Re: Issues with IPSEC over DMVPN on 7604 Router

From: Farrukh Haroon <farrukhharoon_at_gmail.com>
Date: Wed, 27 May 2009 13:25:42 +0300

Just try again, I hope you applied the profile on both sides? :)

Cycle, i.e. shut/no shut, the tunnel interfaces on both sides.

Regards

Farrukh

On Wed, May 27, 2009 at 1:20 PM, Farrukh Haroon <farrukhharoon_at_gmail.com> wrote:

> What module are you using? SPA/VSPA?
>
> Regards
>
> Farrukh
>
> On Wed, May 27, 2009 at 12:31 PM, olumayokun fowowe <olumayokun_at_gmail.com> wrote:
>
>> Hello Farrukh
>>
>> This same config worked when I used a 2800 series as the hub router but
>> didn't work when I replaced the 2800 router with a 7604 router.
>> HUB
>> ===
>> crypto isakmp policy 11
>> authentication pre-share
>> group 2
>>
>> crypto isakmp key scpckey address 0.0.0.0 0.0.0.0
>>
>> crypto ipsec transform-set scpcvpnset esp-3des esp-md5-hmac
>>
>> crypto ipsec profile scpcprof
>> set transform-set scpcvpnset
>>
>> int tunnel 1
>> ip add y.y.2.1 255.255.255.0
>> Description HQ DMVPN tunnel to Spoke
>> no ip redirects
>> ip nhrp authentication SCPC
>> ip nhrp map multicast dynamic
>> ip nhrp network-id 11
>> no ip split-horizon eigrp 10
>> ip summary-address eigrp 10 x.31.0.0 255.255.0.0
>> ip summary-address eigrp 10 x.29.0.0 255.255.0.0
>> ip summary-address eigrp 10 x.28.0.0 255.255.0.0
>> ip summary-address eigrp 10 x.22.0.0 255.255.0.0
>> tunnel source c.d.102.1
>> tunnel mode gre multipoint
>> tunnel key 11
>>
>> router eigrp 10
>> network y.y.2.0 0.0.0.255
>> no auto-summary
>>
>>
>> spoke
>> ======
>>
>> crypto isakmp policy 11
>> authentication pre-share
>> group 2
>>
>> crypto isakmp key scpckey address 0.0.0.0 0.0.0.0
>>
>> crypto ipsec transform-set scpcvpnset esp-3des esp-md5-hmac
>>
>> crypto ipsec profile scpcprof
>> set transform-set scpcvpnset
>>
>> int tunnel 1
>> description spoke DMVPN tunnel to HQ
>> ip add y.y.2.2 255.255.255.0
>> ip nhrp authentication SCPC
>> ip nhrp map multicast c.d.102.1
>> ip nhrp map y.y.2.1 c.d.102.1
>> ip nhrp nhs 10.204.2.1
>> ip nhrp network-id 11
>> ip nhrp registration timeout 30
>> ip nhrp holdtime 300
>> tunnel source a.b.5.138
>> tunnel destination c.d.102.1
>> tunnel key 11
>>
>> router eigrp 10
>> network y.y.2.0 0.0.0.255
>> no auto-summary
>>
>>
>>
>>
>> On Wed, May 27, 2009 at 12:47 AM, Farrukh Haroon <farrukhharoon_at_gmail.com> wrote:
>>
>>> It appears the other side is still sending non-encrypted GRE packets.
>>> Did you try to remove and re-apply the crypto map or shut/no shut the
>>> tunnel interface (in case of VTI profiles)? This is on the remote side
>>> having the IP 10.200.102.1.
>>>
>>> If possible, please post the sanitized configs.
>>>
>>> Regards
>>>
>>> Farrukh
>>>
>>> On Wed, May 27, 2009 at 10:21 AM, olumayokun fowowe <olumayokun_at_gmail.com> wrote:
>>>
>>>> Hello all,
>>>>
>>>> Has anybody implemented DMVPN with IPSEC on a 7604 router successfully? I
>>>> recently deployed with a 7604 router as the hub and a mixture of 2800, 1800
>>>> and 2600 series routers as spokes. The DMVPN implementation was successful
>>>> but when I implemented IPSEC over the implementation, I had the following
>>>> error:
>>>>
>>>> ABC_RT(config)#int tunnel 1
>>>> ABC_RT(config-if)#tunnel protection ipsec profile scpcprof
>>>> ABC_RT(config-if)#
>>>> May 26 17:59:46.848 gmt: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
>>>> May 26 17:59:46.892 gmt: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
>>>> (ip) vrf/dest_addr= /172.28.5.138, src_addr= 10.200.102.1, prot= 47
>>>> ABC_RT(config-if)#
>>>> May 26 17:59:57.152 gmt: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 10: Neighbor
>>>> 10.204.2.1 (Tunnel1) is down: holding time expired
>>>>
>>>>
>>>> I replaced the 7604 router with a 2800 series router and the whole
>>>> implementation was successful with IPSEC over the DMVPN. The IOS image I
>>>> have on the 7604 is: c7600rsp72043-advipservicesk9-mz.122-33.SRC3.bin and I
>>>> have a mixture of 12.3 and 12.4 images on the spokes. The following is a
>>>> show version output on the 7604 router:
>>>>
>>>> ABC_RT#show version
>>>> Cisco IOS Software, c7600rsp72043_rp Software (c7600rsp72043_rp-ADVIPSERVICESK9-M), Version 12.2(33)SRC3, RELEASE SOFTWARE (fc2)
>>>> Technical Support: http://www.cisco.com/techsupport
>>>> Copyright (c) 1986-2008 by Cisco Systems, Inc.
>>>> Compiled Tue 16-Dec-08 09:49 by prod_rel_team
>>>> ROM: System Bootstrap, Version 12.2(33r)SRD2, RELEASE SOFTWARE (fc1)
>>>> 7604_Router uptime is 13 hours, 26 minutes
>>>> Uptime for this control processor is 13 hours, 27 minutes
>>>> System returned to ROM by s/w reset (SP by power-on)
>>>> System image file is
>>>> "bootdisk:c7600rsp72043-advipservicesk9-mz.122-33.SRC3.bin"
>>>> Last reload type: Normal Reload
>>>>
>>>> This product contains cryptographic features and is subject to United
>>>> States and local country laws governing import, export, transfer and
>>>> use. Delivery of Cisco cryptographic products does not imply
>>>> third-party authority to import, export, distribute or use encryption.
>>>> Importers, exporters, distributors and users are responsible for
>>>> compliance with U.S. and local country laws. By using this product you
>>>> agree to comply with applicable laws and regulations. If you are unable
>>>> to comply with U.S. and local laws, return this product immediately.
>>>> A summary of U.S. laws governing Cisco cryptographic products may be found at:
>>>> http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
>>>> If you require further assistance please contact us by sending email to
>>>> export_at_cisco.com.
>>>> Cisco CISCO7604 (M8500) processor (revision 2.0) with 1835008K/131072K bytes of memory.
>>>> Processor board ID FOX1247H11N
>>>> BASEBOARD: RSP720
>>>> CPU: MPC8548_E, Version: 2.0, (0x80390020)
>>>> CORE: E500, Version: 2.0, (0x80210020)
>>>> CPU:1200MHz, CCB:400MHz, DDR:200MHz,
>>>> L1: D-cache 32 kB enabled
>>>> I-cache 32 kB enabled
>>>> Last reset from power-on
>>>> 1 SSC-400 controller (1 IPSEC).
>>>> 1 Virtual Ethernet interface
>>>> 52 Gigabit Ethernet interfaces
>>>> 3964K bytes of non-volatile configuration memory.
>>>> 507024K bytes of Internal ATA PCMCIA card (Sector size 512 bytes).
>>>> Configuration register is 0x2102
>>>> ABC_RT#
>>>> Does anybody have an idea about what might be wrong? The 7604 router has a
>>>> VPN module whose status is showing as on. Do I have to enter any command to
>>>> make the VPN module functional?
>>>>
>>>> I will appreciate your contributions.
>>>>
>>>> 'Mayokun
>>>>
>>>>
>>>> Blogs and organic groups at http://www.ccie.net
>>>>

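The symptom in this thread, %CRYPTO-4-RECVD_PKT_NOT_IPSEC with prot= 47, means one peer is still sending plain GRE while the other already expects IPsec, which is exactly what happens when `tunnel protection ipsec profile` is applied on only one side of the tunnel. The following is an added Python example (not code from anyone in this thread) that parses that syslog line to name the peer sending cleartext, and audits a sanitized IOS config for tunnel interfaces that lack tunnel protection or reference an undefined profile; it also flags the legacy settings visible in the posted configs (3DES, MD5, DH group 2, a wildcard pre-shared key). The two configs and the one-line log are constructed samples modelled on the thread, not the poster's actual devices.

```python
"""Audit sanitized IOS DMVPN configs for a GRE tunnel without 'tunnel protection'
and decode the %CRYPTO-4-RECVD_PKT_NOT_IPSEC message the far side logs when plain
GRE (IP protocol 47) arrives where IPsec was expected.  Added example, not the
list posters' code; all sample data below is constructed."""
import re
from typing import Dict, List, Optional

# Constructed hub config modelled on the thread: deliberately missing
# 'tunnel protection' on Tunnel1 so the audit has something to find.
HUB_CONFIG = """\
crypto isakmp policy 11
 authentication pre-share
 group 2
crypto isakmp key scpckey address 0.0.0.0 0.0.0.0
crypto ipsec transform-set scpcvpnset esp-3des esp-md5-hmac
crypto ipsec profile scpcprof
 set transform-set scpcvpnset
!
interface Tunnel1
 ip address 10.204.2.1 255.255.255.0
 ip nhrp network-id 11
 tunnel source 10.200.102.1
 tunnel mode gre multipoint
 tunnel key 11
!
"""

# Constructed spoke config: protection applied and the profile it names exists.
SPOKE_CONFIG = """\
crypto ipsec transform-set scpcvpnset esp-3des esp-md5-hmac
crypto ipsec profile scpcprof
 set transform-set scpcvpnset
!
interface Tunnel1
 ip address 10.204.2.2 255.255.255.0
 ip nhrp nhs 10.204.2.1
 tunnel source 172.28.5.138
 tunnel destination 10.200.102.1
 tunnel key 11
 tunnel protection ipsec profile scpcprof
!
"""

# One-line form of the syslog message quoted in the thread (constructed).
SAMPLE_LOG = ("May 26 17:59:46.892 gmt: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not "
              "an IPSEC packet. (ip) vrf/dest_addr= /172.28.5.138, src_addr= 10.200.102.1, prot= 47")

LOG_RE = re.compile(r"%CRYPTO-4-RECVD_PKT_NOT_IPSEC:.*?dest_addr=\s*/?([\d.]+),"
                    r"\s*src_addr=\s*([\d.]+),\s*prot=\s*(\d+)")


def parse_not_ipsec_log(line: str) -> Optional[Dict[str, object]]:
    """Pull peer addresses and IP protocol out of the message.  src_addr is the
    peer that is still sending the tunnel unencrypted; prot 47 is GRE."""
    m = LOG_RE.search(line)
    if not m:
        return None
    proto = int(m.group(3))
    return {"dest": m.group(1), "src": m.group(2), "proto": proto, "cleartext_gre": proto == 47}


def parse_sections(config: str) -> Dict[str, List[str]]:
    """Group indented sub-commands under their parent line (IOS indents with one space)."""
    sections: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
        elif raw.startswith(" "):
            if current is not None:
                sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections.setdefault(current, [])
    return sections


def audit(config: str) -> List[str]:
    """Return human-readable findings for one device; an empty list means clean."""
    sections = parse_sections(config)
    profiles = {n.split()[-1] for n in sections if n.startswith("crypto ipsec profile ")}
    findings: List[str] = []
    for name, cmds in sections.items():
        words = name.split()
        if name.startswith("interface Tunnel"):
            iface = words[1]
            mode = next((c for c in cmds if c.startswith("tunnel mode")), "tunnel mode gre ip")
            if "ipsec" in mode:
                continue  # VTI (tunnel mode ipsec ipv4): encryption is part of the mode
            prot = next((c for c in cmds if c.startswith("tunnel protection ipsec profile")), None)
            if prot is None:
                findings.append(f"{iface}: no tunnel protection, GRE leaves this box in cleartext")
            elif prot.split()[4] not in profiles:
                findings.append(f"{iface}: undefined ipsec profile {prot.split()[4]}")
        elif name.startswith("crypto ipsec transform-set"):
            for alg in words[4:]:
                if any(weak in alg for weak in ("des", "md5")):
                    findings.append(f"{words[3]}: legacy algorithm {alg}")
        elif name.startswith("crypto isakmp key") and name.endswith("address 0.0.0.0 0.0.0.0"):
            findings.append("wildcard pre-shared key: one secret accepted from any peer address")
        elif name.startswith("crypto isakmp policy"):
            for c in cmds:
                if c in ("group 1", "group 2"):
                    findings.append(f"{name}: weak DH {c}")
    return findings


if __name__ == "__main__":
    print("log:", parse_not_ipsec_log(SAMPLE_LOG))
    for side, cfg in (("hub", HUB_CONFIG), ("spoke", SPOKE_CONFIG)):
        for f in audit(cfg):
            print(f"{side}: {f}")
```

Run it over the real configs from both ends of a tunnel after sanitizing them; the hub in the sample reports Tunnel1 without protection, which is the one-sided state the thread's log describes, while the spoke only gets the legacy-algorithm findings. After the missing `tunnel protection` line is added, bouncing both tunnel interfaces as suggested above forces a fresh IKE negotiation rather than waiting for stale state to expire.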
Received on Wed May 27 2009 - 13:25:42 ART

This archive was generated by hypermail 2.2.0 : Mon Jun 01 2009 - 07:04:43 ART