Failed to create DMVPN tunnel between two routers

Lotfi BOUCHERIT
Level 1

Hello,

I am trying to configure a DMVPN connection between two routers (with more planned), following this diagram:

[attachment: topo.jpg]

For the routers, I'm using:

C7200 with IOS: c7200-advipservicesk9-mz.152-4.S5

The configurations used are attached.

My question now: when I use the debug command, I get the errors in the attached file "spoke_error.txt", but when I use the same command on the hub, I get nothing. And the tunnel is not created.

Can anyone help me please?

Thank you in advance.


Accepted Solution

Hi,

On both routers change the mode from tunnel to transport


crypto ipsec transform-set VPN_GRE_G3 esp-aes esp-sha-hmac
 mode transport

14 Replies

Hi, looks like connectivity issues. Do you have a firewall/ACLs anywhere in the path between the spoke and the hub? If so, what have you permitted? The following is required: ESP, UDP 500, UDP 4500 (if NATing).

HTH

Hello,

Thank you for your prompt answer. There are no firewalls and no ACLs between the two routers. The only ACL configured is the one used for NATing for clients. About the two modems, they are in the same subnet (special 3G WAN provided by the telecom provider).

Ok, so the modems are doing the natting?
Can you ping the hub's natted ip address x.x.x.199 from the spoke?

Hello Sir. And thank you for your reply.

For the second question about ping: I can ping both the hub and spoke public IPs from the hub, and from the spoke I can do the same.

For the modems, I am using Huawei E5331 3G modems on both sides, where I do not find the option to allow the required ports, especially IP protocols (ESP...). In the port-forwarding option, only the TCP/UDP protocol types are available.

I do not know if you ever faced this problem.

Thank you

Hi,
Fine, OK; if those Huawei 3G modems are NATing, then ESP will be encapsulated inside UDP 4500.

You will just need to port forward UDP 500 and UDP 4500, which it appears you have the ability to do, set this up and see if this resolves the issue.

HTH

Hello,

On a side note, looking at the configuration of your spoke, the NAT access list doesn't exist:


ip nat inside source list 1 interface FastEthernet0/0 overload
!
access-list 111 permit ip 10.10.108.0 0.0.0.255 any


Also, post the output of 'show dmvpn' of both sides...

Lotfi BOUCHERIT
Level 1

Hello,

I am back in the thread to tell you what I've done during all this period.

First of all, I changed my tests from DMVPN to a site-to-site VPN, just temporarily, to check whether my 3G modems have the necessary ports open or not.

What I did was simulate the same topology with the same IP addresses, as in the following screenshot, and try to create a site-to-site VPN (back to the basics).

[attachment: topo.JPG]

In that case, the tunnel is created correctly, and everything can reach everything. I configured my routers with the same configuration as the simulation, and it worked properly. (Now time to come back to the first objective, which is configuring DMVPN.)

Please find attached my configuration (new DMVPN) of the hub and spoke, and of the two modems (routers for the simulation, nothing special about them, and no problem in their configurations, just NAT configured for the test).

When I read the debug traces, I find that the tunnel is not created and is blocked in phase 2 (as in the below screenshot). Can you please help me in this final step?

Thank you in advance.

Regards.

[attachment: debugs.JPG]

Hi,

On both routers change the mode from tunnel to transport

crypto ipsec transform-set VPN_GRE_G3 esp-aes esp-sha-hmac
 mode transport
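
An added spoke-side configuration excerpt, not taken from the thread's attachments, that brings together the two fixes raised above: the NAT statement pointing at an ACL that actually exists, and the transform-set in transport mode. The tunnel addresses, profile and NHRP names, the pre-shared key placeholder and the hub address 10.105.40.199 are assumptions for illustration.

```cisco
! Added example, not the poster's attached config. Names, tunnel addresses,
! the PSK placeholder and the hub NAT address are assumptions.
!
! Phase 1. NAT traversal is on by default, so once the modems forward
! UDP 500 and UDP 4500 to the routers, ESP travels inside UDP 4500.
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp key REPLACE_WITH_PSK address 0.0.0.0
!
! Phase 2. The setting that stalled the lab, kept here only as a comment:
!   crypto ipsec transform-set VPN_GRE_G3 esp-aes esp-sha-hmac
!    mode tunnel
! GRE already encapsulates the traffic, so protect it in transport mode;
! this is the change the accepted answer asked for on both routers.
crypto ipsec transform-set VPN_GRE_G3 esp-aes esp-sha-hmac
 mode transport
crypto ipsec profile DMVPN_PROF
 set transform-set VPN_GRE_G3
!
! Spoke mGRE tunnel registering with the hub behind 10.105.40.199 (assumed).
interface Tunnel0
 ip address 172.16.0.2 255.255.255.0
 ip nhrp authentication NHRPKEY
 ip nhrp network-id 1
 ip nhrp nhs 172.16.0.1
 ip nhrp map 172.16.0.1 10.105.40.199
 ip nhrp map multicast 10.105.40.199
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN_PROF
!
! NAT for LAN clients (ip nat inside/outside on the LAN and FastEthernet0/0
! interfaces as in the posted config). The posted spoke config referenced
! list 1 while only ACL 111 existed, so no client traffic would have been
! translated; point the NAT rule at ACL 111.
ip nat inside source list 111 interface FastEthernet0/0 overload
access-list 111 permit ip 10.10.108.0 0.0.0.255 any
```

Tunnel0 carries no ip nat designation, so LAN traffic entering the tunnel is not translated; only client traffic leaving FastEthernet0/0 towards the WAN is.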

Hello,

Thank you for your reply.

I changed the mode in the transform-set to transport. What I notice is that the tunnel state is IKE, and the tunnel is up. I noticed that the command show dmvpn on the HUB displays UNKNOWN.

And the ping from both hub and spoke to the other tunnel ip address does not succeed.

Thank you in advance.

[attachment: debugs-after-tun-trans.jpg]

I had labbed this scenario and replicated your initial issue, changing to transport mode got the VPN to work. Did you shut the tunnel on the spoke and clear the sessions?

Hello,

I would like to thank you so much for your help. It is now working correctly between HUB and SPOKE. I even added a new SPOKE to check if it does work, and it did.

Otherwise, I noticed the below error, and would like to know what it really means and if it would create some problem later.

Thank you for your help.

[attachment: dmvpn-err.PNG]

Good to hear this is now working

In regard to your error, please see this page; it has more information and recommendations.

Hello,

On a side note, I don't see any (or I might be failing to see them) routes on both modems, there is not even a default route....

Can you add:

Modem 1

ip route 0.0.0.0 0.0.0.0 10.105.40.199

Modem 2

ip route 0.0.0.0 0.0.0.0 10.105.40.197

Hello,

Thank you for your reply. For my simulation, in basis, those 3g wan modems (real ones) are connected to a public network and they transmit every received packet from wan to the router. So i do not need to configure any routes in them. NAT is sufficient. If you test, telnetting MODEM2 from HUB or even MODEM1, it's the spoke who answers (made this configuration, just to simulate real network).telnet-spoke-modem1.JPG