Solved: IPSEC Routing Issue

roharris33 · ‎01-21-2019

I apologize if this is posted in the wrong location. I'm standing up an IPSEC tunnel between two sites. Eventually all sites will use the head end as a backup connection. The tunnel establishes but I'm not seeing an OSPF adjacency nor can I ping the IP of the tunnel on either side. I see that the head end is receiving packets but isn't responding. The route for the far end IP appears to be correct on the head end. I don't see anything else wrong, no errors. Any ideas?

Rob Ingram · ‎01-23-2019

Shutdown tunnel interface, remove tunnel destination and add "tunnel mode gre multipoint", no shut tunnel interface

You've also got different tunnel keys, remove the key you shouldn't need it in your scenario.

View solution in original post

Rob Ingram · ‎01-22-2019

Hi,

On the farend router you should modify the configuration as follows:-

interface tunnel 1

no tunnel destination

tunnel mode gre multipoint

You may also want to add "ip ospf hello-interval 30" on each router's tunnel interface.

HTH

roharris33 · ‎01-22-2019

I made the changes.....same result as before.

Rob Ingram · ‎01-22-2019

Upload "show dmvpn" and "show ip ospf neig" from both routers.

roharris33 · ‎01-22-2019

Interesting as you can see on the head end there isn't any dmvpn information. But the far end shows peer information.

Headend:

Farend:

Rob Ingram · ‎01-23-2019

Can you post your updated configuration please

roharris33 · ‎01-23-2019

I have a duplicate thread. Made a rookie mistake posting in two different places. Here is the link to the other thread. Updated configs are attached.

https://community.cisco.com/t5/routing/routing-over-gre-ipsec-tunnel/m-p/3785459#M308139

roharris33 · ‎01-23-2019

Adding the headend config

Rob Ingram · ‎01-23-2019

Shutdown tunnel interface, remove tunnel destination and add "tunnel mode gre multipoint", no shut tunnel interface

You've also got different tunnel keys, remove the key you shouldn't need it in your scenario.

roharris33 · ‎01-23-2019

tunnel mode gre multipoint was already configured but I did remove the key on both ends and now I have an OSPF adjancy. Thank you very much.

Farend tunnel config:
interface Tunnel1
bandwidth 20000
ip address 10.192.0.254 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication VCbh1q93
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip nhrp holdtime 600
ip nhrp redirect
ip policy route-map VPN-Internal
ip ospf network broadcast
ip ospf hello-interval 30
ip ospf priority 2
ip ospf mtu-ignore
delay 1000
tunnel source GigabitEthernet0/0/1
tunnel mode gre multipoint
tunnel protection ipsec profile vpnprof

Head end tunnel config:
interface Tunnel1
bandwidth 20000
ip address 10.192.0.17 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication VCbh1q93
ip nhrp map 10.192.0.254 111.111.111..237
ip nhrp map multicast 111.111.111.237
ip nhrp network-id 1
ip nhrp holdtime 300
ip nhrp nhs 10.192.0.254
ip ospf network broadcast
ip ospf hello-interval 30
ip ospf priority 2
delay 1000
tunnel source GigabitEthernet0/0/0
tunnel mode gre multipoint
tunnel protection ipsec profile vpnprof