
!
crypto ipsec transform-set dmvpn esp-3des esp-md5-hmac
mode tunnel
!
crypto ipsec profile PRABIN
set security-association lifetime kilobytes disable
set transform-set dmvpn
!
!
!
!
!
!
!
interface Loopback1
ip address 192.168.30.30 255.255.255.255
!
interface Tunnel1
ip address 50.50.50.3 255.255.255.248
no ip redirects
ip nhrp authentication prabin
ip nhrp map multicast dynamic
ip nhrp network-id 1
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 12345
tunnel protection ipsec profile PRABIN
!
interface FastEthernet0/0
ip address 1.1.1.3 255.255.255.248
speed auto
duplex auto
!
interface FastEthernet0/1
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet1/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet1/1
no ip address
shutdown
speed auto
duplex auto
!
!
router eigrp 100
network 50.50.50.0 0.0.0.7
network 192.168.30.30 0.0.0.0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end
SPOKE-1:
SPOKE-1#sh run
Building configuration...
Current configuration : 1906 bytes
!
! Last configuration change at 17:10:49 UTC Wed Feb 2 2022
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname SPOKE-1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
!
!
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
lifetime 60
crypto isakmp key prabin address 1.1.1.1
crypto isakmp key prabin address 1.1.1.3
!
!
crypto ipsec transform-set dmvpn esp-3des esp-md5-hmac
mode tunnel
!
crypto ipsec profile PRABIN
set transform-set dmvpn
!
!
!
!
!
!
!
interface Loopback1
ip address 192.168.20.20 255.255.255.255
!
interface Tunnel1
ip address 50.50.50.2 255.255.255.248
no ip redirects
ip nhrp authentication prabin
ip nhrp map 50.50.50.1 1.1.1.1
ip nhrp map multicast 1.1.1.1
ip nhrp map 50.50.50.3 1.1.1.3
ip nhrp map multicast 1.1.1.3
ip nhrp network-id 1
ip nhrp nhs 50.50.50.1
ip nhrp nhs 50.50.50.3
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 12345
tunnel protection ipsec profile PRABIN
!
interface FastEthernet0/0
ip address 1.1.1.2 255.255.255.248
speed auto
duplex auto
!
interface FastEthernet0/1
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet1/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet1/1
no ip address
shutdown
speed auto
duplex auto
!
!
router eigrp 100
network 50.50.50.0 0.0.0.7
network 192.168.20.20 0.0.0.0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end
SPOKE-2:
SPOKE-2#sh run
Building configuration...
Current configuration : 1957 bytes
!
! Last configuration change at 17:10:49 UTC Wed Feb 2 2022
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname SPOKE-2
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
!
!
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
lifetime 60
crypto isakmp key prabin address 1.1.1.1
crypto isakmp key prabin address 1.1.1.3
!
!
crypto ipsec transform-set dmvpn esp-3des esp-md5-hmac
mode tunnel
!
crypto ipsec profile PRABIN
set security-association lifetime kilobytes disable
set transform-set dmvpn
!
!
!
!
!
!
!
interface Loopback1
ip address 192.168.40.40 255.255.255.255
!
interface Tunnel1
ip address 50.50.50.4 255.255.255.0
no ip redirects
ip nhrp authentication prabin
ip nhrp map 50.50.50.1 1.1.1.1
ip nhrp map multicast 1.1.1.1
ip nhrp map 50.50.50.3 1.1.1.3
ip nhrp map multicast 1.1.1.3
ip nhrp network-id 1
ip nhrp nhs 50.50.50.1
ip nhrp nhs 50.50.50.3
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 12345
tunnel protection ipsec profile PRABIN
!
interface FastEthernet0/0
ip address 1.1.1.4 255.255.255.248
speed auto
duplex auto
!
interface FastEthernet0/1
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet1/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet1/1
no ip address
shutdown
speed auto
duplex auto
!
!
router eigrp 100
network 50.50.50.0 0.0.0.7
network 192.168.40.40 0.0.0.0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end
02-02-2022 03:51 AM
The shared key should not use the Hub tunnel source IP address but the Hub Tunnel IP address.
Change it.
02-02-2022 04:47 AM
Sir,
I did not get anything of what you want to say.
Please be specific with words.
02-02-2022 05:29 AM - edited 02-02-2022 01:13 PM
You use a pre-shared key for IPsec with address 1.1.1.1; replace it with 50.50.50.1.
If that does not work, configure the Spoke pre-shared key with 0.0.0.0.
02-02-2022 10:30 PM
From the SPOKE perspective:
the IPsec pre-shared key must be the HUB WAN IP, not a tunnel IP, I guess.
What's your point?
02-03-2022 09:24 AM
The DMVPN is GRE protected by IPsec.
There are two headers: one is the Tunnel source and Tunnel destination,
the other is the original IP header.
When IPsec sends from Spoke to Hub, the outer header is the Tunnel Source and Tunnel Destination configured in the Spoke tunnel;
the other, "inner", header is the tunnel IP, which is used by both Spoke and Hub to build the IPsec SA.
Here the IPsec passes IKE phase 1 but stops in Phase 2 because the outer IP header is different from the one used for the IPsec identity, so we must make them the same,
by configuring the pre-shared key in IPsec with the tunnel IP, not the tunnel source.
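As an added check (not code from this thread), the script below parses constructed excerpts of the HUB-1 and SPOKE-2 running-configs posted above and reports the mismatches a reviewer would look for on a spoke: whether its static NHRP map points at the hub's tunnel source (NBMA) address, whether an ISAKMP key entry covers that NBMA address (exact or the 0.0.0.0 wildcard), and whether the Tunnel1 subnet agrees with the hub's. On the posted configs it flags the /24 mask on SPOKE-2's Tunnel1 against the /29 used by the other three routers.

```python
import re
from ipaddress import ip_interface
# Constructed excerpts of the HUB-1 and SPOKE-2 "sh run" outputs posted above.
CONFIGS = {
    "HUB-1": """
crypto isakmp key prabin address 0.0.0.0
interface Tunnel1
 ip address 50.50.50.1 255.255.255.248
 tunnel source FastEthernet0/0
interface FastEthernet0/0
 ip address 1.1.1.1 255.255.255.248
""",
    "SPOKE-2": """
crypto isakmp key prabin address 1.1.1.1
interface Tunnel1
 ip address 50.50.50.4 255.255.255.0
 ip nhrp map 50.50.50.1 1.1.1.1
 tunnel source FastEthernet0/0
interface FastEthernet0/0
 ip address 1.1.1.4 255.255.255.248
""",
}

def parse(cfg):
    # ISAKMP key peer addresses, interface addresses, tunnel source and NHRP maps.
    r, cur = {"keys": set(), "maps": {}, "ifaces": {}}, None
    for s in (l.strip() for l in cfg.splitlines()):
        if m := re.match(r"crypto isakmp key \S+ address (\S+)", s):
            r["keys"].add(m.group(1))
        elif m := re.match(r"interface (\S+)", s):
            cur = m.group(1)
        elif m := re.match(r"ip address (\S+) (\S+)", s):
            r["ifaces"][cur] = ip_interface(f"{m.group(1)}/{m.group(2)}")
        elif m := re.match(r"tunnel source (\S+)", s):
            r["src"] = m.group(1)
        elif m := re.match(r"ip nhrp map (\d+(?:\.\d+){3}) (\S+)", s):
            r["maps"][m.group(1)] = m.group(2)
    r["nbma"], r["tun"] = str(r["ifaces"][r["src"]].ip), r["ifaces"]["Tunnel1"]  # NBMA = tunnel source IP
    return r

def check(spoke_cfg, hub_cfg):
    # Findings for one spoke against one hub; IKE peers on the hub's NBMA address.
    s, h, out = parse(spoke_cfg), parse(hub_cfg), []
    if s["maps"].get(str(h["tun"].ip)) != h["nbma"]:
        out.append(f"nhrp map for {h['tun'].ip} does not point at hub NBMA {h['nbma']}")
    if not {h["nbma"], "0.0.0.0"} & s["keys"]:
        out.append(f"no isakmp key covering hub NBMA {h['nbma']}")
    if s["tun"].network != h["tun"].network:
        out.append(f"tunnel subnet {s['tun'].network} differs from hub {h['tun'].network}")
    return out
```

Run check() for each spoke against each hub; an empty list means the three fields agree for that pair.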
02-02-2022 04:05 AM
Hi,
Can you try to remove "set security-association lifetime kilobytes disable" from all devices?
Restart the tunnels and check again.
Regards,
Ventsi
02-02-2022 04:47 AM
Bro, it did not work.
02-02-2022 05:07 AM
Hi,
Can you save and attach the Packet Tracer lab?
Regards,
Ventsi