cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
2074
Views
0
Helpful
1
Replies
dwaynepeeters
Beginner

DMVPN tunnel sourced via loopback error

Hi all,

I am having a hard time trying to configure DMVPN with the tunnel being sourced via a loopback interface. (Hoping someone could help me out)

I have the following network topology:

R1 <----------> R3 <---------> R2

(Hub)      (ISP router)     (Spoke)

All routers are Cisco 886 routers which don't have L3 ports.

That is why I used SVI interfaces, and have configured the L2 ports (Fa0, Fa1, etc.) with the command switchport access vlan *

I have used this website as an example http://www.securityie.com/cgi-bin/ultimatebb.cgi?ubb=get_topic;f=10;t=002092

The problem is that I am receiving Invalid SPI error's only on the Hub router and I have no clue what could be the problem, because they use exactly the same parameters for IPsec.

Please find my configurations below.

Naamloos.png

I hope someone could help me out with this, any help will be very much appreciated.

Kind regards,

Dwayne

R1: Hub router:

R1#show run

Building configuration...

Current configuration : 2109 bytes

!

! Last configuration change at 10:08:31 UTC Fri Nov 23 2012

version 15.1

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname Hub1

!

boot-start-marker

boot-end-marker

!

!

no aaa new-model

!

memory-size iomem 10

crypto pki token default removal timeout 0

!

!

ip source-route

!

!

ip cef

no ipv6 cef

!

!

multilink bundle-name authenticated

license udi pid CISCO886VA-SEC-K9 sn FCZ1636C0RU

!

!

controller VDSL 0

!

!

crypto isakmp policy 10

encr aes

authentication pre-share

group 5

crypto isakmp key cisco address 0.0.0.0 0.0.0.0

crypto isakmp invalid-spi-recovery

crypto isakmp keepalive 10 periodic

!

!

crypto ipsec transform-set MYSET esp-aes esp-sha-hmac

mode transport

!

crypto ipsec profile dmvpn

set transform-set MYSET

set pfs group5

!

interface Tunnel0

description DMVPN HUB INTERFACE

bandwidth 1000

ip address 192.168.1.2 255.255.255.0

no ip redirects

ip mtu 1416

ip nhrp authentication cisco

ip nhrp map multicast dynamic

ip nhrp network-id 1

ip tcp adjust-mss 1352

no ip split-horizon eigrp 10

tunnel source 50.50.2.2

tunnel mode gre multipoint

tunnel key 1

tunnel protection ipsec profile dmvpn

!

!

interface FastEthernet0

switchport access vlan 2

no ip address

!

interface FastEthernet1

switchport access vlan 3

no ip address

!

!

interface Vlan2

description HUB'S PUBLIC LAN

ip address 50.50.2.2 255.255.255.0

!

interface Vlan3

description HUB'S PRIVATE LAN

ip address 10.1.1.1 255.255.255.0

!

!

router eigrp 10

network 10.1.1.0 0.0.0.255

network 192.168.1.0

!

ip forward-protocol nd

no ip http server

no ip http secure-server

!

!

ip route 50.50.1.2 255.255.255.255 50.50.2.1

!

!

control-plane

!

!

line con 0

line aux 0

line vty 0 4

login

transport input all

!

end

----------------------------------------------------------------------

----------------------------------------------------------------------

R2: Spoke router:

R2#show run

Building configuration...

Current configuration : 2594 bytes

!

! Last configuration change at 10:10:06 UTC Fri Nov 23 2012

version 15.1

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname Spoke

!

boot-start-marker

boot-end-marker

!

!

no aaa new-model

!

memory-size iomem 10

crypto pki token default removal timeout 0

!

!

ip source-route

!

!

ip cef

no ipv6 cef

!

!

multilink bundle-name authenticated

license udi pid CISCO887VA-SEC-K9 sn FCZ1637913G

!

!

controller VDSL 0

!

!

crypto isakmp policy 10

encr aes

authentication pre-share

group 5

crypto isakmp key cisco address 0.0.0.0 0.0.0.0

crypto isakmp invalid-spi-recovery

crypto isakmp keepalive 10 periodic

!

!

crypto ipsec transform-set MYSET esp-aes esp-sha-hmac

mode transport

!

crypto ipsec profile dmvpn

set transform-set MYSET

set pfs group5

!

!

interface Loopback0

description DMVPN TUNNEL SOURCE

ip address 2.2.2.2 255.255.255.0

ip nat inside

ip virtual-reassembly in

!

interface Tunnel0

description DMVPN SPOKE INTERFACE

bandwidth 1000

ip address 192.168.1.1 255.255.255.0

no ip redirects

ip mtu 1416

ip nhrp authentication cisco

ip nhrp map multicast 50.50.2.2

ip nhrp map 192.168.1.2 50.50.2.2

ip nhrp network-id 1

ip nhrp nhs 192.168.1.2

ip tcp adjust-mss 1352

tunnel source 2.2.2.2

tunnel mode gre multipoint

tunnel key 1

tunnel protection ipsec profile dmvpn

!

!

interface FastEthernet0

switchport access vlan 4

no ip address

!

interface FastEthernet1

switchport access vlan 3

no ip address

!

!

interface Vlan1

no ip address

!

interface Vlan3

description SPOKE'S PRIVATE LAN

ip address 172.168.1.1 255.255.255.0

ip nat inside

ip virtual-reassembly in

!

interface Vlan4

description SPOKE'S PUBLIC LAN

ip address 50.50.1.2 255.255.255.0

ip nat outside

ip virtual-reassembly in

no ip route-cache

!

!

router eigrp 10

network 172.168.1.0 0.0.0.255

network 192.168.0.0 0.0.255.255

!

ip forward-protocol nd

no ip http server

no ip http secure-server

!

!

ip nat inside source list pat interface Vlan4 overload

ip route 50.50.2.2 255.255.255.255 50.50.1.1

!

ip access-list extended pat

permit ip host 2.2.2.2 any

permit gre host 2.2.2.2 any

deny   ip any 50.50.0.0 0.0.255.255

deny   ip any 192.168.0.0 0.0.255.255

permit ip 172.168.1.0 0.0.0.255 any

!

!

control-plane

!

!

line con 0

line aux 0

line vty 0 4

login

transport input all

!

end


1 REPLY 1
dwaynepeeters
Beginner

Also when I issue the command show crypto isakmp sa detail, it shows the following output.

Strange thing is when I issue the command a few times, the SA state changes (see below).

This is the same on both the hub and the spoke router.

Create
Recognize Your Peers
Content for Community-Ad