cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
8755
Views
185
Helpful
31
Replies

DMVPN and L2TP (IPSec)

MrBeginner
Spotlight
Spotlight

Dear all,

I am trying to integrate DMVPN and L2TP because i have different vendor devices.I have two DC.DC1 (Spoke4 ) is using non cisco. DC2 is using cisco.my spoke site are need to connect DC1 and DC2 .so i mix DMVPN and l2tp(IPSEC) .Please see the below diagram.

I am using delay value to choose the tunnel priority.But if i integrate l2tp with DMVPN is down. Please see error log.

How can i solve this problem.DC1 l2TP is already running IPSEC in production.now i need to do DMVPN only.but i worry it will be conflict each other. Please advice how to avoid ? 

 

 

31 Replies 31

Hi,

The error you are receiving is usually when the identity of the peer does not match what is expected. As you are matching on a certificate map for the remote identity, have you tried specifying the local identity as DN rather than FQDN.

 

HTH

HI RJI,

i changed local fqdn to local dn. but still got error.Before applying  l2tP/IPSec from HUB to spoke by using VTI ,my dual home dmvpn is working fine. After applying l2tP/IPSec to spoke4 from HUB,dmvpn is down .Even though i already deleted VTI tunnel in HUB dmvpn is still down and show below message.

  • Please advice how to trouble shoot or which method can i use to advice this error ? 
  • Do i need to put no auto summary command in eigrp ?
  • I saw below message in ISP router.does it mean routing loop ?

*Feb 21 09:15:36.455: %BGP-5-NBR_RESET: Neighbor 110.110.110.1 reset (Peer close d the session)
*Feb 21 09:15:36.459: %BGP-5-ADJCHANGE: neighbor 110.110.110.1 Down Peer closed the session
*Feb 21 09:15:36.463: %BGP_SESSION-5-ADJCHANGE: neighbor 110.110.110.1 IPv4 Unic ast topology base removed from session Peer closed the session
*Feb 21 09:15:36.475: %BGP-5-NBR_RESET: Neighbor 150.150.150.1 reset (Peer close d the session)
*Feb 21 09:15:36.479: %BGP-5-ADJCHANGE: neighbor 150.150.150.1 Down Peer closed the session
*Feb 21 09:15:36.483: %BGP_SESSION-5-ADJCHANGE: neighbor 150.150.150.1 IPv4 Unic ast topology base removed from session Peer closed the session
*Feb 21 09:15:36.971: %BGP-5-ADJCHANGE: neighbor 150.150.150.1 Up
*Feb 21 09:15:36.975: %BGP-5-ADJCHANGE: neighbor 110.110.110.1 Up


Cbtme-Hub#
*Feb 21 10:19:29.347: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=110.110.110.1, prot=50, spi=0x93165353(2467713875), srcaddr=120.120.120.1, input interface=FastEthernet0/0

SPOKE 4 Config

cbtme-spoke4#sh run
ip domain name crypto.local
crypto pki trustpoint my-ca
enrollment terminal
serial-number none
fqdn cbtme-spoke4.crypto.local
ip-address none
subject-name cn=cbtme-spoke4.crypto.local
revocation-check none

crypto pki certificate map CERT-MAP 10
subject-name co crypto.local
crypto ikev2 proposal DMVPN-proposal
encryption aes-cbc-256
integrity sha256
group 14
!
crypto ikev2 policy DMVPN-POLICY
proposal DMVPN-proposal
!
crypto ikev2 profile DMVPN-PROF
match certificate CERT-MAP
identity local dn
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint my-ca
!
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
mode tunnel
!
crypto ipsec profile DMVPN-IPSEC
set transform-set DMVPN-TS
set ikev2-profile DMVPN-PROF
!
interface Tunnel1
ip address 2.2.2.20 255.255.255.0
tunnel source FastEthernet2/1
tunnel mode ipsec ipv4
tunnel destination 150.150.150.1
tunnel protection ipsec profile DMVPN-IPSEC
!
interface FastEthernet2/1
ip address 140.140.140.1 255.255.255.0
speed auto
duplex auto
!
router bgp 104
bgp log-neighbor-changes
network 140.140.140.1 mask 255.255.255.255
neighbor 140.140.140.2 remote-as 100
cbtme-spoke4#

 

 

Hi,
I've re-checked your configuration closer. On the Hub, your certificate maps in use on the IKEv2 profiles but they appear to be the same. Does that mean you are using the same CA for both tunnels? The problem appears to be the hub is unable to distinguish between the different tunnels.

