1878 Views, 5 Helpful, 3 Replies

DMVPN Crypto Map Priority

rayburgoyne (Level 1)

New to the forum and not much Cisco IOS experience, let alone on the security side of things. I know how to navigate the IOS and can do basic switching and routing just fine. My company currently has a DMVPN setup with about 10 tunnels going back to the hub. We have 4 more sites they want me to set up and I keep getting stuck at the crypto maps. I have been reading about VPNs, DMVPNs, etc. for days now but can't find any examples of how we are configured. The priority of our crypto maps starts at 65536 and goes up. Default max is 65335 from what I have read, and I cannot assign a priority that high statically. An example is below; any nudge in the right direction would be appreciated. Thanks!

Crypto Map "Tunnel0-head-0" 65536 ipsec-isakmp
        ISAKMP Profile: DMVPN
        Profile name: xtgvpn
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={
                isaset:  { esp-3des esp-sha-hmac  } ,
        }

Crypto Map "Tunnel0-head-0" 65537 ipsec-isakmp
        Map is a PROFILE INSTANCE.
        Peer = 204.10.243.240
        ISAKMP Profile: DMVPN
        Extended IP access list
            access-list  permit gre host 64.16.141.157 host 204.10.243.240
        Current peer: 204.10.243.240
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={
                isaset:  { esp-3des esp-sha-hmac  } ,
        }

Crypto Map "Tunnel0-head-0" 65538 ipsec-isakmp
        Map is a PROFILE INSTANCE.
        Peer = 140.239.92.194
        ISAKMP Profile: DMVPN
        Extended IP access list
            access-list  permit gre host 64.16.141.157 host 140.239.92.194
        Current peer: 140.239.92.194
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={
                isaset:  { esp-3des esp-sha-hmac  } ,
        }
        Interfaces using crypto map Tunnel0-head-0:
                Tunnel0


Crypto Map: "tunnel0-head-0" ISAKMP profile: DMVPN
        Interfaces using crypto map tunnel0-head-0:

3 Replies

olpeleri (Cisco Employee)

Hello,

Can you share the config [ remove secrets ] and explain what exact issue you are experiencing?

Cheers.

Hi Olpeleri,

I am just trying to figure out how to create a new DMVPN spoke like the existing ones I have today. I have found several online guides, but none of them use crypto map priorities as high as what my existing hubs use. I have set up the interface, DMVPN profile and policy, etc., but can't get the crypto map priority to match what we have existing. Below is a config of one of our existing DMVPN spokes. Thank you for taking the time to respond!


ITX-NC-VG1#sho run
Building configuration...


Current configuration : 18691 bytes
!
! Last configuration change at 13:02:21 EST Mon Feb 25 2013 by
! NVRAM config last updated at 11:05:14 EST Fri Feb 8 2013 by
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ITX-NC-VG1
!
boot-start-marker
boot system flash:c2800nm-advipservicesk9-mz.124-24.T5.bin
boot-end-marker
!
logging message-counter syslog
logging buffered 10000000
no logging console
enable secret
!
no aaa new-model
clock timezone EST -5
clock summer-time extended_DST recurring
network-clock-participate wic 0
network-clock-select 2 T1 0/0/0
!
dot11 syslog
ip source-route
!
!
ip cef
ip vrf outside
rd 1:1
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.2.120.1 10.2.120.50
!
ip dhcp pool IPPhone
   network 10.2.120.0 255.255.255.0
   default-router 10.2.120.4
   option 150 ip 10.2.15.11
   domain-name itxchnage.com
!
!
no ip domain lookup
ip domain name itxchange.com
ip multicast-routing
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
isdn switch-type primary-ni
!
!
!
voice service voip
allow-connections h323 to h323
allow-connections h323 to sip
allow-connections sip to h323
allow-connections sip to sip
supplementary-service h450.12
fax protocol cisco
h323
  call preserve limit-media-detection
!
!
!
voice class codec 1
codec preference 1 g711ulaw
codec preference 2 g711alaw
codec preference 3 g729r8
!
!
!
!
voice class h323 1
  h225 timeout tcp establish 3
!
!
!
!
!
!
!
!
!
!
!
!
voice-card 0
dspfarm
dsp services dspfarm
!
!
application
service CCM http://10.2.15.11:8080/ccmivr/pages/IVRMainpage.vxml
!
global
  service alternate DEFAULT
!
!
!
crypto pki trustpoint TP-self-signed-
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-
revocation-check none
rsakeypair TP-self-signed-
!
!
crypto pki certificate chain TP-self-signed
certificate self-signed 01
   quit
!
!
username
archive
log config
  hidekeys
!
crypto keyring DMVPN vrf outside
  pre-shared-key address 0.0.0.0 0.0.0.0 key
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp profile DMVPN
   keyring DMVPN
   match identity address 0.0.0.0 outside
!
!
crypto ipsec transform-set isaset esp-3des esp-sha-hmac
mode transport
!
crypto ipsec profile xtgvpn
set transform-set isaset
set isakmp-profile DMVPN
!
!
crypto map tunnel0-head-0 isakmp-profile DMVPN
!
!
!
controller T1 0/0/0
pri-group timeslots 1-14,24
description Voice PRI from Nuvox
!
ip ftp username
ip ftp password
!
class-map match-all jtapi
match access-group 110
class-map match-all voice
match access-group 100
!
!
policy-map jtapi
class jtapi
  set dscp cs3
    bandwidth 20
class voice
  set dscp af31
    priority 320
class class-default
    fair-queue
!
!
!
!
!
interface Loopback0
description ** Used for Music on Hold for PSTN **
ip address 10.2.2.2 255.255.255.255
ip ospf priority 0
!
interface Tunnel0
description Tunnel to OKV Collocation
bandwidth 3000
ip address 192.168.8.20 255.255.255.240
no ip redirects
ip mtu 1400
ip nhrp authentication ITX2nc
ip nhrp map multicast 204.10.243.240
ip nhrp map 192.168.8.17 204.10.243.240
ip nhrp network-id 192168
ip nhrp holdtime 300
ip nhrp nhs 192.168.8.17
ip tcp adjust-mss 1360
ip ospf network broadcast
ip ospf priority 0
tunnel source GigabitEthernet0/1
tunnel mode gre multipoint
tunnel key
tunnel vrf outside
tunnel protection ipsec profile xtgvpn
!
interface GigabitEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
ip address 10.2.120.18 255.255.255.0
ip ospf authentication-key
ip ospf priority 2
duplex auto
speed auto
h323-gateway voip interface
h323-gateway voip bind srcaddr 10.2.120.18
!
interface GigabitEthernet0/1
description VPN internet circuit
ip vrf forwarding outside
ip address 64.16.141.157 255.255.255.248
ip access-group outside in
duplex auto
speed auto
!
interface Serial0/0/0:23
no ip address
encapsulation hdlc
isdn switch-type primary-ni
isdn timer T310 120000
isdn incoming-voice voice
isdn map address 0* plan unknown type unknown
isdn T309-enable
isdn send-alerting
isdn bchan-number-order ascending
isdn sending-complete
no cdp enable
!
interface Integrated-Service-Engine1/0
ip unnumbered GigabitEthernet0/0
service-module ip address 10.2.120.19 255.255.255.0
!Application: CUE Running on NME
service-module ip default-gateway 10.2.120.18
no keepalive
!
interface Integrated-Service-Engine2/0
ip address 192.168.94.254 255.255.255.0
ip policy route-map WLC-traffic
ip ospf authentication-key
no keepalive
!
router ospf 10
router-id 10.2.120.18
log-adjacency-changes
redistribute ospf 11 subnets
network 10.2.120.18 0.0.0.0 area 0
network 192.168.94.0 0.0.0.255 area 0
distance ospf external 200
!
router ospf 11
log-adjacency-changes
redistribute ospf 10 subnets route-map nc-ospf-route
network 192.168.8.20 0.0.0.0 area 0
distance ospf external 200
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.2.120.4
ip route 10.2.120.19 255.255.255.255 Integrated-Service-Engine1/0
ip route 192.168.94.250 255.255.255.255 Integrated-Service-Engine2/0
ip route 204.10.243.240 255.255.255.255 64.16.141.157
ip route vrf outside 0.0.0.0 0.0.0.0 64.16.141.158
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip http path flash:
!
!
!
ip access-list extended WLC-traffic
permit ip 192.168.94.0 0.0.0.255 any
ip access-list extended nc-route
permit ip 192.168.120.0 0.0.0.255 any
permit ip 192.168.121.0 0.0.0.255 any
permit ip 10.2.120.0 0.0.0.255 any
permit ip 192.168.95.0 0.0.0.255 any
permit ip 192.168.92.16 0.0.0.15 any
permit ip 172.16.130.0 0.0.0.255 any
permit ip 172.16.131.0 0.0.0.255 any
permit ip 172.16.132.0 0.0.0.255 any
permit ip 172.16.133.0 0.0.0.255 any
ip access-list extended outside
permit udp any host 64.16.141.157 eq isakmp
permit udp any host 64.16.141.157 eq non500-isakmp
permit esp any host 64.16.141.157
permit gre any host 64.16.141.157
permit tcp any host 64.16.141.157 eq 22
permit icmp any any
ip access-list extended test
!
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 100 permit udp host 10.2.120.19 any range 16383 32727
access-list 110 permit tcp host 10.2.120.19 any eq 2748
!
!
!
!
route-map WLC-traffic permit 10
match ip address WLC-traffic
set ip default next-hop 192.168.120.3
!
route-map nc-ospf-route permit 10
match ip address nc-route
!
!
snmp-server community ITXchange# RW 1
snmp-server enable traps tty
snmp-server enable traps envmon fan shutdown supply temperature status
snmp-server enable traps config
snmp-server enable traps ospf state-change
snmp-server enable traps ospf errors
snmp-server enable traps ospf retransmit
snmp-server enable traps ospf lsa
snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
snmp-server enable traps ospf cisco-specific state-change shamlink interface-old
snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
snmp-server enable traps ospf cisco-specific errors
snmp-server enable traps ospf cisco-specific retransmit
snmp-server enable traps ospf cisco-specific lsa
snmp-server enable traps cpu threshold
snmp-server host 10.1.50.112 ITXchange#
snmp-server host 10.1.50.112 ver2
!
control-plane
!
!
!
voice-port 0/0/0:23
!
voice-port 0/1/0
cptone CA
description NC Fax
station-id name Hr Fax
station-id number 296
caller-id enable
!
voice-port 0/1/1
!
voice-port 0/1/2
description NC 699
station-id name NC 699
station-id number 699
caller-id enable
!
voice-port 0/1/3
description NC 690
station-id name NC 690
station-id number 690
caller-id enable
!
voice-port 0/3/0
echo-cancel mode 1
timing hookflash-out 50
!
voice-port 0/3/1
!
no ccm-manager fax protocol cisco
!
no mgcp package-capability res-package
no mgcp package-capability fxr-package
no mgcp timer receive-rtcp
!
sccp local GigabitEthernet0/0
sccp ccm 10.2.15.12 identifier 1 version 7.0
sccp ccm 10.2.15.11 identifier 2 version 7.0
sccp
!
sccp ccm group 1
bind interface GigabitEthernet0/0
associate ccm 1 priority 1
associate ccm 2 priority 2
associate profile 10 register MTP0021d8d33ca0
associate profile 20 register CFB0021d8d33ca0
!
dspfarm profile 10 transcode 
codec g711ulaw
codec g711alaw
codec g729ar8
codec g729abr8
codec g729r8
maximum sessions 8
associate application SCCP
!
dspfarm profile 20 conference 
codec g711ulaw
codec g711alaw
codec g729ar8
codec g729abr8
codec g729r8
codec g729br8
maximum sessions 7
associate application SCCP
!
!
dial-peer voice 600 voip
destination-pattern 6..
session protocol sipv2
session target ipv4:10.2.120.19
dtmf-relay sip-notify
codec g711ulaw
no vad
!
dial-peer voice 1 pots
incoming called-number .
direct-inward-dial
!
dial-peer voice 999030 pots
destination-pattern 777
port 0/3/0
!
dial-peer voice 999031 pots
port 0/3/1
!
dial-peer voice 2 voip
voice-class codec 1
incoming called-number .
dtmf-relay h245-alphanumeric
no vad
!
dial-peer voice 900 pots
destination-pattern 9T
progress_ind setup enable 3
progress_ind alert enable 8
progress_ind progress enable 8
progress_ind connect enable 8
direct-inward-dial
port 0/0/0:23
!
dial-peer voice 200 voip
description Incoming to CCM Subscriber
destination-pattern 919281....
progress_ind setup enable 3
voice-class codec 1
session target ipv4:10.2.15.12
incoming called-number .
dtmf-relay h245-signal h245-alphanumeric
no vad
!
dial-peer voice 201 voip
description Incoming to CCM Publisher
preference 2
destination-pattern 919281....
progress_ind setup enable 3
voice-class codec 1
session target ipv4:10.2.15.11
dtmf-relay h245-signal h245-alphanumeric
no vad
!
dial-peer voice 104 pots
description NC 690 incoming
destination-pattern 690
progress_ind setup enable 3
progress_ind alert enable 8
progress_ind progress enable 8
port 0/1/3
!
dial-peer voice 103 pots
description NC fax incoming
destination-pattern 296
progress_ind setup enable 3
progress_ind alert enable 8
progress_ind progress enable 8
port 0/1/0
!
dial-peer voice 203 voip
description Incoming to CCM Publisher
destination-pattern 2..
progress_ind setup enable 3
voice-class codec 1
session target ipv4:10.2.15.12
dtmf-relay h245-signal h245-alphanumeric
no vad
!
dial-peer voice 204 voip
description Incoming to CCM Publisher
preference 2
destination-pattern 2..
progress_ind setup enable 3
voice-class codec 1
session target ipv4:10.2.15.11
dtmf-relay h245-signal h245-alphanumeric
no vad
!
dial-peer voice 901 pots
destination-pattern 91905T
progress_ind setup enable 3
progress_ind alert enable 8
progress_ind progress enable 8
progress_ind connect enable 8
port 0/0/0:23
forward-digits 11
!
dial-peer voice 205 voip
description Incoming to CCM Subscriber
destination-pattern 919354....
progress_ind setup enable 3
voice-class codec 1
session target ipv4:10.2.15.12
incoming called-number .
dtmf-relay h245-signal h245-alphanumeric
no vad
!
dial-peer voice 206 voip
description Incoming to CCM Publisher
preference 10
destination-pattern 919354....
progress_ind setup enable 3
voice-class codec 1
session target ipv4:10.2.15.11
dtmf-relay h245-signal h245-alphanumeric
!
dial-peer voice 207 voip
description Incoming to CCM Subscriber
destination-pattern 919433....
progress_ind setup enable 3
voice-class codec 1
session target ipv4:10.2.15.12
incoming called-number .
dtmf-relay h245-signal h245-alphanumeric
no vad
!
dial-peer voice 208 voip
description Incoming to CCM Publisher
preference 2
destination-pattern 919433....
progress_ind setup enable 3
voice-class codec 1
session target ipv4:10.2.15.11
dtmf-relay h245-signal h245-alphanumeric
!
dial-peer voice 209 voip
description Incoming to CCM Subscriber
destination-pattern 919544....
progress_ind setup enable 3
voice-class codec 1
session target ipv4:10.2.15.12
incoming called-number .
dtmf-relay h245-signal h245-alphanumeric
no vad
!
dial-peer voice 210 voip
description Incoming to CCM Publisher
preference 2
destination-pattern 919544....
progress_ind setup enable 3
voice-class codec 1
session target ipv4:10.2.15.11
dtmf-relay h245-signal h245-alphanumeric
!
dial-peer voice 390 pots
service ccm
incoming called-number 919
no digit-strip
!
dial-peer voice 391 voip
preference 1
destination-pattern 390
voice-class codec 1
session target ipv4:10.2.15.11
dtmf-relay h245-alphanumeric
no vad
!
dial-peer voice 211 voip
description Incoming to CCM Subscriber
destination-pattern 8.....
progress_ind setup enable 3
voice-class codec 1
session target ipv4:10.2.15.12
incoming called-number .
dtmf-relay h245-signal h245-alphanumeric
no vad
!
dial-peer voice 212 voip
description Incoming to CCM Publisher
preference 2
destination-pattern 8.....
progress_ind setup enable 3
voice-class codec 1
session target ipv4:10.2.15.11
dtmf-relay h245-signal h245-alphanumeric
no vad
!
dial-peer voice 213 voip
description Incoming to CCM Publisher
preference 2
destination-pattern 9193541577
progress_ind setup enable 3
voice-class codec 1
session target ipv4:10.2.15.11
dtmf-relay h245-signal h245-alphanumeric
!
dial-peer voice 214 voip
description Incoming to CCM Publisher
destination-pattern 9193541577
progress_ind setup enable 3
session target ipv4:10.2.15.12
dtmf-relay h245-signal h245-alphanumeric
codec g711ulaw
!
!
!
!
call-manager-fallback
secondary-dialtone 9
max-conferences 8 gain -6
transfer-system full-blind
ip source-address 10.2.120.18 port 2000
max-ephones 96
max-dn 288 dual-line
sdspfarm units 2
sdspfarm transcode sessions 40
system message primary *** NC Local Operation ***
transfer-pattern .T
voicemail 600

call-forward busy 600
call-forward noan 600 timeout 20
moh NCMOH.au
multicast moh 239.1.1.1 port 16384 route 10.2.2.2 10.2.120.18
!
alias exec sb show ip int brief
!
line con 0
logging synchronous
login local
line aux 0
line 66
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
line 130
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
line vty 0 4
privilege level 15
login local
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
ntp server 192.168.120.3
end

Hello Ray,

I was asking for a config without any secrets, you are exposing your pre-shared-key to the world.

If it's not done yet, you MUST change your pre-shared-key right now on all sites.

About your specific question,

tunnel protection ipsec profile xtgvpn

will create a crypto map with an ID > 6553. That's again expected, since tunnel protection instantiates a crypto map in the post-encapsulation path, while standard crypto maps [maps with a seq < 65535] are in the output path.

You do not need to add a tunnel-0 map nor try to find a seq > 65535.

Cheers,

Olivier
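An added example, not from the thread or from Cisco: a small parser for the "show crypto map" output quoted in the first post. It separates the Tunnel0-head-0 entries that tunnel protection instantiated (seq above 65535, the per-peer ones marked PROFILE INSTANCE) from a hand-configured map and flags the 3DES transform set, which is the check worth running on the existing spokes before copying their config to new ones. The third map, "branch-map" with peer 198.51.100.7, is constructed for contrast and does not come from the poster's network.

```python
import re
from dataclasses import dataclass, field
# Constructed sample in the thread's "show crypto map" format; "branch-map" (peer 198.51.100.7) is made up.
SAMPLE = """\
Crypto Map "Tunnel0-head-0" 65536 ipsec-isakmp
        Transform sets={
                isaset:  { esp-3des esp-sha-hmac  } ,
        }
Crypto Map "Tunnel0-head-0" 65537 ipsec-isakmp
        Map is a PROFILE INSTANCE.
        Peer = 204.10.243.240
        Transform sets={
                isaset:  { esp-3des esp-sha-hmac  } ,
        }
Crypto Map "branch-map" 10 ipsec-isakmp
        Peer = 198.51.100.7
        Transform sets={
                aesset:  { esp-aes 256 esp-sha256-hmac  } ,
        }
"""
HEADER = re.compile(r'^Crypto Map "([^"]+)" (\d+) ')
PEER = re.compile(r'^\s*Peer = (\S+)')
TRANSFORM = re.compile(r'^\s*\S+:\s*\{([^}]*)\}')
AVOID = {"esp-des", "esp-3des", "esp-md5-hmac"}  # legacy ESP transforms

@dataclass
class MapEntry:
    name: str
    seq: int
    peer: str = ""
    profile_instance: bool = False  # per-peer copy of the head map
    transforms: list[str] = field(default_factory=list)

    @property
    def auto_generated(self) -> bool:
        # tunnel protection numbers its maps above 65535, the top of the static "crypto map" range
        return self.seq > 65535

def parse_show_crypto_map(text: str) -> list[MapEntry]:
    entries: list[MapEntry] = []
    for line in text.splitlines():
        if (m := HEADER.match(line)):
            entries.append(MapEntry(m.group(1), int(m.group(2))))
        elif not entries:
            continue
        elif "PROFILE INSTANCE" in line:
            entries[-1].profile_instance = True
        elif (m := PEER.match(line)):
            entries[-1].peer = m.group(1)
        elif (m := TRANSFORM.match(line)):
            entries[-1].transforms.extend(m.group(1).split())
    return entries

def findings(text: str) -> list[str]:
    # auto-generated maps are not config to copy to a new spoke; legacy transforms are worth replacing
    out = []
    for e in parse_show_crypto_map(text):
        if e.auto_generated:
            out.append(f"{e.name} seq {e.seq}: generated by tunnel protection")
        out += [f"{e.name} seq {e.seq}: legacy {t}" for t in sorted(set(e.transforms) & AVOID)]
    return out
```

Feed it the real "show crypto map" output from a spoke; every entry it reports as generated by tunnel protection comes from the "tunnel protection ipsec profile" line and needs no crypto map statement of its own.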