Spokes can't ping each other in DVTI VPN setup

samy.ccnp
Level 1

Hello All,

Hope you are all doing well!

I need your support to fix the following issue, which I'm facing right now in my lab using a DVTI configuration.

Note:- This is all set up in GNS3.

Note:- All the routers are running Version 15.2(4)S1.

Issue:- I can't reach any spoke's interfaces from any of the other spokes, while I can ping every spoke from the HUB itself, and from every spoke I can ping the HUB subnet.

Tried to ping and trace spoke R3's interface from spoke R2:-

R2#ping 10.3.3.3 source 10.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 10.2.2.2
.....
Success rate is 0 percent (0/5)

R2#traceroute 10.3.3.3 source 10.2.2.2
Type escape sequence to abort.
Tracing the route to 10.3.3.3
VRF info: (vrf in name/id, vrf out name/id)
1 1.1.1.1 44 msec 44 msec 48 msec
2 * * *
3 * * *
4

Tried ping from spoke R2 to HUB:-

R2#ping 10.1.1.1 source 10.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.2.2.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/50/132 ms

If I look at the config, it seems perfect. I also checked the tunnel status, and it also seems up and active on all the spokes and the HUB.

On top of this I'm running EIGRP, and it's up and running perfectly (neighbours are up and exchanging routes), as I can see the routes on all the spokes and the HUB.

I verified the configuration again and it seems perfect; however, I would like to know your views on this, so I am attaching my design and configuration herewith.

Here is the important output from the HUB and spokes R2 and R3, plus their running configs:

HUB:-

HUB#sh ip int br
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 15.0.0.1 YES NVRAM up up
Loopback1 1.1.1.1 YES NVRAM up up
Loopback10 10.1.1.1 YES NVRAM up up
Virtual-Access1 1.1.1.1 YES unset up up
Virtual-Access2 1.1.1.1 YES unset up up
Virtual-Access3 1.1.1.1 YES unset up up
Virtual-Template1 1.1.1.1 YES unset up down

HUB#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
15.0.0.1 35.0.0.3 QM_IDLE 1005 ACTIVE
15.0.0.1 25.0.0.2 QM_IDLE 1004 ACTIVE
15.0.0.1 45.0.0.4 QM_IDLE 1006 ACTIVE

IPv6 Crypto ISAKMP SA

HUB#sh crypto engine connections active
Crypto Engine Connections

ID Type Algorithm Encrypt Decrypt LastSeqN IP-Address
7 IPsec AES+MD5 0 294 294 15.0.0.1
8 IPsec AES+MD5 289 0 0 15.0.0.1
9 IPsec AES+MD5 0 281 281 15.0.0.1
10 IPsec AES+MD5 278 0 0 15.0.0.1
11 IPsec AES+MD5 0 267 267 15.0.0.1
12 IPsec AES+MD5 268 0 0 15.0.0.1
1004 IKE SHA+AES192 0 0 0 15.0.0.1
1005 IKE SHA+AES192 0 0 0 15.0.0.1
1006 IKE SHA+AES192 0 0 0 15.0.0.1

HUB#sh ip route eig
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override

Gateway of last resort is 15.0.0.2 to network 0.0.0.0

2.0.0.0/32 is subnetted, 1 subnets
D 2.2.2.2 [90/1433600] via 2.2.2.2, 00:21:42, Virtual-Access1
3.0.0.0/32 is subnetted, 1 subnets
D 3.3.3.3 [90/1433600] via 3.3.3.3, 00:21:01, Virtual-Access2
4.0.0.0/32 is subnetted, 1 subnets
D 4.4.4.4 [90/1433600] via 4.4.4.4, 00:20:28, Virtual-Access3
10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
D 10.2.2.0/24 [90/1433600] via 2.2.2.2, 00:21:42, Virtual-Access1
D 10.3.3.0/24 [90/1433600] via 3.3.3.3, 00:21:01, Virtual-Access2
D 10.4.4.0/24 [90/1433600] via 4.4.4.4, 00:20:28, Virtual-Access3

Running config from HUB:-


HUB#
HUB#sh run
Building configuration...

Current configuration : 1586 bytes
!
! Last configuration change at 19:18:50 UTC Wed Dec 28 2016
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname HUB
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
!
!
!
!
!
!
no ip domain lookup
ip cef
ipv6 multicast rpf use-bgp
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
crypto keyring OUR-PSK
pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
!
crypto isakmp policy 1
encr aes 192
authentication pre-share
group 5
crypto isakmp profile OUR-IKE-PROFILE
keyring OUR-PSK
match identity address 0.0.0.0
virtual-template 1
!
!
crypto ipsec transform-set OUR-SET esp-aes esp-md5-hmac
mode tunnel
!
crypto ipsec profile OUR-PROFILE
set transform-set OUR-SET
!
!
!
!
!
!
!
interface Loopback1
ip address 1.1.1.1 255.255.255.255
!
interface Loopback10
ip address 10.1.1.1 255.255.255.0
!
interface FastEthernet0/0
ip address 15.0.0.1 255.255.255.252
duplex full
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback1
tunnel source FastEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile OUR-PROFILE
!
!
router eigrp 100
network 1.0.0.0
network 10.0.0.0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 15.0.0.2
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end

