utm_medium=referral&utm_source=cc-ribbon&utm_campaign=ST-RMA-4-21 " target="_blank">
Would you like to learn more about how to determine if you need an RMA? - REGISTER TODAY!
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
671
Views
0
Helpful
1
Replies
Lost & Found
Beginner

DMVPN PHASE 3 and IPSEC COMMUNICATION ISSUE?

Hi ALL, I studying DMVPN phase 3 and would like to ask if you can answer some of my question and issue that I'm working on right now.

 

S-t-s

 

Description: From the topology, I have 3 sites A, B and C and all routers are DMVPN configured. From the topology also you can see that Site B and C (spoke-to-spoke) communication is working but Site A & B is not working.

Questions:

  1. In which specific database HUB stores the route information from its spoke routers ? if is based on RIB, FIB or NHRP database ? with this, HUB know where to forward the traffic and also this being use to send a redirect whenever there a better path that spoke could use.
  2. From the topology, Site A has a preferred path from HUB perceptive which is to forward Site A lan network to another PE and not directly to HUB. With this, this affect the spoke-to-spoke communication. Could you give input about this, Does hub needs to have the best path towards to its Peer tunnel to send a redirect (related to #1)?
  3. Can we able to run a spoke-to-spoke test between Site A and Site B using their tunnel interface IP addresses since it is directly connected and not being manipulated?

 

example:

Site A - R2 (tunnel 0 - 192.168.1.10/24)

Site B - R (tunnel 0 - 192.168.1.20/24)

 

SiteA# ping 192.168.1.20 source 192.168.1.10

Result: Working

SiteA# trace 192.168.1.20 source 192.168.1.10

Result: 2hops away - HUB -> SITEB ROUTER

 

Same result with Siteb to Sitea ping and trace.

 

4. All spoke routers have IPSEC profile configured but Site A and Site B spoke-to-spoke communication unable to fully form phase2 IPSEC. All policies, attributes are the same since we cannot form an adjacency with hub if there something missing... So believe this is due to the fact we cannot form a spoke-to-spoke communication because of the preferred path? BTW im using the tunnel interfaces to test (see #3 sample).

 

Debug Output from SITEA router2:

46 CEST: ISAKMP-PAK: (15727):received packet from 222.1.1.1 dport 500 sport 500 INTERNET (R) QM_IDLE

46 CEST: ISAKMP: (15727):set new node 1832717634 to QM_IDLE

46 CEST: ISAKMP: (15727):processing HASH payload. message ID = 1832717634

46 CEST: ISAKMP: (15727):processing SA payload. message ID = 1832717634

46 CEST: ISAKMP: (15727):Checking IPSec proposal 1

46 CEST: ISAKMP: (15727):transform 1, ESP_AES

46 CEST: ISAKMP: (15727): attributes in transform:

46 CEST: ISAKMP: (15727): encaps is 2 (Transport)

46 CEST: ISAKMP: (15727): SA life type in seconds

46 CEST: ISAKMP: (15727): SA life duration (basic) of 3600

46 CEST: ISAKMP: (15727): SA life type in kilobytes

46 CEST: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0

46 CEST: ISAKMP: (15727): authenticator is HMAC-SHA

46 CEST: ISAKMP: (15727): key length is 256

46 CEST: ISAKMP: (15727):atts are acceptable.

46 CEST: IPSEC(ipsec_process_proposal): peer address 222.1.1.1 not found

46 CEST: ISAKMP-ERROR: (15727):IPSec policy invalidated proposal with error 64

46 CEST: ISAKMP-ERROR: (15727):phase 2 SA policy not acceptable! (local 59.46.230.254 remote 222.1.1.1)

46 CEST: ISAKMP: (15727):set new node 3820497615 to QM_IDLE

46 CEST: ISAKMP: (15727):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3

spi 140005555332392, message ID = 3820497615

46 CEST: ISAKMP-PAK: (15727):sending packet to 222.1.1.1 my_port 500 peer_port 500 (R) QM_IDLE

46 CEST: ISAKMP: (15727):Sending an IKE IPv4 Packet.

46 CEST: ISAKMP: (15727):purging node 3820497615

46 CEST: ISAKMP-ERROR: (15727):deleting node 1832717634 error TRUE reason "QM rejected"

 

Can we have technical inputs about this?

 

46 CEST: IPSEC(ipsec_process_proposal): peer address 222.1.1.1 not found

46 CEST: ISAKMP-ERROR: (15727):IPSec policy invalidated proposal with error 64

46 CEST: ISAKMP-ERROR: (15727):phase 2 SA policy not acceptable! (local 59.46.230.254 remote 222.1.1.1)

 

Thank you

1 REPLY 1
Mohammed al Baqari
VIP Advisor

Hi,

I am not sure I understood all the questions but I can tell for question 1
that routing info is stored in rib, forwarding info in fib and nbma
resolution in nhrp db. The redirect is sent using nhrp db.

The ping and trace from the spoke routers will always go through the hub.
Nhrp redirect isn't sent for traffic sourced from spoke. Its sent for
traffic routed through the spoke.

Your debugs clearly show mismatch in phase two policies. Just make sure
that you are using same parameters. Sometimes there are differences in aes
syntax for example, aes alone means aes-128 while in others it means
aes-256. Just recheck.


***** please remember to rate useful posts
Content for Community-Ad

This widget could not be displayed.