Hello Farrukh
This same config worked when I used a 2800 series as the hub router but
didn't work when I replaced the 2800 router with a 7604 router.

HUB
===
crypto isakmp policy 11
 authentication pre-share
 group 2
crypto isakmp key scpckey address 0.0.0.0 0.0.0.0
crypto ipsec transform-set scpcvpnset esp-3des esp-md5-hmac
crypto ipsec profile scpcprof
 set transform-set scpcvpnset
int tunnel 1
 ip add y.y.2.1 255.255.255.0
 Description HQ DMVPN tunnel to Spoke
 no ip redirects
 ip nhrp authentication SCPC
 ip nhrp map multicast dynamic
 ip nhrp network-id 11
 no ip split-horizon eigrp 10
 ip summary-address eigrp 10 x.31.0.0 255.255.0.0
 ip summary-address eigrp 10 x.29.0.0 255.255.0.0
 ip summary-address eigrp 10 x.28.0.0 255.255.0.0
 ip summary-address eigrp 10 x.22.0.0 255.255.0.0
 tunnel source c.d.102.1
 tunnel mode gre multipoint
 tunnel key 11
router eigrp 10
 network y.y.2.0 0.0.0.255
 no auto-summary

spoke
======
crypto isakmp policy 11
 authentication pre-share
 group 2
crypto isakmp key scpckey address 0.0.0.0 0.0.0.0
crypto ipsec transform-set scpcvpnset esp-3des esp-md5-hmac
crypto ipsec profile scpcprof
 set transform-set scpcvpnset
int tunnel 1
 description spoke DMVPN tunnel to HQ
 ip add y.y.2.2 255.255.255.0
 ip nhrp authentication SCPC
 ip nhrp map multicast c.d.102.1
 ip nhrp map y.y.2.1 c.d.102.1
 ip nhrp nhs 10.204.2.1
 ip nhrp network-id 11
 ip nhrp registration timeout 30
 ip nhrp holdtime 300
 tunnel source a.b.5.138
 tunnel destination c.d.102.1
 tunnel key 11
router eigrp 10
 network y.y.2.0 0.0.0.255
 no auto-summary

On Wed, May 27, 2009 at 12:47 AM, Farrukh Haroon <farrukhharoon_at_gmail.com> wrote:
> It appears the other side is still sending non-encrypted GRE packets. Did
> you try to remove and re-apply the crypto map or shut/no shut the tunnel
> interface (in case of VTI profiles)? This is on the remote side having the
> IP 10.200.102.1.
>
> If possible, please post the sanitized configs.
>
> Regards
>
> Farrukh
>
> On Wed, May 27, 2009 at 10:21 AM, olumayokun fowowe <
> olumayokun_at_gmail.com> wrote:
>
>> Hello all,
>>
>> Has anybody implemented DMVPN with IPSEC on a 7604 router successfully? I
>> recently deployed with a 7604 router as the hub and a mixture of 2800, 1800
>> and 2600 series routers as spokes. The DMVPN implementation was successful
>> but when I implemented IPSEC over the implementation, I had the following
>> error:
>>
>> ABC_RT(config)#int tunnel 1
>> ABC_RT(config-if)#tunnel protection ipsec profile scpcprof
>> ABC_RT(config-if)#
>> May 26 17:59:46.848 gmt: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
>> May 26 17:59:46.892 gmt: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
>>         (ip) vrf/dest_addr= /172.28.5.138, src_addr= 10.200.102.1, prot= 47
>> ABC_RT(config-if)#
>> May 26 17:59:57.152 gmt: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 10: Neighbor 10.204.2.1 (Tunnel1) is down: holding time expired
>>
>>
>> I replaced the 7604 router with a 2800 series router and the whole
>> implementation was successful with IPSEC over the DMVPN. The IOS image I
>> have on the 7604 is: c7600rsp72043-advipservicesk9-mz.122-33.SRC3.bin and I
>> have a mixture of 12.3 and 12.4 images on the spokes. The following is a
>> show version output on the 7604 router:
>>
>> ABC_RT#show version
>> Cisco IOS Software, c7600rsp72043_rp Software (c7600rsp72043_rp-ADVIPSERVICESK9-M), Version 12.2(33)SRC3, RELEASE SOFTWARE (fc2)
>> Technical Support: http://www.cisco.com/techsupport
>> Copyright (c) 1986-2008 by Cisco Systems, Inc.
>> Compiled Tue 16-Dec-08 09:49 by prod_rel_team
>> ROM: System Bootstrap, Version 12.2(33r)SRD2, RELEASE SOFTWARE (fc1)
>> 7604_Router uptime is 13 hours, 26 minutes
>> Uptime for this control processor is 13 hours, 27 minutes
>> System returned to ROM by s/w reset (SP by power-on)
>> System image file is "bootdisk:c7600rsp72043-advipservicesk9-mz.122-33.SRC3.bin"
>> Last reload type: Normal Reload
>>
>> This product contains cryptographic features and is subject to United
>> States and local country laws governing import, export, transfer and
>> use. Delivery of Cisco cryptographic products does not imply
>> third-party authority to import, export, distribute or use encryption.
>> Importers, exporters, distributors and users are responsible for
>> compliance with U.S. and local country laws. By using this product you
>> agree to comply with applicable laws and regulations. If you are unable
>> to comply with U.S. and local laws, return this product immediately.
>> A summary of U.S. laws governing Cisco cryptographic products may be found
>> at:
>> http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
>> If you require further assistance please contact us by sending email to
>> export_at_cisco.com.
>> Cisco CISCO7604 (M8500) processor (revision 2.0) with 1835008K/131072K bytes of memory.
>> Processor board ID FOX1247H11N
>> BASEBOARD: RSP720
>> CPU: MPC8548_E, Version: 2.0, (0x80390020)
>> CORE: E500, Version: 2.0, (0x80210020)
>> CPU:1200MHz, CCB:400MHz, DDR:200MHz,
>> L1: D-cache 32 kB enabled
>> I-cache 32 kB enabled
>> Last reset from power-on
>> 1 SSC-400 controller (1 IPSEC).
>> 1 Virtual Ethernet interface
>> 52 Gigabit Ethernet interfaces
>> 3964K bytes of non-volatile configuration memory.
>> 507024K bytes of Internal ATA PCMCIA card (Sector size 512 bytes).
>> Configuration register is 0x2102
>> ABC_RT#
>> Does anybody have an idea about what might be wrong? The 7604 router has a
>> VPN module whose status is showing on. Do I have to enter any command to
>> make the VPN module functional?
>>
>> I will appreciate your contributions.
>>
>> 'Mayokun
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
Received on Wed May 27 2009 - 02:31:28 ART
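
The %CRYPTO-4-RECVD_PKT_NOT_IPSEC message discussed in this thread can be picked out of a syslog feed mechanically. The following is an added example, not part of the original messages: it parses those events, joining the continuation lines, and reports which peers are still sending cleartext GRE (IP protocol 47). The function names and the last sample log line are constructed for illustration.

```python
import re
from collections import Counter

# Any IOS syslog mnemonic, e.g. %CRYPTO-4-RECVD_PKT_NOT_IPSEC:
MSG_START = re.compile(r"%[A-Z0-9_]+-\d-[A-Z0-9_]+:")
# Packet details; IOS prints them on a continuation line and mail may fold them again.
DETAIL = re.compile(
    r"vrf/dest_addr=\s*(?P<vrf>[^/\s]*)/(?P<dst>[\d.]+),\s*"
    r"src_addr=\s*(?P<src>[\d.]+),\s*prot=\s*(?P<prot>\d+)"
)
IP_PROTO = {47: "GRE", 50: "ESP", 51: "AH"}

def parse_not_ipsec(log_text):
    """Return one dict per RECVD_PKT_NOT_IPSEC event, joining wrapped lines."""
    events, buf = [], None
    for line in log_text.splitlines():
        if MSG_START.search(line):
            # A new syslog message starts: keep it only if it is the one we want.
            buf = line if "RECVD_PKT_NOT_IPSEC" in line else None
        elif buf is not None:
            buf += " " + line.strip()
        if buf is not None:
            m = DETAIL.search(buf)
            if m:
                prot = int(m["prot"])
                events.append({"src": m["src"], "dst": m["dst"],
                               "vrf": m["vrf"] or "global",
                               "protocol": IP_PROTO.get(prot, str(prot))})
                buf = None
    return events

def cleartext_gre_peers(events):
    """Count unencrypted GRE arrivals per (sending peer, local address)."""
    return Counter((e["src"], e["dst"]) for e in events if e["protocol"] == "GRE")

# Sample input: first event as quoted in the thread (folded), last line constructed.
SAMPLE_LOG = """\
May 26 17:59:46.848 gmt: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
May 26 17:59:46.892 gmt: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an
IPSEC packet.
(ip) vrf/dest_addr= /172.28.5.138, src_addr= 10.200.102.1, prot=
47
May 26 17:59:57.152 gmt: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 10: Neighbor
10.204.2.1 (Tunnel1) is down: holding time expired
May 26 18:00:02.100 gmt: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /198.51.100.7, src_addr= 192.0.2.9, prot= 47
"""

if __name__ == "__main__":
    for (src, dst), n in cleartext_gre_peers(parse_not_ipsec(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}: {n} cleartext GRE packet(s) logged")
```

A peer that keeps appearing in this report has tunnel protection missing or not yet active on its side, which matches the diagnosis given in the reply above.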