Well, some crypto isakmp debug output would be helpful.

On Mon, May 16, 2011 at 6:46 PM, Mark Senteza <[email protected]> wrote:
> Hey all,
>
> A real scenario that I'd appreciate your opinion on.
>
> I've got a DMVPN setup that I'm trying to deploy. The endpoints sit inside
> the secure network, so I'm using NATs on the ASAs to give them a public
> presence. The VPN won't come up though, and I'm trying to figure out what I'm
> missing and where I should be looking. Appreciate any responses.
>
> The DMVPN routers sit behind ASAs on either end. The logical topology looks
> like:
>
> *Router-R1 (DMVPN HUB) Gi0/0.600 -----Router-RA----------ASA-1*
> --------------------INTERNET-------------------*ASA-2---------------Router-RB----------------Gi0/0.603
> Router-R2 (DMVPN Spoke)*
>
> The tunnel source interfaces at both ends have NAT'd IPs on the ASAs and
> use these IPs for peering.
>
> Configs are as follows:
>
> *ROUTER-R1* (DMVPN Hub)
>
> crypto isakmp policy 10
>  encr aes
>  authentication pre-share
>  group 2
>
> crypto isakmp key dmvpnpasswd address 222.222.222.222
>
> crypto ipsec transform-set AESSHA-TRANSFORM esp-aes esp-sha-hmac
>
> crypto ipsec profile DMVPN
>  set transform-set AESSHA-TRANSFORM
>
> interface Tunnel100
>  description GI DMVPN Hub Interface
>  ip address 10.1.1.1 255.255.255.248
>  no ip redirects
>  no ip next-hop-self eigrp 100
>  ip nhrp map multicast dynamic
>  ip nhrp network-id 100
>  no ip split-horizon eigrp 100
>  delay 150000
>  tunnel source GigabitEthernet0/0.600
>  tunnel mode gre multipoint
>  tunnel key 100
>  tunnel protection ipsec profile DMVPN
>
> interface GigabitEthernet0/0.600
>  ip address 10.10.1.1 255.255.255.0
>
> router eigrp 100
>  passive-interface default
>  no passive-interface Tunnel100
>  network 10.255.254.48 0.0.0.7
>  no auto-summary
>
> *ASA-1*
>
> static (inside,outside) 111.111.111.111 10.10.1.1 netmask 255.255.255.255
>
> access-list OUTSIDE line 66 extended permit esp host 222.222.222.222 host 111.111.111.111 (hitcnt=0) 0x628ac306
> access-list OUTSIDE line 66 extended permit gre host 222.222.222.222 host 111.111.111.111 (hitcnt=0) 0x1e349ff8
> access-list OUTSIDE line 66 extended permit udp host 222.222.222.222 host 111.111.111.111 eq isakmp (hitcnt=0) 0x0a22d45b
> access-list OUTSIDE line 66 extended permit udp host 222.222.222.222 host 111.111.111.111 eq 4500 (hitcnt=0)
>
> **************************************
>
> *ROUTER-R2*
>
> crypto isakmp policy 10
>  encr aes
>  authentication pre-share
>  group 2
>
> crypto isakmp key dmvpnpasswd address 111.111.111.111
>
> crypto ipsec transform-set AESSHA-TRANSFORM esp-aes esp-sha-hmac
>
> crypto ipsec profile DMVPN
>  set transform-set AESSHA-TRANSFORM
>
> interface Tunnel100
>  description GI DMVPN Spoke Interface
>  ip address 10.1.1.2 255.255.255.248
>  no ip redirects
>  ip nhrp map 10.1.1.1 111.111.111.111
>  ip nhrp map multicast 111.111.111.111
>  ip nhrp network-id 100
>  ip nhrp nhs 10.1.1.1
>  delay 150000
>  tunnel source GigabitEthernet0/0.603
>  tunnel mode gre multipoint
>  tunnel key 100
>  tunnel protection ipsec profile DMVPN
>
> interface GigabitEthernet0/0.603
>  ip address 10.20.2.2 255.255.255.0   <- This has been NAT'd to 222.222.222.222
>                                          on the ASA-B firewall, which I don't
>                                          have visibility into.
>
> router eigrp 100
>  passive-interface default
>  no passive-interface Tunnel100
>  network 10.1.1.0 0.0.0.7
>  no auto-summary
>
> *Observations:*
>
> 1. I can ping from the DMVPN spoke to the DMVPN hub, using the public IPs,
> and I see the hit count on the ASA increasing, so I know for sure that the
> routing is fine and the NAT on the remote ASA that I don't manage is
> correct.
> 2. None of the crypto protocol traffic I'm allowing inbound shows any hit
> count.
> 3. The following is the "show crypto isakmp sa" output from the DMVPN spoke
> (Router-2):
>
> dst             src             state          conn-id status
> 111.111.111.111 10.20.2.2       MM_NO_STATE          0 ACTIVE
> 111.111.111.111 10.20.2.2       MM_NO_STATE          0 ACTIVE (deleted)
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com

-- 
Bruno Fagioli (by Jaunty Jackalope)
Cisco Security Professional
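An added triage helper, not part of this thread or of either poster's configuration, that turns the two outputs quoted above into concrete findings: it parses "show crypto isakmp sa" rows from the spoke and "(hitcnt=N)" counters from the ASA access list, flags an SA stuck in MM_NO_STATE (the ISAKMP SA exists locally but no peer reply has been processed), flags an IKE source that is a private address (the peer is behind NAT, so the remote side must see the translated address and UDP/4500 must pass), and flags zero-hit IKE entries on the firewall. The sample text is constructed from the values in the post; the function and field names are this example's own.

```python
"""Triage helper for an IKE peer that never gets past MM_NO_STATE.

Added example, not part of the original mailing-list thread. It parses the
two outputs the poster supplied ("show crypto isakmp sa" on the spoke and
"show access-list" hit counts on the hub-side ASA) and turns them into
findings a practitioner would check next. The sample text below is
constructed from the values quoted in the thread.
"""
import ipaddress
import re

# Constructed sample: "show crypto isakmp sa" as posted for the spoke.
SAMPLE_ISAKMP_SA = """\
dst             src             state          conn-id status
111.111.111.111 10.20.2.2       MM_NO_STATE          0 ACTIVE
111.111.111.111 10.20.2.2       MM_NO_STATE          0 ACTIVE (deleted)
"""

# Constructed sample: the four OUTSIDE ACL entries with their hit counts.
SAMPLE_ASA_ACL = """\
access-list OUTSIDE line 66 extended permit esp host 222.222.222.222 host 111.111.111.111 (hitcnt=0) 0x628ac306
access-list OUTSIDE line 66 extended permit gre host 222.222.222.222 host 111.111.111.111 (hitcnt=0) 0x1e349ff8
access-list OUTSIDE line 66 extended permit udp host 222.222.222.222 host 111.111.111.111 eq isakmp (hitcnt=0) 0x0a22d45b
access-list OUTSIDE line 66 extended permit udp host 222.222.222.222 host 111.111.111.111 eq 4500 (hitcnt=0)
"""

# Matches one "show access-list" entry of the form host A -> host B [eq port].
ACL_RE = re.compile(
    r"access-list (?P<name>\S+) line (?P<line>\d+) extended permit (?P<proto>\w+) "
    r"host (?P<src>\S+) host (?P<dst>\S+)(?: eq (?P<port>\S+))? \(hitcnt=(?P<hits>\d+)\)"
)


def parse_isakmp_sa(text):
    """Return one dict per SA row; the header line is skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] == "dst":
            continue
        dst, src, state, conn_id, status = parts[:5]
        rows.append({
            "dst": dst, "src": src, "state": state,
            "conn_id": int(conn_id), "status": status,
            "deleted": "(deleted)" in line,
        })
    return rows


def parse_acl_hits(text):
    """Return one dict per ACL entry that carries a (hitcnt=N) counter."""
    return [
        {
            "proto": m.group("proto"), "src": m.group("src"), "dst": m.group("dst"),
            "port": m.group("port"), "hits": int(m.group("hits")),
        }
        for m in ACL_RE.finditer(text)
    ]


def diagnose(sa_text, acl_text):
    """Cross-check the spoke's IKE state against the hub-side ACL counters."""
    findings = []
    for sa in parse_isakmp_sa(sa_text):
        if sa["deleted"]:
            continue  # stale entry, nothing to act on
        if sa["state"] == "MM_NO_STATE":
            findings.append(
                f"IKE main mode to {sa['dst']} is stuck in MM_NO_STATE: the SA "
                "was created locally but no reply from the peer has been processed."
            )
        if ipaddress.ip_address(sa["src"]).is_private:
            findings.append(
                f"IKE source {sa['src']} is a private address, so this peer is behind "
                "NAT; the remote side must expect the translated address and UDP/4500 "
                "(NAT-T) must be permitted end to end."
            )
    for e in parse_acl_hits(acl_text):
        if e["proto"] == "udp" and e["port"] in ("isakmp", "500", "4500") and e["hits"] == 0:
            findings.append(
                f"No udp/{e['port']} packets from {e['src']} to {e['dst']} have matched "
                "the ACL: IKE is not reaching this firewall from the expected source."
            )
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_ISAKMP_SA, SAMPLE_ASA_ACL):
        print("-", finding)
```

The parsers accept any "show crypto isakmp sa" table and any host-to-host "show access-list" entries, not only the four lines quoted here, so the same script can be pointed at both ASAs once the far side's counters are available; the ESP and GRE entries are deliberately ignored, since they cannot count hits until phase 1 completes.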