You can either create another CA and create a key-pair on the Hub and Spoke, define a new certificate map and modify the IKEv2 profile accordingly. For testing to start with, use PSK for the VTI (use FQDN to identify both ends, make the identity different to the DMVPN identities) and get both the DMVPN and VTI working at the same time and then go from there.

HTH

Hi RJI,

Do you want me create two trust-point for HUB and Spoke ? 

i need to use VTI for one CA and DMVPN for one CA ,correct ?

I didn't know how use PSK for the VTI ? let me know ? PSK mean preshare key ? it is correct Preshare key is working. i got error in CA only.

can  i use same certificate authentication method for two CA ?

eg.

crypto pki certificate map DC1-MAP 10
subject-name co crypto.local

crypto pki certificate map DC2-MAP 11
subject-name co crypto.local

 

do i need to use different keypair for each CA ? i already created VTI links without keypair in production.

let me know can create two ca witout keypair  ? i need to create keypair in rsa key generate ? or i need to type command in trustpoint ? can i do without keypair ?

crypto key generate rsa modulus 2048 label test 

OR

crypto pki trustpoint my-ca

rsakeypair test

Hi, Yes PSK = Pre-shared key. When you say this worked, did you get the VTI and DMVPN working at the sametime? If yes, this it wanted to confirm, this would indicate the tunnel configuration is correct and the issue is related to the certificate matching.

 

In your example:-

 

crypto pki certificate map DC1-MAP 10

  subject-name co crypto.local

crypto pki certificate map DC2-MAP 11

 subject-name co crypto.local

 

....the subject is the same, so will never match the 2nd certificate match, so will therefore never match the other ikev2 profile.

 

If you need to use certificate authentication for the VTI, then use a seperate CA, with a unique subject-name (not crypto.local) so therefore the hub will be able to distiguish the correct certificate to use with the correct tunnel.

 

HTH

Hi ,

do i need to use different keypair for each CA ? i already created VTI links without keypair in production. so i am dificult to recreate trustpoint with keypair.

let me know can create two ca witout keypair  ? i need to create keypair in rsa key generate ? or i need to type command in trustpoint ? can i do without keypair ?

crypto key generate rsa modulus 2048 label test 

OR

crypto pki trustpoint my-ca

rsakeypair test

 

You advice to use unique subject name for VTI ? So i can still use  co =crypto.local for DMVPN ,Correct ?

i will double check for preshare and i will reply you.

Hi, Give me an hour and I'll lab it for you and give you the exact syntax.

Rob

Ok, configuration below. Bear in mind you can only run 1 CA on a Cisco router, therefore if the HUB is already the CA for the DMVPN you cannot create another CA on it. You would have to create the CA on the VTI spoke and enroll the HUB router.

 

Essentially all I have done it duplicate the same configuration but used DC2 instead of DC1, this is to make the configuration unique and therefore not match the wrong certificate map/ikev2 profile)

 

The configuration below is for the HUB

 

crypto key generate rsa usage-keys label DC1_CA modulus 2048 exportable

crypto key generate rsa usage-keys label DC2_CA modulus 2048 exportable

 

crypto pki trustpoint DC1_TP
rsakeypair DC1_CA

 

crypto pki certificate map DC1_MAP 10
issuer-name co dc1.local

 

crypto ipsec transform-set DC1_TSET esp-gcm
 mode tunnel

 

crypto ipsec profile DC1_IPSEC_PROFILE
 set transform-set DC1_TSET
 set ikev2-profile DC1_PROFILE

 

crypto ikev2 profile DC1_PROFILE
 match certificate DC1_MAP
 identity local dn
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint DC1_TP

 

-----------------------------------------------------

 

crypto pki trustpoint DC2_TP
 rsakeypair DC2_CA

 

crypto pki certificate map DC2_MAP 10

 issuer-name co dc2.local

crypto ipsec transform-set DC2_TSET esp-gcm
 mode tunnel

crypto ipsec profile DC2_IPSEC_PROFILE
 set transform-set DC2_TSET
 set ikev2-profile DC2_PROFILE

crypto ikev2 profile DC2_PROFILE
 match certificate DC2_MAP
 identity local dn
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint DC2_TP

 

The correct IPSec profile would then be configured under the appropriate Tunnel interface on the HUB router.

