03-30-2012 06:22 AM - last edited on 02-21-2020 11:52 PM by cc_security_adm
Hi All,
I am currently trying to configure DMVPN for the first time. I have been following the Cisco config guide and googling a few other bits; however, I seem to have hit a brick wall.
The setup is in a lab environment, so I can post up as much info as required, but here are the important bits:
I have 3 Cisco 2821 routers running IOS 12.4(15) with a Layer 3 switch in the middle connecting the "WAN" ports together. The routing is working fine; I can ping each router from each other router.
A few snippets from the hub router config:
crypto ipsec transform-set DMVPN_SET esp-3des esp-md5-hmac
!
crypto ipsec profile DMVPN_PRJ
set transform-set DMVPN_SET
!
interface Tunnel0
bandwidth 10000
ip address 172.17.100.1 255.255.255.0
no ip redirects
ip mtu 1500
ip nhrp authentication secretid
ip nhrp map multicast dynamic
ip nhrp network-id 101
ip nhrp holdtime 450
ip tcp adjust-mss 1460
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key 10101
tunnel protection ipsec profile DMVPN_PRJ
!
interface GigabitEthernet0/0
description HQ WAN
ip address 1.1.1.1 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
And here's the config on the first spoke router:
crypto ipsec transform-set DMVPN_SET esp-3des esp-md5-hmac
!
crypto ipsec profile DMVPN_PRJ
set transform-set DMVPN_SET
!
interface Tunnel0
bandwidth 3000
ip address 172.17.100.10 255.255.255.0
no ip redirects
ip mtu 1500
ip nhrp authentication secretid
ip nhrp map 172.17.100.1 1.1.1.1
ip nhrp map multicast 1.1.1.1
ip nhrp network-id 101
ip nhrp holdtime 450
ip nhrp nhs 172.17.100.1
ip tcp adjust-mss 1460
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key 10101
tunnel protection ipsec profile DMVPN_PRJ
!
interface GigabitEthernet0/0
description Site 1 WAN
ip address 11.11.11.1 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
If I shut/no shut the Tunnel0 interface on spoke 1, I get the following error on the hub router:
Mar 30 13:41:17.075: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
(ip) vrf/dest_addr= /1.1.1.1, src_addr= 11.11.11.1, prot= 47
So I feel I'm missing some config on the spoke side to encrypt the traffic, but I'm not sure what.
The following are outputs from the spoke router:
RTR_SITE1#sh dmvpn detail
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
-------------- Interface Tunnel0 info: --------------
Intf. is up, Line Protocol is up, Addr. is 172.17.100.10
Source addr: 11.11.11.1, Dest addr: MGRE
Protocol/Transport: "multi-GRE/IP", Protect "DMVPN_PRJ",
Tunnel VRF "", ip vrf forwarding ""
NHRP Details: NHS: 172.17.100.1 E
Type:Spoke, NBMA Peers:1
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb Target Network
----- --------------- --------------- ----- -------- ----- -----------------
1 1.1.1.1 172.17.100.1 IKE never S 172.17.100.1/32
Interface: Tunnel0
Session: [0x48E31B98]
Crypto Session Status: DOWN
fvrf: (none), IPSEC FLOW: permit 47 host 11.11.11.1 host 1.1.1.1
Active SAs: 0, origin: crypto map
Outbound SPI : 0x 0, transform :
Socket State: Closed
Pending DMVPN Sessions:
RTR_SITE1#sh ip nhrp detail
172.17.100.1/32 via 172.17.100.1, Tunnel0 created 00:33:44, never expire
Type: static, Flags: used
NBMA address: 1.1.1.1
RTR_SITE1#sh crypto ipsec sa
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 11.11.11.1
protected vrf: (none)
local ident (addr/mask/prot/port): (11.11.11.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/47/0)
current_peer 1.1.1.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 46, #recv errors 0
local crypto endpt.: 11.11.11.1, remote crypto endpt.: 1.1.1.1
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
All of these commands show up as blank when I run them on the hub router.
Any help appreciated.
Thanks
03-31-2012 04:41 AM
Why do you have NAT outside on the WAN interfaces? Are you trying to configure NAT but have left that out of what you're showing? I'd start with the DMVPN config (which looks good) by itself and add NAT later.
03-31-2012 04:43 AM
Also, these MTUs are too high. With GRE and IPsec you need to set the MTU to 1420 and the MSS to 1360.
03-31-2012 04:44 AM
Sorry, MSS would be 1380.
03-31-2012 04:56 AM
The "no negotiate" is because you don't have an IKE key set up. You need:
crypto isakmp policy 1
 encr (whatever)
 authentication pre-share
 group (whatever)
crypto isakmp key 0 some-secret address 0.0.0.0 0.0.0.0
Hub and spoke have to match.
Also, your IPsec transform-set should have "mode transport".
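The reply above names the missing pieces (an ISAKMP policy, a pre-shared key, and transport mode on the transform set). The following is an added example of what that looks like applied to the poster's hub and spoke configs; it is not from the thread or from Cisco's guide. The hub (1.1.1.1) and spoke (11.11.11.1) addresses and the DMVPN_SET / DMVPN_PRJ names are the poster's; the key string, policy number, and the choice of AES-256/SHA-1 in place of the poster's 3DES/MD5 are assumptions. The MTU/MSS values are the 1400/1360 pair from Cisco's DMVPN design guidance rather than the 1420/1380 pair suggested in the thread; either will work, the point is to leave room for the GRE plus ESP overhead.

```cisco
! ===== Identical on hub and spoke (IKE phase 1 must match on both ends) =====
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 2
!
! "key 0" stores the secret in cleartext in the running config (service
! password-encryption does not touch it). The 0.0.0.0 0.0.0.0 wildcard
! accepts any peer that knows the secret; for the lab that is fine, but a
! per-spoke entry such as "address 11.11.11.1 255.255.255.255" on the hub
! limits who can bring up a tunnel. Key string is an assumption.
crypto isakmp key 0 Lab-DMVPN-Secret address 0.0.0.0 0.0.0.0
!
! ===== IPsec phase 2 =====
! Transport mode: mGRE already supplies the outer IP header, so tunnel mode
! would only add a second one. 3DES/MD5 (the poster's set) are deprecated;
! AES-256/SHA-1 is supported on 12.4(15) and is the assumed replacement.
crypto ipsec transform-set DMVPN_SET esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile DMVPN_PRJ
 set transform-set DMVPN_SET
!
! ===== Tunnel MTU/MSS (poster had 1500/1460, which leaves no overhead room) =====
interface Tunnel0
 ip mtu 1400
 ip tcp adjust-mss 1360
```

After this is on both routers, bounce Tunnel0 on the spoke and check `show crypto isakmp sa` (expect QM_IDLE for 1.1.1.1), then `show crypto ipsec sa` (the encaps/decaps counters should move) and `show dmvpn` (state should go from IKE to UP). If phase 1 still fails, `debug crypto isakmp` on the hub will say whether it is a policy mismatch or a key mismatch. Note that `ip nhrp authentication` and `tunnel key` are not security controls: the NHRP string travels in cleartext inside the GRE payload before IPsec is up and only prevents accidental cross-talk between DMVPN clouds; the IPsec profile is what authenticates and encrypts the peers.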
03-31-2012 06:25 AM
Thanks for the help
I was following this guide: http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_DMVPN.html#wp1118625
I am using NAT; g0/1 on the routers is the LAN interface, with a different 10.x.x.x/24 on each router.
The isakmp policy solved my issue; I fixed the MTU as well.
What do I need to add to allow the 10.x.x.x networks to use the tunnels to communicate? I can now ping each end of the tunnel from both routers but not the LAN interfaces.
Thanks
03-31-2012 06:43 AM
Look for doc ID 41940.
03-31-2012 06:46 AM
Why do you want to NAT the traffic that is being tunneled? If there are distinct subnets on each end of the tunnel there's no reason to NAT.
03-31-2012 06:54 AM
To answer that last question, that doc ID I sent advocates running EIGRP to handle the routing. Get rid of the NAT, run a common EIGRP AS that advertises the 10.x and the 172.y/24 networks, and you should be fine. And make sure you have no auto-summary in your EIGRP config, since you're subnetting a Class A address.
03-31-2012 06:57 AM
The first part of the project was creating 4 "Sites" with internet access from the LAN, hence the NAT.
The second part is to add DMVPN into the mix so I just built on the original config. Will look over the document and try things that way
03-31-2012 07:05 AM
After you get the routing set up, DMVPN should work fine. The main thing on the NAT side is you're going to have to deny the traffic you don't want NATted (e.g., the traffic transiting the tunnel).
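The two replies above (run a common EIGRP AS with `no auto-summary`, and exempt tunnel-bound traffic from NAT) can be put together as follows. This is an added example, not configuration from the thread or from doc ID 41940. The tunnel subnet 172.17.100.0/24 and the Gi0/0 WAN / Gi0/1 LAN split are the poster's; the hub LAN 10.1.1.0/24, the EIGRP AS number 100, the ACL name, and the assumption that Internet-bound NAT is a PAT overload on the WAN interface are all mine. The spoke gets the same block with its own LAN prefix.

```cisco
! ===== Hub: routing over the DMVPN cloud =====
! One AS on every router; no auto-summary so the 10.x/24 LAN prefixes are
! carried as-is instead of collapsing to 10.0.0.0/8 at the classful boundary.
router eigrp 100
 no auto-summary
 network 172.17.100.0 0.0.0.255
 network 10.1.1.0 0.0.0.255
!
! Spokes send their LAN prefixes to the hub over Tunnel0; split horizon would
! stop the hub re-advertising a spoke's prefix back out the same interface to
! the other spokes, so it is disabled on the hub's tunnel only.
interface Tunnel0
 no ip split-horizon eigrp 100
!
! ===== Hub: NAT only for Internet-bound traffic =====
! The deny lines come first so LAN-to-remote-LAN and LAN-to-tunnel traffic is
! routed into Tunnel0 untranslated; everything else from the LAN is PATed.
ip access-list extended NAT_INSIDE
 deny   ip 10.1.1.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 10.1.1.0 0.0.0.255 172.17.100.0 0.0.0.255
 permit ip 10.1.1.0 0.0.0.255 any
!
ip nat inside source list NAT_INSIDE interface GigabitEthernet0/0 overload
!
interface GigabitEthernet0/1
 description HQ LAN
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
! GigabitEthernet0/0 keeps the poster's "ip nat outside"; Tunnel0 carries
! neither "ip nat inside" nor "ip nat outside", so the routed tunnel path
! is never a NAT boundary.
```

Check with `show ip eigrp neighbors` (each spoke should appear on Tunnel0) and `show ip route eigrp` on a spoke, which should list the hub's and the other spokes' 10.x/24 prefixes with a 172.17.100.x next hop. A quick way to confirm the NAT exemption is `show ip nat translations` while pinging a remote LAN host from the local LAN: the tunnelled flow should not appear in the translation table. Keep the deny entries in the ACL specific to the remote prefixes actually reachable over the tunnel; a broad `deny ip any any`-style exemption would silently turn off Internet NAT for the site.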
03-31-2012 07:26 AM
Thanks, I will give that a go over the weekend. Thinking about it, dynamic routing will probably help me when it comes to my next scenario, which uses ASAs alongside the routers.