09-03-2012 04:27 AM
Hi,
I am currently trying to setup DVTI VPN in GNS3. I am using loopback interfaces for the LAN interface. I can get the tunnel and virtual access interfaces to come up and can ping from the outside address but not from the LAN address on the spoke router. If I try and issue a ping from the hub router to the spoke's internal address, then I get U.U.U.U - as there is no route it can't reach the remote network.
I have done this following the guidance of Michael Shannon (CBT) and have found limited documentation on Cisco for the setup I am trying to accomplish.
Hub (R1) and Spoke (R2) config attached.
09-03-2012 11:29 AM
Hello Ashley,
The whole point of the dynamic VTI is for connections innitiated only on the spoke side side just like a dynamic to static crypto map VPN.
So the connection from the spoke to the hub should be up.
Can you share the:
On spoke:
show crypto isakmp sa
show crypto ipsec sa
sh interface tunnel #
Regards,
Julio
09-03-2012 11:33 AM
See below:
R4#sho cry isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
1.1.1.1 4.4.4.1 QM_IDLE 1001 0 ACTIVE
IPv6 Crypto ISAKMP SA
R4#sho cry ips sa
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 4.4.4.1
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 1.1.1.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 19, #pkts encrypt: 19, #pkts digest: 19
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 4.4.4.1, remote crypto endpt.: 1.1.1.1
path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0
current outbound spi: 0xAFA1518A(2946584970)
inbound esp sas:
spi: 0xB59A027A(3046769274)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: 1, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4556522/3239)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xAFA1518A(2946584970)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: 2, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4556518/3239)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
R4#
R4#sho int tun0
Tunnel0 is up, line protocol is up
Hardware is Tunnel
Interface is unnumbered. Using address of Serial0/0 (4.4.4.1)
MTU 1514 bytes, BW 9 Kbit/sec, DLY 500000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 4.4.4.1 (Serial0/0), destination 1.1.1.1
Tunnel protocol/transport IPSEC/IP
Tunnel TTL 255
Fast tunneling enabled
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Tunnel protection via IPSec (profile "PRO1")
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
R4#
09-03-2012 11:47 AM
Hello Ashley,
And from the spoke you are not able to ping the host on the 192.168.1.1 right?
Can you attempt to ping 192.168.1.1 from the Loopback0 on the spoke and provide us the output you get?
Regards,
09-03-2012 11:55 AM
I can ping 192.168.1.1 from the spokes, but only if it is sourced from the outside. If I source a ping from the loopback interface then the ping does not go through. Response just times out
09-04-2012 10:59 PM
Hello Ashley,
I have the same configuration on a GNS lab and it works perfect here is my config example for you:
Spoke:
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key cisco address 10.10.10.1
!
!
crypto ipsec transform-set cisco esp-aes esp-sha-hmac
!
crypto ipsec profile cisco
set transform-set cisco
interface Tunnel10
ip unnumbered FastEthernet0/0
tunnel source FastEthernet0/0
tunnel destination 10.10.10.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile cisco
!
interface FastEthernet0/0
ip address 10.10.10.2 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.12.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
ip route 0.0.0.0 0.0.0.0 10.10.10.1
ip route 192.168.10.0 255.255.255.0 Tunnel10
!
ip nat inside source list VPN interface FastEthernet0/0 overload
!
ip access-list extended VPN
permit ip 192.168.12.0 0.0.0.255 any
!
Now on the Hub:
crypto keyring cisco
pre-shared-key address 10.10.10.2 key cisco
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp profile teta
keyring cisco
match identity address 10.10.10.2 255.255.255.255
virtual-template 10
!
!
crypto ipsec transform-set cisco esp-aes esp-sha-hmac
!
crypto ipsec profile cisco
set transform-set cisco
!
!
!
!
interface FastEthernet0/0
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.10.10.1 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface Virtual-Template10 type tunnel
ip unnumbered FastEthernet0/1
tunnel source FastEthernet0/1
tunnel mode ipsec ipv4
tunnel protection ipsec profile cisco
ip route 0.0.0.0 0.0.0.0 10.10.10.2
ip nat inside source list VPN interface FastEthernet0/1 overload
!
ip access-list extended VPN
permit ip 192.168.10.0 0.0.0.255 any
!
From the spoke router:
#ping 192.168.10.1 source fastEthernet 0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.12.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/80/112 ms
sh crypto isakmp sa
dst src state conn-id slot status
10.10.10.1 10.10.10.2 QM_IDLE 1 0 ACTIVE
interface: Tunnel10
Crypto map tag: Tunnel10-head-0, local addr 10.10.10.2
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 10.10.10.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
Our five packets and I can see the decrypted on the other side.
Regards,
Julio
09-05-2012 12:50 AM
Hi,
Thanks for that. I will try again and see if there is anything that I missed. Will update you once I have tried
Sent from Cisco Technical Support iPhone App
09-05-2012 09:25 AM
Sure,
Please do,
Regards,
Julio
09-06-2012 06:13 AM
Still no good. I have done the same config. I noticed the only difference was that your outside interfaces are on the same subnet so I changed the IP address of the tunnel and virtual-template to the 192.168.10.0/24 subnet and still no joy.
I know that the virtual-access1 interface remains in the down/down state, but I noticed that the virtual-template interface was in a down/down state also. Is this normal behaviour?
09-06-2012 09:15 AM
Hello Ashley,
As soon as phase 1 and phase 2 go up you will see the virtual access on the up/up state so it is definetly no expected...
Can you share the topology and configuration one more time. I will copy and paste it to see the behavior on my lab.
Julio
Remember to rate all the helpful posts
09-06-2012 11:00 AM
See attached zip file
Sent from Cisco Technical Support iPhone App
09-06-2012 11:39 AM
Hello Ashley,
That is the same than before,
Correct?
Regards
09-06-2012 11:42 AM
Yeah, that's right
Sent from Cisco Technical Support iPhone App
09-06-2012 11:54 AM
Hello Ashley,
What is in between those 2 routers?
09-06-2012 11:59 AM
It's another router terminating all the serial connections. It's basically acting as an ISP router
Sent from Cisco Technical Support iPhone App
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: