Maybe try to put in an ACL, or you could use netflow for this as well...

ip access-list extended check_packets_in
 ! hit counters on these entries ("show ip access-lists check_packets_in") show whether ESP and ISAKMP actually arrive
 permit esp any any
 permit udp any eq isakmp any eq isakmp
 permit ip any any
!
interface Dialer1
 ip access-group check_packets_in in
To see if ESP is coming in to your spoke router.

-Luan

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Nic Tjirkalli
Sent: Monday, August 25, 2008 3:40 AM
To: [email protected]
Subject: Re: [c-nsp] DMVPN breaks when IPSEC protection is applied to tunnels

howdy ho all,

thanx to those who sent through suggestions on how to get the IPSEC to work - the ideas were :-

 try mode transport :-
 don't use wildcard for the secret :-

so i changed the hub and spoke as follows :-

crypto ipsec transform-set 3DES_MD5 esp-aes esp-md5-hmac
 mode transport
crypto isakmp key CISCO address 41.195.37.0 255.255.255.0
crypto isakmp key CISCO address 196.47.0.204 255.255.255.0

also same symptoms - crypto comes up - hub reports IPSEC encaps and decaps - spoke sites report 0 decaps for IPSEC and no errors

any other ideas?

thanx

>
> howdy ho all,
>
> Was hoping I could use this forum to get some direction on resolving a
> strange issue I have with a DMVPN setup.
>
> All works 100% if I do not protect the tunnels with IPSEC. As soon as I
> enable IPSEC the tunnels stop passing traffic.
>
>
> The setup :-
> ============
>
> All routers are CISCO 1841 platforms. the IOS image is :-
> C1841-ADVIPSERVICESK9-M
> c1841-advipservicesk9-mz.124-21.bin
>
>
> HUB Router
> ----------
> HUB router connects via ADSL (a PPPOE session over ethernet) and then fires
> up an L2TP tunnel to obtain a static IP address.
>
> The IP address allocated to the L2TP interface is 196.47.0.204 (Virtual-PPP1)
> This IP address is the NHS. All connections to/from the hub
> use the address of 196.47.0.204.
>
> Tunnel interface on the hub router is 10.0.0.1
>
>
> Spoke Router
> ------------
> the Spoke router (there are 2, I am just showing one) connects via ADSL
> (a PPPOE session over ethernet) and obtains a dynamic IP address. the spoke
> routers use Dialer1 as their interface into the NHRP cloud.
>
> NHRP comes up and if I do not use IPSEC encryption on the Tunnel interface
> ie do not add the command tunnel protection ipsec profile DMVPN
> on Tunnel0
>
> Tunnel interface on the hub router is 10.0.0.3
> all works perfectly.
>
>
> The Problem
> ===========
>
> When I enable IPSEC encryption on the tunnel interfaces on all routers
> then things break. I have tried with both 3DES and AES and same issue.
>
> All the crypto sessions seem correct - correct SAs come up. The dynamically
> created crypto-maps seem correct.
>
> BUT. on the spoke routers, IPSEC reports that no packets are being
> de-encapsulated but no errors are reported.
>
> nhrp-spoke-2#show crypto ipsec sa
>
> interface: Tunnel0
>    local ident (addr/mask/prot/port): (41.195.37.191/255.255.255.255/47/0)
>    remote ident (addr/mask/prot/port): (196.47.0.204/255.255.255.255/47/0)
>    current_peer 196.47.0.204 port 500
>      PERMIT, flags={origin_is_acl,}
>     #pkts encaps: 13410, #pkts encrypt: 13410, #pkts digest: 13410
>     #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
>     #pkts compressed: 0, #pkts decompressed: 0
>     #pkts not compressed: 0, #pkts compr. failed: 0
>     #pkts not decompressed: 0, #pkts decompress failed: 0
>     #send errors 3, #recv errors 0
>
>
> But on the HUB. all is well
>    protected vrf: (none)
>    local ident (addr/mask/prot/port): (196.47.0.204/255.255.255.255/47/0)
>    remote ident (addr/mask/prot/port): (41.195.37.191/255.255.255.255/47/0)
>    current_peer 41.195.37.191 port 500
>      PERMIT, flags={origin_is_acl,}
>     #pkts encaps: 153, #pkts encrypt: 153, #pkts digest: 153
>     #pkts decaps: 80, #pkts decrypt: 80, #pkts verify: 80
>     #pkts compressed: 0, #pkts decompressed: 0
>     #pkts not compressed: 0, #pkts compr. failed: 0
>     #pkts not decompressed: 0, #pkts decompress failed: 0
>     #send errors 1, #recv errors 0
>
>
> Any ideas/thoughts would be greatly appreciated.
>
> The configurations and some useful output are below
>
>
> HUB Configuration
> =================
>
> hostname adsl-nhrp-hub
> !
> boot-start-marker
> boot-end-marker
> !
> logging buffered 4096 debugging
> !
> no aaa new-model
> ip cef
> !
> no ip domain lookup
> ip auth-proxy max-nodata-conns 3
> ip admission max-nodata-conns 3
> vpdn enable
> !
> l2tp-class l2tpclass1
>  authentication
>  password 7 03070E0C2E572B6A1719
> !
> pseudowire-class pwclass1
>  encapsulation l2tpv2
>  protocol l2tpv2 l2tpclass1
>  ip local interface Dialer1
> !
> crypto isakmp policy 10
>  encr aes
>  hash md5
>  authentication pre-share
>  group 2
> crypto isakmp key XXXXX address 0.0.0.0 0.0.0.0
> !
> crypto ipsec transform-set 3DES_MD5 esp-aes esp-md5-hmac
> !
> crypto ipsec profile DMVPN
>  set transform-set 3DES_MD5
> !
> interface Loopback0
>  ip address 172.16.1.1 255.255.255.255
> !
> interface Tunnel0
>  ip address 10.0.0.1 255.255.255.0
>  no ip redirects
>  ip mtu 1400
>  no ip next-hop-self eigrp 1
>  ip nhrp authentication xxxxxxxxxx
>  ip nhrp map multicast dynamic
>  ip nhrp network-id 1
>  ip nhrp holdtime 60
>  ip nhrp registration timeout 30
>  ip tcp adjust-mss 1360
>  no ip split-horizon eigrp 1
>  tunnel source Virtual-PPP1
>  tunnel mode gre multipoint
>  tunnel key 1
>  tunnel protection ipsec profile DMVPN
> !
> interface Null0
>  no ip unreachables
> !
> interface FastEthernet0/0
>  no ip address
>  speed 100
>  full-duplex
>  pppoe enable group global
>  pppoe-client dial-pool-number 1
> !
> interface FastEthernet0/1
>  no ip address
>  duplex auto
>  speed auto
> !
> interface Virtual-PPP1
>  ip address negotiated
>  ip mtu 1452
>  ip virtual-reassembly
>  no logging event link-status
>  no peer neighbor-route
>  no cdp enable
>  ppp chap hostname XXXXX
>  ppp chap password 7 XXXXXX
>  ppp pap sent-username XXXX password 7 XXXXX
>  pseudowire 196.30.121.42 10 pw-class pwclass1
> !
> interface Dialer1
>  mtu 1492
>  ip address negotiated
>  ip virtual-reassembly
>  encapsulation ppp
>  ip tcp adjust-mss 1452
>  dialer pool 1
>  dialer-group 1
>  ppp chap hostname XXX
>  ppp chap password 7 XXXX
>  ppp pap sent-username XXXX password 7 XXXX
> !
> router eigrp 1
>  redistribute connected route-map to-eigrp
>  redistribute static
>  passive-interface Dialer1
>  network 10.0.0.0 0.0.0.255
>  no auto-summary
> !
> no ip forward-protocol nd
> ip route 0.0.0.0 0.0.0.0 Virtual-PPP1
> ip route 196.30.121.42 255.255.255.255 Dialer1
> !
> ip http server
> no ip http secure-server
> !
> ip prefix-list local seq 5 permit 41.195.37.0/24 le 32
> ip prefix-list local seq 10 permit 196.47.0.0/16 le 32
> access-list 1 permit any
> access-list 2 deny any
> access-list 3 permit 10.0.0.2
> access-list 3 permit 10.222.0.1
> access-list 3 permit 10.222.0.2
> access-list 3 permit 10.244.0.2
> no cdp run
> !
> route-map to-eigrp deny 10
>  match ip address prefix-list local
> !
> route-map to-eigrp permit 1000
>
>
> adsl-nhrp-hub#show ip nhrp
> 10.0.0.2/32 via 10.0.0.2, Tunnel0 created 03:19:00, expire 00:00:57
>   Type: dynamic, Flags: authoritative unique registered used
>   NBMA address: 41.195.37.174
> 10.0.0.3/32 via 10.0.0.3, Tunnel0 created 00:04:56, expire 00:00:33
>   Type: dynamic, Flags: authoritative unique registered used
>   NBMA address: 41.195.37.191
>
> adsl-nhrp-hub#show crypto ipsec sa
>
> interface: Tunnel0
>     Crypto map tag: Tunnel0-head-0, local addr 196.47.0.204
>
>    protected vrf: (none)
>    local ident (addr/mask/prot/port): (196.47.0.204/255.255.255.255/47/0)
>    remote ident (addr/mask/prot/port): (41.195.37.174/255.255.255.255/47/0)
>    current_peer 41.195.37.174 port 500
>      PERMIT, flags={origin_is_acl,}
>     #pkts encaps: 5764, #pkts encrypt: 5764, #pkts digest: 5764
>     #pkts decaps: 3484, #pkts decrypt: 3484, #pkts verify: 3484
>     #pkts compressed: 0, #pkts decompressed: 0
>     #pkts not compressed: 0, #pkts compr. failed: 0
>     #pkts not decompressed: 0, #pkts decompress failed: 0
>     #send errors 0, #recv errors 0
>
>      local crypto endpt.: 196.47.0.204, remote crypto endpt.: 41.195.37.174
>      path mtu 1452, ip mtu 1452, ip mtu idb Virtual-PPP1
>      current outbound spi: 0xD9D819B1(3654818225)
>
>      inbound esp sas:
>       spi: 0x8AD878CD(2329442509)
>         transform: esp-aes esp-md5-hmac ,
>         in use settings ={Tunnel, }
>         conn id: 3006, flow_id: FPGA:6, crypto map: Tunnel0-head-0
>         sa timing: remaining key lifetime (k/sec): (4437499/1923)
>         IV size: 16 bytes
>         replay detection support: Y
>         Status: ACTIVE
>
>      inbound ah sas:
>
>      inbound pcp sas:
>
>      outbound esp sas:
>       spi: 0xD9D819B1(3654818225)
>         transform: esp-aes esp-md5-hmac ,
>         in use settings ={Tunnel, }
>         conn id: 3005, flow_id: FPGA:5, crypto map: Tunnel0-head-0
>         sa timing: remaining key lifetime (k/sec): (4437454/1923)
>         IV size: 16 bytes
>         replay detection support: Y
>         Status: ACTIVE
>
>      outbound ah sas:
>
>      outbound pcp sas:
>
>    protected vrf: (none)
>    local ident (addr/mask/prot/port): (196.47.0.204/255.255.255.255/47/0)
>    remote ident (addr/mask/prot/port): (41.195.37.191/255.255.255.255/47/0)
>    current_peer 41.195.37.191 port 500
>      PERMIT, flags={origin_is_acl,}
>     #pkts encaps: 153, #pkts encrypt: 153, #pkts digest: 153
>     #pkts decaps: 80, #pkts decrypt: 80, #pkts verify: 80
>     #pkts compressed: 0, #pkts decompressed: 0
>     #pkts not compressed: 0, #pkts compr. failed: 0
>     #pkts not decompressed: 0, #pkts decompress failed: 0
>     #send errors 1, #recv errors 0
>
>      local crypto endpt.: 196.47.0.204, remote crypto endpt.: 41.195.37.191
>      path mtu 1452, ip mtu 1452, ip mtu idb Virtual-PPP1
>      current outbound spi: 0x6E27D1C2(1848103362)
>
>      inbound esp sas:
>       spi: 0xEE9B0E5D(4003139165)
>         transform: esp-aes esp-md5-hmac ,
>         in use settings ={Tunnel, }
>         conn id: 3004, flow_id: FPGA:4, crypto map: Tunnel0-head-0
>         sa timing: remaining key lifetime (k/sec): (4478781/3289)
>         IV size: 16 bytes
>         replay detection support: Y
>         Status: ACTIVE
>
>      inbound ah sas:
>
>      inbound pcp sas:
>
>      outbound esp sas:
>       spi: 0x6E27D1C2(1848103362)
>         transform: esp-aes esp-md5-hmac ,
>         in use settings ={Tunnel, }
>         conn id: 3003, flow_id: FPGA:3, crypto map: Tunnel0-head-0
>         sa timing: remaining key lifetime (k/sec): (4478771/3289)
>         IV size: 16 bytes
>         replay detection support: Y
>         Status: ACTIVE
>
>      outbound ah sas:
>
>      outbound pcp sas:
>
> adsl-nhrp-hub#show crypto map
> Crypto Map "Tunnel0-head-0" 65536 ipsec-isakmp
>         Profile name: DMVPN
>         Security association lifetime: 4608000 kilobytes/3600 seconds
>         PFS (Y/N): N
>         Transform sets={
>                 3DES_MD5,
>         }
>
> Crypto Map "Tunnel0-head-0" 65540 ipsec-isakmp
>         Map is a PROFILE INSTANCE.
>         Peer = 41.195.37.174
>         Extended IP access list
>             access-list permit gre host 196.47.0.204 host 41.195.37.174
>         Current peer: 41.195.37.174
>         Security association lifetime: 4608000 kilobytes/3600 seconds
>         PFS (Y/N): N
>         Transform sets={
>                 3DES_MD5,
>         }
>
> Crypto Map "Tunnel0-head-0" 65541 ipsec-isakmp
>         Map is a PROFILE INSTANCE.
>         Peer = 41.195.37.191
>         Extended IP access list
>             access-list permit gre host 196.47.0.204 host 41.195.37.191
>         Current peer: 41.195.37.191
>         Security association lifetime: 4608000 kilobytes/3600 seconds
>         PFS (Y/N): N
>         Transform sets={
>                 3DES_MD5,
>         }
>         Interfaces using crypto map Tunnel0-head-0:
>                 Tunnel0
>
> adsl-nhrp-hub#show crypto engine connections active
>
>   ID Interface      IP-Address      State  Algorithm           Encrypt  Decrypt
>   16 Virtual-PPP1   196.47.0.204    set    HMAC_MD5+AES_CBC          0        0
>   18 Tunnel0        10.0.0.1        set    HMAC_MD5+AES_CBC          0        0
> 3003 Tunnel0        196.47.0.204    set    AES+MD5                 169        0
> 3004 Tunnel0        196.47.0.204    set    AES+MD5                   0        8
> 3005 Virtual-PPP1   196.47.0.204    set    AES+MD5                 818        0
> 3006 Virtual-PPP1   196.47.0.204    set    AES+MD5                   0        1
>
>
> Spoke Configuration
> ===================
>
> ip cef
> !
> no ip domain lookup
> ip auth-proxy max-nodata-conns 3
> ip admission max-nodata-conns 3
> vpdn enable
> !
> l2tp-class l2tpclass1
>  authentication
>  password 7 xxxx
> !
> pseudowire-class pwclass1
>  encapsulation l2tpv2
>  protocol l2tpv2 l2tpclass1
>  ip local interface Dialer1
> !
> crypto isakmp policy 10
>  encr aes
>  hash md5
>  authentication pre-share
>  group 2
> crypto isakmp key XXXXX address 0.0.0.0 0.0.0.0
> !
> crypto ipsec transform-set 3DES_MD5 esp-aes esp-md5-hmac
> !
> crypto ipsec profile DMVPN
>  set transform-set 3DES_MD5
> !
> interface Loopback0
>  ip address 172.16.1.3 255.255.255.255
> !
> interface Tunnel0
>  ip address 10.0.0.3 255.255.255.0
>  no ip redirects
>  ip mtu 1400
>  ip nhrp authentication xxxxxxxxxx
>  ip nhrp map 10.0.0.1 196.47.0.204
>  ip nhrp map multicast 196.47.0.204
>  ip nhrp network-id 1
>  ip nhrp holdtime 60
>  ip nhrp nhs 10.0.0.1
>  ip nhrp registration timeout 30
>  ip tcp adjust-mss 1360
>  tunnel source Dialer1
>  tunnel mode gre multipoint
>  tunnel key 1
>  tunnel protection ipsec profile DMVPN
> !
> interface FastEthernet0/0
>  ip address dhcp
>  speed 100
>  full-duplex
>  pppoe enable group global
>  pppoe-client dial-pool-number 1
> !
> interface FastEthernet0/1
>  ip address 10.222.0.1 255.255.255.0
>  speed 100
>  full-duplex
> !
> interface Dialer1
>  mtu 1492
>  ip address negotiated
>  ip virtual-reassembly
>  encapsulation ppp
>  ip tcp adjust-mss 1452
>  dialer pool 1
>  ppp chap hostname XXXX
>  ppp chap password 0 XXXX
>  ppp pap sent-username XXXX password 0 XXXXX
> !
> router eigrp 1
>  redistribute connected route-map to-eigrp
>  redistribute static
>  passive-interface FastEthernet0/1
>  passive-interface Dialer1
>  network 10.0.0.0 0.0.0.255
>  no auto-summary
>  eigrp stub connected
> !
> ip forward-protocol nd
> ip route 0.0.0.0 0.0.0.0 Dialer1
> !
> ip http server
> no ip http secure-server
> !
> ip prefix-list local seq 5 permit 41.195.37.0/24 le 32
> access-list 1 permit any
> access-list 2 deny any
> access-list 3 permit 10.222.0.1
> access-list 3 permit 10.222.0.2
> access-list 3 permit 10.244.0.2
> access-list 3 permit 10.244.0.1
> !
> route-map clear-df permit 10
>  set ip df 0
> !
> route-map to-eigrp deny 10
>  match ip address prefix-list local
> !
> route-map to-eigrp permit 1000
>
>
> Some Debugs
> ===========
>
> nhrp-spoke-2#show ip nhrp
> 10.0.0.1/32 via 10.0.0.1, Tunnel0 created 23:59:15, never expire
>   Type: static, Flags: authoritative used
>   NBMA address: 196.47.0.204
>
>
> nhrp-spoke-2#show crypto ipsec sa
>
> interface: Tunnel0
>     Crypto map tag: Tunnel0-head-0, local addr 41.195.37.191
>
>    protected vrf: (none)
>    local ident (addr/mask/prot/port): (41.195.37.191/255.255.255.255/47/0)
>    remote ident (addr/mask/prot/port): (196.47.0.204/255.255.255.255/47/0)
>    current_peer 196.47.0.204 port 500
>      PERMIT, flags={origin_is_acl,}
>     #pkts encaps: 13410, #pkts encrypt: 13410, #pkts digest: 13410
>     #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
>     #pkts compressed: 0, #pkts decompressed: 0
>     #pkts not compressed: 0, #pkts compr. failed: 0
>     #pkts not decompressed: 0, #pkts decompress failed: 0
>     #send errors 3, #recv errors 0
>
>      local crypto endpt.: 41.195.37.191, remote crypto endpt.: 196.47.0.204
>      path mtu 1492, ip mtu 1492, ip mtu idb Dialer1
>      current outbound spi: 0xEE9B0E5D(4003139165)
>
>      inbound esp sas:
>       spi: 0x6E27D1C2(1848103362)
>         transform: esp-aes esp-md5-hmac ,
>         in use settings ={Tunnel, }
>         conn id: 3004, flow_id: FPGA:4, crypto map: Tunnel0-head-0
>         sa timing: remaining key lifetime (k/sec): (4530791/3584)
>         IV size: 16 bytes
>         replay detection support: Y
>         Status: ACTIVE
>
>      inbound ah sas:
>
>      inbound pcp sas:
>
>      outbound esp sas:
>       spi: 0xEE9B0E5D(4003139165)
>         transform: esp-aes esp-md5-hmac ,
>         in use settings ={Tunnel, }
>         conn id: 3003, flow_id: FPGA:3, crypto map: Tunnel0-head-0
>         sa timing: remaining key lifetime (k/sec): (4530789/3584)
>         IV size: 16 bytes
>         replay detection support: Y
>         Status: ACTIVE
>
>      outbound ah sas:
>
>      outbound pcp sas:
>
> nhrp-spoke-2#show crypto engine connections active
>
>   ID Interface      IP-Address      State  Algorithm           Encrypt  Decrypt
>   13 Dialer1        41.195.37.191   set    HMAC_MD5+AES_CBC          0        0
>   14 Dialer1        41.195.37.191   set    HMAC_MD5+AES_CBC          0        0
> 3003 Dialer1        41.195.37.191   set    AES+MD5                  15        0
> 3004 Dialer1        41.195.37.191   set    AES+MD5                   0        0
>
> nhrp-spoke-2#show crypto map
> Crypto Map "Tunnel0-head-0" 65536 ipsec-isakmp
>         Profile name: DMVPN
>         Security association lifetime: 4608000 kilobytes/3600 seconds
>         PFS (Y/N): N
>         Transform sets={
>                 3DES_MD5,
>         }
>
> Crypto Map "Tunnel0-head-0" 65537 ipsec-isakmp
>         Map is a PROFILE INSTANCE.
>         Peer = 196.47.0.204
>         Extended IP access list
>             access-list permit gre host 41.195.37.191 host 196.47.0.204
>         Current peer: 196.47.0.204
>         Security association lifetime: 4608000 kilobytes/3600 seconds
>         PFS (Y/N): N
>         Transform sets={
>                 3DES_MD5,
>         }
>         Interfaces using crypto map Tunnel0-head-0:
>                 Tunnel0
>
>
> ---------------------------------------------------------------------
> A feature is a bug with seniority.
>
> Nic Tjirkalli
> Verizon Business South Africa
> Network Strategy Team
>
> Verizon Business is a brand of Verizon South Africa (Pty) Ltd. This e-mail
> is strictly confidential and intended only for use by the addressee unless
> otherwise indicated.
>
> Company Information: http://www.verizonbusiness.com/za/contact/legal/
>
> ---------------------------------------------------------------------

Some days you're the pigeon, and some days you're the statue.

Nic Tjirkalli
Verizon Business South Africa
Network Strategy Team

_______________________________________________
cisco-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
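Added example, not part of this thread and not code by either poster: a small Python script that compares "show crypto ipsec sa" snapshots from both ends of a DMVPN tunnel. It pairs the SAs by crypto peer, confirms that each side's outbound SPI is the other side's inbound SPI (so the two snapshots really describe the same SA pair), and then flags the one-way pattern seen above, where the hub keeps encapsulating towards the spoke but the spoke's decaps counter stays at zero. The sample text is constructed from the hub and spoke output quoted in the thread, trimmed to the fields the parser reads; the function and field names are my own.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample input, trimmed to the fields the parser reads; values are
# taken from the hub and spoke output quoted in the thread.
HUB_OUTPUT = """\
interface: Tunnel0
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (196.47.0.204/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (41.195.37.174/255.255.255.255/47/0)
   current_peer 41.195.37.174 port 500
    #pkts encaps: 5764, #pkts encrypt: 5764, #pkts digest: 5764
    #pkts decaps: 3484, #pkts decrypt: 3484, #pkts verify: 3484
    #send errors 0, #recv errors 0
     inbound esp sas:
      spi: 0x8AD878CD(2329442509)
     outbound esp sas:
      spi: 0xD9D819B1(3654818225)

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (196.47.0.204/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (41.195.37.191/255.255.255.255/47/0)
   current_peer 41.195.37.191 port 500
    #pkts encaps: 153, #pkts encrypt: 153, #pkts digest: 153
    #pkts decaps: 80, #pkts decrypt: 80, #pkts verify: 80
    #send errors 1, #recv errors 0
     inbound esp sas:
      spi: 0xEE9B0E5D(4003139165)
     outbound esp sas:
      spi: 0x6E27D1C2(1848103362)
"""

SPOKE_OUTPUT = """\
interface: Tunnel0
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (41.195.37.191/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (196.47.0.204/255.255.255.255/47/0)
   current_peer 196.47.0.204 port 500
    #pkts encaps: 13410, #pkts encrypt: 13410, #pkts digest: 13410
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 3, #recv errors 0
     inbound esp sas:
      spi: 0x6E27D1C2(1848103362)
     outbound esp sas:
      spi: 0xEE9B0E5D(4003139165)
"""


@dataclass
class SaSummary:
    local: str
    peer: str
    encaps: int
    decaps: int
    send_errors: int
    recv_errors: int
    inbound_spi: int
    outbound_spi: int


_FIELDS = {
    "local": r"local\s+ident \(addr/mask/prot/port\): \(([\d.]+)/",
    "peer": r"current_peer ([\d.]+) port",
    "encaps": r"#pkts encaps: (\d+)",
    "decaps": r"#pkts decaps: (\d+)",
    "errors": r"#send errors (\d+), #recv errors (\d+)",
    "inbound_spi": r"inbound esp sas:\s*spi: (0x[0-9A-Fa-f]+)",
    "outbound_spi": r"outbound esp sas:\s*spi: (0x[0-9A-Fa-f]+)",
}


def parse_crypto_ipsec_sa(text: str) -> list[SaSummary]:
    """One SaSummary per 'protected vrf' block that has both ESP SAs installed."""
    sas = []
    for block in re.split(r"(?m)^\s*protected vrf:", text)[1:]:
        m = {name: re.search(pat, block) for name, pat in _FIELDS.items()}
        if not all(m.values()):
            continue  # SA still negotiating or output truncated: nothing to compare
        sas.append(SaSummary(
            local=m["local"].group(1), peer=m["peer"].group(1),
            encaps=int(m["encaps"].group(1)), decaps=int(m["decaps"].group(1)),
            send_errors=int(m["errors"].group(1)), recv_errors=int(m["errors"].group(2)),
            inbound_spi=int(m["inbound_spi"].group(1), 16),
            outbound_spi=int(m["outbound_spi"].group(1), 16)))
    return sas


def find_sa(sas: list[SaSummary], peer: str) -> SaSummary | None:
    """Pick the SA towards a given crypto peer (a hub has one per spoke)."""
    return next((s for s in sas if s.peer == peer), None)


def check_pair(a: SaSummary, b: SaSummary) -> list[str]:
    """Findings for one tunnel seen from both ends; an empty list means healthy."""
    findings = []
    for tx, rx in ((a, b), (b, a)):
        # Each side's outbound SPI must be the other side's inbound SPI; otherwise
        # the snapshots describe different SAs and the counters are not comparable.
        if tx.outbound_spi != rx.inbound_spi:
            findings.append(f"spi-mismatch: {tx.local} sends on {tx.outbound_spi:#010x}, "
                            f"{rx.local} expects {rx.inbound_spi:#010x}")
        # Decaps stuck at zero while the far end keeps encapsulating means ESP never
        # reaches the receiver's crypto engine (lost in transit or dropped on the way in).
        if tx.encaps > 0 and rx.decaps == 0:
            findings.append(f"one-way: {tx.local} encapsulated {tx.encaps} packets "
                            f"towards {rx.local}, which decapsulated none")
    return findings
```

Run on the thread's numbers, the SPI check passes in both directions (hub outbound 0x6E27D1C2 is the spoke's inbound SPI, and vice versa), so SA negotiation is not the problem; the single finding is the one-way hub-to-spoke direction, which is exactly what an inbound ACL with hit counters on the spoke's Dialer1, as suggested at the top of the thread, would confirm or rule out at the interface level. Counters from two boxes are only comparable when the SAs were created at the same time, so the script treats a zero decaps counter as the signal rather than the difference between encaps and decaps.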
