DMVPN and IPSec VPN on Hub Router

thomas.busse
Level 1

Hello,

I'm trying to configure DMVPN with one site-to-site IPSec VPN to an external customer. DMVPN works fine and the tunnel between the hub and the external customer is also up.

I can ping from the hub to the spokes and to the external customer, but I cannot ping from the spokes to the external customer or the other way around.

Here is my configuration of the hub and of one spoke.

I suppose there are some routing issues, but I cannot figure out what it is.

I will be thankful for any help.

Greetings

Thomas

######################################## Hub ######################################################

crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp key <<Secret Key IPSec>> address <<IPSec Peer>>
crypto isakmp key <<Secret Key DMVPN>> address 0.0.0.0
!
crypto ipsec transform-set esp-aes esp-aes 256 esp-sha-hmac
!
crypto ipsec profile IPSEC_PROFILE
 set transform-set esp-aes
!
crypto map ICP-VPN-MAP 1 ipsec-isakmp
 set peer <<IPSec Peer>>
 set transform-set esp-aes
 match address ICP-TRAFFIC
!
interface Loopback0
 description *** IPSec Test Interface ***
 ip address 10.101.0.1 255.255.255.255
!
interface Tunnel1
 description *** VPN Cloud ***
 ip address 172.16.0.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 no ip next-hop-self eigrp 10
 no ip split-horizon eigrp 10
 ip nhrp authentication INTE1001
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp holdtime 600
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1001
 tunnel protection ipsec profile IPSEC_PROFILE
!
interface GigabitEthernet0/0
 description *** Internet ***
 ip address <<WAN IP>> 255.255.255.248
 duplex auto
 speed auto
 crypto map ICP-VPN-MAP
!
interface GigabitEthernet0/1
 description *** Transfernetz zu Fortigate ***
 ip address 172.20.X.X 255.255.255.248
 duplex auto
 speed auto
!
router eigrp 10
 distribute-list RouteList out
 network 10.101.0.0 0.0.255.255
 network 172.16.0.0
 network 172.20.1.0 0.0.0.7
 redistribute static
 passive-interface GigabitEthernet0/1
!
ip route 0.0.0.0 0.0.0.0 92.67.80.238
ip route 10.22.34.16 255.255.255.255 GigabitEthernet0/0
!
ip access-list standard RouteList
 permit 10.101.0.0 0.0.255.255
 permit 10.22.34.16 0.0.0.0
 permit 172.20.1.0 0.0.0.7
ip access-list extended ICP-TRAFFIC
 permit ip 10.101.0.0 0.0.255.255 host 10.22.34.16
!

########################################### Spoke ######################################################

crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key <<Secret Key DMVPN>> address <<DMVPN Peer>>
!
crypto ipsec transform-set esp-aes esp-aes 256 esp-sha-hmac
!
crypto ipsec profile IPSEC_PROFILE
 set transform-set esp-aes
!
interface Tunnel1
 description *** DMVPN zu Hub ***
 ip address 172.16.0.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication INTE1001
 ip nhrp map 172.16.0.1 <<DMVPN Peer>>
 ip nhrp map multicast <<DMVPN Peer>>
 ip nhrp network-id 1
 ip nhrp holdtime 600
 ip nhrp nhs 172.16.0.1
 ip tcp adjust-mss 1360
 tunnel source FastEthernet4
 tunnel mode gre multipoint
 tunnel key 1001
 tunnel protection ipsec profile IPSEC_PROFILE
!
interface FastEthernet4
 description *** Internet ***
 ip address <<WAN IP>> 255.255.255.248
 ip access-group Internet in
 duplex auto
 speed auto
 no cdp enable
!
interface Vlan1
 description *** LAN ***
 ip address 10.101.139.1 255.255.255.192
!
router eigrp 10
 network 10.101.0.0 0.0.255.255
 network 172.16.0.0
 passive-interface Vlan1
!
ip route 0.0.0.0 0.0.0.0 <<WAN Gateway>>
!

8 Replies

Marvin Rhoads
Hall of Fame

Your hub's EIGRP "distribute-list RouteList out" refers to:

ip access-list standard RouteList
 permit 172.20.1.0 0.0.0.7

I believe you need to add the remote network entry (10.101.0.0 0.0.255.255) to that ACL so that EIGRP doesn't suppress distribution of that route (or just remove the distribute-list altogether).

Also, even if routing was set up properly, the cryptomap for the site-to-site VPN only allows access from a single host:

ip access-list extended ICP-TRAFFIC
 permit ip 10.101.0.0 0.0.255.255 host 10.22.34.16

Hello,

Thanks for your reply. I have tried to remove the distribute-list altogether, but this had no impact on the issue.

The crypto ACL is correct; the DMVPN networks only need to be able to access that single host.

Regards

Thomas

Your IPSec has to be adjusted for that:

The crypto definition needs to know that the traffic from the spokes to the IPSec peer also has to be encrypted, and the same applies on the IPSec peer. That has to be added to the crypto ACL.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Hello,

The networks of the spokes are in the range 10.101.128.0 - 10.101.138.0 and should be covered by the ACL; the IPSec peer has the same ACL mirrored.

ip access-list extended ICP-TRAFFIC
 permit ip 10.101.0.0 0.0.255.255 host 10.22.34.16

Greetings
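The two replies above reason about three ACL questions by hand: does the hub's standard ACL behind `distribute-list RouteList out` permit a given prefix, does the crypto ACL cover every spoke LAN, and do the two IPSec peers' crypto ACLs mirror each other. The following Python script is an added example, not code from this thread or from Cisco; it performs those three checks on ACL text transcribed from the configurations posted here (the RouteList variant that lists only 10.22.34.16 and 172.20.0.0/29). The parser, `lookup`, `prefix_fully_covered` and `is_mirror` are my own helpers: they ignore port qualifiers and assume permit-only crypto ACLs, as in this thread.

```python
# Added example: Cisco IOS wildcard-mask ACL checks done the way the replies above do by hand.
import ipaddress
from dataclasses import dataclass

# Sample ACLs transcribed from the configurations posted in this thread.
HUB_ROUTELIST = "permit 10.22.34.16\npermit 172.20.0.0 0.0.0.7\n"
HUB_CRYPTO_ACL = "permit ip 10.101.0.0 0.0.255.255 host 10.22.34.16\n"
ICP_CRYPTO_ACL = "permit ip host 10.22.34.16 10.101.0.0 0.0.255.255\n"
ALL_ONES = 0xFFFFFFFF

@dataclass(frozen=True)
class Entry:
    action: str
    proto: str
    src_net: int
    src_wild: int
    dst_net: int
    dst_wild: int

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D', 'A.B.C.D W.W.W.W' or a bare address at tokens[i];
    returns (network, wildcard, index of the next token)."""
    tok = tokens[i]
    if tok == "any":
        return 0, ALL_ONES, i + 1
    if tok == "host":
        return _ip(tokens[i + 1]), 0, i + 2
    if i + 1 < len(tokens) and tokens[i + 1].count(".") == 3:
        return _ip(tok), _ip(tokens[i + 1]), i + 2
    return _ip(tok), 0, i + 1          # standard ACL: a bare address means a single host

def parse_acl(text, kind="extended"):
    """Parse the permit/deny lines of a standard or extended IOS ACL (port qualifiers ignored)."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue
        if kind == "extended":
            proto = tokens[1]
            src_net, src_wild, i = _parse_addr(tokens, 2)
            dst_net, dst_wild, _ = _parse_addr(tokens, i)
        else:                              # standard ACL (distribute-list): source prefix only
            proto = "ip"
            src_net, src_wild, _ = _parse_addr(tokens, 1)
            dst_net, dst_wild = 0, ALL_ONES
        entries.append(Entry(tokens[0], proto, src_net, src_wild, dst_net, dst_wild))
    return entries

def _covers(net, wild, addr):
    """Wildcard-mask match: every bit that is 0 in the wildcard must be equal."""
    fixed = ~wild & ALL_ONES
    return (addr & fixed) == (net & fixed)

def lookup(entries, src, dst="0.0.0.0"):
    """First-match evaluation, including the implicit deny at the end of every IOS ACL."""
    s, d = _ip(src), _ip(dst)
    for e in entries:
        if _covers(e.src_net, e.src_wild, s) and _covers(e.dst_net, e.dst_wild, d):
            return e.action
    return "deny"

def prefix_fully_covered(entries, prefix, dst):
    """True if one permit entry matches every source address in `prefix` towards `dst`.
    Assumes a permit-only crypto ACL like the ones in this thread (no deny shadowing)."""
    net = ipaddress.IPv4Network(prefix)
    base, hostmask, d = int(net.network_address), int(net.hostmask), _ip(dst)
    for e in entries:
        fixed = ~e.src_wild & ALL_ONES
        if e.action != "permit" or fixed & hostmask:   # entry pins a bit that varies inside the prefix
            continue
        if (base & fixed) == (e.src_net & fixed) and _covers(e.dst_net, e.dst_wild, d):
            return True
    return False

def is_mirror(local_acl, peer_acl):
    """Crypto ACLs on the two IPsec peers must be exact mirrors: source and destination swapped."""
    local = {(e.proto, e.src_net, e.src_wild, e.dst_net, e.dst_wild) for e in local_acl if e.action == "permit"}
    peer = {(e.proto, e.dst_net, e.dst_wild, e.src_net, e.src_wild) for e in peer_acl if e.action == "permit"}
    return local == peer

if __name__ == "__main__":
    routelist = parse_acl(HUB_ROUTELIST, "standard")
    hub, icp = parse_acl(HUB_CRYPTO_ACL), parse_acl(ICP_CRYPTO_ACL)
    for p in ("10.22.34.16", "10.101.139.0"):
        print(f"RouteList {p:<13} -> {lookup(routelist, p)}")
    for lan in ("10.101.128.0/24", "10.101.139.0/26", "10.102.0.0/16"):
        print(f"crypto ACL covers {lan:<16}: {prefix_fully_covered(hub, lan, '10.22.34.16')}")
    print("crypto ACLs mirror each other:", is_mirror(hub, icp))
```

Run against the transcribed ACLs, the script reports that the RouteList permits 10.22.34.16 but not 10.101.139.0 (so a distribute-list with only those two entries would suppress the spoke LAN from outbound EIGRP updates), that the crypto ACL covers the whole 10.101.128.0/24 and 10.101.139.0/26 ranges, and that the hub and ICP crypto ACLs are exact mirrors. A prefix is only reported as covered when the wildcard leaves every host bit of that prefix free, which is the check people skip when they eyeball a /16 wildcard.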

Ok, sorry, I misread the ACL.

Have you verified on one of the spokes that they are getting the route to 10.22.34.16 via EIGRP from the hub?

I have configured a static route on the hub router and added the redistribute static command to the EIGRP process; the route to 10.22.34.16 then appeared in the routing table of the spokes, learned via Tunnel1.

I also did a traceroute from the spoke to 10.22.34.16 and got as far as the tunnel interface of the hub; further hops were marked *.

Sent from Cisco Technical Support iPhone App

Hello,

I have tried to migrate from DMVPN to a static VTI VPN, but I am still unable to get a connection between the "spokes" and the static site-to-site VPN.

I also tried a different IOS image on all routers, just in case ...

Here are my full configurations; I hope someone can help me.

Hub Configuration

version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no service dhcp
!
hostname Zentrale
!
boot-start-marker
boot system flash c2900-universalk9-mz.SPA.151-3.T4.bin
boot-end-marker
!
enable secret 5 $1$uYQR$n9fPQOv849aV4Gn8q1Rmu1
!
no aaa new-model
!
memory-size iomem 10
clock timezone MEZ 1 0
clock summer-time MESZ recurring last Sun Mar 2:00 last Sun Oct 3:00
!
no ipv6 cef
no ip source-route
ip auth-proxy max-login-attempts 5
ip admission max-login-attempts 5
ip cef
!
no ip bootp server
no ip domain lookup
ip domain name zentrale.germany.vpn
login block-for 180 attempts 4 within 120
login delay 2
login on-failure log
login on-success log
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
redundancy
!
ip ssh version 2
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key ICP address <>
crypto isakmp key test123 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set esp-aes esp-aes 256 esp-sha-hmac
!
crypto ipsec profile IPSEC_PROFILE
 set transform-set esp-aes
!
crypto map ICP-VPN-MAP 1 ipsec-isakmp
 set peer <>
 set transform-set esp-aes
 match address ICP-TRAFFIC
!
interface Loopback0
 description *** Simulierter LAN Host ***
 ip address 10.101.0.1 255.255.255.255
!
interface Tunnel1
 description GRE IPSec VPN zu Standort_Essen_01
 ip address 172.16.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination <>
 tunnel protection ipsec profile IPSEC_PROFILE
!
interface GigabitEthernet0/0
 description *** Internet ***
 ip address <> 255.255.255.248
 duplex auto
 speed auto
 crypto map ICP-VPN-MAP
!
interface GigabitEthernet0/1
 description *** Transfernetz zu Fortigate FW ***
 ip address 172.20.0.1 255.255.255.248
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 no ip address
 shutdown
 duplex auto
 speed auto
!
router eigrp 10
 distribute-list RouteList out
 network 172.16.0.0
 network 172.20.0.0 0.0.0.7
 redistribute static
 passive-interface GigabitEthernet0/1
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 92.67.80.238
ip route 10.22.34.16 255.255.255.255 GigabitEthernet0/0
!
ip access-list standard RouteList
 permit 10.22.34.16
 permit 172.20.0.0 0.0.0.7
!
ip access-list extended ICP-TRAFFIC
 permit ip 10.101.0.0 0.0.255.255 host 10.22.34.16
ip access-list extended Internet
 permit gre any host <>
 permit udp any host <> eq isakmp
 permit esp any host <>
 permit icmp any any echo-reply
 permit tcp host <> any eq 22 telnet
 permit udp host 194.25.134.196 any eq ntp
 permit udp host 195.145.119.188 any eq ntp
!
control-plane
!
banner login ^CCC
******************************************
* Access for authorized personal only    *
******************************************
^C
!
line con 0
 logging synchronous
 transport preferred none
 escape-character 3
line aux 0
line vty 0 4
 logging synchronous
 login local
 transport preferred none
 transport input telnet ssh
 escape-character 3
!
scheduler allocate 20000 1000
ntp server 195.145.119.188 prefer
ntp server 194.25.134.196
end

###############
### Routing    ###
###############

sh ip route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is <> to network 0.0.0.0

      10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
D        10.101.139.0/26 [90/26882560] via 172.16.0.2, 00:29:40, Tunnel1

############
### Ping   ###
############

ping 10.22.34.16 so lo 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.22.34.16, timeout is 2 seconds:
Packet sent with a source address of 10.101.0.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

########################
### Crypto ISAKMP SA ###
########################

sh cry is sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
87.139.96.84    92.67.80.237    QM_IDLE           1006 ACTIVE
217.150.152.45  92.67.80.237    QM_IDLE           1007 ACTIVE

IPv6 Crypto ISAKMP SA

#######################
### Crypto IPSec SA     ###
#######################

interface: GigabitEthernet0/0
    Crypto map tag: ICP-VPN-MAP, local addr <>

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.101.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.22.34.16/255.255.255.255/0/0)
   current_peer <> port 500
     PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
    #pkts encaps: 50, #pkts encrypt: 50, #pkts digest: 50
    #pkts decaps: 50, #pkts decrypt: 50, #pkts verify: 50
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 5, #recv errors 0

     local crypto endpt.: <>, remote crypto endpt.: <>
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0xDEEE5E64(3740163684)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x4B049376(1258591094)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2017, flow_id: Onboard VPN:17, sibling_flags 80000046, crypto map: ICP-VPN-MAP
        sa timing: remaining key lifetime (k/sec): (4489089/3591)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xDEEE5E64(3740163684)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2018, flow_id: Onboard VPN:18, sibling_flags 80000046, crypto map: ICP-VPN-MAP
        sa timing: remaining key lifetime (k/sec): (4489089/3591)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

IPSec Configuration

version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ICP
!
boot-start-marker
boot system flash c880data-universalk9-mz.151-3.T4.bin
boot-end-marker
!
no aaa new-model
!
memory-size iomem 10
crypto pki token default removal timeout 0
!
ip source-route
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key ICP address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set esp-aes esp-aes 256 esp-sha-hmac
!
crypto map ICP-VPN-MAP 1 ipsec-isakmp
 set peer <>
 set transform-set esp-aes
 match address ICP-TRAFFIC
!
interface Loopback0
 description *** Simulierter LAN Host ***
 ip address 10.22.34.16 255.255.255.255
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description *** Internet ***
 ip address <> 255.255.255.0
 duplex auto
 speed auto
 no cdp enable
 crypto map ICP-VPN-MAP
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 <>
!
ip access-list extended ICP-TRAFFIC
 permit ip host 10.22.34.16 10.101.0.0 0.0.255.255
!
logging esm config
!
control-plane
!
line con 0
 logging synchronous
 no modem enable
 transport preferred none
 escape-character 3
line aux 0
line vty 0 4
 logging synchronous
 login local
 transport preferred none
 transport input telnet ssh
 escape-character 3
!
end

Spoke Configuration

version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec localtime show-timezone
service password-encryption
no service dhcp
!
hostname Standort_Essen_01
!
boot-start-marker
boot system flash c880data-universalk9-mz.151-3.T4.bin
boot-end-marker
!
no aaa new-model
!
memory-size iomem 10
clock timezone MEZ 1 0
clock summer-time MESZ recurring last Sun Mar 2:00 last Sun Oct 3:00
crypto pki token default removal timeout 0
!
no ip source-route
!
ip cef
no ip bootp server
no ip domain lookup
ip domain name zentrale.germany.vpn
login block-for 180 attempts 4 within 120
login delay 2
login on-failure log
login on-success log
no ipv6 cef
!
multilink bundle-name authenticated
!
ip ssh version 2
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key test123 address <>
!
crypto ipsec transform-set esp-aes esp-aes 256 esp-sha-hmac
!
crypto ipsec profile IPSEC_PROFILE
 set transform-set esp-aes
!
interface Tunnel1
 description GRE IPSec VPN zu Zentrale
 ip address 172.16.0.2 255.255.255.252
 ip mtu 1344
 tunnel source FastEthernet4
 tunnel destination <>
 tunnel protection ipsec profile IPSEC_PROFILE
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description *** Internet ***
 ip address <> 255.255.255.0
 duplex auto
 speed auto
 no cdp enable
!
interface Vlan1
 description *** LAN ***
 ip address 10.101.139.1 255.255.255.192
!
router eigrp 10
 network 10.0.0.0
 network 172.16.0.0
 passive-interface Vlan1
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 <>
!
ip access-list extended Internet
 permit gre host <> any
 permit udp host <> any eq isakmp
 permit esp host <> any
 permit icmp any any echo-reply
 permit tcp host <> any eq 22 telnet
 permit udp host 194.25.134.196 any eq ntp
 permit udp host 195.145.119.188 any eq ntp
 permit tcp any any eq 22 telnet
!
logging esm config
!
control-plane
!
banner login ^CC
******************************************
* Access for authorized personal only    *
******************************************
^C
!
line con 0
 logging synchronous
 no modem enable
 transport preferred none
 escape-character 3
line aux 0
line vty 0 4
 logging synchronous
 login local
 transport preferred none
 transport input telnet ssh
 escape-character 3
!
ntp server 195.145.119.188 prefer
ntp server 194.25.134.196
end

###############
### Routing    ###
###############

sh ip route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is <> to network 0.0.0.0

      10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
D EX     10.22.34.16/32 [170/26882560] via 172.16.0.1, 00:27:29, Tunnel1
      172.20.0.0/29 is subnetted, 1 subnets
D        172.20.0.0 [90/26882560] via 172.16.0.1, 00:27:29, Tunnel1

#################
### Tracert         ###
#################

traceroute 10.22.34.16 source vlan 1
Type escape sequence to abort.
Tracing the route to 10.22.34.16

  1 172.16.0.1 4 msec 0 msec 4 msec
  2  *  *  *

I don't see where the problem is; to me everything looks good.
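The post above pastes the hub's `show crypto ipsec sa` output as evidence that the site-to-site tunnel is healthy, and the useful signals in it are easy to skim past: the proxy identities (which flows the SA actually protects), whether encaps and decaps move together, and the `#send errors` counter. The following Python script is an added example, not code from this thread or from Cisco; it parses that output and lists what a practitioner would check before suspecting routing. The sample text is transcribed from the output posted above, trimmed to the lines the parser reads and with the redacted peer addresses kept as the literal `<>`; the `parse_ipsec_sa` and `sa_findings` functions are my own.

```python
# Added example: read 'show crypto ipsec sa' output and flag what to check when a
# VPN "looks up" but one flow still does not pass.
import ipaddress
import re

# Constructed sample, transcribed from the hub output posted above (redactions kept as "<>").
SAMPLE_SA = """\
interface: GigabitEthernet0/0
    Crypto map tag: ICP-VPN-MAP, local addr <>

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.101.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.22.34.16/255.255.255.255/0/0)
   current_peer <> port 500
     PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
    #pkts encaps: 50, #pkts encrypt: 50, #pkts digest: 50
    #pkts decaps: 50, #pkts decrypt: 50, #pkts verify: 50
    #send errors 5, #recv errors 0

     inbound esp sas:
      spi: 0x4B049376(1258591094)
        transform: esp-256-aes esp-sha-hmac ,
        Status: ACTIVE

     inbound ah sas:

     outbound esp sas:
      spi: 0xDEEE5E64(3740163684)
        transform: esp-256-aes esp-sha-hmac ,
        Status: ACTIVE
"""

IDENT_RE = re.compile(r"(local|remote)\s+ident .*: \((\S+?)/(\S+?)/\d+/\d+\)")
COUNTER_RE = re.compile(r"#(pkts encaps|pkts decaps|send errors|recv errors):? (\d+)")

def parse_ipsec_sa(text):
    """Return the proxy identities, traffic counters and per-direction ESP SA state."""
    sa = {"encaps": 0, "decaps": 0, "send_errors": 0, "recv_errors": 0, "esp": {}}
    direction = None
    for raw in text.splitlines():
        line = raw.strip()
        m = IDENT_RE.match(line)
        if m:
            side, addr, mask = m.groups()
            sa[f"{side}_ident"] = str(ipaddress.IPv4Network(f"{addr}/{mask}"))
            continue
        for name, value in COUNTER_RE.findall(line):
            sa[name.replace("pkts ", "").replace(" ", "_")] = int(value)
        if line.endswith("esp sas:"):            # "inbound esp sas:" / "outbound esp sas:"
            direction = line.split()[0]
            sa["esp"][direction] = {}
        elif line.endswith("sas:"):             # ah/pcp sections: stop attributing lines to ESP
            direction = None
        elif direction and line.startswith("spi:"):
            sa["esp"][direction]["spi"] = line.split()[1].split("(")[0]
        elif direction and line.startswith("Status:"):
            sa["esp"][direction]["status"] = line.split()[1]
    return sa

def sa_findings(sa):
    """Observations worth acting on; an empty list means nothing stands out."""
    findings = []
    for direction in ("inbound", "outbound"):
        if sa["esp"].get(direction, {}).get("status") != "ACTIVE":
            findings.append(f"no ACTIVE {direction} ESP SA")
    if sa["encaps"] and not sa["decaps"]:
        findings.append("one-way traffic: we encrypt but nothing comes back from the peer")
    if sa["decaps"] and not sa["encaps"]:
        findings.append("one-way traffic: peer packets arrive but nothing is sent back")
    if sa["send_errors"]:
        findings.append(f"{sa['send_errors']} send errors: packets matched the crypto map but were not transmitted")
    return findings

if __name__ == "__main__":
    parsed = parse_ipsec_sa(SAMPLE_SA)
    print(f"{parsed['local_ident']} <-> {parsed['remote_ident']}: "
          f"encaps={parsed['encaps']} decaps={parsed['decaps']} esp={parsed['esp']}")
    for finding in sa_findings(parsed) or ["nothing stands out"]:
        print(" -", finding)
```

On the transcribed output the parser reports a 10.101.0.0/16 to 10.22.34.16/32 SA with both ESP directions ACTIVE and symmetric counters (50/50, which matches the hub's own pings from Loopback0), and the single finding is the five send errors. Symmetric counters only prove that the flows which were tested end to end work; a flow that never matches the crypto map, or matches it but cannot be sent, does not show up in encaps/decaps at all, which is why the counters and the send-error line are worth reading together with the spoke's traceroute.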

Okay, I have found the error.

The redistributed route from the hub to the spoke referred to interface Tunnel1 on the spoke.

      10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
D EX     10.22.34.16/32 [170/26882560] via 172.16.0.1, 00:27:29, Tunnel1

After deleting the static route on the hub and adding a static route on the spoke "ip route 10.22.34.16 255.255.255.255 172.16.0.1" everything worked fine ... even with DMVPN.

Thanks again for your help.

Greetings

Thomas