Dears,
I am stuck with the troubleshooting and need help on this one.
I practiced a small setup of 3 routers using the same subnet to connect to
each other via an L2 switch. I did this lab in GNS3 with 12.4(15)T IOS. If I
remove the crypto commands and tunnel protection, everything seems OK and works
fine, BUT once the crypto commands and tunnel protection are added,
it stopped working and no routes were showing in the table!
I was trying the Phase 2 configuration of DMVPN.
Here is the config:
==============
crypto isakmp policy 10
authentication pre-share
group 2
crypto isakmp key CISCO address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
mode transport
!
crypto ipsec profile DMVPN
set transform-set TSET
!
!
interface Loopback0
ip address 192.168.1.1 255.255.255.0
!
interface Tunnel0
ip address 172.16.123.1 255.255.255.0
no ip redirects
ip mtu 1400
no ip next-hop-self eigrp 123
ip nhrp authentication cisco
ip nhrp map multicast dynamic
ip nhrp network-id 123
ip nhrp cache non-authoritative
ip nhrp redirect
no ip split-horizon eigrp 123
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 123
tunnel protection ipsec profile DMVPN
!
interface FastEthernet0/0
ip address 10.1.1.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
router eigrp 123
network 172.16.0.0
network 192.168.1.0
no auto-summary
!
router ospf 123
log-adjacency-changes
network 10.1.1.1 0.0.0.0 area 0
!
!
!
OUTPUTS:-
===========
R1#sh ip ro
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
172.16.0.0/24 is subnetted, 1 subnets
C 172.16.123.0 is directly connected, Tunnel0
10.0.0.0/24 is subnetted, 1 subnets
C 10.1.1.0 is directly connected, FastEthernet0/0
C 192.168.1.0/24 is directly connected, Loopback0
R1#
R1#SHOW IP NHRP
172.16.123.2/32 via 172.16.123.2, Tunnel0 created 00:05:57, expire 00:05:58
Type: dynamic, Flags: unique registered used
NBMA address: 10.1.1.2
172.16.123.3/32 via 172.16.123.3, Tunnel0 created 00:05:59, expire 00:05:45
Type: dynamic, Flags: unique registered used
NBMA address: 10.1.1.3
R1#
R1#Show IP eigrp interfaces
IP-EIGRP interfaces for process 123
                 Xmit Queue   Mean   Pacing Time   Multicast    Pending
Interface  Peers Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Lo0          0       0/0         0       0/1            0           0
Tu0          0       0/0         0      71/2524        50           0
R1#
R1#SH IP INT BRIEF
Interface          IP-Address      OK? Method Status                Protocol
FastEthernet0/0    10.1.1.1        YES manual up                    up
FastEthernet0/1    unassigned      YES unset  administratively down down
Loopback0          192.168.1.1     YES manual up                    up
Tunnel0            172.16.123.1    YES manual up                    up
R1#
R1#sh crypto ipsec profile DMVPN
IPSEC profile DMVPN
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
TSET,
}
R2 CONFIG:
==========
crypto isakmp policy 10
authentication pre-share
group 2
crypto isakmp key CISCO address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
mode transport
!
crypto ipsec profile DMVPN
set transform-set TSET
!
!
interface Loopback0
ip address 192.168.2.2 255.255.255.0
!
interface Tunnel0
ip address 172.16.123.2 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication cisco
ip nhrp map 172.16.123.1 10.1.1.1
ip nhrp network-id 123
ip nhrp holdtime 360
ip nhrp nhs 172.16.123.1
ip nhrp cache non-authoritative
ip nhrp shortcut
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 123
tunnel protection ipsec profile DMVPN
!
interface FastEthernet0/0
ip address 10.1.1.2 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
router eigrp 123
network 172.16.0.0
network 192.168.2.0
no auto-summary
!
router ospf 123
log-adjacency-changes
network 10.1.1.2 0.0.0.0 area 0
!
!
OUTPUTS:
========
R2#sh ip int brief
Interface          IP-Address      OK? Method Status                Protocol
FastEthernet0/0    10.1.1.2        YES manual up                    up
FastEthernet0/1    unassigned      YES unset  administratively down down
Loopback0          192.168.2.2     YES manual up                    up
Tunnel0            172.16.123.2    YES manual up                    up
R2#sh ip ro
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
172.16.0.0/24 is subnetted, 1 subnets
C 172.16.123.0 is directly connected, Tunnel0
10.0.0.0/24 is subnetted, 1 subnets
C 10.1.1.0 is directly connected, FastEthernet0/0
C 192.168.2.0/24 is directly connected, Loopback0
R2#
R2#sh ip eigrp neighbors
IP-EIGRP neighbors for process 123
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
0 172.16.123.1 Tu0 13 00:00:57 1 5000 2 0
R2#
R2#sh ip eigrp interfaces
IP-EIGRP interfaces for process 123
                 Xmit Queue   Mean   Pacing Time   Multicast    Pending
Interface  Peers Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Lo0          0       0/0         0       0/1            0           0
Tu0          1       0/0         0      71/2524        50           0
R2#
R2#sh ip nhrp
172.16.123.1/32 via 172.16.123.1, Tunnel0 created 00:11:12, never expire
Type: static, Flags: used
NBMA address: 10.1.1.1
R2#
R2#sh cry ipsec profile DMVPN
IPSEC profile DMVPN
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
TSET,
}
R2#
R3 CONFIG:
==========
crypto isakmp policy 10
authentication pre-share
group 2
crypto isakmp key CISCO address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
mode transport
!
crypto ipsec profile DMVPN
set transform-set TSET
!
!
interface Loopback0
ip address 192.168.3.3 255.255.255.0
!
interface Tunnel0
ip address 172.16.123.3 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication cisco
ip nhrp map 172.16.123.1 10.1.1.1
ip nhrp network-id 123
ip nhrp holdtime 360
ip nhrp nhs 172.16.123.1
ip nhrp cache non-authoritative
ip nhrp shortcut
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 123
tunnel protection ipsec profile DMVPN
!
interface FastEthernet0/0
ip address 10.1.1.3 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
router eigrp 123
network 172.16.0.0
network 192.168.3.0
no auto-summary
!
router ospf 1
log-adjacency-changes
!
router ospf 123
log-adjacency-changes
network 10.1.1.3 0.0.0.0 area 0
!
!
!
OUTPUTS:
================
R3#sh ip ro
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
172.16.0.0/24 is subnetted, 1 subnets
C 172.16.123.0 is directly connected, Tunnel0
10.0.0.0/24 is subnetted, 1 subnets
C 10.1.1.0 is directly connected, FastEthernet0/0
C 192.168.3.0/24 is directly connected, Loopback0
R3#
R3#SH IP EIgrp interfaces
IP-EIGRP interfaces for process 123
                 Xmit Queue   Mean   Pacing Time   Multicast    Pending
Interface  Peers Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Lo0          0       0/0         0       0/1            0           0
Tu0          1       0/0         0      71/2524        50           0
R3#
R3#sh ip nhrp
172.16.123.1/32 via 172.16.123.1, Tunnel0 created 00:21:04, never expire
Type: static, Flags: used
NBMA address: 10.1.1.1
R3#sh crypto ipsec pro DMVPN
IPSEC profile DMVPN
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
TSET,
}
R3#