RE: Issues with IPSEC over DMVPN on 7604 Router

From: Thomas Renzy (threnzy) <threnzy_at_cisco.com>
Date: Wed, 27 May 2009 07:48:32 -0700

Hello Olumayokun,

Please try removing the command "tunnel key 11" from the 7604 on the
Tunnel 1 interface.

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/hardware/Config_Notes/78_14459.html

"The following options are not supported: checksum enabled, sequence
check enabled, tunnel key feature configured, and IP security options.
If any of these options are specified, the VPN module will not seize the
GRE tunnel."

Also, please remove the EIGRP summary address commands as well. EIGRP
summarization is used in DMVPN phase 3 which is currently not supported
on the 7600/6500 platforms.

Hope this helps.

Thomas

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
olumayokun fowowe
Sent: Wednesday, May 27, 2009 2:31 AM
To: Farrukh Haroon
Cc: Cisco certification
Subject: Re: Issues with IPSEC over DMVPN on 7604 Router

Hello Farrukh

This same config worked when I used a 2800 series as the hub router but
didn't work when I replaced the 2800 router with a 7604 router.
HUB
===
crypto isakmp policy 11
 authentication pre-share
 group 2

crypto isakmp key scpckey address 0.0.0.0 0.0.0.0

crypto ipsec transform-set scpcvpnset esp-3des esp-md5-hmac

crypto ipsec profile scpcprof
 set transform-set scpcvpnset

int tunnel 1
ip add y.y.2.1 255.255.255.0
Description HQ DMVPN tunnel to Spoke
no ip redirects
ip nhrp authentication SCPC
ip nhrp map multicast dynamic
ip nhrp network-id 11
no ip split-horizon eigrp 10
ip summary-address eigrp 10 x.31.0.0 255.255.0.0
ip summary-address eigrp 10 x.29.0.0 255.255.0.0
ip summary-address eigrp 10 x.28.0.0 255.255.0.0
ip summary-address eigrp 10 x.22.0.0 255.255.0.0
tunnel source c.d.102.1
tunnel mode gre multipoint
tunnel key 11

router eigrp 10
network y.y.2.0 0.0.0.255
no auto-summary

spoke
======

crypto isakmp policy 11
 authentication pre-share
 group 2

crypto isakmp key scpckey address 0.0.0.0 0.0.0.0

crypto ipsec transform-set scpcvpnset esp-3des esp-md5-hmac

crypto ipsec profile scpcprof
 set transform-set scpcvpnset

int tunnel 1
description spoke DMVPN tunnel to HQ
ip add y.y.2.2 255.255.255.0
ip nhrp authentication SCPC
ip nhrp map multicast c.d.102.1
ip nhrp map y.y.2.1 c.d.102.1
ip nhrp nhs 10.204.2.1
ip nhrp network-id 11
ip nhrp registration timeout 30
ip nhrp holdtime 300
tunnel source a.b.5.138
tunnel destination c.d.102.1
tunnel key 11

router eigrp 10
network y.y.2.0 0.0.0.255
no auto-summary

On Wed, May 27, 2009 at 12:47 AM, Farrukh Haroon
<farrukhharoon_at_gmail.com>wrote:

> It appears the other side is still sending non-encrypted GRE packets.
> Did you try to remove and re-apply the crypto map or shut/no shut the
> tunnel interface (in case of VTI profiles)? This is on the remote
> side having the IP 10.200.102.1.
>
> If possible, please post the sanitized configs.
>
> Regards
>
> Farrukh
>
> On Wed, May 27, 2009 at 10:21 AM, olumayokun fowowe <olumayokun_at_gmail.com> wrote:
>
>> Hello all,
>>
>> Has anybody implemented DMVPN with IPSEC on a 7604 router
>> successfully? I recently deployed with a 7604 router as the hub and a
>> mixture of 2800, 1800 and 2600 series routers as spokes. The DMVPN
>> implementation was successful but when I implemented IPSEC over the
>> implementation, I had the following error:
>>
>> ABC_RT(config)#int tunnel 1
>> ABC_RT(config-if)#tunnel protection ipsec profile scpcprof
>> ABC_RT(config-if)#
>> May 26 17:59:46.848 gmt: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
>> May 26 17:59:46.892 gmt: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
>> (ip) vrf/dest_addr= /172.28.5.138, src_addr= 10.200.102.1, prot= 47
>> ABC_RT(config-if)#
>> May 26 17:59:57.152 gmt: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 10: Neighbor
>> 10.204.2.1 (Tunnel1) is down: holding time expired
>>
>>
>> I replaced the 7604 router with a 2800 series router and the whole
>> implementation was successful with IPSEC over the DMVPN. The IOS
>> image I have on the 7604 is:
>> c7600rsp72043-advipservicesk9-mz.122-33.SRC3.bin and I have a mixture
>> of 12.3 and 12.4 images on the spokes. The following is a show
>> version output on the 7604 router:
>>
>> ABC_RT#show version
>> Cisco IOS Software, c7600rsp72043_rp Software
>> (c7600rsp72043_rp-ADVIPSERVICESK9-M), Version 12.2(33)SRC3, RELEASE
>> SOFTWARE
>> (fc2)
>> Technical Support: http://www.cisco.com/techsupport
>> Copyright (c) 1986-2008 by Cisco Systems, Inc.
>> Compiled Tue 16-Dec-08 09:49 by prod_rel_team
>> ROM: System Bootstrap, Version 12.2(33r)SRD2, RELEASE SOFTWARE (fc1)
>>
>> 7604_Router uptime is 13 hours, 26 minutes
>> Uptime for this control processor is 13 hours, 27 minutes
>> System returned to ROM by s/w reset (SP by power-on)
>> System image file is "bootdisk:c7600rsp72043-advipservicesk9-mz.122-33.SRC3.bin"
>> Last reload type: Normal Reload
>>
>> This product contains cryptographic features and is subject to United
>> States and local country laws governing import, export, transfer and
>> use. Delivery of Cisco cryptographic products does not imply
>> third-party authority to import, export, distribute or use encryption.
>> Importers, exporters, distributors and users are responsible for
>> compliance with U.S. and local country laws. By using this product
>> you agree to comply with applicable laws and regulations. If you are
>> unable to comply with U.S. and local laws, return this product immediately.
>> A summary of U.S. laws governing Cisco cryptographic products may be found at:
>> http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
>> If you require further assistance please contact us by sending email
>> to export_at_cisco.com.
>> Cisco CISCO7604 (M8500) processor (revision 2.0) with
>> 1835008K/131072K bytes of memory.
>> Processor board ID FOX1247H11N
>> BASEBOARD: RSP720
>> CPU: MPC8548_E, Version: 2.0, (0x80390020)
>> CORE: E500, Version: 2.0, (0x80210020) CPU:1200MHz, CCB:400MHz,
>> DDR:200MHz,
>> L1: D-cache 32 kB enabled
>> I-cache 32 kB enabled
>> Last reset from power-on
>> 1 SSC-400 controller (1 IPSEC).
>> 1 Virtual Ethernet interface
>> 52 Gigabit Ethernet interfaces
>> 3964K bytes of non-volatile configuration memory.
>> 507024K bytes of Internal ATA PCMCIA card (Sector size 512 bytes).
>> Configuration register is 0x2102
>> ABC_RT#
>> Does anybody have an idea about what might be wrong? The 7604 router
>> has a VPN module whose status shows as on. Do I have to enter
>> any command to make the VPN module functional?
>>
>> I will appreciate your contributions.
>>
>> 'Mayokun
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
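
As an added example (not from the thread, Cisco, or the groupstudy list), a small Python checker that applies the advice in Thomas's reply to a pasted hub config: it flags the tunnel options the linked 6500/7600 config note lists as unsupported for VPN-module takeover of a GRE tunnel, plus EIGRP summary addresses on the tunnel, and emits the matching `no` commands. The mapping of the note's "checksum enabled" and "sequence check enabled" to the IOS keywords `tunnel checksum` and `tunnel sequence-datagrams` is this example's assumption; the sample config is the hub's Tunnel 1 block as posted, trimmed and put one command per line.

```python
# Tunnel options the 6500/7600 config note quoted in the reply lists as
# unsupported for VPN-module takeover of a GRE tunnel, keyed by the IOS
# keyword that enables each (keyword mapping is this example's assumption).
UNSUPPORTED_TUNNEL_OPTIONS = {
    "tunnel key": "tunnel key feature configured",
    "tunnel checksum": "checksum enabled",
    "tunnel sequence-datagrams": "sequence check enabled",
}
SUMMARY = "ip summary-address eigrp"  # DMVPN phase 3 feature, unsupported on 7600/6500
TOP_LEVEL = ("router ", "crypto ", "line ", "end")  # keywords that close an interface block

# Constructed sample: the hub's Tunnel 1 block as posted, one command per line.
HUB_CONFIG = """\
int tunnel 1
ip nhrp network-id 11
no ip split-horizon eigrp 10
ip summary-address eigrp 10 x.31.0.0 255.255.0.0
ip summary-address eigrp 10 x.29.0.0 255.255.0.0
tunnel mode gre multipoint
tunnel key 11
router eigrp 10
"""

def interface_blocks(config):
    """Group commands under their interface; handles the unindented paste from the thread."""
    blocks, current = {}, None
    for line in (l.strip() for l in config.splitlines()):
        if line.lower().startswith(("interface ", "int ")):
            current = "".join(line.split()[1:]).lower()  # "int tunnel 1" -> "tunnel1"
            blocks[current] = []
        elif line.startswith(TOP_LEVEL):
            current = None
        elif current and line and not line.startswith("!"):
            blocks[current].append(line)
    return blocks

def check_7600_dmvpn_hub(config):
    """Return (findings, 'no ...' commands) for the options the reply says to remove."""
    findings, fixes = [], []
    tunnels = {n: l for n, l in interface_blocks(config).items() if n.startswith("tunnel")}
    for name, lines in tunnels.items():
        for line in lines:
            reason = next((r for k, r in UNSUPPORTED_TUNNEL_OPTIONS.items()
                           if line.startswith(k)), None)
            if line.startswith(SUMMARY):
                reason = "EIGRP summarization is DMVPN phase 3, unsupported on 7600/6500"
            if reason:
                findings.append(f"{name}: {line!r}: {reason}")
                fixes.append(f"no {line}")
    return findings, fixes
```

Running `check_7600_dmvpn_hub(HUB_CONFIG)` on the sample yields the three `no` commands to paste under `int tunnel 1` before re-applying `tunnel protection`; the NHRP and split-horizon lines pass untouched.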

Received on Wed May 27 2009 - 07:48:32 ART

This archive was generated by hypermail 2.2.0 : Mon Jun 01 2009 - 07:04:43 ART