Fwd: Issues with IPSEC over DMVPN on 7604 Router

From: olumayokun fowowe <olumayokun_at_gmail.com>
Date: Mon, 29 Jun 2009 01:04:00 -0700

---------- Forwarded message ----------
From: olumayokun fowowe <olumayokun_at_gmail.com>
Date: Thu, May 28, 2009 at 4:58 AM
Subject: Re: Issues with IPSEC over DMVPN on 7604 Router
To: Dale Shaw <dale.shaw_at_gmail.com>
Cc: Cisco certification <ccielab_at_groupstudy.com>

Hello All,
As per Dale's request, find below the config that eventually worked.
The 7604 router is being used at the hub. The config on the spokes remains
unchanged. The VPN module is on slot 3.

HUB (7604)
===
crypto isakmp policy 11
 authentication pre-share
 group 2
crypto isakmp key scpckey address 0.0.0.0 0.0.0.0
crypto ipsec transform-set scpcvpnset esp-3des esp-md5-hmac
crypto ipsec profile scpcprof
 set transform-set scpcvpnset

int tunnel 1
ip add y.y.2.1 255.255.255.0
Description HQ DMVPN tunnel to Spoke
no ip redirects
ip nhrp authentication SCPC
ip nhrp map multicast dynamic
ip nhrp network-id 11
ip nhrp holdtime 60
no ip split-horizon eigrp 10
ip summary-address eigrp 10 x.31.0.0 255.255.0.0
ip summary-address eigrp 10 x.29.0.0 255.255.0.0
ip summary-address eigrp 10 x.28.0.0 255.255.0.0
ip summary-address eigrp 10 x.22.0.0 255.255.0.0
tunnel source c.d.102.1
tunnel mode gre multipoint
tunnel key 11
crypto engine slot 3/0

int vlan 20
ip address c.d.102.1
crypto engine slot 3/0

int giga 2/20
description WAN interface
crypto connect vlan 20

! I had to create a vlan and move the WAN ip from the physical interface to
! the vlan interface

router eigrp 10
network y.y.2.0 0.0.0.255
no auto-summary

spoke
======
crypto isakmp policy 11
 authentication pre-share
 group 2
crypto isakmp key scpckey address 0.0.0.0 0.0.0.0
crypto ipsec transform-set scpcvpnset esp-3des esp-md5-hmac
crypto ipsec profile scpcprof
 set transform-set scpcvpnset
int tunnel 1
description spoke DMVPN tunnel to HQ
ip add y.y.2.2 255.255.255.0
ip nhrp authentication SCPC
ip nhrp map multicast c.d.102.1
ip nhrp map y.y.2.1 c.d.102.1
ip nhrp nhs 10.204.2.1
ip nhrp network-id 11
ip nhrp registration timeout 30
ip nhrp holdtime 60
tunnel source a.b.5.138
tunnel destination c.d.102.1
tunnel key 11
router eigrp 10
network y.y.2.0 0.0.0.255
no auto-summary

  On Thu, May 28, 2009 at 4:32 AM, Dale Shaw <dale.shaw_at_gmail.com> wrote:

> Hi,
>
> On Thu, May 28, 2009 at 9:22 PM, olumayokun fowowe <olumayokun_at_gmail.com>
> wrote:
> > but that was resolved as soon as I upgraded the image on the 7600
> > to the latest image from cisco.com.
>
> Would you mind posting the configs that worked in the end?
>
> Everyone will benefit from your effort as long as you provide full
> details of the working solution.
>
> I'm interested because we have a number of 7200 routers in our DMVPN
> environment that are pushed to their limit. The logical progression is
> 7600 series (before considering ASR), but as you've discovered, there
> are many platform-specific limitations/gotchas.
>
> cheers,
> Dale

Received on Mon Jun 29 2009 - 01:04:00 ART
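
An added example, not part of the original message and not Cisco tooling: a small Python check run over the hub configuration as posted above, flagging the wildcard pre-shared key, legacy algorithms (3DES, MD5, DH group 2), and an IPsec profile that no line in the post applies with `tunnel protection ipsec profile`. The function name `audit` and the finding labels are assumptions of this example.

```python
import re

# Crypto-relevant lines of the hub config, copied from the message above
# (addresses were already masked by the poster).
POSTED_HUB = """\
crypto isakmp policy 11
 authentication pre-share
 group 2
crypto isakmp key scpckey address 0.0.0.0 0.0.0.0
crypto ipsec transform-set scpcvpnset esp-3des esp-md5-hmac
crypto ipsec profile scpcprof
 set transform-set scpcvpnset
int tunnel 1
ip nhrp authentication SCPC
tunnel mode gre multipoint
tunnel key 11
crypto engine slot 3/0
"""

# Algorithms and DH groups treated as legacy by this example (assumed policy).
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "ah-md5-hmac"}
WEAK_DH = {"1", "2", "5"}

def audit(config):
    """Return a sorted list of finding labels for an IOS config fragment."""
    findings, profiles, applied, ctx = set(), set(), set(), None
    for line in (l.strip().lower() for l in config.splitlines()):
        if line.startswith("crypto isakmp policy"):
            ctx = "isakmp"                      # sub-commands belong to the policy
        elif re.match(r"(crypto|int\w*|router)\s", line):
            ctx = None                          # any other top-level block ends it
        if re.match(r"crypto isakmp key \S+ address 0\.0\.0\.0( 0\.0\.0\.0)?$", line):
            findings.add("wildcard-psk")        # key accepted from any peer address
        if (m := re.match(r"group (\d+)$", line)) and ctx == "isakmp" and m[1] in WEAK_DH:
            findings.add(f"weak-dh-group:{m[1]}")
        if m := re.match(r"crypto ipsec transform-set \S+ (.+)$", line):
            findings.update(f"weak-transform:{t}" for t in m[1].split() if t in WEAK_TRANSFORMS)
        if m := re.match(r"crypto ipsec profile (\S+)$", line):
            profiles.add(m[1])
        if m := re.match(r"tunnel protection ipsec profile (\S+)", line):
            applied.add(m[1])
    # A profile that no tunnel interface references protects nothing.
    findings.update(f"profile-not-applied:{p}" for p in profiles - applied)
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(audit(POSTED_HUB)))
```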
