cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2838
Views
6
Helpful
20
Replies

DMVPN /w IPSec Tunnel Down Issue -- LIne Protocol Down

jdorzweiler
Level 1
Level 1

I've spent the last 24 hours banging my head on getting an IPSec encapsulation to work on my DMVPN Phase 3 GRE tunnels. I have the basic config below for my two routers in play:
Hub router:

crypto ikev2 keyring DM-KEYRING
peer ANY
address 0.0.0.0 0.0.0.0
pre-shared-key CISCO
!
!
!
crypto ikev2 profile DM-PROFILE
match identity remote address 0.0.0.0
authentication remote pre-share
authentication local pre-share
keyring local DM-KEYRING
!
!
!
crypto ipsec transform-set DM-TRANSFORM esp-aes esp-md5-hmac
mode transport
!
crypto ipsec profile DM-IPSEC-PROFILE
set transform-set DM-TRANSFORM
set ikev2-profile DM-PROFILE
 


The spoke router has the same crypto configuration as the hub above, only the tunnel obviously being a little different for the NHRP configuration:
Spoke:

interface Tunnel0
ip address 172.16.1.2 255.255.255.0
no ip redirects
ip nhrp map 172.16.1.1 11.0.1.1
ip nhrp map multicast 11.0.1.1
ip nhrp network-id 1
ip nhrp nhs 172.16.1.1
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key 1
tunnel protection ipsec profile DM-IPSEC-PROFILE
 


I see the spoke try to for an IKEv2 SA. The status is stuck in IN-NEG. But there is absolutely nothing on the hub side in terms of SA negotiation. And the GRE does work just fine when I remove any IPSec configuration.
 
I noticed that when I add the tunnel protection to my hub, the tunnel interface goes into line protocol down. However, my spoke router does not act that way. The spoke line protocol stays up
 
Does anyone have any thoughts where I am messing up?

1 Accepted Solution

Accepted Solutions

I was able to get this figured out. Someone was able to re-create my basic topology with my original IKEv2/IPSec configuration, and they were able to get it working in their lab with no modification on the crypto portions of the configuration.

 

What was different is that they did not NHRP map the DMVPN hub to itself on the tunnel configuration. Only pointing the NHS server to itself. Which is weird considering the Cisco documentation that I was following has the hub mapping configured. Once I removed  

ip nhrp map 172.16.1.1 11.0.1.1

from the tunnel configuration on the hub, the tunnel line protocol came up INSTANTLY.

 

And that is so weird given that the DMVPN configuration I had before works just fine without IPSec. But that is evidently the solution to my problem. I updated that and tested my DMVPN topology with Ikev2/IPSec enabled on the tunnel, and it worked as expected.

 

Thank you for everybody's help on this!

View solution in original post

20 Replies 20

Hello,

 

hard to say what is missing, do you have the full configs of both the hun and the spoke ? Phase 3 requires

ip nhrp redirect

on the hub, and

ip nhrp shortcut

on the spoke(s).

I have included my configs for my hub and spoke router below. Note that the physical interface IPs are on separate subnets as I have an intermediate router acting as the "Internet" in between. And when I rip out the IPSec related stuff to the GRE, the configuration works splendidly. It's only the issue on the HQ router router that I am facing that the tunnel interface goes into line protocol down and stays down no matter what I do with the IPSec. I am not experiencing that issue on the spoke, ironically. Even though the config is identical, save for the fact that the HQ router is acting as the NHRP hub.

 

HQ (Hub Router) config:

HQ#sh run
Building configuration...

Current configuration : 3842 bytes
!
! Last configuration change at 03:06:58 UTC Wed Apr 6 2022
!
version 15.8
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname HQ
!
boot-start-marker
boot-end-marker
!
!
no logging console
!
no aaa new-model
!
!
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
!
!
!
!
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
redundancy
!
!
!
!
!
!
crypto ikev2 keyring DM-KEYRING
peer ANY
address 0.0.0.0 0.0.0.0
pre-shared-key CISCO
!
!
!
crypto ikev2 profile DM-PROFILE
match identity remote address 0.0.0.0
authentication remote pre-share
authentication local pre-share
keyring local DM-KEYRING
!
!
!
crypto ipsec transform-set DM-TRANSFORM esp-aes esp-md5-hmac
mode transport
!
crypto ipsec profile DM-IPSEC-PROFILE
set transform-set DM-TRANSFORM
set ikev2-profile DM-PROFILE
!
!
!
!
!
!
!
interface Loopback0
ip address 192.168.1.1 255.255.255.0
!
interface Tunnel0
ip address 172.16.1.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp map 172.16.1.1 11.0.1.1
ip nhrp network-id 1
ip nhrp nhs 172.16.1.1
ip tcp adjust-mss 1360
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key 1
tunnel protection ipsec profile DM-IPSEC-PROFILE
!
interface GigabitEthernet0/0
ip address 11.0.1.1 255.255.255.0
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/3
no ip address
shutdown
duplex auto
speed auto
media-type rj45
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 11.0.1.2
!
ipv6 ioam timestamp
!
!
access-list 100 permit gre any any
!
control-plane
!
banner exec ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
banner incoming ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
banner login ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
!
line con 0
line aux 0
line vty 0 4
login
transport input none
!
no scheduler allocate
!
end







