hehe, I think I must provide a CCO link as you still don't believe me :)

Here you have some proof:

Restrictions
 DVTI is only supported in the context of Enhanced Easy VPN. Routing with
DVTIs is not supported or recommended. A DVTI interface on the headend
router cannot terminate on an SVTI interface on the remote peer. An SVTI
interface can only terminate on another SVTI interface.

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/prod_white_paper0900aecd803645b5.html


So, you can have dynamic IP on the spoke routers but you must configure them
as EasyVPN Remote (client or NEM) to make it work for you.

Regards,
Piotr


2011/3/5 Bruno <[email protected]>

> you know when you have the following scenario:
> R1 <> NAT device <> R2
>
> The way to prepare R2 for that is to configure dynamic crypto maps like we
> would do for Easy VPN, without specifying any address and having only R1
> initiate the connection. The R1 configuration is normal, without any
> difference.
> Actually, I came from this scenario with R1 behind a NAT device and R2 with
> dynamic maps to accept any IP address and do the L2L VPN
>
> I think I could do the same with DVTI as they are the new-fashioned way of
> doing dynamic crypto maps
>
>
> On Sat, Mar 5, 2011 at 2:29 PM, Piotr Matusiak <[email protected]> wrote:
>
>> What do you want to achieve? You must have EasyVPN client configured to
>> use DVTI.
>> SVTI configuration is not EasyVPN.
>>
>>
>>
>> 2011/3/5 Bruno <[email protected]>
>>
>>> Sorry Piotr, but that's the config
>>>
>>>
>>> R1
>>> interface Tunnel100
>>>  ip address 1.1.1.1 255.255.255.0
>>>  tunnel source FastEthernet0/0
>>>  tunnel destination 136.1.122.2
>>>  tunnel mode ipsec ipv4
>>>  tunnel protection ipsec profile ipsec_prof
>>>
>>> R2
>>> interface Virtual-Template2 type tunnel
>>>  ip address 1.1.1.2 255.255.255.0
>>>  tunnel source FastEthernet0/0
>>>  tunnel mode ipsec ipv4
>>>  tunnel protection ipsec profile ipsec_prof
>>>
>>>
>>> Router 2
>>> *show cry isa sa*
>>> dst             src             state          conn-id slot status
>>> 136.1.122.2     136.1.121.1     QM_IDLE           1003    0 ACTIVE
>>>
>>> *show cry isa sa det*
>>> C-id  Local           Remote          I-VRF    Status Encr Hash Auth DH
>>> Lifetime Cap.
>>>
>>> 1003  136.1.122.2     136.1.121.1              ACTIVE 3des md5  rsig 2
>>> 23:59:40
>>>
>>> Router1
>>> *show cry ips sa*
>>> Rack1R1(config)#do cry2
>>>
>>> interface: Tunnel100
>>>     Crypto map tag: Tunnel100-head-0, local addr 136.1.121.1
>>>
>>>    protected vrf: (none)
>>>    local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
>>>    remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
>>>    current_peer 136.1.122.2 port 500
>>>      PERMIT, flags={origin_is_acl,}
>>>     #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
>>>     #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
>>>
>>>
>>> Running EIGRP on both Routers
>>> router eigrp 1
>>>  network 1.1.1.0 0.0.0.255
>>>
>>> Still same issue
>>> Mar  2 08:45:02.331: IPSEC(ipsec_process_proposal): invalid local address
>>> 136.1.122.2
>>> Mar  2 08:45:02.335: ISAKMP:(1003): IPSec policy invalidated proposal
>>> with error 8
>>> Mar  2 08:45:02.339: ISAKMP:(1003): phase 2 SA policy not acceptable!
>>> (local 136.1.122.2 remote 136.1.121.1)
>>> Mar  2 08:45:02.343: ISAKMP: set new node -1211542580 to QM_IDLE
>>> Mar  2 08:45:02.347: ISAKMP:(1003):Sending NOTIFY PROPOSAL_NOT_CHOSEN
>>> protocol 3
>>>         spi 1690522144, message ID = -1211542580
>>> Mar  2 08:45:02.355: ISAKMP:(1003): sending packet to 136.1.121.1 my_port
>>> 500 peer_port 500 (R) QM_IDLE
>>> Rack1R2(config-if)#
>>> Mar  2 08:45:02.355: ISAKMP:(1003):Sending an IKE IPv4 Packet.
>>> Mar  2 08:45:02.359: ISAKMP:(1003):purging node -1211542580
>>> Mar  2 08:45:02.363: ISAKMP:(1003):deleting node 729790222 error TRUE
>>> reason "QM rejected"
>>>
>>> As I said, as soon as I configure "tunnel destination 136.1.121.1"
>>> pointing to R1, it works. I did not configure any isakmp profile on R2 to
>>> attach virtual-template because I don't think it would be the solution
>>>
>>>
>>> Rack1R2(config-if)#*tunnel destination 136.1.121.1*
>>> Mar  2 08:49:11.675: %LINEPROTO-5-UPDOWN: Line protocol on Interface
>>> Virtual-Template2, changed state to up
>>> Mar  2 08:49:12.443: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 1.1.1.1
>>> (Virtual-Template2) is up: new adjacency
>>>
>>>
>>>
>>> On Sat, Mar 5, 2011 at 1:56 PM, Piotr Matusiak <[email protected]> wrote:
>>>
>>>> interface Virtual-Template2 type tunnel
>>>> tunnel protection ipsec profile ipsec_prof
>>>>
>>>>
>>>>
>>>> 2011/3/5 Bruno <[email protected]>
>>>>
>>>>> Hey guys,
>>>>>
>>>>> I've been trying to get this stuff working for a while with no luck. I am
>>>>> thinking it's not possible but would like some insights
>>>>>
>>>>> R1 <> ASA <> R2
>>>>>
>>>>> R1
>>>>> interface Tunnel100
>>>>>  ip address 1.1.1.1 255.255.255.0
>>>>>  tunnel source FastEthernet0/0
>>>>>  tunnel destination 136.1.122.2
>>>>>  tunnel mode ipsec ipv4
>>>>>  tunnel protection ipsec profile ipsec_prof
>>>>>
>>>>> R2 initially had the same config and it worked just fine. Then I
>>>>> changed the configuration on R2 to DVTI
>>>>> interface Virtual-Template2 type tunnel
>>>>>  ip address 1.1.1.2 255.255.255.0
>>>>>  tunnel source FastEthernet0/0
>>>>>  tunnel mode ipsec ipv4
>>>>>
>>>>> The interesting thing is that as soon as I configured *"tunnel destination"*
>>>>> pointing to R1 it works. But that's exactly what I do not want to do;
>>>>> supposing R1 had a dynamic IP, it should work without a destination address.
>>>>>
>>>>> The log is:
>>>>> IPSec policy invalidated proposal with error 8
>>>>> Mar  2 07:20:35.303: ISAKMP:(1013): phase 2 SA policy not acceptable!
>>>>> (local 136.1.122.2 remote 136.1.121.1)
>>>>> Mar  2 07:20:35.303: ISAKMP: set new node 1645030739 to QM_IDLE
>>>>> Mar  2 07:20:35.311: ISAKMP:(1013):Sending NOTIFY PROPOSAL_NOT_CHOSEN
>>>>> protocol 3
>>>>>
>>>>> Any idea is welcome.
>>>>>
>>>>> Cisco DOC for VTI
>>>>>
>>>>> http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gtIPSctm.html
>>>>>
>>>>> --
>>>>> Bruno Fagioli (by Jaunty Jackalope)
>>>>> Cisco Security Professional
>>>>>
>>>>> _______________________________________________
>>>>> For more information regarding industry leading CCIE Lab training,
>>>>> please visit www.ipexpert.com
>>>>>
>>>>>
>>>>
>>>
>>>
>>> --
>>> Bruno Fagioli (by Jaunty Jackalope)
>>> Cisco Security Professional
>>>
>>
>>
>
>
> --
> Bruno Fagioli (by Jaunty Jackalope)
> Cisco Security Professional
>
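Piotr's answer in practice, as an added example that is not part of the thread: the hub keeps its DVTI but binds it to an Easy VPN server group through an ISAKMP profile, and the dynamic-address spoke runs as an Easy VPN Remote in network-extension mode instead of the static SVTI Bruno used. The group, profile and authorization list names, the pre-shared key, Loopback0, the AES/SHA parameters and the spoke's inside network 10.1.1.0/24 are assumptions; the 136.1.x.x addresses, interface names and the `ipsec_prof` / `Virtual-Template2` names come from the thread.

```cisco
! ---- R2 (hub, static address 136.1.122.2): the DVTI is selected by an
! ---- ISAKMP profile that matches the Easy VPN group. Names/PSK are placeholders.
aaa new-model
aaa authorization network EZVPN_AUTHOR local
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp client configuration group EZVPN_GROUP
 key EZVPN_PSK_PLACEHOLDER
crypto isakmp profile EZVPN_PROF
 match identity group EZVPN_GROUP
 isakmp authorization list EZVPN_AUTHOR
 client configuration address respond
 virtual-template 2
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
crypto ipsec profile ipsec_prof
 set transform-set TS
 set isakmp-profile EZVPN_PROF
interface Loopback0
 ip address 1.1.1.2 255.255.255.255
interface Virtual-Template2 type tunnel
 ip unnumbered Loopback0
 tunnel source FastEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ipsec_prof
!
! ---- R1 (spoke, address learned by DHCP behind the NAT device): Easy VPN
! ---- Remote in network-extension mode, the client role a hub-side DVTI
! ---- expects; no tunnel destination is needed on the hub for this peer.
crypto ipsec client ezvpn EZ
 connect auto
 group EZVPN_GROUP key EZVPN_PSK_PLACEHOLDER
 mode network-extension
 peer 136.1.122.2
 virtual-interface 1
interface Virtual-Template1 type tunnel
 no ip address
 tunnel mode ipsec ipv4
interface FastEthernet0/0
 ip address dhcp
 crypto ipsec client ezvpn EZ
interface FastEthernet0/1
 ip address 10.1.1.1 255.255.255.0
 crypto ipsec client ezvpn EZ inside
```

Per the Cisco restriction quoted above, routing protocols over the DVTI are not supported, so the EIGRP adjacency from Bruno's lab is deliberately left out; `show crypto isakmp sa` and `show crypto session` on R2 should show the spoke's Virtual-Access interface once the tunnel is up.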
