04-12-2013 01:54 AM - edited 02-21-2020 06:49 PM
Hi,
I have a Dual Stacked DMVPN Hub site. VPN for either IPv4 or IPv6 is working properly, but not both at the same time.
If the IPv4 Peers connect first, then the IPv6 Peers are unable to form an IPsec security association, and the other way around. Crypto ISAKMP Phase 1 is built correctly.
A "show crypto ipsec sa" on the Hub shows only SAs for the kind of Peers that connected first. A "show crypto ipsec sa" on the Spoke that is unable to form a security association with the Hub shows a security association, but with no proposals and rising send error counters:
Spoke (IPv4) SA
interface: Tunnel1
Crypto map tag: My-Profile-v4-head-1, local addr 2.2.2.1
protected vrf: (none)
local ident (addr/mask/prot/port): (2.2.2.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/47/0)
current_peer 1.1.1.1 port 500
PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 23255, #recv errors 0
local crypto endpt.: 2.2.2.1, remote crypto endpt.: 1.1.1.1
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb (none)
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
I'm running IOS Version 15.3(2)T, is there some kind of known bug and/or a workaround for this?
Interface Configuration
interface GigabitEthernet0
description ** Outside **
ip address 1.1.1.1 255.255.255.0
duplex auto
speed auto
ipv6 address 2001:1:1:1::1/64
Crypto Configuration
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 14
crypto isakmp key cisco address 0.0.0.0 no-xauth
crypto isakmp key cisco address ipv6 ::/0 no-xauth
crypto isakmp keepalive 10 periodic
crypto ipsec transform-set My-Set esp-aes 256 esp-sha512-hmac
mode tunnel
crypto ipsec profile My-Profile-v4
description ** IPsec Profile fuer IPv4 Peers **
set transform-set My-Set
set pfs group2
crypto ipsec profile My-Profile-v6
description ** IPsec Profile fuer IPv6 Peers **
set transform-set My-Set
set pfs group2
Tunnel Configuration
interface Tunnel1
description ** DMVPN Intranet IPv4 **
bandwidth 1000
ip vrf forwarding VPN
ip address 10.0.10.1 255.255.255.0
no ip redirects
ip mtu 1416
no ip next-hop-self eigrp 65351
no ip split-horizon eigrp 65351
ip pim sparse-mode
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip nhrp holdtime 360
ip nhrp shortcut
ip nhrp redirect
ip tcp adjust-mss 1360
load-interval 30
shutdown
keepalive 10 3
tunnel source GigabitEthernet0
tunnel mode gre multipoint
tunnel key 1
tunnel protection ipsec profile My-Profile-v4 shared
!
interface Tunnel2
description ** DMVPN Intranet IPv6 **
bandwidth 1000
ip vrf forwarding VPN
ip address 10.0.12.1 255.255.255.0
ip mtu 1416
no ip next-hop-self eigrp 65351
no ip split-horizon eigrp 65351
ip pim sparse-mode
ip nhrp map multicast dynamic
ip nhrp network-id 2
ip nhrp holdtime 360
ip nhrp shortcut
ip nhrp redirect
ip tcp adjust-mss 1360
load-interval 30
keepalive 10 3
tunnel source GigabitEthernet0
tunnel mode gre multipoint ipv6
tunnel key 2
tunnel protection ipsec profile My-Profile-v6 shared
Regards,
Thomas
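A small triage script for the stuck-SA pattern shown above (an added example, not part of the original post): it parses "show crypto ipsec sa" output and flags peers that have ipsec_sa_request_sent set, an outbound SPI of 0x0 and a non-zero send-error counter. The sample reproduces the spoke's output abridged and adds a constructed healthy peer (1.1.1.2) for contrast.

```python
import re
from typing import Dict, List

# Constructed sample, not taken verbatim from the thread: the stuck spoke SA
# from the post (abridged) plus an invented healthy peer for contrast.
SAMPLE_SHOW = """\
interface: Tunnel1
   current_peer 1.1.1.1 port 500
     PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #send errors 23255, #recv errors 0
     current outbound spi: 0x0(0)
     inbound esp sas:
     outbound esp sas:
   current_peer 1.1.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 1523, #pkts encrypt: 1523, #pkts digest: 1523
    #send errors 0, #recv errors 0
     current outbound spi: 0x1A2B3C4D(439041101)
     inbound esp sas:
      spi: 0x5E6F7081(1584361601)
     outbound esp sas:
      spi: 0x1A2B3C4D(439041101)
"""

def parse_peers(text: str) -> List[Dict[str, object]]:
    """Split 'show crypto ipsec sa' output into one record per current_peer."""
    peers = []
    for chunk in re.split(r"(?m)^[ \t]*current_peer ", text)[1:]:
        sent = re.search(r"#send errors (\d+)", chunk)
        spi = re.search(r"current outbound spi: 0x([0-9A-Fa-f]+)", chunk)
        encaps = re.search(r"#pkts encaps: (\d+)", chunk)
        peers.append({
            "peer": chunk.split()[0],
            "request_sent": "ipsec_sa_request_sent" in chunk,
            "send_errors": int(sent.group(1)) if sent else 0,
            "outbound_spi": int(spi.group(1), 16) if spi else 0,
            "encaps": int(encaps.group(1)) if encaps else 0,
        })
    return peers

def stuck_peers(text: str) -> List[str]:
    """Peers whose Phase 2 never completed: an SA request was sent, no
    outbound SPI was installed, and the send-error counter is non-zero."""
    return [p["peer"] for p in parse_peers(text)
            if p["request_sent"] and p["outbound_spi"] == 0 and p["send_errors"] > 0]
```

Run it over the real output of a spoke that cannot reach Phase 2 and the stuck peer list tells you which hub addresses to investigate first.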
04-12-2013 02:56 AM
Thomas,
Interesting design, I understand that you're testing this from dual stacked spoke?
I would like you to try a few things:
1) Absolutely remove "keepalive 10 3" from mGRE interfaces (with tunnel protection!)
It's not supported.
2) You are saying "shared" on profiles but in fact you're NOT sharing the profile, i.e. you're using two different profiles.
Seems odd. So here are my suggestions:
a) Either use same profile for both IPv6 and IPv4 tunnels OR
b) Use two separate profiles AND use different transform sets for both profiles (i.e. try using 3des instead of AES, since it's a lab test).
I can't find the reference at the moment, but I think option number 2 could be what you're looking for.
M.
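As an added example (not code from the thread), a config lint in Python that finds the combination Marcin's first point warns about: a GRE keepalive on an interface that also carries "tunnel protection ipsec profile". The sample config is constructed from the hub tunnels posted above, abridged and with a physical interface added to show that a plain interface keepalive is not flagged.

```python
import re
from typing import Dict, List

# Constructed sample (abridged from the hub config in the thread): Tunnel1 still
# has the GRE keepalive; GigabitEthernet0's keepalive is unrelated and stays.
SAMPLE_CONFIG = """\
interface Tunnel1
 keepalive 10 3
 tunnel source GigabitEthernet0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile My-Profile-v4 shared
!
interface Tunnel2
 tunnel source GigabitEthernet0
 tunnel mode gre multipoint ipv6
 tunnel key 2
 tunnel protection ipsec profile My-Profile-v6 shared
!
interface GigabitEthernet0
 ip address 1.1.1.1 255.255.255.0
 keepalive 10
"""

def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Group an IOS running-config into {interface name: [sub-commands]}.
    A '!' or any unindented line ends the current interface block."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None
    return blocks

def keepalive_under_protection(config: str) -> List[str]:
    """Interfaces that combine a GRE keepalive with 'tunnel protection ipsec
    profile', the unsupported mix the thread identifies for mGRE tunnels."""
    hits = []
    for name, cmds in parse_interfaces(config).items():
        protected = any(c.startswith("tunnel protection ipsec profile") for c in cmds)
        keepalive = any(re.match(r"keepalive(\s|$)", c) for c in cmds)
        if protected and keepalive:
            hits.append(name)
    return hits
```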
04-12-2013 04:21 AM
Hello Marcin,
it is working now :-)
First I was running a dual stacked spoke as well, but now I am using one IPv4-only and one IPv6-only spoke. The IPsec profiles are "shared" because, besides the two shown tunnels, I have one more IPv4 and IPv6 Tunnel for Extranet use. The Spoke sites use "shared" as well, because they build a backup VPN Tunnel to a second Hub router.
I have removed the "keepalive 10 3" from my Tunnel interfaces and rebooted the routers and everything is working now.
Here are my final configurations:
Crypto
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 14
crypto isakmp key cisco address 0.0.0.0 no-xauth
crypto isakmp key cisco address ipv6 ::/0 no-xauth
crypto isakmp keepalive 10 periodic
crypto ipsec transform-set My-Set esp-aes 256 esp-sha512-hmac
mode tunnel
crypto ipsec profile My-Profile-v4
description ** IPsec Profile fuer IPv4 Peers **
set transform-set My-Set
set pfs group2
crypto ipsec profile My-Profile-v6
description ** IPsec Profile fuer IPv6 Peers **
set transform-set My-Set
set pfs group2
Tunnel Hub Dual Stacked
interface Tunnel1
description ** DMVPN Intranet IPv4 **
bandwidth 1000
ip vrf forwarding VPN
ip address 10.0.10.1 255.255.255.0
no ip redirects
ip mtu 1416
no ip next-hop-self eigrp 65351
no ip split-horizon eigrp 65351
ip pim sparse-mode
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip nhrp holdtime 360
ip nhrp shortcut
ip nhrp redirect
ip tcp adjust-mss 1360
load-interval 30
tunnel source GigabitEthernet0
tunnel mode gre multipoint
tunnel key 1
tunnel protection ipsec profile My-Profile-v4 shared
!
interface Tunnel2
description ** DMVPN Intranet IPv6 **
bandwidth 1000
ip vrf forwarding VPN
ip address 10.0.12.1 255.255.255.0
ip mtu 1416
no ip next-hop-self eigrp 65351
no ip split-horizon eigrp 65351
ip pim sparse-mode
ip nhrp map multicast dynamic
ip nhrp network-id 2
ip nhrp holdtime 360
ip nhrp shortcut
ip nhrp redirect
ip tcp adjust-mss 1360
load-interval 30
tunnel source GigabitEthernet0
tunnel mode gre multipoint ipv6
tunnel key 2
tunnel protection ipsec profile My-Profile-v6 shared
end
Tunnel Spoke IPv4
interface Tunnel1
description ** DMVPN Intranet IPv4 **
ip vrf forwarding VPN
ip address 10.0.10.2 255.255.255.0
no ip redirects
ip mtu 1416
ip pim sparse-mode
ip nhrp map 10.0.10.1 1.1.1.1
ip nhrp map multicast 1.1.1.1
ip nhrp network-id 1
ip nhrp holdtime 360
ip nhrp nhs 10.0.10.1
ip nhrp shortcut
ip tcp adjust-mss 1360
delay 1000
tunnel source GigabitEthernet0
tunnel mode gre multipoint
tunnel key 1
tunnel protection ipsec profile My-Profile-v4 shared
end
Tunnel Spoke IPv6
interface Tunnel1
description ** DMVPN Intranet IPv6 **
ip vrf forwarding VPN
ip address 10.0.12.2 255.255.255.0
no ip redirects
ip mtu 1416
ip pim sparse-mode
ip nhrp map 10.0.12.1 2001:1:1:1::1
ip nhrp map multicast 2001:1:1:1::1
ip nhrp network-id 2
ip nhrp holdtime 360
ip nhrp nhs 10.0.12.1
ip nhrp shortcut
ip tcp adjust-mss 1360
delay 1000
tunnel source GigabitEthernet0
tunnel mode gre multipoint ipv6
tunnel key 2
tunnel protection ipsec profile My-Profile-v6 shared
end
Thanks again
Thomas
04-12-2013 07:26 AM
Glad you got it to work.
You might want to think in the longer term about moving from DMVPN to FlexVPN for better IPv4 + IPv6 support.
04-12-2013 08:09 AM
As Marvin points out, Flex is a great alternative to DM, quite a powerful one.
It offers a lot of possibilities; however, platform dependencies may exist.
Get in touch with your SE and explain what the objectives are.
Reason: Certain features are still in the pipeline - new major things around flexvpn and IPv6 are due to be present in 3.11 ASR release, which should be 15.4T for regular IOS - ETA end of 2013.
04-12-2013 08:43 AM
Thanks Marcin.
Is there any documentation on the partner community about the Flex roadmap? I've not seen anything through our normal channels recently. Feel free to PM me if so.
Regards,
-Marvin
04-12-2013 09:04 AM
Marvin,
I didn't find recent materials from TMEs or the PM, quite puzzled about this one actually.
Best thing would be to check with SE.
What I'm waiting for:
- 3.10+ - IKEv1 and IKEv2 on same interface
- 3.11+ - IPv4-like support for IPv6 in Flexvpn networks
The exact features might or might not be committed for those releases, but those are the milestones I'm waiting for (if that makes sense).
I'm going to revisit flex roadmap in Q4 2013.
M.