Site_A (Spoke router) config:

Site_A#sh run
Building configuration...

Current configuration : 3812 bytes
!
! Last configuration change at 02:32:43 UTC Wed Apr 6 2022
!
version 15.8
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Site_A
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
!
!
!
!
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
redundancy
!
!
!
!
!
!
crypto ikev2 keyring DM-KEYRING
peer ANY
address 0.0.0.0 0.0.0.0
pre-shared-key CISCO
!
!
!
crypto ikev2 profile DM-PROFILE
match identity remote address 0.0.0.0
authentication remote pre-share
authentication local pre-share
keyring local DM-KEYRING
!
!
!
crypto ipsec transform-set DM-TRANSFORM esp-aes esp-md5-hmac
mode transport
!
crypto ipsec profile DM-IPSEC-PROFILE
set transform-set DM-TRANSFORM
set ikev2-profile DM-PROFILE
!
!
!
!
!
!
!
interface Tunnel0
ip address 172.16.1.2 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp map 172.16.1.1 11.0.1.1
ip nhrp map multicast 11.0.1.1
ip nhrp network-id 1
ip nhrp nhs 172.16.1.1
ip tcp adjust-mss 1360
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key 1
tunnel protection ipsec profile DM-IPSEC-PROFILE
!
interface GigabitEthernet0/0
ip address 11.0.2.1 255.255.255.0
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
ip address 192.168.2.1 255.255.255.0
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/3
no ip address
shutdown
duplex auto
speed auto
media-type rj45
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 11.0.2.2
!
ipv6 ioam timestamp
!
!
access-list 100 permit gre any any
!
control-plane
!
banner exec ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
banner incoming ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
banner login ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
!
line con 0
line aux 0
line vty 0 4
login
transport input none
!
no scheduler allocate
!
end

Hello,

 

it looks like the ikev2 configuration is missing partly. Add the lines marked in bold.

 

HQ (Hub Router) config:

HQ#sh run
Building configuration...

Current configuration : 3842 bytes
!
! Last configuration change at 03:06:58 UTC Wed Apr 6 2022
!
version 15.8
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname HQ
!
boot-start-marker
boot-end-marker
!
no logging console
!
no aaa new-model
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
redundancy
!
--> crypto ikev2 proposal IKE2_PROPOSAL
--> encryption aes-cbc-256
--> integrity sha256
--> group 5
--> crypto ikev2 policy IKE2_POLICY
--> proposal IKE2_PROPOSAL
!
crypto ikev2 keyring DM-KEYRING
peer ANY
address 0.0.0.0 0.0.0.0
pre-shared-key CISCO
!
crypto ikev2 profile DM-PROFILE
match identity remote address 0.0.0.0
authentication remote pre-share
authentication local pre-share
keyring local DM-KEYRING
!
--> crypto ipsec transform-set DM-TRANSFORM esp-aes 256 esp-sha256-hmac
mode transport
!
crypto ipsec profile DM-IPSEC-PROFILE
set transform-set DM-TRANSFORM
set ikev2-profile DM-PROFILE
!
interface Loopback0
ip address 192.168.1.1 255.255.255.0
!
interface Tunnel0
ip address 172.16.1.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp map 172.16.1.1 11.0.1.1
ip nhrp network-id 1
ip nhrp nhs 172.16.1.1
ip tcp adjust-mss 1360
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key 1
tunnel protection ipsec profile DM-IPSEC-PROFILE
!
interface GigabitEthernet0/0
ip address 11.0.1.1 255.255.255.0
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/3
no ip address
shutdown
duplex auto
speed auto
media-type rj45
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 11.0.1.2
!
ipv6 ioam timestamp
!
access-list 100 permit gre any any
!
control-plane
!
banner exec ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
banner incoming ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
banner login ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
!
line con 0
line aux 0
line vty 0 4
login
transport input none
!
no scheduler allocate
!
end


 

Site_A (Spoke router) config:

Site_A#sh run
Building configuration...

