EAZYVPN and DMVPN on the same router, same interface

Hi all,

First of all, thanks in advance for the help. I have set up DMVPN and EAZYVPN on one router. The tunnel interfaces on Spoke one and Spoke two are up/up, and show crypto isakmp sa shows both tunnels as idle. However, the tunnel to Spoke one (10.10.1.1) keeps bouncing on and off (see below). Every 30 seconds or so the tunnel goes back to the IKE phase, while the tunnel for Spoke two (5.5.5.1) stays active. The configuration on the HUB side is the same for both spokes!! show crypto ipsec security-association shows both sides have the same lifetime (IOS default). Could that be an IOS bug on Spoke one?

Hub:

Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 15.1(3)T2, RELEASE SOFTWARE (fc1)

HUB#sh crypto ipsec security-association
Security association lifetime: 4608000 kilobytes/3600 seconds

Spoke one:

Cisco IOS Software, C2600 Software (C2600-ADVSECURITYK9-M), Version 12.4(8), RELEASE SOFTWARE (fc1)

SPOKE1#sh crypto ipsec security-association
Security association lifetime: 4608000 kilobytes/3600 seconds

HUB#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
5.5.5.1         5.5.5.2         QM_IDLE           1002 ACTIVE
10.10.1.1       10.10.1.2       MM_NO_STATE       1134 ACTIVE (deleted)
10.10.1.1       1.1.1.10        QM_IDLE           1126 ACTIVE
10.10.1.1       1.1.1.10        QM_IDLE           1076 ACTIVE

HUB#sh crypto se
HUB#sh crypto session
Crypto session current status

Interface: Serial0/1/1
Username: testuser
Profile: AccountingPro
Group: Accounting
Assigned address: 20.20.20.1
Session status: UP-ACTIVE
Peer: 1.1.1.10 port 60201
  IKEv1 SA: local 10.10.1.1/500 remote 1.1.1.10/60201 Active
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 20.20.20.1
        Active SAs: 2, origin: dynamic crypto map

Interface: Serial0/1/1
Username: testuser
Profile: AccountingPro
Group: Accounting
Assigned address: 20.20.20.2
Session status: UP-ACTIVE
Peer: 1.1.1.10 port 49768
  IKEv1 SA: local 10.10.1.1/500 remote 1.1.1.10/49768 Active
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 20.20.20.2
        Active SAs: 2, origin: dynamic crypto map

Interface: FastEthernet0/1
Profile: DMVPN
Session status: UP-IDLE
Peer: 5.5.5.2 port 500
  IKEv1 SA: local 5.5.5.1/500 remote 5.5.5.2/500 Active

Interface: Serial0/1/1
Profile: DMVPN
Session status: DOWN-NEGOTIATING
Peer: 10.10.1.2 port 500
  IKEv1 SA: local 10.10.1.1/500 remote 10.10.1.2/500 Inactive

HUB#

2. My second issue is that I use the same interface (s0/1/1 = 10.10.1.1) for EAZYVPN access. The client from EAZYVPN connects fine, but does not receive traffic back (the statistics window shows decrypted=0 and received=0). EAZYVPN can't even ping the IP address assigned to the VPN client (20.20.20.2), and the client can only ping the 10.10.1.1 address. Reverse route is enabled, but the 20.20.20.0/24 network doesn't show up in the IP routing table of the HUB router!!!

DMVPN and EAZYVPN server config:

crypto keyring dmvpnkey
  pre-shared-key address 0.0.0.0 0.0.0.0 key DMVPNLAB
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp policy 30
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 40
 authentication pre-share
crypto isakmp keepalive 30
crypto isakmp xauth timeout 90
!
crypto isakmp client configuration group Accounting
 key eazypvn
 dns 4.2.2.2
 wins 4.2.2.2
 domain bigBois.com
 pool dmAccouting
crypto isakmp profile AccountingPro
   match identity group Accounting
   client authentication list access_in
   isakmp authorization list my_vpn
   client configuration address respond
crypto isakmp profile DMVPN
   keyring dmvpnkey
   match identity address 0.0.0.0
!
crypto ipsec transform-set DMVPN ah-sha-hmac esp-aes
 mode transport
crypto ipsec transform-set EAZYVPN esp-3des esp-md5-hmac
!
crypto ipsec profile dmvpnlab
 set transform-set DMVPN
 set isakmp-profile AccountingPro
!
crypto dynamic-map Remote_Acc 20
 set transform-set EAZYVPN
 set isakmp-profile AccountingPro
 reverse-route
!
crypto map RemoteAcc client authentication list access_in
!
crypto map Remote_Acc client authentication list my_vpn
crypto map Remote_Acc 20 ipsec-isakmp dynamic Remote_Acc
!
interface Loopback0
 ip address 192.168.200.1 255.255.255.0
!
interface Loopback2
 ip address 172.16.10.1 255.255.255.0
!
interface Loopback3
 ip address 172.16.15.1 255.255.255.0
!
interface Tunnel1
 bandwidth 10000
 ip address 4.4.4.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 no ip next-hop-self eigrp 10
 ip nhrp authentication DMVPN
 ip nhrp map multicast dynamic
 ip nhrp network-id 7940
 ip nhrp registration timeout 10
 ip tcp adjust-mss 1360
 tunnel source Serial0/1/1
 tunnel mode gre multipoint
 tunnel key 7940
 tunnel protection ipsec profile dmvpnlab
!
interface FastEthernet0/0
 description OUTSIDE
 ip address 1.1.1.1 255.255.255.0
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description INSIDE
 ip address 5.5.5.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Serial0/1/0
 no ip address
 shutdown
 clock rate 2000000
!
interface Serial0/1/1
 description to SPOKE1
 ip address 10.10.1.1 255.255.255.0
 crypto map Remote_Acc
!
interface Serial0/3/0
 no ip address
 shutdown
!
router eigrp 10
 network 4.4.4.0 0.0.0.255
 network 5.5.5.0 0.0.0.255
 network 10.0.0.0
 network 10.10.10.0 0.0.0.3
 network 172.16.0.0 0.0.0.255
 network 172.16.1.0 0.0.0.255
 network 172.16.10.0 0.0.0.255
 network 172.16.15.0 0.0.0.255
 network 192.168.200.0
!
ip local pool dmAccouting 20.20.20.1 20.20.20.10
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!

Thanks a bunch for the help,

Ernest
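Editor's note, added to the thread (not part of the original post or a Cisco tool): both questions above hinge on how the pieces of the posted hub config reference each other, and that is something a script can check mechanically before anyone turns on debugs. The Python below parses IOS running-config text into top-level commands and their indented sub-commands, then follows the references that matter here: which ISAKMP profile a protected tunnel ends up using, whether every `crypto map NAME client ... list` line names a map that exists, and whether `reverse-route` static routes are redistributed by the routing process. The `HUB_CONFIG` string is a constructed excerpt of the config posted above with indentation restored, and the finding codes are this script's own names.

```python
"""Cross-reference checks for the IOS DMVPN + Easy VPN hub config posted above.
Added example, not from the original post; the finding codes are this script's own."""
import re

# Constructed excerpt of the hub config posted above, with indentation restored.
HUB_CONFIG = """\
crypto isakmp profile AccountingPro
   match identity group Accounting
   client authentication list access_in
crypto isakmp profile DMVPN
   keyring dmvpnkey
   match identity address 0.0.0.0
crypto ipsec profile dmvpnlab
 set isakmp-profile AccountingPro
crypto dynamic-map Remote_Acc 20
 set isakmp-profile AccountingPro
 reverse-route
crypto map RemoteAcc client authentication list access_in
crypto map Remote_Acc 20 ipsec-isakmp dynamic Remote_Acc
interface Tunnel1
 tunnel protection ipsec profile dmvpnlab
router eigrp 10
 network 4.4.4.0 0.0.0.255
"""

def parse_blocks(text):
    """Map each top-level IOS command to the list of its indented sub-commands."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if raw[0] in " \t" and current is not None:
            blocks[current].append(line)
        elif raw[0] not in " \t":
            current = line
            blocks.setdefault(current, [])
    return blocks

def sub_arg(blocks, header, prefix):
    """Argument of the first sub-command under `header` that begins with `prefix`."""
    for line in blocks.get(header, []):
        if line.startswith(prefix + " "):
            return line[len(prefix) + 1:]
    return None

def check_tunnel_protection(blocks):
    """Follow interface -> IPsec profile -> ISAKMP profile for every protected tunnel.
    A DMVPN peer is matched by address and needs a keyring; a group match is Easy VPN."""
    out = []
    for header in blocks:
        if not header.startswith("interface "):
            continue
        ipsec = sub_arg(blocks, header, "tunnel protection ipsec profile")
        if ipsec is None:
            continue
        isakmp = sub_arg(blocks, f"crypto ipsec profile {ipsec}", "set isakmp-profile")
        if isakmp is None:
            continue  # no explicit profile: IOS falls back to the global ISAKMP settings
        chain = f"{header.split()[1]} -> {ipsec} -> {isakmp}"
        prof = f"crypto isakmp profile {isakmp}"
        if prof not in blocks:
            out.append(("ISAKMP_PROFILE_UNDEFINED", chain))
            continue
        match = sub_arg(blocks, prof, "match identity") or ""
        if not match.startswith("address"):
            out.append(("TUNNEL_PROFILE_NOT_ADDRESS_MATCH", f"{chain}: match identity {match}"))
        if sub_arg(blocks, prof, "keyring") is None:
            out.append(("TUNNEL_PROFILE_NO_KEYRING", chain))
    return out

def check_crypto_maps(blocks):
    """`crypto map NAME client ... list` must name a map that has at least one entry."""
    defined = {h.split()[2] for h in blocks if re.match(r"crypto map \S+ \d+ ipsec-isakmp", h)}
    refs = [h for h in blocks if re.match(r"crypto map \S+ client \w+ list", h)]
    return [("CRYPTO_MAP_UNDEFINED", h) for h in refs if h.split()[2] not in defined]

def check_rri_redistribution(blocks):
    """reverse-route installs static host routes for connected clients; other
    routers only learn them if the routing process redistributes static routes."""
    rri = any(l.startswith("reverse-route") for h, subs in blocks.items()
              if h.startswith("crypto dynamic-map ") for l in subs)
    if not rri:
        return []
    return [("RRI_NOT_REDISTRIBUTED", h) for h, subs in blocks.items()
            if h.startswith("router ") and not any(l.startswith("redistribute static") for l in subs)]

def audit(text):
    """Run every check over one running-config and return (code, detail) findings."""
    blocks = parse_blocks(text)
    out = []
    for check in (check_tunnel_protection, check_crypto_maps, check_rri_redistribution):
        out.extend(check(blocks))
    return out

if __name__ == "__main__":
    for code, detail in audit(HUB_CONFIG):
        print(f"{code}: {detail}")
```

Run against the excerpt, the script reports four things that are visible in the posted config: Tunnel1's `tunnel protection ipsec profile dmvpnlab` resolves to ISAKMP profile AccountingPro, which matches on `identity group Accounting` and has no keyring (the profile that does hold `keyring dmvpnkey` and `match identity address 0.0.0.0`, DMVPN, is not referenced by any `set isakmp-profile`); `crypto map RemoteAcc client authentication list access_in` names a crypto map that is never defined, while the map actually applied to Serial0/1/1 is Remote_Acc; and `reverse-route` on the dynamic map produces static routes that `router eigrp 10` does not redistribute. Whether the first of these is what drives the 10.10.1.2 peer through MM_NO_STATE every 30 seconds is something `debug crypto isakmp` on the hub would confirm; the script only shows where the references disagree, it does not prove the root cause. Feed it `show running-config` output saved to a file to reuse it on another router.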

1 Reply

Any ideas why devices keep renewing phase 1?

Thanks,