HELP. DMVPN - NHRP dynamic spoke problem

  1. Hub site tunnel will not come up.
  2. NHRP does not come up at hub (probably due to 1)
  3. OSPF not learning routes (see 1 and 2)

Followed DocID 41940 to the letter. Also reviewed 43068. I'm sure I'm missing something simple like a proper access list application, but darned if I have been able to find it.

At the hub, I have the following:

crypto isakmp policy 1
 authentication pre-share
crypto isakmp key IsaKMP-Key address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set TRANS-FIPS esp-aes esp-md5-hmac
 mode transport
!
crypto ipsec profile vpnprof
 set transform-set TRANS-FIPS
!
interface FastEthernet0
 description XXXXXXXXXX
 bandwidth 3000
 ip address A.B.C.D 255.255.255.240
 ip access-group ACL-From-ISP in
 ip nat outside
 ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
 speed auto
 full-duplex
!

interface Tunnel0
 bandwidth 1000
 ip address 192.168.252.1 255.255.255.0
 ip mtu 1400
 ip nhrp authentication NHRP_KEY
 ip nhrp map multicast dynamic
 ip nhrp network-id 100000
 ip nhrp holdtime 600
 ip ospf network broadcast
 ip ospf priority 2
 delay 1000
 tunnel source Ethernet0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile vpnprof

router ospf 1
 network 192.168.252.0 0.0.0.255 area 0
 network 192.168.200.0 0.0.0.255 area 0
!
ip access-list extended ACL-From-ISP
 remark Defines what UNSOLICITED Traffic
 remark (applies to traffic coming IN to the interface from ISP)
 remark coming IN from the Internet is allowed
 permit icmp any any echo log-input
 permit icmp any any echo-reply log-input
 permit icmp any any traceroute
 permit gre any any log-input
 permit esp any any log-input
 permit tcp any any eq 22 log-input
 permit tcp any any eq 443 log-input
 permit udp any any eq domain log-input
 permit ip any any

At the spoke (3) I have:

crypto isakmp policy 1
 authentication pre-share
crypto isakmp key IsaKMP-Key address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set TRANS-FIPS esp-aes esp-md5-hmac
 mode transport
!
crypto ipsec profile vpnprof
 set transform-set TRANS-FIPS
!
interface FastEthernet1
 description ########
 bandwidth 1544
 ip address e.f.g.h 255.255.255.224
 ip access-group ACL-From-ISP in
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Tunnel0
 bandwidth 1000
 ip address 192.168.252.3 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication NHRP_KEY
 ip nhrp map multicast A.B.C.D
 ip nhrp map 192.168.252.1 68.225.80.199
 ip nhrp network-id 100000
 ip nhrp holdtime 300
 ip nhrp nhs 192.168.252.1
 ip ospf network broadcast
 ip ospf priority 0
 delay 1000
 tunnel source FastEthernet1
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile vpnprof

!
ip access-list extended ACL-From-ISP
 remark Defines what UNSOLICITED Traffic
 remark (applies to traffic coming IN to the interface from ISP)
 remark coming IN from the Internet is allowed
 permit icmp any any echo log-input
 permit icmp any any echo-reply log-input
 permit icmp any any traceroute
 permit gre any any log-input
 permit esp any any log-input
 permit tcp any any eq 22 log-input
 permit tcp any any eq 443 log-input
 permit udp any any eq domain log-input
 permit ip any any

Dan Murray
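The hub and spoke configurations in the post above are the kind of pair where one NHRP or GRE parameter that does not agree on both ends keeps the tunnel down. What follows is an added example, not code from the thread or from Cisco: a small checker that parses the Tunnel0 and transform-set sections of both configs and reports the parameters that must match (NHRP network-id, tunnel key, NHRP authentication string, the spoke's NHS and static map pointing at the hub, the tunnel source naming a real interface, and a transform-set with the same algorithms and mode on both sides). HUB_CFG and SPOKE_CFG are constructed from the values pasted above, with the public addresses left anonymised exactly as posted; all function names are mine. Run against that pair it reports two things that are visible in the post: the hub's tunnel source is Ethernet0, while the only WAN interface in the pasted hub config is FastEthernet0, and the spoke's multicast map (A.B.C.D) does not name the same NBMA address as its static map for the hub (68.225.80.199), which may simply be how the addresses were masked.

```python
# Added example, not code from the thread: consistency checks for a DMVPN hub/spoke pair.
from typing import Dict, List

# Constructed from the configs pasted above; public addresses left anonymised as posted.
HUB_CFG = """
crypto ipsec transform-set TRANS-FIPS esp-aes esp-md5-hmac
 mode transport
interface FastEthernet0
 ip address A.B.C.D 255.255.255.240
interface Tunnel0
 ip address 192.168.252.1 255.255.255.0
 ip nhrp authentication NHRP_KEY
 ip nhrp map multicast dynamic
 ip nhrp network-id 100000
 tunnel source Ethernet0
 tunnel key 100000
"""
SPOKE_CFG = """
crypto ipsec transform-set TRANS-FIPS esp-aes esp-md5-hmac
 mode transport
interface FastEthernet1
 ip address e.f.g.h 255.255.255.224
interface Tunnel0
 ip address 192.168.252.3 255.255.255.0
 ip nhrp authentication NHRP_KEY
 ip nhrp map multicast A.B.C.D
 ip nhrp map 192.168.252.1 68.225.80.199
 ip nhrp network-id 100000
 ip nhrp nhs 192.168.252.1
 tunnel source FastEthernet1
 tunnel key 100000
"""

def parse_sections(cfg: str) -> Dict[str, List[str]]:
    """Group indented sub-commands under their top-level command line; '!' ends a section."""
    sections: Dict[str, List[str]] = {}
    current = None
    for line in cfg.splitlines():
        if not line.strip() or line.strip() == "!":
            current = None
        elif line.startswith(" ") and current is not None:
            sections[current].append(line.strip())
        elif not line.startswith(" "):
            current = line.strip()
            sections.setdefault(current, [])
    return sections

def tunnel_settings(sections: Dict[str, List[str]], name: str = "interface Tunnel0") -> dict:
    """Pull the NHRP/GRE parameters that must agree between hub and spoke."""
    keys = {"ip address": "ip", "ip nhrp authentication": "auth", "ip nhrp network-id": "network_id",
            "ip nhrp nhs": "nhs", "tunnel key": "tunnel_key", "tunnel source": "source"}
    s: dict = {"nhrp_map": {}, "multicast": []}
    for line in sections.get(name, []):
        words = line.split()
        if line.startswith("ip nhrp map multicast "):
            s["multicast"].append(words[4])
        elif line.startswith("ip nhrp map "):
            s["nhrp_map"][words[3]] = words[4]  # tunnel address -> NBMA (transport) address
        else:
            for prefix, key in keys.items():
                if line.startswith(prefix + " "):
                    s[key] = words[len(prefix.split())]
    return s

def transform_sets(sections: Dict[str, List[str]]) -> dict:
    """Every transform-set in a config as {name: (algorithms, mode lines)}."""
    return {h.split()[3]: (tuple(h.split()[4:]), tuple(b)) for h, b in sections.items()
            if h.startswith("crypto ipsec transform-set ")}

def check_pair(hub_cfg: str, spoke_cfg: str) -> List[str]:
    """Mismatches that keep NHRP registration or IPsec from coming up; empty list = consistent."""
    hub, spoke = parse_sections(hub_cfg), parse_sections(spoke_cfg)
    h, s = tunnel_settings(hub), tunnel_settings(spoke)
    out: List[str] = []
    for key in ("network_id", "tunnel_key", "auth"):
        if h.get(key) != s.get(key):
            out.append(f"{key} differs: hub={h.get(key)} spoke={s.get(key)}")
    for side, cfg, t in (("hub", hub, h), ("spoke", spoke, s)):
        if f"interface {t.get('source')}" not in cfg:
            out.append(f"{side}: tunnel source {t.get('source')} is not a configured interface")
    if s.get("nhs") != h.get("ip"):
        out.append(f"spoke NHS {s.get('nhs')} is not the hub tunnel address {h.get('ip')}")
    nbma = s["nhrp_map"].get(h.get("ip"))  # spoke's static tunnel-to-NBMA mapping for the hub
    hub_nbma = next((ln.split()[2] for ln in hub.get(f"interface {h.get('source')}", [])
                     if ln.startswith("ip address ")), None)
    if nbma is None or (hub_nbma is not None and nbma != hub_nbma):
        out.append(f"spoke maps hub to NBMA {nbma}, but hub tunnel source address is {hub_nbma}")
    if nbma is not None and nbma not in s["multicast"]:
        out.append(f"spoke multicast map {s['multicast']} does not include hub NBMA {nbma}")
    if not set(transform_sets(hub).values()) & set(transform_sets(spoke).values()):
        out.append("no IPsec transform-set with matching algorithms and mode on both sides")
    return out

if __name__ == "__main__":
    for finding in check_pair(HUB_CFG, SPOKE_CFG):
        print(finding)
```

The checker only reads what is in the two text files, so it cannot see a pre-shared key or ISAKMP identity mismatch of the kind the reply below points at; those still need "show crypto isakmp sa" and "debug crypto isakmp" on the boxes. It is meant to be run on a real hub/spoke pair before touching the routers, so that the mechanical mismatches are ruled out first.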

Hello, Dan! You wrote on Mon, 2 Jun 2008 10:58:06 -0400:

DM> Followed DocID 41940 to the letter. also reviewed 43068. I'm sure
DM> I'm missing something simple like a proper access list application, but
DM> darned if I have been able to find it.

DM> At the hub, I have the following:

DM> crypto isakmp policy 1
DM>  authentication pre-share
DM> crypto isakmp key IsaKMP-Key address 0.0.0.0 0.0.0.0

crypto isakmp identity hostname

DM> !
DM> !
DM> crypto ipsec transform-set TRANS-FIPS esp-aes esp-md5-hmac
DM>  mode transport
DM> !
DM> crypto ipsec profile vpnprof
DM>  set transform-set TRANS-FIPS
DM> !
DM> interface FastEthernet0
DM>  description XXXXXXXXXX
DM>  bandwidth 3000
DM>  ip address A.B.C.D 255.255.255.240
DM>  ip access-group ACL-From-ISP in
DM>  ip nat outside
DM>  ip virtual-reassembly
DM>  no ip route-cache cef
DM>  no ip route-cache
DM>  no ip mroute-cache
DM>  speed auto
DM>  full-duplex
DM> !

DM> interface Tunnel0
DM>  bandwidth 1000
DM>  ip address 192.168.252.1 255.255.255.0
DM>  ip mtu 1400
DM>  ip nhrp authentication NHRP_KEY
DM>  ip nhrp map multicast dynamic
DM>  ip nhrp network-id 100000
DM>  ip nhrp holdtime 600
DM>  ip ospf network broadcast
DM>  ip ospf priority 2
DM>  delay 1000
DM>  tunnel source Ethernet0
DM>  tunnel mode gre multipoint
DM>  tunnel key 100000
DM>  tunnel protection ipsec profile vpnprof

DM> router ospf 1
DM>  network 192.168.252.0 0.0.0.255 area 0
DM>  network 192.168.200.0 0.0.0.255 area 0
DM> !
DM> ip access-list extended ACL-From-ISP
DM>  remark Defines what UNSOLICITED Traffic
DM>  remark (applies to traffic coming IN to the interface from ISP)
DM>  remark coming IN from the Internet is allowed
DM>  permit icmp any any echo log-input
DM>  permit icmp any any echo-reply log-input
DM>  permit icmp any any traceroute
DM>  permit gre any any log-input
DM>  permit esp any any log-input
DM>  permit tcp any any eq 22 log-input
DM>  permit tcp any any eq 443 log-input
DM>  permit udp any any eq domain log-input
DM>  permit ip any any

DM> At the spoke (3) I have:

DM> crypto isakmp policy 1
DM>  authentication pre-share
DM> crypto isakmp key IsaKMP-Key address 0.0.0.0 0.0.0.0

crypto isakmp identity hostname

DM> !
DM> !
DM> crypto ipsec transform-set TRANS-FIPS esp-aes esp-md5-hmac
DM>  mode transport
DM> !
DM> crypto ipsec profile vpnprof
DM>  set transform-set TRANS-FIPS
DM> !
DM> interface FastEthernet1
DM>  description ########
DM>  bandwidth 1544
DM>  ip address e.f.g.h 255.255.255.224
DM>  ip access-group ACL-From-ISP in
DM>  ip flow ingress
DM>  ip flow egress
DM>  ip nat outside
DM>  ip virtual-reassembly
DM>  duplex auto
DM>  speed auto
DM> !
DM> interface Tunnel0
DM>  bandwidth 1000
DM>  ip address 192.168.252.3 255.255.255.0
DM>  no ip redirects
DM>  ip mtu 1400
DM>  ip nhrp authentication NHRP_KEY
DM>  ip nhrp map multicast A.B.C.D
DM>  ip nhrp map 192.168.252.1 68.225.80.199
DM>  ip nhrp network-id 100000
DM>  ip nhrp holdtime 300
DM>  ip nhrp nhs 192.168.252.1
DM>  ip ospf network broadcast
DM>  ip ospf priority 0
DM>  delay 1000
DM>  tunnel source FastEthernet1
DM>  tunnel mode gre multipoint
DM>  tunnel key 100000
DM>  tunnel protection ipsec profile vpnprof

With best regards, Andrew Lutov.
