Below is the config,
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
!
!
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 11
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set DMVPN esp-3des esp-sha-hmac
mode transport
!
crypto ipsec profile DMVPN
set transform-set DMVPN
!
!
!
!
!
interface Tunnel0
ip address 123.123.123.1 255.255.255.0
no ip redirects
ip nhrp authentication cisco
ip nhrp map multicast dynamic
ip nhrp network-id 123
no ip split-horizon eigrp 10
no ip split-horizon
ip ospf network broadcast
tunnel source lo0
tunnel mode gre multipoint
tunnel key 123
tunnel protection ipsec profile DMVPN
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface Loopback1
ip address 150.1.1.1 255.255.255.255
!
interface Loopback2
ip address 191.1.1.1 255.255.255.255
!
interface Serial0/0
ip address 200.0.0.1 255.255.255.0
encapsulation frame-relay
serial restart-delay 0
no dce-terminal-timing-enable
frame-relay map ip 200.0.0.2 102 broadcast
frame-relay map ip 200.0.0.3 103 broadcast
no frame-relay inverse-arp
!
interface Serial0/1
no ip address
shutdown
serial restart-delay 0
no dce-terminal-timing-enable
!
interface Serial0/2
no ip address
shutdown
serial restart-delay 0
no dce-terminal-timing-enable
!
interface Serial0/3
no ip address
shutdown
serial restart-delay 0
no dce-terminal-timing-enable
!
router eigrp 10
network 123.0.0.0
network 150.1.0.0
no auto-summary
!
router ospf 1
log-adjacency-changes
network 123.123.123.1 0.0.0.0 area 0
network 191.1.1.1 0.0.0.0 area 0
!
router rip
version 2
network 1.0.0.0
network 200.0.0.0
no auto-summary
!
ip http server
no ip http secure-server
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
login
!
!
end
R2
R2(config-if)#do sh run
Building configuration...
Current configuration : 2093 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
!
!
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 11
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set DMVPN esp-3des esp-sha-hmac
mode transport
!
crypto ipsec profile DMVPN
set transform-set DMVPN
!
!
!
!
!
interface Tunnel0
ip address 123.123.123.2 255.255.255.0
no ip redirects
ip nhrp authentication cisco
ip nhrp map 123.123.123.1 200.0.0.1
ip nhrp map multicast 200.0.0.1
ip nhrp network-id 123
ip nhrp nhs 123.123.123.1
ip ospf network broadcast
ip ospf priority 0
tunnel source lo0
tunnel mode gre multipoint
tunnel key 123
tunnel protection ipsec profile DMVPN
!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
!
interface Loopback1
ip address 150.2.2.2 255.255.255.255
!
interface Loopback2
ip address 191.2.2.2 255.255.255.255
!
interface Serial0/0
ip address 200.0.0.2 255.255.255.0
encapsulation frame-relay
serial restart-delay 0
no dce-terminal-timing-enable
frame-relay map ip 200.0.0.1 201 broadcast
frame-relay map ip 200.0.0.3 201 broadcast
no frame-relay inverse-arp
!
interface Serial0/1
no ip address
shutdown
serial restart-delay 0
no dce-terminal-timing-enable
!
interface Serial0/2
no ip address
shutdown
serial restart-delay 0
no dce-terminal-timing-enable
!
interface Serial0/3
no ip address
shutdown
serial restart-delay 0
no dce-terminal-timing-enable
!
router eigrp 10
network 123.0.0.0
network 150.2.0.0
no auto-summary
!
router ospf 1
log-adjacency-changes
network 123.123.123.2 0.0.0.0 area 0
network 191.2.2.2 0.0.0.0 area 0
!
router rip
version 2
network 2.0.0.0
network 200.0.0.0
no auto-summary
!
ip http server
no ip http secure-server
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
login
!
!
end
R2(config-if)#
R3
R3(config-if)#do wr
Building configuration...
[OK]
R3(config-if)#do sh run
Building configuration...
Current configuration : 2093 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
!
!
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 11
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set DMVPN esp-3des esp-sha-hmac
mode transport
!
crypto ipsec profile DMVPN
set transform-set DMVPN
!
!
!
!
!
interface Tunnel0
ip address 123.123.123.3 255.255.255.0
no ip redirects
ip nhrp authentication cisco
ip nhrp map 123.123.123.1 200.0.0.1
ip nhrp map multicast 200.0.0.1
ip nhrp network-id 123
ip nhrp nhs 123.123.123.1
ip ospf network broadcast
ip ospf priority 0
tunnel source lo0
tunnel mode gre multipoint
tunnel key 123
tunnel protection ipsec profile DMVPN
!
interface Loopback0
ip address 3.3.3.3 255.255.255.255
!
interface Loopback1
ip address 150.3.3.3 255.255.255.255
!
interface Loopback2
ip address 191.3.3.3 255.255.255.255
!
interface Serial0/0
ip address 200.0.0.3 255.255.255.0
encapsulation frame-relay
serial restart-delay 0
no dce-terminal-timing-enable
frame-relay map ip 200.0.0.1 301 broadcast
frame-relay map ip 200.0.0.2 301 broadcast
no frame-relay inverse-arp
!
interface Serial0/1
no ip address
shutdown
serial restart-delay 0
no dce-terminal-timing-enable
!
interface Serial0/2
no ip address
shutdown
serial restart-delay 0
no dce-terminal-timing-enable
!
interface Serial0/3
no ip address
shutdown
serial restart-delay 0
no dce-terminal-timing-enable
!
router eigrp 10
network 123.0.0.0
network 150.3.0.0
no auto-summary
!
router ospf 1
log-adjacency-changes
network 123.123.123.3 0.0.0.0 area 0
network 191.3.3.3 0.0.0.0 area 0
!
router rip
version 2
network 3.0.0.0
network 200.0.0.0
no auto-summary
!
ip http server
no ip http secure-server
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
login
!
!
end
R3(config-if)#
Thanks
On Tue, Dec 22, 2009 at 11:18 AM, Rick Mur <rmur_at_ipexpert.com> wrote:
> Indeed it would be helpful to see the configuration.
>
> Did you configure the tunnel source as Loopback0 and also configure the NHRP map settings on the spokes to the Loopback of the hub?
> Did you also configure a wildcard ISAKMP key or keys for the correct addresses (when using PSK)?
>
> --
> Regards,
>
> Rick Mur
> CCIE2 #21946 (R&S / Service Provider)
> Sr. Support Engineer IPexpert, Inc.
> URL: http://www.IPexpert.com
>
> On 22 dec 2009, at 09:13, Farrukh Haroon wrote:
>
>> Did you define the crypto local-address on all sides?
>>
>> Can you please post your configuration
>>
>> On Tue, Dec 22, 2009 at 10:55 AM, backbone systems <
>> backbone.systems_at_gmail.com> wrote:
>>
>>> Hi,
>>>
>>> I am trying to build a DMVPN tunnel between R1-R2-R3 with R1 as the hub.
>>> When I try to build the tunnel with the tunnel source as loopback 0,
>>> sh cry isa gives me the following error:
>>>
>>> *Mar 1 01:43:57.359: ISAKMP:(0:116:SW:1): IPSec policy invalidated
>>> proposal
>>> *Mar 1 01:43:57.363: ISAKMP:(0:116:SW:1): phase 2 SA policy not
>>> acceptable! (local 200.0.0.1 remote 3.3.3.3)
>>>
>>> My lo0 is advertised to all the peers via RIP, though, and I can
>>> successfully ping it from all routers.
>>>
>>> If I just change the source to my WAN (FR) interface, the tunnel
>>> works fine and I can successfully build the EIGRP and OSPF neighbor
>>> relationships.
>>>
>>> What could be wrong?
>>>
>>> BB
>>>
>>>
>>> Blogs and organic groups at http://www.ccie.net
>>>
>>> _______________________________________________________________________
>>> Subscription information may be found at:
>>> http://www.groupstudy.com/list/CCIELab.html
Received on Tue Dec 22 2009 - 11:25:19 ART
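The check Rick Mur's reply asks about (do the spokes' NHRP maps point at the address the hub actually sources its tunnel from?), written as an added example that is not part of the original thread. The function names and the trimmed config excerpts are constructed for illustration, and a single hub per tunnel is assumed.

```python
import re

# Constructed excerpts of the R1 (hub) and R2 (spoke) configs posted above.
HUB = """interface Tunnel0
tunnel source lo0
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface Serial0/0
ip address 200.0.0.1 255.255.255.0
!
"""
SPOKE = """interface Tunnel0
ip nhrp map 123.123.123.1 200.0.0.1
ip nhrp map multicast 200.0.0.1
ip nhrp nhs 123.123.123.1
tunnel source lo0
!
"""

def interfaces(cfg):
    """Return {interface name: [sub-commands]}; a '!' line closes a section."""
    out, cur = {}, None
    for line in (l.strip() for l in cfg.splitlines()):
        m = re.match(r"interface (\S+)", line)
        if m:
            cur = out.setdefault(m.group(1), [])
        elif line == "!" or not line:
            cur = None
        elif cur is not None:
            cur.append(line)
    return out

def tunnel_source_ip(cfg, tunnel="Tunnel0"):
    """Resolve 'tunnel source' (an IP, or a name such as lo0) to an address."""
    ifs = interfaces(cfg)
    src = next(c.split()[2] for c in ifs[tunnel] if c.startswith("tunnel source "))
    if re.fullmatch(r"[\d.]+", src):
        return src
    kind, unit = re.fullmatch(r"([A-Za-z-]+)([\d/.:]+)", src).groups()
    pattern = re.escape(kind) + r"[A-Za-z-]*" + re.escape(unit)  # lo0 -> Loopback0
    full = next(n for n in ifs if re.fullmatch(pattern, n, re.I))
    return next(c.split()[2] for c in ifs[full] if c.startswith("ip address "))

def nhrp_mismatches(hub_cfg, spoke_cfg, tunnel="Tunnel0"):
    """Spoke 'ip nhrp map' lines whose NBMA address is not the hub's tunnel source."""
    hub_nbma = tunnel_source_ip(hub_cfg, tunnel)
    maps = (re.fullmatch(r"ip nhrp map \S+ (\d+\.\d+\.\d+\.\d+)", c) for c in interfaces(spoke_cfg)[tunnel])
    return [(m.group(0), hub_nbma) for m in maps if m and m.group(1) != hub_nbma]
```

Each returned tuple pairs an offending spoke line with the address the hub uses as its tunnel source.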