06-15-2011 06:35 AM - edited 02-21-2020 05:24 PM
Hi,
I am looking for some help with the following:
I have a 2-spoke DMVPN scenario. My problems are:
All the routers are 1811s with EZVPN server configured. Here are the configs; the spokes have the same config, and all routers are brand new.
Hub:
crypto keyring ccp-dmvpn-keyring
 pre-shared-key address 0.0.0.0 0.0.0.0 key XXXXX
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group magellanvpn
 key magellan01x
 pool SDM_POOL_1
 acl 100
!
crypto isakmp profile ciscocp-ike-profile-1
 match identity group magellanvpn
 client authentication list ciscocp_vpn_xauth_ml_1
 isakmp authorization list ciscocp_vpn_group_ml_1
 client configuration address respond
 virtual-template 1
!
crypto isakmp profile ccp-dmvpn-isakmprofile
 keyring ccp-dmvpn-keyring
 match identity address 0.0.0.0
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile CiscoCP_Profile1
 set security-association idle-time 3600
 set transform-set ESP-3DES-SHA
 set isakmp-profile ciscocp-ike-profile-1
!
crypto ipsec profile CiscoCP_Profile2
 set transform-set ESP-3DES-SHA1
 set isakmp-profile ccp-dmvpn-isakmprofile
!
archive
 log config
  hidekeys
!
interface Tunnel0
 bandwidth 1000
 ip address 11.11.11.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication DMVPN_NW
 ip nhrp map multicast dynamic
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip tcp adjust-mss 1360
 no ip split-horizon eigrp 100
 delay 1000
 tunnel source FastEthernet0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile CiscoCP_Profile
!
interface FastEthernet0
 ip address X.X.X.X 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Virtual-Template1 type tunnel
 ip unnumbered FastEthernet0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CiscoCP_Profile1
!
router eigrp 100
 network 11.11.11.0 0.0.0.255
 network 11.0.0.0
 network 192.168.3.0
 no auto-summary
Spoke:
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key magellan01x address 173.12.141.85
!
crypto isakmp client configuration group magellanvpn
 key magellan01x
 pool SDM_POOL_1
 acl 100
crypto isakmp profile ciscocp-ike-profile-1
 match identity group magellanvpn
 client authentication list ciscocp_vpn_xauth_ml_1
 isakmp authorization list ciscocp_vpn_group_ml_1
 client configuration address respond
 virtual-template 1
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile CiscoCP_Profile1
 set security-association idle-time 3600
 set transform-set ESP-3DES-SHA
 set isakmp-profile ciscocp-ike-profile-1
!
crypto ipsec profile CiscoCP_Profile2
 set transform-set ESP-3DES-SHA1
!
archive
 log config
  hidekeys
!
interface Tunnel0
 bandwidth 1000
 ip address 11.11.11.5 255.255.255.0
 ip mtu 1400
 ip nhrp authentication DMVPN_NW
 ip nhrp map 11.11.11.1 173.12.141.85
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip nhrp nhs 11.11.11.1
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source FastEthernet0
 tunnel destination X.X.X.X
 tunnel key 100000
 tunnel protection ipsec profile CiscoCP_Profile2
!
interface FastEthernet0
 ip address X.X.X.X 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
Thank you for any help in advance,
Marley
06-15-2011 09:22 AM
Marley,
I strongly suggest you remove any public IP information you have configured from forums (it also helps to use the "quote" feature when posting configurations).
Regarding problem number 1: you're missing ISAKMP keepalives in the configuration.
crypto isakmp keep 30 5
on both hub and spoke should be a decent way to start.
If you're not seeing routes from hub advertised to spokes, well you need to check/share your routing configuration.
It looks like you're using a phase 2 design and EIGRP, in which case you might want to revisit the configuration guide (or you're running a software version which has some other defaults).
Marcin
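Reading the two posted configs the way the reply above does, but mechanically, as an added example that is not code from this thread or from Cisco: a small Python checker that parses 'show run' style text, verifies that every crypto reference (transform set, ISAKMP profile, IPsec profile on the tunnel) resolves to something actually defined, and flags the two things the reply raises, a missing ISAKMP keepalive and a spoke tunnel that is still point-to-point GRE rather than mGRE. The embedded configs are abridged from the ones posted above, indented as IOS prints them, with the hub's public address replaced by the documentation placeholder 192.0.2.1; `parse_blocks` and `check_config` are names chosen here.

```python
"""Consistency checks for a Cisco IOS DMVPN/IPsec configuration.
Added example for this thread (not code from the posts or from Cisco): it
parses 'show run' style text and checks that every crypto reference resolves
and that DPD keepalives, GRE mode and EIGRP split horizon fit the role.
"""

# Abridged from the hub config posted above, indented the way 'show run'
# prints it.  The profile name on the last line and the absence of any
# 'crypto isakmp keepalive' line are both as in the original post.
HUB_CONFIG = """\
crypto isakmp profile ccp-dmvpn-isakmprofile
 match identity address 0.0.0.0
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
 mode transport
crypto ipsec profile CiscoCP_Profile2
 set transform-set ESP-3DES-SHA1
 set isakmp-profile ccp-dmvpn-isakmprofile
interface Tunnel0
 ip address 11.11.11.1 255.255.255.0
 no ip split-horizon eigrp 100
 tunnel mode gre multipoint
 tunnel protection ipsec profile CiscoCP_Profile
"""

# Abridged from the spoke config; the hub's public address is replaced with
# the documentation-range placeholder 192.0.2.1 (an assumption, not the post's).
SPOKE_CONFIG = """\
crypto isakmp key magellan01x address 192.0.2.1
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
 mode transport
crypto ipsec profile CiscoCP_Profile2
 set transform-set ESP-3DES-SHA1
interface Tunnel0
 ip address 11.11.11.5 255.255.255.0
 ip nhrp nhs 11.11.11.1
 tunnel destination 192.0.2.1
 tunnel protection ipsec profile CiscoCP_Profile2
"""


def parse_blocks(text):
    """Split IOS config into (command, [subcommands]) by leading-space nesting."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] == " " and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def _arg(body, prefix):
    """First word after 'prefix' among the subcommands, or None if absent."""
    for line in body:
        if line.startswith(prefix + " ") and line[len(prefix) + 1:].split():
            return line[len(prefix) + 1:].split()[0]
    return None


def check_config(text, role):
    """Return findings for a 'hub' or 'spoke' config; an empty list means consistent."""
    findings, has_dpd, transform_sets = [], False, set()
    isakmp_profiles, ipsec_profiles, tunnels = {}, {}, {}
    for cmd, body in parse_blocks(text):
        w = cmd.split()
        if cmd.startswith("crypto ipsec transform-set "):
            transform_sets.add(w[3])
        elif cmd.startswith("crypto isakmp profile "):
            isakmp_profiles[w[3]] = body
        elif cmd.startswith("crypto ipsec profile "):
            ipsec_profiles[w[3]] = body
        elif cmd.startswith("crypto isakmp keepalive "):
            has_dpd = True
        elif cmd.startswith("interface Tunnel"):
            tunnels[w[1]] = body

    # 1. Every name an ipsec profile points at must actually be defined.
    for name, body in ipsec_profiles.items():
        ts, ikep = _arg(body, "set transform-set"), _arg(body, "set isakmp-profile")
        if ts and ts not in transform_sets:
            findings.append(f"ipsec profile {name} references undefined transform-set {ts}")
        if ikep and ikep not in isakmp_profiles:
            findings.append(f"ipsec profile {name} references undefined isakmp profile {ikep}")

    # 2. Tunnel checks: protection profile, GRE mode for the role, split horizon.
    for name, body in tunnels.items():
        prof = _arg(body, "tunnel protection ipsec profile")
        if prof is None:
            findings.append(f"{name} has no tunnel protection: GRE would run in the clear")
        elif prof not in ipsec_profiles:
            findings.append(f"{name} references undefined ipsec profile {prof}")
        mgre = "tunnel mode gre multipoint" in body
        if role == "spoke" and not mgre:
            findings.append(f"{name} is point-to-point GRE (phase 1): spoke-to-spoke traffic hairpins via the hub")
        if role == "hub" and mgre and not any(l.startswith("no ip split-horizon eigrp") for l in body):
            findings.append(f"{name}: EIGRP split horizon is on, spokes will not learn each other's routes")

    # 3. Dead peer detection, which is what the reply above asks for.
    if not has_dpd:
        findings.append("no 'crypto isakmp keepalive': a dead peer is only noticed when the SA "
                        "lifetime expires; add 'crypto isakmp keepalive 30 5 periodic'")
    return findings


if __name__ == "__main__":
    for role, cfg in (("hub", HUB_CONFIG), ("spoke", SPOKE_CONFIG)):
        print(role, check_config(cfg, role) or ["no findings"])
```

Run against the hub as posted it reports two things: Tunnel0 references an IPsec profile name (CiscoCP_Profile) that the posted config never defines, only CiscoCP_Profile1 and CiscoCP_Profile2 exist, and there is no keepalive. Whether the missing digit is a paste error or the running config is worth confirming with `show running-config interface Tunnel0` before chasing anything else, since a tunnel bound to an undefined profile will not bring up IPsec at all. One caveat the checker does not grade: the hub keyring accepts the pre-shared key from any address (0.0.0.0 0.0.0.0), which is the usual pattern for spokes on dynamic addresses but means the key itself is the only thing identifying a spoke, so it has to be rotated if a spoke router is ever lost.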
06-16-2011 04:12 AM
Marcin,
Thank you for your suggestions. I have corrected (I think) the public IP and I will implement the keepalive. As for the hub, when I restart it I can't even get in through a VPN client; it's like it does not create a route for the VPN tunnel. After a couple of restarts I can get in.
Any other help would be greatly appreciated, let me know what more you want posted.
Thank you,
Marley
06-16-2011 05:43 AM
Marley,
The second part could be potentially a bug (I don't see any good explanation from my brief look at configuration).
That being said, I would say the best way to proceed would be to upgrade to the latest revision of your current software (what is your version right now?).
If that does not work, it's best to open a TAC case, as it will most likely need a deeper look.
Marcin