08-27-2012 01:04 PM - edited 02-21-2020 06:17 PM
Hello,
We are starting to replace all of our ISA servers with Cisco routers with DMVPN. So far we are happy with everything, but I ran into an issue. I just set up one of our branches, and the DMVPN works fine, but this location also needs a VPN tunnel to another branch that we haven't replaced with Cisco hardware yet. The problem I have is that as soon as I associate an IPsec site-to-site VPN on this router, the DMVPN drops.
I create the IPsec VPN:
crypto map VPN_Crypto 1 ipsec-isakmp
 set transform-set ESP-3DES-SHA
 set peer aa.aa.aa.aa
 match address 103 (where the address list allows local IP subnet to remote IP subnet)
and all works fine. As soon as I do the following:
interface GigabitEthernet0/1
 crypto map VPN_Crypto
The DMVPN drops. If I then connect in and run:
interface GigabitEthernet0/1
 no crypto map
The DMVPN comes right back up.
What could I be doing wrong? Below is the config for the Tunnel0 DMVPN tunnel:
interface Tunnel0
 bandwidth 1000
 ip address 192.168.10.31 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication DMVPN_NW
 ip nhrp map multicast xx.xx.xx.xx
 ip nhrp map 192.168.10.10 xx.xx.xx.xx
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip nhrp nhs 192.168.10.10
 zone-member security dmvpn-zone
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile CiscoCP_Profile1
If you need anything else from the config to assist, let me know. On our main site router I have had no problem with it being the DMVPN hub and also having a handful of IPsec VPNs set up on it as well. I really appreciate any help; I really need to get both of these tunnels running simultaneously ASAP.
08-27-2012 01:43 PM
I should also mention, if I monitor the tunnels in CCP, when I enable the crypto map, the DMVPN tunnel disappears from "DMVPN Tunnels" in CCP Monitoring, but it remains in "IPsec Tunnels" as up (but I can't route over it). And while this is going on, the site-to-site IPsec tunnel works fine; I can route traffic over it with no problem.
08-27-2012 03:05 PM
Please share your complete config (as an attachment).
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
08-27-2012 03:56 PM
Ok, it is attached. I replaced anything private like preshared keys, certificate, etc. And I changed Public IP addresses as follows:
DMVPN Hub IP to 100.100.100.100
Router WAN IP to 200.200.200.200
Router WAN Gateway to 200.200.200.201
Public IP of Other Branch I need to create an IPsec VPN to 250.250.250.250
If changing those is a problem let me know.
As the configuration is included here, if you run:
interface GigabitEthernet0/1
 crypto map VPN_Crypto
the DMVPN will drop and the IPsec VPN comes up (but not both)... then doing a "no crypto" will bring the DMVPN back up (but bring down the IPsec VPN).
08-27-2012 04:11 PM
Which is your Hub-network (IP) that you learn by EIGRP through DMVPN?
08-27-2012 04:12 PM
100.100.100.100 is the public wan IP address of the Hub of the DMVPN.
Also, the internal subnet of the hub location is 10.10.0.0 /16
08-27-2012 04:40 PM
Also, in testing, I've found it doesn't even matter if the IPsec VPN connects. I tried setting up the IPsec VPN with one of my unused IP addresses at the branch site, so I would know the tunnel never formed, and still as soon as I added the crypto map to GigabitEthernet0/1 the DMVPN dropped.
08-29-2012 05:13 AM
Did you get a chance to look at my config? Did that give you any ideas on why it's not working?
08-29-2012 07:29 AM
Yes, but I didn't see anything that was looking strange (well, configs generated by CCP always look strange ... ).
Perhaps you are running into a bug. Have you tried a different IOS? Personally I wouldn't use 15.2 if I don't have to. You could try 15.0(1)M8 and see if that works.
08-29-2012 07:32 AM
Thank you for the recommendation. I will try loading up the suggested IOS version (is there any issue with configs and rolling back to an older version I should be aware of?).
If that doesn't work, since I just purchased, I will add smartnet and call Cisco support to assist.
08-29-2012 09:15 AM
That was it! I rolled back to the 15.0(1)M8 version you suggested and the issue is solved.
Thank you for your help!
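Added example, not part of the thread or any poster's code: a Python check that reads a running-config and reports every tunnel whose `tunnel protection ipsec profile` rides on a source interface that also carries a `crypto map`, the combination the original poster describes, so such routers can be found and verified on their IOS version. The sample config is constructed from the snippets in the posts; `parse_interfaces` and `find_overlaps` are names chosen for this example, and full interface names as printed by `show running-config` are assumed.

```python
import re

# Constructed sample modelled on the snippets posted in this thread.
SAMPLE_CONFIG = """\
crypto map VPN_Crypto 1 ipsec-isakmp
 set peer 250.250.250.250
 set transform-set ESP-3DES-SHA
 match address 103
!
interface Tunnel0
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel protection ipsec profile CiscoCP_Profile1
!
interface GigabitEthernet0/1
 crypto map VPN_Crypto
"""

def parse_interfaces(config):
    """Map each interface name to the list of its sub-commands."""
    interfaces, current = {}, None
    for line in config.splitlines():
        header = re.match(r"interface (\S+)", line)
        if header:
            current = interfaces.setdefault(header.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # any other top-level line closes the block
    return interfaces

def find_overlaps(config):
    """List (tunnel, source, crypto_map, profile) where both IPsec styles share a port."""
    interfaces = parse_interfaces(config)
    findings = []
    for name, cmds in interfaces.items():
        source = next((c.split()[2] for c in cmds if c.startswith("tunnel source ")), None)
        profile = next((c.split()[4] for c in cmds
                        if c.startswith("tunnel protection ipsec profile ")), None)
        if not (source and profile):
            continue  # not an IPsec-protected tunnel interface
        for c in interfaces.get(source, []):
            if c.startswith("crypto map "):
                findings.append((name, source, c.split()[2], profile))
    return findings

if __name__ == "__main__":
    for tunnel, source, cmap, profile in find_overlaps(SAMPLE_CONFIG):
        print(f"{tunnel}: profile {profile} and crypto map {cmap} both on {source}")
```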