So here's the "debug crypto isakmp" output of the DMVPN spoke when I change
the transform-set to transport mode:

1250096: May 17 16:44:58.279 UTC: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
1250097: May 17 16:44:58.291 UTC: ISAKMP:(0): SA request profile is (NULL)
1250098: May 17 16:44:58.291 UTC: ISAKMP: Created a peer struct for 111.111.111.111, peer port 500
1250099: May 17 16:44:58.291 UTC: ISAKMP: New peer created peer = 0x47C2184C peer_handle = 0x8000B252
1250100: May 17 16:44:58.291 UTC: ISAKMP: Locking peer struct 0x47C2184C, refcount 1 for isakmp_initiator
1250101: May 17 16:44:58.291 UTC: ISAKMP: local port 500, remote port 500
1250102: May 17 16:44:58.291 UTC: ISAKMP: set new node 0 to QM_IDLE
1250103: May 17 16:44:58.291 UTC: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 49C2CD74
1250104: May 17 16:44:58.291 UTC: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
1250105: May 17 16:44:58.291 UTC: ISAKMP:(0):found peer pre-shared key matching 111.111.111.111
1250106: May 17 16:44:58.291 UTC: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
1250107: May 17 16:44:58.291 UTC: ISAKMP:(0): constructed NAT-T vendor-07 ID
1250108: May 17 16:44:58.291 UTC: ISAKMP:(0): constructed NAT-T vendor-03 ID
1250109: May 17 16:44:58.291 UTC: ISAKMP:(0): constructed NAT-T vendor-02 ID
1250110: May 17 16:44:58.291 UTC: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
1250111: May 17 16:44:58.291 UTC: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

1250112: May 17 16:44:58.291 UTC: ISAKMP:(0): beginning Main Mode exchange
1250113: May 17 16:44:58.291 UTC: ISAKMP:(0): sending packet to 204.108.14.201 my_port 500 peer_port 500 (I) MM_NO_STATE
1250114: May 17 16:44:58.291 UTC: ISAKMP:(0):Sending an IKE IPv4 Packet.
1250116: May 17 16:45:06.467 UTC: ISAKMP:(0):purging node 81046127
1250117: May 17 16:45:06.467 UTC: ISAKMP:(0):purging node -1754295019
1250118: May 17 16:45:08.295 UTC: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
1250119: May 17 16:45:08.295 UTC: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
1250120: May 17 16:45:08.295 UTC: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
1250121: May 17 16:45:08.295 UTC: ISAKMP:(0): sending packet to 111.111.111.111 my_port 500 peer_port 500 (I) MM_NO_STATE
1250122: May 17 16:45:08.295 UTC: ISAKMP:(0):Sending an IKE IPv4 Packet.
1250123: May 17 16:45:08.411 UTC: ISAKMP:(0):purging node 387403375
1250126: May 17 16:45:16.467 UTC: ISAKMP:(0):purging SA., sa=47BFEEA4, delme=47BFEEA4
1250127: May 17 16:45:18.295 UTC: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
1250128: May 17 16:45:18.295 UTC: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
1250129: May 17 16:45:18.295 UTC: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
1250130: May 17 16:45:18.295 UTC: ISAKMP:(0): sending packet to 111.111.111.111 my_port 500 peer_port 500 (I) MM_NO_STATE
1250131: May 17 16:45:18.295 UTC: ISAKMP:(0):Sending an IKE IPv4 Packet.
1250132: May 17 16:45:18.411 UTC: ISAKMP:(0):purging SA., sa=49BC4B84, delme=49BC4B84

On Mon, May 16, 2011 at 10:42 PM, Kingsley Charles <[email protected]> wrote:

> Can you try configuring the transform set of spokes behind NAT using
> transport mode?
>
>
> With regards
> Kings
>
> On Tue, May 17, 2011 at 3:16 AM, Mark Senteza <[email protected]> wrote:
>
>> Hey all,
>>
>> A real scenario that I'd appreciate your opinion on.
>>
>> I've got a DMVPN setup that I'm trying to deploy. The endpoints sit inside
>> the secure network, so I'm using NATs on the ASAs to give them a public
>> presence. The VPN won't come up though, and I'm trying to figure out what
>> I'm missing and where I should be looking. Appreciate any responses.
>>
>>
>> The DMVPN routers sit behind ASAs on either end. The logical topology
>> looks like:
>>
>> Router-R1 (DMVPN HUB) Gi0/0.600 -----Router-RA----------ASA-1--------------------INTERNET-------------------ASA-2---------------Router-RB----------------Gi0/0.603 Router-R2 (DMVPN Spoke)
>>
>> The tunnel source interfaces at both ends have NAT'd IPs on the ASAs and
>> use these IPs for peering.
>>
>> Configs are as follows:
>>
>> *ROUTER-R1* (DMVPN Hub)
>>
>> crypto isakmp policy 10
>>  encr aes
>>  authentication pre-share
>>  group 2
>>
>> crypto isakmp key dmvpnpasswd address 222.222.222.222
>>
>> crypto ipsec transform-set AESSHA-TRANSFORM esp-aes esp-sha-hmac
>>
>> crypto ipsec profile DMVPN
>>   set transform-set AESSHA-TRANSFORM
>>
>>
>> interface Tunnel100
>>  description GI DMVPN Hub Interface
>>  ip address 10.1.1.1 255.255.255.248
>>  no ip redirects
>>  no ip next-hop-self eigrp 100
>>  ip nhrp map multicast dynamic
>>  ip nhrp network-id 100
>>  no ip split-horizon eigrp 100
>>  delay 150000
>>  tunnel source GigabitEthernet0/0.600
>>  tunnel mode gre multipoint
>>  tunnel key 100
>>  tunnel protection ipsec profile DMVPN
>>
>> interface GigabitEthernet0/0.600
>>   ip address 10.10.1.1 255.255.255.0
>>
>> router eigrp 100
>>  passive-interface default
>>  no passive-interface Tunnel100
>>  network 10.255.254.48 0.0.0.7
>>  no auto-summary
>>
>>
>> *ASA-1*
>>
>> static (inside,outside) 111.111.111.111 10.10.1.1 netmask 255.255.255.255
>>
>>   access-list OUTSIDE line 66 extended permit esp host 222.222.222.222 host 111.111.111.111 (hitcnt=0) 0x628ac306
>>   access-list OUTSIDE line 66 extended permit gre host 222.222.222.222 host 111.111.111.111 (hitcnt=0) 0x1e349ff8
>>   access-list OUTSIDE line 66 extended permit udp host 222.222.222.222 host 111.111.111.111 eq isakmp (hitcnt=0) 0x0a22d45b
>>   access-list OUTSIDE line 66 extended permit udp host 222.222.222.222 host 111.111.111.111 eq 4500 (hitcnt=0)
>>
>> **************************************
>>
>> *ROUTER-R2*
>>
>> crypto isakmp policy 10
>>  encr aes
>>  authentication pre-share
>>  group 2
>>
>> crypto isakmp key dmvpnpasswd address 111.111.111.111
>>
>> crypto ipsec transform-set AESSHA-TRANSFORM esp-aes esp-sha-hmac
>>
>> crypto ipsec profile DMVPN
>>   set transform-set AESSHA-TRANSFORM
>>
>> interface Tunnel100
>>  description GI DMVPN Spoke Interface
>>  ip address 10.1.1.2 255.255.255.248
>>  no ip redirects
>>  ip nhrp map 10.1.1.1 111.111.111.111
>>  ip nhrp map multicast 111.111.111.111
>>  ip nhrp network-id 100
>>  ip nhrp nhs 10.1.1.1
>>  delay 150000
>>  tunnel source GigabitEthernet0/0.603
>>  tunnel mode gre multipoint
>>  tunnel key 100
>>  tunnel protection ipsec profile DMVPN
>>
>> interface GigabitEthernet0/0.603
>>   ip address 10.20.2.2 255.255.255.0    <- This has been NAT'd to 222.222.222.222 on the ASA-B firewall, which I don't have visibility into.
>>
>> router eigrp 100
>>  passive-interface default
>>  no passive-interface Tunnel100
>>  network 10.1.1.0 0.0.0.7
>>  no auto-summary
>>
>>
>> *Observations:*
>>
>> 1. I can ping from the DMVPN spoke to the DMVPN hub using the public IPs,
>> and I see the hit count on the ASA increasing, so I know for sure that the
>> routing is fine and the NAT on the remote ASA that I don't manage is
>> correct.
>> 2. None of the crypto protocol traffic I'm allowing inbound shows any hit
>> count.
>>
>> 3. The following is the "show crypto isakmp sa" output from the DMVPN
>> spoke (Router-2)
>>
>> dst              src          state         conn-id  status
>> 111.111.111.111  10.20.2.2    MM_NO_STATE   0        ACTIVE
>> 111.111.111.111  10.20.2.2    MM_NO_STATE   0        ACTIVE (deleted)
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
>>
>> Are you a CCNP or CCIE and looking for a job? Check out
>> www.PlatinumPlacement.com
>>
>
>
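As an added example (not code from anyone in this thread), a small Python triage script for IOS "debug crypto isakmp" output of the kind posted above: it counts packets sent and received, follows the Old State/New State transitions and the retransmit counter, and reports whether the initiator ever heard back from the peer, which is the first question to settle before changing any crypto parameters. The samples are constructed to mirror the thread's lines; the "received packet from" line format is assumed from IOS ISAKMP debugging.

```python
import re

# Constructed samples, modelled on the IOS "debug crypto isakmp" format in the
# thread above (peer address kept as the thread's sanitized 111.111.111.111).
STUCK = """\
1250111: May 17 16:44:58.291 UTC: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
1250113: May 17 16:44:58.291 UTC: ISAKMP:(0): sending packet to 111.111.111.111 my_port 500 peer_port 500 (I) MM_NO_STATE
1250119: May 17 16:45:08.295 UTC: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
1250121: May 17 16:45:08.295 UTC: ISAKMP:(0): sending packet to 111.111.111.111 my_port 500 peer_port 500 (I) MM_NO_STATE
1250128: May 17 16:45:18.295 UTC: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
"""
# Constructed healthy case: the responder answers and the state machine advances.
HEALTHY = """\
1000001: May 17 16:44:58.291 UTC: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
1000002: May 17 16:44:58.291 UTC: ISAKMP:(0): sending packet to 111.111.111.111 my_port 500 peer_port 500 (I) MM_NO_STATE
1000003: May 17 16:44:58.402 UTC: ISAKMP (0): received packet from 111.111.111.111 dport 500 sport 500 Global (I) MM_NO_STATE
1000004: May 17 16:44:58.402 UTC: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
"""

SEND_RE = re.compile(r"sending packet to (\S+) my_port (\d+) peer_port (\d+)")
RECV_RE = re.compile(r"received packet from (\S+) dport (\d+) sport (\d+)")
STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
RETRANS_RE = re.compile(r"attempt (\d+) of (\d+): retransmit phase (\d)")

def triage_isakmp_debug(text):
    """Summarise one initiator's phase 1 attempt and say where to look next."""
    s = {"peer": None, "port": None, "sent": 0, "received": 0,
         "last_state": None, "retransmits": 0, "max_retransmits": None}
    for line in text.splitlines():
        if m := SEND_RE.search(line):
            s["peer"], s["port"], s["sent"] = m[1], int(m[3]), s["sent"] + 1
        elif m := RECV_RE.search(line):
            s["received"] += 1
        elif m := STATE_RE.search(line):
            s["last_state"] = m[2]
        elif m := RETRANS_RE.search(line):
            s["retransmits"], s["max_retransmits"] = int(m[1]), int(m[2])
    if s["sent"] and not s["received"]:
        # MM1 goes out repeatedly and nothing ever comes back: a path problem
        # (routing, NAT, firewall rules for udp/500 and udp/4500), not a
        # proposal mismatch. Phase 2 settings such as the transform set or
        # tunnel/transport mode cannot be the cause of this pattern.
        s["verdict"] = "no_reply_from_peer"
    elif s["last_state"] in (None, "IKE_I_MM1"):
        s["verdict"] = "no_phase1_progress"   # answered, but stuck at MM1
    else:
        s["verdict"] = "phase1_progressing"
    return s
```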