[c-nsp] DMVPN breaks when IPSEC protection is applied to tunnels
Luan M Nguyen
luan at t3technology.com
Mon Aug 25 11:19:20 EDT 2008
Maybe try putting in an ACL, or you could use NetFlow for this as well...
ip access-list extended check_packets_in
permit esp any any
permit udp any eq isakmp any eq isakmp
permit ip any any
interface dialer 1
ip access-group check_packets_in in
to see if ESP is coming in to your spoke router.
-Luan
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Nic Tjirkalli
Sent: Monday, August 25, 2008 3:40 AM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] DMVPN breaks when IPSEC protection is applied to tunnels
howdy ho all,
thanks to those who sent through suggestions on how to get the IPSEC to work
- the ideas were :- try mode transport
:- don't use a wildcard for the secret
so i changed the hub and spoke as follows :-
crypto ipsec transform-set 3DES_MD5 esp-aes esp-md5-hmac
mode transport
crypto isakmp key CISCO address 41.195.37.0 255.255.255.0
crypto isakmp key CISCO address 196.47.0.204 255.255.255.0
also same symptoms
- crypto comes up
- hub reports IPSEC encaps and decaps
- spoke sites report 0 decaps for IPSEC and no errors
any other ideas?
thanx
>
>
> howdy ho all,
>
> Was hoping I could use this forum to get some direction on resolving a
> strange issue I have with a DMVPN setup.
>
> All works 100% if I do not protect the tunnels with IPSEC. As soon as I
> enable IPSEC the tunnels stop passing traffic.
>
>
> The setup :-
> ============
>
> All routers are CISCO 1841 platforms. the IOS image is :-
> C1841-ADVIPSERVICESK9-M
> c1841-advipservicesk9-mz.124-21.bin
>
>
> HUB Router
> ----------
> HUB router connects via ADSL (a PPPOE session over ethernet) and then fires
> up an L2TP tunnel to obtain a static IP address.
>
> The IP address allocated to the L2TP interface is 196.47.0.204 (Virtual-PPP1)
> This IP address is the NHS. All connections to/from the hub
> use the address of 196.47.0.204.
>
> Tunnel interface on the hub router is 10.0.0.1
>
>
> Spoke Router
> ------------
> the Spoke router (there are 2 I am just showing one) connects via ADSL
> (a PPPOE session over ethernet) and obtains a dynamic IP address. the spoke
> routers use Dialer1 as their interface into the NHRP cloud.
>
> NHRP comes up and if I do not use IPSEC encryption on the Tunnel interface
> ie do not add the command tunnel protection ipsec profile DMVPN
> on Tunnel0
>
> Tunnel interface on the hub router is 10.0.0.3
> all works perfectly.
>
>
> The Problem
> ===========
>
> When I enable IPSEC encryption on the tunnel interfaces on all routers
> then things break. I have tried with both 3DES and AES and same issue.
>
> All the crypto sessions seem correct - correct SAs come up. The dynamically
> created crypto-maps seem correct.
>
> BUT. on the spoke routers, IPSEC reports that no packets are being
> de-encapsulated but no errors are reported.
>
> nhrp-spoke-2#show crypto ipsec sa
>
> interface: Tunnel0
> local ident (addr/mask/prot/port): (41.195.37.191/255.255.255.255/47/0)
> remote ident (addr/mask/prot/port): (196.47.0.204/255.255.255.255/47/0)
> current_peer 196.47.0.204 port 500
> PERMIT, flags={origin_is_acl,}
> #pkts encaps: 13410, #pkts encrypt: 13410, #pkts digest: 13410
> #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
> #pkts compressed: 0, #pkts decompressed: 0
> #pkts not compressed: 0, #pkts compr. failed: 0
> #pkts not decompressed: 0, #pkts decompress failed: 0
> #send errors 3, #recv errors 0
>
>
> But on the HUB. all is well
> protected vrf: (none)
> local ident (addr/mask/prot/port): (196.47.0.204/255.255.255.255/47/0)
> remote ident (addr/mask/prot/port): (41.195.37.191/255.255.255.255/47/0)
> current_peer 41.195.37.191 port 500
> PERMIT, flags={origin_is_acl,}
> #pkts encaps: 153, #pkts encrypt: 153, #pkts digest: 153
> #pkts decaps: 80, #pkts decrypt: 80, #pkts verify: 80
> #pkts compressed: 0, #pkts decompressed: 0
> #pkts not compressed: 0, #pkts compr. failed: 0
> #pkts not decompressed: 0, #pkts decompress failed: 0
> #send errors 1, #recv errors 0
>
>
> Any ideas/thoughts would be greatly appreciated.
