- Hub site tunnel will not come up.
- NHRP does not come up at hub (probably due to 1)
- OSPF not learning routes (see 1 and 2)
Followed DocID 41940 to the letter. Also reviewed 43068. I'm sure I'm missing something simple like a proper access list application, but darned if I have been able to find it.
At the hub, I have the following:
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key IsaKMP-Key address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set TRANS-FIPS esp-aes esp-md5-hmac
 mode transport
!
crypto ipsec profile vpnprof
 set transform-set TRANS-FIPS
!
interface FastEthernet0
 description XXXXXXXXXX
 bandwidth 3000
 ip address A.B.C.D 255.255.255.240
 ip access-group ACL-From-ISP in
 ip nat outside
 ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
 speed auto
 full-duplex
!
interface Tunnel0
 bandwidth 1000
 ip address 192.168.252.1 255.255.255.0
 ip mtu 1400
 ip nhrp authentication NHRP_KEY
 ip nhrp map multicast dynamic
 ip nhrp network-id 100000
 ip nhrp holdtime 600
 ip ospf network broadcast
 ip ospf priority 2
 delay 1000
 tunnel source Ethernet0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile vpnprof
!
router ospf 1
 network 192.168.252.0 0.0.0.255 area 0
 network 192.168.200.0 0.0.0.255 area 0
!
ip access-list extended ACL-From-ISP
 remark Defines what UNSOLICITED Traffic
 remark (applies to traffic coming IN to the interface from ISP)
 remark coming IN from the Internet is allowed
 permit icmp any any echo log-input
 permit icmp any any echo-reply log-input
 permit icmp any any traceroute
 permit gre any any log-input
 permit esp any any log-input
 permit tcp any any eq 22 log-input
 permit tcp any any eq 443 log-input
 permit udp any any eq domain log-input
 permit ip any any
At the spoke (3) I have:
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key IsaKMP-Key address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set TRANS-FIPS esp-aes esp-md5-hmac
 mode transport
!
crypto ipsec profile vpnprof
 set transform-set TRANS-FIPS
!
interface FastEthernet1
 description ########
 bandwidth 1544
 ip address e.f.g.h 255.255.255.224
 ip access-group ACL-From-ISP in
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Tunnel0
 bandwidth 1000
 ip address 192.168.252.3 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication NHRP_KEY
 ip nhrp map multicast A.B.C.D
 ip nhrp map 192.168.252.1 68.225.80.199
 ip nhrp network-id 100000
 ip nhrp holdtime 300
 ip nhrp nhs 192.168.252.1
 ip ospf network broadcast
 ip ospf priority 0
 delay 1000
 tunnel source FastEthernet1
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile vpnprof
!
ip access-list extended ACL-From-ISP
 remark Defines what UNSOLICITED Traffic
 remark (applies to traffic coming IN to the interface from ISP)
 remark coming IN from the Internet is allowed
 permit icmp any any echo log-input
 permit icmp any any echo-reply log-input
 permit icmp any any traceroute
 permit gre any any log-input
 permit esp any any log-input
 permit tcp any any eq 22 log-input
 permit tcp any any eq 443 log-input
 permit udp any any eq domain log-input
 permit ip any any
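An added example, not part of the original post and not Cisco's own tooling: a small Python checker that reads an IOS hub and spoke config as text and reports the DMVPN settings that must agree before the mGRE tunnel, NHRP registration and OSPF adjacency can come up. It embeds trimmed copies of the two configs above (placeholders such as A.B.C.D kept as posted; the hub's real WAN address is not known from the post) and checks that `tunnel key`, `ip nhrp network-id`, `ip nhrp authentication`, `tunnel mode` and the IPsec profile match, that each `tunnel source` names an interface that exists in the same config, that the hub has `ip nhrp map multicast dynamic`, and that the spoke's multicast map points at the same NBMA address as its static map for the NHS. The `parse_interfaces`, `tunnel_facts`, `interface_ip` and `check_pair` names are this example's own. It is a static cross-check of the running-config, not a substitute for `show dmvpn`, `show ip nhrp` or `debug nhrp` on the box.

```python
"""Static DMVPN hub/spoke consistency check over IOS config text (added example)."""
import re

# Constructed from the configs in the post, trimmed to the DMVPN-relevant lines.
HUB_CFG = """\
interface FastEthernet0
 ip address A.B.C.D 255.255.255.240
 ip access-group ACL-From-ISP in
!
interface Tunnel0
 ip address 192.168.252.1 255.255.255.0
 ip mtu 1400
 ip nhrp authentication NHRP_KEY
 ip nhrp map multicast dynamic
 ip nhrp network-id 100000
 ip nhrp holdtime 600
 ip ospf network broadcast
 tunnel source Ethernet0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile vpnprof
"""

SPOKE_CFG = """\
interface FastEthernet1
 ip address e.f.g.h 255.255.255.224
 ip access-group ACL-From-ISP in
!
interface Tunnel0
 ip address 192.168.252.3 255.255.255.0
 ip mtu 1400
 ip nhrp authentication NHRP_KEY
 ip nhrp map multicast A.B.C.D
 ip nhrp map 192.168.252.1 68.225.80.199
 ip nhrp network-id 100000
 ip nhrp holdtime 300
 ip nhrp nhs 192.168.252.1
 ip ospf network broadcast
 tunnel source FastEthernet1
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile vpnprof
"""


def parse_interfaces(cfg):
    """Map each 'interface NAME' stanza to its indented sub-commands."""
    ifaces, cur = {}, None
    for raw in cfg.splitlines():
        if raw.startswith(" ") and cur is not None:
            ifaces[cur].append(raw.strip())
            continue
        m = re.match(r"interface (\S+)$", raw)
        cur = m.group(1) if m else None   # '!' or any other top-level line ends the stanza
        if cur:
            ifaces[cur] = []
    return ifaces


def tunnel_facts(ifaces, name="Tunnel0"):
    """Pull the DMVPN-relevant settings out of one tunnel interface."""
    facts = {"nhs": [], "mcast": [], "nhrp_map": {}}
    scalar = {
        "key": r"tunnel key (\S+)",
        "netid": r"ip nhrp network-id (\S+)",
        "auth": r"ip nhrp authentication (\S+)",
        "source": r"tunnel source (\S+)",
        "mode": r"tunnel mode (.+)",
        "profile": r"tunnel protection ipsec profile (\S+)",
    }
    for line in ifaces.get(name, []):
        for field, pat in scalar.items():
            m = re.fullmatch(pat, line)
            if m:
                facts[field] = m.group(1)
        m = re.fullmatch(r"ip nhrp nhs (\S+)", line)
        if m:
            facts["nhs"].append(m.group(1))
            continue
        m = re.fullmatch(r"ip nhrp map multicast (\S+)", line)   # must be tried before the generic map
        if m:
            facts["mcast"].append(m.group(1))
            continue
        m = re.fullmatch(r"ip nhrp map (\S+) (\S+)", line)
        if m:
            facts["nhrp_map"][m.group(1)] = m.group(2)   # tunnel IP -> NBMA (public) IP
    return facts


def interface_ip(ifaces, name):
    """First 'ip address' on an interface, or None if the interface is absent."""
    for line in ifaces.get(name, []):
        m = re.fullmatch(r"ip address (\S+) (\S+)", line)
        if m:
            return m.group(1)
    return None


def check_pair(hub_cfg, spoke_cfg):
    """Return human-readable inconsistencies between a hub and one spoke."""
    hub_if, spoke_if = parse_interfaces(hub_cfg), parse_interfaces(spoke_cfg)
    hub, spoke = tunnel_facts(hub_if), tunnel_facts(spoke_if)
    problems = []
    # GRE key, NHRP network-id/auth, tunnel mode and the IPsec profile must match end to end.
    for field in ("key", "netid", "auth", "mode", "profile"):
        if hub.get(field) != spoke.get(field):
            problems.append(f"{field}: hub={hub.get(field)!r} spoke={spoke.get(field)!r}")
    # 'tunnel source' must name an interface that exists in the same config.
    for side, facts, ifs in (("hub", hub, hub_if), ("spoke", spoke, spoke_if)):
        src = facts.get("source")
        if src not in ifs:
            problems.append(f"{side}: tunnel source {src} is not an interface in this config")
    if "dynamic" not in hub["mcast"]:
        problems.append("hub: no 'ip nhrp map multicast dynamic' (OSPF hellos to spokes need it)")
    hub_nbma = interface_ip(hub_if, hub.get("source"))
    for nhs in spoke["nhs"]:
        nbma = spoke["nhrp_map"].get(nhs)
        if nbma is None:
            problems.append(f"spoke: NHS {nhs} has no static 'ip nhrp map' to an NBMA address")
            continue
        if nbma not in spoke["mcast"]:
            problems.append(f"spoke: NHS {nhs} maps to {nbma} but multicast is mapped to {spoke['mcast']}")
        if hub_nbma is not None and nbma != hub_nbma:
            problems.append(f"spoke: NHS {nhs} maps to {nbma} but hub tunnel source address is {hub_nbma}")
    return problems


if __name__ == "__main__":
    for p in check_pair(HUB_CFG, SPOKE_CFG):
        print("MISMATCH:", p)
```

Run against the posted configs it reports two findings: the hub's `tunnel source Ethernet0` names an interface that does not appear in the hub config shown, and the spoke maps multicast to A.B.C.D while its static map for the NHS 192.168.252.1 points at 68.225.80.199. Whether those are redaction artefacts or the live configuration is something only the poster can confirm, but they are the first two things to verify with `show ip nhrp` and `show dmvpn`.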