[c-nsp] DMVPN breaks when IPSEC protection is applied to tunnels

Nic Tjirkalli nic.tjirkalli at za.verizonbusiness.com
Mon Aug 25 03:40:26 EDT 2008


howdy ho all,

thanx to those who sent through suggestions on how to get the IPSEC to
work
- the ideas were :- try mode transport
                  :- don't use a wildcard for the secret

so I changed the hub and spoke as follows :-
crypto ipsec transform-set 3DES_MD5 esp-aes esp-md5-hmac
  mode transport

crypto isakmp key CISCO address 41.195.37.0 255.255.255.0
crypto isakmp key CISCO address 196.47.0.204 255.255.255.0


also, same symptoms
- crypto comes up
- hub reports IPSEC encaps and decaps
- spoke sites report 0 decaps for IPSEC and no errors


any other ideas?

thanx

>
>
> howdy ho all,
>
> Was hoping I could use this forum to get some direction on resolving a
> strange issue I have with a DMVPN setup.
>
> All works 100% if I do not protect the tunnels with IPSEC. As soon as I 
> enable IPSEC the tunnels stop passing traffic.
>
>
> The setup :-
> ============
>
> All routers are CISCO 1841 platforms. The IOS image is :-
> C1841-ADVIPSERVICESK9-M
> c1841-advipservicesk9-mz.124-21.bin
>
>
> HUB Router
> ----------
> HUB router connects via ADSL (a PPPOE session over ethernet) and then fires 
> up an L2TP tunnel to obtain a static IP address.
>
> The IP address allocated to the L2TP interface is 196.47.0.204 (Virtual-PPP1)
> This IP address is the NHS. All connections to/from the hub
> use the address of 196.47.0.204.
>
> Tunnel interface on the hub router is 10.0.0.1
>
>
> Spoke Router
> ------------
> The spoke router (there are 2; I am just showing one) connects via ADSL
> (a PPPOE session over ethernet) and obtains a dynamic IP address. The spoke
> routers use Dialer1 as their interface into the NHRP cloud.
>
> NHRP comes up and if I do not use IPSEC encryption on the Tunnel interface
> i.e. do not add the command tunnel protection ipsec profile DMVPN
> on Tunnel0
>
> Tunnel interface on the hub router is 10.0.0.3
> all works perfectly.
>
>
> The Problem
> ===========
>
> When I enable IPSEC encryption on the tunnel interfaces on all routers
> then things break. I have tried with both 3DES and AES and same issue.
>
> All the crypto sessions seem correct - correct SAs come up. The dynamically 
> created crypto-maps seem correct.
>
> BUT, on the spoke routers, IPSEC reports that no packets are being
> de-encapsulated, but no errors are reported.
>
> nhrp-spoke-2#show crypto ipsec sa
>
> interface: Tunnel0
>   local  ident (addr/mask/prot/port): (41.195.37.191/255.255.255.255/47/0)
>   remote ident (addr/mask/prot/port): (196.47.0.204/255.255.255.255/47/0)
>   current_peer 196.47.0.204 port 500
>     PERMIT, flags={origin_is_acl,}
>    #pkts encaps: 13410, #pkts encrypt: 13410, #pkts digest: 13410
>    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
>    #pkts compressed: 0, #pkts decompressed: 0
>    #pkts not compressed: 0, #pkts compr. failed: 0
>    #pkts not decompressed: 0, #pkts decompress failed: 0
>    #send errors 3, #recv errors 0
>
>
> But on the HUB, all is well:
>   protected vrf: (none)
>   local  ident (addr/mask/prot/port): (196.47.0.204/255.255.255.255/47/0)
>   remote ident (addr/mask/prot/port): (41.195.37.191/255.255.255.255/47/0)
>   current_peer 41.195.37.191 port 500
>     PERMIT, flags={origin_is_acl,}
>    #pkts encaps: 153, #pkts encrypt: 153, #pkts digest: 153
>    #pkts decaps: 80, #pkts decrypt: 80, #pkts verify: 80
>    #pkts compressed: 0, #pkts decompressed: 0
>    #pkts not compressed: 0, #pkts compr. failed: 0
>    #pkts not decompressed: 0, #pkts decompress failed: 0
>    #send errors 1, #recv errors 0
>
>
> Any ideas/thoughts would be greatly appreciated.
>
> The configurations and some useful output are below:
>
>
>
> HUB Configuration
> =================
>
> hostname adsl-nhrp-hub
> !
> boot-start-marker
> boot-end-marker
> !
> logging buffered 4096 debugging
> !
> no aaa new-model
> ip cef
> !
> !
> !
> !
> no ip domain lookup
> ip auth-proxy max-nodata-conns 3
> ip admission max-nodata-conns 3
> vpdn enable
> !
> l2tp-class l2tpclass1
> authentication
> password 7 03070E0C2E572B6A1719
> !
> !
> !
> !
> !
> !
> pseudowire-class pwclass1
> encapsulation l2tpv2
> protocol l2tpv2 l2tpclass1
> ip local interface Dialer1
> !
> !
> !
> crypto isakmp policy 10
> encr aes
> hash md5
> authentication pre-share
> group 2
> crypto isakmp key XXXXX address 0.0.0.0 0.0.0.0
> !
> !
> crypto ipsec transform-set 3DES_MD5 esp-aes esp-md5-hmac
> !
> crypto ipsec profile DMVPN
> set transform-set 3DES_MD5
> !
> !
> !
> !
> interface Loopback0
> ip address 172.16.1.1 255.255.255.255
> !
> interface Tunnel0
> ip address 10.0.0.1 255.255.255.0
> no ip redirects
> ip mtu 1400
> no ip next-hop-self eigrp 1
> ip nhrp authentication xxxxxxxxxx
> ip nhrp map multicast dynamic
> ip nhrp network-id 1
> ip nhrp holdtime 60
> ip nhrp registration timeout 30
> ip tcp adjust-mss 1360
> no ip split-horizon eigrp 1
> tunnel source Virtual-PPP1
> tunnel mode gre multipoint
> tunnel key 1
> tunnel protection ipsec profile DMVPN
> !
> interface Null0
> no ip unreachables
> !
> interface FastEthernet0/0
> no ip address
> speed 100
> full-duplex
> pppoe enable group global
> pppoe-client dial-pool-number 1
> !
> interface FastEthernet0/1
> no ip address
> duplex auto
> speed auto
> !
> interface Virtual-PPP1
> ip address negotiated
> ip mtu 1452
> ip virtual-reassembly
> no logging event link-status
> no peer neighbor-route
> no cdp enable
> ppp chap hostname XXXXX
> ppp chap password 7 XXXXXX
> ppp pap sent-username XXXX password 7 XXXXX
> pseudowire 196.30.121.42 10 pw-class pwclass1
> !
> interface Dialer1
> mtu 1492
> ip address negotiated
> ip virtual-reassembly
> encapsulation ppp
> ip tcp adjust-mss 1452
> dialer pool 1
> dialer-group 1
> ppp chap hostname XXX
> ppp chap password 7 XXXX
> ppp pap sent-username XXXX password 7 XXXX
> !
> router eigrp 1
> redistribute connected route-map to-eigrp
> redistribute static
> passive-interface Dialer1
> network 10.0.0.0 0.0.0.255
> no auto-summary
> !
> no ip forward-protocol nd
> ip route 0.0.0.0 0.0.0.0 Virtual-PPP1
> ip route 196.30.121.42 255.255.255.255 Dialer1
> !
> !
> ip http server
> no ip http secure-server
> !
> !
> ip prefix-list local seq 5 permit 41.195.37.0/24 le 32
> ip prefix-list local seq 10 permit 196.47.0.0/16 le 32
> access-list 1 permit any
> access-list 2 deny   any
> access-list 3 permit 10.0.0.2
> access-list 3 permit 10.222.0.1
> access-list 3 permit 10.222.0.2
> access-list 3 permit 10.244.0.2
> no cdp run
> !
> route-map to-eigrp deny 10
> match ip address prefix-list local
> !
> route-map to-eigrp permit 1000
>
>
> adsl-nhrp-hub#show ip nhrp
> 10.0.0.2/32 via 10.0.0.2, Tunnel0 created 03:19:00, expire 00:00:57
>  Type: dynamic, Flags: authoritative unique registered used
>  NBMA address: 41.195.37.174
> 10.0.0.3/32 via 10.0.0.3, Tunnel0 created 00:04:56, expire 00:00:33
>  Type: dynamic, Flags: authoritative unique registered used
>  NBMA address: 41.195.37.191
>
> adsl-nhrp-hub#show crypto ipsec sa
>
> interface: Tunnel0
>    Crypto map tag: Tunnel0-head-0, local addr 196.47.0.204
>
>   protected vrf: (none)
>   local  ident (addr/mask/prot/port): (196.47.0.204/255.255.255.255/47/0)
>   remote ident (addr/mask/prot/port): (41.195.37.174/255.255.255.255/47/0)
>   current_peer 41.195.37.174 port 500
>     PERMIT, flags={origin_is_acl,}
>    #pkts encaps: 5764, #pkts encrypt: 5764, #pkts digest: 5764
>    #pkts decaps: 3484, #pkts decrypt: 3484, #pkts verify: 3484
>    #pkts compressed: 0, #pkts decompressed: 0
>    #pkts not compressed: 0, #pkts compr. failed: 0
>    #pkts not decompressed: 0, #pkts decompress failed: 0
>    #send errors 0, #recv errors 0
>
>     local crypto endpt.: 196.47.0.204, remote crypto endpt.: 41.195.37.174
>     path mtu 1452, ip mtu 1452, ip mtu idb Virtual-PPP1
>     current outbound spi: 0xD9D819B1(3654818225)
>
>     inbound esp sas:
>      spi: 0x8AD878CD(2329442509)
>        transform: esp-aes esp-md5-hmac ,
>        in use settings ={Tunnel, }
>        conn id: 3006, flow_id: FPGA:6, crypto map: Tunnel0-head-0
>        sa timing: remaining key lifetime (k/sec): (4437499/1923)
>        IV size: 16 bytes
>        replay detection support: Y
>        Status: ACTIVE
>
>     inbound ah sas:
>
>     inbound pcp sas:
>
>     outbound esp sas:
>      spi: 0xD9D819B1(3654818225)
>        transform: esp-aes esp-md5-hmac ,
>        in use settings ={Tunnel, }
>        conn id: 3005, flow_id: FPGA:5, crypto map: Tunnel0-head-0
>        sa timing: remaining key lifetime (k/sec): (4437454/1923)
>        IV size: 16 bytes
>        replay detection support: Y
>        Status: ACTIVE
>
>     outbound ah sas:
>
>     outbound pcp sas:
>
>   protected vrf: (none)
>   local  ident (addr/mask/prot/port): (196.47.0.204/255.255.255.255/47/0)
>   remote ident (addr/mask/prot/port): (41.195.37.191/255.255.255.255/47/0)
>   current_peer 41.195.37.191 port 500
>     PERMIT, flags={origin_is_acl,}
>    #pkts encaps: 153, #pkts encrypt: 153, #pkts digest: 153
>    #pkts decaps: 80, #pkts decrypt: 80, #pkts verify: 80
>    #pkts compressed: 0, #pkts decompressed: 0
>    #pkts not compressed: 0, #pkts compr. failed: 0
>    #pkts not decompressed: 0, #pkts decompress failed: 0
>    #send errors 1, #recv errors 0
>
>     local crypto endpt.: 196.47.0.204, remote crypto endpt.: 41.195.37.191
>     path mtu 1452, ip mtu 1452, ip mtu idb Virtual-PPP1
>     current outbound spi: 0x6E27D1C2(1848103362)
>
>     inbound esp sas:
>      spi: 0xEE9B0E5D(4003139165)
>        transform: esp-aes esp-md5-hmac ,
>        in use settings ={Tunnel, }
>        conn id: 3004, flow_id: FPGA:4, crypto map: Tunnel0-head-0
>        sa timing: remaining key lifetime (k/sec): (4478781/3289)
>        IV size: 16 bytes
>        replay detection support: Y
>        Status: ACTIVE
>
>     inbound ah sas:
>
>     inbound pcp sas:
>
>     outbound esp sas:
>      spi: 0x6E27D1C2(1848103362)
>        transform: esp-aes esp-md5-hmac ,
>        in use settings ={Tunnel, }
>        conn id: 3003, flow_id: FPGA:3, crypto map: Tunnel0-head-0
>        sa timing: remaining key lifetime (k/sec): (4478771/3289)
>        IV size: 16 bytes
>        replay detection support: Y
>        Status: ACTIVE
>
>     outbound ah sas:
>
>     outbound pcp sas:
>
> adsl-nhrp-hub#show crypto map
> Crypto Map "Tunnel0-head-0" 65536 ipsec-isakmp
>        Profile name: DMVPN
>        Security association lifetime: 4608000 kilobytes/3600 seconds
>        PFS (Y/N): N
>        Transform sets={
>                3DES_MD5,
>        }
>
> Crypto Map "Tunnel0-head-0" 65540 ipsec-isakmp
>        Map is a PROFILE INSTANCE.
>        Peer = 41.195.37.174
>        Extended IP access list
>            access-list  permit gre host 196.47.0.204 host 41.195.37.174
>        Current peer: 41.195.37.174
>        Security association lifetime: 4608000 kilobytes/3600 seconds
>        PFS (Y/N): N
>        Transform sets={
>                3DES_MD5,
>        }
>
> Crypto Map "Tunnel0-head-0" 65541 ipsec-isakmp
>        Map is a PROFILE INSTANCE.
>        Peer = 41.195.37.191
>        Extended IP access list
>            access-list  permit gre host 196.47.0.204 host 41.195.37.191
>        Current peer: 41.195.37.191
>        Security association lifetime: 4608000 kilobytes/3600 seconds
>        PFS (Y/N): N
>        Transform sets={
>                3DES_MD5,
>        }
>        Interfaces using crypto map Tunnel0-head-0:
>                Tunnel0
>
> adsl-nhrp-hub#show crypto engine connections active
>
>  ID Interface            IP-Address      State  Algorithm           Encrypt Decrypt
>  16 Virtual-PPP1         196.47.0.204    set    HMAC_MD5+AES_CBC          0       0
>  18 Tunnel0              10.0.0.1        set    HMAC_MD5+AES_CBC          0       0
> 3003 Tunnel0              196.47.0.204    set    AES+MD5                 169       0
> 3004 Tunnel0              196.47.0.204    set    AES+MD5                   0       8
> 3005 Virtual-PPP1         196.47.0.204    set    AES+MD5                 818       0
> 3006 Virtual-PPP1         196.47.0.204    set    AES+MD5                   0       1
>
>
> Spoke Configuration
> ===================
>
> ip cef
> !
> no ip domain lookup
> ip auth-proxy max-nodata-conns 3
> ip admission max-nodata-conns 3
> vpdn enable
> !
> l2tp-class l2tpclass1
> authentication
> password 7 xxxx
> !
> !
> pseudowire-class pwclass1
> encapsulation l2tpv2
> protocol l2tpv2 l2tpclass1
> ip local interface Dialer1
> !
> !
> crypto isakmp policy 10
> encr aes
> hash md5
> authentication pre-share
> group 2
> crypto isakmp key XXXXX address 0.0.0.0 0.0.0.0
> !
> !
> crypto ipsec transform-set 3DES_MD5 esp-aes esp-md5-hmac
> !
> crypto ipsec profile DMVPN
> set transform-set 3DES_MD5
> !
> !
> !
> !
> interface Loopback0
> ip address 172.16.1.3 255.255.255.255
> !
> interface Tunnel0
> ip address 10.0.0.3 255.255.255.0
> no ip redirects
> ip mtu 1400
> ip nhrp authentication xxxxxxxxxx
> ip nhrp map 10.0.0.1 196.47.0.204
> ip nhrp map multicast 196.47.0.204
> ip nhrp network-id 1
> ip nhrp holdtime 60
> ip nhrp nhs 10.0.0.1
> ip nhrp registration timeout 30
> ip tcp adjust-mss 1360
> tunnel source Dialer1
> tunnel mode gre multipoint
> tunnel key 1
> tunnel protection ipsec profile DMVPN
> !
> interface FastEthernet0/0
> ip address dhcp
> speed 100
> full-duplex
> pppoe enable group global
> pppoe-client dial-pool-number 1
> !
> interface FastEthernet0/1
> ip address 10.222.0.1 255.255.255.0
> speed 100
> full-duplex
> !
> !
> interface Dialer1
> mtu 1492
> ip address negotiated
> ip virtual-reassembly
> encapsulation ppp
> ip tcp adjust-mss 1452
> dialer pool 1
> ppp chap hostname XXXX
> ppp chap password 0 XXXX
> ppp pap sent-username XXXX password 0 XXXXX
> !
> router eigrp 1
> redistribute connected route-map to-eigrp
> redistribute static
> passive-interface FastEthernet0/1
> passive-interface Dialer1
> network 10.0.0.0 0.0.0.255
> no auto-summary
> eigrp stub connected
> !
> ip forward-protocol nd
> ip route 0.0.0.0 0.0.0.0 Dialer1
> !
> !
> ip http server
> no ip http secure-server
> !
> !
> ip prefix-list local seq 5 permit 41.195.37.0/24 le 32
> access-list 1 permit any
> access-list 2 deny   any
> access-list 3 permit 10.222.0.1
> access-list 3 permit 10.222.0.2
> access-list 3 permit 10.244.0.2
> access-list 3 permit 10.244.0.1
> !
> route-map clear-df permit 10
> set ip df 0
> !
> route-map to-eigrp deny 10
> match ip address prefix-list local
> !
> route-map to-eigrp permit 1000
>
>
> Some Debugs
> ===========
>
> nhrp-spoke-2#show ip nhrp
> 10.0.0.1/32 via 10.0.0.1, Tunnel0 created 23:59:15, never expire
>  Type: static, Flags: authoritative used
>  NBMA address: 196.47.0.204
>
>
> nhrp-spoke-2#show crypto ipsec sa
>
> interface: Tunnel0
>    Crypto map tag: Tunnel0-head-0, local addr 41.195.37.191
>
>   protected vrf: (none)
>   local  ident (addr/mask/prot/port): (41.195.37.191/255.255.255.255/47/0)
>   remote ident (addr/mask/prot/port): (196.47.0.204/255.255.255.255/47/0)
>   current_peer 196.47.0.204 port 500
>     PERMIT, flags={origin_is_acl,}
>    #pkts encaps: 13410, #pkts encrypt: 13410, #pkts digest: 13410
>    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
>    #pkts compressed: 0, #pkts decompressed: 0
>    #pkts not compressed: 0, #pkts compr. failed: 0
>    #pkts not decompressed: 0, #pkts decompress failed: 0
>    #send errors 3, #recv errors 0
>
>     local crypto endpt.: 41.195.37.191, remote crypto endpt.: 196.47.0.204
>     path mtu 1492, ip mtu 1492, ip mtu idb Dialer1
>     current outbound spi: 0xEE9B0E5D(4003139165)
>
>     inbound esp sas:
>      spi: 0x6E27D1C2(1848103362)
>        transform: esp-aes esp-md5-hmac ,
>        in use settings ={Tunnel, }
>        conn id: 3004, flow_id: FPGA:4, crypto map: Tunnel0-head-0
>        sa timing: remaining key lifetime (k/sec): (4530791/3584)
>        IV size: 16 bytes
>        replay detection support: Y
>        Status: ACTIVE
>
>     inbound ah sas:
>
>     inbound pcp sas:
>
>     outbound esp sas:
>      spi: 0xEE9B0E5D(4003139165)
>        transform: esp-aes esp-md5-hmac ,
>        in use settings ={Tunnel, }
>        conn id: 3003, flow_id: FPGA:3, crypto map: Tunnel0-head-0
>        sa timing: remaining key lifetime (k/sec): (4530789/3584)
>        IV size: 16 bytes
>        replay detection support: Y
>        Status: ACTIVE
>
>     outbound ah sas:
>
>     outbound pcp sas:
>
> nhrp-spoke-2#show crypto engine connections active
>
>  ID Interface            IP-Address      State  Algorithm           Encrypt Decrypt
>  13 Dialer1              41.195.37.191   set    HMAC_MD5+AES_CBC          0       0
>  14 Dialer1              41.195.37.191   set    HMAC_MD5+AES_CBC          0       0
> 3003 Dialer1              41.195.37.191   set    AES+MD5                  15       0
> 3004 Dialer1              41.195.37.191   set    AES+MD5                   0       0
>
> nhrp-spoke-2#show crypto map
> Crypto Map "Tunnel0-head-0" 65536 ipsec-isakmp
>        Profile name: DMVPN
>        Security association lifetime: 4608000 kilobytes/3600 seconds
>        PFS (Y/N): N
>        Transform sets={
>                3DES_MD5,
>        }
>
> Crypto Map "Tunnel0-head-0" 65537 ipsec-isakmp
>        Map is a PROFILE INSTANCE.
>        Peer = 196.47.0.204
>        Extended IP access list
>            access-list  permit gre host 41.195.37.191 host 196.47.0.204
>        Current peer: 196.47.0.204
>        Security association lifetime: 4608000 kilobytes/3600 seconds
>        PFS (Y/N): N
>        Transform sets={
>                3DES_MD5,
>        }
>        Interfaces using crypto map Tunnel0-head-0:
>                Tunnel0
>
>
> ---------------------------------------------------------------------
> A feature is a bug with seniority.
>
> Nic Tjirkalli
> Verizon Business South Africa
> Network Strategy Team
>
> Verizon Business is a brand of Verizon South Africa (Pty) Ltd. This e-mail
> is strictly confidential and intended only for use by the addressee unless
> otherwise indicated.
>
> Company Information: http://www.verizonbusiness.com/za/contact/legal/
>
>
>


---------------------------------------------------------------------
Some days you're the pigeon, and some days you're the statue.

Nic Tjirkalli
Verizon Business South Africa
Network Strategy Team




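Added example, not from the thread and not Cisco tooling: a Python script that parses the `show crypto ipsec sa` output quoted above from both routers and cross-checks the two views. It pairs each SA with its mirror on the other router, checks that each side's inbound SPI is the other side's outbound SPI, compares the negotiated mode (Tunnel versus Transport), and flags any direction in which the sender counts ESP encaps while the receiver counts zero decaps. The sample text embedded in the script is the thread's own spoke and hub output for peer 41.195.37.191, trimmed to the lines the parser reads. On those numbers it reports the asymmetry Nic describes, the hub's 153 encaps against the spoke's 0 decaps with both SPIs agreeing, which points at the hub's ESP being lost in transit or dropped at the spoke before IPsec rather than at a mismatched SA.

```python
# Added example (not Cisco tooling): cross-check `show crypto ipsec sa` output from both ends of a DMVPN tunnel.
# The two sample strings are the thread's quoted spoke and hub output, trimmed to the lines the parser reads.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SPOKE_OUTPUT = """\
  local  ident (addr/mask/prot/port): (41.195.37.191/255.255.255.255/47/0)
  remote ident (addr/mask/prot/port): (196.47.0.204/255.255.255.255/47/0)
   #pkts encaps: 13410, #pkts encrypt: 13410, #pkts digest: 13410
   #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
   #send errors 3, #recv errors 0
    inbound esp sas:
     spi: 0x6E27D1C2(1848103362)
       in use settings ={Tunnel, }
    outbound esp sas:
     spi: 0xEE9B0E5D(4003139165)
       in use settings ={Tunnel, }
"""
HUB_OUTPUT = """\
  local  ident (addr/mask/prot/port): (196.47.0.204/255.255.255.255/47/0)
  remote ident (addr/mask/prot/port): (41.195.37.191/255.255.255.255/47/0)
   #pkts encaps: 153, #pkts encrypt: 153, #pkts digest: 153
   #pkts decaps: 80, #pkts decrypt: 80, #pkts verify: 80
   #send errors 1, #recv errors 0
    inbound esp sas:
     spi: 0xEE9B0E5D(4003139165)
       in use settings ={Tunnel, }
    outbound esp sas:
     spi: 0x6E27D1C2(1848103362)
       in use settings ={Tunnel, }
"""

@dataclass
class SaCounters:
    local: str                      # this router's crypto endpoint (its NBMA address)
    remote: str = ""                # the peer's crypto endpoint
    encaps: int = 0                 # ESP packets built for the peer
    decaps: int = 0                 # ESP packets from the peer successfully unwrapped
    send_errors: int = 0
    inbound_spi: Optional[str] = None
    outbound_spi: Optional[str] = None
    mode: Optional[str] = None      # "Tunnel" or "Transport", as negotiated

_IDENT = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \((\S+?)/")
_PKTS = re.compile(r"#pkts (encaps|decaps): (\d+)")
_ERRS = re.compile(r"#send errors (\d+)")
_SPI = re.compile(r"spi: (0x[0-9A-Fa-f]+)")   # anchored at line start, so "current outbound spi:" is skipped
_MODE = re.compile(r"in use settings =\{(\w+)")

def parse_ipsec_sa(text: str) -> List[SaCounters]:
    """One SaCounters per 'local ident' block, with the SPI of each direction."""
    entries: List[SaCounters] = []
    cur, direction = SaCounters(local=""), None   # placeholder until the first 'local ident' line
    for raw in text.splitlines():
        line = raw.strip()
        m = _IDENT.match(line)
        if m and m.group(1) == "local":
            cur, direction = SaCounters(local=m.group(2)), None
            entries.append(cur)
        elif m:                                   # remote ident
            cur.remote = m.group(2)
        elif line.endswith("esp sas:"):           # "inbound esp sas:" / "outbound esp sas:"
            direction = line.split()[0]
        elif line.endswith(("ah sas:", "pcp sas:")):
            direction = None
        elif (m := _PKTS.match(line)):
            setattr(cur, m.group(1), int(m.group(2)))
        elif (m := _ERRS.match(line)):
            cur.send_errors = int(m.group(1))
        elif direction and (m := _SPI.match(line)):
            setattr(cur, f"{direction}_spi", m.group(1))
        elif direction and cur.mode is None and (m := _MODE.match(line)):
            cur.mode = m.group(1)
    return entries

def diagnose(side_a: List[SaCounters], side_b: List[SaCounters]) -> List[Tuple[str, str]]:
    """Pair each SA on side A with its mirror on side B and report inconsistencies."""
    findings: List[Tuple[str, str]] = []
    mirror: Dict[Tuple[str, str], SaCounters] = {(e.local, e.remote): e for e in side_b}
    for a in side_a:
        b = mirror.get((a.remote, a.local))
        if b is None:
            findings.append(("UNMATCHED", f"{a.local}->{a.remote}: peer output shows no SA for this pair"))
            continue
        if a.inbound_spi != b.outbound_spi or a.outbound_spi != b.inbound_spi:
            findings.append(("SPI_MISMATCH", f"{a.local}<->{b.local}: SPIs disagree (stale or duplicate SA)"))
        if a.mode != b.mode:
            findings.append(("MODE_MISMATCH", f"{a.local}<->{b.local}: {a.mode} vs {b.mode}"))
        for tx, rx in ((a, b), (b, a)):           # check each direction of the pair separately
            if tx.encaps > 0 and rx.decaps == 0:
                findings.append(("BLACKHOLE", f"{tx.local} encapsulated {tx.encaps} ESP packets for {rx.local}, which decapsulated none"))
        for side in (a, b):
            if side.send_errors:
                findings.append(("ERRORS", f"{side.local}: {side.send_errors} send errors"))
    return findings

if __name__ == "__main__":
    print(*diagnose(parse_ipsec_sa(SPOKE_OUTPUT), parse_ipsec_sa(HUB_OUTPUT)), sep="\n")
```

Run it as-is to see the findings for the quoted output, or paste fresh `show crypto ipsec sa` output from each router into the two strings. Matching is on the (local, remote) endpoint pair, so hub output that lists several spokes is fine; call `diagnose` with the hub's list first to have every hub SA that has no corresponding spoke output reported as UNMATCHED.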