Re: DMVPN with loopback as source

From: backbone systems <backbone.systems_at_gmail.com>
Date: Tue, 22 Dec 2009 12:06:49 +0300

Thanks Farrukh.
It worked.

On Tue, Dec 22, 2009 at 11:50 AM, Farrukh Haroon
<farrukhharoon_at_gmail.com> wrote:
> Dear backbone
>
> You have to use the loopback's IP in your map statements on the spokes and
> not 200.0.0.1
>
> ip nhrp map 123.123.123.1 200.0.0.1
>
> Regards
>
> Farrukh
>
> On Tue, Dec 22, 2009 at 11:25 AM, backbone systems
> <backbone.systems_at_gmail.com> wrote:
>>
>> Below is the config,
>>
>>
>> !
>> hostname R1
>> !
>> boot-start-marker
>> boot-end-marker
>> !
>> !
>> no aaa new-model
>> !
>> resource policy
>> !
>> memory-size iomem 5
>> !
>> !
>> ip cef
>> !
>> !
>> !
>> !
>> !
>> !
>> !
>> !
>> !
>> !
>> !
>> !
>> !
>> !
>> !
>> !
>> !
>> !
>> !
>> !
>> crypto isakmp policy 11
>> encr 3des
>> hash md5
>> authentication pre-share
>> group 2
>> crypto isakmp key cisco address 0.0.0.0 0.0.0.0
>> !
>> !
>> crypto ipsec transform-set DMVPN esp-3des esp-sha-hmac
>> mode transport
>> !
>> crypto ipsec profile DMVPN
>> set transform-set DMVPN
>> !
>> !
>> !
>> !
>> !
>> interface Tunnel0
>> ip address 123.123.123.1 255.255.255.0
>> no ip redirects
>> ip nhrp authentication cisco
>> ip nhrp map multicast dynamic
>> ip nhrp network-id 123
>> no ip split-horizon eigrp 10
>> no ip split-horizon
>> ip ospf network broadcast
>> tunnel source lo0
>> tunnel mode gre multipoint
>> tunnel key 123
>> tunnel protection ipsec profile DMVPN
>> !
>> interface Loopback0
>> ip address 1.1.1.1 255.255.255.255
>> !
>> interface Loopback1
>> ip address 150.1.1.1 255.255.255.255
>> !
>> interface Loopback2
>> ip address 191.1.1.1 255.255.255.255
>> !
>> interface Serial0/0
>> ip address 200.0.0.1 255.255.255.0
>> encapsulation frame-relay
>> serial restart-delay 0
>> no dce-terminal-timing-enable
>> frame-relay map ip 200.0.0.2 102 broadcast
>> frame-relay map ip 200.0.0.3 103 broadcast
>> no frame-relay inverse-arp
>> !
>> interface Serial0/1
>> no ip address
>> shutdown
>> serial restart-delay 0
>> no dce-terminal-timing-enable
>> !
>> interface Serial0/2
>> no ip address
>> shutdown
>> serial restart-delay 0
>> no dce-terminal-timing-enable
>> !
>> interface Serial0/3
>> no ip address
>> shutdown
>> serial restart-delay 0
>> no dce-terminal-timing-enable
>> !
>> router eigrp 10
>> network 123.0.0.0
>> network 150.1.0.0
>> no auto-summary
>> !
>> router ospf 1
>> log-adjacency-changes
>> network 123.123.123.1 0.0.0.0 area 0
>> network 191.1.1.1 0.0.0.0 area 0
>> !
>> router rip
>> version 2
>> network 1.0.0.0
>> network 200.0.0.0
>> no auto-summary
>> !
>> ip http server
>> no ip http secure-server
>> !
>> !
>> !
>> !
>> !
>> !
>> control-plane
>> !
>> !
>> !
>> !
>> !
>> !
>> !
>> !
>> !
>> !
>> line con 0
>> exec-timeout 0 0
>> line aux 0
>> line vty 0 4
>> login
>> !
>> !
>> end
>>
>> R2
>>
>>
>> R2(config-if)#do sh run
>> Building configuration...
>>
>> Current configuration : 2093 bytes
>> !
>> version 12.4
>> service timestamps debug datetime msec
>> service timestamps log datetime msec
>> no service password-encryption
>> !
>> hostname R2
>> !
>> boot-start-marker
>> boot-end-marker
>> !
>> !
>> no aaa new-model
>> !
>> resource policy
>> !
>> memory-size iomem 5
>> !
>> !
>> ip cef
>> !
>> !
>> !
>> !
>> !
>> !
>> !
>> !
>> !
>> !
>> !
>> !
>> !
>> !
>> !
>> !
>> !
>> !
>> !
>> !
>> crypto isakmp policy 11
>> encr 3des
>> hash md5
>> authentication pre-share
>> group 2
>> crypto isakmp key cisco address 0.0.0.0 0.0.0.0
>> !
>> !
>> crypto ipsec transform-set DMVPN esp-3des esp-sha-hmac
>> mode transport
>> !
>> crypto ipsec profile DMVPN
>> set transform-set DMVPN
>> !
>> !
>> !
>> !
>> !
>> interface Tunnel0
>> ip address 123.123.123.2 255.255.255.0
>> no ip redirects
>> ip nhrp authentication cisco
>> ip nhrp map 123.123.123.1 200.0.0.1
>> ip nhrp map multicast 200.0.0.1
>> ip nhrp network-id 123
>> ip nhrp nhs 123.123.123.1
>> ip ospf network broadcast
>> ip ospf priority 0
>> tunnel source lo0
>> tunnel mode gre multipoint
>> tunnel key 123
>> tunnel protection ipsec profile DMVPN
>> !
>> interface Loopback0
>> ip address 2.2.2.2 255.255.255.255
>> !
>> interface Loopback1
>> ip address 150.2.2.2 255.255.255.255
>> !
>> interface Loopback2
>> ip address 191.2.2.2 255.255.255.255
>> !
>> interface Serial0/0
>> ip address 200.0.0.2 255.255.255.0
>> encapsulation frame-relay
>> serial restart-delay 0
>> no dce-terminal-timing-enable
>> frame-relay map ip 200.0.0.1 201 broadcast
>> frame-relay map ip 200.0.0.3 201 broadcast
>> no frame-relay inverse-arp
>> !
>> interface Serial0/1
>> no ip address
>> shutdown
>> serial restart-delay 0
>> no dce-terminal-timing-enable
>> !
>> interface Serial0/2
>> no ip address
>> shutdown
>> serial restart-delay 0
>> no dce-terminal-timing-enable
>> !
>> interface Serial0/3
>> no ip address
>> shutdown
>> serial restart-delay 0
>> no dce-terminal-timing-enable
>> !
>> router eigrp 10
>> network 123.0.0.0
>> network 150.2.0.0
>> no auto-summary
>> !
>> router ospf 1
>> log-adjacency-changes
>> network 123.123.123.2 0.0.0.0 area 0
>> network 191.2.2.2 0.0.0.0 area 0
>> !
>> router rip
>> version 2
>> network 2.0.0.0
>> network 200.0.0.0
>> no auto-summary
>> !
>> ip http server
>> no ip http secure-server
>> !
>> !
>> !
>> !
>> !
>> !
>> control-plane
>> !
>> !
>> !
>> !
>> !
>> !
>> !
>> !
>> !
>> !
>> line con 0
>> exec-timeout 0 0
>> line aux 0
>> line vty 0 4
>> login
>> !
>> !
>> end
>>
>> R2(config-if)#
>>
>>
>> R3
>>
>> R3(config-if)#do wr
>> Building configuration...
>> [OK]
>> R3(config-if)#do sh run
>> Building configuration...
>>
>> Current configuration : 2093 bytes
>> !
>> version 12.4
>> service timestamps debug datetime msec
>> service timestamps log datetime msec
>> no service password-encryption
>> !
>> hostname R3
>> !
>> boot-start-marker
>> boot-end-marker
>> !
>> !
>> no aaa new-model
>> !
>> resource policy
>> !
>> memory-size iomem 5
>> !
>> !
>> ip cef
>> !
>> !
>> !
>> !
>> !
>> !
>> !
>> !
>> !
>> !
>> !
>> !
>> !
>> !
>> !
>> !
>> !
>> !
>> !
>> !
>> crypto isakmp policy 11
>> encr 3des
>> hash md5
>> authentication pre-share
>> group 2
>> crypto isakmp key cisco address 0.0.0.0 0.0.0.0
>> !
>> !
>> crypto ipsec transform-set DMVPN esp-3des esp-sha-hmac
>> mode transport
>> !
>> crypto ipsec profile DMVPN
>> set transform-set DMVPN
>> !
>> !
>> !
>> !
>> !
>> interface Tunnel0
>> ip address 123.123.123.3 255.255.255.0
>> no ip redirects
>> ip nhrp authentication cisco
>> ip nhrp map 123.123.123.1 200.0.0.1
>> ip nhrp map multicast 200.0.0.1
>> ip nhrp network-id 123
>> ip nhrp nhs 123.123.123.1
>> ip ospf network broadcast
>> ip ospf priority 0
>> tunnel source lo0
>> tunnel mode gre multipoint
>> tunnel key 123
>> tunnel protection ipsec profile DMVPN
>> !
>> interface Loopback0
>> ip address 3.3.3.3 255.255.255.255
>> !
>> interface Loopback1
>> ip address 150.3.3.3 255.255.255.255
>> !
>> interface Loopback2
>> ip address 191.3.3.3 255.255.255.255
>> !
>> interface Serial0/0
>> ip address 200.0.0.3 255.255.255.0
>> encapsulation frame-relay
>> serial restart-delay 0
>> no dce-terminal-timing-enable
>> frame-relay map ip 200.0.0.1 301 broadcast
>> frame-relay map ip 200.0.0.2 301 broadcast
>> no frame-relay inverse-arp
>> !
>> interface Serial0/1
>> no ip address
>> shutdown
>> serial restart-delay 0
>> no dce-terminal-timing-enable
>> !
>> interface Serial0/2
>> no ip address
>> shutdown
>> serial restart-delay 0
>> no dce-terminal-timing-enable
>> !
>> interface Serial0/3
>> no ip address
>> shutdown
>> serial restart-delay 0
>> no dce-terminal-timing-enable
>> !
>> router eigrp 10
>> network 123.0.0.0
>> network 150.3.0.0
>> no auto-summary
>> !
>> router ospf 1
>> log-adjacency-changes
>> network 123.123.123.3 0.0.0.0 area 0
>> network 191.3.3.3 0.0.0.0 area 0
>> !
>> router rip
>> version 2
>> network 3.0.0.0
>> network 200.0.0.0
>> no auto-summary
>> !
>> ip http server
>> no ip http secure-server
>> !
>> !
>> !
>> !
>> !
>> !
>> control-plane
>> !
>> !
>> !
>> !
>> !
>> !
>> !
>> !
>> !
>> !
>> line con 0
>> exec-timeout 0 0
>> line aux 0
>> line vty 0 4
>> login
>> !
>> !
>> end
>>
>> R3(config-if)#
>>
>> Thanks
>>
>> On Tue, Dec 22, 2009 at 11:18 AM, Rick Mur <rmur_at_ipexpert.com> wrote:
>> > Indeed it would be helpful to see the configuration.
>> >
>> > Did you configure the tunnel source as Loopback0 and also configure the
>> > NHRP map settings on the spokes to the Loopback of the hub?
>> > Did you also configure a wildcard ISAKMP key or keys for the correct
>> > addresses (when using PSK)?
>> >
>> > --
>> > Regards,
>> >
>> > Rick Mur
>> > CCIE2 #21946 (R&S / Service Provider)
>> > Sr. Support Engineer  IPexpert, Inc.
>> > URL: http://www.IPexpert.com
>> >
>> > On 22 dec 2009, at 09:13, Farrukh Haroon wrote:
>> >
>> >> Did you define the crypto local-address on all sides?
>> >>
>> >> Can you please post your configuration
>> >>
>> >> On Tue, Dec 22, 2009 at 10:55 AM, backbone systems <
>> >> backbone.systems_at_gmail.com> wrote:
>> >>
>> >>> Hi,
>> >>>
>> >>> I am trying to build a DMVPN tunnel bw R1-R2-R3 with R1 as HUB.
>> >>> When I try to build the tunnel with tunnel source as loopback 0
>> >>> .......the sh cry isa gives me the following error....
>> >>>
>> >>> *Mar 1 01:43:57.359: ISAKMP:(0:116:SW:1): IPSec policy invalidated
>> >>> proposal
>> >>> *Mar 1 01:43:57.363: ISAKMP:(0:116:SW:1): phase 2 SA policy not
>> >>> acceptable! (local 200.0.0.1 remote 3.3.3.3)
>> >>>
>> >>> though my lo0 is advertised to all the peers via RIP and I can
>> >>> successfully ping it from all routers.
>> >>>
>> >>> If I just change the source to my WAN(FR) interface ....the tunnel
>> >>> works fine and I can successfully build the eigrp and ospf nei
>> >>> relationships......
>> >>>
>> >>> What could be wrong?
>> >>>
>> >>> BB
>> >>>
>> >>>
>> >>> Blogs and organic groups at http://www.ccie.net
>> >>>
>> >>>
>> >>> _______________________________________________________________________
>> >>> Subscription information may be found at:
>> >>> http://www.groupstudy.com/list/CCIELab.html
>> >>

Received on Tue Dec 22 2009 - 12:06:49 ART
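
Added example, not part of the original thread: a small Python check for the mismatch resolved above, where the spokes' NHRP map statements pointed at the hub's Serial0/0 address while the hub's tunnel was sourced from Loopback0. The config excerpts are constructed from the configs quoted in the thread, and the function names (norm, interfaces, hub_nbma, stale_maps) are hypothetical.

```python
import re

# Constructed excerpts of the R1 (hub) and R2 (spoke) configs quoted in the thread.
HUB = """\
interface Tunnel0
 tunnel source lo0
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
interface Serial0/0
 ip address 200.0.0.1 255.255.255.0
"""
SPOKE_BEFORE = """\
interface Tunnel0
 ip nhrp map 123.123.123.1 200.0.0.1
 ip nhrp map multicast 200.0.0.1
 ip nhrp nhs 123.123.123.1
"""
SPOKE_AFTER = SPOKE_BEFORE.replace("200.0.0.1", "1.1.1.1")  # fix from the thread

def norm(name):
    """Lowercase an interface name and expand the 'lo0' abbreviation."""
    return re.sub(r"^lo(opback)?(?=\d)", "loopback", name.lower())

def interfaces(cfg):
    """Return {interface name: [config lines]}; '!' or a blank line ends a section."""
    out, cur = {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = out.setdefault(norm(line.split()[1]), [])
        elif line in ("", "!"):
            cur = None
        elif cur is not None:
            cur.append(line)
    return out

def hub_nbma(hub_cfg):
    """IP address of the interface named in the hub's 'tunnel source'."""
    ifs = interfaces(hub_cfg)
    src = next(ln.split()[2] for ln in ifs["tunnel0"] if ln.startswith("tunnel source "))
    return next(ln.split()[2] for ln in ifs[norm(src)] if ln.startswith("ip address "))

def stale_maps(spoke_cfg, nbma):
    """Spoke 'ip nhrp map' lines whose NBMA address differs from the hub's."""
    maps = [ln for ln in interfaces(spoke_cfg)["tunnel0"] if ln.startswith("ip nhrp map ")]
    return [ln for ln in maps if ln.split()[-1] not in (nbma, "dynamic")]

if __name__ == "__main__":
    print(stale_maps(SPOKE_BEFORE, hub_nbma(HUB)))
```

Run against the spoke config as originally posted, it reports both map lines; after the change to the hub's loopback address it reports none.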

This archive was generated by hypermail 2.2.0 : Sat Jan 02 2010 - 11:11:08 ART