
DMVPN help needed

lolholkki
Level 1

Hello guys

I would really appreciate it if someone could take a look at these configs and see if I made any errors. The HUB router was configured by someone else and it is working; I know this because there are other sites already connected to it that work. It seems to me ISAKMP has established but IPsec has not. I'm a total newbie at configuring DMVPNs.

I have changed the public addresses in these configs just to be "anonymous", so the HUB router has 10.10.10.10 as its public IP and the Spoke router has 20.20.20.20. The already working spoke I have changed to 30.30.30.30.

Here is some output of the commands I ran to check connectivity and tunnel status.

###SPOKE ROUTER COMMANDS###

Spoke#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel0, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1     10.10.10.10   192.168.253.1 IPSEC 01:07:52     S

##Show crypto isakmp sa##

Spoke#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.10.10.10     20.20.20.20     QM_IDLE           2004 ACTIVE

IPv6 Crypto ISAKMP SA

##Show crypto ipsec sa##

Spoke#show crypto ipsec sa
interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 20.20.20.20

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (20.20.20.20/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.10.10.10/255.255.255.255/47/0)
   current_peer 10.10.10.10 port 500
     PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1029, #recv errors 0

     local crypto endpt.: 20.20.20.20, remote crypto endpt.: 10.10.10.10
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

###HUB ROUTER COMMANDS###

###This shows a working tunnel to another site###

HUB#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel10, IPv4 NHRP Details
Type:Hub, NHRP Peers:1,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1     172.16.4.10   192.168.253.3    UP     5w5d     D

##Show crypto isakmp sa##

HUB#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.10.10.10     30.30.30.30     QM_IDLE           4223 ACTIVE
10.10.10.10     20.20.20.20     QM_IDLE           4224 ACTIVE

IPv6 Crypto ISAKMP SA

##Show crypto ipsec sa##

HUB#show crypto ipsec sa
interface: Tunnel10
    Crypto map tag: Tunnel10-head-0, local addr 10.10.10.10

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.10.10.10/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (172.16.4.10/255.255.255.255/47/0)
   current_peer 30.30.30.30 port 4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 783219, #pkts encrypt: 783219, #pkts digest: 783219
    #pkts decaps: 783023, #pkts decrypt: 783023, #pkts verify: 783023
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.10.10.10, remote crypto endpt.: 30.30.30.30
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0xA383C251(2743321169)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x4D743FC8(1299464136)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2053, flow_id: Onboard VPN:53, sibling_flags 80000046, crypto map: Tunnel10-head-0
        sa timing: remaining key lifetime (k/sec): (4604026/633)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xA383C251(2743321169)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2054, flow_id: Onboard VPN:54, sibling_flags 80000046, crypto map: Tunnel10-head-0
        sa timing: remaining key lifetime (k/sec): (4604125/633)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

###HUB ROUTER CONF###

Current configuration : 2714 bytes
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname HUB
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
no ipv6 cef
ip source-route
ip cef
!
ip domain name company.com
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
license boot module c1900 technology-package securityk9
!
redundancy
!
crypto keyring TRNSS-KEYRING
  pre-shared-key address 0.0.0.0 0.0.0.0 key Cisco123
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp profile TRNSS-DMVPN-ISAKMP
   keyring TRNSS-KEYRING
   match identity address 0.0.0.0
   keepalive 15 retry 10
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
! no "mode" sub-command here, so this transform-set runs in the IOS default, tunnel mode
!
crypto ipsec profile TRNSS-DMVPN-IPSEC
 set transform-set ESP-3DES-SHA
 set isakmp-profile TRNSS-DMVPN-ISAKMP
!
interface Tunnel0
 no ip address
!
interface Tunnel10
 description SIMSERVICE mGRE
 bandwidth 1000
 ip address 192.168.253.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip hold-time eigrp 10 35
 ip nhrp authentication Cisco123
 ip nhrp map multicast dynamic
 ip nhrp network-id 101
 ip nhrp holdtime 360
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 101
 tunnel protection ipsec profile TRNSS-DMVPN-IPSEC
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 ip address 10.10.10.10 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address 192.168.65.5 255.255.255.240
 duplex auto
 speed auto
!
router eigrp 10
 network 192.168.65.0 0.0.0.15
 network 192.168.253.0
 redistribute ospf 10 metric 10000 10 40 10 1400
!
router ospf 10
 redistribute eigrp 10 subnets
 network 192.168.65.0 0.0.0.15 area 5
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 10.10.10.10
!
access-list 20 permit 10.100.0.45
!
snmp-server community publickO314plyA RO 20
!
control-plane
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 exec-timeout 0 0
 login local
 transport input ssh
line vty 5 15
 login
 transport input ssh
!
scheduler allocate 20000 1000
end

###SPOKE ROUTER CONF###

Current configuration : 2555 bytes
!
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Spoke1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
memory-size iomem 10
crypto pki token default removal timeout 0
!
ip source-route
!
ip cef
no ip domain lookup
ip domain name company.com
no ipv6 cef
!
multilink bundle-name authenticated
!
ip ssh version 2
!
crypto keyring SIMSERVICE
  pre-shared-key address 10.10.10.10 key Cisco123
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp profile SIMSERVICE-DMVPN-ISAKMP
   keyring SIMSERVICE
   match identity address 0.0.0.0
   keepalive 15 retry 10
!
crypto ipsec transform-set SIMSERVICE-TRANSFORM-SET esp-3des esp-sha-hmac
 mode transport
! transport mode on this end only; the hub's ESP-3DES-SHA set has no mode line, i.e. the default tunnel mode
!
crypto ipsec profile SIMSERVICE-DMVPN-IPSEC
 set transform-set SIMSERVICE-TRANSFORM-SET
 set isakmp-profile SIMSERVICE-DMVPN-ISAKMP
!
interface Tunnel0
 bandwidth 1000
 ip address 192.168.253.6 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip hold-time eigrp 10 35
 no ip next-hop-self eigrp 10
 ip nhrp authentication Cisco123
 ip nhrp map 192.168.253.1 10.10.10.10
 ip nhrp map multicast 10.10.10.10
 ip nhrp network-id 101
 ip nhrp holdtime 360
 ip nhrp nhs 192.168.253.1
 ip tcp adjust-mss 1360
 no ip split-horizon eigrp 10
 tunnel source FastEthernet4
 tunnel mode gre multipoint
 tunnel key 101
 tunnel protection ipsec profile SIMSERVICE-DMVPN-IPSEC
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
 shutdown
!
interface FastEthernet2
 no ip address
 shutdown
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 description internet
 ip address 20.20.20.20 255.255.255.252
 duplex auto
 speed auto
!
interface Vlan1
 ip address 172.30.9.1 255.255.0.0
!
router eigrp 10
 network 172.30.0.0
 network 192.168.253.0
 eigrp stub connected
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 20.20.20.20
ip route 192.168.253.0 255.255.255.0 Tunnel0
!
control-plane
!
line con 0
 login local
line aux 0
 login local
line vty 0 4
 exec-timeout 0 0
 login local
 transport input ssh
!
end
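The three spoke outputs above describe one condition: `show crypto isakmp sa` shows the SA with the hub in QM_IDLE / ACTIVE, so phase 1 is fine, while `show crypto ipsec sa` shows `flags={...,ipsec_sa_request_sent}`, `current outbound spi: 0x0`, empty esp sas lists and a send-error counter of 1029 (GRE packets the router tried to send with no SA to protect them), and `show dmvpn` reports the hub peer in state IPSEC rather than UP. That is phase 2 never completing. On the hub the only IPsec SA listed belongs to the working spoke (peer 30.30.30.30 on port 4500, i.e. NAT-T, which is why its NBMA address appears as the private 172.16.4.10); there is no SA for 20.20.20.20 at all, even though its ISAKMP SA is ACTIVE. The script below is an added example, not part of the original post, that parses these two show commands and classifies a tunnel the same way; the sample text is constructed by abridging the outputs posted above.

```python
import re

# Constructed samples, abridged from the spoke and hub output posted above.
SPOKE_ISAKMP = """\
dst             src             state          conn-id status
10.10.10.10     20.20.20.20     QM_IDLE           2004 ACTIVE
"""
SPOKE_IPSEC = """\
interface: Tunnel0
   current_peer 10.10.10.10 port 500
     PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 1029, #recv errors 0
     current outbound spi: 0x0(0)
     inbound esp sas:
     outbound esp sas:
"""
HUB_ISAKMP = """\
dst             src             state          conn-id status
10.10.10.10     30.30.30.30     QM_IDLE           4223 ACTIVE
10.10.10.10     20.20.20.20     QM_IDLE           4224 ACTIVE
"""
HUB_IPSEC = """\
interface: Tunnel10
   current_peer 30.30.30.30 port 4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 783219, #pkts encrypt: 783219, #pkts digest: 783219
    #pkts decaps: 783023, #pkts decrypt: 783023, #pkts verify: 783023
    #send errors 0, #recv errors 0
     current outbound spi: 0xA383C251(2743321169)
     inbound esp sas:
      spi: 0x4D743FC8(1299464136)
        in use settings ={Tunnel UDP-Encaps, }
     inbound ah sas:
     outbound esp sas:
      spi: 0xA383C251(2743321169)
     outbound ah sas:
"""

IKE_ROW = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+\d+\s+(\S+)")


def parse_isakmp(text):
    """{(dst, src): (state, status)} for every row of `show crypto isakmp sa`."""
    return {(m[1], m[2]): (m[3], m[4]) for m in map(IKE_ROW.match, text.splitlines()) if m}


def parse_ipsec(text):
    """The few `show crypto ipsec sa` fields that decide whether phase 2 is up."""
    info = {"peer": None, "port": None, "flags": set(), "encaps": 0, "decaps": 0,
            "send_errors": 0, "outbound_spi": 0, "inbound_esp": 0, "outbound_esp": 0}
    section = None
    for s in map(str.strip, text.splitlines()):
        if m := re.match(r"current_peer (\S+) port (\d+)", s):
            info["peer"], info["port"] = m[1], int(m[2])
        elif m := re.search(r"flags=\{([^}]*)\}", s):
            info["flags"] = {f for f in m[1].split(",") if f}
        elif m := re.match(r"#pkts (encaps|decaps): (\d+)", s):
            info[m[1]] = int(m[2])
        elif m := re.match(r"#send errors (\d+)", s):
            info["send_errors"] = int(m[1])
        elif m := re.match(r"current outbound spi: 0x([0-9A-Fa-f]+)", s):
            info["outbound_spi"] = int(m[1], 16)
        elif s.endswith("esp sas:"):
            section = s.split()[0]          # "inbound" or "outbound"
        elif s.endswith("sas:"):
            section = None                  # the ah/pcp headings close the esp list
        elif section and s.startswith("spi:"):
            info[section + "_esp"] += 1     # one live SA per spi line
    return info


def triage(isakmp_text, ipsec_text):
    """Classify one tunnel; the hint says which layer to debug next."""
    sa = parse_ipsec(ipsec_text)
    ike = [v for (dst, src), v in parse_isakmp(isakmp_text).items() if sa["peer"] in (dst, src)]
    nat_t = sa["port"] == 4500              # peer reached over UDP/4500: NAT-T in use
    if ("QM_IDLE", "ACTIVE") not in ike:
        return {"verdict": "phase1-down", "nat_t": nat_t,
                "hint": "no IKE SA: check PSK, isakmp policy and UDP/500 reachability"}
    if sa["outbound_spi"] == 0 or not (sa["inbound_esp"] and sa["outbound_esp"]):
        return {"verdict": "phase2-down", "nat_t": nat_t,
                "hint": "IKE up but no IPsec SA: transform-set, mode or proxy-id mismatch "
                        "(%d send errors are the dropped GRE packets)" % sa["send_errors"]}
    if sa["encaps"] == 0 and sa["decaps"] == 0:
        return {"verdict": "ipsec-up-no-traffic", "nat_t": nat_t,
                "hint": "SAs exist but nothing flows: check NHRP, routing and tunnel key"}
    return {"verdict": "healthy", "nat_t": nat_t, "hint": ""}


if __name__ == "__main__":
    print("spoke:", triage(SPOKE_ISAKMP, SPOKE_IPSEC))
    print("hub  :", triage(HUB_ISAKMP, HUB_IPSEC))
```

Fed the spoke output it returns phase2-down; fed the hub's working SA it returns healthy with nat_t set. When the verdict is phase2-down, `debug crypto isakmp` and `debug crypto ipsec` on the responder will show which part of the spoke's proposal was rejected, which is the quickest confirmation of a transform-set or mode mismatch before diffing configs.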

2 Replies

Jeff Van Houten
Level 5

The spoke router has mode transport defined in the transform-set and the hub router doesn't.

Sent from Cisco Technical Support iPad App
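Jeff's finding generalizes. For phase 2 to complete, both ends of a DMVPN tunnel must agree on the transform-set's algorithms and on its encapsulation mode, and a transform-set with no `mode` line is in tunnel mode; for NHRP and GRE to work afterwards they must also agree on `tunnel key`, `ip nhrp network-id` and `ip nhrp authentication`. Either end can be changed to match. Cisco's DMVPN guidance is transport mode on both sides, which saves the 20-byte outer IP header on every packet, so adding `mode transport` to the hub's set is the better fix when the hub can be touched. Two other things in the posted configs deserve a look: the hub keyring is a wildcard pre-shared key (`address 0.0.0.0 0.0.0.0`), so any host that holds Cisco123 can bring up a spoke against it (and that key, the NHRP authentication string and the SNMP community were posted in the thread in clear), and both ends negotiate 3DES with DH group 2. The checker below is an added example, not Cisco tooling or anything from the thread: it parses IOS config text, resolves tunnel to IPsec profile to transform-set on each side, and reports what does not match plus the weak settings. The embedded fragments are constructed by reducing the two configs above to the statements the check reads.

```python
import re

# Constructed fragments, reduced from the two configs posted above.
HUB_CFG = """\
crypto keyring TRNSS-KEYRING
  pre-shared-key address 0.0.0.0 0.0.0.0 key Cisco123
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec profile TRNSS-DMVPN-IPSEC
 set transform-set ESP-3DES-SHA
interface Tunnel10
 ip nhrp authentication Cisco123
 ip nhrp network-id 101
 tunnel key 101
 tunnel protection ipsec profile TRNSS-DMVPN-IPSEC
"""
SPOKE_CFG = """\
crypto keyring SIMSERVICE
  pre-shared-key address 10.10.10.10 key Cisco123
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto ipsec transform-set SIMSERVICE-TRANSFORM-SET esp-3des esp-sha-hmac
 mode transport
crypto ipsec profile SIMSERVICE-DMVPN-IPSEC
 set transform-set SIMSERVICE-TRANSFORM-SET
interface Tunnel0
 ip nhrp authentication Cisco123
 ip nhrp network-id 101
 tunnel key 101
 tunnel protection ipsec profile SIMSERVICE-DMVPN-IPSEC
"""
MUST_MATCH = ("nhrp_auth", "network_id", "tunnel_key", "transform", "mode")
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac"}


def blocks(cfg):
    """Split IOS config text into (top-level line, [indented sub-lines]) pairs."""
    out = []
    for raw in cfg.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace() and out:
            out[-1][1].append(raw.strip())
        else:
            out.append((raw.strip(), []))
    return out


def tunnel_crypto(cfg):
    """For each tunnel under `tunnel protection`, the values its peer must share."""
    tsets, profiles, policies, tunnels, wildcard_psk = {}, {}, {}, {}, False
    for hdr, sub in blocks(cfg):
        if m := re.match(r"crypto ipsec transform-set (\S+) (.+)", hdr):
            # `mode` is a sub-command; without it IOS uses tunnel mode.
            tsets[m[1]] = (tuple(sorted(m[2].split())),
                           "transport" if "mode transport" in sub else "tunnel")
        elif m := re.match(r"crypto ipsec profile (\S+)", hdr):
            profiles[m[1]] = next(s.split()[2] for s in sub if s.startswith("set transform-set"))
        elif m := re.match(r"crypto isakmp policy (\d+)", hdr):
            policies[int(m[1])] = dict(s.split(None, 1) for s in sub)
        elif hdr.startswith("crypto keyring"):
            wildcard_psk |= any("address 0.0.0.0 0.0.0.0" in s for s in sub)
        elif hdr.startswith("interface Tunnel"):
            tunnels[hdr.split()[1]] = dict(s.rsplit(" ", 1) for s in sub if " " in s)
    result = {}
    for name, kv in tunnels.items():
        if "tunnel protection ipsec profile" in kv:
            algs, mode = tsets[profiles[kv["tunnel protection ipsec profile"]]]
            result[name] = {"nhrp_auth": kv.get("ip nhrp authentication"),
                            "network_id": kv.get("ip nhrp network-id"),
                            "tunnel_key": kv.get("tunnel key"), "transform": algs,
                            "mode": mode, "policies": policies, "wildcard_psk": wildcard_psk}
    return result


def compare(hub_cfg, spoke_cfg):
    """Return findings; no line starting with 'mismatch' means phase 2 can complete."""
    hub = next(iter(tunnel_crypto(hub_cfg).values()))
    spoke = next(iter(tunnel_crypto(spoke_cfg).values()))
    findings = [f"mismatch {k}: hub={hub[k]} spoke={spoke[k]}"
                for k in MUST_MATCH if hub[k] != spoke[k]]
    for side, d in (("hub", hub), ("spoke", spoke)):
        if d["wildcard_psk"]:
            findings.append(f"{side}: wildcard pre-shared key, any host holding it can join")
        for num, pol in d["policies"].items():   # IOS defaults: des, sha, group 1
            if (pol.get("encr", "des") in ("des", "3des") or pol.get("hash") == "md5"
                    or pol.get("group", "1") in ("1", "2")):
                findings.append(f"{side}: isakmp policy {num} uses weak algorithms {pol}")
        if WEAK_ESP & set(d["transform"]):
            findings.append(f"{side}: weak ESP transform {d['transform']}")
    return findings


if __name__ == "__main__":
    print(*compare(HUB_CFG, SPOKE_CFG), sep="\n")
    print("after fix:", compare(HUB_CFG, SPOKE_CFG.replace(" mode transport\n", "")))
```

Run as-is it reports `mismatch mode: hub=tunnel spoke=transport` together with the wildcard-PSK and 3DES/group 2 findings; the last line shows that removing the spoke's `mode transport` (the fix applied in this thread) clears the mismatch. Adding `mode transport` under the hub's transform-set instead clears it just as well and leaves both ends in the mode Cisco recommends for DMVPN; the other findings need a stronger ISAKMP policy, an AES transform-set and per-spoke keys (or certificates) rather than a config-order fix.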

Thank you for the reply. I removed transport mode and the tunnel went straight up, so really big thanks to you Jeff!

/Tuomo