>
> The configuration's and some useful output are below
>
>
>
> HUB Configuration
> =================
>
> hostname adsl-nhrp-hub
> !
> boot-start-marker
> boot-end-marker
> !
> logging buffered 4096 debugging
> !
> no aaa new-model
> ip cef
> !
> !
> !
> !
> no ip domain lookup
> ip auth-proxy max-nodata-conns 3
> ip admission max-nodata-conns 3
> vpdn enable
> !
> l2tp-class l2tpclass1
> authentication
> password 7 03070E0C2E572B6A1719
> !
> !
> !
> !
> !
> !
> pseudowire-class pwclass1
> encapsulation l2tpv2
> protocol l2tpv2 l2tpclass1
> ip local interface Dialer1
> !
> !
> !
> crypto isakmp policy 10
> encr aes
> hash md5
> authentication pre-share
> group 2
> crypto isakmp key XXXXX address 0.0.0.0 0.0.0.0
> !
> !
> crypto ipsec transform-set 3DES_MD5 esp-aes esp-md5-hmac
> !
> crypto ipsec profile DMVPN
> set transform-set 3DES_MD5
> !
> !
> !
> !
> interface Loopback0
> ip address 172.16.1.1 255.255.255.255
> !
> interface Tunnel0
> ip address 10.0.0.1 255.255.255.0
> no ip redirects
> ip mtu 1400
> no ip next-hop-self eigrp 1
> ip nhrp authentication xxxxxxxxxx
> ip nhrp map multicast dynamic
> ip nhrp network-id 1
> ip nhrp holdtime 60
> ip nhrp registration timeout 30
> ip tcp adjust-mss 1360
> no ip split-horizon eigrp 1
> tunnel source Virtual-PPP1
> tunnel mode gre multipoint
> tunnel key 1
> tunnel protection ipsec profile DMVPN
> !
> interface Null0
> no ip unreachables
> !
> interface FastEthernet0/0
> no ip address
> speed 100
> full-duplex
> pppoe enable group global
> pppoe-client dial-pool-number 1
> !
> interface FastEthernet0/1
> no ip address
> duplex auto
> speed auto
> !
> interface Virtual-PPP1
> ip address negotiated
> ip mtu 1452
> ip virtual-reassembly
> no logging event link-status
> no peer neighbor-route
> no cdp enable
> ppp chap hostname XXXXX
> ppp chap password 7 XXXXXX
> ppp pap sent-username XXXX password 7 XXXXX
> pseudowire 196.30.121.42 10 pw-class pwclass1
> !
> interface Dialer1
> mtu 1492
> ip address negotiated
> ip virtual-reassembly
> encapsulation ppp
> ip tcp adjust-mss 1452
> dialer pool 1
> dialer-group 1
> ppp chap hostname XXX
> ppp chap password 7 XXXX
> ppp pap sent-username XXXX password 7 XXXX
> !
> router eigrp 1
> redistribute connected route-map to-eigrp
> redistribute static
> passive-interface Dialer1
> network 10.0.0.0 0.0.0.255
> no auto-summary
> !
> no ip forward-protocol nd
> ip route 0.0.0.0 0.0.0.0 Virtual-PPP1
> ip route 196.30.121.42 255.255.255.255 Dialer1
> !
> !
> ip http server
> no ip http secure-server
> !
> !
> ip prefix-list local seq 5 permit 41.195.37.0/24 le 32
> ip prefix-list local seq 10 permit 196.47.0.0/16 le 32
> access-list 1 permit any
> access-list 2 deny any
> access-list 3 permit 10.0.0.2
> access-list 3 permit 10.222.0.1
> access-list 3 permit 10.222.0.2
> access-list 3 permit 10.244.0.2
> no cdp run
> !
> route-map to-eigrp deny 10
> match ip address prefix-list local
> !