 

The HUB would have 2 certificates, one for use on the DMVPN the other for use with the VTI.

The VTI spoke would only have 1 certificate, for authentication with the HUB.


HTH

Hi ,

Thank you for your help.it is very useful and i got alot of knowledge.

In my scenario i am using MS CA. VTI to DC1 is already deployed in production. Customers want to integrate DC1 and DC2 with different scenario.Please below file is actual design in production. It may very complicate for me.Very painful to solved.Please let me know your advice.Every sites (DC1,DC2,Branches)have two tunnel DMVPN tunnel and VTI tunnel.DC two have 2xVTI and 1 DMVPN as HUB.

  • So as your advice above,do i need to install second CA in each sites ?
  • Do we have other way without using two CA ?
  • every sites is already running VTI tunnel.So can i create key pair for second DMVPN link only ?
  • if we are using MS CA server , this CA useful for your advice configuration ?

Hi ,

Thank you for your help.it is very useful and i got alot of knowledge.

In my scenario i am using MS CA. VTI to DC1 is already deployed in production. Customers want to integrate DC1 and DC2 with different scenario.Please below file is actual design in production. It may very complicate for me.Very painful to solved.Please let me know your advice.Every sites (DC1,DC2,Branches)have two tunnel DMVPN tunnel and VTI tunnel.DC two have 2xVTI and 1 DMVPN as HUB.

  • So as your advice above,do i need to install second CA in each sites ?
  • Do we have other way without using two CA ?
  • every sites is already running VTI tunnel.So can i create key pair for second DMVPN link only ?
  • if we are using MS CA server , this CA useful for your advice configuration ?

Hi,

Ok, I've figured out how to do it just using 1 CA on the HUB. If you configure the trustpoint on the DMVPN SPOKES with a unique value e.g. DMVPN, then on the HUB use the certificate map to match that to an IKEv2 Profile. For the VTI, just send the hostname of the device and match that against another certificate map.

 

HUB

crypto pki certificate map MAP_DMVPN 10
subject-name co dmvpn

crypto pki certificate map MAP_VTI 10
name co r5

 

crypto ikev2 profile DC1_PROFILE
match certificate MAP_DMVPN
pki trustpoint DC1_TP

crypto ikev2 profile DC2_PROFILE
match certificate MAP_VTI
pki trustpoint DC1_TP

DMVPN SPOKES

crypto pki trustpoint DC1_TP
 subject-name CN=R2.DMVPN
 rsakeypair DC1_CA

 

crypto pki certificate map MAP_DMVPN 10
 issuer-name co dc1.local

crypto ikev2 profile DC1_PROFILE
 match certificate MAP_DMVPN
 pki trustpoint DC1_TP

 

VTI

crypto pki trustpoint DC1_TP
 subject-name CN=R5.lab.local
 rsakeypair DC1_CA

 

HTH

hi ,

In your advice do i need to generate rsa key with label right ?

and can i do without keypair ? becaus i cannot generate two rsa key in on router .

when i import my ca in router i saw below message and i am using below trustpoint.

crypto pki trustpoint my-ca1
enrollment terminal
serial-number none
fqdn cbtme-hub.crypto.local
ip-address none
subject-name cn=dmvpn
revocation-check none
rsakeypair dmvpn

 

 


% The subject name in the certificate will include: cn=dmvpn
% The subject name in the certificate will include: cbtme-hub.crypto.local

 

Hi,

You can define 2 rsa key pairs on a router, you just need the label and then to reference the keypair in the trustpoint.

 

crypto key generate rsa usage-keys label DC1_CA modulus 2048 exportable
crypto key generate rsa usage-keys label DC2_CA modulus 2048 exportable


crypto pki trustpoint DC1_TP
subject-name CN=R2.DMVPN
rsakeypair DC1_CA

 

As it's creating an error don't add the FQDN, all we need for the matching is the subject name. The subject name needs to include something to uniquely identify itself - hence R2.dmvpn. For each of the dmvpn spokes the subject name would be different and includes it's router name e.g. r3.dmvpn or r4.dmvpn.

 

HTH

HI,

let me know can i do one trustpoint is without rsa key pair because my infra is already run with without keypair.

now i test with two CA ,two key pair and two trustpoint in lab. My dmvpn doen't up even thought without vti.

please see below attachment and let me know this what kind of error.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: