DMVPN Issues - IPsec packets

Ashley Pilbeam
Level 1

Hi All,

I am currently trying to configure DMVPN for the first time. I have been following the Cisco config guide and googling a few other bits; however, I seem to have hit a brick wall.

The setup is in a lab environment, so I can post as much info as required, but here are the important bits:

I have 3 Cisco 2821 routers running IOS 12.4(15) with a Layer 3 switch in the middle connecting the "WAN" ports together. The routing is working fine; I can ping each router from each other router.

A few snippets from the hub router config:

crypto ipsec transform-set DMVPN_SET esp-3des esp-md5-hmac
!
crypto ipsec profile DMVPN_PRJ
 set transform-set DMVPN_SET
!
interface Tunnel0
 bandwidth 10000
 ip address 172.17.100.1 255.255.255.0
 no ip redirects
 ip mtu 1500
 ip nhrp authentication secretid
 ip nhrp map multicast dynamic
 ip nhrp network-id 101
 ip nhrp holdtime 450
 ip tcp adjust-mss 1460
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 10101
 tunnel protection ipsec profile DMVPN_PRJ
!
interface GigabitEthernet0/0
 description HQ WAN
 ip address 1.1.1.1 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!

and here's the config on the first spoke router:

crypto ipsec transform-set DMVPN_SET esp-3des esp-md5-hmac
!
crypto ipsec profile DMVPN_PRJ
 set transform-set DMVPN_SET
!
interface Tunnel0
 bandwidth 3000
 ip address 172.17.100.10 255.255.255.0
 no ip redirects
 ip mtu 1500
 ip nhrp authentication secretid
 ip nhrp map 172.17.100.1 1.1.1.1
 ip nhrp map multicast 1.1.1.1
 ip nhrp network-id 101
 ip nhrp holdtime 450
 ip nhrp nhs 172.17.100.1
 ip tcp adjust-mss 1460
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 10101
 tunnel protection ipsec profile DMVPN_PRJ
!
interface GigabitEthernet0/0
 description Site 1 WAN
 ip address 11.11.11.1 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!

If I shut/no shut the Tunnel0 interface on spoke 1, I get the following error on the hub router:

Mar 30 13:41:17.075: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
        (ip) vrf/dest_addr= /1.1.1.1, src_addr= 11.11.11.1, prot= 47

so I feel I'm missing some config on the spoke side to encrypt the traffic, but I'm not sure what.

The following are outputs from the spoke router:

RTR_SITE1#sh dmvpn detail
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer

-------------- Interface Tunnel0 info: --------------
Intf. is up, Line Protocol is up, Addr. is 172.17.100.10
   Source addr: 11.11.11.1, Dest addr: MGRE
  Protocol/Transport: "multi-GRE/IP", Protect "DMVPN_PRJ",
Tunnel VRF "", ip vrf forwarding ""
NHRP Details: NHS:       172.17.100.1  E
Type:Spoke, NBMA Peers:1
# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network
----- --------------- --------------- ----- -------- ----- -----------------
    1         1.1.1.1    172.17.100.1   IKE    never S       172.17.100.1/32

Interface: Tunnel0
Session: [0x48E31B98]
  Crypto Session Status: DOWN
  fvrf: (none),   IPSEC FLOW: permit 47 host 11.11.11.1 host 1.1.1.1
        Active SAs: 0, origin: crypto map
   Outbound SPI : 0x       0, transform :
    Socket State: Closed

Pending DMVPN Sessions:

RTR_SITE1#sh ip nhrp detail
172.17.100.1/32 via 172.17.100.1, Tunnel0 created 00:33:44, never expire
  Type: static, Flags: used
  NBMA address: 1.1.1.1

RTR_SITE1#sh crypto ipsec sa
interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 11.11.11.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (11.11.11.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/47/0)
   current_peer 1.1.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 46, #recv errors 0

     local crypto endpt.: 11.11.11.1, remote crypto endpt.: 1.1.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

All of these commands show up blank when I run them on the hub router.

Any help appreciated.

Thanks

Accepted Solution

The no negotiate is because you don't have an IKE key set up. You need

crypto isakmp policy 1
 encr (whatever)
 authentication pre-share
 group (whatever)
crypto isakmp key 0 (some secret) address 0.0.0.0 0.0.0.0

Hub and spoke have to match.

Also your IPsec transform-set should have "mode transport".

Sent from Cisco Technical Support iPad App

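Putting the accepted answer together with the hub and spoke configs posted above gives the following. This is an added example, not config from the thread: it keeps the poster's addresses (hub WAN 1.1.1.1, spoke WAN 11.11.11.1, tunnel 172.17.100.0/24, NHRP network-id 101, tunnel key 10101) and the esp-3des/esp-md5-hmac transform set, and it also folds in the MTU/MSS point raised further down. The ISAKMP policy number, DH group and the PSK value are placeholders chosen here, not values from the page.

```cisco
! --- Added example, not from the thread. Hub and spoke addresses are the ones
! --- posted above; REPLACE_WITH_STRONG_PSK is a placeholder.
!
! ===== HUB =====
crypto isakmp policy 10
 encr 3des
 hash sha
 authentication pre-share
 group 2
!
! The hub learns spoke NBMA addresses dynamically via NHRP, so it cannot key per
! peer. Note what the wildcard means: any host that holds this key can complete
! IKE with the hub, so the key must be long and random.
crypto isakmp key 0 REPLACE_WITH_STRONG_PSK address 0.0.0.0 0.0.0.0
!
! "mode transport" is the fix the accepted answer refers to. The default is
! tunnel mode; transport mode drops the extra 20-byte IP header, which is what
! DMVPN's GRE-over-IPsec expects.
crypto ipsec transform-set DMVPN_SET esp-3des esp-md5-hmac
 mode transport
!
crypto ipsec profile DMVPN_PRJ
 set transform-set DMVPN_SET
!
interface Tunnel0
 ip address 172.17.100.1 255.255.255.0
 no ip redirects
! Outer IP (20) + ESP header/IV/trailer/ICV + GRE with key (8) is up to 65 bytes
! for 3DES/MD5 and more for AES/SHA; 1400/1360 is the usual conservative pair.
! MSS = ip mtu - 20 (IP) - 20 (TCP).
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication secretid
 ip nhrp map multicast dynamic
 ip nhrp network-id 101
 ip nhrp holdtime 450
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 10101
 tunnel protection ipsec profile DMVPN_PRJ
!
! ===== SPOKE (site 1) =====
crypto isakmp policy 10
 encr 3des
 hash sha
 authentication pre-share
 group 2
!
! The spoke knows the hub's address, so its key can be scoped to 1.1.1.1 rather
! than 0.0.0.0. If direct spoke-to-spoke tunnels are wanted, the spoke also
! needs a key entry covering the other spokes (or the wildcard).
crypto isakmp key 0 REPLACE_WITH_STRONG_PSK address 1.1.1.1
!
crypto ipsec transform-set DMVPN_SET esp-3des esp-md5-hmac
 mode transport
!
crypto ipsec profile DMVPN_PRJ
 set transform-set DMVPN_SET
!
interface Tunnel0
 ip address 172.17.100.10 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication secretid
 ip nhrp map 172.17.100.1 1.1.1.1
 ip nhrp map multicast 1.1.1.1
 ip nhrp network-id 101
 ip nhrp holdtime 450
 ip nhrp nhs 172.17.100.1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 10101
 tunnel protection ipsec profile DMVPN_PRJ
```

After this is applied on both ends, `show crypto isakmp sa` on the spoke should show the 1.1.1.1 peer in QM_IDLE, and `show dmvpn` should move the hub entry from state IKE to UP; the `#pkts encaps` counter in `show crypto ipsec sa` then starts incrementing instead of the `#send errors` counter. 3DES and MD5 are kept here only because they are what the thread uses; where the IOS image supports it, esp-aes/esp-sha-hmac is the better choice.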

11 Replies

Jeff Van Houten
Level 5

Why do you have NAT outside on the WAN interfaces? Are you trying to configure NAT but have left that out of what you're showing? I'd start with the DMVPN config (which looks good) by itself and add NAT later.

Sent from Cisco Technical Support iPad App

Jeff Van Houten
Level 5

Also, these MTUs are too high. With GRE and IPsec you need to set the MTU to 1420 and the MSS to 1360.

Sent from Cisco Technical Support iPad App

Jeff Van Houten
Level 5

Sorry, MSS would be 1380.

Sent from Cisco Technical Support iPad App


Thanks for the help

I was following this guide: http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_DMVPN.html#wp1118625

I am using NAT; G0/1 on the routers is the LAN interface, with a different 10.x.x.x/24 on each router.

The isakmp policy solved my issue, and I fixed the MTU as well.

What do I need to add to allow the 10.x.x.x networks to use the tunnels to communicate? I can now ping each end of the tunnel from both routers, but not the LAN interfaces.

Thanks

Look for doc ID 41940.

Sent from Cisco Technical Support iPad App

Why do you want to NAT the traffic that is being tunneled? If there are distinct subnets on each end of the tunnel there's no reason to NAT.

Sent from Cisco Technical Support iPad App

To answer that last question: the doc ID I sent advocates running EIGRP to handle the routing. Get rid of the NAT, run a common EIGRP that advertises the 10.x and the 172.y/24 networks, and you should be fine. And make sure you have no auto-summary in your EIGRP config, since you're subnetting a class A address.

Sent from Cisco Technical Support iPad App

The first part of the project was creating 4 "sites" with internet access from the LAN, hence the NAT.

The second part is to add DMVPN into the mix, so I just built on the original config. I will look over the document and try things that way.

After you get the routing set up, DMVPN should work fine. The main thing on the NAT side is you're going to have to deny the traffic you don't want NATed (e.g., the traffic transiting the tunnel).

Sent from Cisco Technical Support iPad App
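The two points above (keep internet NAT but exempt tunnel traffic from it, and let EIGRP carry the LAN prefixes over the tunnel without auto-summary) as an added example, not config from the thread or from the referenced document. It assumes site 1's LAN is 10.1.1.0/24 on G0/1 and the hub's is 10.0.0.0/24, that every site LAN lies inside 10.0.0.0/8, and an EIGRP AS number of 100; none of those values appear on the page.

```cisco
! --- Added example, not from the thread. LAN subnets and EIGRP AS are assumed.
!
! ===== SPOKE (site 1) =====
interface GigabitEthernet0/1
 description Site 1 LAN
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
! Deny lines come first: LAN traffic bound for another site's 10.x/24 or for the
! tunnel subnet must leave untranslated, otherwise the far end sees the WAN
! address as the source and the return traffic never enters the tunnel.
! Everything else from the LAN is overloaded onto the existing "ip nat outside"
! WAN interface as before.
ip access-list extended NAT_LAN
 deny   ip 10.1.1.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 10.1.1.0 0.0.0.255 172.17.100.0 0.0.0.255
 permit ip 10.1.1.0 0.0.0.255 any
ip nat inside source list NAT_LAN interface GigabitEthernet0/0 overload
!
! EIGRP across Tunnel0 advertises the LAN; "no auto-summary" stops the 10.x/24s
! being collapsed into a single 10.0.0.0/8 at the classful boundary.
router eigrp 100
 network 10.1.1.0 0.0.0.255
 network 172.17.100.0 0.0.0.255
 no auto-summary
!
! ===== HUB =====
! Same NAT exemption pattern applies to the hub LAN. In addition, the hub must
! re-advertise routes learned from one spoke back out the same tunnel interface
! to the other spokes, and keep the originating spoke as next hop.
interface GigabitEthernet0/1
 description HQ LAN
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
ip access-list extended NAT_LAN
 deny   ip 10.0.0.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 10.0.0.0 0.0.0.255 172.17.100.0 0.0.0.255
 permit ip 10.0.0.0 0.0.0.255 any
ip nat inside source list NAT_LAN interface GigabitEthernet0/0 overload
!
interface Tunnel0
 no ip split-horizon eigrp 100
 no ip next-hop-self eigrp 100
!
router eigrp 100
 network 10.0.0.0 0.0.0.255
 network 172.17.100.0 0.0.0.255
 no auto-summary
```

To check it, `show ip route eigrp` on the spoke should list the hub's and the other sites' 10.x/24 prefixes via Tunnel0, and `show ip nat translations` should contain no entries whose inside global address was built for a 10.x destination; a 10.1.1.x to 10.0.0.x ping that works while `show ip nat statistics` hit counts stay flat confirms the exemption is matching.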

Thanks, I will give that a go over the weekend. Thinking about it, dynamic routing will probably help me when it comes to my next scenario, which uses ASAs alongside the routers.