> route-map to-eigrp permit 1000
>
>
> adsl-nhrp-hub#show ip nhrp
> 10.0.0.2/32 via 10.0.0.2, Tunnel0 created 03:19:00, expire 00:00:57
> Type: dynamic, Flags: authoritative unique registered used
> NBMA address: 41.195.37.174
> 10.0.0.3/32 via 10.0.0.3, Tunnel0 created 00:04:56, expire 00:00:33
> Type: dynamic, Flags: authoritative unique registered used
> NBMA address: 41.195.37.191
>
> adsl-nhrp-hub#show crypto ipsec sa
>
> interface: Tunnel0
> Crypto map tag: Tunnel0-head-0, local addr 196.47.0.204
>
> protected vrf: (none)
> local ident (addr/mask/prot/port): (196.47.0.204/255.255.255.255/47/0)
> remote ident (addr/mask/prot/port): (41.195.37.174/255.255.255.255/47/0)
> current_peer 41.195.37.174 port 500
> PERMIT, flags={origin_is_acl,}
> #pkts encaps: 5764, #pkts encrypt: 5764, #pkts digest: 5764
> #pkts decaps: 3484, #pkts decrypt: 3484, #pkts verify: 3484
> #pkts compressed: 0, #pkts decompressed: 0
> #pkts not compressed: 0, #pkts compr. failed: 0
> #pkts not decompressed: 0, #pkts decompress failed: 0
> #send errors 0, #recv errors 0
>
> local crypto endpt.: 196.47.0.204, remote crypto endpt.: 41.195.37.174
> path mtu 1452, ip mtu 1452, ip mtu idb Virtual-PPP1
> current outbound spi: 0xD9D819B1(3654818225)
>
> inbound esp sas:
> spi: 0x8AD878CD(2329442509)
> transform: esp-aes esp-md5-hmac ,
> in use settings ={Tunnel, }
> conn id: 3006, flow_id: FPGA:6, crypto map: Tunnel0-head-0
> sa timing: remaining key lifetime (k/sec): (4437499/1923)
> IV size: 16 bytes
> replay detection support: Y
> Status: ACTIVE
>
> inbound ah sas:
>
> inbound pcp sas:
>
> outbound esp sas:
> spi: 0xD9D819B1(3654818225)
> transform: esp-aes esp-md5-hmac ,
> in use settings ={Tunnel, }
> conn id: 3005, flow_id: FPGA:5, crypto map: Tunnel0-head-0
> sa timing: remaining key lifetime (k/sec): (4437454/1923)
> IV size: 16 bytes
> replay detection support: Y
> Status: ACTIVE
>
> outbound ah sas:
>
> outbound pcp sas:
>
> protected vrf: (none)
> local ident (addr/mask/prot/port): (196.47.0.204/255.255.255.255/47/0)
> remote ident (addr/mask/prot/port): (41.195.37.191/255.255.255.255/47/0)
> current_peer 41.195.37.191 port 500
> PERMIT, flags={origin_is_acl,}
> #pkts encaps: 153, #pkts encrypt: 153, #pkts digest: 153
> #pkts decaps: 80, #pkts decrypt: 80, #pkts verify: 80
> #pkts compressed: 0, #pkts decompressed: 0
> #pkts not compressed: 0, #pkts compr. failed: 0
> #pkts not decompressed: 0, #pkts decompress failed: 0
> #send errors 1, #recv errors 0
>
> local crypto endpt.: 196.47.0.204, remote crypto endpt.: 41.195.37.191
> path mtu 1452, ip mtu 1452, ip mtu idb Virtual-PPP1
> current outbound spi: 0x6E27D1C2(1848103362)
>
> inbound esp sas:
> spi: 0xEE9B0E5D(4003139165)
> transform: esp-aes esp-md5-hmac ,
> in use settings ={Tunnel, }
> conn id: 3004, flow_id: FPGA:4, crypto map: Tunnel0-head-0
> sa timing: remaining key lifetime (k/sec): (4478781/3289)
> IV size: 16 bytes
> replay detection support: Y
> Status: ACTIVE
>
> inbound ah sas:
>
> inbound pcp sas:
>
> outbound esp sas:
> spi: 0x6E27D1C2(1848103362)
> transform: esp-aes esp-md5-hmac ,
> in use settings ={Tunnel, }
> conn id: 3003, flow_id: FPGA:3, crypto map: Tunnel0-head-0
> sa timing: remaining key lifetime (k/sec): (4478771/3289)
> IV size: 16 bytes
> replay detection support: Y
> Status: ACTIVE
>
> outbound ah sas:
>
> outbound pcp sas:
>
> adsl-nhrp-hub#show crypto map
> Crypto Map "Tunnel0-head-0" 65536 ipsec-isakmp
> Profile name: DMVPN
> Security association lifetime: 4608000 kilobytes/3600 seconds
> PFS (Y/N): N
> Transform sets={
> 3DES_MD5,
> }
>
> