05-27-2014 06:30 AM - edited 03-04-2019 11:02 PM
I have configured a DMVPN on my ASR-1000 router, but the VPN does not stay active. I performed the same test on a 3845 router and it worked correctly, but on the ASR the VPN is not maintained. Does anyone have any idea what may be happening?
Below I copy the configuration:
HUB
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key 6 $IPROOT$ address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set $VPNNET$ esp-3des esp-md5-hmac
!
crypto ipsec profile GREVPN
set security-association lifetime seconds 86400
set transform-set $VPNNET$
!
!
interface Tunnel0
ip address 10.190.1.1 255.255.255.0
no ip redirects
ip mtu 1400
ip flow ingress
ip nhrp map multicast dynamic
ip nhrp network-id 10
ip nhrp holdtime 600
ip nhrp registration timeout 30
no ip split-horizon eigrp 100
ip tcp adjust-mss 1360
qos pre-classify
tunnel source 10.141.10.1
tunnel mode gre multipoint
tunnel protection ipsec profile GREVPN
!
Spoke
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key 6 $IPROOT$ address 10.141.10.1
!
!
crypto ipsec transform-set $VPNNET$ esp-3des esp-md5-hmac
!
crypto ipsec profile GREVPN
set security-association lifetime seconds 86400
set transform-set $VPNNET$
!
interface Tunnel0
bandwidth 1024
ip address 10.190.1.2 255.255.255.0
ip mtu 1480
ip nhrp map multicast 10.141.10.1
ip nhrp map 10.190.1.1 10.141.10.1
ip nhrp network-id 10
ip nhrp holdtime 600
ip nhrp nhs 10.190.1.1
ip nhrp registration timeout 30
ip route-cache flow
qos pre-classify
tunnel source 10.141.10.13
tunnel destination 10.141.10.1
tunnel protection ipsec profile GREVPN
!
May 26 11:14:54.748: ISAKMP:(0:31:SW:1): processing KE payload. message ID = 0
May 26 11:14:54.820: ISAKMP:(0:31:SW:1): processing NONCE payload. message ID = 0
May 26 11:14:54.820: ISAKMP:(0:31:SW:1):found peer pre-shared key matching 10.141.10.1
May 26 11:14:54.820: ISAKMP:(0:31:SW:1):SKEYID state generated
May 26 11:14:54.820: ISAKMP:(0:31:SW:1): processing vendor id payload
May 26 11:14:54.820: ISAKMP:(0:31:SW:1): vendor ID is Unity
May 26 11:14:54.820: ISAKMP:(0:31:SW:1): processing vendor id payload
May 26 11:14:54.820: ISAKMP:(0:31:SW:1): vendor ID is DPD
May 26 11:14:54.820: ISAKMP:(0:31:SW:1): processing vendor id payload
May 26 11:14:54.820: ISAKMP:(0:31:SW:1): speaking to another IOS box!
May 26 11:14:54.820: ISAKMP:(0:31:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
May 26 11:14:54.820: ISAKMP:(0:31:SW:1):Old State = IKE_I_MM4 New State = IKE_I_MM4
May 26 11:14:54.824: ISAKMP:(0:31:SW:1):Send initial contact
May 26 11:14:54.824: ISAKMP:(0:31:SW:1):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
May 26 11:14:54.824: ISAKMP (0:134217759): ID payload
next-payload : 8
type : 1
address : 10.141.10.13
protocol : 17
port : 500
length : 12
May 26 11:14:54.824: ISAKMP:(0:31:SW:1):Total payload length: 12
May 26 11:14:54.828: ISAKMP:(0:31:SW:1): sending packet to 10.141.10.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
May 26 11:14:54.828: ISAKMP:(0:31:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
May 26 11:14:54.828: ISAKMP:(0:31:SW:1):Old State = IKE_I_MM4 New State = IKE_I_MM5
May 26 11:14:54.856: ISAKMP (0:134217759): received packet from 10.141.10.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
May 26 11:14:54.856: ISAKMP:(0:31:SW:1): processing ID payload. message ID = 0
May 26 11:14:54.856: ISAKMP (0:134217759): ID payload
next-payload : 8
type : 1
address : 10.141.10.1
protocol : 17
port : 500
length : 12
May 26 11:14:54.856: ISAKMP:(0:31:SW:1):: peer matches *none* of the profiles
May 26 11:14:54.856: ISAKMP:(0:31:SW:1): processing HASH payload. message ID = 0
May 26 11:14:54.856: ISAKMP:(0:31:SW:1):SA authentication status:
authenticated
May 26 11:14:54.860: ISAKMP:(0:31:SW:1):SA has been authenticated with 10.141.10.1
May 26 11:14:54.860: ISAKMP: Trying to insert a peer 10.141.10.13/10.141.10.1/500/, and inserted successfully 66271C54.
May 26 11:14:54.860: ISAKMP:(0:31:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
May 26 11:14:54.860: ISAKMP:(0:31:SW:1):Old State = IKE_I_MM5 New State = IKE_I_MM6
May 26 11:14:54.860: ISAKMP:(0:31:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
May 26 11:14:54.860: ISAKMP:(0:31:SW:1):Old State = IKE_I_MM6 New State = IKE_I_MM6
May 26 11:14:54.860: ISAKMP:(0:31:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
May 26 11:14:54.860: ISAKMP:(0:31:SW:1):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
May 26 11:14:54.860: ISAKMP:(0:31:SW:1):beginning Quick Mode exchange, M-ID of -1087210433
May 26 11:14:54.864: ISAKMP:(0:31:SW:1): sending packet to 10.141.10.1 my_port 500 peer_port 500 (I) QM_IDLE
May 26 11:14:54.864: ISAKMP:(0:31:SW:1):Node -1087210433, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
May 26 11:14:54.864: ISAKMP:(0:31:SW:1):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
May 26 11:14:54.864: ISAKMP:(0:31:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
May 26 11:14:54.864: ISAKMP:(0:31:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
May 26 11:14:54.896: ISAKMP (0:134217759): received packet from 10.141.10.1 dport 500 sport 500 Global (I) QM_IDLE
May 26 11:14:54.896: ISAKMP:(0:31:SW:1): processing HASH payload. message ID = -1087210433
May 26 11:14:54.900: ISAKMP:(0:31:SW:1): processing SA payload. message ID = -1087210433
May 26 11:14:54.900: ISAKMP:(0:31:SW:1):Checking IPSec proposal 1
May 26 11:14:54.900: ISAKMP: transform 1, ESP_3DES
May 26 11:14:54.900: ISAKMP: attributes in transform:
May 26 11:14:54.900: ISAKMP: encaps is 1 (Tunnel)
May 26 11:14:54.900: ISAKMP: SA life type in seconds
May 26 11:14:54.900: ISAKMP: SA life duration (VPI) of 0x0 0x1 0x51 0x80
May 26 11:14:54.900: ISAKMP: SA life type in kilobytes
May 26 11:14:54.900: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
May 26 11:14:54.900: ISAKMP: authenticator is HMAC-MD5
May 26 11:14:54.900: ISAKMP:(0:31:SW:1):atts are acceptable.
May 26 11:14:54.900: ISAKMP:(0:31:SW:1): processing NONCE payload. message ID = -1087210433
May 26 11:14:54.900: ISAKMP:(0:31:SW:1): processing ID payload. message ID = -1087210433
May 26 11:14:54.900: ISAKMP:(0:31:SW:1): processing ID payload. message ID = -1087210433
May 26 11:14:54.900: ISAKMP: Locking peer struct 0x66271C54, IPSEC refcount 1 for for stuff_ke
May 26 11:14:54.900: ISAKMP:(0:31:SW:1): Creating IPSec SAs
May 26 11:14:54.900: inbound SA from 10.141.10.1 to 10.141.10.13 (f/i) 0/ 0
(proxy 10.141.10.1 to 10.141.10.13)
May 26 11:14:54.900: has spi 0x565FB5B3 and conn_id 0 and flags 2
May 26 11:14:54.900: lifetime of 86400 seconds
May 26 11:14:54.900: lifetime of 4608000 kilobytes
May 26 11:14:54.904: has client flags 0x0
May 26 11:14:54.904: outbound SA from 10.141.10.13 to 10.141.10.1 (f/i) 0/0
(proxy 10.141.10.13 to 10.141.10.1)
May 26 11:14:54.904: has spi 1861909975 and conn_id 0 and flags A
May 26 11:14:54.904: lifetime of 86400 seconds
May 26 11:14:54.904: lifetime of 4608000 kilobytes
May 26 11:14:54.904: has client flags 0x0
May 26 11:14:54.904: ISAKMP:(0:31:SW:1): sending packet to 10.141.10.1 my_port 500 peer_port 500 (I) QM_IDLE
May 26 11:14:54.904: ISAKMP:(0:31:SW:1):deleting node -1087210433 error FALSE reason "No Error"
May 26 11:14:54.904: ISAKMP:(0:31:SW:1):Node -1087210433, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
May 26 11:14:54.904: ISAKMP:(0:31:SW:1):Old State = IKE_QM_I_QM1 New State = IKE_QM_PHASE2_COMPLETE
May 26 11:14:54.904: ISAKMP: Locking peer struct 0x66271C54, IPSEC refcount 2 for from create_transforms
May 26 11:14:54.904: ISAKMP: Unlocking IPSEC struct 0x66271C54 from create_transforms, count 1
May 26 11:15:40.911: ISAKMP:(0:30:SW:1):purging node -596953946
May 26 11:15:40.911: ISAKMP:(0:30:SW:1):purging node 68796087
May 26 11:15:44.899: ISAKMP:(0:31:SW:1):purging node -1087210433
May 26 11:15:50.919: ISAKMP:(0:30:SW:1):purging SA., sa=661832A8, delme=661832A8
May 26 11:18:37.820: ISAKMP (0:134217759): received packet from 10.141.10.1 dport 500 sport 500 Global (I) QM_IDLE
May 26 11:18:37.820: ISAKMP: set new node -467164272 to QM_IDLE
May 26 11:18:37.824: ISAKMP:(0:31:SW:1): processing HASH payload. message ID = -467164272
May 26 11:18:37.824: ISAKMP:(0:31:SW:1): processing DELETE payload. message ID = -467164272
May 26 11:18:37.824: ISAKMP:(0:31:SW:1):peer does not do paranoid keepalives.
May 26 11:18:37.824: ISAKMP:(0:31:SW:1):deleting node -467164272 error FALSE reason "Informational (in) state 1"
May 26 11:18:37.824: ISAKMP (0:134217759): received packet from 10.141.10.1 dport 500 sport 500 Global (I) QM_IDLE
May 26 11:18:37.824: ISAKMP: set new node -485344748 to QM_IDLE
May 26 11:18:37.824: ISAKMP:(0:31:SW:1): processing HASH payload. message ID = -485344748
May 26 11:18:37.824: ISAKMP:received payload type 18
May 26 11:18:37.824: ISAKMP:(0:31:SW:1): processing DELETE_WITH_REASON payload, message ID = -485344748, reason: Unknown delete reason!
May 26 11:18:37.824: ISAKMP:(0:31:SW:1):peer does not do paranoid keepalives.
May 26 11:18:37.824: ISAKMP:(0:31:SW:1):deleting SA reason "P1 delete notify (in)" state (I) QM_IDLE (peer 10.141.10.1)
May 26 11:18:37.824: ISAKMP:(0:31:SW:1):deleting node -485344748 error FALSE reason "Informational (in) state 1"
May 26 11:18:37.828: ISAKMP: Unlocking IPSEC struct 0x66271C54 from delete_siblings, count 0
May 26 11:18:37.828: ISAKMP: set new node 1355382028 to QM_IDLE
May 26 11:18:37.828: ISAKMP:(0:31:SW:1): sending packet to 10.141.10.1 my_port 500 peer_port 500 (I) QM_IDLE
May 26 11:18:37.828: ISAKMP:(0:31:SW:1):purging node 1355382028
May 26 11:18:37.828: ISAKMP:(0:31:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
May 26 11:18:37.828: ISAKMP:(0:31:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
May 26 11:18:37.832: ISAKMP:(0:31:SW:1):deleting SA reason "No reason" state (I) QM_IDLE (peer 10.141.10.1)
May 26 11:18:37.832: ISAKMP:(0:0:N/A:0):Can't decrement IKE Call Admisstion Control stat outgoing_active since it's already 0.
May 26 11:18:37.832: ISAKMP: Unlocking IKE struct 0x66271C54 for isadb_mark_sa_deleted(), count 0
May 26 11:18:37.832: ISAKMP: Deleting peer node by peer_reap for 10.141.10.1: 66271C54
May 26 11:18:37.832: ISAKMP:(0:31:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
May 26 11:18:37.832: ISAKMP:(0:31:SW:1):Old State = IKE_DEST_SA New State = IKE_DEST_SA
May 26 11:18:54.962: ISAKMP: received ke message (1/1)
May 26 11:18:54.962: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)
May 26 11:18:54.962: ISAKMP: Created a peer struct for 10.141.10.1, peer port 500
May 26 11:18:54.962: ISAKMP: New peer created peer = 0x65BAAFEC peer_handle = 0x80000021
May 26 11:18:54.962: ISAKMP: Locking peer struct 0x65BAAFEC, IKE refcount 1 for isakmp_initiator
May 26 11:18:54.962: ISAKMP: local port 500, remote port 500
May 26 11:18:54.962: ISAKMP: set new node 0 to QM_IDLE
May 26 11:18:54.962: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 662B7E58
May 26 11:18:54.962: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode.
May 26 11:18:54.962: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 10.141.10.1
May 26 11:18:54.962: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID
May 26 11:18:54.962: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID
May 26 11:18:54.962: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID
May 26 11:18:54.962: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
May 26 11:18:54.962: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_I_MM1
May 26 11:18:54.962: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange
May 26 11:18:54.962: ISAKMP:(0:0:N/A:0): sending packet to 10.141.10.1 my_port 500 peer_port 500 (I) MM_NO_STATE
May 26 11:18:55.002: ISAKMP (0:0): received packet from 10.141.10.1 dport 500 sport 500 Global (I) MM_NO_STATE
May 26 11:18:55.002: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
May 26 11:18:55.002: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1 New State = IKE_I_MM2
May 26 11:18:55.002: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0
May 26 11:18:55.002: ISAKMP:(0:0:N/A:0): processing vendor id payload
May 26 11:18:55.002: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 245 mismatch
May 26 11:18:55.002: ISAKMP (0:0): vendor ID is NAT-T v7
May 26 11:18:55.002: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 10.141.10.1
May 26 11:18:55.002: ISAKMP:(0:0:N/A:0): local preshared key found
May 26 11:18:55.002: ISAKMP : Scanning profiles for xauth ...
May 26 11:18:55.002: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 1 policy
May 26 11:18:55.002: ISAKMP: encryption 3DES-CBC
May 26 11:18:55.002: ISAKMP: hash MD5
May 26 11:18:55.002: ISAKMP: default group 2
May 26 11:18:55.002: ISAKMP: auth pre-share
May 26 11:18:55.002: ISAKMP: life type in seconds
May 26 11:18:55.002: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
May 26 11:18:55.002: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0
May 26 11:18:55.058: ISAKMP:(0:32:SW:1): processing vendor id payload
May 26 11:18:55.058: ISAKMP:(0:32:SW:1): vendor ID seems Unity/DPD but major 245 mismatch
May 26 11:18:55.058: ISAKMP (0:134217760): vendor ID is NAT-T v7
May 26 11:18:55.058: ISAKMP:(0:32:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
May 26 11:18:55.058: ISAKMP:(0:32:SW:1):Old State = IKE_I_MM2 New State = IKE_I_MM2
May 26 11:18:55.062: ISAKMP:(0:32:SW:1): sending packet to 10.141.10.1 my_port 500 peer_port 500 (I) MM_SA_SETUP
May 26 11:18:55.062: ISAKMP:(0:32:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
May 26 11:18:55.062: ISAKMP:(0:32:SW:1):Old State = IKE_I_MM2 New State = IKE_I_MM3
May 26 11:18:55.098: ISAKMP (0:134217760): received packet from 10.141.10.1 dport 500 sport 500 Global (I) MM_SA_SETUP
May 26 11:18:55.098: ISAKMP:(0:32:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
May 26 11:18:55.098: ISAKMP:(0:32:SW:1):Old State = IKE_I_MM3 New State = IKE_I_MM4
May 26 11:18:55.098: ISAKMP:(0:32:SW:1): processing KE payload. message ID = 0
May 26 11:18:55.166: ISAKMP:(0:32:SW:1): processing NONCE payload. message ID = 0
May 26 11:18:55.166: ISAKMP:(0:32:SW:1):found peer pre-shared key matching 10.141.10.1
May 26 11:18:55.166: ISAKMP:(0:32:SW:1):SKEYID state generated
May 26 11:18:55.170: ISAKMP:(0:32:SW:1): processing vendor id payload
May 26 11:18:55.170: ISAKMP:(0:32:SW:1): vendor ID is Unity
May 26 11:18:55.170: ISAKMP:(0:32:SW:1): processing vendor id payload
May 26 11:18:55.170: ISAKMP:(0:32:SW:1): vendor ID is DPD
May 26 11:18:55.170: ISAKMP:(0:32:SW:1): processing vendor id payload
May 26 11:18:55.170: ISAKMP:(0:32:SW:1): speaking to another IOS box!
May 26 11:18:55.170: ISAKMP:(0:32:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
May 26 11:18:55.170: ISAKMP:(0:32:SW:1):Old State = IKE_I_MM4 New State = IKE_I_MM4
May 26 11:18:55.170: ISAKMP:(0:32:SW:1):Send initial contact
May 26 11:18:55.170: ISAKMP:(0:32:SW:1):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
May 26 11:18:55.174: ISAKMP (0:134217760): ID payload
next-payload : 8
type : 1
address : 10.141.10.13
protocol : 17
port : 500
length : 12
May 26 11:18:55.174: ISAKMP:(0:32:SW:1):Total payload length: 12
May 26 11:18:55.174: ISAKMP:(0:32:SW:1): sending packet to 10.141.10.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
May 26 11:18:55.174: ISAKMP:(0:32:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
May 26 11:18:55.174: ISAKMP:(0:32:SW:1):Old State = IKE_I_MM4 New State = IKE_I_MM5
May 26 11:18:55.202: ISAKMP (0:134217760): received packet from 10.141.10.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
May 26 11:18:55.206: ISAKMP:(0:32:SW:1): processing ID payload. message ID = 0
May 26 11:18:55.206: ISAKMP (0:134217760): ID payload
next-payload : 8
type : 1
address : 10.141.10.1
protocol : 17
port : 500
length : 12
May 26 11:18:55.206: ISAKMP:(0:32:SW:1):: peer matches *none* of the profiles
May 26 11:18:55.206: ISAKMP:(0:32:SW:1): processing HASH payload. message ID = 0
May 26 11:18:55.206: ISAKMP:(0:32:SW:1):SA authentication status:
authenticated
May 26 11:18:55.206: ISAKMP:(0:32:SW:1):SA has been authenticated with 10.141.10.1
May 26 11:18:55.206: ISAKMP: Trying to insert a peer 10.141.10.13/10.141.10.1/500/, and inserted successfully 65BAAFEC.
May 26 11:18:55.206: ISAKMP:(0:32:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
May 26 11:18:55.206: ISAKMP:(0:32:SW:1):Old State = IKE_I_MM5 New State = IKE_I_MM6
May 26 11:18:55.206: ISAKMP:(0:32:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
May 26 11:18:55.206: ISAKMP:(0:32:SW:1):Old State = IKE_I_MM6 New State = IKE_I_MM6
May 26 11:18:55.206: ISAKMP:(0:32:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
May 26 11:18:55.206: ISAKMP:(0:32:SW:1):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
May 26 11:18:55.210: ISAKMP:(0:32:SW:1):beginning Quick Mode exchange, M-ID of 517495394
May 26 11:18:55.210: ISAKMP:(0:32:SW:1): sending packet to 10.141.10.1 my_port 500 peer_port 500 (I) QM_IDLE
May 26 11:18:55.210: ISAKMP:(0:32:SW:1):Node 517495394, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
May 26 11:18:55.210: ISAKMP:(0:32:SW:1):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
May 26 11:18:55.210: ISAKMP:(0:32:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
May 26 11:18:55.210: ISAKMP:(0:32:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
May 26 11:18:55.246: ISAKMP (0:134217760): received packet from 10.141.10.1 dport 500 sport 500 Global (I) QM_IDLE
May 26 11:18:55.246: ISAKMP:(0:32:SW:1): processing HASH payload. message ID = 517495394
May 26 11:18:55.246: ISAKMP:(0:32:SW:1): processing SA payload. message ID = 517495394
May 26 11:18:55.246: ISAKMP:(0:32:SW:1):Checking IPSec proposal 1
May 26 11:18:55.246: ISAKMP: transform 1, ESP_3DES
May 26 11:18:55.246: ISAKMP: attributes in transform:
May 26 11:18:55.246: ISAKMP: encaps is 1 (Tunnel)
May 26 11:18:55.246: ISAKMP: SA life type in seconds
May 26 11:18:55.246: ISAKMP: SA life duration (VPI) of 0x0 0x1 0x51 0x80
May 26 11:18:55.246: ISAKMP: SA life type in kilobytes
May 26 11:18:55.246: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
May 26 11:18:55.246: ISAKMP: authenticator is HMAC-MD5
May 26 11:18:55.246: ISAKMP:(0:32:SW:1):atts are acceptable.
May 26 11:18:55.246: ISAKMP:(0:32:SW:1): processing NONCE payload. message ID = 517495394
May 26 11:18:55.246: ISAKMP:(0:32:SW:1): processing ID payload. message ID = 517495394
May 26 11:18:55.246: ISAKMP:(0:32:SW:1): processing ID payload. message ID = 517495394
May 26 11:18:55.250: ISAKMP: Locking peer struct 0x65BAAFEC, IPSEC refcount 1 for for stuff_ke
May 26 11:18:55.250: ISAKMP:(0:32:SW:1): Creating IPSec SAs
May 26 11:18:55.250: inbound SA from 10.141.10.1 to 10.141.10.13 (f/i) 0/ 0
(proxy 10.141.10.1 to 10.141.10.13)
May 26 11:18:55.250: has spi 0x677D14B2 and conn_id 0 and flags 2
May 26 11:18:55.250: lifetime of 86400 seconds
May 26 11:18:55.250: lifetime of 4608000 kilobytes
May 26 11:18:55.250: has client flags 0x0
May 26 11:18:55.250: outbound SA from 10.141.10.13 to 10.141.10.1 (f/i) 0/0
(proxy 10.141.10.13 to 10.141.10.1)
May 26 11:18:55.250: has spi 35145355 and conn_id 0 and flags A
May 26 11:18:55.250: lifetime of 86400 seconds
May 26 11:18:55.250: lifetime of 4608000 kilobytes
May 26 11:18:55.250: has client flags 0x0
May 26 11:18:55.250: ISAKMP:(0:32:SW:1): sending packet to 10.141.10.1 my_port 500 peer_port 500 (I) QM_IDLE
May 26 11:18:55.250: ISAKMP:(0:32:SW:1):deleting node 517495394 error FALSE reason "No Error"
May 26 11:18:55.250: ISAKMP:(0:32:SW:1):Node 517495394, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
May 26 11:18:55.250: ISAKMP:(0:32:SW:1):Old State = IKE_QM_I_QM1 New State = IKE_QM_PHASE2_COMPLETE
May 26 11:18:55.254: ISAKMP: Locking peer struct 0x65BAAFEC, IPSEC refcount 2 for from create_transforms
May 26 11:18:55.254: ISAKMP: Unlocking IPSEC struct 0x65BAAFEC from create_transforms, count 1
Thanks for the help you can lend
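The debug output above is easier to read as a timeline per IKE SA. The following is an added example, not part of the original post: it parses a few lines copied from that output and reports how long SA 31 lived, which side tore it down, and how long the spoke was without an SA. The function names are hypothetical, the year is assumed from the post date, and the "(in)" suffix in the delete reason is read as a delete notification received from the peer.

```python
import re
from datetime import datetime

# Lines copied from the spoke's debug output in the post above (IKE SAs 31 and 32).
SAMPLE_LOG = """\
May 26 11:14:54.860: ISAKMP:(0:31:SW:1):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
May 26 11:14:54.864: ISAKMP:(0:31:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
May 26 11:14:54.904: ISAKMP:(0:31:SW:1):Old State = IKE_QM_I_QM1 New State = IKE_QM_PHASE2_COMPLETE
May 26 11:18:37.824: ISAKMP:(0:31:SW:1): processing DELETE payload. message ID = -467164272
May 26 11:18:37.824: ISAKMP:(0:31:SW:1):deleting SA reason "P1 delete notify (in)" state (I) QM_IDLE (peer 10.141.10.1)
May 26 11:18:37.828: ISAKMP:(0:31:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
May 26 11:18:37.832: ISAKMP:(0:31:SW:1):deleting SA reason "No reason" state (I) QM_IDLE (peer 10.141.10.1)
May 26 11:18:54.962: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange
May 26 11:18:55.206: ISAKMP:(0:32:SW:1):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
May 26 11:18:55.250: ISAKMP:(0:32:SW:1):Old State = IKE_QM_I_QM1 New State = IKE_QM_PHASE2_COMPLETE
"""

# "<timestamp>: ISAKMP:(<x>:<sa id>:<engine>:<n>):<message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}\.\d+): "
    r"ISAKMP:\s*\(\d+:(?P<sa>\d+):[^)]*\):?\s*(?P<msg>.*)$"
)
STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
DELETE_RE = re.compile(r'deleting SA reason "([^"]+)" state \S+ \S+ \(peer ([\d.]+)\)')

FIELDS = ("phase1_up", "phase2_up", "deleted", "reason", "peer", "torn_down_by", "lived_s")


def sa_lifetimes(log_text, year=2014):
    """Return {sa_id: record} with establishment and teardown times per IKE SA.

    The debug timestamps carry no year; 2014 is assumed from the post date.
    """
    sas = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        # Lines logged before an SA number is assigned carry 0 in this log.
        if not m or m["sa"] == "0":
            continue
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S.%f")
        sa = sas.setdefault(int(m["sa"]), dict.fromkeys(FIELDS))

        state = STATE_RE.search(m["msg"])
        if state:
            old, new = state.groups()
            # Ignore the P1_COMPLETE -> P1_COMPLETE self-transition.
            if new == "IKE_P1_COMPLETE" and old != new and sa["phase1_up"] is None:
                sa["phase1_up"] = when
            elif new == "IKE_QM_PHASE2_COMPLETE" and sa["phase2_up"] is None:
                sa["phase2_up"] = when

        delete = DELETE_RE.search(m["msg"])
        if delete and sa["deleted"] is None:  # the first delete reason is the cause
            sa["deleted"] = when
            sa["reason"], sa["peer"] = delete.groups()
            # Assumption: "(in)" marks a delete notify received from the peer.
            sa["torn_down_by"] = "peer" if sa["reason"].endswith("(in)") else "local"

    for sa in sas.values():
        if sa["phase1_up"] and sa["deleted"]:
            sa["lived_s"] = (sa["deleted"] - sa["phase1_up"]).total_seconds()
    return sas


def reestablish_gap(sas, old_id, new_id):
    """Seconds between teardown of one SA and phase 1 completion of the next."""
    return (sas[new_id]["phase1_up"] - sas[old_id]["deleted"]).total_seconds()


if __name__ == "__main__":
    result = sa_lifetimes(SAMPLE_LOG)
    for sa_id, rec in sorted(result.items()):
        print(sa_id, rec["lived_s"], rec["torn_down_by"], rec["reason"], rec["peer"])
    print("gap:", reestablish_gap(result, 31, 32))
```

When the teardown is attributed to the peer, the hub's own debug output for the same timestamps is where the reason for the delete will be logged.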
05-27-2014 02:51 PM
Duplicate post.
Go here: https://supportforums.cisco.com/discussion/12215736/problems-vpn-router-asr-1000
05-28-2014 09:09 AM
If you're not going to give a solution, do not answer me.
06-04-2014 07:06 AM
Hello
I see a couple of possible misconfigurations between the hub and spoke(s)
Try and apply the following:
HUB
=====
ip tcp adjust-mss 1360
no ip next-hop-self eigrp 100
tunnel key 0
ip nhrp authentication PASSWORD
spoke
========
no crypto isakmp key 6 $IPROOT$ address 10.141.10.1
crypto isakmp key 6 $IPROOT$ address 0.0.0.0 0.0.0.0
ip mtu 1400
ip tcp adjust-mss 1360
no tunnel destination 10.141.10.1
tunnel mode gre multipoint
tunnel key 0
ip nhrp authentication PASSWORD
res
Paul
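The hub/spoke comparison behind the reply above can be done mechanically. The following is an added example, not part of the thread: it takes the relevant lines of the hub and spoke configuration from the first post, lists the settings that differ between the two, and separately lists the legacy algorithms (3DES, MD5, DH group 2) both sides negotiate. The function names and the choice of compared settings are assumptions of this example.

```python
# Relevant lines of the hub and spoke configuration from the first post.
HUB = """\
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto ipsec transform-set $VPNNET$ esp-3des esp-md5-hmac
crypto ipsec profile GREVPN
set security-association lifetime seconds 86400
set transform-set $VPNNET$
interface Tunnel0
ip address 10.190.1.1 255.255.255.0
ip mtu 1400
ip nhrp map multicast dynamic
ip nhrp network-id 10
ip tcp adjust-mss 1360
tunnel source 10.141.10.1
tunnel mode gre multipoint
tunnel protection ipsec profile GREVPN
"""

SPOKE = """\
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto ipsec transform-set $VPNNET$ esp-3des esp-md5-hmac
crypto ipsec profile GREVPN
set security-association lifetime seconds 86400
set transform-set $VPNNET$
interface Tunnel0
ip address 10.190.1.2 255.255.255.0
ip mtu 1480
ip nhrp map multicast 10.141.10.1
ip nhrp network-id 10
ip nhrp nhs 10.190.1.1
tunnel source 10.141.10.13
tunnel destination 10.141.10.1
tunnel protection ipsec profile GREVPN
"""

# Settings compared between hub and spoke (command prefix -> rest of the line).
KEYS = [
    "ip mtu", "ip tcp adjust-mss", "tunnel mode", "tunnel destination",
    "tunnel key", "ip nhrp network-id", "ip nhrp authentication",
    "encr", "hash", "group", "crypto ipsec transform-set",
    "set security-association lifetime seconds",
]

LEGACY_LINES = {"encr 3des", "hash md5", "group 2"}   # IKE phase 1 policy
LEGACY_TRANSFORMS = {"esp-3des", "esp-md5-hmac"}      # IPsec transform set


def settings(config):
    """Map each compared command prefix to its argument string, if present."""
    found = {}
    for raw in config.splitlines():
        line = raw.strip()
        for key in KEYS:
            if line.startswith(key + " "):
                found[key] = line[len(key):].strip()
    return found


def hub_spoke_differences(hub, spoke):
    """Return (setting, hub_value, spoke_value) for every setting that differs.

    None means the command is absent on that side (the IOS default applies).
    """
    h, s = settings(hub), settings(spoke)
    return [(k, h.get(k), s.get(k)) for k in KEYS if h.get(k) != s.get(k)]


def legacy_algorithms(config):
    """Return the sorted legacy algorithm keywords configured on one router."""
    hits = set()
    for raw in config.splitlines():
        line = raw.strip()
        if line in LEGACY_LINES:
            hits.add(line)
        elif line.startswith("crypto ipsec transform-set "):
            hits.update(t for t in line.split() if t in LEGACY_TRANSFORMS)
    return sorted(hits)


if __name__ == "__main__":
    for name, hub_val, spoke_val in hub_spoke_differences(HUB, SPOKE):
        print(f"{name:20} hub={hub_val!r:18} spoke={spoke_val!r}")
    print("legacy on hub:  ", legacy_algorithms(HUB))
    print("legacy on spoke:", legacy_algorithms(SPOKE))
```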
06-04-2014 07:43 AM
Hello Paul Driver
Thanks for answering me.
I did as it told me, but still lift the VPN. Without the VPN as I said before, I do ping spoke.
Jun 4 14:31:43.071: ISAKMP: Unlocking IPSEC struct 0x65CC5CB0 from delete_siblings, count 1
Jun 4 14:31:43.071: ISAKMP: received ke message (3/1)
Jun 4 14:31:43.071: ISAKMP: set new node 515332146 to QM_IDLE
Jun 4 14:31:43.071: ISAKMP:(0:2:SW:1): sending packet to 10.141.10.1 my_port 500 peer_port 500 (I) QM_IDLE
Jun 4 14:31:43.071: ISAKMP:(0:2:SW:1):purging node 515332146
Jun 4 14:31:43.071: ISAKMP:(0:2:SW:1):Input = IKE_MESG_FROM_IPSEC, IKE_PHASE2_DEL
Jun 4 14:31:43.071: ISAKMP:(0:2:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Jun 4 14:31:47.071: ISAKMP:(0:2:SW:1):purging node -746539650
Jun 4 14:31:50.402: ISAKMP (0:134217730): received packet from 10.141.10.1 dport 500 sport 500 Global (I) QM_IDLE
Jun 4 14:31:50.406: ISAKMP: set new node -1119127387 to QM_IDLE
Jun 4 14:31:50.406: ISAKMP:(0:2:SW:1): processing HASH payload. message ID = -1119127387
Jun 4 14:31:50.406: ISAKMP:(0:2:SW:1): processing DELETE payload. message ID = -1119127387
Jun 4 14:31:50.406: ISAKMP:(0:2:SW:1):peer does not do paranoid keepalives.
Jun 4 14:31:50.406: ISAKMP:(0:2:SW:1):deleting node -1119127387 error FALSE reason "Informational (in) state 1"
Jun 4 14:31:50.406: ISAKMP (0:134217730): received packet from 10.141.10.1 dport 500 sport 500 Global (I) QM_IDLE
Jun 4 14:31:50.406: ISAKMP: set new node 455556831 to QM_IDLE
Jun 4 14:31:50.406: ISAKMP:(0:2:SW:1): processing HASH payload. message ID = 455556831
Jun 4 14:31:50.406: ISAKMP:received payload type 18
Jun 4 14:31:50.406: ISAKMP:(0:2:SW:1): processing DELETE_WITH_REASON payload, message ID = 455556831, reason: Unknown delete reason!
Jun 4 14:31:50.406: ISAKMP:(0:2:SW:1):peer does not do paranoid keepalives.
Jun 4 14:31:50.406: ISAKMP:(0:2:SW:1):deleting SA reason "P1 delete notify (in)" state (I) QM_IDLE (peer 10.141.10.1)
Jun 4 14:31:50.406: ISAKMP:(0:2:SW:1):deleting node 455556831 error FALSE reason "Informational (in) state 1"
Jun 4 14:31:50.410: ISAKMP: Unlocking IPSEC struct 0x65CC5CB0 from delete_siblings, count 0
Jun 4 14:31:50.410: ISAKMP: set new node -1971206576 to QM_IDLE
Jun 4 14:31:50.410: ISAKMP:(0:2:SW:1): sending packet to 10.141.10.1 my_port 500 peer_port 500 (I) QM_IDLE
Jun 4 14:31:50.410: ISAKMP:(0:2:SW:1):purging node -1971206576
Jun 4 14:31:50.410: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Jun 4 14:31:50.410: ISAKMP:(0:2:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
Jun 4 14:31:50.414: ISAKMP:(0:2:SW:1):deleting SA reason "No reason" state (I) QM_IDLE (peer 10.141.10.1)
Jun 4 14:31:50.414: ISAKMP:(0:0:N/A:0):Can't decrement IKE Call Admisstion Control stat outgoing_active since it's already 0.
Jun 4 14:31:50.414: ISAKMP: Unlocking IKE struct 0x65CC5CB0 for isadb_mark_sa_deleted(), count 0
Jun 4 14:31:50.414: ISAKMP: Deleting peer node by peer_reap for 10.141.10.1: 65CC5CB0
Jun 4 14:31:50.414: ISAKMP:(0:2:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jun 4 14:31:50.414: ISAKMP:(0:2:SW:1):Old State = IKE_DEST_SA New State = IKE_DEST_SA
Jun 4 14:31:57.038: ISAKMP: received ke message (1/1)
Jun 4 14:31:57.038: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)
Jun 4 14:31:57.038: ISAKMP: Created a peer struct for 10.141.10.1, peer port 500
Jun 4 14:31:57.038: ISAKMP: New peer created peer = 0x65F72440 peer_handle = 0x80000004
Jun 4 14:31:57.038: ISAKMP: Locking peer struct 0x65F72440, IKE refcount 1 for isakmp_initiator
Jun 4 14:31:57.038: ISAKMP: local port 500, remote port 500
Jun 4 14:31:57.038: ISAKMP: set new node 0 to QM_IDLE
Jun 4 14:31:57.038: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 65E07C94
Jun 4 14:31:57.038: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode.
Jun 4 14:31:57.038: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 10.141.10.1
Jun 4 14:31:57.038: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID
Jun 4 14:31:57.038: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID
Jun 4 14:31:57.038: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID
Jun 4 14:31:57.038: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Jun 4 14:31:57.038: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_I_MM1
Jun 4 14:31:57.038: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange
Jun 4 14:31:57.042: ISAKMP:(0:0:N/A:0): sending packet to 10.141.10.1 my_port 500 peer_port 500 (I) MM_NO_STATE
Jun 4 14:31:57.202: ISAKMP (0:0): received packet from 10.141.10.1 dport 500 sport 500 Global (I) MM_NO_STATE
Jun 4 14:31:57.202: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jun 4 14:31:57.202: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1 New State = IKE_I_MM2
Jun 4 14:31:57.202: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0
Jun 4 14:31:57.202: ISAKMP:(0:0:N/A:0): processing vendor id payload
Jun 4 14:31:57.202: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 245 mismatch
Jun 4 14:31:57.202: ISAKMP (0:0): vendor ID is NAT-T v7
Jun 4 14:31:57.202: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 10.141.10.1
Jun 4 14:31:57.206: ISAKMP:(0:0:N/A:0): local preshared key found
Jun 4 14:31:57.206: ISAKMP : Scanning profiles for xauth ...
Jun 4 14:31:57.206: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 1 policy
Jun 4 14:31:57.206: ISAKMP: encryption 3DES-CBC
Jun 4 14:31:57.206: ISAKMP: hash MD5
Jun 4 14:31:57.206: ISAKMP: default group 2
Jun 4 14:31:57.206: ISAKMP: auth pre-share
Jun 4 14:31:57.206: ISAKMP: life type in seconds
Jun 4 14:31:57.206: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Jun 4 14:31:57.206: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0
Jun 4 14:31:57.258: ISAKMP:(0:3:SW:1): processing vendor id payload
Jun 4 14:31:57.258: ISAKMP:(0:3:SW:1): vendor ID seems Unity/DPD but major 245 mismatch
Jun 4 14:31:57.258: ISAKMP (0:134217731): vendor ID is NAT-T v7
Jun 4 14:31:57.262: ISAKMP:(0:3:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jun 4 14:31:57.262: ISAKMP:(0:3:SW:1):Old State = IKE_I_MM2 New State = IKE_I_MM2
Jun 4 14:31:57.262: ISAKMP:(0:3:SW:1): sending packet to 10.141.10.1 my_port 500 peer_port 500 (I) MM_SA_SETUP
Jun 4 14:31:57.262: ISAKMP:(0:3:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jun 4 14:31:57.262: ISAKMP:(0:3:SW:1):Old State = IKE_I_MM2 New State = IKE_I_MM3
Jun 4 14:31:57.350: ISAKMP (0:134217731): received packet from 10.141.10.1 dport 500 sport 500 Global (I) MM_SA_SETUP
Jun 4 14:31:57.354: ISAKMP:(0:3:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jun 4 14:31:57.354: ISAKMP:(0:3:SW:1):Old State = IKE_I_MM3 New State = IKE_I_MM4
Jun 4 14:31:57.354: ISAKMP:(0:3:SW:1): processing KE payload. message ID = 0
Jun 4 14:31:57.422: ISAKMP:(0:3:SW:1): processing NONCE payload. message ID = 0
Jun 4 14:31:57.422: ISAKMP:(0:3:SW:1):found peer pre-shared key matching 10.141.10.1
Jun 4 14:31:57.426: ISAKMP:(0:3:SW:1):SKEYID state generated
Jun 4 14:31:57.426: ISAKMP:(0:3:SW:1): processing vendor id payload
Jun 4 14:31:57.426: ISAKMP:(0:3:SW:1): vendor ID is Unity
Jun 4 14:31:57.426: ISAKMP:(0:3:SW:1): processing vendor id payload
Jun 4 14:31:57.426: ISAKMP:(0:3:SW:1): vendor ID is DPD
Jun 4 14:31:57.426: ISAKMP:(0:3:SW:1): processing vendor id payload
Jun 4 14:31:57.426: ISAKMP:(0:3:SW:1): speaking to another IOS box!
Jun 4 14:31:57.426: ISAKMP:(0:3:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jun 4 14:31:57.426: ISAKMP:(0:3:SW:1):Old State = IKE_I_MM4 New State = IKE_I_MM4
Jun 4 14:31:57.426: ISAKMP:(0:3:SW:1):Send initial contact
Jun 4 14:31:57.426: ISAKMP:(0:3:SW:1):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Jun 4 14:31:57.430: ISAKMP (0:134217731): ID payload
next-payload : 8
type : 1
address : 10.141.10.13
protocol : 17
port : 500
length : 12
Jun 4 14:31:57.430: ISAKMP:(0:3:SW:1):Total payload length: 12
Jun 4 14:31:57.430: ISAKMP:(0:3:SW:1): sending packet to 10.141.10.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Jun 4 14:31:57.430: ISAKMP:(0:3:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jun 4 14:31:57.430: ISAKMP:(0:3:SW:1):Old State = IKE_I_MM4 New State = IKE_I_MM5
Jun 4 14:31:57.738: ISAKMP (0:134217731): received packet from 10.141.10.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
Jun 4 14:31:57.738: ISAKMP:(0:3:SW:1): processing ID payload. message ID = 0
Jun 4 14:31:57.738: ISAKMP (0:134217731): ID payload
next-payload : 8
type : 1
address : 10.141.10.1
protocol : 17
port : 500
length : 12
Jun 4 14:31:57.738: ISAKMP:(0:3:SW:1):: peer matches *none* of the profiles
Jun 4 14:31:57.738: ISAKMP:(0:3:SW:1): processing HASH payload. message ID = 0
Jun 4 14:31:57.738: ISAKMP:(0:3:SW:1):SA authentication status:
authenticated
Jun 4 14:31:57.738: ISAKMP:(0:3:SW:1):SA has been authenticated with 10.141.10.1
Jun 4 14:31:57.738: ISAKMP:(0:3:SW:1):IKE_DPD is enabled, initializing timers
Jun 4 14:31:57.738: ISAKMP: Trying to insert a peer 10.141.10.13/10.141.10.1/500/, and inserted successfully 65F72440.
Jun 4 14:31:57.738: ISAKMP:(0:3:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jun 4 14:31:57.738: ISAKMP:(0:3:SW:1):Old State = IKE_I_MM5 New State = IKE_I_MM6
Jun 4 14:31:57.738: ISAKMP:(0:3:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jun 4 14:31:57.738: ISAKMP:(0:3:SW:1):Old State = IKE_I_MM6 New State = IKE_I_MM6
Jun 4 14:31:57.742: ISAKMP:(0:3:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jun 4 14:31:57.742: ISAKMP:(0:3:SW:1):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
Jun 4 14:31:57.742: ISAKMP:(0:3:SW:1):beginning Quick Mode exchange, M-ID of -76061614
Jun 4 14:31:57.742: ISAKMP:(0:3:SW:1): sending packet to 10.141.10.1 my_port 500 peer_port 500 (I) QM_IDLE
Jun 4 14:31:57.742: ISAKMP:(0:3:SW:1):Node -76061614, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Jun 4 14:31:57.742: ISAKMP:(0:3:SW:1):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
Jun 4 14:31:57.746: ISAKMP:(0:3:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Jun 4 14:31:57.746: ISAKMP:(0:3:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Jun 4 14:31:58.106: ISAKMP (0:134217731): received packet from 10.141.10.1 dport 500 sport 500 Global (I) QM_IDLE
Jun 4 14:31:58.110: ISAKMP:(0:3:SW:1): processing HASH payload. message ID = -76061614
Jun 4 14:31:58.110: ISAKMP:(0:3:SW:1): processing SA payload. message ID = -76061614
Jun 4 14:31:58.110: ISAKMP:(0:3:SW:1):Checking IPSec proposal 1
Jun 4 14:31:58.110: ISAKMP: transform 1, ESP_3DES
Jun 4 14:31:58.110: ISAKMP: attributes in transform:
Jun 4 14:31:58.110: ISAKMP: encaps is 1 (Tunnel)
Jun 4 14:31:58.110: ISAKMP: SA life type in seconds
Jun 4 14:31:58.110: ISAKMP: SA life duration (basic) of 120
Jun 4 14:31:58.110: ISAKMP: SA life type in kilobytes
Jun 4 14:31:58.110: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
Jun 4 14:31:58.110: ISAKMP: authenticator is HMAC-SHA
Jun 4 14:31:58.110: ISAKMP:(0:3:SW:1):atts are acceptable.
Jun 4 14:31:58.110: ISAKMP:(0:3:SW:1): processing NONCE payload. message ID = -76061614
Jun 4 14:31:58.110: ISAKMP:(0:3:SW:1): processing ID payload. message ID = -76061614
Jun 4 14:31:58.110: ISAKMP:(0:3:SW:1): processing ID payload. message ID = -76061614
Jun 4 14:31:58.110: ISAKMP: Locking peer struct 0x65F72440, IPSEC refcount 1 for for stuff_ke
Jun 4 14:31:58.110: ISAKMP:(0:3:SW:1): Creating IPSec SAs
Jun 4 14:31:58.114: inbound SA from 10.141.10.1 to 10.141.10.13 (f/i) 0/ 0
(proxy 10.141.10.1 to 10.141.10.13)
Jun 4 14:31:58.114: has spi 0x6AE01706 and conn_id 0 and flags 2
Jun 4 14:31:58.114: lifetime of 120 seconds
Jun 4 14:31:58.114: lifetime of 4608000 kilobytes
Jun 4 14:31:58.114: has client flags 0x0
Jun 4 14:31:58.114: outbound SA from 10.141.10.13 to 10.141.10.1 (f/i) 0/0
(proxy 10.141.10.13 to 10.141.10.1)
Jun 4 14:31:58.114: has spi -1683084853 and conn_id 0 and flags A
Jun 4 14:31:58.114: lifetime of 120 seconds
Jun 4 14:31:58.114: lifetime of 4608000 kilobytes
Jun 4 14:31:58.114: has client flags 0x0
Jun 4 14:31:58.114: ISAKMP:(0:3:SW:1): sending packet to 10.141.10.1 my_port 500 peer_port 500 (I) QM_IDLE
Jun 4 14:31:58.114: ISAKMP:(0:3:SW:1):deleting node -76061614 error FALSE reason "No Error"
Jun 4 14:31:58.114: ISAKMP:(0:3:SW:1):Node -76061614, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Jun 4 14:31:58.114: ISAKMP:(0:3:SW:1):Old State = IKE_QM_I_QM1 New State = IKE_QM_PHASE2_COMPLETE
Jun 4 14:31:58.114: ISAKMP: Locking peer struct 0x65F72440, IPSEC refcount 2 for from create_transforms
Jun 4 14:31:58.114: ISAKMP: Unlocking IPSEC struct 0x65F72440 from create_transforms, count 1
Jun 4 14:32:00.761: ISAKMP:(0:2:SW:1):purging node 379003309
HUB------------------------------
!
interface Tunnel0
ip address 10.190.1.1 255.255.255.0
no ip redirects
ip mtu 1400
ip flow ingress
ip nhrp authentication PASSWORD
ip nhrp map multicast dynamic
ip nhrp network-id 10
ip nhrp holdtime 600
ip nhrp registration timeout 30
no ip split-horizon eigrp 100
ip tcp adjust-mss 1360
qos pre-classify
tunnel source FastEthernet0/1/3.775
tunnel mode gre multipoint
tunnel key 10
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key 6 $IPROOT$ address 0.0.0.0 0.0.0.0
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10
!
crypto ipsec security-association replay disable
!
crypto ipsec transform-set $VPNNET$ esp-3des esp-sha-hmac
!
crypto ipsec profile GREVPN
set security-association lifetime seconds 120
set transform-set $VPNNET$
!
Spoke-----------------------------------------
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key $IPROOT$ address 0.0.0.0 0.0.0.0
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10
!
crypto ipsec security-association replay disable
!
crypto ipsec transform-set $VPNNET$ esp-3des esp-sha-hmac
!
crypto ipsec profile GREVPN
set security-association lifetime seconds 120
set transform-set $VPNNET$
!
interface Tunnel0
bandwidth 1024
ip address 10.190.1.2 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication PASSWORD
ip nhrp map multicast 10.141.10.1
ip nhrp map 10.190.1.1 10.141.10.1
ip nhrp network-id 10
ip nhrp holdtime 600
ip nhrp nhs 10.190.1.1
ip nhrp registration timeout 30
ip route-cache flow
ip tcp adjust-mss 1360
qos pre-classify
tunnel source FastEthernet0/1.775
tunnel mode gre multipoint
tunnel key 10
tunnel protection ipsec profile GREVPN
!
If you have any additional recommendations, I would appreciate them.
regards,
06-04-2014 08:06 AM
Hello
What routing are you using to reach the internal networks?
Also can you post the output of these show commands:
sh crypto ipsec sa
sh crypto isakmp sa
sh dmvpn detail
sh ip nhrp
res
Paul
06-04-2014 08:17 AM
Hello
I would like to talk to you about something, I have this same configuration in a backup link with a 3845 router and it is working without any problem.
sh crypto isakmp sa
dst src state conn-id slot status
10.141.10.1 10.141.10.13 QM_IDLE 13 0 ACTIVE
sh crypto ipsec sa
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 10.141.10.13
protected vrf: (none)
local ident (addr/mask/prot/port): (10.141.10.13/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (10.141.10.1/255.255.255.255/47/0)
current_peer 10.141.10.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 174, #pkts encrypt: 174, #pkts digest: 174
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 12, #recv errors 0
local crypto endpt.: 10.141.10.13, remote crypto endpt.: 10.141.10.1
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1.775
current outbound spi: 0xDCE6326B(3706073707)
inbound esp sas:
spi: 0xECB44BAF(3971238831)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 3004, flow_id: FPGA:4, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4403252/55)
IV size: 8 bytes
replay detection support: N
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xDCE6326B(3706073707)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 3003, flow_id: FPGA:3, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4403251/55)
IV size: 8 bytes
replay detection support: N
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
sh ip nhrp
10.190.1.1/32 via 10.190.1.1, Tunnel0 created 00:55:29, never expire
Type: static, Flags: authoritative used
NBMA address: 10.141.10.1
sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket, T1 - Route Installed
T2 - next-hop-override
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
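The spoke's `sh crypto ipsec sa` output above shows 174 packets encapsulated, 0 decapsulated and 12 send errors while both SAs are ACTIVE. The following is an added example, not part of any post in this thread, that reads those counters and flags one-way SAs; the sample text is a trimmed copy of the output above, and the function names are hypothetical.

```python
import re

# Constructed sample: trimmed from the spoke's "sh crypto ipsec sa" output in this thread.
SAMPLE = """\
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 10.141.10.13
local ident (addr/mask/prot/port): (10.141.10.13/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (10.141.10.1/255.255.255.255/47/0)
current_peer 10.141.10.1 port 500
#pkts encaps: 174, #pkts encrypt: 174, #pkts digest: 174
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors 12, #recv errors 0
"""

# Only the four counters needed to judge traffic direction and errors.
COUNTER = re.compile(r"#(pkts encaps|pkts decaps|send errors|recv errors):? (\d+)")

def parse_sa_counters(text):
    """Return {peer_ip: {counter_name: value}} for each current_peer block."""
    peers, current = {}, None
    for line in text.splitlines():
        m = re.search(r"current_peer (\S+)", line)
        if m:
            current = peers.setdefault(m.group(1), {})
            continue
        if current is not None:
            for name, value in COUNTER.findall(line):
                current[name] = int(value)
    return peers

def diagnose(counters):
    """Turn one peer's counters into a list of human-readable findings."""
    findings = []
    enc = counters.get("pkts encaps", 0)
    dec = counters.get("pkts decaps", 0)
    if enc > 0 and dec == 0:
        findings.append("one-way: encrypting but nothing decrypted from peer")
    elif dec > 0 and enc == 0:
        findings.append("one-way: decrypting but nothing sent to peer")
    elif enc == 0 and dec == 0:
        findings.append("idle: SA up but no traffic in either direction")
    for key in ("send errors", "recv errors"):
        if counters.get(key, 0):
            findings.append(f"{counters[key]} {key}")
    return findings

if __name__ == "__main__":
    for peer, counters in parse_sa_counters(SAMPLE).items():
        print(peer, diagnose(counters))
```

Running the same check against the hub's output for this peer shows whether the spoke's ESP packets arrive there at all.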
06-04-2014 08:47 AM
Hello
All looks okay now from a configuration perspective, but you don't say if you are dynamically routing, advertising the inside physical interface and tunnel IP addresses - I would suggest using EIGRP and disabling split horizon and next hop on the hub
and also apply this:
crypto ipsec transform-set strong esp-3des esp-md5-hmac
mode transport
res
Paul
06-04-2014 08:48 AM
Hello Paul
Add the following settings:
crypto ipsec transform-set $VPNNET$ esp-3des esp-md5-hmac
mode transport
!
But the VPN is still not coming up :-(
I still think it may be the IOS
Thanks