773 Views, 0 Helpful, 3 Replies

DMVPN with IPSec

Salongo
Level 1

Hi

I set up IPsec on the DMVPN hub and spokes as shown below, but I get the following error on all DMVPN endpoints.

I am using CSR1000v on a rack-rental site.

R18(config-if)#
*Jan  2 02:18:24.458: %ACE-3-TRANSERR: IOSXE-ESP(11): IKEA trans 0x63; opcode 0x60; param 0x2F; error 0x5; retry cnt 0
*Jan  2 02:18:24.459: %ACE-3-TRANSERR: IOSXE-ESP(11): IKEA trans 0x65; opcode 0x60; param 0x30; error 0x5; retry cnt 0
R18(config-if)#

EIGRP does not come up. But removing the IPsec profile from the Tunnel 100 interfaces brings EIGRP up, and DMVPN works fine.

Any suggestions?

The configs are:

R18
---
crypto isakmp policy 18
 encr aes 192
 hash sha256
 authentication pre-share
 group 5
crypto isakmp key DmvPn!23 address 89.211.116.16
crypto isakmp key DmvPn!23 address 89.211.117.17
crypto ipsec transform-set TRANS_SET esp-aes esp-sha-hmac
 mode transport
!
crypto ipsec profile CRY_PROFILE
 set transform-set TRANS_SET
!
int tu 100
 tunnel protection ipsec profile CRY_PROFILE
!


R16
---
crypto isakmp policy 16
 encr aes 192
 hash sha256
 authentication pre-share
 group 5
!
crypto isakmp key DmvPn!23 address 202.4.180.0
!
crypto ipsec transform-set TRANS_SET esp-aes esp-sha-hmac
 mode transport
!
crypto ipsec profile CRY_PROFILE
 set transform-set TRANS_SET
!
int tu 100
 tunnel protection ipsec profile CRY_PROFILE
!


R17
---
crypto isakmp policy 17
 encr aes 192
 hash sha256
 authentication pre-share
 group 5
!
crypto isakmp key DmvPn!23 address 202.4.180.0
!
crypto ipsec transform-set TRANS_SET esp-aes esp-sha-hmac
 mode transport
!
crypto ipsec profile CRY_PROFIL
!
crypto ipsec profile CRY_PROFILE
 set transform-set TRANS_SET
!
int tu 100
 tunnel protection ipsec profile CRY_PROFILE
!


R18
---
interface Tunnel100
 ip address 172.100.123.18 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication NHRPKEY
 ip nhrp map multicast dynamic
 ip nhrp network-id 123
 ip nhrp holdtime 300
 ip tcp adjust-mss 1360
 tunnel source 202.4.180.0
 tunnel mode gre multipoint
 tunnel key 123
 tunnel protection ipsec profile CRY_PROFILE
!


R16
---
interface Tunnel100
 ip address 172.100.123.16 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication NHRPKEY
 ip nhrp map 172.100.123.18 202.4.180.0
 ip nhrp map multicast 202.4.180.0
 ip nhrp nhs 172.100.123.18
 ip nhrp network-id 123
 ip nhrp holdtime 300
 ip tcp adjust-mss 1360
 tunnel source 89.211.116.16
 tunnel mode gre multipoint
 tunnel key 123
 tunnel protection ipsec profile CRY_PROFIL
!


R17
---
interface Tunnel100
 ip address 172.100.123.17 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication NHRPKEY
 ip nhrp map 172.100.123.18 202.4.180.0
 ip nhrp map multicast 202.4.180.0
 ip nhrp nhs 172.100.123.18
 ip nhrp network-id 123
 ip nhrp holdtime 300
 ip tcp adjust-mss 1360
 tunnel source 89.211.117.17
 tunnel mode gre multipoint
 tunnel key 123
 tunnel protection ipsec profile CRY_PROFIL
!

3 Replies

Collin Clark
VIP Alumni

You'll have to configure EIGRP to use unicast to its neighbors.

Poonam Garg
Level 3

Hi,

Try to use MTU 1420 on your tunnel interface.

HTH

Salongo
Level 1

Thanks, guys, for your input. I have it solved. The issue with the CSR 1000v platform is that it somehow does not like AH-SHA-HMAC, so I changed to using ESP-SHA-HMAC instead.

 

Thanks & Regards,

Saleh
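Added example, not from the thread and not Cisco code: a small Python checker that parses IOS-style hub and spoke fragments like the ones posted above and reports the configuration mismatches worth ruling out before reading `%ACE-3-TRANSERR` off the console. It checks that every `tunnel protection ipsec profile` names a profile that exists and resolves to a transform set (in the posted configs, R16 and R17 apply `CRY_PROFIL` on Tunnel100 while the profile that carries `set transform-set TRANS_SET` is `CRY_PROFILE`, and R17 even defines an empty `CRY_PROFIL`), flags transform sets that use AH (the original poster's fix was to move from AH-SHA-HMAC to ESP-SHA-HMAC), and, for each spoke's NHS mapping, confirms that both sides hold the same pre-shared key for each other and apply the same transforms. The sample configs are constructed and trimmed to the lines the checker reads: R16 keeps the `CRY_PROFIL` reference as posted, R17 is given the AH transform set and a deliberately mistyped key to exercise the peer checks. The function names (`parse_ios`, `check_device`, `check_peers`, `audit`) are chosen here.

```python
import re  # added example: static checks for the hub/spoke IPsec configs shown in the thread

def parse_ios(text):
    """Pull isakmp keys, transform sets, ipsec profiles and tunnel interfaces out of IOS config text."""
    cfg = {"keys": {}, "tsets": {}, "profiles": {}, "tunnels": {}}
    ctx = None  # (section, name) of the block whose indented sub-commands follow
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if raw[0] != " ":  # a top-level command starts a new block (blocks we do not model get ctx=None)
            ctx = None
            if m := re.match(r"crypto isakmp key (\S+) address (\S+)", line):
                cfg["keys"][m[2]] = m[1]
            elif m := re.match(r"crypto ipsec transform-set (\S+)\s+(.+)", line):
                cfg["tsets"][m[1]] = m[2].split()
            elif m := re.match(r"crypto ipsec profile (\S+)", line):
                ctx = ("profiles", m[1])
                cfg["profiles"].setdefault(m[1], {"tset": None})  # an empty profile keeps tset=None
            elif m := re.match(r"int(?:erface)?\s+tu(?:nnel)?\s*(\d+)", line, re.I):
                ctx = ("tunnels", f"Tunnel{m[1]}")  # 'int tu 100' and 'interface Tunnel100' merge
                cfg["tunnels"].setdefault(ctx[1], {"profile": None, "source": None, "maps": {}})
        elif ctx:  # indented sub-command of a profile or tunnel block
            obj, w = cfg[ctx[0]][ctx[1]], line.split()
            if ctx[0] == "profiles" and line.startswith("set transform-set"):
                obj["tset"] = w[2]
            elif line.startswith("tunnel protection ipsec profile"):
                obj["profile"] = w[4]
            elif line.startswith("tunnel source"):
                obj["source"] = w[2]
            elif m := re.match(r"ip nhrp map (?!multicast)(\S+) (\S+)", line):
                obj["maps"][m[1]] = m[2]  # NHS tunnel address -> its NBMA (public) address
    return cfg

def effective_tset(cfg, tun):  # transforms a tunnel really gets, or None when its profile chain is broken
    prof = cfg["profiles"].get(tun["profile"])
    ts = cfg["tsets"].get(prof["tset"]) if prof and prof["tset"] else None
    return tuple(sorted(ts)) if ts else None

def check_device(name, cfg):
    f = []  # per-device findings: AH transforms, tunnels whose protection does not resolve
    for tname, ts in cfg["tsets"].items():
        if any(t.startswith("ah-") for t in ts):
            f.append(f"{name}: transform-set {tname} uses AH")
    for ifname, tun in cfg["tunnels"].items():
        if tun["profile"] not in cfg["profiles"]:
            f.append(f"{name}: {ifname} references undefined ipsec profile {tun['profile']}")
        elif effective_tset(cfg, tun) is None:
            f.append(f"{name}: ipsec profile {tun['profile']} on {ifname} resolves to no transform-set")
    return f

def check_peers(devices):
    f = []  # spoke-to-hub findings: keys held on both sides, and transform sets that agree
    by_source = {t["source"]: (n, t) for n, c in devices.items() for t in c["tunnels"].values()}
    for name, cfg in devices.items():
        for tun in cfg["tunnels"].values():
            for nbma in tun["maps"].values():
                peer, ptun = by_source[nbma]  # KeyError if the NHS is not among the parsed devices
                k_local = cfg["keys"].get(nbma) or cfg["keys"].get("0.0.0.0")
                k_peer = devices[peer]["keys"].get(tun["source"]) or devices[peer]["keys"].get("0.0.0.0")
                if k_local is None or k_peer is None:
                    f.append(f"{name}<->{peer}: one side has no isakmp key for the other")
                elif k_local != k_peer:
                    f.append(f"{name}<->{peer}: pre-shared keys differ")
                a, b = effective_tset(cfg, tun), effective_tset(devices[peer], ptun)
                if a and b and a != b:
                    f.append(f"{name}<->{peer}: transform sets differ: {a} vs {b}")
    return f

def audit(texts):  # per-device findings first, then pairwise ones
    devs = {n: parse_ios(t) for n, t in texts.items()}
    return [x for n, c in devs.items() for x in check_device(n, c)] + check_peers(devs)

HUB = """\
crypto isakmp key DmvPn!23 address 89.211.116.16
crypto isakmp key DmvPn!23 address 89.211.117.17
crypto ipsec transform-set TRANS_SET esp-aes esp-sha-hmac
crypto ipsec profile CRY_PROFILE
 set transform-set TRANS_SET
int tu 100
 tunnel source 202.4.180.0
 tunnel protection ipsec profile CRY_PROFILE
"""
SPOKE = """\
crypto isakmp key {key} address 202.4.180.0
crypto ipsec transform-set TRANS_SET {transforms}
crypto ipsec profile CRY_PROFILE
 set transform-set TRANS_SET
interface Tunnel100
 ip nhrp map 172.100.123.18 202.4.180.0
 tunnel source {source}
 tunnel protection ipsec profile {profile}
"""
# Constructed samples modelled on the thread's R18/R16/R17, trimmed to the lines the checker reads:
# R16 keeps the posted CRY_PROFIL reference; R17 gets the AH transform the thread mentions plus a constructed key typo.
CONFIGS = {
    "R18": HUB,
    "R16": SPOKE.format(key="DmvPn!23", transforms="esp-aes esp-sha-hmac", source="89.211.116.16", profile="CRY_PROFIL"),
    "R17": SPOKE.format(key="DmvPn!32", transforms="ah-sha-hmac esp-aes", source="89.211.117.17", profile="CRY_PROFILE"),
}
```

Running `audit(CONFIGS)` lists the undefined `CRY_PROFIL` on R16, the AH transform on R17, and the key and transform-set disagreements between R17 and the hub; feeding it the full running configs of every device in the DMVPN (`show running-config`) works the same way, since unmodelled blocks such as `crypto isakmp policy` are skipped. The checker deliberately does not judge the ISAKMP policy, but two things in the posted one deserve a look: `group 5` is 1536-bit MODP, below the 2048-bit group 14 that is the usual minimum today, and one pre-shared key shared by every peer means a single compromised spoke can impersonate the hub to the others, which is why IKEv2 with per-peer keys or certificates is the common upgrade path for DMVPN.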