[c-nsp] DMVPN breaks when IPSEC protection is applied to tunnels
Nic Tjirkalli
nic.tjirkalli at za.verizonbusiness.com
Sun Aug 24 03:19:38 EDT 2008
howdy ho all,
Was hoping I could use this forum to get some direction on resolving a
strange issue I have with a DMVPN setup.
All works 100% if I do not protect the tunnels with IPSEC. As soon as I
enable IPSEC the tunnels stop passing traffic.
The setup :-
============
All routers are Cisco 1841 platforms. The IOS image is :-
C1841-ADVIPSERVICESK9-M
c1841-advipservicesk9-mz.124-21.bin
HUB Router
----------
HUB router connects via ADSL (a PPPOE session over ethernet) and then fires up
an L2TP tunnel to obtain a static IP address.
The IP address allocated to the L2TP interface is 196.47.0.204 (Virtual-PPP1)
This IP address is the NHS. All connections to/from the hub
use the address of 196.47.0.204.
Tunnel interface on the hub router is 10.0.0.1
Spoke Router
------------
The spoke router (there are 2; I am just showing one) connects via ADSL
(a PPPOE session over ethernet) and obtains a dynamic IP address. The spoke
routers use Dialer1 as their interface into the NHRP cloud.
Tunnel interface on the hub router is 10.0.0.3
NHRP comes up and, if I do not use IPSEC encryption on the Tunnel interface,
ie do not add the command
    tunnel protection ipsec profile DMVPN
on Tunnel0, all works perfectly.
The Problem
===========
When I enable IPSEC encryption on the tunnel interfaces on all routers
then things break. I have tried with both 3DES and AES and same issue.
All the crypto sessions seem correct - correct SAs
come up. The dynamically created crypto-maps seem correct.
BUT on the spoke routers, IPSEC reports that no packets are being
de-encapsulated, though no errors are reported.
nhrp-spoke-2#show crypto ipsec sa
interface: Tunnel0
local ident (addr/mask/prot/port): (41.195.37.191/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (196.47.0.204/255.255.255.255/47/0)
current_peer 196.47.0.204 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 13410, #pkts encrypt: 13410, #pkts digest: 13410
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 3, #recv errors 0
But on the HUB, all is well:
protected vrf: (none)
local ident (addr/mask/prot/port): (196.47.0.204/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (41.195.37.191/255.255.255.255/47/0)
current_peer 41.195.37.191 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 153, #pkts encrypt: 153, #pkts digest: 153
#pkts decaps: 80, #pkts decrypt: 80, #pkts verify: 80
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
Any ideas/thoughts would be greatly appreciated.
The configurations and some useful output are below.
HUB Configuration
=================
hostname adsl-nhrp-hub
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
!
no aaa new-model
ip cef
!
!
!
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
vpdn enable
!
l2tp-class l2tpclass1
authentication
password 7 03070E0C2E572B6A1719
!
!
!
!
!
!
pseudowire-class pwclass1
encapsulation l2tpv2
protocol l2tpv2 l2tpclass1
ip local interface Dialer1
!
!
!
crypto isakmp policy 10
encr aes
hash md5
authentication pre-share
group 2
crypto isakmp key XXXXX address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set 3DES_MD5 esp-aes esp-md5-hmac
!
crypto ipsec profile DMVPN
set transform-set 3DES_MD5
!
!
!
!
interface Loopback0
ip address 172.16.1.1 255.255.255.255
!
interface Tunnel0
ip address 10.0.0.1 255.255.255.0
no ip redirects
ip mtu 1400
no ip next-hop-self eigrp 1
ip nhrp authentication xxxxxxxxxx
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip nhrp holdtime 60
ip nhrp registration timeout 30
ip tcp adjust-mss 1360
no ip split-horizon eigrp 1
tunnel source Virtual-PPP1
tunnel mode gre multipoint
tunnel key 1
tunnel protection ipsec profile DMVPN
!
interface Null0
no ip unreachables
!
interface FastEthernet0/0
no ip address
speed 100
full-duplex
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
!
interface Virtual-PPP1
ip address negotiated
ip mtu 1452
ip virtual-reassembly
no logging event link-status
no peer neighbor-route
no cdp enable
ppp chap hostname XXXXX
ppp chap password 7 XXXXXX
ppp pap sent-username XXXX password 7 XXXXX
pseudowire 196.30.121.42 10 pw-class pwclass1
!
interface Dialer1
mtu 1492
ip address negotiated
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp chap hostname XXX
ppp chap password 7 XXXX
ppp pap sent-username XXXX password 7 XXXX
!
router eigrp 1
redistribute connected route-map to-eigrp
redistribute static
passive-interface Dialer1
network 10.0.0.0 0.0.0.255
no auto-summary
!
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Virtual-PPP1
ip route 196.30.121.42 255.255.255.255 Dialer1
!
!
ip http server
no ip http secure-server
!
!
ip prefix-list local seq 5 permit 41.195.37.0/24 le 32
ip prefix-list local seq 10 permit 196.47.0.0/16 le 32
access-list 1 permit any
access-list 2 deny any
access-list 3 permit 10.0.0.2
access-list 3 permit 10.222.0.1
access-list 3 permit 10.222.0.2
access-list 3 permit 10.244.0.2
no cdp run
!
route-map to-eigrp deny 10
match ip address prefix-list local
!
route-map to-eigrp permit 1000
adsl-nhrp-hub#show ip nhrp
10.0.0.2/32 via 10.0.0.2, Tunnel0 created 03:19:00, expire 00:00:57
Type: dynamic, Flags: authoritative unique registered used
NBMA address: 41.195.37.174
10.0.0.3/32 via 10.0.0.3, Tunnel0 created 00:04:56, expire 00:00:33
Type: dynamic, Flags: authoritative unique registered used
NBMA address: 41.195.37.191
adsl-nhrp-hub#show crypto ipsec sa
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 196.47.0.204
protected vrf: (none)
local ident (addr/mask/prot/port): (196.47.0.204/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (41.195.37.174/255.255.255.255/47/0)
current_peer 41.195.37.174 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 5764, #pkts encrypt: 5764, #pkts digest: 5764
#pkts decaps: 3484, #pkts decrypt: 3484, #pkts verify: 3484
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 196.47.0.204, remote crypto endpt.: 41.195.37.174
path mtu 1452, ip mtu 1452, ip mtu idb Virtual-PPP1
current outbound spi: 0xD9D819B1(3654818225)
inbound esp sas:
spi: 0x8AD878CD(2329442509)
transform: esp-aes esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 3006, flow_id: FPGA:6, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4437499/1923)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xD9D819B1(3654818225)
transform: esp-aes esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 3005, flow_id: FPGA:5, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4437454/1923)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (196.47.0.204/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (41.195.37.191/255.255.255.255/47/0)
current_peer 41.195.37.191 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 153, #pkts encrypt: 153, #pkts digest: 153
#pkts decaps: 80, #pkts decrypt: 80, #pkts verify: 80
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 196.47.0.204, remote crypto endpt.: 41.195.37.191
path mtu 1452, ip mtu 1452, ip mtu idb Virtual-PPP1
current outbound spi: 0x6E27D1C2(1848103362)
inbound esp sas:
spi: 0xEE9B0E5D(4003139165)
transform: esp-aes esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 3004, flow_id: FPGA:4, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4478781/3289)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x6E27D1C2(1848103362)
transform: esp-aes esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 3003, flow_id: FPGA:3, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4478771/3289)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
adsl-nhrp-hub#show crypto map
Crypto Map "Tunnel0-head-0" 65536 ipsec-isakmp
Profile name: DMVPN
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
3DES_MD5,
}
Crypto Map "Tunnel0-head-0" 65540 ipsec-isakmp
Map is a PROFILE INSTANCE.
Peer = 41.195.37.174
Extended IP access list
access-list permit gre host 196.47.0.204 host 41.195.37.174
Current peer: 41.195.37.174
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
3DES_MD5,
}
Crypto Map "Tunnel0-head-0" 65541 ipsec-isakmp
Map is a PROFILE INSTANCE.
Peer = 41.195.37.191
Extended IP access list
access-list permit gre host 196.47.0.204 host 41.195.37.191
Current peer: 41.195.37.191
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
3DES_MD5,
}
Interfaces using crypto map Tunnel0-head-0:
Tunnel0
adsl-nhrp-hub#show crypto engine connections active
ID Interface IP-Address State Algorithm Encrypt Decrypt
16 Virtual-PPP1 196.47.0.204 set HMAC_MD5+AES_CBC 0 0
18 Tunnel0 10.0.0.1 set HMAC_MD5+AES_CBC 0 0
3003 Tunnel0 196.47.0.204 set AES+MD5 169 0
3004 Tunnel0 196.47.0.204 set AES+MD5 0 8
3005 Virtual-PPP1 196.47.0.204 set AES+MD5 818 0
3006 Virtual-PPP1 196.47.0.204 set AES+MD5 0 1
Spoke Configuration
===================
ip cef
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
vpdn enable
!
l2tp-class l2tpclass1
authentication
password 7 xxxx
!
!
pseudowire-class pwclass1
encapsulation l2tpv2
protocol l2tpv2 l2tpclass1
ip local interface Dialer1
!
!
crypto isakmp policy 10
encr aes
hash md5
authentication pre-share
group 2
crypto isakmp key XXXXX address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set 3DES_MD5 esp-aes esp-md5-hmac
!
crypto ipsec profile DMVPN
set transform-set 3DES_MD5
!
!
!
!
interface Loopback0
ip address 172.16.1.3 255.255.255.255
!
interface Tunnel0
ip address 10.0.0.3 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication xxxxxxxxxx
ip nhrp map 10.0.0.1 196.47.0.204
ip nhrp map multicast 196.47.0.204
ip nhrp network-id 1
ip nhrp holdtime 60
ip nhrp nhs 10.0.0.1
ip nhrp registration timeout 30
ip tcp adjust-mss 1360
tunnel source Dialer1
tunnel mode gre multipoint
tunnel key 1
tunnel protection ipsec profile DMVPN
!
interface FastEthernet0/0
ip address dhcp
speed 100
full-duplex
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface FastEthernet0/1
ip address 10.222.0.1 255.255.255.0
speed 100
full-duplex
!
!
interface Dialer1
mtu 1492
ip address negotiated
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
ppp chap hostname XXXX
ppp chap password 0 XXXX
ppp pap sent-username XXXX password 0 XXXXX
!
router eigrp 1
redistribute connected route-map to-eigrp
redistribute static
passive-interface FastEthernet0/1
passive-interface Dialer1
network 10.0.0.0 0.0.0.255
no auto-summary
eigrp stub connected
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
ip http server
no ip http secure-server
!
!
ip prefix-list local seq 5 permit 41.195.37.0/24 le 32
access-list 1 permit any
access-list 2 deny any
access-list 3 permit 10.222.0.1
access-list 3 permit 10.222.0.2
access-list 3 permit 10.244.0.2
access-list 3 permit 10.244.0.1
!
route-map clear-df permit 10
set ip df 0
!
route-map to-eigrp deny 10
match ip address prefix-list local
!
route-map to-eigrp permit 1000
Some Debugs
===========
nhrp-spoke-2#show ip nhrp
10.0.0.1/32 via 10.0.0.1, Tunnel0 created 23:59:15, never expire
Type: static, Flags: authoritative used
NBMA address: 196.47.0.204
nhrp-spoke-2#show crypto ipsec sa
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 41.195.37.191
protected vrf: (none)
local ident (addr/mask/prot/port): (41.195.37.191/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (196.47.0.204/255.255.255.255/47/0)
current_peer 196.47.0.204 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 13410, #pkts encrypt: 13410, #pkts digest: 13410
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 3, #recv errors 0
local crypto endpt.: 41.195.37.191, remote crypto endpt.: 196.47.0.204
path mtu 1492, ip mtu 1492, ip mtu idb Dialer1
current outbound spi: 0xEE9B0E5D(4003139165)
inbound esp sas:
spi: 0x6E27D1C2(1848103362)
transform: esp-aes esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 3004, flow_id: FPGA:4, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4530791/3584)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xEE9B0E5D(4003139165)
transform: esp-aes esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 3003, flow_id: FPGA:3, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4530789/3584)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
nhrp-spoke-2#show crypto engine connections active
ID Interface IP-Address State Algorithm Encrypt Decrypt
13 Dialer1 41.195.37.191 set HMAC_MD5+AES_CBC 0 0
14 Dialer1 41.195.37.191 set HMAC_MD5+AES_CBC 0 0
3003 Dialer1 41.195.37.191 set AES+MD5 15 0
3004 Dialer1 41.195.37.191 set AES+MD5 0 0
nhrp-spoke-2#show crypto map
Crypto Map "Tunnel0-head-0" 65536 ipsec-isakmp
Profile name: DMVPN
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
3DES_MD5,
}
Crypto Map "Tunnel0-head-0" 65537 ipsec-isakmp
Map is a PROFILE INSTANCE.
Peer = 196.47.0.204
Extended IP access list
access-list permit gre host 41.195.37.191 host 196.47.0.204
Current peer: 196.47.0.204
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
3DES_MD5,
}
Interfaces using crypto map Tunnel0-head-0:
Tunnel0
---------------------------------------------------------------------
A feature is a bug with seniority.
Nic Tjirkalli
Verizon Business South Africa
Network Strategy Team
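The diagnosis above rests on lining up the two ends of one SA pair: what the spoke encapsulated against what the hub decapsulated, and the SPIs each side reports. The script below is an added example, not part of the original post, that does that cross-check mechanically over "show crypto ipsec sa" output. The two sample outputs are constructed from the counter and SPI lines quoted in the post (everything else trimmed); the parsing functions, the PeerSa class and the comparison logic are all assumptions of this example, not an IOS or vendor tool. Note that the two captures were not taken at the same instant, so a small difference between encaps and the far side's decaps is expected; a large one, or zero decaps against a non-zero encaps, is the thing to flag.

```python
import re
from dataclasses import dataclass


@dataclass
class PeerSa:
    """Per-peer view extracted from one router's 'show crypto ipsec sa'."""
    local: str
    peer: str
    encaps: int = 0
    decaps: int = 0
    inbound_spi: int = 0
    outbound_spi: int = 0


# Constructed sample (hypothetical trimmed captures; values from the post).
SPOKE_OUTPUT = """
interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 41.195.37.191
   protected vrf: (none)
   current_peer 196.47.0.204 port 500
    #pkts encaps: 13410, #pkts encrypt: 13410, #pkts digest: 13410
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
     current outbound spi: 0xEE9B0E5D(4003139165)
     inbound esp sas:
      spi: 0x6E27D1C2(1848103362)
     outbound esp sas:
      spi: 0xEE9B0E5D(4003139165)
"""

HUB_OUTPUT = """
interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 196.47.0.204
   protected vrf: (none)
   current_peer 41.195.37.174 port 500
    #pkts encaps: 5764, #pkts encrypt: 5764, #pkts digest: 5764
    #pkts decaps: 3484, #pkts decrypt: 3484, #pkts verify: 3484
     current outbound spi: 0xD9D819B1(3654818225)
     inbound esp sas:
      spi: 0x8AD878CD(2329442509)
     outbound esp sas:
      spi: 0xD9D819B1(3654818225)
   protected vrf: (none)
   current_peer 41.195.37.191 port 500
    #pkts encaps: 153, #pkts encrypt: 153, #pkts digest: 153
    #pkts decaps: 80, #pkts decrypt: 80, #pkts verify: 80
     current outbound spi: 0x6E27D1C2(1848103362)
     inbound esp sas:
      spi: 0xEE9B0E5D(4003139165)
     outbound esp sas:
      spi: 0x6E27D1C2(1848103362)
"""


def parse_ipsec_sa(text):
    """Return {peer_ip: PeerSa} parsed from 'show crypto ipsec sa' output."""
    peers, local, cur, section = {}, None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.search(r"local addr (\S+)", line):
            local = m.group(1)
        elif m := re.match(r"current_peer (\S+)", line):
            cur = PeerSa(local=local, peer=m.group(1))
            peers[cur.peer] = cur
            section = None
        elif cur is None:
            continue
        elif m := re.match(r"#pkts encaps: (\d+)", line):
            cur.encaps = int(m.group(1))
        elif m := re.match(r"#pkts decaps: (\d+)", line):
            cur.decaps = int(m.group(1))
        elif line.startswith("inbound esp sas"):
            section = "in"
        elif line.startswith("outbound esp sas"):
            section = "out"
        elif (m := re.match(r"spi: (0x[0-9A-Fa-f]+)", line)) and section:
            spi = int(m.group(1), 16)  # first SPI listed in the section
            if section == "in" and not cur.inbound_spi:
                cur.inbound_spi = spi
            elif section == "out" and not cur.outbound_spi:
                cur.outbound_spi = spi
    return peers


def compare(a, b):
    """Cross-check one SA pair: a's view of b against b's view of a."""
    if a.peer != b.local or b.peer != a.local:
        raise ValueError("the two views do not describe the same SA pair")
    return {
        # each side's outbound SPI must be what the other side expects inbound
        "spi_consistent": a.outbound_spi == b.inbound_spi
        and b.outbound_spi == a.inbound_spi,
        # packets a encrypted that b never counted as decapsulated
        "a_to_b_missing": max(a.encaps - b.decaps, 0),
        "b_to_a_missing": max(b.encaps - a.decaps, 0),
    }


def findings(a, b):
    """Human-readable list of anomalies for one SA pair."""
    r, out = compare(a, b), []
    if not r["spi_consistent"]:
        out.append(f"SPI mismatch between {a.local} and {b.local}")
    for src, dst, key in ((a, b, "a_to_b_missing"), (b, a, "b_to_a_missing")):
        if r[key]:
            out.append(f"{src.local}->{dst.local}: {src.encaps} encapsulated, "
                       f"{dst.decaps} decapsulated ({r[key]} unaccounted for)")
    return out


if __name__ == "__main__":
    spoke = parse_ipsec_sa(SPOKE_OUTPUT)["196.47.0.204"]
    hub = parse_ipsec_sa(HUB_OUTPUT)["41.195.37.191"]
    for line in findings(spoke, hub):
        print(line)
```

On the post's numbers the SPIs line up in both directions (the spoke's inbound 0x6E27D1C2 is the hub's outbound, and vice versa), so the check isolates the real oddity: traffic is being encrypted at both ends but is not arriving as decapsulated packets at either, heavily so in the spoke-to-hub direction and completely in the hub-to-spoke direction.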
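The configurations above set ip mtu 1400 on Tunnel0 while the underlays are a 1492-byte PPPoE dialer on the spoke and a 1452-byte ip mtu on the hub's Virtual-PPP1, and the SA output shows tunnel-mode ESP with esp-aes esp-md5-hmac plus a GRE tunnel key. The calculator below is an added example, not part of the original post or any Cisco tool, that works out how large a full-size 1400-byte packet becomes on the wire after GRE and ESP encapsulation and the largest tunnel ip mtu that would still fit each underlay without fragmentation. The overhead figures (GRE 4 + 4 for the key, ESP header 8, AES-CBC IV 16 and 16-byte padding, 2-byte trailer, 12-byte truncated HMAC ICV, 20-byte IP header) are standard protocol sizes; the function and class names are this example's own. It does not claim fragmentation is the cause of the fault, only that the arithmetic is one thing worth checking alongside the counters.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Transform:
    """Sizes that an ESP transform adds (hypothetical helper type)."""
    name: str
    block: int  # cipher block size: AES-CBC 16, 3DES-CBC 8
    iv: int     # IV length: AES-CBC 16, 3DES-CBC 8
    icv: int    # truncated HMAC: 12 for esp-md5-hmac / esp-sha-hmac


ESP_AES_MD5 = Transform("esp-aes esp-md5-hmac", block=16, iv=16, icv=12)
ESP_3DES_MD5 = Transform("esp-3des esp-md5-hmac", block=8, iv=8, icv=12)

IP_HDR = 20      # IPv4 header without options
GRE_HDR = 4      # base GRE header
GRE_KEY = 4      # added by 'tunnel key'
ESP_HDR = 8      # SPI + sequence number
ESP_TRAILER = 2  # pad length + next header


def gre_packet_size(inner_ip_len, tunnel_key=True):
    """Outer IP + GRE (+ key) + the inner IP packet."""
    return IP_HDR + GRE_HDR + (GRE_KEY if tunnel_key else 0) + inner_ip_len


def esp_packet_size(plain_len, t, mode="tunnel"):
    """ESP packet size protecting a plain_len-byte IP packet.

    Tunnel mode protects the whole IP packet and adds a new outer header;
    transport mode protects only what follows the (reused) IP header.
    """
    protected = plain_len if mode == "tunnel" else plain_len - IP_HDR
    padded = math.ceil((protected + ESP_TRAILER) / t.block) * t.block
    return IP_HDR + ESP_HDR + t.iv + padded + t.icv


def wire_size(ip_mtu, t, mode="tunnel", tunnel_key=True):
    """Bytes on the underlay for a full-size ip_mtu packet sent into the tunnel."""
    return esp_packet_size(gre_packet_size(ip_mtu, tunnel_key), t, mode)


def max_inner_mtu(link_mtu, t, mode="tunnel", tunnel_key=True):
    """Largest tunnel 'ip mtu' whose encrypted form still fits link_mtu."""
    mtu = link_mtu
    while mtu > 0 and wire_size(mtu, t, mode, tunnel_key) > link_mtu:
        mtu -= 1
    return mtu


def mss_fits(adjust_mss, ip_mtu):
    """'ip tcp adjust-mss' must leave 20 B IP + 20 B TCP inside the ip mtu."""
    return adjust_mss + 40 <= ip_mtu


if __name__ == "__main__":
    tunnel_mtu = 1400
    for name, link in (("spoke Dialer1", 1492), ("hub Virtual-PPP1", 1452)):
        on_wire = wire_size(tunnel_mtu, ESP_AES_MD5)
        print(f"{name}: {tunnel_mtu}-byte tunnel packet -> {on_wire} bytes on a "
              f"{link}-byte link; fits: {on_wire <= link}; "
              f"largest non-fragmenting ip mtu: {max_inner_mtu(link, ESP_AES_MD5)}")
    print("adjust-mss 1360 fits ip mtu 1400:", mss_fits(1360, tunnel_mtu))
```

With the post's settings a 1400-byte tunnel packet comes out at 1496 bytes of AES tunnel-mode ESP, over both the 1492-byte dialer and the 1452-byte L2TP virtual interface, so full-size packets will be fragmented on both underlays; the small NHRP and EIGRP packets are not affected by this, which is why the calculator is a complement to, not a replacement for, the counter check. The same function shows that transport mode (the `mode` argument) saves the extra 20-byte header and brings the figure to 1480.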