DMVPN on Dual Stack Hub Site

thomas.busse
Level 1

Hi,

I have a Dual Stacked DMVPN Hub site. VPN for either IPv4 or IPv6 is working properly, but not both at the same time.

If the IPv4 Peers connect first, then the IPv6 Peers are unable to form an IPsec security association, and the other way around. Crypto ISAKMP Phase 1 is built correctly.

A "show crypto ipsec sa" on the Hub shows only SAs for the kind of Peers that connected first. A "show crypto ipsec sa" on the Spoke that is unable to form a security association with the Hub shows a security association, but with no proposals and rising send error counters:

Spoke (IPv4) SA

interface: Tunnel1
    Crypto map tag: My-Profile-v4-head-1, local addr 2.2.2.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (2.2.2.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/47/0)
   current_peer 1.1.1.1 port 500
     PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 23255, #recv errors 0

     local crypto endpt.: 2.2.2.1, remote crypto endpt.: 1.1.1.1
     plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb (none)
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)

I'm running IOS Version 15.3(2)T. Is there some kind of known bug and/or a workaround for this?

Interface Configuration

interface GigabitEthernet0
 description ** Outside **
 ip address 1.1.1.1 255.255.255.0
 duplex auto
 speed auto
 ipv6 address 2001:1:1:1::1/64

Crypto Configuration

crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
crypto isakmp key cisco address 0.0.0.0 no-xauth
crypto isakmp key cisco address ipv6 ::/0 no-xauth
crypto isakmp keepalive 10 periodic
crypto ipsec transform-set My-Set esp-aes 256 esp-sha512-hmac
 mode tunnel
crypto ipsec profile My-Profile-v4
 description ** IPsec Profile fuer IPv4 Peers **
 set transform-set My-Set
 set pfs group2
crypto ipsec profile My-Profile-v6
 description ** IPsec Profile fuer IPv6 Peers **
 set transform-set My-Set
 set pfs group2

Tunnel Configuration

interface Tunnel1
 description ** DMVPN Intranet IPv4 **
 bandwidth 1000
 ip vrf forwarding VPN
 ip address 10.0.10.1 255.255.255.0
 no ip redirects
 ip mtu 1416
 no ip next-hop-self eigrp 65351
 no ip split-horizon eigrp 65351
 ip pim sparse-mode
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp holdtime 360
 ip nhrp shortcut
 ip nhrp redirect
 ip tcp adjust-mss 1360
 load-interval 30
 shutdown
 keepalive 10 3
 tunnel source GigabitEthernet0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile My-Profile-v4 shared
!
interface Tunnel2
 description ** DMVPN Intranet IPv6 **
 bandwidth 1000
 ip vrf forwarding VPN
 ip address 10.0.12.1 255.255.255.0
 ip mtu 1416
 no ip next-hop-self eigrp 65351
 no ip split-horizon eigrp 65351
 ip pim sparse-mode
 ip nhrp map multicast dynamic
 ip nhrp network-id 2
 ip nhrp holdtime 360
 ip nhrp shortcut
 ip nhrp redirect
 ip tcp adjust-mss 1360
 load-interval 30
 keepalive 10 3
 tunnel source GigabitEthernet0
 tunnel mode gre multipoint ipv6
 tunnel key 2
 tunnel protection ipsec profile My-Profile-v6 shared

Regards,

Thomas
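
The spoke output in the question can be triaged mechanically. The following Python script is an added example, not part of the original post: it parses "show crypto ipsec sa" text into one entry per peer and flags the pattern shown above (flags containing ipsec_sa_request_sent, no ESP SAs in either direction, outbound SPI 0x0 and a non-zero send-error counter), which means the IPsec SA was requested but never negotiated while traffic to that peer is being dropped. The STUCK sample is constructed from the spoke output above; the ESTABLISHED sample is a constructed healthy counterpart with placeholder SPI values.

```python
"""Triage helper for "show crypto ipsec sa" output (added example, not from the post)."""
import re

# Constructed sample, reduced from the spoke output in the question.
STUCK = """\
interface: Tunnel1
    Crypto map tag: My-Profile-v4-head-1, local addr 2.2.2.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (2.2.2.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/47/0)
   current_peer 1.1.1.1 port 500
     PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #send errors 23255, #recv errors 0
     current outbound spi: 0x0(0)
     inbound esp sas:
     inbound ah sas:
     outbound esp sas:
     outbound ah sas:
"""

# Constructed "healthy" sample for contrast; SPI values are placeholders.
ESTABLISHED = """\
interface: Tunnel1
   protected vrf: (none)
   current_peer 1.1.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #send errors 0, #recv errors 0
     current outbound spi: 0xDEADBEEF(3735928559)
     inbound esp sas:
      spi: 0x1A2B3C4D(439041101)
        transform: esp-256-aes esp-sha512-hmac ,
     outbound esp sas:
      spi: 0xDEADBEEF(3735928559)
        transform: esp-256-aes esp-sha512-hmac ,
"""


def parse_ipsec_sa(text):
    """Return one dict per "protected vrf" entry with the fields triage needs."""
    entries, cur, section, interface = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface:"):
            interface = line.split(":", 1)[1].strip()
        elif line.startswith("protected vrf:"):
            cur = {"interface": interface, "peer": None, "flags": set(), "send_errors": 0,
                   "outbound_spi": 0, "inbound_esp": 0, "outbound_esp": 0}
            entries.append(cur)
            section = None
        elif cur is None:
            continue
        elif m := re.match(r"current_peer (\S+) port \d+", line):
            cur["peer"] = m.group(1)
        elif m := re.search(r"flags=\{([^}]*)\}", line):
            cur["flags"] = {f for f in m.group(1).split(",") if f}
        elif m := re.match(r"#send errors (\d+)", line):
            cur["send_errors"] = int(m.group(1))
        elif m := re.match(r"current outbound spi: 0x([0-9A-Fa-f]+)", line):
            cur["outbound_spi"] = int(m.group(1), 16)
        elif m := re.match(r"(inbound|outbound) (esp|ah|pcp) sas:", line):
            section = f"{m.group(1)}_{m.group(2)}"  # "spi:" lines that follow belong here
        elif section in ("inbound_esp", "outbound_esp") and line.startswith("spi:"):
            cur[section] += 1
    return entries


def triage(entries):
    """Classify each peer entry as (peer, state, reason)."""
    results = []
    for e in entries:
        if e["peer"] is None:  # truncated trailing "protected vrf" block, nothing to say
            continue
        if e["inbound_esp"] and e["outbound_esp"] and e["outbound_spi"]:
            results.append((e["peer"], "established", "ESP SAs present in both directions"))
        elif "ipsec_sa_request_sent" in e["flags"] and e["outbound_spi"] == 0:
            reason = "IPsec SA requested but never negotiated (no ESP SAs, outbound SPI 0x0)"
            if e["send_errors"]:
                reason += f"; {e['send_errors']} send errors, traffic to this peer is dropped"
            results.append((e["peer"], "stuck_negotiating", reason))
        else:
            results.append((e["peer"], "unknown", "inspect manually"))
    return results


if __name__ == "__main__":
    for label, sample in (("stuck", STUCK), ("established", ESTABLISHED)):
        print(label, triage(parse_ipsec_sa(sample)))
```

Run against the full output of a hub, the "stuck_negotiating" entries are exactly the peers of the address family that connected second, which is the symptom described above.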

1 Accepted Solution

Marcin Latosiewicz
Cisco Employee

Thomas,

Interesting design, I understand that you're testing this from dual stacked spoke?

I would like you to try a few things:

1) Absolutely remove "keepalive 10 3" from mGRE interfaces (with tunnel protection!)

It's not supported.

2) You are saying "shared" on profiles but in fact you're NOT sharing the profile, i.e. you're using two different profiles.

Seems odd. So here are my suggestions:

a) Either use same profile for both IPv6 and IPv4 tunnels OR

b) Use two separate profiles AND use different transform sets for both profiles (i.e. try using 3des instead of AES, since it's a lab test).

I can't find the reference at the moment, but I think option number 2 could be what you're looking for.

M.
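
The two checks in this reply can be applied mechanically to a running-config. The following Python linter is an added example, not from the post or from Cisco: it splits the config into interface blocks, flags a GRE keepalive on any mGRE interface that has tunnel protection (point 1), and reports interfaces that share a tunnel source and carry the shared keyword while pointing at different IPsec profiles (point 2). The sample config is constructed from the hub's Tunnel1/Tunnel2 above, reduced to the relevant lines; FIXED_CONFIG is the same config with the keepalive removed and one profile on both tunnels (option a). The shared-profile finding is a warning to review rather than an error, since a profile may legitimately be shared with a tunnel that is not in the snippet.

```python
"""Lint DMVPN tunnel interfaces for the two points raised in the reply above
(added example, not from the post or from Cisco)."""
from collections import defaultdict

# Constructed sample: the hub's Tunnel1/Tunnel2 from the question, reduced to the
# lines that matter, plus the outside interface to show that it is ignored.
SAMPLE_CONFIG = """\
interface GigabitEthernet0
 description ** Outside **
 ip address 1.1.1.1 255.255.255.0
 ipv6 address 2001:1:1:1::1/64
!
interface Tunnel1
 description ** DMVPN Intranet IPv4 **
 ip address 10.0.10.1 255.255.255.0
 keepalive 10 3
 tunnel source GigabitEthernet0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile My-Profile-v4 shared
!
interface Tunnel2
 description ** DMVPN Intranet IPv6 **
 ip address 10.0.12.1 255.255.255.0
 keepalive 10 3
 tunnel source GigabitEthernet0
 tunnel mode gre multipoint ipv6
 tunnel key 2
 tunnel protection ipsec profile My-Profile-v6 shared
!
"""

# Same config with the keepalive removed and one profile for both tunnels (option a).
FIXED_CONFIG = SAMPLE_CONFIG.replace(" keepalive 10 3\n", "").replace("My-Profile-v6", "My-Profile-v4")


def parse_interfaces(config):
    """Map interface name -> list of its sub-commands; '!' or a top-level line ends a block."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
    return interfaces


def lint_tunnels(config):
    """Return (interface, check, message) findings for mGRE interfaces with tunnel protection."""
    findings = []
    by_source = defaultdict(list)  # tunnel source -> [(interface, profile, shared?)]
    for name, cmds in parse_interfaces(config).items():
        mgre = any(c.startswith("tunnel mode gre multipoint") for c in cmds)
        prot = next((c for c in cmds if c.startswith("tunnel protection ipsec profile ")), None)
        if not (mgre and prot):
            continue  # not a protected mGRE (DMVPN) interface
        parts = prot.split()
        profile, shared = parts[4], "shared" in parts[5:]
        source = next((c.split(None, 2)[2] for c in cmds if c.startswith("tunnel source ")), None)
        # Point 1: GRE keepalive is not supported on mGRE interfaces with tunnel protection.
        if any(c.startswith("keepalive") for c in cmds):
            findings.append((name, "keepalive",
                             "GRE keepalive on an mGRE interface with tunnel protection; remove it"))
        by_source[source].append((name, profile, shared))
    # Point 2: 'shared' on interfaces that share a source but use different profiles.
    for source, members in by_source.items():
        profiles = sorted({p for _, p, _ in members})
        if len(members) < 2 or len(profiles) < 2:
            continue
        for name, profile, shared in members:
            if shared:
                findings.append((name, "shared-profile",
                                 f"'shared' set but tunnels on source {source} use different "
                                 f"profiles ({', '.join(profiles)}); use one profile or review"))
    return findings


if __name__ == "__main__":
    for cfg_name, cfg in (("original", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(cfg_name, lint_tunnels(cfg) or "no findings")
```

The linter reads the config text only, so it can be run on a "show running-config" capture before any change is pushed; feeding it the final hub configuration posted later in this thread (two profiles, no keepalive) leaves only the shared-profile warning, which is expected there because the profiles are also used by tunnels outside the snippet.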

6 Replies

Hello Marcin,

it is working now :-)

First I was running a dual stacked spoke as well, but now I am using one IPv4-only and one IPv6-only spoke. The ipsec profiles are "shared" because, besides the two tunnels shown, I have one more IPv4 and IPv6 Tunnel for Extranet use. The Spoke sites use "shared" as well, because they build a backup VPN Tunnel to a second Hub router.

I have removed the "keepalive 10 3" from my Tunnel interfaces and rebooted the routers and everything is working now.

Here are my final configurations:

Crypto

crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
crypto isakmp key cisco address 0.0.0.0 no-xauth
crypto isakmp key cisco address ipv6 ::/0 no-xauth
crypto isakmp keepalive 10 periodic
crypto ipsec transform-set My-Set esp-aes 256 esp-sha512-hmac
 mode tunnel
crypto ipsec profile My-Profile-v4
 description ** IPsec Profile fuer IPv4 Peers **
 set transform-set My-Set
 set pfs group2
crypto ipsec profile My-Profile-v6
 description ** IPsec Profile fuer IPv6 Peers **
 set transform-set My-Set
 set pfs group2

Tunnel Hub Dual Stacked

interface Tunnel1
 description ** DMVPN Intranet IPv4 **
 bandwidth 1000
 ip vrf forwarding VPN
 ip address 10.0.10.1 255.255.255.0
 no ip redirects
 ip mtu 1416
 no ip next-hop-self eigrp 65351
 no ip split-horizon eigrp 65351
 ip pim sparse-mode
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp holdtime 360
 ip nhrp shortcut
 ip nhrp redirect
 ip tcp adjust-mss 1360
 load-interval 30
 tunnel source GigabitEthernet0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile My-Profile-v4 shared
!
interface Tunnel2
 description ** DMVPN Intranet IPv6 **
 bandwidth 1000
 ip vrf forwarding VPN
 ip address 10.0.12.1 255.255.255.0
 ip mtu 1416
 no ip next-hop-self eigrp 65351
 no ip split-horizon eigrp 65351
 ip pim sparse-mode
 ip nhrp map multicast dynamic
 ip nhrp network-id 2
 ip nhrp holdtime 360
 ip nhrp shortcut
 ip nhrp redirect
 ip tcp adjust-mss 1360
 load-interval 30
 tunnel source GigabitEthernet0
 tunnel mode gre multipoint ipv6
 tunnel key 2
 tunnel protection ipsec profile My-Profile-v6 shared
end

Tunnel Spoke IPv4

interface Tunnel1
 description ** DMVPN Intranet IPv4 **
 ip vrf forwarding VPN
 ip address 10.0.10.2 255.255.255.0
 no ip redirects
 ip mtu 1416
 ip pim sparse-mode
 ip nhrp map 10.0.10.1 1.1.1.1
 ip nhrp map multicast 1.1.1.1
 ip nhrp network-id 1
 ip nhrp holdtime 360
 ip nhrp nhs 10.0.10.1
 ip nhrp shortcut
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source GigabitEthernet0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile My-Profile-v4 shared
end

Tunnel Spoke IPv6

interface Tunnel1
 description ** DMVPN Intranet IPv6 **
 ip vrf forwarding VPN
 ip address 10.0.12.2 255.255.255.0
 no ip redirects
 ip mtu 1416
 ip pim sparse-mode
 ip nhrp map 10.0.12.1 2001:1:1:1::1
 ip nhrp map multicast 2001:1:1:1::1
 ip nhrp network-id 2
 ip nhrp holdtime 360
 ip nhrp nhs 10.0.12.1
 ip nhrp shortcut
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source GigabitEthernet0
 tunnel mode gre multipoint ipv6
 tunnel key 2
 tunnel protection ipsec profile My-Profile-v6 shared
end

Thanks again

Thomas

Glad you got it to work.

You might want to think in the longer term about moving from DMVPN to FlexVPN for better IPv4 + IPv6 support.

As Marvin points out, Flex is a great alternative to DM, quite a powerful one.

It offers a lot of possibilities; however, platform dependencies may exist.

Get in touch with your SE and explain what the objectives are.

Reason: Certain features are still in the pipeline - new major things around FlexVPN and IPv6 are due to be present in the 3.11 ASR release, which should be 15.4T for regular IOS - ETA end of 2013.

Thanks Marcin.

Is there any documentation on the partner community about the Flex roadmap? I've not seen anything through our normal channels recently. Feel free to PM me if so.

Regards,

-Marvin

Marvin,

I didn't find recent materials from TMEs or the PM, quite puzzled about this one actually.

Best thing would be to check with SE.

What I'm waiting for:

- 3.10+ - IKEv1 and IKEv2 on same interface

- 3.11+ - IPv4-like support for IPv6 in Flexvpn networks

The exact features might or might not be committed for those releases, but those are the milestones I'm waiting for (if that makes sense).

I'm going to revisit flex roadmap in Q4 2013.

M.