Marcin,
GET VPN Key Server (KS) cannot be configured on the DMVPN Hub, as the KS only
distributes Keys/SAs to the spokes and does not establish an IPSec SA with
the other group members (GM).
To make it work you should configure KS on dedicated router to send out
Keys/SAs to DMVPN Hub and Spokes and then spokes can use IPSec tunnels to
carry GRE traffic.
Nonetheless, your config has different tunnel keys and nhrp network-ids,
which effectively don't allow DMVPN to work. Also, the Hub's f0/0 interface is
shut down and there is a wrong crypto map applied to the spoke's f0/0
interface.
HTH,
--
Piotr Matusiak
CCIE #19860 (R&S, SEC)
Technical Instructor
MicronicsTraining.com

If you can't explain it simply, you don't understand it well enough - Albert Einstein

2009/11/20 Marcin Zgola <MZgola_at_netrixllc.com>

> Guys, trying to get GET VPN in the lab up and running. Just to understand
> basics of GET VPN.
>
> Here is my config. I can't get the tunnel interfaces to talk. I think my
> ACL is wrong, or maybe I am missing something totally different. I want to
> use GET VPN in DMVPN environment where DMVPN HUB will be a KEY SERVER as
> well.
>
> HUB:
> !
> !
> !
> !
> !
> !
> !
> !
> !
> crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
> !
> !
> crypto ipsec transform-set myset esp-aes 256 esp-sha-hmac
>  mode transport
> !
> crypto ipsec profile getvpn-profile
>  set transform-set myset
> !
> crypto gdoi group TEST-VPN
>  identity address ipv4 192.168.120.1
>  server local
>   rekey retransmit 10 number 2
>   rekey authentication mypubkey rsa rekey-rsa
>   rekey transport unicast
>   sa ipsec 1
>    profile getvpn-profile
>    match address ipv4 getvpn-traffic
>    replay time window-size 10
>   address ipv4 2.2.2.1
> !
> !
> interface Tunnel1
>  bandwidth 45000
>  ip address 192.168.120.1 255.255.252.0
>  no ip redirects
>  ip mtu 1400
>  ip nbar protocol-discovery
>  ip flow ingress
>  ip flow egress
>  no ip next-hop-self eigrp 100
>  ip pim sparse-dense-mode
>  ip nhrp authentication dmvpn
>  ip nhrp map multicast dynamic
>  ip nhrp network-id 101
>  ip nhrp holdtime 300
>  ip nhrp shortcut
>  ip nhrp redirect
>  no ip split-horizon eigrp 100
>  no ip mroute-cache
>  qos pre-classify
>  cdp enable
>  tunnel source FastEthernet0/0
>  tunnel mode gre multipoint
>  tunnel key 1001
>  tunnel path-mtu-discovery
> !
> interface FastEthernet0/0
>  ip address 2.2.2.1 255.255.255.0
>  duplex auto
>  shut
>
> interface GigabitEthernet1/0
>  ip address 10.0.0.1 255.0.0.0
> !
> router eigrp 100
>  network 10.0.0.0
>  network 192.168.0.0 0.0.255.255
>
> ip access-list extended getvpn-traffic
>  permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
>
> SPOKE
>
> crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
> !
> !
> crypto gdoi group TEST-VPN
>  identity address ipv4 192.168.120.1
>  server address ipv4 2.2.2.1
> !
> !
> crypto map TEST-VPN 1 gdoi
>  set group TEST-VPN
> !
> interface Tunnel1
>  bandwidth 1000
>  ip address 192.168.120.128 255.255.252.0
>  no ip redirects
>  no ip unreachables
>  no ip proxy-arp
>  ip flow ingress
>  ip pim sparse-dense-mode
>  ip nhrp authentication dmvpn
>  ip nhrp map multicast 2.2.2.1
>  ip nhrp map 192.168.120.1 2.2.2.1
>  ip nhrp network-id 100
>  ip nhrp holdtime 300
>  ip nhrp nhs 192.168.120.1
>  ip virtual-reassembly
>  ip summary-address eigrp 100 172.20.128.0 255.255.252.0 5
>  no ip mroute-cache
>  delay 1500
>  qos pre-classify
>  cdp enable
>  tunnel source FastEthernet0/0
>  tunnel mode gre multipoint
>  tunnel key 1000
>  tunnel path-mtu-discovery
> !
> interface FastEthernet0/0
>  ip address 2.2.2.2 255.255.255.0
>  duplex auto
>  speed auto
>  crypto map MCENERY-VPN
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

Received on Sat Nov 21 2009 - 01:24:29 ART
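A corrected layout along the lines Piotr describes, added here as an illustration and not taken from either post: the KS moves to a dedicated router, the hub and spokes become plain group members with the GDOI crypto map on an up f0/0, and the DMVPN tunnel parameters match on both ends. The KS address 2.2.2.254, the identity number 1234 and the ISAKMP policy are assumed values; the SA ACL matches GRE between the public addresses because the crypto map on f0/0 sees the GRE-encapsulated packets, not the 192.168.x.x tunnel addresses.

```ios
! ===== Key Server: dedicated router, assumed address 2.2.2.254 =====
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto ipsec transform-set myset esp-aes 256 esp-sha-hmac
crypto ipsec profile getvpn-profile
 set transform-set myset
! the rekey key pair must exist first (exec mode):
!   crypto key generate rsa general-keys label rekey-rsa modulus 1024
crypto gdoi group TEST-VPN
 identity number 1234
 server local
  rekey authentication mypubkey rsa rekey-rsa
  rekey transport unicast
  sa ipsec 1
   profile getvpn-profile
   match address ipv4 getvpn-traffic
  address ipv4 2.2.2.254
! encrypt the GRE packets between tunnel endpoints; GDOI (UDP 848)
! and ISAKMP are not matched, so registration stays in the clear
ip access-list extended getvpn-traffic
 permit gre 2.2.2.0 0.0.0.255 2.2.2.0 0.0.0.255
!
! ===== Hub and every spoke: group members only, no "server local" =====
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto gdoi group TEST-VPN
 identity number 1234
 server address ipv4 2.2.2.254
crypto map TEST-VPN 10 gdoi
 set group TEST-VPN
interface FastEthernet0/0
 ip address 2.2.2.1 255.255.255.0
 ! spoke: ip address 2.2.2.2 255.255.255.0
 no shutdown
 ! same map name on hub and spokes (not MCENERY-VPN)
 crypto map TEST-VPN
interface Tunnel1
 ! tunnel key and network-id must be identical on hub and spokes
 ip nhrp authentication dmvpn
 ip nhrp network-id 100
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1000
```

After the GMs register, `show crypto gdoi` on a member should list the KS as registered and `show crypto ipsec sa` should show the GRE ACL entries with packets encrypted.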
This archive was generated by hypermail 2.2.0 : Tue Dec 01 2009 - 06:36:29 ART