Re: Issues with IPSEC over DMVPN on 7604 Router

From: Farrukh Haroon <farrukhharoon_at_gmail.com>
Date: Wed, 27 May 2009 10:47:49 +0300

It appears the other side is still sending non-encrypted GRE packets. Did
you try to remove and re-apply the crypto map or shut/no shut the tunnel
interface (in case of VTI profiles)? This is on the remote side having the
IP 10.200.102.1.

If possible, please post the sanitized configs.

Regards

Farrukh

On Wed, May 27, 2009 at 10:21 AM, olumayokun fowowe <olumayokun_at_gmail.com> wrote:

> Hello all,
>
> Has anybody implemented DMVPN with IPSEC on a 7604 router successfully? I
> recently deployed with a 7604 router as the hub and a mixture of 2800, 1800
> and 2600 series routers as spokes. The DMVPN implementation was successful
> but when I implemented IPSEC over the implementation, I had the following
> error:
>
> ABC_RT(config)#int tunnel 1
> ABC_RT(config-if)#tunnel protection ipsec profile scpcprof
> ABC_RT(config-if)#
> May 26 17:59:46.848 gmt: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
> May 26 17:59:46.892 gmt: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an
> IPSEC packet.
> (ip) vrf/dest_addr= /172.28.5.138, src_addr= 10.200.102.1, prot= 47
> ABC_RT(config-if)#
> May 26 17:59:57.152 gmt: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 10: Neighbor
> 10.204.2.1 (Tunnel1) is down: holding time expired
>
>
> I replaced the 7604 router with a 2800 series router and the whole
> implementation was successful with IPSEC over the DMVPN. The IOS image I
> have on the 7604 is: c7600rsp72043-advipservicesk9-mz.122-33.SRC3.bin and I
> have a mixture of 12.3 and 12.4 images on the spokes. The following is a
> show version output on the 7604 router:
>
> ABC_RT#show version
> Cisco IOS Software, c7600rsp72043_rp Software
> (c7600rsp72043_rp-ADVIPSERVICESK9-M), Version 12.2(33)SRC3, RELEASE
> SOFTWARE
> (fc2)
> Technical Support: http://www.cisco.com/techsupport
> Copyright (c) 1986-2008 by Cisco Systems, Inc.
> Compiled Tue 16-Dec-08 09:49 by prod_rel_team
> ROM: System Bootstrap, Version 12.2(33r)SRD2, RELEASE SOFTWARE (fc1)
> 7604_Router uptime is 13 hours, 26 minutes
> Uptime for this control processor is 13 hours, 27 minutes
> System returned to ROM by s/w reset (SP by power-on)
> System image file is
> "bootdisk:c7600rsp72043-advipservicesk9-mz.122-33.SRC3.bin"
> Last reload type: Normal Reload
>
> This product contains cryptographic features and is subject to United
> States and local country laws governing import, export, transfer and
> use. Delivery of Cisco cryptographic products does not imply
> third-party authority to import, export, distribute or use encryption.
> Importers, exporters, distributors and users are responsible for
> compliance with U.S. and local country laws. By using this product you
> agree to comply with applicable laws and regulations. If you are unable
> to comply with U.S. and local laws, return this product immediately.
> A summary of U.S. laws governing Cisco cryptographic products may be found
> at:
> http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
> If you require further assistance please contact us by sending email to
> export_at_cisco.com.
> Cisco CISCO7604 (M8500) processor (revision 2.0) with 1835008K/131072K
> bytes
> of memory.
> Processor board ID FOX1247H11N
> BASEBOARD: RSP720
> CPU: MPC8548_E, Version: 2.0, (0x80390020)
> CORE: E500, Version: 2.0, (0x80210020)
> CPU:1200MHz, CCB:400MHz, DDR:200MHz,
> L1: D-cache 32 kB enabled
> I-cache 32 kB enabled
> Last reset from power-on
> 1 SSC-400 controller (1 IPSEC).
> 1 Virtual Ethernet interface
> 52 Gigabit Ethernet interfaces
> 3964K bytes of non-volatile configuration memory.
> 507024K bytes of Internal ATA PCMCIA card (Sector size 512 bytes).
> Configuration register is 0x2102
> ABC_RT#
>
> Does anybody have an idea about what might be wrong? The 7604 router has a
> VPN module which the status is showing on. Do I have to enter any command to
> make the VPN module functional?
>
> I will appreciate your contributions.
>
> 'Mayokun

Received on Wed May 27 2009 - 10:47:49 ART
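
The log excerpt in this thread, turned into a small check (an added example, not part of the original messages): it parses `%CRYPTO-4-RECVD_PKT_NOT_IPSEC` events, including ones wrapped across lines as in the post, and counts per peer how many cleartext packets were GRE (IP protocol 47). The sample log is constructed from the line in the post plus invented entries (192.0.2.77 is a documentation address), and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: the first event is the one quoted in the thread (wrapped
# as posted); the later two events are invented for illustration.
SAMPLE_LOG = """\
May 26 17:59:46.848 gmt: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
May 26 17:59:46.892 gmt: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an
IPSEC packet.
(ip) vrf/dest_addr= /172.28.5.138, src_addr= 10.200.102.1, prot= 47
May 26 18:00:46.901 gmt: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /172.28.5.138, src_addr= 10.200.102.1, prot= 47
May 26 18:01:02.115 gmt: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
(ip) vrf/dest_addr= /172.28.5.138, src_addr= 192.0.2.77, prot= 47
"""

# The gap between the mnemonic and the address fields is bounded so that a
# truncated event cannot borrow fields from a much later, unrelated entry.
EVENT = re.compile(
    r"%CRYPTO-4-RECVD_PKT_NOT_IPSEC:[\s\S]{0,200}?"
    r"vrf/dest_addr=\s*(?P<vrf>[^/\s]*)/(?P<dst>[\d.]+),\s*"
    r"src_addr=\s*(?P<src>[\d.]+),\s*prot=\s*(?P<prot>\d+)"
)

PROTO_NAMES = {47: "GRE", 50: "ESP", 51: "AH"}  # IANA IP protocol numbers


def parse_events(text):
    """Return one dict per RECVD_PKT_NOT_IPSEC event, tolerating line wraps."""
    events = []
    for m in EVENT.finditer(text):
        prot = int(m.group("prot"))
        events.append({
            "vrf": m.group("vrf") or "(none)",  # the field is empty in the post
            "dst": m.group("dst"),
            "src": m.group("src"),
            "prot": prot,
            "proto_name": PROTO_NAMES.get(prot, str(prot)),
        })
    return events


def cleartext_gre_peers(events):
    """Count events per (src, dst) pair where the cleartext packet was GRE."""
    return Counter((e["src"], e["dst"]) for e in events if e["prot"] == 47)


if __name__ == "__main__":
    for (src, dst), n in cleartext_gre_peers(parse_events(SAMPLE_LOG)).most_common():
        print(f"{src} -> {dst}: {n} cleartext GRE event(s); check tunnel protection on {src}")
```
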
