11-14-2013 11:21 AM
Hi
I have a 2901 Hub with Version 15.0(1r)M16 (C2900-UNIVERSALK9-M), Version 15.2(4)M2,
and a Cisco 1841 with Version 12.4(13r)T (C1841-ADVSECURITYK9-M), Version 15.1(1)T,
but I could not get a DMVPN working between these 2 devices. Is it possible that the software is not compatible? Or maybe my config is wrong.
Thanks
11-14-2013 11:26 AM
It is very unlikely that the software is not compatible. Clearly the software on the 1841 should support DMVPN. We would need some information about the licenses applied on the 2901 to be sure whether this router supports it also. Did both routers accept the commands to configure DMVPN? That would be a good indicator that both routers support the function. In that case I would think that the issue is likely in your config. Perhaps you can post the relevant parts of the config?
HTH
Rick
11-14-2013 12:01 PM
Cisco 1841
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
service sequence-numbers
!
hostname Zentrale-Spoke1
!
boot-start-marker
boot system flash:c1841-advsecurityk9-mz.151-4.M2.bin
boot system flash:c1841-advsecurityk9-mz.124-22.T.bin
boot-end-marker
!
logging buffered 20000
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login local_list local
aaa authentication ppp default local
aaa authorization exec default local
aaa authorization network local_list local
!
!
!
!
!
aaa session-id common
!
clock timezone CET 1
clock summer-time CET recurring last Sun Mar 2:00 last Sun Oct 3:00
dot11 syslog
no ip source-route
no ip gratuitous-arps
!
!
!
!
ip cef
ip inspect max-incomplete low 250
ip inspect max-incomplete high 400
ip inspect one-minute low 400
ip inspect one-minute high 2000
ip inspect udp idle-time 300
ip inspect tcp finwait-time 4
ip inspect tcp synwait-time 25
ip inspect tcp max-incomplete host 250 block-time 60
ip inspect name Firewall ftp timeout 600
ip inspect name Firewall tcp timeout 3600
ip inspect name Firewall udp timeout 300
ip inspect name Firewall ssh timeout 300
ip inspect name Firewall http timeout 3600
ip inspect name Firewall icmp timeout 300
ip inspect name Firewall sip timeout 3600
ip inspect name Firewall sip-tls timeout 3600
ip inspect name Firewall ntp
ip inspect name Firewall https timeout 3600
ip inspect name Firewall esmtp timeout 3600
no ip bootp server
no ip domain lookup
ip domain name XXXXXXXXXXX
!
multilink bundle-name authenticated
!
!
key chain EIGRP1-key
key 1
key-string 7 XXXXXXXXXXXXXXXXX
key chain TUNNEL1-key
key 2
key-string 7 XXXXXXXXXXXXXXXXXXXXXXXXX
crypto pki token default removal timeout 0
!
!
!
!
license udi pid CISCO1841 sn FCZ15049161
archive
log config
hidekeys
!
redundancy
!
!
ip tcp synwait-time 5
ip tcp path-mtu-discovery age-timer 30
ip ssh authentication-retries 4
ip ssh version 2
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
crypto isakmp key XXXXXXXXX address 0.0.0.0 0.0.0.0
crypto isakmp fragmentation
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 3 periodic
crypto isakmp nat keepalive 20
!
crypto ipsec security-association replay window-size 256
!
crypto ipsec transform-set esp-aes256-sha esp-aes 256 esp-sha-hmac
mode transport
crypto ipsec df-bit clear
!
crypto ipsec profile DMVPN
set transform-set ESP-AES256-SHA
set pfs group5
!
!
!
!
!
!
interface Tunnel1
description DMVPN zu HUB1
bandwidth 100000
ip address 10.100.0.5 255.255.255.0
no ip redirects
no ip proxy-arp
ip mtu 1400
ip verify unicast reverse-path
ip authentication mode eigrp 1 md5
ip authentication key-chain eigrp 1 EIGRP1-key
ip nhrp authentication XXXXXXXX
ip nhrp map XXXXXXXXXXXXXXXXXXX
ip nhrp map multicast XXXXXXXXXXX
ip nhrp network-id 1
ip nhrp nhs 10.100.0.250
ip nhrp registration no-unique
ip nhrp redirect
ip tcp adjust-mss 1360
snmp trap ip verify drop-rate
keepalive 10 3
cdp enable
tunnel source FastEthernet0/1
tunnel mode gre multipoint
tunnel key 2
tunnel path-mtu-discovery
tunnel protection ipsec profile DMVPN
!
interface FastEthernet0/0
description ****** Inside ******
ip address 192.168.4.250 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip verify unicast reverse-path
ip authentication mode eigrp 1 md5
ip authentication key-chain eigrp 1 EIGRP1-key
load-interval 30
duplex auto
speed auto
snmp trap ip verify drop-rate
random-detect
!
interface FastEthernet0/1
description ******* Outside *******
ip address XXXXXXXXXXXXXXXX
no ip redirects
no ip unreachables
no ip proxy-arp
ip verify unicast reverse-path
load-interval 30
duplex auto
speed auto
snmp trap ip verify drop-rate
random-detect
no cdp enable
!
!
router eigrp 1
network 10.100.0.0 0.0.255.255
network 172.16.1.0 0.0.0.255
network 172.16.2.0 0.0.0.255
network 172.16.3.0 0.0.0.255
network 172.16.4.0 0.0.0.255
network 172.20.1.0 0.0.0.255
network 192.168.1.0
network 192.168.4.0
passive-interface FastEthernet0/1
eigrp router-id 10.100.0.5
!
router nhrp
!
ip forward-protocol nd
Cisco 2901
! Last configuration change at 16:26:38 CET Wed Nov 13 2013 by admin
! NVRAM config last updated at 17:12:36 CET Tue Nov 12 2013 by admin
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname XXXXXXXXX
!
boot-start-marker
boot-end-marker
!
!
logging buffered 100000
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login local_list local
aaa authentication ppp default local
aaa authorization exec default local
aaa authorization network local_list local
!
!
!
!
!
aaa session-id common
clock timezone CET 1 0
clock summer-time CET recurring last Sun Mar 2:00 last Sun Oct 3:00
!
ip cef
!
!
!
!
!
!
no ip bootp server
ip domain name XXXXXXXXXXXXX
ip inspect max-incomplete low 250
ip inspect max-incomplete high 400
ip inspect one-minute low 400
ip inspect one-minute high 2000
ip inspect udp idle-time 300
ip inspect tcp finwait-time 4
ip inspect tcp synwait-time 25
ip inspect tcp max-incomplete host 250 block-time 60
ip inspect name Firewall ftp timeout 600
ip inspect name Firewall tcp timeout 3600
ip inspect name Firewall udp timeout 300
ip inspect name Firewall ssh timeout 300
ip inspect name Firewall http timeout 3600
ip inspect name Firewall icmp timeout 300
ip inspect name Firewall sip timeout 3600
ip inspect name Firewall sip-tls timeout 3600
ip inspect name Firewall ntp
ip inspect name Firewall https timeout 3600
ip inspect name Firewall esmtp timeout 3600
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
key chain EIGRP1-key
key 1
key-string 7 XXXXXXXXXXXXXXXXXXXXXXXX
key chain TUNNEL1-key
key 2
key-string 7 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
!
crypto pki trustpoint TP-self-signed-3675680478
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3675680478
revocation-check none
rsakeypair TP-self-signed-3675680478
!
!
crypto pki certificate chain TP-self-signed-3675680478
certificate self-signed 01
quit
license udi pid CISCO2901/K9 sn FCZ1704956S
license boot module c2900 technology-package securityk9
!
!
redundancy
!
!
!
!
csdb tcp synwait-time 30
csdb tcp idle-time 3600
csdb tcp finwait-time 5
csdb tcp reassembly max-memory 1024
csdb tcp reassembly max-queue-length 16
csdb udp idle-time 30
csdb icmp idle-time 10
csdb session max-session 65535
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
crypto isakmp key XXXXXXXXXXX address 0.0.0.0
crypto isakmp fragmentation
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 3 periodic
crypto isakmp nat keepalive 20
!
crypto ipsec security-association replay window-size 256
!
crypto ipsec transform-set esp-aes256-sha esp-aes 256 esp-sha-hmac
mode transport
crypto ipsec df-bit clear
!
crypto ipsec profile DMVPN
set transform-set esp-aes256-sha
set pfs group5
!
!
!
!
!
!
!
interface Tunnel0
description HUB1-DMVPN
bandwidth 1000000
bandwidth inherit
ip address 10.100.0.250 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1400
ip verify unicast reverse-path
ip authentication mode eigrp 1 md5
ip authentication key-chain eigrp 1 EIGRP1-key
no ip split-horizon eigrp 1
ip nhrp authentication XXXXXXXXX
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip nhrp holdtime 300
ip nhrp shortcut
ip nhrp redirect
ip virtual-reassembly in
ip tcp adjust-mss 1360
delay 10
keepalive 10 3
cdp enable
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key 2
tunnel path-mtu-discovery
tunnel protection ipsec profile DMVPN
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description *****A1*****
ip address XXXXXXXXXXXXXXXXXXXXXXX
no ip redirects
no ip unreachables
no ip proxy-arp
ip verify unicast reverse-path
ip virtual-reassembly in
load-interval 30
duplex auto
speed auto
!
interface GigabitEthernet0/1
description *****Wienstrom*****
ip address XXXXXXXXXXXXXXXXXXXX
no ip redirects
no ip unreachables
no ip proxy-arp
ip verify unicast reverse-path
ip virtual-reassembly in
load-interval 30
duplex auto
speed auto
!
interface GigabitEthernet0/0/0
no ip address
!
interface GigabitEthernet0/0/1
no ip address
!
interface GigabitEthernet0/0/2
no ip address
!
interface GigabitEthernet0/0/3
no ip address
!
interface Vlan1
description ***Inside***
ip address 172.20.1.250 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip verify unicast reverse-path
ip virtual-reassembly in
load-interval 30
!
!
router eigrp 1
network 10.100.0.0 0.0.255.255
network 172.16.1.0 0.0.0.255
network 172.16.2.0 0.0.0.255
network 172.16.3.0 0.0.0.255
network 172.16.4.0 0.0.0.255
network 172.20.1.0 0.0.0.255
network 192.168.4.0
redistribute static
passive-interface GigabitEthernet0/0
passive-interface GigabitEthernet0/1
eigrp router-id 10.100.0.250
!
ip forward-protocol nd
end
Here is the config. Thanks
11-14-2013 12:34 PM
Thanks for posting the configurations. Can the 1841 access the address 10.100.0.250? (Is there good IP connectivity?)
HTH
Rick
11-14-2013 12:41 PM
The 2 routers can ping each other. But it is not possible to ping the tunnel interface 10.100.0.250 from the 1841.
So I see the tunnel in the show crypto isakmp sa output on the 1841, but on the 2901 I do not see anything.
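A consistency check over the crypto sections of the two posted configurations, as an added example that is not part of the original thread: it compares the ISAKMP policy, transform-set parameters, PFS group and tunnel key of both routers, and flags an IPsec profile that references a transform-set name not defined with the same spelling. The function names are hypothetical, the excerpts are taken from the posts above, and treating names as case-sensitive is an assumption of this check, not a statement from the thread.

```python
import re

# Excerpt of the 1841 (spoke) configuration posted in this thread.
SPOKE_1841 = """\
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto ipsec transform-set esp-aes256-sha esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile DMVPN
 set transform-set ESP-AES256-SHA
 set pfs group5
interface Tunnel1
 tunnel key 2
"""
# The 2901 (hub) excerpt as posted differs from the above only in these two tokens.
HUB_2901 = SPOKE_1841.replace("ESP-AES256-SHA", "esp-aes256-sha").replace("Tunnel1", "Tunnel0")

def crypto_facts(cfg):
    """Extract the IKE/IPsec/GRE settings relevant to tunnel negotiation."""
    grab = lambda pat: re.findall(pat, cfg, re.M)
    sets = dict(grab(r"^crypto ipsec transform-set (\S+) (.+)$"))
    return {
        "isakmp": (grab(r"^ *encr (.+)$"), grab(r"^ *authentication (\S+)$"), grab(r"^ *group (\d+)$")),
        "transform_sets": sets,
        "transform_params": sorted(sets.values()),
        "profile_refs": grab(r"^ *set transform-set (\S+)$"),
        "pfs": grab(r"^ *set pfs (\S+)$"),
        "tunnel_key": grab(r"^ *tunnel key (\d+)$"),
    }

def audit(name, facts):
    """Flag IPsec profile references to a transform-set name not defined verbatim."""
    findings = []
    for ref in facts["profile_refs"]:
        if ref not in facts["transform_sets"]:
            # Assumption of this check: names are compared case-sensitively.
            near = [n for n in facts["transform_sets"] if n.lower() == ref.lower()]
            hint = f" (defined with different case: {near[0]})" if near else ""
            findings.append(f"{name}: profile references {ref}, not defined verbatim{hint}")
    return findings

def compare(a, b):
    """Return the names of settings whose values differ between the two peers."""
    return [k for k in ("isakmp", "transform_params", "pfs", "tunnel_key") if a[k] != b[k]]

if __name__ == "__main__":
    spoke, hub = crypto_facts(SPOKE_1841), crypto_facts(HUB_2901)
    print(audit("1841", spoke) + audit("2901", hub), compare(spoke, hub))
```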