HELP. DMVPN - NHRP dynamic spoke problem

Discussion in 'Cisco' started by Dan Murray, Jun 2, 2008.

    Dan Murray (Guest) wrote:

    1. Hub site tunnel will not come up.
    2. NHRP does not come up at hub (probably due to 1)
    3. OSPF not learning routes (see 1 and 2)

    Followed DocID 41940 to the letter. Also reviewed 43068. I'm sure I'm
    missing something simple like a proper access list application, but darned
    if I have been able to find it.

    At the hub, I have the following:

    crypto isakmp policy 1
    authentication pre-share
    crypto isakmp key IsaKMP-Key address 0.0.0.0 0.0.0.0
    !
    !
    crypto ipsec transform-set TRANS-FIPS esp-aes esp-md5-hmac
    mode transport
    !
    crypto ipsec profile vpnprof
    set transform-set TRANS-FIPS
    !
    interface FastEthernet0
    description XXXXXXXXXX
    bandwidth 3000
    ip address A.B.C.D 255.255.255.240
    ip access-group ACL-From-ISP in
    ip nat outside
    ip virtual-reassembly
    no ip route-cache cef
    no ip route-cache
    no ip mroute-cache
    speed auto
    full-duplex
    !

    interface Tunnel0
    bandwidth 1000
    ip address 192.168.252.1 255.255.255.0
    ip mtu 1400
    ip nhrp authentication NHRP_KEY
    ip nhrp map multicast dynamic
    ip nhrp network-id 100000
    ip nhrp holdtime 600
    ip ospf network broadcast
    ip ospf priority 2
    delay 1000
    tunnel source Ethernet0
    tunnel mode gre multipoint
    tunnel key 100000
    tunnel protection ipsec profile vpnprof

    router ospf 1
    network 192.168.252.0 0.0.0.255 area 0
    network 192.168.200.0 0.0.0.255 area 0
    !
    ip access-list extended ACL-From-ISP
    remark Defines what UNSOLICITED Traffic
    remark (applies to traffic coming IN to the interface from ISP)
    remark coming IN from the Internet is allowed
    permit icmp any any echo log-input
    permit icmp any any echo-reply log-input
    permit icmp any any traceroute
    permit gre any any log-input
    permit esp any any log-input
    permit tcp any any eq 22 log-input
    permit tcp any any eq 443 log-input
    permit udp any any eq domain log-input
    permit ip any any


    At the spoke (3) I have:

    crypto isakmp policy 1
    authentication pre-share
    crypto isakmp key IsaKMP-Key address 0.0.0.0 0.0.0.0
    !
    !
    crypto ipsec transform-set TRANS-FIPS esp-aes esp-md5-hmac
    mode transport
    !
    crypto ipsec profile vpnprof
    set transform-set TRANS-FIPS
    !
    interface FastEthernet1
    description ########
    bandwidth 1544
    ip address e.f.g.h 255.255.255.224
    ip access-group ACL-From-ISP in
    ip flow ingress
    ip flow egress
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    !
    interface Tunnel0
    bandwidth 1000
    ip address 192.168.252.3 255.255.255.0
    no ip redirects
    ip mtu 1400
    ip nhrp authentication NHRP_KEY
    ip nhrp map multicast A.B.C.D
    ip nhrp map 192.168.252.1 68.225.80.199
    ip nhrp network-id 100000
    ip nhrp holdtime 300
    ip nhrp nhs 192.168.252.1
    ip ospf network broadcast
    ip ospf priority 0
    delay 1000
    tunnel source FastEthernet1
    tunnel mode gre multipoint
    tunnel key 100000
    tunnel protection ipsec profile vpnprof

    !
    ip access-list extended ACL-From-ISP
    remark Defines what UNSOLICITED Traffic
    remark (applies to traffic coming IN to the interface from ISP)
    remark coming IN from the Internet is allowed
    permit icmp any any echo log-input
    permit icmp any any echo-reply log-input
    permit icmp any any traceroute
    permit gre any any log-input
    permit esp any any log-input
    permit tcp any any eq 22 log-input
    permit tcp any any eq 443 log-input
    permit udp any any eq domain log-input
    permit ip any any
     
    Dan Murray, Jun 2, 2008
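Before going to debugs, the parameters that must agree between a DMVPN hub and spoke can be checked mechanically. The following Python script is an added example, not part of the thread: it parses IOS-style interface blocks from constructed hub and spoke excerpts modelled on the configs above (placeholder NBMA addresses), confirms that `tunnel key` and `ip nhrp authentication` match, that the hub's `tunnel source` names a configured interface, and that the spoke's static NHRP map for its NHS points at the address on that hub interface.

```python
# Constructed excerpts modelled on the thread's hub and spoke (placeholder NBMA addresses).
HUB = """interface FastEthernet0
 ip address 198.51.100.10 255.255.255.240
interface Tunnel0
 ip nhrp authentication NHRP_KEY
 tunnel source Ethernet0
 tunnel key 100000"""
SPOKE = """interface FastEthernet1
 ip address 203.0.113.20 255.255.255.224
interface Tunnel0
 ip nhrp authentication NHRP_KEY
 ip nhrp map 192.168.252.1 198.51.100.10
 ip nhrp nhs 192.168.252.1
 tunnel source FastEthernet1
 tunnel key 100000"""

def parse_interfaces(cfg):
    """Map each 'interface X' block to its indented command lines."""
    ifaces, cur = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            cur = line.split()[1]
            ifaces[cur] = []
        elif cur is not None and line.startswith(" "):
            ifaces[cur].append(line.strip())
    return ifaces

def setting(lines, prefix):
    """Value following `prefix` on the first matching line, or None."""
    return next((l[len(prefix):].strip() for l in lines if l.startswith(prefix)), None)

def check_dmvpn(hub_cfg, spoke_cfg):
    """Return findings that would stop the spoke registering with the hub over NHRP."""
    hub, spoke = parse_interfaces(hub_cfg), parse_interfaces(spoke_cfg)
    h, s = hub["Tunnel0"], spoke["Tunnel0"]
    findings = []
    # GRE tunnel key and NHRP authentication string must agree on both ends.
    for key in ("tunnel key ", "ip nhrp authentication "):
        if setting(h, key) != setting(s, key):
            findings.append("mismatch: " + key.strip())
    # The hub's tunnel source must be a configured interface carrying the NBMA address.
    src = setting(h, "tunnel source ")
    if src not in hub:
        findings.append(f"hub tunnel source {src} is not a configured interface")
    else:
        hub_nbma = setting(hub[src], "ip address ").split()[0]
        nhs = setting(s, "ip nhrp nhs ")
        if setting(s, f"ip nhrp map {nhs} ") != hub_nbma:
            findings.append("spoke NHS map does not point at hub's tunnel source address")
    return findings
```

Run as `print(check_dmvpn(HUB, SPOKE))`; with the constructed excerpts it flags that the hub's tunnel source names an interface that is not in the hub config.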

    Andrew Lutov (Guest) wrote:

    Hello, Dan!
    You wrote on Mon, 2 Jun 2008 10:58:06 -0400:

    DM> Followed DocID 41940 to the letter. also reviewed 43068. I'm sure
    DM> I'm missing something simple like a proper access list application, but
    DM> darned if I have been able to find it.

    DM> At the hub, I have the following:

    DM> crypto isakmp policy 1
    DM> authentication pre-share
    DM> crypto isakmp key IsaKMP-Key address 0.0.0.0 0.0.0.0

    crypto isakmp identity hostname

    DM> !
    DM> !
    DM> crypto ipsec transform-set TRANS-FIPS esp-aes esp-md5-hmac
    DM> mode transport
    DM> !
    DM> crypto ipsec profile vpnprof
    DM> set transform-set TRANS-FIPS
    DM> !
    DM> interface FastEthernet0
    DM> description XXXXXXXXXX
    DM> bandwidth 3000
    DM> ip address A.B.C.D 255.255.255.240
    DM> ip access-group ACL-From-ISP in
    DM> ip nat outside
    DM> ip virtual-reassembly
    DM> no ip route-cache cef
    DM> no ip route-cache
    DM> no ip mroute-cache
    DM> speed auto
    DM> full-duplex
    DM> !

    DM> interface Tunnel0
    DM> bandwidth 1000
    DM> ip address 192.168.252.1 255.255.255.0
    DM> ip mtu 1400
    DM> ip nhrp authentication NHRP_KEY
    DM> ip nhrp map multicast dynamic
    DM> ip nhrp network-id 100000
    DM> ip nhrp holdtime 600
    DM> ip ospf network broadcast
    DM> ip ospf priority 2
    DM> delay 1000
    DM> tunnel source Ethernet0
    DM> tunnel mode gre multipoint
    DM> tunnel key 100000
    DM> tunnel protection ipsec profile vpnprof

    DM> router ospf 1
    DM> network 192.168.252.0 0.0.0.255 area 0
    DM> network 192.168.200.0 0.0.0.255 area 0
    DM> !
    DM> ip access-list extended ACL-From-ISP
    DM> remark Defines what UNSOLICITED Traffic
    DM> remark (applies to traffic coming IN to the interface from ISP)
    DM> remark coming IN from the Internet is allowed
    DM> permit icmp any any echo log-input
    DM> permit icmp any any echo-reply log-input
    DM> permit icmp any any traceroute
    DM> permit gre any any log-input
    DM> permit esp any any log-input
    DM> permit tcp any any eq 22 log-input
    DM> permit tcp any any eq 443 log-input
    DM> permit udp any any eq domain log-input
    DM> permit ip any any

    DM> At the spoke (3) I have:

    DM> crypto isakmp policy 1
    DM> authentication pre-share
    DM> crypto isakmp key IsaKMP-Key address 0.0.0.0 0.0.0.0

    crypto isakmp identity hostname

    DM> !
    DM> !
    DM> crypto ipsec transform-set TRANS-FIPS esp-aes esp-md5-hmac
    DM> mode transport
    DM> !
    DM> crypto ipsec profile vpnprof
    DM> set transform-set TRANS-FIPS
    DM> !
    DM> interface FastEthernet1
    DM> description ########
    DM> bandwidth 1544
    DM> ip address e.f.g.h 255.255.255.224
    DM> ip access-group ACL-From-ISP in
    DM> ip flow ingress
    DM> ip flow egress
    DM> ip nat outside
    DM> ip virtual-reassembly
    DM> duplex auto
    DM> speed auto
    DM> !
    DM> interface Tunnel0
    DM> bandwidth 1000
    DM> ip address 192.168.252.3 255.255.255.0
    DM> no ip redirects
    DM> ip mtu 1400
    DM> ip nhrp authentication NHRP_KEY
    DM> ip nhrp map multicast A.B.C.D
    DM> ip nhrp map 192.168.252.1 68.225.80.199
    DM> ip nhrp network-id 100000
    DM> ip nhrp holdtime 300
    DM> ip nhrp nhs 192.168.252.1
    DM> ip ospf network broadcast
    DM> ip ospf priority 0
    DM> delay 1000
    DM> tunnel source FastEthernet1
    DM> tunnel mode gre multipoint
    DM> tunnel key 100000
    DM> tunnel protection ipsec profile vpnprof


    With best regards, Andrew Lutov.
     
    Andrew Lutov, Jun 3, 2008
