01-02-2015 05:38 AM - edited 02-21-2020 08:00 PM
Hi
I set up IPsec on the DMVPN hub and spokes as follows, but I get the error on all DMVPN endpoints.
I am using CSR1000v on a rack rentals site.
R18(config-if)#
*Jan 2 02:18:24.458: %ACE-3-TRANSERR: IOSXE-ESP(11): IKEA trans 0x63; opcode 0x60; param 0x2F; error 0x5; retry cnt 0
*Jan 2 02:18:24.459: %ACE-3-TRANSERR: IOSXE-ESP(11): IKEA trans 0x65; opcode 0x60; param 0x30; error 0x5; retry cnt 0
R18(config-if)#
EIGRP does not come up. But removing the IPsec profile from the Tunnel 100 interfaces brings EIGRP up and DMVPN works fine.
Any suggestions?
The configs are:
R18
---
crypto isakmp policy 18
encr aes 192
hash sha256
authentication pre-share
group 5
crypto isakmp key DmvPn!23 address 89.211.116.16
crypto isakmp key DmvPn!23 address 89.211.117.17
crypto ipsec transform-set TRANS_SET esp-aes esp-sha-hmac
mode transport
!
crypto ipsec profile CRY_PROFILE
set transform-set TRANS_SET
int tu 100
tunnel protection ipsec profile CRY_PROFILE
!
R16
---
crypto isakmp policy 16
encr aes 192
hash sha256
authentication pre-share
group 5
!
crypto isakmp key DmvPn!23 address 202.4.180.0
!
crypto ipsec transform-set TRANS_SET esp-aes esp-sha-hmac
mode transport
!
crypto ipsec profile CRY_PROFILE
set transform-set TRANS_SET
int tu 100
tunnel protection ipsec profile CRY_PROFILE
!
R17
--
crypto isakmp policy 17
encr aes 192
hash sha256
authentication pre-share
group 5
!
crypto isakmp key DmvPn!23 address 202.4.180.0
!
crypto ipsec transform-set TRANS_SET esp-aes esp-sha-hmac
mode transport
!
crypto ipsec profile CRY_PROFIL
!
crypto ipsec profile CRY_PROFILE
set transform-set TRANS_SET
int tu 100
tunnel protection ipsec profile CRY_PROFILE
!
R18
---
interface Tunnel100
ip address 172.100.123.18 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication NHRPKEY
ip nhrp map multicast dynamic
ip nhrp network-id 123
ip nhrp holdtime 300
ip tcp adjust-mss 1360
tunnel source 202.4.180.0
tunnel mode gre multipoint
tunnel key 123
tunnel protection ipsec profile CRY_PROFILE
R16
--
interface Tunnel100
ip address 172.100.123.16 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication NHRPKEY
ip nhrp map 172.100.123.18 202.4.180.0
ip nhrp map multicast 202.4.180.0
ip nhrp nhs 172.100.123.18
ip nhrp network-id 123
ip nhrp holdtime 300
ip tcp adjust-mss 1360
tunnel source 89.211.116.16
tunnel mode gre multipoint
tunnel key 123
tunnel protection ipsec profile CRY_PROFIL
!
R17
--
interface Tunnel100
ip address 172.100.123.17 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication NHRPKEY
ip nhrp map 172.100.123.18 202.4.180.0
ip nhrp map multicast 202.4.180.0
ip nhrp nhs 172.100.123.18
ip nhrp network-id 123
ip nhrp holdtime 300
ip tcp adjust-mss 1360
tunnel source 89.211.117.17
tunnel mode gre multipoint
tunnel key 123
tunnel protection ipsec profile CRY_PROFIL
01-06-2015 12:03 PM
You'll have to configure EIGRP to use unicast to its neighbors.
01-24-2015 08:46 AM
Hi,
Try to use MTU 1420 on your tunnel interface.
HTH
02-05-2015 07:05 AM
Thanks guys for your input. I had it solved. The issue with the CSR 1000v platform is that it somehow does not like AH-SHA-HMAC, so I changed to using ESP-SHA-HMAC instead.
Thanks & Regards,
Saleh
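An offline check, added here as an example and not part of any post in this thread, that scans one router's configuration text for a `tunnel protection` line naming an IPsec profile that is not defined and for a transform set containing an AH transform, the transform the last post reports replacing. The function name `lint_ios_crypto` and the sample configuration are constructed for illustration.

```python
import re

def lint_ios_crypto(config):
    """Return a list of findings for one router's IOS configuration text."""
    transform_sets, profiles, protections = {}, {}, []
    profile = intf = None  # configuration sub-mode we are currently inside
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            transform_sets[m.group(1)] = m.group(2).split()
            profile = intf = None
        elif m := re.match(r"crypto ipsec profile (\S+)", line):
            profile, intf = m.group(1), None
            profiles.setdefault(profile, [])
        elif m := re.match(r"int\S* (.+)", line):
            intf, profile = m.group(1), None
        elif profile and (m := re.match(r"set transform-set (.+)", line)):
            profiles[profile] += m.group(1).split()
        elif intf and (m := re.match(r"tunnel protection ipsec profile (\S+)", line)):
            protections.append((intf, m.group(1)))
    findings = []
    for intf, name in protections:
        if name not in profiles:
            findings.append(f"{intf}: IPsec profile {name} is not defined")
            continue
        for ts in profiles[name]:
            if ts not in transform_sets:
                findings.append(f"{name}: transform-set {ts} is not defined")
            elif any(t.startswith("ah-") for t in transform_sets[ts]):
                findings.append(f"{ts}: contains an AH transform")
    return findings

# Constructed sample configuration (not copied from the thread).
SAMPLE = """\
crypto ipsec transform-set TRANS_SET ah-sha-hmac esp-aes
 mode transport
crypto ipsec profile CRY_PROFILE
 set transform-set TRANS_SET
interface Tunnel100
 tunnel protection ipsec profile CRY_PROFIL
interface Tunnel200
 tunnel protection ipsec profile CRY_PROFILE
"""

if __name__ == "__main__":
    for finding in lint_ios_crypto(SAMPLE):
        print(finding)
```

Run it against the saved configuration of each hub and spoke separately, since profile and transform-set names are local to each router.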