Current configuration : 3812 bytes
!
! Last configuration change at 02:32:43 UTC Wed Apr 6 2022
!
version 15.8
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Site_A
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
redundancy
!
--> crypto ikev2 proposal IKE2_PROPOSAL
--> encryption aes-cbc-256
--> integrity sha256
--> group 5
--> crypto ikev2 policy IKE2_POLICY
--> proposal IKE2_PROPOSAL
!
crypto ikev2 keyring DM-KEYRING
peer ANY
address 0.0.0.0 0.0.0.0
pre-shared-key CISCO
!
crypto ikev2 profile DM-PROFILE
match identity remote address 0.0.0.0
authentication remote pre-share
authentication local pre-share
keyring local DM-KEYRING
!
--> crypto ipsec transform-set DM-TRANSFORM esp-aes 256 esp-sha256-hmac
mode transport
!
crypto ipsec profile DM-IPSEC-PROFILE
set transform-set DM-TRANSFORM
set ikev2-profile DM-PROFILE
!
interface Tunnel0
ip address 172.16.1.2 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp map 172.16.1.1 11.0.1.1
ip nhrp map multicast 11.0.1.1
ip nhrp network-id 1
ip nhrp nhs 172.16.1.1
ip tcp adjust-mss 1360
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key 1
tunnel protection ipsec profile DM-IPSEC-PROFILE
!
interface GigabitEthernet0/0
ip address 11.0.2.1 255.255.255.0
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
ip address 192.168.2.1 255.255.255.0
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/3
no ip address
shutdown
duplex auto
speed auto
media-type rj45
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 11.0.2.2
!
ipv6 ioam timestamp
!
access-list 100 permit gre any any
!
control-plane
!
banner exec ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
banner incoming ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
banner login ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
!
line con 0
line aux 0
line vty 0 4
login
transport input none
!
no scheduler allocate
!
end

This is so weird. I added those commands to both the hub and the spoke, and the spoke line protocol remains up (just as before). However, the hub tunnel line protocol is down.

 

This is despite the fact that both tunnels have an identical configuration except for the NHRP multicast mapping given for obvious reasons. Granted one is acting as the NHRP hub.

 

And I even decided to go nuclear on my hub. I blasted the entire config, and reconfigured the physical interface, tunnel GRE, and crypto from scratch. And still the same issue.

Hello,

 

since you have no LAN traffic, I assume this is a test/lab environment ? Are you using real/physical devices, or simulated devices ?

 

Also, what are you trying to build exactly ? You are not building a phase 3 DMVPN, as that requires

ip nhrp redirect' and ip nhrp map multicast dynamic

on the hub, as well as

ip nhrp shortcut

on the spoke(s).

This is for a lab environment. I am currently working on passing ENARSI. I am using CML running on the vIOS platform. 

 

I've done so much troubleshooting on this thing that I apparently took out the redirect command for phase 3, so I've readded it. Either way, line protocol remains down with or without the

ip nhrp redirect 

command. But the map multicast dynamic command appears to be a system default as it doesn't show in the running config. Per below:

 

HQ(config)#int tu0
HQ(config-if)#ip nhrp red
HQ(config-if)#ip nhrp redirect
HQ(config-if)#ip nhrp map multicast dynamic
HQ(config-if)#end
HQ#show run int tu0
Building configuration...

Current configuration : 339 bytes
!
interface Tunnel0
ip address 172.16.1.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp map 172.16.1.1 11.0.1.1
ip nhrp network-id 1
ip nhrp nhs 172.16.1.1
ip nhrp redirect
ip tcp adjust-mss 1360
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key 1
tunnel protection ipsec profile DM-IPSEC-PROFILE
end

HQ#sh ver
Cisco IOS Software, IOSv Software (VIOS-ADVENTERPRISEK9-M), Version 15.8(3)M2, RELEASE SOFTWARE (fc2)

access-list 100 permit gre any any 

<- where are you apply this ACL ?

