RE: DMVPN ipsec

From: Joseph L. Brunner <joe_at_affirmedsystems.com>
Date: Tue, 12 May 2009 12:19:21 -0400

Please refer to my free and simple-to-follow lab walk-through on DMVPN:

Compare your configs to mine to get started...

http://www.affirmedsystems.com/workbooks/CCNP-ISCW-Lab-4-Solutions.pdf

(Use EIGRP instead of OSPF; it's easier, just to get a feel for the commands and the troubleshooting, etc. You want to put the tunnel interface IPs and, if desired, the LAN subnet interface IPs into EIGRP.)

i.e.

interface tunnel1
ip address 172.17.17.1 255.255.255.0

int fastethernet0/0
ip address 10.1.1.1 255.255.255.0

router eigrp 10
network 172.17.17.1 0.0.0.0
network 10.1.1.1 0.0.0.0
no auto-summary

-Joe

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of olumayokun fowowe
Sent: Tuesday, May 12, 2009 12:23 PM
To: Dale Shaw
Cc: Cisco certification
Subject: Re: DMVPN ipsec

Hello all,

Thanks for your help so far. I have done all that you've suggested but the
situation still remains the same:

Crypto ISAKMP debugging is on
SPOKE#
May 12 15:18:07.334: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
May 12 15:18:07.334: ISAKMP (0:0): incrementing error counter on sa, attempt
2 of 5: retransmit phase 1
May 12 15:18:07.334: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
May 12 15:18:07.334: ISAKMP:(0): sending packet to y.y.50.102 my_port 500
peer_port 500 (I) MM_NO_STATE
May 12 15:18:17.333: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
May 12 15:18:17.333: ISAKMP (0:0): incrementing error counter on sa, attempt
3 of 5: retransmit phase 1
May 12 15:18:17.333: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
May 12 15:18:17.333: ISAKMP:(0): sending packet to y.y.50.102 my_port 500
peer_port 500 (I) MM_NO_STATE
May 12 15:18:17.333: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= y.y.50.26, remote= y.y.50.102,
    local_proxy= y.y.50.26/255.255.255.255/47/0 (type=1),
    remote_proxy= y.y.50.102/255.255.255.255/47/0 (type=1)
May 12 15:18:17.333: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= y.y.50.26, remote= y.y.50.102,
    local_proxy= y.y.50.26/255.255.255.255/47/0 (type=1),
    remote_proxy= y.y.50.102/255.255.255.255/47/0 (type=1),
    protocol= ESP, transform= NONE (Transport),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
May 12 15:18:17.333: ISAKMP: set new node 0 to QM_IDLE
May 12 15:18:17.333: ISAKMP:(0):SA is still budding. Attached new ipsec
request to it. (local y.y.50.26, remote y.y.50.102)
May 12 15:18:17.333: ISAKMP: Error while processing SA request: Failed to
initialize SA
May 12 15:18:17.333: ISAKMP: Error while processing KMI message 0, error 2.
May 12 15:18:27.332: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
May 12 15:18:27.332: ISAKMP (0:0): incrementing error counter on sa, attempt
4 of 5: retransmit phase 1
May 12 15:18:27.332: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
May 12 15:18:27.332: ISAKMP:(0): sending packet to y.y.50.102 my_port 500
peer_port 500 (I) MM_NO_STATE
May 12 15:18:32.980: ISAKMP:(0):purging node 878653728
May 12 15:18:32.980: ISAKMP:(0):purging node -1735576608
May 12 15:18:37.331: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
May 12 15:18:37.331: ISAKMP (0:0): incrementing error counter on sa, attempt
5 of 5: retransmit phase 1
May 12 15:18:37.331: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
May 12 15:18:37.331: ISAKMP:(0): sending packet to y.y.50.102 my_port 500
peer_port 500 (I) MM_NO_STATE
May 12 15:18:42.979: ISAKMP:(0):purging SA., sa=645B0170, delme=645B0170un
all
May 12 15:18:47.331: IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= y.y.50.26, remote= y.y.50.102,
    local_proxy= y.y.50.26/255.255.255.255/47/0 (type=1),
    remote_proxy= y.y.50.102/255.255.255.255/47/0 (type=1)
May 12 15:18:47.331: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
May 12 15:18:47.331: ISAKMP:(0):peer does not do paranoid keepalives.

May 12 15:18:47.331: ISAKMP:(0):deleting SA reason "Death by retransmission
P1" state (I) MM_NO_STATE (peer y.y.50.102)
May 12 15:18:47.331: ISAKMP:(0):deleting SA reason "Death by retransmission
P1" state (I) MM_NO_STATE (peer y.y.50.102)
May 12 15:18:47.331: ISAKMP: Unlocking peer struct 0x652A68A8 for
isadb_mark_sa_deleted(), count 0
May 12 15:18:47.331: ISAKMP: Deleting peer node by peer_reap for y.y.50.102:
652A68A8
May 12 15:18:47.331: ISAKMP:(0):deleting node 921848229 error FALSE reason
"IKE deleted"
May 12 15:18:47.331: ISAKMP:(0):deleting node -1937311521 error FALSE reason
"IKE deleted"
May 12 15:18:47.331: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
May 12 15:18:47.331: ISAKMP:(0):Old State = IKE_I_MM1 New State =
IKE_DEST_SA

May 12 15:18:47.331: IPSEC(key_engine): got a queue event with 1 KMI
message(s)
May 12 15:18:48.282: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= y.y.50.26, remote= y.y.50.102,
    local_proxy= y.y.50.26/255.255.255.255/47/0 (type=1),
    remote_proxy= y.y.50.102/255.255.255.255/47/0 (type=1),
    protocol= ESP, transform= NONE (Transport),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
May 12 15:18:48.282: ISAKMP:(0): SA request profile is (NULL)
May 12 15:18:48.282: ISAKMP: Created a peer struct for y.y.50.102, peer port
500
May 12 15:18:48.282: ISAKMP: New peer created peer = 0x652A68A8 peer_handle
= 0x8000000A
May 12 15:18:48.282: ISAKMP: Locking peer struct 0x652A68A8, refcount 1 for
isakmp_initiator
May 12 15:18:48.282: ISAKMP: local port 500, remote port 500
May 12 15:18:48.282: ISAKMP: set new node 0 to QM_IDLE
May 12 15:18:48.282: ISAKMP: Find a dup sa in the avl tree during calling
isadb_insert sa = 645B0170
May 12 15:18:48.282: ISAKMP:(0):Can not start Aggressive mode, trying Main
mode.
May 12 15:18:48.282: ISAKMP:(0):found peer pre-shared key matching
y.y.50.102
May 12 15:18:48.282: ISAKMP:(0): constructed NAT-T vendor-07 ID
May 12 15:18:48.282: ISAKMP:(0): constructed NAT-T vendor-03 ID
May 12 15:18:48.282: ISAKMP:(0): constructed NAT-T vendor-02 ID
May 12 15:18:48.282: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
May 12 15:18:48.286: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1

May 12 15:18:48.286: ISAKMP:(0): beginning Main Mode exchange
May 12 15:18:48.286: ISAKMP:(0): sending packet to y.y.50.102 my_port 500
peer_port 500 (I) MM_NO_STATE
All possible debugging has been turned off

On Tue, May 12, 2009 at 2:50 PM, Dale Shaw <dale.shaw_at_gmail.com> wrote:

> Hi,
>
> Sorry, I missed your earlier point about it all working until you apply
> IPSec.
>
> On Tue, May 12, 2009 at 11:18 PM, olumayokun fowowe
> <olumayokun_at_gmail.com> wrote:
> > Hello Dale
> >
> > I did tunnel mode gre multipoint as you suggested but I'm still having
> the
> > same error as indicated below:
>
> Try:
>
> crypto ipsec transform-set cisco_vpnset esp-3des esp-sha-hmac
> mode transport
>
> The other differences I see in your config to my working config are:
>
> crypto ipsec profile cisco_vpnprof
> set pfs group2
>
> (but it's probably not that)
>
> int tun0
> ip mtu 1420
>
> (you need that, but it's probably not that)
>
> on the spokes:
>
> int tun0
> ip nhrp nhs 10.x.x.1
>
> (you need that, but I don't think that'll stop a spoke-to-hub tunnel
> forming)
>
> Take it back to basics.. are you sure you've got the IPSec stuff
> configured properly on all routers? 'tunnel protection ipsec' is
> configured on all tunnel interfaces?
>
> Troubleshoot it as an IPSec problem and forget about DMVPN. Enable
> some debugs -- 'debug crypto isakmp' first, then 'debug crypto ipsec',
> then maybe 'debug crypto engine'
>
> I'm not sure why you're seeing a GRE packet (protocol 47) there..
>
> If all else fails, gather your configs again, except this time post
> the underlying physical interface config used by your tunnels.
>
> cheers,
> Dale
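Added example, not code from anyone in the thread: a small Python analyser run over a constructed excerpt of the spoke's debug output posted above. It counts the spoke's outbound MM_NO_STATE sends against inbound ISAKMP packets, tracks the "attempt N of 5" retransmit counter, and flags the "Death by retransmission P1" teardown, which in the posted log happens without a single reply from y.y.50.102. The "received packet from" wording for inbound packets is assumed from the IOS ISAKMP debug format; it never appears in the posted log, which is exactly the point.

```python
import re

# Constructed excerpt of the spoke's `debug crypto isakmp` output posted above
# (email line-wrapping undone; the poster's masked y.y.* addresses kept as written).
SAMPLE_DEBUG = """\
May 12 15:18:07.334: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
May 12 15:18:07.334: ISAKMP:(0): sending packet to y.y.50.102 my_port 500 peer_port 500 (I) MM_NO_STATE
May 12 15:18:17.333: IPSEC(sa_request): ,
    local_proxy= y.y.50.26/255.255.255.255/47/0 (type=1),
    remote_proxy= y.y.50.102/255.255.255.255/47/0 (type=1),
May 12 15:18:37.331: ISAKMP (0:0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
May 12 15:18:37.331: ISAKMP:(0): sending packet to y.y.50.102 my_port 500 peer_port 500 (I) MM_NO_STATE
May 12 15:18:47.331: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer y.y.50.102)
"""

SEND = re.compile(r"sending packet to (\S+) my_port \d+ peer_port \d+ \([IR]\) \w+")
RECV = re.compile(r"received packet from (\S+)")  # assumed IOS wording; an answering peer produces these
ATTEMPT = re.compile(r"attempt (\d+) of (\d+): retransmit phase 1")
DEATH = re.compile(r'"Death by retransmission P1".*\(peer (\S+)\)')
PROXY = re.compile(r"(local|remote)_proxy= ([^/\s]+)/[^/\s]+/(\d+)/\d+")


def analyse(debug_text):
    """Summarise IKE phase 1 health for the peer seen in one ISAKMP debug capture."""
    sent, received, peer, attempt, died, proxies = 0, 0, None, (0, 0), False, {}
    for line in debug_text.splitlines():
        if m := SEND.search(line):
            sent += 1
            peer = m.group(1)
        elif RECV.search(line):
            received += 1
        elif m := ATTEMPT.search(line):
            attempt = (int(m.group(1)), int(m.group(2)))
        elif m := DEATH.search(line):
            died = True
            peer = m.group(1)
        elif m := PROXY.search(line):
            # host/host proxy with IP protocol 47 (GRE) is what tunnel protection on a GRE tunnel requests
            proxies[m.group(1)] = (m.group(2), int(m.group(3)))
    if died and received == 0:
        verdict = ("peer never answered MM1: check UDP/500 reachability, that the peer has a crypto "
                   "isakmp policy and matching pre-shared key, and tunnel protection on its tunnel")
    elif died:
        verdict = "peer answered but phase 1 still timed out: compare ISAKMP policies on both sides"
    else:
        verdict = "no phase 1 death seen"
    return {"peer": peer, "sent": sent, "received": received, "attempt": attempt, "died_p1": died,
            "gre_proxy": bool(proxies) and all(p[1] == 47 for p in proxies.values()),
            "verdict": verdict}
```

Feed it the full `debug crypto isakmp` capture from a spoke and the verdict separates "nobody is listening on the other end" from "both sides talk but disagree", which is the first fork in Dale's "troubleshoot it as an IPsec problem" advice.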

Received on Tue May 12 2009 - 12:19:21 ART