DMVPN w/ EZVPN issue

countjugular
Level 1

Hi all, I'm attempting to set up a router with DMVPN for site-to-site connections and EZVPN for mobile users.

I used this article as a basis: http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801eafcb.shtml. The DMVPN is working fine; communication between both locations is working fine.

The issue I am having is that the VPN Client connects fine, but can only ping the router (192.168.254.254); it cannot ping any other machines on 192.168.254.x, and it also cannot ping the DMVPN spokes (192.168.250.x, 192.168.11.x).

I can ping the Client from the router if I specify Vlan1 as the ping source.

Any assistance would be greatly appreciated; I'm growing more and more bald as time passes... Here's a scrubbed config that I'm using on the DMVPN hub / EZVPN server:


Building configuration...

Current configuration : 4491 bytes
!
! Last configuration change at 20:11:33 UTC Fri Apr 20 2012

!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname
!
boot-start-marker
boot-end-marker
!
enable
enable password
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network auth local
!
!
!
!
!
aaa session-id common
!
!
!
memory-size iomem 10
!
!
ip source-route
!
!
!
!
ip cef
no ipv6 cef
!
!

!
!
username user2 privilege 15 secret 5 xxxxxxx
username user1 privilege 15 secret 5 xxxxxxx
!
!
!
crypto keyring DMVPN
  pre-shared-key address 0.0.0.0 0.0.0.0 key (password)
!
crypto isakmp policy 10
hash md5
authentication pre-share
!
crypto isakmp policy 20
hash md5
authentication pre-share
group 2
!
crypto isakmp client configuration group VPN
key (password)
dns (dns1) (dns2)
domain myplace.local
pool VPNPOOL
acl 102
save-password
split-dns myplace.local
netmask 255.255.255.0
crypto isakmp profile VPNclient
   match identity group VPN
   client authentication list userauthen
   isakmp authorization list auth
   client configuration address respond
crypto isakmp profile DMVPN
   keyring DMVPN
   match identity address 0.0.0.0
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
mode transport
!
crypto ipsec profile cisco
set security-association lifetime seconds 120
set transform-set strong
set isakmp-profile DMVPN
!
!
crypto dynamic-map dynmap 10
set transform-set strong
set isakmp-profile VPNclient
reverse-route
!
!
crypto map dynmap 1 ipsec-isakmp dynamic dynmap
!
!
!
!
!
interface Tunnel0
bandwidth 10000
ip address 10.0.10.1 255.255.255.0
no ip redirects
ip mtu 1400
no ip next-hop-self eigrp 100
ip nat inside
ip nhrp authentication VPNAUTH
ip nhrp map multicast dynamic
ip nhrp network-id 100000
ip nhrp holdtime 360
ip virtual-reassembly
ip tcp adjust-mss 1360
no ip split-horizon eigrp 100
delay 1000
tunnel source FastEthernet4
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile cisco
!
!
interface FastEthernet0
!
!
interface FastEthernet1
shutdown
!
!
interface FastEthernet2
shutdown
!
!
interface FastEthernet3
shutdown
!
!
interface FastEthernet4
description Internet
ip address (public ip) 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map dynmap
!
!
interface Cellular0
no ip address
encapsulation ppp
shutdown
!
!
interface Vlan1
description LAN
ip address 192.168.254.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
!
!
!
router eigrp 100
network 10.0.10.0 0.0.0.255
network 172.16.0.0
network 192.168.254.0
redistribute static
!
ip local pool VPNPOOL 172.16.100.1 172.16.100.254
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 100 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 (public gateway)
!
access-list 100 deny   ip 192.168.254.0 0.0.0.255 192.168.250.0 0.0.0.255
access-list 100 deny   ip 192.168.254.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 100 deny   ip 192.168.254.0 0.0.0.255 172.16.100.0 0.0.0.255
access-list 100 permit ip 192.168.254.0 0.0.0.255 any
access-list 102 permit ip 192.168.254.0 0.0.0.255 any
access-list 102 permit ip 192.168.250.0 0.0.0.255 any
access-list 102 permit ip 10.0.10.0 0.0.0.255 any
access-list 102 permit ip 172.16.100.0 0.0.0.255 any

7 Replies

Marvin Rhoads
Hall of Fame

My suspicion is a routing issue. Your VPN configuration looks fine.

Do your inside destinations that you cannot reach use the router above as their gateway?

What does "show ip route" return when executed on the router (while a client is VPN'd in)? I would expect it to know about any clients' /32s as "S" (static) addresses and thus route properly to them on that basis.

olpeleri
Cisco Employee

Hello,

From your config,

crypto ipsec transform-set strong esp-3des esp-md5-hmac
mode transport

is very good for DMVPN, since mGRE is locally generated and we don't need the tunnel-mode overhead to make it work.

However, with EZVPN we need to use tunnel mode.

I would recommend the following changes.

1- Add the right transform-set

crypto ipsec transform-set ezvpn esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10
set transform-set ezvpn

That should fix your problem.

2- Modify the lifetime of the strong transform-set

120 seconds is definitely not a good idea since:

1- It will stress the control plane

2- It will create tunnel flaps in certain conditions

3- It does not provide any extra security

===> Keeping the value at 3600 seconds is recommended.

Cheers,

Olivier

CCIE Security #20306

countjugular
Level 1

Thank you for the corrections Oliver. I have made the changes, but unfortunately the problem is still haunting me.

Marvin, it's possible there's a route issue somewhere, but I can't seem to put my finger on it. I have 2 workstations that are using this router as their default gateway, and am unable to ping either way. Here is the sh ip route you requested.

Gateway of last resort is (public gateway) to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via (public gateway)
10.0.0.0/0 is variably subnetted, 2 subnets, 2 masks
C 10.0.10.0/24 is directly connected, Tunnel0
L 10.0.10.1/32 is directly connected, Tunnel0
70.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 70.xx.xx.xxx/30 is directly connected, FastEthernet4
L 70.xx.xx.xx/32 is directly connected, FastEthernet4
172.16.0.0/32 is subnetted, 1 subnets
S 172.16.100.8 [1/0] via (source ip), FastEthernet4
D 192.168.250.0/24 [90/514560] via 10.0.10.2, id15h, Tunnel0
192.168.254.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.254.0/24 is directly connected, Vlan1
L 192.168.254.254/32 is directly connected, Vlan1

Thanks again for any input / ideas on how to fix this.

Hmm, routing looks OK.

I'm wondering about your NAT. You have:

ip nat inside source list 100 interface FastEthernet4 overload

with access-list 100 defined thus:

access-list 100 deny   ip 192.168.254.0 0.0.0.255 192.168.250.0 0.0.0.255
access-list 100 deny   ip 192.168.254.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 100 deny   ip 192.168.254.0 0.0.0.255 172.16.100.0 0.0.0.255
access-list 100 permit ip 192.168.254.0 0.0.0.255 any

How about trying to add your VPNPOOL addresses (172.16.100.0/24) to the NAT deny (exempt) and permit listing and include an exemption for 192.168.254.0/24 also. That would be:

access-list 100 deny   ip 172.16.100.0 0.0.0.255 192.168.250.0 0.0.0.255
access-list 100 deny   ip 172.16.100.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 100 deny   ip 172.16.100.0 0.0.0.255 172.16.100.0 0.0.0.255
access-list 100 deny   ip 172.16.100.0 0.0.0.255 192.168.254.0 0.0.0.255
access-list 100 permit ip 172.16.100.0 0.0.0.255 any

...in addition to what you have now
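To check what the NAT source list actually does to the flows in question, here is an added Python example (not from the thread or from Cisco) that parses the posted access-list 100 lines, applies IOS first-match semantics with the implicit deny at the end, and compares the original list against the one extended with the lines suggested above. The sample flows, and the 203.0.113.7 Internet address, are constructed for the example.

```python
import ipaddress
# ACL 100 exactly as posted in the hub config (the NAT "inside source list").
ORIGINAL_ACL_100 = """
access-list 100 deny   ip 192.168.254.0 0.0.0.255 192.168.250.0 0.0.0.255
access-list 100 deny   ip 192.168.254.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 100 deny   ip 192.168.254.0 0.0.0.255 172.16.100.0 0.0.0.255
access-list 100 permit ip 192.168.254.0 0.0.0.255 any
""".strip().splitlines()
# The extra lines suggested in the reply above, appended after the originals.
EXTENDED_ACL_100 = ORIGINAL_ACL_100 + """
access-list 100 deny   ip 172.16.100.0 0.0.0.255 192.168.250.0 0.0.0.255
access-list 100 deny   ip 172.16.100.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 100 deny   ip 172.16.100.0 0.0.0.255 172.16.100.0 0.0.0.255
access-list 100 deny   ip 172.16.100.0 0.0.0.255 192.168.254.0 0.0.0.255
access-list 100 permit ip 172.16.100.0 0.0.0.255 any
""".strip().splitlines()

def wildcard_to_network(addr, wildcard):
    """IOS wildcard mask (0 bits = must match) -> prefix network; rejects discontiguous masks."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    prefix = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"discontiguous wildcard {wildcard} not supported")
    return ipaddress.IPv4Network((addr, prefix), strict=False)

def _take_target(tok):
    """Consume one address spec ('any' or 'A WILDCARD'); return (network, remaining tokens)."""
    if tok[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tok[1:]
    return wildcard_to_network(tok[0], tok[1]), tok[2:]

def parse_acl(lines, number="100"):
    """Return [(action, src_net, dst_net)] in configured order for the numbered 'ip' ACEs."""
    entries = []
    for line in lines:
        tok = line.split()
        if len(tok) < 5 or tok[:2] != ["access-list", number] or tok[3] != "ip":
            continue  # other list number, or a protocol form this example does not handle
        src, rest = _take_target(tok[4:])
        dst, _ = _take_target(rest)
        entries.append((tok[2], src, dst))
    return entries

def nat_decision(acl, src_ip, dst_ip):
    """First match wins, implicit deny at the end; in a NAT source list permit = translate."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for action, src, dst in acl:
        if s in src and d in dst:
            return "translate" if action == "permit" else "exempt"
    return "exempt"
```

Running the same client-to-LAN flow (172.16.100.8 to 192.168.254.10) through both lists returns "exempt" either way, which is why adding the exemptions alone could not change that path; the extension only alters what happens to pool traffic headed for addresses outside the listed networks.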


countjugular
Level 1

Mklemovitch, I added those exemptions, but unfortunately it's still not working. I think you're on the right track; the issue really seems like either a routing or ACL issue, but I just can't put my finger on it.

countjugular
Level 1

Found the issue..... it was running 15.0(1)M4 ... updated to 15.2(3)T, working like a champ now.... even to the DMVPN spokes. Thank you both for your help; sorry I didn't do this first as I should have.

You're welcome.

That's a strange coincidence - I just myself fixed some strangeness of an 881W router not being accessible via ssh over its public IP. It was running 15.0(1). Upgrading to 15.2(3)T fixed it as well!

I guess the lesson learned is let that first major release cook a bit and hop on the new train after .1 or .2 is out.