That is a vestigial ACL from my config when I was working with a point-to-point GRE tunnel using crypto maps. THe ACL is still there but not part of any crypto or tunnel config.

first let troubleshooting to isolate the issue from IKEv2 or from the tunnel, 
remove the profile protect form tunnel and check the tunnel reachability.

I have removed the IPSec profile protection from the tunnel on both HQ (Hub) and Site_A (Spoke). Per the following:

 

Hub:

HQ#sh dmvpn

Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete

N - NATed, L - Local, X - No Socket

T1 - Route Installed, T2 - Nexthop-override

C - CTS Capable, I2 - Temporary

# Ent --> Number of NHRP entries with same NBMA peer

NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting

UpDn Time --> Up or Down Time for a Tunnel

==========================================================================




Interface: Tunnel0, IPv4 NHRP Details

Type:Hub/Spoke, NHRP Peers:3,




 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb

 ----- --------------- --------------- ----- -------- -----

     1 11.0.1.1             172.16.1.1  NHRP 00:03:32     S

     1 11.0.2.1             172.16.1.2    UP 00:02:53     D




HQ#sh ip nhrp
172.16.1.1/32 via 172.16.1.1
Tunnel0 created 00:04:28, never expire
Type: static, Flags: used
NBMA address: 11.0.1.1
172.16.1.2/32 via 172.16.1.2
Tunnel0 created 00:04:20, expire 00:06:50
Type: dynamic, Flags: registered used nhop
NBMA address: 11.0.2.1




HQ#ping 172.16.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/16/19 ms







From Site_A (Spoke):

Site_A#sh dmvpn

Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete

N - NATed, L - Local, X - No Socket

T1 - Route Installed, T2 - Nexthop-override

C - CTS Capable, I2 - Temporary

# Ent --> Number of NHRP entries with same NBMA peer

NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting

UpDn Time --> Up or Down Time for a Tunnel

==========================================================================
 
Interface: Tunnel0, IPv4 NHRP Details

Type:Spoke, NHRP Peers:1,




 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb

 ----- --------------- --------------- ----- -------- -----

     1 11.0.1.1             172.16.1.1    UP 00:04:33     S

Site_A#sh ip nhrp
172.16.1.1/32 via 172.16.1.1
Tunnel0 created 01:44:27, never expire
Type: static, Flags: used
NBMA address: 11.0.1.1




Site_A#ping 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/13/16 ms




 

Issue then with IKEv2
re add the profile protect and 

 

crypto ikev2 profile DM-PROFILE


match identity remote address 0.0.0.0<- remove this from both Hub and Spoke 

That really makes the tunnel unhappy, as it looks like that match statement is a required field. Tunnel state goes into reset and line protocol down. Also, doing a shut/no shut doesn't make a difference on the tunnel for what it's worth.

 

HQ#sh run | sec crypto ikev2 profile DM-PROFILE
crypto ikev2 profile DM-PROFILE
! Profile incomplete (no match identity or match certificate statement)
authentication remote pre-share
authentication local pre-share
keyring local DM-KEYRING
HQ#sh run int tu0
Building configuration...

Current configuration : 321 bytes
!
interface Tunnel0
ip address 172.16.1.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp map 172.16.1.1 11.0.1.1
ip nhrp network-id 1
ip nhrp nhs 172.16.1.1
ip tcp adjust-mss 1360
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key 1
tunnel protection ipsec profile DM-IPSEC-PROFILE
end

HQ#sh int tu0
Tunnel0 is reset, line protocol is down

That really makes the tunnel unhappy, as it looks like that match statement is a required field. Tunnel state goes into reset and line protocol down. Also, doing a shut/no shut doesn't make a difference on the tunnel for what it's worth.

 

HQ#sh run | sec crypto ikev2 profile DM-PROFILE
crypto ikev2 profile DM-PROFILE
! Profile incomplete (no match identity or match certificate statement)
authentication remote pre-share
authentication local pre-share
keyring local DM-KEYRING
HQ#sh run int tu0
Building configuration...

Current configuration : 321 bytes
!
interface Tunnel0
ip address 172.16.1.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp map 172.16.1.1 11.0.1.1
ip nhrp network-id 1
ip nhrp nhs 172.16.1.1
ip tcp adjust-mss 1360
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key 1
tunnel protection ipsec profile DM-IPSEC-PROFILE
end

HQ#sh int tu0
Tunnel0 is reset, line protocol is down

Hello,

 

when you added the proposal, did you also change the transform set as indicated ?

Review Cisco Networking for a $25 gift card