Remove the ipsec profiles and start by troubleshooting GRE.  If you can get 
that to work then work on the IPsec configuration.  Provide more debugs when 
you do so.

 

Regards,

 

Tyson Scott - CCIE #13513 R&S, Security, and SP
Managing Partner / Sr. Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: http://www.ipexpert.com/chat
eFax: +1.810.454.0130

 

IPexpert is a premier provider of Self-Study Workbooks, Video on Demand, Audio 
Tools, Online Hardware Rental and Classroom Training for the Cisco CCIE (R&S, 
Voice, Security & Service Provider) certification(s) with training locations 
throughout the United States, Europe, South Asia and Australia. Be sure to 
visit our online communities at http://www.ipexpert.com/communities and our 
public website at http://www.ipexpert.com/

 

From: [email protected] On Behalf Of Bruno
Sent: Monday, May 16, 2011 6:50 PM
To: Mark Senteza
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] DMVPN troubleshooting

 

Well, some crypto isakmp debug output would be helpful.

On Mon, May 16, 2011 at 6:46 PM, Mark Senteza <[email protected]> wrote:

Hey all,

A real scenario that I'd appreciate your opinion on. 

I've got a DMVPN setup that I'm trying to deploy. The endpoints sit inside the 
secure network, so I'm using NATs on the ASAs to give them a public presence. 
The VPN won't come up though, and I'm trying to figure out what I'm missing and 
where I should be looking. Appreciate any responses.


The DMVPN routers sit behind ASAs on either end. The logical topology looks 
like:

Router-R1 (DMVPN Hub) Gi0/0.600 ----- Router-RA ----- ASA-1 ----- INTERNET -----
ASA-2 ----- Router-RB ----- Gi0/0.603 Router-R2 (DMVPN Spoke)

The tunnel source interfaces at both ends have NAT'd IPs on the ASAs and use 
these IPs for peering. 

Configs are as follows:

ROUTER-R1 (DMVPN Hub)

crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2

crypto isakmp key dmvpnpasswd address 222.222.222.222

crypto ipsec transform-set AESSHA-TRANSFORM esp-aes esp-sha-hmac 

crypto ipsec profile DMVPN
  set transform-set AESSHA-TRANSFORM 


interface Tunnel100
 description GI DMVPN Hub Interface
 ip address 10.1.1.1 255.255.255.248
 no ip redirects
 no ip next-hop-self eigrp 100
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 no ip split-horizon eigrp 100
 delay 150000
 tunnel source GigabitEthernet0/0.600
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN

interface GigabitEthernet0/0.600
  ip address 10.10.1.1 255.255.255.0

router eigrp 100
 passive-interface default
 no passive-interface Tunnel100
 network 10.255.254.48 0.0.0.7
 no auto-summary


ASA-1

static (inside,outside) 111.111.111.111 10.10.1.1 netmask 255.255.255.255 

  access-list OUTSIDE line 66 extended permit esp host 222.222.222.222 host 111.111.111.111 (hitcnt=0) 0x628ac306
  access-list OUTSIDE line 66 extended permit gre host 222.222.222.222 host 111.111.111.111 (hitcnt=0) 0x1e349ff8
  access-list OUTSIDE line 66 extended permit udp host 222.222.222.222 host 111.111.111.111 eq isakmp (hitcnt=0) 0x0a22d45b
  access-list OUTSIDE line 66 extended permit udp host 222.222.222.222 host 111.111.111.111 eq 4500 (hitcnt=0)

**************************************

ROUTER-R2

crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2

crypto isakmp key dmvpnpasswd address 111.111.111.111

crypto ipsec transform-set AESSHA-TRANSFORM esp-aes esp-sha-hmac 

crypto ipsec profile DMVPN
  set transform-set AESSHA-TRANSFORM 

interface Tunnel100
 description GI DMVPN Spoke Interface
 ip address 10.1.1.2 255.255.255.248
 no ip redirects
 ip nhrp map 10.1.1.1 111.111.111.111
 ip nhrp map multicast 111.111.111.111
 ip nhrp network-id 100
 ip nhrp nhs 10.1.1.1
 delay 150000
 tunnel source GigabitEthernet0/0.603
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN

interface GigabitEthernet0/0.603
  ip address 10.20.2.2 255.255.255.0

(This address has been NAT'd to 222.222.222.222 on the ASA-B firewall, which I 
don't have visibility into.)

router eigrp 100
 passive-interface default
 no passive-interface Tunnel100
 network 10.1.1.0 0.0.0.7
 no auto-summary


Observations:

1. I can ping from the DMVPN spoke to the DMVPN hub using the public IPs, and I 
see the hit count on the ASA increasing, so I know for sure that the routing is 
fine and the NAT on the remote ASA that I don't manage is correct.

2. None of the crypto protocol traffic I'm allowing inbound shows any hit count.

3. The following is the "show crypto isakmp sa" output from the DMVPN spoke 
(Router-R2):

dst              src          state         conn-id  status
111.111.111.111  10.20.2.2    MM_NO_STATE   0        ACTIVE
111.111.111.111  10.20.2.2    MM_NO_STATE   0        ACTIVE (deleted)





_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com

Are you a CCNP or CCIE and looking for a job? Check out 
www.PlatinumPlacement.com




-- 
Bruno Fagioli (by Jaunty Jackalope)
Cisco Security Professional

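As an added example (not code from the thread or from any of its participants), here is a small Python triage script that puts Mark's two observations side by side: it parses the ASA "show access-list" entries with their hit counters and the IOS "show crypto isakmp sa" rows as pasted above, checks that every flow an IPsec-protected mGRE tunnel needs (UDP/500, UDP/4500, ESP, GRE) is permitted, and then tells MM_NO_STATE-with-zero-ISAKMP-hits (the initiator's IKE never reached the hub-side firewall) apart from MM_NO_STATE-with-hits (IKE arrived but the exchange stalled). The sample input is constructed from the outputs quoted in the thread; the regular expressions assume the line formats exactly as pasted there, the EXPECTED_FLOWS table assumes a DMVPN tunnel that uses an IPsec profile, and the finding texts are my own wording.

```python
import re

# Constructed sample input, copied from the thread: ASA-1's inbound ACL entries
# (hitcnt as reported) and the spoke's "show crypto isakmp sa" output.
ASA_ACL_OUTPUT = """\
access-list OUTSIDE line 66 extended permit esp host 222.222.222.222 host 111.111.111.111 (hitcnt=0) 0x628ac306
access-list OUTSIDE line 66 extended permit gre host 222.222.222.222 host 111.111.111.111 (hitcnt=0) 0x1e349ff8
access-list OUTSIDE line 66 extended permit udp host 222.222.222.222 host 111.111.111.111 eq isakmp (hitcnt=0) 0x0a22d45b
access-list OUTSIDE line 66 extended permit udp host 222.222.222.222 host 111.111.111.111 eq 4500 (hitcnt=0)
"""

ISAKMP_SA_OUTPUT = """\
dst             src             state          conn-id status
111.111.111.111 10.20.2.2       MM_NO_STATE    0       ACTIVE
111.111.111.111 10.20.2.2       MM_NO_STATE    0       ACTIVE (deleted)
"""

# Flows an IPsec-protected mGRE tunnel needs through the hub-side firewall
# (assumption: DMVPN with "tunnel protection ipsec profile", as in the thread).
EXPECTED_FLOWS = {
    ("udp", "500"): "ISAKMP (IKE phase 1)",
    ("udp", "4500"): "NAT-T (IKE and ESP in UDP once NAT is detected)",
    ("esp", None): "ESP (IPsec data when NAT-T is not in use)",
    ("gre", None): "GRE (only used if the tunnel runs without IPsec)",
}

# ASA "show access-list" entry: proto, host src, host dst, optional "eq port", hitcnt.
ACL_RE = re.compile(
    r"access-list\s+(?P<acl>\S+)\s+line\s+\d+\s+extended\s+permit\s+"
    r"(?P<proto>\S+)\s+host\s+(?P<src>\S+)\s+host\s+(?P<dst>\S+)"
    r"(?:\s+eq\s+(?P<port>\S+))?\s+\(hitcnt=(?P<hits>\d+)\)"
)
# IOS "show crypto isakmp sa" data row: dst src state conn-id status.
SA_RE = re.compile(
    r"^(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<state>\S+)\s+(?P<conn>\d+)\s+(?P<status>.+?)\s*$"
)


def parse_asa_acl(text):
    """Return one dict per ACL entry that carries a hit counter."""
    entries = []
    for line in text.splitlines():
        m = ACL_RE.search(line)
        if not m:
            continue
        e = m.groupdict()
        e["hits"] = int(e["hits"])
        # The ASA prints well-known ports by name; normalise isakmp to 500.
        if e["port"] == "isakmp":
            e["port"] = "500"
        entries.append(e)
    return entries


def parse_isakmp_sa(text):
    """Return one dict per SA row; the header line does not match and is skipped."""
    return [m.groupdict() for m in (SA_RE.match(l) for l in text.splitlines()) if m]


def triage(acl_text, sa_text, peer, local):
    """Combine firewall hit counts and IKE state into actionable findings."""
    findings = []
    # Only the entries for this peer-to-hub pair matter for the tunnel.
    hits = {(e["proto"], e["port"]): e["hits"]
            for e in parse_asa_acl(acl_text)
            if e["src"] == peer and e["dst"] == local}
    for flow, desc in EXPECTED_FLOWS.items():
        if flow not in hits:
            findings.append(f"missing ACL entry for {desc} from {peer} to {local}")
    sas = parse_isakmp_sa(sa_text)
    stuck = [s for s in sas if s["state"] == "MM_NO_STATE"]
    ike_seen = hits.get(("udp", "500"), 0) + hits.get(("udp", "4500"), 0)
    if stuck and ike_seen == 0:
        findings.append(
            "IKE stuck in MM_NO_STATE and the hub-side firewall counted no ISAKMP "
            "or NAT-T packets from the peer: the initiator's IKE never arrived, "
            "so check the path and the spoke-side NAT before the crypto config")
    elif stuck:
        findings.append(
            "IKE stuck in MM_NO_STATE although ISAKMP packets reached the firewall: "
            "the hub got IKE but the exchange did not progress, so debug isakmp "
            "on the hub (policy or key mismatch, or the reply is not routed back)")
    elif sas:
        findings.append("no SA in MM_NO_STATE; phase 1 is progressing")
    return findings


if __name__ == "__main__":
    for finding in triage(ASA_ACL_OUTPUT, ISAKMP_SA_OUTPUT,
                          "222.222.222.222", "111.111.111.111"):
        print(finding)
```

On the thread's own data the script reports a single finding: all four permits exist, both ISAKMP entries sit at hitcnt=0, and the spoke's SA is in MM_NO_STATE, which matches Tyson's suggestion to take IPsec out of the picture and get plain GRE across the NATs first.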