2837 Views · 6 Helpful · 20 Replies

DMVPN w/ IPSec Tunnel Down Issue -- Line Protocol Down

jdorzweiler
Level 1

I've spent the last 24 hours banging my head on getting IPSec encapsulation to work on my DMVPN Phase 3 GRE tunnels. I have the basic config below for the two routers in play:
Hub router:

! IKEv2 keyring: one wildcard peer entry with a pre-shared key
crypto ikev2 keyring DM-KEYRING
 peer ANY
  address 0.0.0.0 0.0.0.0
  pre-shared-key CISCO
!
! IKEv2 profile: match any remote address, PSK authentication both ways
crypto ikev2 profile DM-PROFILE
 match identity remote address 0.0.0.0
 authentication remote pre-share
 authentication local pre-share
 keyring local DM-KEYRING
!
! IPsec transform set in transport mode (GRE header is already present)
crypto ipsec transform-set DM-TRANSFORM esp-aes esp-md5-hmac
 mode transport
!
! IPsec profile applied to the tunnel interface via "tunnel protection"
crypto ipsec profile DM-IPSEC-PROFILE
 set transform-set DM-TRANSFORM
 set ikev2-profile DM-PROFILE
The spoke router has the same crypto configuration as the hub above; only the tunnel interface is obviously a little different because of the NHRP configuration:
Spoke:

interface Tunnel0
 ip address 172.16.1.2 255.255.255.0
 no ip redirects
 ! static NHRP mapping of the hub's tunnel address to its NBMA (WAN) address
 ip nhrp map 172.16.1.1 11.0.1.1
 ip nhrp map multicast 11.0.1.1
 ip nhrp network-id 1
 ip nhrp nhs 172.16.1.1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DM-IPSEC-PROFILE
I see the spoke try to form an IKEv2 SA. The status is stuck in IN-NEG. But there is absolutely nothing on the hub side in terms of SA negotiation. And the GRE does work just fine when I remove any IPSec configuration.

I noticed that when I add the tunnel protection to my hub, the tunnel interface goes into line protocol down. However, my spoke router does not act that way. The spoke line protocol stays up.
 
Does anyone have any thoughts where I am messing up?

20 Replies

Yes I did.


1. access-list 100 permit ip any any <- even if you do not use it, add the permit on both peers in case traffic is being dropped
2. debug crypto ikev2 <- share the output from only one peer
3. Shut/no shut the tunnel

Any update ?

I was able to get this figured out. Someone was able to re-create my basic topology with my original IKEv2/IPSec configuration, and they were able to get it working in their lab with no modification on the crypto portions of the configuration.

 

What was different is that they did not NHRP map the DMVPN hub to itself in the tunnel configuration, only pointing the NHS server to itself. Which is weird considering the Cisco documentation I was following has the hub mapping configured. Once I removed

ip nhrp map 172.16.1.1 11.0.1.1

from the tunnel configuration on the hub, the tunnel line protocol came up INSTANTLY.

 

And that is so weird given that the DMVPN configuration I had before works just fine without IPSec. But that is evidently the solution to my problem. I updated that and tested my DMVPN topology with IKEv2/IPSec enabled on the tunnel, and it worked as expected.

 

Thank you for everybody's help on this!
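A way to catch the misconfiguration this thread ended on, as an added example that is not from the thread or from Cisco: a small Python linter that parses IOS interface blocks out of running-config text and flags any static `ip nhrp map` entry whose tunnel address is the interface's own address, i.e. a hub mapping itself. The hub Tunnel0 block below is constructed from the spoke's config and the thread's description; its tunnel source and the `ip nhrp map multicast dynamic` line are assumptions, since the hub's tunnel configuration was never posted.

```python
import re
from ipaddress import ip_address

# Constructed sample: the hub's Tunnel0 as the thread describes it, still
# carrying the self-referencing NHRP map line the original poster removed.
# Tunnel source and the multicast line are assumptions (not in the thread).
HUB_CONFIG = """\
interface Tunnel0
 ip address 172.16.1.1 255.255.255.0
 no ip redirects
 ip nhrp map 172.16.1.1 11.0.1.1
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DM-IPSEC-PROFILE
!
"""

# Constructed sample: the spoke's Tunnel0 exactly as posted in the thread.
SPOKE_CONFIG = """\
interface Tunnel0
 ip address 172.16.1.2 255.255.255.0
 no ip redirects
 ip nhrp map 172.16.1.1 11.0.1.1
 ip nhrp map multicast 11.0.1.1
 ip nhrp network-id 1
 ip nhrp nhs 172.16.1.1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DM-IPSEC-PROFILE
!
"""

NHRP_MAP = re.compile(r"^ip nhrp map (\S+) (\S+)$")
IP_ADDR = re.compile(r"^ip address (\S+) (\S+)$")


def parse_interfaces(config):
    """Return {interface name: [sub-command lines]} from IOS config text.

    IOS indents sub-commands by one space and terminates a block with "!".
    """
    interfaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # any other top-level command ends the block
    return interfaces


def find_self_nhrp_maps(config):
    """List (interface, tunnel_ip, nbma) for static NHRP maps that point at
    the interface's own tunnel address. The multicast keyword is skipped
    because it is not a tunnel address."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        own = None
        for line in lines:
            m = IP_ADDR.match(line)
            if m:
                own = ip_address(m.group(1))
        if own is None:
            continue
        for line in lines:
            m = NHRP_MAP.match(line)
            if m and m.group(1) != "multicast" and ip_address(m.group(1)) == own:
                findings.append((name, m.group(1), m.group(2)))
    return findings


if __name__ == "__main__":
    for label, cfg in (("hub", HUB_CONFIG), ("spoke", SPOKE_CONFIG)):
        hits = find_self_nhrp_maps(cfg)
        if hits:
            for iface, tun, nbma in hits:
                print(f"{label}: {iface} maps its own address {tun} -> {nbma}; "
                      f"remove 'ip nhrp map {tun} {nbma}'")
        else:
            print(f"{label}: no self-referencing NHRP map")
```

Feed it the output of `show running-config` from each router; a finding on the hub is exactly the line the thread removed, while the spoke's mapping of the hub address is legitimate and is not reported.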

I will do a lab from my side and do more research on why this failed;
we checked without the profile and it succeeded, but with the profile it failed.

 

Thank you so much. I have the same issue and this solved it. Your post is helping lots of people.
