dslreports logo
 
    All Forums Hot Topics Gallery
spc
Search similar:


uniqs
1820

Remoter
@bredbandsbolaget.se

Remoter

Anon

[HELP] DmVPN Help needed

Hello guys

I would really appreciate if someone could take a look at these configs and see if i made any errors. The HUB router was configured by someone else and it is working, i know this because there are other sites connected to it already that works. It seems to me isakmp has established but ipsec has not, im totally a newbie when configuring dmvpn's.

I have changed the public addresses in these configs just to be "anonymous", so HUB router has 10.10.10.10 as public ip and Spoke router has 20.20.20.20. The already working spoke i have changed to 30.30.30.30.

Here is some output of commands that i ran to check connectivity and tunnel status.

###SPOKE ROUTER COMMANDS###

Spoke#show dmvpn

Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel0, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,

# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 10.10.10.10 192.168.253.1 IPSEC 01:07:52 S

##Show crypto isakmp sa##

Spoke#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
10.10.10.10 20.20.20.20 QM_IDLE 2004 ACTIVE

IPv6 Crypto ISAKMP SA

##Show crypto ipsec sa##

Spoke#Show crypto ipsec sa

interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 20.20.20.20

protected vrf: (none)
local ident (addr/mask/prot/port): (20.20.20.20/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (10.10.10.10/255.255.255.255/47/0)
current_peer 10.10.10.10 port 500
PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1029, #recv errors 0

local crypto endpt.: 20.20.20.20, remote crypto endpt.: 10.10.10.10
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

###HUB ROUTER COMMANDS###

##This shows a working tunnel to another site###

HUB#Show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel10, IPv4 NHRP Details
Type:Hub, NHRP Peers:1,

# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 172.16.4.10 192.168.253.3 UP 5w5d D

##Show crypto isakmp sa##

HUB#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
10.10.10.10 30.30.30.30 QM_IDLE 4223 ACTIVE
10.10.10.10 20.20.20.20 QM_IDLE 4224 ACTIVE

IPv6 Crypto ISAKMP SA

##Show crypto ipsec sa##

HUB#Show crypto ipsec sa

interface: Tunnel10
Crypto map tag: Tunnel10-head-0, local addr 10.10.10.10

protected vrf: (none)
local ident (addr/mask/prot/port): (10.10.10.10/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (172.16.4.10/255.255.255.255/47/0)
current_peer 30.30.30.30 port 4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 783219, #pkts encrypt: 783219, #pkts digest: 783219
#pkts decaps: 783023, #pkts decrypt: 783023, #pkts verify: 783023
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 10.10.10.10, remote crypto endpt.: 30.30.30.30
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0xA383C251(2743321169)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0x4D743FC8(1299464136)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2053, flow_id: Onboard VPN:53, sibling_flags 80000046, crypto m ap: Tunnel10-head-0
sa timing: remaining key lifetime (k/sec): (4604026/633)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xA383C251(2743321169)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2054, flow_id: Onboard VPN:54, sibling_flags 80000046, crypto m ap: Tunnel10-head-0
sa timing: remaining key lifetime (k/sec): (4604125/633)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:

###HUB ROUTER CONF###
Current configuration : 2714 bytes
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname HUB
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
!
ip domain name company.com
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
!
license boot module c1900 technology-package securityk9
!
!
!
redundancy
!
!
!
!
!
crypto keyring TRNSS-KEYRING
pre-shared-key address 0.0.0.0 0.0.0.0 key Cisco123
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp profile TRNSS-DMVPN-ISAKMP
keyring TRNSS-KEYRING
match identity address 0.0.0.0
keepalive 15 retry 10
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile TRNSS-DMVPN-IPSEC
set transform-set ESP-3DES-SHA
set isakmp-profile TRNSS-DMVPN-ISAKMP
!
!
!
!
!
!
interface Tunnel0
no ip address
!
interface Tunnel10
description SIMSERVICE mGRE
bandwidth 1000
ip address 192.168.253.1 255.255.255.0
no ip redirects
ip mtu 1400
ip hold-time eigrp 10 35
ip nhrp authentication Cisco123
ip nhrp map multicast dynamic
ip nhrp network-id 101
ip nhrp holdtime 360
ip tcp adjust-mss 1360
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key 101
tunnel protection ipsec profile TRNSS-DMVPN-IPSEC
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address 10.10.10.10 255.255.255.0
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 192.168.65.5 255.255.255.240
duplex auto
speed auto
!
!
router eigrp 10
network 192.168.65.0 0.0.0.15
network 192.168.253.0
redistribute ospf 10 metric 10000 10 40 10 1400
!
router ospf 10
redistribute eigrp 10 subnets
network 192.168.65.0 0.0.0.15 area 5
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 10.10.10.10
!
access-list 20 permit 10.100.0.45
!
!
!
!
!
snmp-server community publickO314plyA RO 20
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
exec-timeout 0 0
login local
transport input ssh
line vty 5 15
login
transport input ssh
!
scheduler allocate 20000 1000
end

