DMVPN ipsec

From: olumayokun fowowe <olumayokun_at_gmail.com>
Date: Mon, 11 May 2009 15:22:04 +0100

Hello all,

I have the following situation:

R1 is the hub, and it is connecting to two spoke routers. The tunnel forms
and works well until I applied ipsec to the routers. Then if I do show
ipsec sessions, I will have the interface in down negotiating.

Thanks for your help.

R1
===

crypto isakmp policy 1
 authentication pre-share
 group 2
crypto isakmp key cisco_vpnkey address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set cisco_vpnset esp-3des esp-sha-hmac
!
crypto ipsec profile cisco_vpnprof
 set transform-set cisco_vpnset
!
!
!
!
!
interface Tunnel0
 description HQ DMVPN tunnel to branches
 bandwidth 1000
 ip address 10.x.x.1 255.255.255.0
 no ip redirects
 ip nhrp authentication cisco
 ip nhrp map multicast dynamic
 ip nhrp network-id 10
 ip nhrp cache non-authoritative
 no ip split-horizon eigrp 10
 tunnel source y.y.50.102
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile cisco_vpnprof

router eigrp 10
network 10.x.x.0 0.0.0.255

R2
===

crypto isakmp policy 1
 authentication pre-share
 group 2
crypto isakmp key cisco_vpnkey address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set cisco_vpnset esp-3des esp-sha-hmac
!
crypto ipsec profile cisco_vpnprof
 set transform-set cisco_vpnset
!
!
!
!
!
interface Tunnel0
 description HQ DMVPN tunnel to branches
 bandwidth 1000
 ip address 10.x.x.2 255.255.255.0
 no ip redirects
 ip nhrp authentication cisco
 ip nhrp map multicast y.y.50.102
 ip nhrp map 10.x.x.1 y.y.50.102
 ip nhrp network-id 10
 ip nhrp holdtime 60
 ip nhrp registration timeout 30
 ip nhrp cache non-authoritative
 no ip split-horizon eigrp 10
 tunnel source y.y.50.70
 tunnel destination y.y.50.102
 tunnel key 1
 tunnel protection ipsec profile cisco_vpnprof

router eigrp 10
network 10.x.x.0 0.0.0.255

R2
===

crypto isakmp policy 1
 authentication pre-share
 group 2
crypto isakmp key cisco_vpnkey address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set cisco_vpnset esp-3des esp-sha-hmac
!
crypto ipsec profile cisco_vpnprof
 set transform-set cisco_vpnset
!
!
!
!
!
interface Tunnel0
 description HQ DMVPN tunnel to branches
 bandwidth 1000
 ip address 10.x.x.3 255.255.255.0
 no ip redirects
 ip nhrp authentication cisco
 ip nhrp map multicast y.y.50.102
 ip nhrp map 10.x.x.1 y.y.50.102
 ip nhrp network-id 10
 ip nhrp holdtime 60
 ip nhrp registration timeout 30
 ip nhrp cache non-authoritative
 no ip split-horizon eigrp 10
 tunnel source y.y.50.58
 tunnel destination y.y.50.102
 tunnel key 1
 tunnel protection ipsec profile cisco_vpnprof

router eigrp 10
network 10.x.x.0 0.0.0.255

Received on Mon May 11 2009 - 15:22:04 ART