DMVPN tunnels not working

Brian Tulloch
Level 1

Hi,
I am installing a point-to-multipoint network using DMVPN. All the DSL links come up and I can ping the public IP of the other router, but not through to the 192.168 (LAN) side. Presumably a simple mistake, but I am a little stuck. I have a 2901 as the hub, and 800 series for the spokes.

Using Cisco Configuration Professional, IPsec tunnels are up, but DMVPN tunnels do not exist.

I get the following message: "rec'd ipsec packet has invalid spi for destaddr".
All suggestions appreciated.

Each router has 5 connected subnets, all of which need to route across the WAN, i.e.

the hub has 192.168.0.x, 192.168.1.x, 192.168.2.x, 192.168.3.x, 192.168.4.x,
spoke 1 has 192.168.8.x, 192.168.9.x, 192.168.10.x, 192.168.11.x, 192.168.12.x
spoke 2 has 192.168.16.x, etc

The hub router has the following configuration:

hostname hub
!
boot-start-marker
boot-end-marker
!
!
no logging buffered
!
no aaa new-model
clock timezone PCTime 10 0
!
ip name-server 203.50.2.71
ip name-server 139.130.4.4
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
cts logging verbose
!
license udi pid CISCO2901/K9 sn FGL195320YQ
!
username xxxxx privilege 15 secret 5 xxxxx
!
redundancy
!
controller VDSL 0/0/0
!
crypto keyring ccp-dmvpn-keyring
pre-shared-key address 0.0.0.0 0.0.0.0 key 074842abcd
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp profile ccp-dmvpn-isakmprofile
keyring ccp-dmvpn-keyring
match identity address 0.0.0.0
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode transport
!
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile ccp-dmvpn-isakmprofile
!
interface Tunnel0
bandwidth 1000
ip address 192.168.254.1 255.255.255.0
ip mtu 1400
no ip split-horizon eigrp 99
no ip next-hop-self eigrp 99
no ip redirects
ip nhrp authentication DMVPN_NW
ip nhrp map multicast dynamic
ip nhrp network-id 100000
ip nhrp holdtime 360
ip tcp adjust-mss 1360
delay 1000
tunnel source Dialer0
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile CiscoCP_Profile1
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address 192.168.1.254 255.255.255.0
ip address 192.168.1.254 255.255.255.0 secondary
ip address 192.168.2.254 255.255.255.0 secondary
ip address 192.168.3.254 255.255.255.0 secondary
ip address 192.168.4.254 255.255.255.0 secondary
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface ATM0/0/0
no ip address
no atm ilmi-keepalive
!
interface ATM0/0/0.1 point-to-point
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
interface Ethernet0/0/0
no ip address
ip virtual-reassembly in
!
interface Dialer0
ip address 144.139.198.112 255.255.255.0
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname xxxxx@direct.telstra.net
ppp chap password 0 xxxxx
ppp pap sent-username xxxxx@direct.telstra.net password 0 xxxxx
!
router eigrp 99
network 192.168.0.0 0.0.7.255
network 192.168.0.0
no auto-summary
!
ip forward-protocol nd
!
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 144.139.198.1
!
dialer-list 1 protocol ip permit
!
access-list 1 remark INSIDE_IF=GigabitEthernet0/0
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
!
control-plane
!
banner login ^CThis is the hub
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
login local
transport input telnet
!
scheduler allocate 20000 1000


hub 72 configuration is

version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname hub72
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
no logging buffered
enable secret 5 $1$bAhU$/QlanXdT2nZxxxxxxxx
enable password xxxxxxx
!
no aaa new-model
clock timezone ESTime 10 0
!
ip name-server 203.50.2.71
ip name-server 139.130.4.4
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
license udi pid C887VA-K9 sn FGL2006224M
!
username xxxxx privilege 15 password 0 xxxxx
!
controller VDSL 0
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxxx address 144.139.198.112
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode transport
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
mode transport
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
mode transport
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
mode transport
crypto ipsec transform-set ESP-3DES-SHA4 esp-3des esp-sha-hmac
mode transport
!
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA4
!
interface Tunnel0
bandwidth 1000
ip address 192.168.254.72 255.255.255.0
no ip split-horizon eigrp 99
no ip next-hop-self eigrp 99
no ip redirects
ip mtu 1400
ip nhrp authentication DMVPN_NW
ip nhrp map 192.168.254.1 144.139.198.112
ip nhrp map multicast dynamic
ip nhrp network-id 100000
ip nhrp holdtime 360
ip nhrp nhs 192.168.254.1
ip tcp adjust-mss 1360
delay 1000
tunnel source Dialer0
tunnel destination 144.139.198.112
tunnel key 100000
tunnel protection ipsec profile CiscoCP_Profile1
!
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
interface Ethernet0
no ip address
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface Vlan1
description Wired LAN interface
ip address 192.168.72.254 255.255.255.0
ip address 192.168.73.254 255.255.255.0 secondary
ip address 192.168.74.254 255.255.255.0 secondary
ip address 192.168.75.254 255.255.255.0 secondary
ip address 192.168.76.254 255.255.255.0 secondary
ip nat inside
ip virtual-reassembly in
!
interface Dialer0
description WAN Interface
ip address 149.135.115.72 255.255.255.0
ip mtu 1492
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
ppp authentication chap pap callin
ppp chap hostname xxxxx@direct.telstra.net
ppp chap password 0 xxxxx
ppp pap sent-username xxxxx@direct.telstra.net password 0 xxxxx
!
router eigrp 99
network 192.168.72.0 0.0.7.255
network 192.168.254.0
!
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
!
ip nat inside source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 144.139.198.1
!
dialer-list 1 protocol ip permit
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.72.0 0.0.7.255
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
line con 0
no modem enable
line aux 0
line vty 0 4
password 22xxxxxx
login
transport input all
!
scheduler allocate 20000 1000
Accepted Solution

Tim Y
Level 1

Hi,

It looks like there's a lot of things amiss with the configuration. At first glance, I'd look into the following:

  • Change the access-lists you're using for NAT to extended access-lists and deny the networks that you want to talk to each other over the DMVPN from being included in the NAT
  • The crypto keyring is missing from the DMVPN hub. The hub and spoke should both have this command with the key matching
  • Remove the tunnel destination command from the spoke - it doesn't need it. It can find the hub via the mapping and the nhs setting
  • Set the tunnel mode of the spoke to be: tunnel mode gre multipoint

I would start with that. If you're still having issues, look over this guide and compare the configurations: http://www.internetworkingcareer.com/vpn/configure-dmvpn-phase-2-eigrp/

Hope this helps!

Regards,

Tim


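The four points in the accepted answer are all structural and can be checked mechanically against a pasted running-config before touching the routers. The Python script below is an added example for this thread, not the poster's configs or any Cisco tool: it splits IOS config text into blocks (assuming the "!"-separated, unindented layout of the pastes above), then flags a NAT ACL that is not extended or has no deny entry, a side without a crypto keyring (or with keys that differ), and a spoke tunnel that still carries "tunnel destination" or lacks "tunnel mode gre multipoint". The sample configs, the names NAT-ACL, DMVPN-KEYRING and Tunnel0, the key EXAMPLE-PSK and the address 198.51.100.1 are all constructed; the NAT-ACL fragment is one shape of the extended ACL the first bullet asks for, exempting LAN-to-192.168.0.0/16 traffic from translation. It checks only these four points, not the ISAKMP/IPsec policy match or whether NHRP registration actually succeeds.

```python
"""Checks for the four DMVPN points in the accepted answer, run over pasted IOS config text.
Added example, not the poster's or Cisco's code; all names and addresses below are constructed."""
import re

# Commands that open a block; the lines after one, up to the next "!", are its children.
BLOCK_OPENERS = ("interface ", "crypto keyring ", "crypto isakmp policy ", "crypto isakmp profile ",
                 "crypto ipsec profile ", "crypto ipsec transform-set ", "router ", "ip access-list ",
                 "line ", "controller ", "control-plane")

def parse_ios(text):
    """Return ({block header: [child lines]}, [global lines]); children are found by position."""
    blocks, globals_, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()  # forum pastes lose indentation (as in this thread), so ignore it
        if not line or line == "!":
            current = None
        elif line.startswith(BLOCK_OPENERS):
            current = line
            blocks[current] = []
        elif current is not None:
            blocks[current].append(line)
        else:
            globals_.append(line)
    return blocks, globals_

def preshared_key(blocks, globals_):
    """Point 2: (source, key) from a crypto keyring, else from a global 'crypto isakmp key' line."""
    for header, children in blocks.items():
        if header.startswith("crypto keyring "):
            keys = re.findall(r"pre-shared-key address \S+ \S+ key (\S+)", "\n".join(children))
            if keys:
                return "keyring", keys[0]
    keys = re.findall(r"crypto isakmp key (\S+) address ", "\n".join(globals_))
    return ("isakmp-key", keys[0]) if keys else None

def nat_acl_findings(blocks, globals_):
    """Point 1: the NAT ACL must be extended and carry a deny that keeps DMVPN traffic out of NAT."""
    findings = []
    for acl in re.findall(r"^ip nat inside source list (\S+) ", "\n".join(globals_), re.M):
        entries = blocks.get(f"ip access-list extended {acl}")
        if entries is None:
            findings.append(f"NAT list {acl} is not an extended ACL; convert it and deny tunnel traffic")
        elif not any(e.startswith("deny ") for e in entries):
            findings.append(f"extended ACL {acl} has no deny entry excluding the DMVPN networks")
    return findings

def check_dmvpn(hub_text, spoke_text):
    """Run all four checks on a hub/spoke pair; an empty list means the pair passed."""
    hub_b, hub_g = parse_ios(hub_text)
    spk_b, spk_g = parse_ios(spoke_text)
    findings = [f"hub: {f}" for f in nat_acl_findings(hub_b, hub_g)]
    findings += [f"spoke: {f}" for f in nat_acl_findings(spk_b, spk_g)]
    keys = {"hub": preshared_key(hub_b, hub_g), "spoke": preshared_key(spk_b, spk_g)}
    for side, key in keys.items():
        if key is None:
            findings.append(f"{side}: no pre-shared key found; add a crypto keyring")
        elif key[0] != "keyring":
            findings.append(f"{side}: PSK set with 'crypto isakmp key' instead of a crypto keyring")
    if all(keys.values()) and keys["hub"][1] != keys["spoke"][1]:
        findings.append("pre-shared keys on hub and spoke do not match")
    # Points 3 and 4: the spoke tunnel has no static destination and is multipoint GRE.
    for header, children in spk_b.items():
        if header.startswith("interface Tunnel"):
            if any(c.startswith("tunnel destination ") for c in children):
                findings.append(f"spoke {header}: remove 'tunnel destination'; nhrp map and nhs locate the hub")
            if "tunnel mode gre multipoint" not in children:
                findings.append(f"spoke {header}: add 'tunnel mode gre multipoint'")
    return findings

# Constructed configs: the first pair mirrors the thread's symptoms, the second is the corrected form.
BROKEN_HUB = """crypto keyring DMVPN-KEYRING
pre-shared-key address 0.0.0.0 0.0.0.0 key EXAMPLE-PSK
!
ip nat inside source list 1 interface FastEthernet0/0 overload
access-list 1 permit 192.168.0.0 0.0.7.255
"""
BROKEN_SPOKE = """crypto isakmp key EXAMPLE-PSK address 198.51.100.1
!
interface Tunnel0
ip nhrp map 192.168.254.1 198.51.100.1
ip nhrp nhs 192.168.254.1
tunnel destination 198.51.100.1
!
ip nat inside source list 1 interface Dialer0 overload
access-list 1 permit 192.168.72.0 0.0.7.255
"""
NAT_FIX = """ip access-list extended NAT-ACL
deny ip {lan} 192.168.0.0 0.0.255.255
permit ip {lan} any
!
ip nat inside source list NAT-ACL interface {wan} overload
"""
FIXED_HUB = BROKEN_HUB.split("ip nat")[0] + NAT_FIX.format(lan="192.168.0.0 0.0.7.255", wan="FastEthernet0/0")
FIXED_SPOKE = (BROKEN_HUB.split("!")[0] + "!" + BROKEN_SPOKE.split("!")[1].replace(
    "tunnel destination 198.51.100.1", "tunnel mode gre multipoint") + "!\n"
    + NAT_FIX.format(lan="192.168.72.0 0.0.7.255", wan="Dialer0"))

if __name__ == "__main__":
    for label, pair in (("broken", (BROKEN_HUB, BROKEN_SPOKE)), ("fixed", (FIXED_HUB, FIXED_SPOKE))):
        print(label, check_dmvpn(*pair) or "OK")
```

To use it on your own routers, paste each "show running-config" into a file and call check_dmvpn(open("hub.txt").read(), open("spoke.txt").read()); an empty list means all four points are satisfied, and each finding names the side and the command to add or remove. Because the deny entry is matched only by its presence, review the actual prefixes in the extended ACL yourself: the deny must cover every remote LAN that is reached through the tunnel.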
4 Replies


Thanks Tim,

I used the link you supplied, and re-wrote the config using that as a guide. It works! Thanks for your help.

Brian

Great! Have a good one!

Regards,

Tim

Hi Tim,

Hoping you can help again. I had the network up using a DSL at the hub, but the bandwidth was woeful. We then upgraded to a dedicated radio link, and changed the configs to suit. On the spoke, I changed the mapping to the new IP address, but on the hub the DSL was replaced with a FastEthernet card. All the links have come up and I can browse the internet and ping the public IP of the other router, but not through to the 192.168 (LAN) side.
Revised configs below.


Each router has 5 connected subnets, all of which need to route across the WAN, i.e.

the hub has 192.168.0.x, 192.168.1.x, 192.168.2.x, 192.168.3.x, 192.168.4.x,
spoke 1 has 192.168.8.x, 192.168.9.x, 192.168.10.x, 192.168.11.x, 192.168.12.x
spoke 2 has 192.168.16.x, etc

The hub router has the following configuration:

hostname hub
!
boot-start-marker
boot-end-marker
!
!
no logging buffered
!
no aaa new-model
clock timezone PCTime 10 0
!
ip name-server 203.50.2.71
ip name-server 139.130.4.4
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
cts logging verbose
!
license udi pid CISCO2901/K9 sn FGL195320YQ
!
username xxxxx privilege 15 secret 5 xxxxx
!
redundancy
!
crypto keyring DMVPN
pre-shared-key address 0.0.0.0 0.0.0.0 key 0748423900
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp invalid-spi-recovery
!
crypto ipsec security-association replay disable
!
crypto ipsec transform-set cws-dmvpn-trans esp-aes 256 esp-sha-hmac
mode transport
!
crypto ipsec profile DMVPN-EX
set transform-set cws-dmvpn-trans
!
interface Tunnel100
bandwidth 1000
ip address 192.168.254.1 255.255.255.0
no ip redirects
ip mtu 1400
no ip next-hop-self eigrp 99
no ip split-horizon eigrp 99
ip pim sparse-dense-mode
ip nhrp authentication VPN100
ip nhrp map multicast dynamic
ip nhrp network-id 100
ip nhrp holdtime 450
ip tcp adjust-mss 1360
delay 1000
tunnel source FastEthernet0/0/0
tunnel mode gre multipoint
tunnel key 99100
tunnel protection ipsec profile DMVPN-EX shared
!
interface Embedded-Service-Engine0/0
no ip address
!
interface GigabitEthernet0/0
ip address 192.168.2.254 255.255.255.0 secondary
ip address 192.168.3.254 255.255.255.0 secondary
ip address 192.168.4.254 255.255.255.0 secondary
ip address 192.168.5.254 255.255.255.0 secondary
ip address 192.168.1.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/0/0
ip address 202.144.180.51 255.255.255.0
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface FastEthernet0/0/1
no ip address
shutdown
duplex auto
speed auto
!
!
router eigrp 99
network 192.168.0.0 0.0.7.255
network 192.168.254.0
passive-interface default
no passive-interface Tunnel100
!
ip forward-protocol nd
!
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 1 interface FastEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 202.144.180.254
!
!
!
access-list 1 remark INSIDE_IF=GigabitEthernet0/0
access-list 1 remark CCP_line con 0
access-list 1 permit 192.168.0.0 0.0.7.255
access-list 1 permit any
!
control-plane
!
!
banner login ^C This is the Mackay Base Hospital services routerfor support, call Group CCTV on 07 048423900 ^C
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
login local
transport input telnet
!
scheduler allocate 20000 1000

hub 72 configuration is

version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname hub72
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
no logging buffered
enable secret 5 $1$bAhU$/QlanXdT2nZxxxxxxxx
enable password xxxxxxx
!
no aaa new-model
clock timezone ESTime 10 0
!
ip name-server 203.50.2.71
ip name-server 139.130.4.4
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
license udi pid C887VA-K9 sn FGL2006
!
username xxxxx privilege 15 password 0 xxxxx
!
controller VDSL 0
!
crypto keyring DMVPN
pre-shared-key address 0.0.0.0 0.0.0.0 key 0748423900
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
!
!
crypto isakmp invalid-spi-recovery
crypto ipsec security-association replay disable
!
!
!
crypto ipsec transform-set cws-dmvpn-trans esp-aes 256 esp-sha-hmac
mode transport
!
crypto ipsec profile DMVPN-EX
set transform-set cws-dmvpn-trans
!
!
!
! This sets the tunnel parameters. Network 192.168.254.x is used for the tunnel
interface Tunnel100
bandwidth 1000
ip address 192.168.254.72 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1400
! this maps the hub tunnel address to the public address and vpn number
ip nhrp authentication VPN100
ip nhrp map 192.168.254.1 202.144.180.51
ip nhrp map multicast dynamic
ip nhrp network-id 100
ip nhrp holdtime 360
ip nhrp nhs 192.168.254.1
ip tcp adjust-mss 1360
delay 1000
tunnel source Dialer0
tunnel mode gre multipoint
tunnel key 99100
tunnel protection ipsec profile DMVPN-EX shared
!
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Ethernet0
no ip address
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface Vlan1
description Wired LAN
ip address 192.168.72.254 255.255.255.0
ip address 192.168.73.254 255.255.255.0 secondary
ip address 192.168.74.254 255.255.255.0 secondary
ip address 192.168.75.254 255.255.255.0 secondary
ip address 192.168.76.254 255.255.255.0 secondary
ip nat inside
ip virtual-reassembly in
!
interface Dialer0
description WAN Interface
ip address 149.135.115.72 255.255.255.0
ip mtu 1492
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
ppp authentication chap pap callin
ppp chap hostname xxxxxxx@direct.telstra.net
ppp chap password 0 1xxxxx
ppp pap sent-username xxxxxxxxx@direct.telstra.net password 0 xxxxx
!
!
router eigrp 99
network 192.168.72.0 0.0.7.255
network 192.168.254.0
passive-interface default
no passive-interface Tunnel100
!
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
!
!
ip nat inside source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 149.135.115.1
!
dialer-list 1 protocol ip permit
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.72.0 0.0.7.255
access-list 1 permit any
!
control-plane
!
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
password 22882288
login
transport input all
!
scheduler allocate 20000 1000