Hehe, that's Piotr. I am not sad about having spent many hours on this. I am kinda happy I didn't make what I was not supposed to make.
Thanks Piotr.

On Sat, Mar 5, 2011 at 2:59 PM, Piotr Matusiak <[email protected]> wrote:
> hehe, I think I must provide some CCO link as you still don't believe me :)
>
> Here you have some proof:
>
> Restrictions
> DVTI is only supported in the context of Enhanced Easy VPN. Routing with DVTIs is not supported or recommended. A DVTI interface on the headend router cannot terminate on an SVTI interface on the remote peer. An SVTI interface can only terminate on another SVTI interface.
>
> http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/prod_white_paper0900aecd803645b5.html
>
> So, you can have dynamic IP on the spoke routers but you must configure them as EasyVPN Remote (client or NEM) to make it work for you.
>
> Regards,
> Piotr
>
> 2011/3/5 Bruno <[email protected]>
>
>> you know when you have the following scenario:
>> R1 <> NAT device <> R2
>>
>> The way to prepare R2 for that is to configure dynamic crypto maps like we would do for easy vpn without specifying any address and having only R1 initiating the connection. The R1 configuration is normal without any difference.
>> Actually, I came from this scenario with R1 behind a NAT device and R2 with dynamic maps to accept any ip address and do the L2L vpn
>>
>> I think I could do the same with DVTI as they are the new fashion way of dynamic crypto maps
>>
>> On Sat, Mar 5, 2011 at 2:29 PM, Piotr Matusiak <[email protected]> wrote:
>>
>>> What do you want to achieve? You must have EasyVPN client configured to use DVTI.
>>> SVTI configuration is not EasyVPN.
>>>
>>> 2011/3/5 Bruno <[email protected]>
>>>
>>>> Sorry Piotr, but that's the config
>>>>
>>>> R1
>>>> interface Tunnel100
>>>>  ip address 1.1.1.1 255.255.255.0
>>>>  tunnel source FastEthernet0/0
>>>>  tunnel destination 136.1.122.2
>>>>  tunnel mode ipsec ipv4
>>>>  tunnel protection ipsec profile ipsec_prof
>>>>
>>>> R2
>>>> interface Virtual-Template2 type tunnel
>>>>  ip address 1.1.1.2 255.255.255.0
>>>>  tunnel source FastEthernet0/0
>>>>  tunnel mode ipsec ipv4
>>>>  tunnel protection ipsec profile ipsec_prof
>>>>
>>>> Router 2
>>>> *show cry isa sa*
>>>> dst             src             state          conn-id slot status
>>>> 136.1.122.2     136.1.121.1     QM_IDLE           1003    0 ACTIVE
>>>>
>>>> *show cry isa sa det*
>>>> C-id  Local           Remote          I-VRF  Status  Encr  Hash  Auth  DH  Lifetime  Cap.
>>>> 1003  136.1.122.2     136.1.121.1            ACTIVE  3des  md5   rsig  2   23:59:40
>>>>
>>>> Router1
>>>> *show cry ips sa*
>>>> Rack1R1(config)#do cry2
>>>>
>>>> interface: Tunnel100
>>>>     Crypto map tag: Tunnel100-head-0, local addr 136.1.121.1
>>>>
>>>>    protected vrf: (none)
>>>>    local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
>>>>    remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
>>>>    current_peer 136.1.122.2 port 500
>>>>      PERMIT, flags={origin_is_acl,}
>>>>     #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
>>>>     #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
>>>>
>>>> Running EIGRP on both Routers
>>>> router eigrp 1
>>>>  network 1.1.1.0 0.0.0.255
>>>>
>>>> Still same issue
>>>> Mar 2 08:45:02.331: IPSEC(ipsec_process_proposal): invalid local address 136.1.122.2
>>>> Mar 2 08:45:02.335: ISAKMP:(1003): IPSec policy invalidated proposal with error 8
>>>> Mar 2 08:45:02.339: ISAKMP:(1003): phase 2 SA policy not acceptable! (local 136.1.122.2 remote 136.1.121.1)
>>>> Mar 2 08:45:02.343: ISAKMP: set new node -1211542580 to QM_IDLE
>>>> Mar 2 08:45:02.347: ISAKMP:(1003):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
>>>> spi 1690522144, message ID = -1211542580
>>>> Mar 2 08:45:02.355: ISAKMP:(1003): sending packet to 136.1.121.1 my_port 500 peer_port 500 (R) QM_IDLE
>>>> Rack1R2(config-if)#
>>>> Mar 2 08:45:02.355: ISAKMP:(1003):Sending an IKE IPv4 Packet.
>>>> Mar 2 08:45:02.359: ISAKMP:(1003):purging node -1211542580
>>>> Mar 2 08:45:02.363: ISAKMP:(1003):deleting node 729790222 error TRUE reason "QM rejected"
>>>>
>>>> As I said, as soon as I configure "tunnel destination 136.1.121.1" pointing to R1, it works. I did not configure any isakmp profile on R2 to attach the virtual-template because I don't think it would be the solution
>>>>
>>>> Rack1R2(config-if)#*tunnel destination 136.1.121.1*
>>>> Mar 2 08:49:11.675: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Template2, changed state to up
>>>> Mar 2 08:49:12.443: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 1.1.1.1 (Virtual-Template2) is up: new adjacency
>>>>
>>>> On Sat, Mar 5, 2011 at 1:56 PM, Piotr Matusiak <[email protected]> wrote:
>>>>
>>>>> interface Virtual-Template2 type tunnel
>>>>>  tunnel protection ipsec profile ipsec_prof
>>>>>
>>>>> 2011/3/5 Bruno <[email protected]>
>>>>>
>>>>>> Hey guys,
>>>>>>
>>>>>> I've been trying to get this stuff working for a while and no luck. I am thinking it's not possible but would like some insights
>>>>>>
>>>>>> R1 <> ASA <> R2
>>>>>>
>>>>>> R1
>>>>>> interface Tunnel100
>>>>>>  ip address 1.1.1.1 255.255.255.0
>>>>>>  tunnel source FastEthernet0/0
>>>>>>  tunnel destination 136.1.122.2
>>>>>>  tunnel mode ipsec ipv4
>>>>>>  tunnel protection ipsec profile ipsec_prof
>>>>>>
>>>>>> R2 initially had the same config and it worked just fine. Then I changed the configuration on R2 to DVTI
>>>>>> interface Virtual-Template2 type tunnel
>>>>>>  ip address 1.1.1.2 255.255.255.0
>>>>>>  tunnel source FastEthernet0/0
>>>>>>  tunnel mode ipsec ipv4
>>>>>>
>>>>>> The interesting thing is that as soon as I configured *"tunnel destination"* pointing to R1 it works. But that's exactly what I do not want to do; supposing R1 had a dynamic ip, it should work without a destination address.
>>>>>>
>>>>>> The log is:
>>>>>> IPSec policy invalidated proposal with error 8
>>>>>> Mar 2 07:20:35.303: ISAKMP:(1013): phase 2 SA policy not acceptable! (local 136.1.122.2 remote 136.1.121.1)
>>>>>> Mar 2 07:20:35.303: ISAKMP: set new node 1645030739 to QM_IDLE
>>>>>> Mar 2 07:20:35.311: ISAKMP:(1013):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
>>>>>>
>>>>>> Any idea is welcome.
>>>>>>
>>>>>> Cisco DOC for VTI
>>>>>> http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gtIPSctm.html
>>>>>>
>>>>>> --
>>>>>> Bruno Fagioli (by Jaunty Jackalope)
>>>>>> Cisco Security Professional
>>>>>>
>>>>>> _______________________________________________
>>>>>> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
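To show the shape of the arrangement Piotr describes (DVTI on the headend bound through an ISAKMP profile, the spoke running as Easy VPN Remote in network-extension mode instead of an SVTI), here is an added IOS configuration sketch; it is not Bruno's lab config or anything from the thread. The group name EZVPN_GROUP, the key placeholder, the profile and transform-set names, Loopback0 and the spoke's inside interface FastEthernet0/1 are assumptions, and it uses a group pre-shared key rather than the rsa-sig authentication seen in Bruno's show output.

```cisco
! Headend (R2): the DVTI is reached only through an ISAKMP profile, so the
! spoke's address is learned at IKE time and no "tunnel destination" is set.
! Added example, not the thread's config; names and key are assumptions.
aaa new-model
aaa authorization network EZVPN_GROUP local
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group EZVPN_GROUP
 key EZVPN_GROUP_KEY_PLACEHOLDER
!
! Only peers presenting this group identity are mapped to Virtual-Template2.
crypto isakmp profile EZVPN_PROF
 match identity group EZVPN_GROUP
 isakmp authorization list EZVPN_GROUP
 client configuration address respond
 virtual-template 2
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto ipsec profile ipsec_prof
 set transform-set TS
 set isakmp-profile EZVPN_PROF
!
interface Virtual-Template2 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ipsec_prof
!
! Spoke (R1): Easy VPN Remote (NEM) replaces the Tunnel100 SVTI. Fa0/0 faces
! the NAT device; Fa0/1 is the inside LAN whose prefix the headend learns from
! the Easy VPN exchange, so no routing protocol runs across the tunnel.
crypto ipsec client ezvpn EZ
 connect auto
 group EZVPN_GROUP key EZVPN_GROUP_KEY_PLACEHOLDER
 mode network-extension
 peer 136.1.122.2
!
interface FastEthernet0/0
 crypto ipsec client ezvpn EZ
!
interface FastEthernet0/1
 crypto ipsec client ezvpn EZ inside
```

On the headend, a successful connection shows up as a cloned Virtual-Access interface rather than a change of state on Virtual-Template2 itself.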
