Re: Issues with IPSEC over DMVPN on 7604 Router

From: olumayokun fowowe <olumayokun_at_gmail.com>
Date: Thu, 28 May 2009 04:22:32 -0700

Hello Thomas,

Thanks for the URL you posted. I found it very helpful in resolving the
issues that I have. For record purposes, I think everybody should know that
the way IPSEC over DMVPN is done on the 6500 and 7600 series (with VPN module)
is different from how it is done on other routers. After a successful
implementation, I still had issues with flapping EIGRP neighbors, but that
was resolved as soon as I upgraded the image on the 7600 to the latest image
from cisco.com.

Moreover, what I am concerned with now is how to implement QoS on DMVPN
tunnels on the 7604 router. It seems that this is not supported!

Input will be appreciated,

'Mayokun

On Wed, May 27, 2009 at 7:48 AM, Thomas Renzy (threnzy)
<threnzy_at_cisco.com>wrote:

> Hello Olumayokun,
>
> Please try removing the command "tunnel key 11" from the 7604 on the
> Tunnel 1 interface.
>
> http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/hardware/Config_Notes/78_14459.html
>
> "The following options are not supported: checksum enabled, sequence
> check enabled, tunnel key feature configured, and IP security options.
> If any of these options are specified, the VPN module will not seize the
> GRE tunnel. "
>
> Also, please remove the EIGRP summary address commands as well. EIGRP
> summarization is used in DMVPN phase 3 which is currently not supported
> on the 7600/6500 platforms.
>
> Hope this helps.
>
> Thomas
>
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> olumayokun fowowe
> Sent: Wednesday, May 27, 2009 2:31 AM
> To: Farrukh Haroon
> Cc: Cisco certification
> Subject: Re: Issues with IPSEC over DMVPN on 7604 Router
>
> Hello Farrukh
>
> This same config worked when I used a 2800 series as the hub router but
> didn't work when I replaced the 2800 router with a 7604 router.
> HUB
> ===
> crypto isakmp policy 11
> authentication pre-share
> group 2
>
> crypto isakmp key scpckey address 0.0.0.0 0.0.0.0
>
> crypto ipsec transform-set scpcvpnset esp-3des esp-md5-hmac
>
> crypto ipsec profile scpcprof
> set transform-set scpcvpnset
>
> int tunnel 1
> ip add y.y.2.1 255.255.255.0
> description HQ DMVPN tunnel to Spoke
> no ip redirects
> ip nhrp authentication SCPC
> ip nhrp map multicast dynamic
> ip nhrp network-id 11
> no ip split-horizon eigrp 10
> ip summary-address eigrp 10 x.31.0.0 255.255.0.0
> ip summary-address eigrp 10 x.29.0.0 255.255.0.0
> ip summary-address eigrp 10 x.28.0.0 255.255.0.0
> ip summary-address eigrp 10 x.22.0.0 255.255.0.0
> tunnel source c.d.102.1
> tunnel mode gre multipoint
> tunnel key 11
>
> router eigrp 10
> network y.y.2.0 0.0.0.255
> no auto-summary
>
>
> spoke
> ======
>
> crypto isakmp policy 11
> authentication pre-share
> group 2
>
> crypto isakmp key scpckey address 0.0.0.0 0.0.0.0
>
> crypto ipsec transform-set scpcvpnset esp-3des esp-md5-hmac
>
> crypto ipsec profile scpcprof
> set transform-set scpcvpnset
>
> int tunnel 1
> description spoke DMVPN tunnel to HQ
> ip add y.y.2.2 255.255.255.0
> ip nhrp authentication SCPC
> ip nhrp map multicast c.d.102.1
> ip nhrp map y.y.2.1 c.d.102.1
> ip nhrp nhs 10.204.2.1
> ip nhrp network-id 11
> ip nhrp registration timeout 30
> ip nhrp holdtime 300
> tunnel source a.b.5.138
> tunnel destination c.d.102.1
> tunnel key 11
>
> router eigrp 10
> network y.y.2.0 0.0.0.255
> no auto-summary
>
>
>
>
> On Wed, May 27, 2009 at 12:47 AM, Farrukh Haroon
> <farrukhharoon_at_gmail.com>wrote:
>
> > It appears the other side is still sending non-encrypted GRE packets.
> > Did you try to remove and re-apply the crypto map or shut/no shut the
> > tunnel interface (in case of VTI profiles)? This is on the remote
> > side having the IP 10.200.102.1.
> >
> > If possible, please post the sanitized configs.
> >
> > Regards
> >
> > Farrukh
> >
> > On Wed, May 27, 2009 at 10:21 AM, olumayokun fowowe <
> > olumayokun_at_gmail.com> wrote:
> >
> >> Hello all,
> >>
> >> Has anybody implemented DMVPN with IPSEC on a 7604 router
> >> successfully? I recently deployed with a 7604 router as the hub and a
> >> mixture of 2800, 1800 and 2600 series routers as spokes. The DMVPN
> >> implementation was successful, but when I implemented IPSEC over the
> >> implementation, I had the following error:
> >>
> >> ABC_RT(config)#int tunnel 1
> >> ABC_RT(config-if)#tunnel protection ipsec profile scpcprof
> >> ABC_RT(config-if)#
> >> May 26 17:59:46.848 gmt: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
> >> May 26 17:59:46.892 gmt: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
> >> (ip) vrf/dest_addr= /172.28.5.138, src_addr= 10.200.102.1, prot= 47
> >> ABC_RT(config-if)#
> >> May 26 17:59:57.152 gmt: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 10: Neighbor
> >> 10.204.2.1 (Tunnel1) is down: holding time expired
> >>
> >>
> >> I replaced the 7604 router with a 2800 series router and the whole
> >> implementation was successful with IPSEC over the DMVPN. The IOS
> >> image I have on the 7604 is:
> >> c7600rsp72043-advipservicesk9-mz.122-33.SRC3.bin and I have a mixture
> >> of 12.3 and 12.4 images on the spokes. The following is a show
> >> version output on the 7604 router:
> >>
> >> ABC_RT#show version
> >> Cisco IOS Software, c7600rsp72043_rp Software (c7600rsp72043_rp-ADVIPSERVICESK9-M), Version 12.2(33)SRC3, RELEASE SOFTWARE (fc2)
> >> Technical Support: http://www.cisco.com/techsupport
> >> Copyright (c) 1986-2008 by Cisco Systems, Inc.
> >> Compiled Tue 16-Dec-08 09:49 by prod_rel_team
> >> ROM: System Bootstrap, Version 12.2(33r)SRD2, RELEASE SOFTWARE (fc1)
> >>
> >> 7604_Router uptime is 13 hours, 26 minutes
> >> Uptime for this control processor is 13 hours, 27 minutes
> >> System returned to ROM by s/w reset (SP by power-on)
> >> System image file is "bootdisk:c7600rsp72043-advipservicesk9-mz.122-33.SRC3.bin"
> >> Last reload type: Normal Reload
> >>
> >> This product contains cryptographic features and is subject to United
> >> States and local country laws governing import, export, transfer and
> >> use. Delivery of Cisco cryptographic products does not imply
> >> third-party authority to import, export, distribute or use encryption.
> >> Importers, exporters, distributors and users are responsible for
> >> compliance with U.S. and local country laws. By using this product
> >> you agree to comply with applicable laws and regulations. If you are
> >> unable to comply with U.S. and local laws, return this product immediately.
> >> A summary of U.S. laws governing Cisco cryptographic products may be
> >> found at:
> >> http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
> >> If you require further assistance please contact us by sending email
> >> to export_at_cisco.com.
> >> Cisco CISCO7604 (M8500) processor (revision 2.0) with
> >> 1835008K/131072K bytes of memory.
> >> Processor board ID FOX1247H11N
> >> BASEBOARD: RSP720
> >> CPU: MPC8548_E, Version: 2.0, (0x80390020)
> >> CORE: E500, Version: 2.0, (0x80210020) CPU:1200MHz, CCB:400MHz,
> >> DDR:200MHz,
> >> L1: D-cache 32 kB enabled
> >> I-cache 32 kB enabled
> >> Last reset from power-on
> >> 1 SSC-400 controller (1 IPSEC).
> >> 1 Virtual Ethernet interface
> >> 52 Gigabit Ethernet interfaces
> >> 3964K bytes of non-volatile configuration memory.
> >> 507024K bytes of Internal ATA PCMCIA card (Sector size 512 bytes).
> >> Configuration register is 0x2102
> >> ABC_RT#
> >> Does anybody have an idea about what might be wrong? The 7604 router
> >> has a VPN module whose status is showing as on. Do I have to enter
> >> any command to make the VPN module functional?
> >>
> >> I will appreciate your contributions.
> >>
> >> 'Mayokun
> >>
> >>
> >> Blogs and organic groups at http://www.ccie.net
> >>
> >> _______________________________________________________________________
> >> Subscription information may be found at:
> >> http://www.groupstudy.com/list/CCIELab.html
>

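The fix in Thomas's reply comes down to a configuration rule: with the 6500/7600 VPN module, a GRE tunnel that carries a tunnel key, GRE checksum or sequence check is never seized by the module, so the hub keeps sending plain GRE (IP protocol 47) and the spoke logs %CRYPTO-4-RECVD_PKT_NOT_IPSEC, exactly the symptom in the first message. The following Python script, added here as an editor's example and not Cisco tooling or anything posted in the thread, lints an IOS tunnel-interface excerpt for those options (plus the EIGRP summary-address lines the reply says are unsupported on 7600/6500) and parses the RECVD_PKT_NOT_IPSEC message to confirm that the peer is sending unencrypted GRE. The sample config and syslog are constructed from the thread's sanitized hub config and log output; the wildcard pre-shared key check (`crypto isakmp key ... address 0.0.0.0 0.0.0.0`) is an editor's caveat not raised by any participant, since any peer that knows the key can negotiate ISAKMP with the hub. Function and constant names are the example's own.

```python
"""Lint a DMVPN hub/spoke tunnel configuration against the GRE-tunnel
restrictions of the Catalyst 6500 / 7600 VPN module quoted in this thread,
and parse the %CRYPTO-4-RECVD_PKT_NOT_IPSEC message a peer logs when the
other side keeps sending plain GRE.  Added example; not Cisco tooling."""
import re

# Options the Cisco 6500 config note says keep the VPN module from seizing a
# GRE tunnel (checksum, sequence check, tunnel key), plus EIGRP summarization
# (DMVPN phase 3), which the reply says is unsupported on 7600/6500.
VPN_MODULE_UNSUPPORTED = {
    "tunnel key": "tunnel key",
    "tunnel checksum": "GRE checksum",
    "tunnel sequence-datagrams": "GRE sequence check",
    "ip summary-address eigrp": "EIGRP summarization (DMVPN phase 3)",
}
TOP_LEVEL = ("interface", "int ", "router ", "crypto ", "end")
IFACE_RE = re.compile(r"(?:int|interface)\s+([a-z]+)\s*(\d+(?:[./]\d+)*)$", re.I)


def parse_interfaces(config):
    """Return {interface name: [sub-commands]} from an (un)indented IOS excerpt.
    A block ends at a blank line or at the next top-level command."""
    blocks, current = {}, None
    for line in config.splitlines():
        line = line.strip()
        if not line or line.startswith("!"):
            current = None
            continue
        m = IFACE_RE.match(line)
        if m:  # "int tunnel 1" and "interface Tunnel1" both become "Tunnel1"
            current = m.group(1)[0].upper() + m.group(1)[1:] + m.group(2)
            blocks[current] = []
        elif current is not None and not line.lower().startswith(TOP_LEVEL):
            blocks[current].append(line.lower())
        else:
            current = None
    return blocks


def lint_tunnel(name, cmds):
    """Findings for one tunnel interface as (severity, message) pairs."""
    findings = []
    for cmd in cmds:
        for prefix, what in VPN_MODULE_UNSUPPORTED.items():
            if cmd.startswith(prefix):
                findings.append(("error", f"{name}: '{cmd}': {what} is not supported "
                                          "with the 6500/7600 VPN module"))
    if not any(c.startswith("tunnel protection ipsec profile") for c in cmds):
        findings.append(("warn", f"{name}: no 'tunnel protection'; GRE (IP protocol 47) "
                                 "leaves this router in the clear"))
    return findings


def lint_config(config):
    findings = []
    # Editor's caveat, not raised in the thread: a wildcard pre-shared key lets
    # any peer that knows the key negotiate ISAKMP with this router.
    for m in re.finditer(r"^crypto isakmp key\s+\S+\s+address\s+0\.0\.0\.0\s+0\.0\.0\.0",
                         config, re.M):
        findings.append(("warn", f"global: wildcard pre-shared key: '{m.group(0)}'"))
    for name, cmds in parse_interfaces(config).items():
        if name.startswith("Tunnel"):
            findings.extend(lint_tunnel(name, cmds))
    return findings


NOT_IPSEC_RE = re.compile(
    r"%CRYPTO-4-RECVD_PKT_NOT_IPSEC:.*?dest_addr=\s*\S*?/(?P<dst>[\d.]+),"
    r"\s*src_addr=\s*(?P<src>[\d.]+),\s*prot=\s*(?P<prot>\d+)", re.S)


def parse_not_ipsec(syslog):
    """Extract src, dst and IP protocol from a RECVD_PKT_NOT_IPSEC message
    (the message may wrap across lines, as it does in the thread)."""
    m = NOT_IPSEC_RE.search(syslog)
    if not m:
        return None
    prot = int(m.group("prot"))
    return {"src": m.group("src"), "dst": m.group("dst"), "prot": prot,
            "plain_gre": prot == 47}  # 47 = GRE: the peer is not encrypting


# Constructed samples: a trimmed copy of the hub config as posted (sanitized
# placeholders kept) and the syslog lines from the original message.
HUB_CONFIG = """\
crypto isakmp key scpckey address 0.0.0.0 0.0.0.0

crypto ipsec profile scpcprof
set transform-set scpcvpnset

int tunnel 1
ip add y.y.2.1 255.255.255.0
ip nhrp map multicast dynamic
ip nhrp network-id 11
ip summary-address eigrp 10 x.31.0.0 255.255.0.0
ip summary-address eigrp 10 x.29.0.0 255.255.0.0
tunnel source c.d.102.1
tunnel mode gre multipoint
tunnel key 11

router eigrp 10
network y.y.2.0 0.0.0.255
"""
# The hub as corrected in the reply: tunnel key and summary-addresses removed
# and the IPsec profile actually bound to the tunnel.
HUB_FIXED = "\n".join(
    l for l in HUB_CONFIG.splitlines()
    if not l.startswith(("tunnel key", "ip summary-address"))
).replace("tunnel mode gre multipoint",
          "tunnel mode gre multipoint\ntunnel protection ipsec profile scpcprof")
SAMPLE_LOG = """\
May 26 17:59:46.848 gmt: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
May 26 17:59:46.892 gmt: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
(ip) vrf/dest_addr= /172.28.5.138, src_addr= 10.200.102.1,
prot= 47
"""

if __name__ == "__main__":
    for sev, msg in lint_config(HUB_CONFIG):
        print(f"[{sev}] {msg}")
    print(parse_not_ipsec(SAMPLE_LOG))
```

Run against the posted hub config the linter reports the tunnel key and summary-address lines as errors and warns that no IPsec profile is bound to Tunnel1; against the corrected config only the wildcard-key caveat remains. A `prot` of 47 in the parsed log, with the remote hub's source address, is the confirmation Farrukh was asking for: the far side is still sending GRE outside IPsec.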
Received on Thu May 28 2009 - 04:22:32 ART

This archive was generated by hypermail 2.2.0 : Mon Jun 01 2009 - 07:04:43 ART