
DMVPN spoke tunnel up/down after changing hub ISP IP

adavisvpn (Level 1)

crypto isakmp policy 1
encr aes 192
authentication pre-share
!
crypto isakmp policy 2
encr aes 256
authentication pre-share
group 5
lifetime 10800
crypto isakmp key DesMv90 address (change to new ip)
crypto isakmp key DY3S-h3xp0l1 address xxxxxxx
crypto isakmp key DY3S-h3xp0l1 address xxxxxxxx
crypto isakmp key DY3S-h3xp0l1 address xxxxxxxx
crypto isakmp keepalive 10 10
!
!
crypto ipsec transform-set AES-256 esp-aes 256 esp-sha-hmac
mode tunnel
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode transport
!
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA
!
!
!
!
!
!
!
!
!
interface Tunnel0
bandwidth 1000
ip address 192.168.106.2 255.255.255.0
ip mtu 1400
ip nhrp authentication DMVPN_NW
ip nhrp map 192.168.106.1 (changed to new ip)
ip nhrp network-id 100000
ip nhrp holdtime 360
ip nhrp nhs 192.168.106.1
ip tcp adjust-mss 1360
ip ospf network point-to-multipoint
ip ospf mtu-ignore
delay 1000
tunnel source Cellular0
tunnel destination (changed to new ip)
tunnel key 100000
tunnel protection ipsec profile CiscoCP_Profile1
!
interface Cellular0
ip address negotiated

These were the only changes; there should be no issues, but the tunnel protocol is down. Help?

28 Replies

Sorry, that ACL is for a p-2-p VPN that is working. Below is the DMVPN config for the hub and spoke without the other VPN's config components:

HUB:


crypto isakmp policy 2
encr aes 192
authentication pre-share

crypto isakmp key ?????? address 0.0.0.0

!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode transport
!
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA
!
!
interface Tunnel2
bandwidth 1000
ip address 192.168.xxxx 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication DMVPN_NW
ip nhrp map multicast dynamic
ip nhrp network-id 100000
ip nhrp holdtime 360
ip nhrp nhs 192.168.xxxxxx
ip nhrp registration no-unique
ip tcp adjust-mss 1360
ip ospf network point-to-multipoint
ip ospf mtu-ignore
delay 1000
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile CiscoCP_Profile1
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description wan$ETH-WAN$
ip address xxxxxxxxxxx 255.255.255.248
duplex auto
speed auto
!
interface GigabitEthernet0/1
description lan$ETH-LAN$
ip address 192.168.xxxxx 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
no mop enabled
!
router ospf 11
network 192.168.xxxxx 0.0.0.255 area 3
network 192.168.xxxxx 0.0.0.255 area 3
!
router iso-igrp area_1
net 49.0001.7c0e.ce5b.d720.00
!
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 104.184.14.118
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1
ip route 8.8.8.8 255.255.255.255 GigabitEthernet0/0 104.184.14.118
ip route xxxxxxxxxx 255.255.255.0 192.168.xxxx
ip route xxxxxxxxxx 255.255.255.0 192.168.xxxx
!
logging dmvpn rate-limit 20
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.xxxx 0.0.0.255
access-list 1 permit 192.168.xxxx 0.0.0.255
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 23 permit 192.168.xxxxx 0.0.0.255
access-list 23 permit 192.168.xxxxx 0.0.0.255
dialer-list 1 protocol ip permit

------

spoke:

hostname router2 this is the spoke
!
!
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool ccp-pool
import all
network 10.10.10.0 255.255.255.128
default-router 10.10.10.1
lease 0 2
!
!
!
ip domain name yourdomain.com
ip name-server xxxxxxxxxx
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!!
chat-script lte "" "AT!CALL" TIMEOUT 20 "OK"
!
!!
!
object-group network local_cws_net
!
object-group network local_lan_subnets
any
!
object-group network vpn_remote_subnets
any
!
!
redundancy
!
!
controller Cellular 0
lte modem link-recovery rssi onset-threshold -110
lte modem link-recovery monitor-timer 20
lte modem link-recovery wait-timer 10
lte modem link-recovery debounce-count 6
no cdp run
!
!
!
crypto isakmp policy 1
encr aes 192
authentication pre-share
!
crypto isakmp key ?????? address xxxxxxx
crypto isakmp keepalive 10 10
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode transport
!
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA
!
!
!
!
!
!
!
!
!
interface Tunnel0
bandwidth 1000
ip address 192.168.xxxx 255.255.255.0
ip mtu 1400
ip nhrp authentication DMVPN_NW
ip nhrp map 192.168.xxxxx xxxxxxxxxxx
ip nhrp network-id 100000
ip nhrp holdtime 360
ip nhrp nhs 192.168.xxxxx
ip tcp adjust-mss 1360
ip ospf network point-to-multipoint
ip ospf mtu-ignore
delay 1000
tunnel source Cellular0
tunnel destination xxxxxxxxxxxxx
tunnel key 100000
tunnel protection ipsec profile CiscoCP_Profile1
!
interface Cellular0
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation slip
dialer in-band
dialer string lte
dialer-group 1
no peer default ip address
async mode interactive
crypto map CMAP_1
routing dynamic
!
!
interface GigabitEthernet0
description $ETH-LAN$
ip address xxxxxxxxxxx 255.255.255.240
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1400
ip policy route-map clear-df
duplex auto
speed auto
!
interface Serial0
no ip address
shutdown
clock rate 2000000
!
interface Vlan1
description $ETH_LAN$
ip address 10.10.10.1 255.255.255.128
ip tcp adjust-mss 1452
!
router ospf 11
network xxxxxxxxxxx 0.0.0.15 area 3
network 192.168.xxxxx 0.0.0.255 area 3
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source route-map SDM_RMAP_1 interface Cellular0 overload
ip route 0.0.0.0 0.0.0.0 Cellular0
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
!
!
dialer-list 1 protocol ip list 1
ipv6 ioam timestamp
!
route-map SDM_RMAP_1 permit 1
match ip address NAT
!
access-list 23 remark CCP_ACL Category=17
access-list 23 permit 10.10.10.0 0.0.0.127
access-list 23 permit xxxxxxxxxxxx 0.0.0.255
access-list 23 permit 192.168.xxxxxx 0.0.0.15
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default

These are not identical:

crypto isakmp key ?????? address 104.184.14.113

!

ip nhrp map 192.168.106.1 65.15.162.127

Sorry. I sent the config from before I changed the ISP and changed the IPs, and missed that one. The nhrp map is 192.168.xxxxx xxxxxxxxxxx. I made these changes because of the hub ISP IP changing:

crypto isakmp key DesMv90 address xxxxxxxxxx

ip nhrp map 192.168.106.1 xxxxxxxxxx

tunnel destination xxxxxxxxxx

That's it.
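The three lines listed above (the ISAKMP key address, the nhrp map and the tunnel destination) all have to name the same hub public address, and the GRE/NHRP parameters have to agree with the hub. The script below is an added example, not code from this thread: it parses two unindented config pastes of the kind posted here (a "!" line ends an interface block) and reports what does not line up. The spoke and hub configs inside it are constructed from documentation address ranges with a made-up key name; the function names are this example's own, and it does not model the spoke's crypto map, NAT, routing or anything the ISP does.

```python
import re

# Constructed sample configs (documentation addresses, made-up key; not the poster's devices).
# The hub moved to 198.51.100.20: nhrp map and tunnel destination were updated, the key was not.
SPOKE_CFG = """
crypto isakmp key DMVPNKEY address 203.0.113.10
!
interface Tunnel0
ip nhrp authentication DMVPN_NW
ip nhrp map 192.168.106.1 198.51.100.20
ip nhrp network-id 100000
ip nhrp nhs 192.168.106.1
tunnel source Cellular0
tunnel destination 198.51.100.20
tunnel key 100000
tunnel protection ipsec profile CiscoCP_Profile1
!
"""
HUB_CFG = """
crypto isakmp key DMVPNKEY address 0.0.0.0
!
interface Tunnel2
ip address 192.168.106.1 255.255.255.0
ip nhrp authentication DMVPN_NW
ip nhrp map multicast dynamic
ip nhrp network-id 100000
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile CiscoCP_Profile1
!
interface GigabitEthernet0/0
ip address 198.51.100.20 255.255.255.248
!
"""
SPOKE_FIXED = SPOKE_CFG.replace("address 203.0.113.10", "address 198.51.100.20")


def parse_ios(text):
    """Split a paste into top-level lines and {interface: [lines]}; forum pastes lose indentation, so '!' ends a block."""
    top, ifaces, cur = [], {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line == "!":
            cur = None
        elif line.startswith("interface "):
            cur = line.split()[1]
            ifaces[cur] = []
        elif cur is not None:
            ifaces[cur].append(line)
        elif line:
            top.append(line)
    return top, ifaces


def field(lines, prefix, idx):
    """Word idx of the first line starting with prefix, or None if absent."""
    return next((l.split()[idx] for l in lines if l.startswith(prefix)), None)


def tunnel_params(ifaces, name):
    lines = ifaces[name]
    return {
        "ip": field(lines, "ip address ", 2),
        "nhrp_auth": field(lines, "ip nhrp authentication ", 3),
        "nhrp_id": field(lines, "ip nhrp network-id ", 3),
        # static NHRP entries tunnel-ip -> NBMA (public) ip; the multicast map is not one
        "nhrp_map": {l.split()[3]: l.split()[4] for l in lines
                     if l.startswith("ip nhrp map ") and l.split()[3] != "multicast"},
        "source": field(lines, "tunnel source ", 2),
        "destination": field(lines, "tunnel destination ", 2),
        "tunnel_key": field(lines, "tunnel key ", 2),
        "mgre": "tunnel mode gre multipoint" in lines,
    }


def check_dmvpn(spoke_text, hub_text, spoke_if="Tunnel0", hub_if="Tunnel2"):
    """Return mismatches; empty means the static parameters agree, not that the tunnel is up."""
    stop, sif = parse_ios(spoke_text)
    _, hif = parse_ios(hub_text)
    s, h = tunnel_params(sif, spoke_if), tunnel_params(hif, hub_if)
    out = []
    # 1. Every place the spoke names the hub's public address must say the same thing.
    hub_nbma = s["destination"]
    for tun_ip, nbma in s["nhrp_map"].items():
        if nbma != hub_nbma:
            out.append(f"nhrp map {tun_ip} -> {nbma}, but tunnel destination is {hub_nbma}")
    keys = {a: k for k, a in re.findall(r"crypto isakmp key (\S+) address (\S+)", "\n".join(stop))}
    if hub_nbma not in keys and "0.0.0.0" not in keys:  # 0.0.0.0 is the IOS wildcard peer
        out.append(f"no 'crypto isakmp key ... address {hub_nbma}' (keys exist for {sorted(keys)})")
    # 2. The hub really holds that address on its tunnel source, and the spoke maps the hub's tunnel ip.
    hub_src_ip = field(hif.get(h["source"], []), "ip address ", 2)
    if hub_src_ip != hub_nbma:
        out.append(f"hub {h['source']} is {hub_src_ip}, spoke tunnel destination is {hub_nbma}")
    if h["ip"] not in s["nhrp_map"]:
        out.append(f"spoke has no nhrp map for hub tunnel ip {h['ip']}")
    # 3. Values that must be identical on both ends, and the hub must be mGRE.
    for k in ("tunnel_key", "nhrp_id", "nhrp_auth"):
        if s[k] != h[k]:
            out.append(f"{k} differs: spoke {s[k]}, hub {h[k]}")
    if not h["mgre"]:
        out.append("hub tunnel lacks 'tunnel mode gre multipoint'")
    return out


if __name__ == "__main__":
    print("stale spoke:", check_dmvpn(SPOKE_CFG, HUB_CFG))
    print("fixed spoke:", check_dmvpn(SPOKE_FIXED, HUB_CFG))
```

Run it against a copy of each router's `show running-config`; the stale sample reports only the missing ISAKMP key for the new hub address, and the fixed copy reports nothing. An empty result is a precondition, not a diagnosis: if it is empty and the tunnel is still down, the problem is on the wire (ISP filtering of ESP/UDP 500, NAT, routing), which is where `show crypto isakmp sa`, `show dmvpn detail` and `debug crypto isakmp` come in.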

Please share the last correct config of both hub and spoke.

Thanks 

MHM


adavisvpn (Level 1)

It is looking like the only option is to delete the DMVPN hub and spoke tunnels, crypto, and ISAs and start all over if no one has any other ideas. This should not be this difficult.

I received it two to three hours ago.

Just give me some time.

Thanks 

MHM

...

...

For 1: is this right?

crypto ipsec profile CiscoCP_Profile1

set transform-set ESP-3DES-SHA

Tunnel0

tunnel protection ipsec profile CiscoCP_Profile1

2. Is this right?

crypto isakmp key DesMv90 address 0.0.0.0

Sorry, is this the answer to my two points, or something else?

If I have two types of tunnels with two crypto isakmp policies, how do I specify which policy each crypto isakmp key uses?

Ex.

crypto isakmp policy 1

encr 3des

hash md5

authentication pre-share

group 2

!

crypto isakmp policy 2

encr aes 192

authentication pre-share

crypto isakmp key other_tunnel key address xxxxxxxxxxxx

crypto isakmp key dmvmp_tunnel address 0.0.0.0

crypto isakmp keepalive 10 10

 

First tunnel down issue solved?

The routers send both policies and the peer will select the one matching its own, so there is no problem with this.

So all this work did not help you to solve the issue.

Good luck when you talk with the ISP.

MHM
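The point MHM makes in the reply above, that ISAKMP policies are offered as a set and matched by priority while the pre-shared key is picked by peer address with no binding to any policy, as an added example that is not part of the thread. It simulates IKEv1 phase 1 selection for the two-tunnel layout in the question: one policy per tunnel type, a specific key for the p-2-p peer and the 0.0.0.0 wildcard key for the DMVPN hub. The configs, key values and addresses (including the spoke's own address 192.0.2.77) are constructed; the IOS policy defaults and the most-specific-address rule for key selection are this example's assumptions, so confirm them on the box with `show crypto isakmp policy` and `show crypto isakmp key`.

```python
import ipaddress

# Classic IOS fills unspecified ISAKMP policy attributes with these defaults
# (assumption of this example; confirm with 'show crypto isakmp policy').
IOS_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1", "lifetime": 86400}
ATTRS = ("encr", "hash", "authentication", "group")

# Constructed configs in the shape of the question: the spoke with one policy per
# tunnel type, the DMVPN hub, and the other p-2-p peer. Keys and addresses are made up.
SPOKE_CFG = """
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 2
encr aes 192
authentication pre-share
crypto isakmp key other_tunnel_key address 203.0.113.5
crypto isakmp key dmvpn_tunnel_key address 0.0.0.0
crypto isakmp keepalive 10 10
"""
HUB_CFG = """
crypto isakmp policy 2
encr aes 192
authentication pre-share
crypto isakmp key dmvpn_tunnel_key address 0.0.0.0
"""
OTHER_CFG = """
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
lifetime 3600
crypto isakmp key other_tunnel_key address 192.0.2.77
"""


def parse_isakmp(cfg):
    """Return ({priority: attrs}, [(peer network, psk)]) from an unindented config paste."""
    policies, keys, cur = {}, [], None
    for line in (l.strip() for l in cfg.splitlines()):
        if line.startswith("crypto isakmp policy "):
            cur = int(line.split()[3])
            policies[cur] = dict(IOS_DEFAULTS)
        elif line.startswith("crypto isakmp key "):
            w = line.split()  # crypto isakmp key <psk> address <ip> [mask]
            mask = w[6] if len(w) > 6 else ("0.0.0.0" if w[5] == "0.0.0.0" else "255.255.255.255")
            keys.append((ipaddress.ip_network(f"{w[5]}/{mask}", strict=False), w[3]))
            cur = None
        elif not line or line == "!" or line.startswith("crypto "):
            cur = None  # anything else at top level ends the policy block
        elif cur is not None:
            kw, _, val = line.partition(" ")
            val = "aes 128" if (kw, val) == ("encr", "aes") else val  # bare 'encr aes' is 128-bit
            policies[cur][kw] = int(val) if kw == "lifetime" else val
    return policies, keys


def negotiate(initiator, responder):
    """The initiator offers all its policies; the responder walks its own in priority
    order and accepts the first that matches any offer on encr/hash/auth/group.
    The shorter lifetime wins. Returns (responder prio, initiator prio, agreed) or None."""
    for rp in sorted(responder):
        for ip in sorted(initiator):
            r, i = responder[rp], initiator[ip]
            if all(r[a] == i[a] for a in ATTRS):
                return rp, ip, {**{a: r[a] for a in ATTRS}, "lifetime": min(r["lifetime"], i["lifetime"])}
    return None


def select_key(keys, peer):
    """PSK for a peer, chosen purely by address: the most specific configured
    network wins and the 0.0.0.0 wildcard is the fallback (this example's rule)."""
    addr = ipaddress.ip_address(peer)
    hits = [(net.prefixlen, psk) for net, psk in keys if addr in net]
    return max(hits)[1] if hits else None


def ike_phase1(init_cfg, init_ip, resp_cfg, resp_ip):
    """What the two ends can agree on: policy by negotiation, PSK by each side's lookup
    of the other's address. A None policy or psk_match False means no IKE SA forms."""
    i_pol, i_keys = parse_isakmp(init_cfg)
    r_pol, r_keys = parse_isakmp(resp_cfg)
    k_i, k_r = select_key(i_keys, resp_ip), select_key(r_keys, init_ip)
    return {"policy": negotiate(i_pol, r_pol), "psk_match": k_i is not None and k_i == k_r}


if __name__ == "__main__":
    print("spoke -> hub:  ", ike_phase1(SPOKE_CFG, "192.0.2.77", HUB_CFG, "198.51.100.20"))
    print("spoke -> other:", ike_phase1(SPOKE_CFG, "192.0.2.77", OTHER_CFG, "203.0.113.5"))
```

The hub session lands on policy 2 (AES-192) with the wildcard key and the p-2-p session lands on policy 1 (3DES/MD5/group 2) with the specific key, without either key ever being tied to a policy. The DMVPN session in the thread still needs a policy on each side that agrees on all four attributes; a spoke that only offered the 3DES/MD5/group 2 policy would get no match from this hub, which is the "no proposal chosen" failure rather than the missing-key failure.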