12-03-2015 08:15 PM
Hello,
I am configuring DMVPN with GRE over IPsec. IPsec is coming up, but at the remote end my tunnel is not coming up.
Please suggest.
Hub_End#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
138.16.176.17 100.40.105.22 QM_IDLE 1072 ACTIVE
Spoke#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
138.16.176.17 100.40.105.22 QM_IDLE 27540 ACTIVE cust1-ik
Spoke End Config of Tunnel
interface Tunnel20
ip vrf forwarding cisadmin
ip address 10.1.24.14 255.255.255.252
ip mtu 1400
ip nhrp authentication NHRP1
ip nhrp map multicast 138.16.176.17
ip nhrp map 10.1.24.13 138.16.176.17
ip nhrp network-id 20
ip nhrp holdtime 450
ip nhrp nhs 10.1.24.13
ip tcp adjust-mss 1360
ip ospf message-digest-key 1 md5 7 144604271E312C1D37
ip ospf network broadcast
ip ospf cost 10
tunnel source GigabitEthernet0/0/1
tunnel destination 138.16.176.17
tunnel key 20
tunnel vrf internet-vrf
tunnel protection ipsec profile cust1-ipsec-prof shared
Hub End Config
interface Tunnel20
ip vrf forwarding cisadmin
ip address 10.1.24.13 255.255.255.252
no ip redirects
ip mtu 1400
ip nhrp authentication NHRP1
ip nhrp map multicast dynamic
ip nhrp network-id 20
ip nhrp holdtime 30
ip tcp adjust-mss 1360
ip ospf message-digest-key 1 md5 7 144604271E312C1D37
ip ospf network broadcast
ip ospf cost 10
tunnel source GigabitEthernet0/0/2
tunnel mode gre multipoint
tunnel key 20
tunnel vrf internet-vrf
tunnel protection ipsec profile cust1-ipsec-prof shared
12-04-2015 12:15 PM
Tunnel interface config looks ok on a quick check. When you say the tunnel is not coming up, do you mean that the line protocol is down or that you are not able to ping between the tunnel interfaces? A few things you can check:
1) Check the NHRP mapping on the hub (show ip nhrp 10.1.24.14). This should show the NBMA or public IP address of the spoke - 100.40.105.22
2) If 1 is successful, then try pinging the hub tunnel IP address from the spoke. You should see stats of packets encaps and decaps from both hub and spoke. You can use this to see where the packets are dropped.
This is a good starting step to see what's going wrong.
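The encaps/decaps comparison from step 2 above, as an added example that is not part of the original reply: it takes `show crypto ipsec sa` captures from spoke and hub before and after a ping and reports where the counters stop incrementing. The counter values and the helper names (`sa`, `locate_drop`) are constructed for illustration, and other traffic on the tunnel (for example OSPF hellos) also moves these counters.

```python
import re

# Matches the "#pkts encaps: N" / "#pkts decaps: N" counters in "show crypto ipsec sa".
COUNTERS = re.compile(r"#pkts (encaps|decaps): (\d+)")

def counters(output):
    """Sum encaps/decaps over every SA in one 'show crypto ipsec sa' capture."""
    totals = {"encaps": 0, "decaps": 0}
    for name, value in COUNTERS.findall(output):
        totals[name] += int(value)
    return totals

def delta(before, after):
    """Counter increase between two captures taken on the same router."""
    b, a = counters(before), counters(after)
    return {k: a[k] - b[k] for k in a}

def locate_drop(spoke_before, spoke_after, hub_before, hub_after):
    """Follow a spoke-to-hub ping through the four counters, in path order."""
    spoke = delta(spoke_before, spoke_after)
    hub = delta(hub_before, hub_after)
    if spoke["encaps"] == 0:
        return "spoke is not encrypting: traffic never enters the tunnel"
    if hub["decaps"] == 0:
        return "spoke encrypts but hub does not decrypt: lost between spoke and hub"
    if hub["encaps"] == 0:
        return "hub decrypts but sends nothing back: check NHRP mapping and routing on hub"
    if spoke["decaps"] == 0:
        return "hub replies but spoke does not decrypt: lost on the return path"
    return "counters increment in both directions: IPsec path is passing traffic"

def sa(encaps, decaps):
    """Constructed sample of the two counter lines of one SA (not real output)."""
    return (f"    #pkts encaps: {encaps}, #pkts encrypt: {encaps}, #pkts digest: {encaps}\n"
            f"    #pkts decaps: {decaps}, #pkts decrypt: {decaps}, #pkts verify: {decaps}\n")

if __name__ == "__main__":
    # Constructed case: 5 pings leave the spoke, the hub decrypts them, no reply is sent.
    print(locate_drop(sa(100, 40), sa(105, 40), sa(40, 100), sa(40, 105)))
```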
12-06-2015 12:31 AM
Now I am able to see that the tunnel is up, and it is pinging end to end.
I am configuring a second vrf with the same config but with the IP addresses changed.
In the output of <show dmvpn> I am seeing
both stuck in the IKE stage. Is there anything I need to change to bring them up? Below is the config of the tunnels.
Please note that when I shut Tunnel21, which is in vrf campus, the other comes up; both do not come up simultaneously. IPsec is up and packets are encrypted and decrypted.
Hub Side
interface Tunnel20
ip vrf forwarding cisadmin
ip address 10.1.24.13 255.255.255.252
no ip redirects
ip nhrp authentication DMVPN
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip nhrp redirect
ip ospf network broadcast
tunnel source GigabitEthernet0/0/2
tunnel mode gre multipoint
tunnel vrf internet-vrf
tunnel protection ipsec profile cust1-ipsec-prof shared
!
interface Tunnel21
ip vrf forwarding campus
ip address 10.1.19.13 255.255.255.252
no ip redirects
ip nhrp authentication DMVPN
ip nhrp map multicast dynamic
ip nhrp network-id 2
ip nhrp redirect
ip ospf network broadcast
shutdown
tunnel source GigabitEthernet0/0/2
tunnel mode gre multipoint
tunnel vrf internet-vrf
tunnel protection ipsec profile cust1-ipsec-prof shared
Spoke side
interface Tunnel20
ip vrf forwarding cisadmin
ip address 10.1.24.14 255.255.255.252
no ip redirects
ip nhrp authentication DMVPN
ip nhrp map 10.1.24.13 138.16.176.14
ip nhrp map multicast 138.16.176.14
ip nhrp network-id 1
ip nhrp nhs 10.1.24.13
ip nhrp shortcut
ip ospf network broadcast
ip ospf priority 0
tunnel source GigabitEthernet0/0/1
tunnel mode gre multipoint
tunnel vrf internet-vrf
tunnel protection ipsec profile cust1-ipsec-prof shared
!
interface Tunnel21
ip vrf forwarding campus
ip address 10.1.19.14 255.255.255.252
no ip redirects
ip nhrp authentication DMVPN
ip nhrp map 10.1.19.13 138.16.176.14
ip nhrp map multicast 138.16.176.14
ip nhrp network-id 2
ip nhrp nhs 10.1.19.13
ip nhrp shortcut
ip ospf network broadcast
ip ospf priority 0
shutdown
tunnel source GigabitEthernet0/0/1
tunnel mode gre multipoint
tunnel vrf internet-vrf
tunnel protection ipsec profile cust1-ipsec-prof shared