Re: Issues with IPSEC over DMVPN on 7604 Router

From: Farrukh Haroon <farrukhharoon_at_gmail.com>
Date: Wed, 27 May 2009 13:20:40 +0300

What module are you using? SPA/VSPA?

Regards

Farrukh

On Wed, May 27, 2009 at 12:31 PM, olumayokun fowowe <olumayokun_at_gmail.com> wrote:

> Hello Farrukh
>
> This same config worked when I used a 2800 series as the hub router but
> didn't work when I replaced the 2800 router with a 7604 router.
> HUB
> ===
> crypto isakmp policy 11
> authentication pre-share
> group 2
>
> crypto isakmp key scpckey address 0.0.0.0 0.0.0.0
>
> crypto ipsec transform-set scpcvpnset esp-3des esp-md5-hmac
>
> crypto ipsec profile scpcprof
> set transform-set scpcvpnset
>
> int tunnel 1
> ip add y.y.2.1 255.255.255.0
> Description HQ DMVPN tunnel to Spoke
> no ip redirects
> ip nhrp authentication SCPC
> ip nhrp map multicast dynamic
> ip nhrp network-id 11
> no ip split-horizon eigrp 10
> ip summary-address eigrp 10 x.31.0.0 255.255.0.0
> ip summary-address eigrp 10 x.29.0.0 255.255.0.0
> ip summary-address eigrp 10 x.28.0.0 255.255.0.0
> ip summary-address eigrp 10 x.22.0.0 255.255.0.0
> tunnel source c.d.102.1
> tunnel mode gre multipoint
> tunnel key 11
>
> router eigrp 10
> network y.y.2.0 0.0.0.255
> no auto-summary
>
>
> spoke
> ======
>
> crypto isakmp policy 11
> authentication pre-share
> group 2
>
> crypto isakmp key scpckey address 0.0.0.0 0.0.0.0
>
> crypto ipsec transform-set scpcvpnset esp-3des esp-md5-hmac
>
> crypto ipsec profile scpcprof
> set transform-set scpcvpnset
>
> int tunnel 1
> description spoke DMVPN tunnel to HQ
> ip add y.y.2.2 255.255.255.0
> ip nhrp authentication SCPC
> ip nhrp map multicast c.d.102.1
> ip nhrp map y.y.2.1 c.d.102.1
> ip nhrp nhs 10.204.2.1
> ip nhrp network-id 11
> ip nhrp registration timeout 30
> ip nhrp holdtime 300
> tunnel source a.b.5.138
> tunnel destination c.d.102.1
> tunnel key 11
>
> router eigrp 10
> network y.y.2.0 0.0.0.255
> no auto-summary
>
>
>
>
> On Wed, May 27, 2009 at 12:47 AM, Farrukh Haroon <farrukhharoon_at_gmail.com> wrote:
>
>> It appears the other side is still sending non-encrypted GRE packets.
>> Did you try to remove and re-apply the crypto map or shut/no shut the
>> tunnel interface (in case of VTI profiles)? This is on the remote side
>> having the IP 10.200.102.1.
>>
>> If possible, please post the sanitized configs.
>>
>> Regards
>>
>> Farrukh
>>
>> On Wed, May 27, 2009 at 10:21 AM, olumayokun fowowe <olumayokun_at_gmail.com> wrote:
>>
>>> Hello all,
>>>
>>> Has anybody implemented DMVPN with IPSEC on a 7604 router successfully? I
>>> recently deployed with a 7604 router as the hub and a mixture of 2800, 1800
>>> and 2600 series routers as spokes. The DMVPN implementation was successful
>>> but when I implemented IPSEC over the implementation, I had the following
>>> error:
>>>
>>> ABC_RT(config)#int tunnel 1
>>> ABC_RT(config-if)#tunnel protection ipsec profile scpcprof
>>> ABC_RT(config-if)#
>>> May 26 17:59:46.848 gmt: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
>>> May 26 17:59:46.892 gmt: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
>>> (ip) vrf/dest_addr= /172.28.5.138, src_addr= 10.200.102.1, prot= 47
>>> ABC_RT(config-if)#
>>> May 26 17:59:57.152 gmt: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 10: Neighbor
>>> 10.204.2.1 (Tunnel1) is down: holding time expired
>>>
>>>
>>> I replaced the 7604 router with a 2800 series router and the whole
>>> implementation was successful with IPSEC over the DMVPN. The IOS image I
>>> have on the 7604 is: c7600rsp72043-advipservicesk9-mz.122-33.SRC3.bin and I
>>> have a mixture of 12.3 and 12.4 images on the spokes. The following is a
>>> show version output on the 7604 router:
>>>
>>> ABC_RT#show version
>>> Cisco IOS Software, c7600rsp72043_rp Software (c7600rsp72043_rp-ADVIPSERVICESK9-M), Version 12.2(33)SRC3, RELEASE SOFTWARE (fc2)
>>> Technical Support: http://www.cisco.com/techsupport
>>> Copyright (c) 1986-2008 by Cisco Systems, Inc.
>>> Compiled Tue 16-Dec-08 09:49 by prod_rel_team
>>> ROM: System Bootstrap, Version 12.2(33r)SRD2, RELEASE SOFTWARE (fc1)
>>> 7604_Router uptime is 13 hours, 26 minutes
>>> Uptime for this control processor is 13 hours, 27 minutes
>>> System returned to ROM by s/w reset (SP by power-on)
>>> System image file is "bootdisk:c7600rsp72043-advipservicesk9-mz.122-33.SRC3.bin"
>>> Last reload type: Normal Reload
>>>
>>> This product contains cryptographic features and is subject to United
>>> States and local country laws governing import, export, transfer and
>>> use. Delivery of Cisco cryptographic products does not imply
>>> third-party authority to import, export, distribute or use encryption.
>>> Importers, exporters, distributors and users are responsible for
>>> compliance with U.S. and local country laws. By using this product you
>>> agree to comply with applicable laws and regulations. If you are unable
>>> to comply with U.S. and local laws, return this product immediately.
>>> A summary of U.S. laws governing Cisco cryptographic products may be found at:
>>> http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
>>> If you require further assistance please contact us by sending email to
>>> export_at_cisco.com.
>>> Cisco CISCO7604 (M8500) processor (revision 2.0) with 1835008K/131072K bytes of memory.
>>> Processor board ID FOX1247H11N
>>> BASEBOARD: RSP720
>>> CPU: MPC8548_E, Version: 2.0, (0x80390020)
>>> CORE: E500, Version: 2.0, (0x80210020)
>>> CPU:1200MHz, CCB:400MHz, DDR:200MHz,
>>> L1: D-cache 32 kB enabled
>>> I-cache 32 kB enabled
>>> Last reset from power-on
>>> 1 SSC-400 controller (1 IPSEC).
>>> 1 Virtual Ethernet interface
>>> 52 Gigabit Ethernet interfaces
>>> 3964K bytes of non-volatile configuration memory.
>>> 507024K bytes of Internal ATA PCMCIA card (Sector size 512 bytes).
>>> Configuration register is 0x2102
>>> ABC_RT#
>>> Does anybody have an idea about what might be wrong? The 7604 router has a
>>> VPN module whose status is showing on. Do I have to enter any command to
>>> make the VPN module functional?
>>>
>>> I will appreciate your contributions.
>>>
>>> 'Mayokun
>>>
>>>
>>> Blogs and organic groups at http://www.ccie.net
>>>
>>> _______________________________________________________________________
>>> Subscription information may be found at:
>>> http://www.groupstudy.com/list/CCIELab.html

Received on Wed May 27 2009 - 13:20:40 ART
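As an added example (not code from this thread, from Cisco, or from either poster): a small Python check that takes a hub and a spoke tunnel configuration of the shape posted above, flags the end that still lacks "tunnel protection" and any mismatch in tunnel key, NHRP network-id or NHRP authentication, and parses %CRYPTO-4-RECVD_PKT_NOT_IPSEC syslog lines to name which end is the one still sending plain GRE (IP protocol 47). The two configs, the addresses (documentation ranges) and the log line are constructed for the example; it assumes the hub already has the profile applied and the spoke does not yet, which is the situation Farrukh describes.

```python
# Added example: consistency check for a DMVPN hub/spoke IPsec tunnel-protection
# rollout. Configs, addresses and the log line are constructed for this example
# (documentation ranges 192.0.2.0/24, 198.51.100.0/24), not the thread's values.
import re
from typing import Dict, List

# Settings that must be identical on both ends of a DMVPN tunnel interface.
MUST_MATCH = ("tunnel key", "ip nhrp network-id", "ip nhrp authentication")
# Keywords that open a new top-level block in the (unindented) posted configs.
TOP_LEVEL = ("router", "crypto", "interface", "int", "line")
# Syslog emitted when a crypto-protected interface receives a non-ESP/AH packet;
# the thread's line shows prot=47, i.e. GRE that the peer is still sending in clear.
NOT_IPSEC_RE = re.compile(
    r"%CRYPTO-4-RECVD_PKT_NOT_IPSEC:.*?dest_addr=\s*/?(?P<dst>[\d.]+),\s*"
    r"src_addr=\s*(?P<src>[\d.]+),\s*prot=\s*(?P<prot>\d+)")


def parse_tunnel(config: str) -> Dict[str, str]:
    """Settings of the first 'int tunnel' block, keyed 'ip nhrp <sub>' or
    '<word> <word>' (lower-cased); a repeated command keeps its last value."""
    settings: Dict[str, str] = {}
    in_tunnel = False
    for raw in config.splitlines():
        words = raw.split()
        if not words:
            continue
        head = words[0].lower()
        if head in ("int", "interface") and len(words) > 1 and words[1].lower().startswith("tunnel"):
            if in_tunnel:
                break  # a second tunnel interface: only the first is checked
            in_tunnel = True
            continue
        if not in_tunnel:
            continue
        if head in TOP_LEVEL:
            break  # the next top-level block ends the interface section
        n = 3 if [w.lower() for w in words[:2]] == ["ip", "nhrp"] else 2
        settings[" ".join(words[:n]).lower()] = " ".join(words[n:])
    return settings


def check_pair(hub: str, spoke: str) -> List[str]:
    """Findings for a hub/spoke pair; an empty list means the pair is consistent."""
    findings: List[str] = []
    tunnels = {"hub": parse_tunnel(hub), "spoke": parse_tunnel(spoke)}
    for name, settings in tunnels.items():
        if "tunnel protection" not in settings:
            findings.append(f"{name}: no 'tunnel protection' on the tunnel; it keeps "
                            "sending plain GRE (IP proto 47), which a protected peer "
                            "logs as %CRYPTO-4-RECVD_PKT_NOT_IPSEC and drops")
    for key in MUST_MATCH:
        h, s = tunnels["hub"].get(key), tunnels["spoke"].get(key)
        if h != s:
            findings.append(f"mismatch on '{key}': hub={h!r} spoke={s!r}")
    return findings


def parse_not_ipsec(log_lines) -> List[Dict[str, str]]:
    """dst/src/prot of each RECVD_PKT_NOT_IPSEC line; src is the unprotected sender."""
    return [m.groupdict() for m in map(NOT_IPSEC_RE.search, log_lines) if m]


def blame(hub: str, spoke: str, log_lines) -> Dict[str, str]:
    """Map each plaintext sender seen in the log to the end whose 'tunnel source' it is."""
    sources = {parse_tunnel(cfg).get("tunnel source"): name
               for name, cfg in (("hub", hub), ("spoke", spoke))}
    return {h["src"]: sources.get(h["src"], "unknown") for h in parse_not_ipsec(log_lines)}


# Constructed hub: profile defined and tunnel protection already applied.
HUB_CFG = """\
crypto ipsec profile scpcprof
set transform-set scpcvpnset
int tunnel 1
ip nhrp authentication SCPC
ip nhrp map multicast dynamic
ip nhrp network-id 11
tunnel source 192.0.2.1
tunnel mode gre multipoint
tunnel key 11
tunnel protection ipsec profile scpcprof
"""
# Constructed spoke: same profile, but 'tunnel protection' not yet applied.
SPOKE_CFG = """\
crypto ipsec profile scpcprof
set transform-set scpcvpnset
int tunnel 1
ip nhrp authentication SCPC
ip nhrp nhs 10.0.2.1
ip nhrp network-id 11
tunnel source 198.51.100.138
tunnel destination 192.0.2.1
tunnel key 11
"""
# Constructed syslog line, in the format quoted in the thread, as seen on the hub.
LOG_LINES = [
    "May 26 17:59:46.892 gmt: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an "
    "IPSEC packet. (ip) vrf/dest_addr= /192.0.2.1, src_addr= 198.51.100.138, prot= 47",
]

if __name__ == "__main__":
    for finding in check_pair(HUB_CFG, SPOKE_CFG):
        print("finding:", finding)
    print("plaintext GRE senders:", blame(HUB_CFG, SPOKE_CFG, LOG_LINES))
```

Run against both ends' configs before applying the profile on either side, the check shows which end will be left sending clear GRE; applying the profile on both ends in the same window shortens the time during which one end drops the other's GRE and the EIGRP neighbour over the tunnel times out, as in the log quoted above.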