###SPOKE ROUTER CONF###

Current configuration : 2555 bytes
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Spoke1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
memory-size iomem 10
crypto pki token default removal timeout 0
!
!
ip source-route
!
!
!
!
!
ip cef
no ip domain lookup
ip domain name company.com
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
ip ssh version 2
!
crypto keyring SIMSERVICE
pre-shared-key address 10.10.10.10 key Cisco123
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp profile SIMSERVICE-DMVPN-ISAKMP
keyring SIMSERVICE
match identity address 0.0.0.0
keepalive 15 retry 10
!
!
crypto ipsec transform-set SIMSERVICE-TRANSFORM-SET esp-3des esp-sha-hmac
mode transport
!
crypto ipsec profile SIMSERVICE-DMVPN-IPSEC
set transform-set SIMSERVICE-TRANSFORM-SET
set isakmp-profile SIMSERVICE-DMVPN-ISAKMP
!
!
!
!
!
!
interface Tunnel0
bandwidth 1000
ip address 192.168.253.6 255.255.255.0
no ip redirects
ip mtu 1400
ip hold-time eigrp 10 35
no ip next-hop-self eigrp 10
ip nhrp authentication Cisco123
ip nhrp map 192.168.253.1 10.10.10.10
ip nhrp map multicast 10.10.10.10
ip nhrp network-id 101
ip nhrp holdtime 360
ip nhrp nhs 192.168.253.1
ip tcp adjust-mss 1360
no ip split-horizon eigrp 10
tunnel source FastEthernet4
tunnel mode gre multipoint
tunnel key 101
tunnel protection ipsec profile SIMSERVICE-DMVPN-IPSEC
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
shutdown
!
interface FastEthernet2
no ip address
shutdown
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
description internet
ip address 20.20.20.20 255.255.255.252
duplex auto
speed auto
!
interface Vlan1
ip address 172.30.9.1 255.255.0.0
!
!
router eigrp 10
network 172.30.0.0
network 192.168.253.0
eigrp stub connected
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip route 0.0.0.0 0.0.0.0 20.20.20.20
ip route 192.168.253.0 255.255.255.0 Tunnel0
!
!
!
!
!
!
control-plane
!
!
line con 0
login local
line aux 0
login local
line vty 0 4
exec-timeout 0 0
login local
transport input ssh
!
end
HELLFIRE
MVM
join:2009-11-25

HELLFIRE

MVM

Haven't done any DMVPN, but one place I'd suggest starting is here. Cisco also should have some config guides to start you off.

My 00000010bits

Regards

Remoter
@bredbandsbolaget.se

Remoter

Anon

said by HELLFIRE:

Haven't done any DMVPN, but one place I'd suggest starting is here. Cisco also should have some config guides to start you off.

My 00000010bits

Regards

Hello, thank you for reply. I have been going through alot of cisco guides on this, as far as i can see cisco's guides looks more simpler than the actual configuration on the hub router, if it were up to me i would redo the conf on the hub as well but that conf is basically hands off since there are already sites connected to it.
ladino
join:2001-02-24
USA

ladino to Remoter

Member

to Remoter
Here is a config that I know to work & scales well even when numerous remotes sites connect to the hub

HUB
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key Cisco123 address 0.0.0.0        
crypto isakmp invalid-spi-recovery
crypto isakmp nat keepalive 20
!
!
crypto ipsec transform-set ABC esp-3des esp-md5-hmac 
 mode transport require
!
!
crypto ipsec profile TRNSS-DMVPN-IPSEC
 set transform-set ABC 
!
 
