02-29-2012 03:07 AM
Hello.
I am trying to set up a DMVPN.
The setup is the following:
1751-V is a spoke - c1700-advsecurityk9-mz.124-15.T14.bin
2691xm is a hub - c2691-advsecurityk9-mz.124-15.T14.bin
As I stated in the title, my clients' 2691xm router is deaf to ISAKMP. It is configured as a hub for DMVPN, and doesn't show that it is receiving anything VPN-related. The 1751-V, on the other hand, is very noisy, sending out a lot of IKE requests to the 2691xm.
I made the 1751-V talk to my home's 1751-V with a slightly modified version of the 2691xm's config without any problems. I didn't get access through the VPN quite yet, but they at least got through ISAKMP.
I turned on "debug dmvpn all all" and "term mon", and I get NO output from the 2691xm.
I also get nothing from "show crypto isakmp sa".
I thought the traffic might be blocked by the ISP. I called and asked, and it isn't.
I thought the traffic might be stopped at the firewall, so I set the relevant ports to log traffic as evident in the next paste.
router-1#show access-list INTERNET_IN
Extended IP access list INTERNET_IN
...
70 permit udp any any eq isakmp log (2576 matches)
80 permit gre any any log
90 permit esp any any log
...
So I AM getting traffic through to the router, but my router isn't reacting to it?
Below are snippets of relevant configs.
HUB:
Internet: int fa0/1 - T1 w/ static IP through ethernet
LAN : int fa0/0 - lan 192.168.20.1
ip multicast-routing
!
crypto isakmp policy 100
encr aes 256
authentication pre-share
group 2
lifetime 28800
!
crypto isakmp key ABCD address 0.0.0.0 no-xauth
!
crypto ipsec transform-set TRANSFORM_1 esp-aes 256 esp-sha-hmac
!
crypto ipsec profile PROFILE_1
set security-association lifetime seconds 600
set transform-set TRANSFORM_1
set pfs group2
!
interface Tunnel0
ip pim sparse-mod
bandwidth 1536
ip address 10.0.20.20 255.255.255.0
ip mtu 1400
ip tcp adjust-mss 1360
tunnel source fa0/1
tunnel mode gre multipoint
tunnel protection ipsec profile PROFILE_1
ip nhrp map multicast dynamic
ip nhrp network-id 20
ip nhrp holdtime 600
ip nhrp authentication ABCD
ip hold-time eigrp 1 35
no ip next-hop-self eigrp 1
no ip split-horizon eigrp 1
!
router eigrp 1
network 10.0.20.0 0.0.0.255
network 192.168.20.0 0.0.0.255
no auto-summary
!
ip access-list extended NAT_TRAFFIC
deny ip 192.168.20.0 0.0.0.255 192.168.22.0 0.0.0.255
permit ip 192.168.20.0 0.0.0.255 any
route-map NONAT permit 10
match ip address NAT_TRAFFIC
ip nat inside source route-map NONAT interface fa0/1 overload
SPOKE:
Internet: int dialer0 - DSL, PPPoE, DHCP
LAN : int vlan0 - 192.168.22.1
ip multicast-routing
!
crypto isakmp policy 100
encr aes 256
authentication pre-share
group 2
lifetime 28800
crypto isakmp key ABCD address 0.0.0.0 no-xauth
!
crypto ipsec transform-set TRANSFORM_1 esp-aes 256 esp-sha-hmac
!
crypto ipsec profile PROFILE_1
set security-association lifetime seconds 600
set transform-set TRANSFORM_1
set pfs group2
!
interface Tunnel0
ip pim sparse-mod
bandwidth 1536
ip address 10.0.20.22 255.255.255.0
ip mtu 1400
ip tcp adjust-mss 1360
tunnel source d0
tunnel mode gre multipoint
tunnel protection ipsec profile PROFILE_1
ip nhrp map 10.0.20.20 2691_WAN_IP
ip nhrp map multicast 2691_WAN_IP
ip nhrp network-id 20
ip nhrp holdtime 600
ip nhrp nhs 10.0.20.20
ip nhrp authentication ABCD
ip hold-time eigrp 1 35
no ip next-hop-self eigrp 1
no ip split-horizon eigrp 1
!
router eigrp 1
network 10.0.20.0 0.0.0.255
network 192.168.22.0 0.0.0.255
no auto-summary
eigrp stub connected
!
ip access-list extended NAT_TRAFFIC
deny ip 192.168.22.0 0.0.0.255 192.168.20.0 0.0.0.255
permit ip 192.168.22.0 0.0.0.255 any
route-map NONAT permit 10
match ip address NAT_TRAFFIC
!
ip nat inside source route-map NONAT interface Dialer0 overload
!
As I previously said, the 2691xm DOES NOT REACT. The only thing I have been able to determine is that the router DOES NOT block traffic on UDP port 500.
Here is some output from 1751-v (spoke router).
ISAKMP: set new node 0 to QM_IDLE
ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 1751_WAN_IP, remote 2691_WAN_IP)
ISAKMP: Error while processing SA request: Failed to initialize SA
ISAKMP: Error while processing KMI message 0, error 2.
ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
ISAKMP (0:0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
router-1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
2691_WAN_IP 1751_WAN_IP MM_NO_STATE 0 0 ACTIVE
2691_WAN_IP 1751_WAN_IP MM_NO_STATE 0 0 ACTIVE (deleted)
The 1751-v works with another 1751-v (to an extent), just not the 2691xm I need it to work with.
Please help as this is driving me CRAZY!!!!
I would appreciate ANY suggestions/comments/criticisms/hypotheses/requests/ANYTHING!!!!
-Vittorio
02-29-2012 08:19 AM
Need to see the interface config for fa0/1 on the hub as well as any routing statement and ACL used by the interface.
--Jason
02-29-2012 08:37 AM
Here is the requested information:
interface Tunnel0
bandwidth 1536
ip address 10.0.20.20 255.255.255.0
no ip redirects
ip mtu 1400
ip hold-time eigrp 1 35
no ip next-hop-self eigrp 1
ip pim sparse-mode
ip nhrp authentication ABADCADS
ip nhrp map multicast dynamic
ip nhrp network-id 20
ip nhrp holdtime 600
ip tcp adjust-mss 1360
no ip split-horizon eigrp 1
tunnel source FastEthernet0/1
tunnel mode gre multipoint
tunnel protection ipsec profile PROFILE_1
!
interface FastEthernet0/0
ip address 192.168.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
no mop enabled
!
interface FastEthernet0/1
ip address INTERNET_ADDRESS 255.255.255.248
ip access-group INTERNET_IN in
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
!
router eigrp 1
network 10.0.20.0 0.0.0.255
network 192.168.20.0
no auto-summary
!
ip access-list extended INTERNET_IN
permit icmp any any echo-reply
permit icmp any any unreachable
permit icmp any any time-exceeded
permit tcp any any established
permit udp any eq domain any
permit udp any any eq ntp
permit udp any any eq isakmp log
permit gre any any log
permit esp any any log
permit udp any eq ntp any
permit tcp any any eq 22
deny ip any any log-input
ip access-list extended NAT_TRAFFIC
deny ip 192.168.20.0 0.0.0.255 192.168.21.0 0.0.0.255
deny ip 192.168.20.0 0.0.0.255 192.168.22.0 0.0.0.255
permit ip 192.168.20.0 0.0.0.255 any
!
ip nat inside source route-map NONAT interface FastEthernet0/1 overload
!
Thank you, please tell me if you need anything else
-Vittorio
02-29-2012 08:44 AM
Hmmm.
Try:
conf t
crypto isakmp enable
Also, what is the output of a 'show crypto map' ?
02-29-2012 08:50 AM
crypto isakmp enable didn't do anything.
router-1# show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
router-1# show crypto map
No crypto maps found.
02-29-2012 09:02 AM
No crypto map means there's some sort of issue on the hub with config - try the following:
term mon
debug crypto socket
debug tunnel protection
conf t
logging on
logging mon debugging
int tunnel0
shut
no tunnel protection ipsec profile PROFILE_1
tunnel protection ipsec profile PROFILE_1
no shut
See if that gives us any debugs.
02-29-2012 09:09 AM
My God man. You sir are a genius.
Who would've thunk turning it on and off again would do the trick!!
That should be the first troubleshooting step LOL!
I couldn't reset it because it's a production machine, and I didn't wanna save the config in case everything went wrong.
Interface reset was definitely the way to go!
Just for your info there was NO output even after debug crypto socket and debug tunnel protection. Everything sparked to life as soon as I typed no shut.
Thank you very much for your help!
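As an added example (not from the thread or from Cisco), a small Python script that encodes the two signs this thread turned on: a spoke whose ISAKMP SAs sit in MM_NO_STATE (main mode initiated, no reply from the peer) and a hub whose tunnel interface carries "tunnel protection" yet answers "No crypto maps found." The show outputs and config are constructed to mirror the thread, with RFC 5737 documentation addresses standing in for the real WAN IPs.

```python
import re

# Constructed sample outputs modelled on the thread (documentation IPs, not real devices).
SPOKE_ISAKMP_SA = """\
dst             src             state          conn-id slot status
203.0.113.20    198.51.100.22   MM_NO_STATE          0    0 ACTIVE
203.0.113.20    198.51.100.22   MM_NO_STATE          0    0 ACTIVE (deleted)
"""
HUB_CRYPTO_MAP = "No crypto maps found.\n"
HUB_CONFIG = """\
interface Tunnel0
 ip address 10.0.20.20 255.255.255.0
 tunnel source FastEthernet0/1
 tunnel mode gre multipoint
 tunnel protection ipsec profile PROFILE_1
"""

# dst src state conn-id slot status; the header row has no digits, so it never matches.
SA_ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(.+)$")

def parse_isakmp_sa(text):
    """Parse 'show crypto isakmp sa' output into one dict per SA row."""
    rows = []
    for line in text.splitlines():
        m = SA_ROW.match(line.strip())
        if m:
            dst, src, state, conn_id, slot, status = m.groups()
            rows.append({"dst": dst, "src": src, "state": state, "status": status.strip()})
    return rows

def stuck_initiations(rows):  # MM_NO_STATE: MM1 was sent and nothing ever came back
    return [r for r in rows if r["state"] == "MM_NO_STATE"]

def tunnel_protection_profiles(config):
    """Map each tunnel interface to the IPsec profile named in 'tunnel protection'."""
    profiles, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split()[1]
        m = re.match(r"\s*tunnel protection ipsec profile (\S+)", line)
        if m and current:
            profiles[current] = m.group(1)
    return profiles

def diagnose_hub(config, crypto_map_output):
    """A hub with tunnel protection configured but no crypto map bound is 'deaf' to IKE."""
    if "No crypto maps found" not in crypto_map_output:
        return []
    return [f"{intf}: profile {prof} configured but no crypto map bound; "
            f"re-apply tunnel protection and bounce the interface"
            for intf, prof in tunnel_protection_profiles(config).items()]
```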