cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Join Customer Connection to register!
853
Views
5
Helpful
8
Replies

DMVPN IKEv2 Problem

Hello,

 

I'm trying to built DMVPN using IKEv2 Between ISR4431 and ISR4321, but tunnel is not establishing. With other devices (c1900, ISR4331) tunnels are successfully established, but not with ISR4321(IOS Version is isr4300-universalk9.03.16.04b.S.155-3.S4b-ext.SPA.bin). There are no errors except this one:

%IOSXE-3-PLATFORM: SIP0: cpp_cp: QFP:0.0 Thread:000 TS:00004016500595087206 %IPSEC-3-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet, dest_addr= *, src_addr= *, prot= 47

For test purposes I have tested IKEv1 and everything's works fine, tunnel successfully establish between 4431 and 4321, but  I want to use IKEv2. 

Is this problem a software bug? Or how I can solve this problem?

8 REPLIES 8
balaji.bandi
VIP Master

Code of ISR4321 is: isr4300-universalk9.03.16.04b.S.155-3.S4b-ext.SPA.bin

Code of ISR4431 is :isr4400-universalk9.16.06.04.SPA.bin

Hello,

 

post the full running configs of both sides...

MHM Cisco World
Collaborator

DMVPN IKEv2 meaning FlexVPN ?

Hello.

 

Please see the HUB configuration:

 

crypto ikev2 proposal Proporsal-1
encryption aes-cbc-256
integrity sha256
group 14
!
crypto ikev2 policy Policy-1
proposal Proporsal-1
!
crypto ikev2 keyring Keyring-1
peer Spoke-0
address 149.*.*.*
pre-shared-key local *
pre-shared-key remote *
!
peer Spoke-1
address 77.*.*.*
pre-shared-key local *
pre-shared-key remote *
!
peer Spoke-2
address 92.*.*.*
pre-shared-key local *
pre-shared-key remote *
!
peer Spoke-3
address 185.*.*.*
pre-shared-key local *
pre-shared-key remote *
!
!
!
crypto ikev2 profile Profile-1
match identity remote address 149.*.*.* 255.255.255.255
match identity remote address 77.*.*.* 255.255.255.255
match identity remote address 92.*.*.* 255.255.255.255
match identity remote address 185.*.*.* 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local Keyring-1

 

 

crypto ipsec transform-set TS-1 esp-aes 256 esp-sha256-hmac
mode transport require

 

crypto ipsec profile IPSEC_Profile-1
set transform-set TS-1
set ikev2-profile Profile-1

 

interface Tunnel255
description Hub-1
ip address 172.31.100.254 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication *pass
ip nhrp network-id 255
ip tcp adjust-mss 1360
tunnel source 95.*.*.*
tunnel mode gre multipoint
tunnel key 255
tunnel protection ipsec profile IPSEC_Profile-1

 

router eigrp EIGRP-1
!
address-family ipv4 unicast autonomous-system 950
!
af-interface default
passive-interface
exit-af-interface
!
af-interface Tunnel255
no passive-interface
exit-af-interface
!
af-interface Port-channel19.901
no passive-interface
exit-af-interface
!
topology base
exit-af-topology
network 172.31.100.0 0.0.0.255
eigrp router-id 253.253.253.253
exit-address-family

 

 

Spoke Configuration:

IKE\EIGRP Configuration is the same (was done by cntrl+c cntrl+v)

 

interface Tunnel255
description Spoke-1
ip address 172.31.100.252 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication *pass
ip nhrp map multicast 95.*.*.*
ip nhrp map 172.31.100.254 95.*.*.*
ip nhrp network-id 255
ip nhrp nhs 172.31.100.254
ip tcp adjust-mss 1360
tunnel source 185.*.*.*
tunnel destination 95.*.*.*
tunnel key 255
tunnel protection ipsec profile IPSEC_Profile-1

 

MHM Cisco World
Collaborator

I have only one note here in Hub and Spoke please only config the local identity and try again. 

sadist001
Beginner

.

Hello,

 

on the hub tunnel interface, you need to disable split horizon and next hop self. Add the lines marked in bold to your EIGRP config:

 

router eigrp EIGRP-1
!
address-family ipv4 unicast autonomous-system 950
!
af-interface default
passive-interface
exit-af-interface
!
af-interface Tunnel255
no passive-interface
--> no split-horizon
--> no next-hop-self no-ecmp-mode
exit-af-interface