Dear backbone
You have to use the loopback's IP in your map statements on the spokes and
not 200.0.0.1
ip nhrp map 123.123.123.1 200.0.0.1
Regards
Farrukh
On Tue, Dec 22, 2009 at 11:25 AM, backbone systems <
backbone.systems_at_gmail.com> wrote:
> Below is the config,
>
>
> !
> hostname R1
> !
> boot-start-marker
> boot-end-marker
> !
> !
> no aaa new-model
> !
> resource policy
> !
> memory-size iomem 5
> !
> !
> ip cef
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> crypto isakmp policy 11
> encr 3des
> hash md5
> authentication pre-share
> group 2
> crypto isakmp key cisco address 0.0.0.0 0.0.0.0
> !
> !
> crypto ipsec transform-set DMVPN esp-3des esp-sha-hmac
> mode transport
> !
> crypto ipsec profile DMVPN
> set transform-set DMVPN
> !
> !
> !
> !
> !
> interface Tunnel0
> ip address 123.123.123.1 255.255.255.0
> no ip redirects
> ip nhrp authentication cisco
> ip nhrp map multicast dynamic
> ip nhrp network-id 123
> no ip split-horizon eigrp 10
> no ip split-horizon
> ip ospf network broadcast
> tunnel source lo0
> tunnel mode gre multipoint
> tunnel key 123
> tunnel protection ipsec profile DMVPN
> !
> interface Loopback0
> ip address 1.1.1.1 255.255.255.255
> !
> interface Loopback1
> ip address 150.1.1.1 255.255.255.255
> !
> interface Loopback2
> ip address 191.1.1.1 255.255.255.255
> !
> interface Serial0/0
> ip address 200.0.0.1 255.255.255.0
> encapsulation frame-relay
> serial restart-delay 0
> no dce-terminal-timing-enable
> frame-relay map ip 200.0.0.2 102 broadcast
> frame-relay map ip 200.0.0.3 103 broadcast
> no frame-relay inverse-arp
> !
> interface Serial0/1
> no ip address
> shutdown
> serial restart-delay 0
> no dce-terminal-timing-enable
> !
> interface Serial0/2
> no ip address
> shutdown
> serial restart-delay 0
> no dce-terminal-timing-enable
> !
> interface Serial0/3
> no ip address
> shutdown
> serial restart-delay 0
> no dce-terminal-timing-enable
> !
> router eigrp 10
> network 123.0.0.0
> network 150.1.0.0
> no auto-summary
> !
> router ospf 1
> log-adjacency-changes
> network 123.123.123.1 0.0.0.0 area 0
> network 191.1.1.1 0.0.0.0 area 0
> !
> router rip
> version 2
> network 1.0.0.0
> network 200.0.0.0
> no auto-summary
> !
> ip http server
> no ip http secure-server
> !
> !
> !
> !
> !
> !
> control-plane
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> line con 0
> exec-timeout 0 0
> line aux 0
> line vty 0 4
> login
> !
> !
> end
>
> R2
>
>
> R2(config-if)#do sh run
> Building configuration...
>
> Current configuration : 2093 bytes
> !
> version 12.4
> service timestamps debug datetime msec
> service timestamps log datetime msec
> no service password-encryption
> !
> hostname R2
> !
> boot-start-marker
> boot-end-marker
> !
> !
> no aaa new-model
> !
> resource policy
> !
> memory-size iomem 5
> !
> !
> ip cef
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> crypto isakmp policy 11
> encr 3des
> hash md5
> authentication pre-share
> group 2
> crypto isakmp key cisco address 0.0.0.0 0.0.0.0
> !
> !
> crypto ipsec transform-set DMVPN esp-3des esp-sha-hmac
> mode transport
> !
> crypto ipsec profile DMVPN
> set transform-set DMVPN
> !
> !
> !
> !
> !
> interface Tunnel0
> ip address 123.123.123.2 255.255.255.0
> no ip redirects
> ip nhrp authentication cisco
> ip nhrp map 123.123.123.1 200.0.0.1
> ip nhrp map multicast 200.0.0.1
> ip nhrp network-id 123
> ip nhrp nhs 123.123.123.1
> ip ospf network broadcast
> ip ospf priority 0
> tunnel source lo0
> tunnel mode gre multipoint
> tunnel key 123
> tunnel protection ipsec profile DMVPN
> !
> interface Loopback0
> ip address 2.2.2.2 255.255.255.255
> !
> interface Loopback1
> ip address 150.2.2.2 255.255.255.255
> !
> interface Loopback2
> ip address 191.2.2.2 255.255.255.255
> !
> interface Serial0/0
> ip address 200.0.0.2 255.255.255.0
> encapsulation frame-relay
> serial restart-delay 0
> no dce-terminal-timing-enable
> frame-relay map ip 200.0.0.1 201 broadcast
> frame-relay map ip 200.0.0.3 201 broadcast
> no frame-relay inverse-arp
> !
> interface Serial0/1
> no ip address
> shutdown
> serial restart-delay 0
> no dce-terminal-timing-enable
> !
> interface Serial0/2
> no ip address
> shutdown
> serial restart-delay 0
> no dce-terminal-timing-enable
> !
> interface Serial0/3
> no ip address
> shutdown
> serial restart-delay 0
> no dce-terminal-timing-enable
> !
> router eigrp 10
> network 123.0.0.0
> network 150.2.0.0
> no auto-summary
> !
> router ospf 1
> log-adjacency-changes
> network 123.123.123.2 0.0.0.0 area 0
> network 191.2.2.2 0.0.0.0 area 0
> !
> router rip
> version 2
> network 2.0.0.0
> network 200.0.0.0
> no auto-summary
> !
> ip http server
> no ip http secure-server
> !
> !
> !
> !
> !
> !
> control-plane
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> line con 0
> exec-timeout 0 0
> line aux 0
> line vty 0 4
> login
> !
> !
> end
>
> R2(config-if)#
>
>
> R3
>
> R3(config-if)#do wr
> Building configuration...
> [OK]
> R3(config-if)#do sh run
> Building configuration...
>
> Current configuration : 2093 bytes
> !
> version 12.4
> service timestamps debug datetime msec
> service timestamps log datetime msec
> no service password-encryption
> !
> hostname R3
> !
> boot-start-marker
> boot-end-marker
> !
> !
> no aaa new-model
> !
> resource policy
> !
> memory-size iomem 5
> !
> !
> ip cef
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> crypto isakmp policy 11
> encr 3des
> hash md5
> authentication pre-share
> group 2
> crypto isakmp key cisco address 0.0.0.0 0.0.0.0
> !
> !
> crypto ipsec transform-set DMVPN esp-3des esp-sha-hmac
> mode transport
> !
> crypto ipsec profile DMVPN
> set transform-set DMVPN
> !
> !
> !
> !
> !
> interface Tunnel0
> ip address 123.123.123.3 255.255.255.0
> no ip redirects
> ip nhrp authentication cisco
> ip nhrp map 123.123.123.1 200.0.0.1
> ip nhrp map multicast 200.0.0.1
> ip nhrp network-id 123
> ip nhrp nhs 123.123.123.1
> ip ospf network broadcast
> ip ospf priority 0
> tunnel source lo0
> tunnel mode gre multipoint
> tunnel key 123
> tunnel protection ipsec profile DMVPN
> !
> interface Loopback0
> ip address 3.3.3.3 255.255.255.255
> !
> interface Loopback1
> ip address 150.3.3.3 255.255.255.255
> !
> interface Loopback2
> ip address 191.3.3.3 255.255.255.255
> !
> interface Serial0/0
> ip address 200.0.0.3 255.255.255.0
> encapsulation frame-relay
> serial restart-delay 0
> no dce-terminal-timing-enable
> frame-relay map ip 200.0.0.1 301 broadcast
> frame-relay map ip 200.0.0.2 301 broadcast
> no frame-relay inverse-arp
> !
> interface Serial0/1
> no ip address
> shutdown
> serial restart-delay 0
> no dce-terminal-timing-enable
> !
> interface Serial0/2
> no ip address
> shutdown
> serial restart-delay 0
> no dce-terminal-timing-enable
> !
> interface Serial0/3
> no ip address
> shutdown
> serial restart-delay 0
> no dce-terminal-timing-enable
> !
> router eigrp 10
> network 123.0.0.0
> network 150.3.0.0
> no auto-summary
> !
> router ospf 1
> log-adjacency-changes
> network 123.123.123.3 0.0.0.0 area 0
> network 191.3.3.3 0.0.0.0 area 0
> !
> router rip
> version 2
> network 3.0.0.0
> network 200.0.0.0
> no auto-summary
> !
> ip http server
> no ip http secure-server
> !
> !
> !
> !
> !
> !
> control-plane
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> line con 0
> exec-timeout 0 0
> line aux 0
> line vty 0 4
> login
> !
> !
> end
>
> R3(config-if)#
>
> Thanks
>
> On Tue, Dec 22, 2009 at 11:18 AM, Rick Mur <rmur_at_ipexpert.com> wrote:
> > Indeed it would be helpful to see the configuration.
> >
> > Did you configure the tunnel source as Loopback0 and also configure the
> > NHRP map settings on the spokes to the Loopback of the hub?
> > Did you also configure a wildcard ISAKMP key or keys for the correct
> > addresses (when using PSK)?
> >
> > --
> > Regards,
> >
> > Rick Mur
> > CCIE2 #21946 (R&S / Service Provider)
> > Sr. Support Engineer IPexpert, Inc.
> > URL: http://www.IPexpert.com <http://www.ipexpert.com/>
> >
> > On 22 dec 2009, at 09:13, Farrukh Haroon wrote:
> >
> >> Did you define the crypto local-address on all sides?
> >>
> >> Can you please post your configuration
> >>
> >> On Tue, Dec 22, 2009 at 10:55 AM, backbone systems <
> >> backbone.systems_at_gmail.com> wrote:
> >>
> >>> Hi,
> >>>
> >>> I am trying to build a DMVPN tunnel bw R1-R2-R3 with R1 as HUB.
> >>> When I try to build the tunnel with tunnel source as loopback 0
> >>> .......the sh cry isa gives me the following error....
> >>>
> >>> *Mar 1 01:43:57.359: ISAKMP:(0:116:SW:1): IPSec policy invalidated
> >>> proposal
> >>> *Mar 1 01:43:57.363: ISAKMP:(0:116:SW:1): phase 2 SA policy not
> >>> acceptable! (local 200.0.0.1 remote 3.3.3.3)
> >>>
> >>> though my lo0 is advertised to all the peers via RIP and I can
> >>> successfully ping it from all routers.
> >>>
> >>> If I just change the source to my WAN(FR) interface ....the tunnel
> >>> works fine and I can successfully build the eigrp and ospf nei
> >>> relationships......
> >>>
> >>> What could be wrong?
> >>>
> >>> BB
> >>>
> >>>
> >>> Blogs and organic groups at http://www.ccie.net
> >>>
> >>> _______________________________________________________________________
> >>> Subscription information may be found at:
> >>> http://www.groupstudy.com/list/CCIELab.html
> >>
> >>
Received on Tue Dec 22 2009 - 11:50:41 ART
This archive was generated by hypermail 2.2.0 : Sat Jan 02 2010 - 11:11:08 ART
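
The check Farrukh's reply describes, as an added example that is not part of the original thread: it resolves the hub's `tunnel source` to an address and flags spoke `ip nhrp map` lines that point at any other NBMA address. The config excerpts are constructed from the R1 and R2 configs quoted above, and the function names are hypothetical.

```python
import re

# Constructed excerpts, reduced from the R1 (hub) and R2 (spoke) configs quoted above.
HUB = """interface Tunnel0
 ip address 123.123.123.1 255.255.255.0
 tunnel source lo0
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
interface Serial0/0
 ip address 200.0.0.1 255.255.255.0
"""
SPOKE = """interface Tunnel0
 ip nhrp map 123.123.123.1 200.0.0.1
 ip nhrp map multicast 200.0.0.1
 ip nhrp nhs 123.123.123.1
"""

def interfaces(config):
    """Return {interface name: [indented sub-commands]}."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = blocks.setdefault(line.split()[1], [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None
    return blocks

def first_arg(lines, prefix):
    return next(l[len(prefix):].split()[0] for l in lines if l.startswith(prefix))

def tunnel_source_ip(blocks, tunnel="Tunnel0"):
    """Resolve `tunnel source` (an IP, or a name such as lo0) to the NBMA address."""
    src = first_arg(blocks[tunnel], "tunnel source ")
    if re.fullmatch(r"[\d.]+", src):
        return src
    kind, unit = re.fullmatch(r"(\D+)(\d.*)", src).groups()
    for name, lines in blocks.items():
        full, n = re.fullmatch(r"(\D+)(\d.*)", name).groups()
        if n == unit and full.lower().startswith(kind.lower()):
            return first_arg(lines, "ip address ")
    raise ValueError(f"tunnel source {src} not found")

def stale_nhrp_maps(hub_cfg, spoke_cfg):
    """Spoke NHRP maps for the hub that do not point at the hub's tunnel source."""
    hub = interfaces(hub_cfg)
    nbma, hub_tun = tunnel_source_ip(hub), first_arg(hub["Tunnel0"], "ip address ")
    pat = rf"ip nhrp map ({re.escape(hub_tun)}|multicast) (?!{re.escape(nbma)}$|dynamic$)(\S+)"
    return [(l, nbma) for l in interfaces(spoke_cfg)["Tunnel0"] if re.fullmatch(pat, l)]
```

Each returned pair is the offending spoke line and the NBMA address it should carry; with the hub sourced from Serial0/0 instead, the same spoke lines pass.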