Re: DMVPN ipsec

From: <sheherezada_at_gmail.com>
Date: Wed, 13 May 2009 08:30:32 +0300

You are missing 'ip nhrp nhs' on the spokes. Try to remove tunnel
protection first and see if it works, because nothing seems wrong with
the crypto configuration.

HTH,

Mihai Dumitru
CCIE #16616 (SP, R&S)

On Monday, May 11, 2009, olumayokun fowowe <olumayokun_at_gmail.com> wrote:
> Hello all,
>
> I have the following situation:
>
> R1 is the hub, and it is connecting to two spoke routers. The tunnel forms
> and works well until I applied ipsec to the routers. Then if I do show
> ipsec sessions, I will have the interface in down negotiating
>
> Thanks for your help.
>
> R1
> ===
>
> crypto isakmp policy 1
> authentication pre-share
> group 2
> crypto isakmp key cisco_vpnkey address 0.0.0.0 0.0.0.0
> !
> !
> crypto ipsec transform-set cisco_vpnset esp-3des esp-sha-hmac
> !
> crypto ipsec profile cisco_vpnprof
> set transform-set cisco_vpnset
> !
> !
> !
> !
> !
> interface Tunnel0
> description HQ DMVPN tunnel to branches
> bandwidth 1000
> ip address 10.x.x.1 255.255.255.0
> no ip redirects
> ip nhrp authentication cisco
> ip nhrp map multicast dynamic
> ip nhrp network-id 10
> ip nhrp cache non-authoritative
> no ip split-horizon eigrp 10
> tunnel source y.y.50.102
> tunnel mode gre multipoint
> tunnel key 1
> tunnel protection ipsec profile cisco_vpnprof
>
> router eigrp 10
> network 10.x.x.0 0.0.0.255
>
> R2
> ===
>
> crypto isakmp policy 1
> authentication pre-share
> group 2
> crypto isakmp key cisco_vpnkey address 0.0.0.0 0.0.0.0
> !
> !
> crypto ipsec transform-set cisco_vpnset esp-3des esp-sha-hmac
> !
> crypto ipsec profile cisco_vpnprof
> set transform-set cisco_vpnset
> !
> !
> !
> !
> !
> interface Tunnel0
> description HQ DMVPN tunnel to branches
> bandwidth 1000
> ip address 10.x.x.2 255.255.255.0
> no ip redirects
> ip nhrp authentication cisco
> ip nhrp map multicast y.y.50.102
> ip nhrp map 10.x.x.1 y.y.50.102
> ip nhrp network-id 10
> ip nhrp holdtime 60
> ip nhrp registration timeout 30
> ip nhrp cache non-authoritative
> no ip split-horizon eigrp 10
> tunnel source y.y.50.70
> tunnel destination y.y.50.102
> tunnel key 1
> tunnel protection ipsec profile cisco_vpnprof
>
> router eigrp 10
> network 10.x.x.0 0.0.0.255
>
> R2
> ===
>
> crypto isakmp policy 1
> authentication pre-share
> group 2
> crypto isakmp key cisco_vpnkey address 0.0.0.0 0.0.0.0
> !
> !
> crypto ipsec transform-set cisco_vpnset esp-3des esp-sha-hmac
> !
> crypto ipsec profile cisco_vpnprof
> set transform-set cisco_vpnset
> !
> !
> !
> !
> !
> interface Tunnel0
> description HQ DMVPN tunnel to branches
> bandwidth 1000
> ip address 10.x.x.3 255.255.255.0
> no ip redirects
> ip nhrp authentication cisco
> ip nhrp map multicast y.y.50.102
> ip nhrp map 10.x.x.1 y.y.50.102
> ip nhrp network-id 10
> ip nhrp holdtime 60
> ip nhrp registration timeout 30
> ip nhrp cache non-authoritative
> no ip split-horizon eigrp 10
> tunnel source y.y.50.58
> tunnel destination y.y.50.102
> tunnel key 1
> tunnel protection ipsec profile cisco_vpnprof
>
> router eigrp 10
> network 10.x.x.0 0.0.0.255
>
>
> Blogs and organic groups at http://www.ccie.net

Received on Wed May 13 2009 - 08:30:32 ART
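
Added example (not part of the original thread and not a Cisco tool): a small Python check for the omission named in the reply, a spoke tunnel that has static 'ip nhrp map' entries but no 'ip nhrp nhs'. It assumes 'show running-config' style input with indented sub-commands; the sample config, its addresses and the function names are constructed for illustration.

```python
import re

# Constructed sample modelled on the spoke configuration quoted in the thread
# (addresses are placeholders, not values from the post).
SPOKE_CONFIG = """\
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 ip nhrp authentication cisco
 ip nhrp map multicast 192.0.2.102
 ip nhrp map 10.0.0.1 192.0.2.102
 ip nhrp network-id 10
 tunnel source 192.0.2.70
 tunnel destination 192.0.2.102
 tunnel key 1
!
router eigrp 10
 network 10.0.0.0 0.0.0.255
"""

def tunnel_blocks(config):
    """Yield (interface_name, [sub-commands]) for each Tunnel interface."""
    name, lines = None, []
    for raw in config.splitlines():
        if raw[:1] not in (" ", "\t"):   # a non-indented line closes the block
            if name:
                yield name, lines
            m = re.match(r"interface\s+(Tunnel\S+)", raw, re.I)
            name, lines = (m.group(1) if m else None), []
        elif name and raw.strip():
            lines.append(raw.strip())
    if name:
        yield name, lines

def check_nhrp(config):
    """Return findings for NHRP spokes that cannot register with a hub."""
    findings = []
    for name, cmds in tunnel_blocks(config):
        nhs = {c.split()[3] for c in cmds if c.startswith("ip nhrp nhs ")}
        # Static tunnel-IP -> NBMA maps only; 'map multicast' lines are skipped.
        maps = {c.split()[3] for c in cmds if re.match(r"ip nhrp map \d", c)}
        is_hub = "ip nhrp map multicast dynamic" in cmds
        if maps and not nhs and not is_hub:
            findings.append(f"{name}: static NHRP map but no 'ip nhrp nhs'")
        for addr in sorted(nhs - maps):
            findings.append(f"{name}: NHS {addr} has no static 'ip nhrp map'")
    return findings
```

Without an NHS the spoke never sends an NHRP registration, so the hub's dynamic multicast map stays empty; running check_nhrp over saved spoke configs flags this before tunnel protection is layered on top.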
