01-21-2012 02:02 PM - edited 02-21-2020 05:49 PM
Hi all,
First of all, thanks in advance for the help. I have set up DMVPN and EAZYVPN on one router. The tunnel interfaces on Spoke one and Spoke two are up/up, and show crypto isakmp sa shows both tunnels in idle. However, the tunnel to Spoke one (10.10.1.1) keeps bouncing on and off (see below). Every 30 sec or so, the tunnel goes back to the IKE phase, while the tunnel for Spoke two (5.5.5.1) stays active. The configuration on the HUB side is the same for both spokes!! show crypto ipsec sa shows both sides have the same lifetime (IOS default). Could that be an IOS bug on Spoke one?
Hub :
Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 15.1(3)T2, RELEASE SOFTWARE (fc1)
HUB#sh crypto ipsec security-association
Security association lifetime: 4608000 kilobytes/3600 seconds
Spoke one:
Cisco IOS Software, C2600 Software (C2600-ADVSECURITYK9-M), Version 12.4(8), RELEASE SOFTWARE (fc1)
SPOKE1#sh crypto ipsec security-association
Security association lifetime: 4608000 kilobytes/3600 seconds
HUB#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
5.5.5.1         5.5.5.2         QM_IDLE           1002 ACTIVE
10.10.1.1       10.10.1.2       MM_NO_STATE       1134 ACTIVE (deleted)
10.10.1.1       1.1.1.10        QM_IDLE           1126 ACTIVE
10.10.1.1       1.1.1.10        QM_IDLE           1076 ACTIVE
HUB#sh crypto se
HUB#sh crypto session
Crypto session current status
Interface: Serial0/1/1
Username: testuser
Profile: AccountingPro
Group: Accounting
Assigned address: 20.20.20.1
Session status: UP-ACTIVE
Peer: 1.1.1.10 port 60201
IKEv1 SA: local 10.10.1.1/500 remote 1.1.1.10/60201 Active
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 20.20.20.1
Active SAs: 2, origin: dynamic crypto map
Interface: Serial0/1/1
Username: testuser
Profile: AccountingPro
Group: Accounting
Assigned address: 20.20.20.2
Session status: UP-ACTIVE
Peer: 1.1.1.10 port 49768
IKEv1 SA: local 10.10.1.1/500 remote 1.1.1.10/49768 Active
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 20.20.20.2
Active SAs: 2, origin: dynamic crypto map
Interface: FastEthernet0/1
Profile: DMVPN
Session status: UP-IDLE
Peer: 5.5.5.2 port 500
IKEv1 SA: local 5.5.5.1/500 remote 5.5.5.2/500 Active
Interface: Serial0/1/1
Profile: DMVPN
Session status: DOWN-NEGOTIATING
Peer: 10.10.1.2 port 500
IKEv1 SA: local 10.10.1.1/500 remote 10.10.1.2/500 Inactive
HUB#
2. My second issue is that I use the same interface (s0/1/1 = 10.10.1.1) for EAZYVPN access. The client from EAZYVPN connects fine, but does not receive traffic back (the statistics window shows decrypted=0 and received=0). The EAZYVPN can't even ping the IP address assigned to the VPN client (20.20.20.2), and the client can only ping the 10.10.1.1 address. Reverse-route is enabled, but the 20.20.20.0/24 network didn't show up in the IP routing table of the HUB router!!!
DMVPN and EAZYVPN server config:
crypto keyring dmvpnkey
pre-shared-key address 0.0.0.0 0.0.0.0 key DMVPNLAB
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
!
crypto isakmp policy 20
encr aes
authentication pre-share
group 2
!
crypto isakmp policy 30
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 40
authentication pre-share
crypto isakmp keepalive 30
crypto isakmp xauth timeout 90
!
crypto isakmp client configuration group Accounting
key eazypvn
dns 4.2.2.2
wins 4.2.2.2
domain bigBois.com
pool dmAccouting
crypto isakmp profile AccountingPro
match identity group Accounting
client authentication list access_in
isakmp authorization list my_vpn
client configuration address respond
crypto isakmp profile DMVPN
keyring dmvpnkey
match identity address 0.0.0.0
!
!
crypto ipsec transform-set DMVPN ah-sha-hmac esp-aes
mode transport
crypto ipsec transform-set EAZYVPN esp-3des esp-md5-hmac
!
crypto ipsec profile dmvpnlab
set transform-set DMVPN
set isakmp-profile AccountingPro
!
!
crypto dynamic-map Remote_Acc 20
set transform-set EAZYVPN
set isakmp-profile AccountingPro
reverse-route
!
!
crypto map RemoteAcc client authentication list access_in
!
crypto map Remote_Acc client authentication list my_vpn
crypto map Remote_Acc 20 ipsec-isakmp dynamic Remote_Acc
!
!
!
!
!
!
interface Loopback0
ip address 192.168.200.1 255.255.255.0
!
interface Loopback2
ip address 172.16.10.1 255.255.255.0
!
interface Loopback3
ip address 172.16.15.1 255.255.255.0
!
interface Tunnel1
bandwidth 10000
ip address 4.4.4.1 255.255.255.0
no ip redirects
ip mtu 1400
no ip next-hop-self eigrp 10
ip nhrp authentication DMVPN
ip nhrp map multicast dynamic
ip nhrp network-id 7940
ip nhrp registration timeout 10
ip tcp adjust-mss 1360
tunnel source Serial0/1/1
tunnel mode gre multipoint
tunnel key 7940
tunnel protection ipsec profile dmvpnlab
!
interface FastEthernet0/0
description OUTSIDE
ip address 1.1.1.1 255.255.255.0
ip virtual-reassembly in
duplex auto
speed auto
!
interface FastEthernet0/1
description INSIDE
ip address 5.5.5.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface Serial0/1/0
no ip address
shutdown
clock rate 2000000
!
interface Serial0/1/1
description to SPOKE1
ip address 10.10.1.1 255.255.255.0
crypto map Remote_Acc
!
interface Serial0/3/0
no ip address
shutdown
!
router eigrp 10
network 4.4.4.0 0.0.0.255
network 5.5.5.0 0.0.0.255
network 10.0.0.0
network 10.10.10.0 0.0.0.3
network 172.16.0.0 0.0.0.255
network 172.16.1.0 0.0.0.255
network 172.16.10.0 0.0.0.255
network 172.16.15.0 0.0.0.255
network 192.168.200.0
!
ip local pool dmAccouting 20.20.20.1 20.20.20.10
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
Thanks a bunch for the help,
Ernest
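An added example, not part of the original post, that turns the hub outputs above into a per-peer check. It parses `show crypto isakmp sa` and `show crypto session`, joins them on the peer address, classifies each peer (Phase 1 renegotiating, IKE up with no IPsec SA behind it, or up), and then follows the posted config from `interface Tunnel1` through `tunnel protection ipsec profile dmvpnlab` to `set isakmp-profile` to report which ISAKMP profile the tunnel's IPsec profile is bound to. The sample text is excerpted from the post (whitespace normalised, one of the two EzVPN sessions dropped); the parsing assumes the IOS 15.x field layout shown there, the function names are mine, and the script needs Python 3.8 or later. One thing it surfaces from the page's own data: the `10.10.1.2` session landed in `Profile: DMVPN`, while `crypto ipsec profile dmvpnlab` on the tunnel references `AccountingPro`. IOS expects the IKE SA behind a protected tunnel to belong to the ISAKMP profile that the tunnel's IPsec profile names, so a mismatch there is worth checking first when Phase 1 keeps restarting.

```python
import re
# Samples excerpted from the hub outputs and config in the post (whitespace normalised, one EzVPN session dropped).
ISAKMP_SA_OUTPUT = """\
dst             src             state          conn-id status
5.5.5.1         5.5.5.2         QM_IDLE           1002 ACTIVE
10.10.1.1       10.10.1.2       MM_NO_STATE       1134 ACTIVE (deleted)
10.10.1.1       1.1.1.10        QM_IDLE           1126 ACTIVE
"""
CRYPTO_SESSION_OUTPUT = """\
Interface: Serial0/1/1
Profile: AccountingPro
Session status: UP-ACTIVE
Peer: 1.1.1.10 port 60201
  IKEv1 SA: local 10.10.1.1/500 remote 1.1.1.10/60201 Active
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 20.20.20.1
Interface: FastEthernet0/1
Profile: DMVPN
Session status: UP-IDLE
Peer: 5.5.5.2 port 500
  IKEv1 SA: local 5.5.5.1/500 remote 5.5.5.2/500 Active
Interface: Serial0/1/1
Profile: DMVPN
Session status: DOWN-NEGOTIATING
Peer: 10.10.1.2 port 500
  IKEv1 SA: local 10.10.1.1/500 remote 10.10.1.2/500 Inactive
"""
HUB_CONFIG_EXCERPT = """\
crypto ipsec profile dmvpnlab
 set isakmp-profile AccountingPro
!
interface Tunnel1
 tunnel source Serial0/1/1
 tunnel protection ipsec profile dmvpnlab
"""

ISAKMP_RE = re.compile(r"^(?P<dst>\S+)\s+(?P<src>\S+)\s+(?P<state>[A-Z_]+)\s+(?P<conn>\d+)\s+"
                       r"(?P<status>ACTIVE|INACTIVE)(?P<deleted>\s+\(deleted\))?", re.M)

def parse_isakmp_sa(text):
    """{remote address: [{'state', 'conn_id', 'deleted'}]}; on the hub the src column is the remote."""
    sas = {}
    for m in ISAKMP_RE.finditer(text):
        sas.setdefault(m["src"], []).append(
            {"state": m["state"], "conn_id": int(m["conn"]), "deleted": m["deleted"] is not None})
    return sas

def parse_crypto_session(text):
    """One dict per 'Interface:' block: every 'key: value' line, plus a count of IPSEC FLOW lines."""
    sessions = []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("Interface:"):
            sessions.append({"flows": 0})
        if sessions and line.startswith("IPSEC FLOW:"):
            sessions[-1]["flows"] += 1
        elif sessions and ":" in line:
            k, v = line.split(":", 1)
            sessions[-1][k.strip().lower().replace(" ", "_")] = v.strip()
    return sessions

def tunnel_bindings(config):
    """{Tunnel: {'source', 'ipsec_profile', 'isakmp_profile'}} via tunnel protection -> ipsec profile -> isakmp-profile."""
    isakmp_of, out = {}, {}
    for block in re.split(r"^!\s*$", config, flags=re.M):
        if m := re.search(r"^crypto ipsec profile (\S+)", block, re.M):
            p = re.search(r"^\s*set isakmp-profile (\S+)", block, re.M)
            isakmp_of[m[1]] = p[1] if p else None
        elif m := re.search(r"^interface (Tunnel\d+)", block, re.M):
            src = re.search(r"^\s*tunnel source (\S+)", block, re.M)
            prof = re.search(r"^\s*tunnel protection ipsec profile (\S+)", block, re.M)
            out[m[1]] = {"source": src and src[1], "ipsec_profile": prof and prof[1]}
    for t in out.values():
        t["isakmp_profile"] = isakmp_of.get(t["ipsec_profile"])
    return out

def classify(statuses, ike_states, flows):
    if "DOWN-NEGOTIATING" in statuses or any(s.startswith("MM_NO_STATE") for s in ike_states):
        return "phase1-renegotiating"  # main mode not completing, or its SA already torn down
    if flows == 0:
        return "ike-up-no-ipsec"       # IOS UP-IDLE: IKE SA present, no IPsec SA behind it
    return "up"

def assess(isakmp_text, session_text, config):
    """Per-peer join of both show outputs, plus whether the peer's ISAKMP profile is the one its tunnel's IPsec profile names."""
    sas, tunnels, report = parse_isakmp_sa(isakmp_text), tunnel_bindings(config), {}
    for s in parse_crypto_session(session_text):
        e = report.setdefault(s["peer"].split()[0], {"profile": s.get("profile"),
                              "interface": s["interface"], "statuses": set(), "flows": 0})
        e["statuses"].add(s.get("session_status"))
        e["flows"] += s["flows"]
    for peer, e in report.items():
        e["ike_states"] = [x["state"] + (" (deleted)" if x["deleted"] else "") for x in sas.get(peer, [])]
        e["verdict"] = classify(e["statuses"], e["ike_states"], e["flows"])
        bound = [t["isakmp_profile"] for n, t in tunnels.items() if e["interface"] in (n, t["source"])]
        e["tunnel_isakmp_profile"] = bound[0] if bound else None
        e["profile_mismatch"] = bool(bound) and e["profile"] != bound[0]
    return report

if __name__ == "__main__":
    print(assess(ISAKMP_SA_OUTPUT, CRYPTO_SESSION_OUTPUT, HUB_CONFIG_EXCERPT))
```

Run against the post's data it reports `10.10.1.2` as `phase1-renegotiating` with an ISAKMP-profile mismatch (session in `DMVPN`, tunnel bound to `AccountingPro`), `5.5.5.2` as `ike-up-no-ipsec` with no tunnel binding on `FastEthernet0/1`, and the EzVPN client `1.1.1.10` as `up`. Feeding it the live output of the two show commands and `show running-config` gives the same three answers for a real hub.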
01-23-2012 10:50 AM
Any ideas why devices keep renewing phase 1?
Thanks,