HUB#

**********************************************************

Spoke 2

R2#sh ip int br
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 25.0.0.2 YES NVRAM up up
Loopback1 2.2.2.2 YES NVRAM up up
Loopback10 10.2.2.2 YES NVRAM up up
Tunnel1 2.2.2.2 YES TFTP up up

R2#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
15.0.0.1 25.0.0.2 QM_IDLE 1002 ACTIVE

IPv6 Crypto ISAKMP SA

R2#sh crypto engine connections active
Crypto Engine Connections

ID Type Algorithm Encrypt Decrypt LastSeqN IP-Address
3 IPsec AES+MD5 0 322 322 25.0.0.2
4 IPsec AES+MD5 326 0 0 25.0.0.2
1002 IKE SHA+AES192 0 0 0 25.0.0.2

R2#sh ip route eig
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override

Gateway of last resort is 25.0.0.1 to network 0.0.0.0

1.0.0.0/32 is subnetted, 1 subnets
D 1.1.1.1 [90/27008000] via 1.1.1.1, 00:23:49, Tunnel1
3.0.0.0/32 is subnetted, 1 subnets
D 3.3.3.3 [90/28288000] via 1.1.1.1, 00:23:08, Tunnel1
4.0.0.0/32 is subnetted, 1 subnets
D 4.4.4.4 [90/28288000] via 1.1.1.1, 00:22:35, Tunnel1
10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
D 10.1.1.0/24 [90/27008000] via 1.1.1.1, 00:23:49, Tunnel1
D 10.3.3.0/24 [90/28288000] via 1.1.1.1, 00:23:08, Tunnel1
D 10.4.4.0/24 [90/28288000] via 1.1.1.1, 00:22:35, Tunnel1

Running config of Spoke (R2)


R2#
R2#sh run
Building configuration...

Current configuration : 1450 bytes
!
! Last configuration change at 19:08:34 UTC Wed Dec 28 2016
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
!
!
!
!
!
!
no ip domain lookup
ip cef
ipv6 multicast rpf use-bgp
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
crypto isakmp policy 1
encr aes 192
authentication pre-share
group 5
crypto isakmp key cisco123 address 0.0.0.0
!
!
crypto ipsec transform-set OUR-SET esp-aes esp-md5-hmac
mode tunnel
!
crypto ipsec profile OUR-PROFILE
set transform-set OUR-SET
!
!
!
!
!
!
!
interface Loopback1
ip address 2.2.2.2 255.255.255.255
!
interface Loopback10
ip address 10.2.2.2 255.255.255.0
!
interface Tunnel1
ip unnumbered Loopback1
tunnel source FastEthernet0/0
tunnel mode ipsec ipv4
tunnel destination 15.0.0.1
tunnel protection ipsec profile OUR-PROFILE
!
interface FastEthernet0/0
ip address 25.0.0.2 255.255.255.252
duplex full
!
!
router eigrp 100
network 2.0.0.0
network 10.0.0.0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 25.0.0.1
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end

R2#

Running config from another spoke (R3)

Note:- On R3 all the outputs (IPsec, EIGRP routes) are the same as on R2.


R3#sh run
Building configuration...

Current configuration : 1448 bytes
!
! Last configuration change at 19:09:09 UTC Wed Dec 28 2016
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
!
!
!
!
!
!
no ip domain lookup
ip cef
ipv6 multicast rpf use-bgp
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
crypto isakmp policy 1
encr aes 192
authentication pre-share
group 5
crypto isakmp key cisco123 address 0.0.0.0
!
!
crypto ipsec transform-set OUR-SET esp-aes esp-md5-hmac
mode tunnel
!
crypto ipsec profile OUR-PROFILE
set transform-set OUR-SET
!
!
!
!
!
!
!
interface Loopback1
ip address 3.3.3.3 255.255.255.255
!
interface Loopback10
ip address 10.3.3.3 255.255.255.0
!
interface Tunnel1
ip unnumbered Loopback1
tunnel source FastEthernet0/0
tunnel mode ipsec ipv4
tunnel destination 15.0.0.1
tunnel protection ipsec profile OUR-PROFILE
!
interface FastEthernet0/0
ip address 35.0.0.3 255.255.255.0
duplex full
!
!
router eigrp 100
network 3.0.0.0
network 10.0.0.0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 35.0.0.4
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end

R3#

 

15 Replies

Tested here and worked perfectly. +1 for that.