A few weeks ago I managed to get the DMVPN tunnel to work with dialer interfaces over an ISND 30 link. But after messing around with an EIGRP distribution list and the router config I can't get the routers to form an EIGRP relationship over the tunnel interface and I have no idea why.
When I take the passive interface off the dialer interfaces the two routers can form a relationship via the dialer interface, but when I make both dialer interfaces passive on both routers the EIGRP connection drops and doesn't form over the tunnel. I need the EIGRP to go over the tunnel so data will be encrypted with the encryption profile.
I ran the debug EIGRP packets command on the spoke to see what happening and it keeps giving the same messages, I've attached the log. These debug messages are the same on the hub side except there is no (NULL) text in the line.
Any help will be greatly appreciated as I have no idea what to do.
Is the DMVPN tunnel even up? Provide the output of "show dmvpn" and "show crypto ipsec sa"
Why is the tunnel source as 10.1.1.1 on the hub and not dialer7?
Also don't advertise the underlayer network 126.96.36.199 in eigrp
I've managed to get the DMVPN to work, I don't really know how but I just wiped the config from the spoke router and applied it again. The spoke router is learning all its routes via the tunnel now. I've attached both configs.
The hub router still has the network 188.8.131.52 command and will have to since this DMVPN config will need to be put onto another router that will have spoke routers not using DMVPN and requires the network 184.108.40.206 command so it can send EIGRP messages out of the dialer interfaces. Will this cause any trouble for the DMVPN routers ? I've included the spoke's routing table in the text file and that shows there's no recursive routing error since its not learning about any of the 220.127.116.11 addresses via the tunnel.
Another question I have is about the encryption and authentication methods, currently it has 3DES and MD5 hash and from my understanding these are very weak. Would upgrading to AES 256 and SHA 256 be sufficient enough?
In your lab topology the 18.104.22.168. network is directly connected to the hub and spoke router right? So therefore the eigrp route for that network is irrelevant. In a real life topology you wouldn't advertise this network, you rely on the default route or a static route to communicate with the hub and spoke router's external/outside interface in order to establish the VPN tunnel.
Yes, 3DES/MD5 is weak. AES256/SHA256 is acceptable, however if you require the latest Next Gen algorithms you would need to use IKEv2.