!
interface Tunnel1
 ip address 192.168.253.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 no ip next-hop-self eigrp 1
 no ip split-horizon eigrp 1
 ip nhrp authentication Cisco123
 ip nhrp map multicast dynamic
 ip nhrp network-id 101
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 101
 tunnel protection ipsec profile TRNSS-DMVPN-IPSEC
!
 

SPOKE

!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key Cisco123 address 0.0.0.0
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 periodic
crypto isakmp nat keepalive 20
!
!
crypto ipsec transform-set ABC esp-3des esp-md5-hmac 
 mode transport require
crypto ipsec df-bit clear
!
!
crypto ipsec profile TRNSS-DMVPN-IPSEC
 set transform-set ABC
!
interface Tunnel1
 ip address 192.168.253.6 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication Cisco123
 ip nhrp map multicast dynamic
 ip nhrp map multicast 10.10.10.10
 ip nhrp map 192.168.253.1 10.10.10.10
 ip nhrp network-id 101
 ip nhrp nhs 192.168.253.1
 ip tcp adjust-mss 1360
 tunnel source FastEthernet4
 tunnel mode gre multipoint
 tunnel key 101
 tunnel protection ipsec profile TRNSS-DMVPN-IPSEC shared
!
 

The below link is a good link to refer to also
»www.cisco.com/en/US/tech ··· f7.shtml
markysharkey
Premium Member
join:2012-12-20
united kingd

markysharkey

Premium Member

How come the hub has
tunnel protection ipsec profile TRNSS-DMVPN-IPSEC
 
and the spoke has
tunnel protection ipsec profile TRNSS-DMVPN-IPSEC shared
 
?

Paulg
Displaced Yooper
Premium Member
join:2004-03-15
Neenah, WI

Paulg to ladino

Premium Member

to ladino
3DES? ugh, why?
markysharkey
Premium Member
join:2012-12-20
united kingd

markysharkey

Premium Member

Why not?

Paulg
Displaced Yooper
Premium Member
join:2004-03-15
Neenah, WI

Paulg

Premium Member

Why would you not use the strongest encryption possible?
tired_runner
Premium Member
join:2000-08-25
CT
·Frontier FiberOp..

tired_runner

Premium Member

If I'm not mistaken, 3DES may have a smaller keyspace compared to 256-bit AES but it has resisted brute force attacks much longer than AES and is consequently considered more trusthworthy.

I personally use 256-bit AES for authentication and encryption though.
ladino
join:2001-02-24
USA

ladino to Remoter

Member

to Remoter
Shared IPSec is required in some DMVPN configuration, especially when you have multiple tunnels with tunnel protection, sourced from the same tunnel source interface towards the same destination.
EG. in dual DMVPN topology, each spoke forms 2 tunnels, one to each hub.

Since your source interface is the same to both hubs, the 'shared' command is required. This allows a single IPsec SA to be used for all GRE tunnels between the same two endpoints. Otherwise if 'shared' is not used, the tunnel will flap.

I mentioned my example scales well, since most people start of with a single hub & eventually add hubs for redundancy & scalablity. My example can be used in a single or multiple hub topology

3DES & AES is a matter of user opinion & hardware support.
HELLFIRE
MVM
join:2009-11-25

HELLFIRE to Remoter

MVM

to Remoter
said by Paulg:

3DES? ugh, why?

I was about to agree, then I remembered while DES can be brute forced in less than a day since 2008, there
doesn't seem to be a reliable way to brute force 3DES... yet.

Other reason(s), as ladino See Profile alluded to, can include old(er) equipment, limited support for strong(er)
encryption/hashes, CIO's a moron, corporate mindset of "if it works don't break it"... take your pick.

I'd personally be more worried about using MD5 as THAT one has reliably demonstrated ease in generating collisions.

Regards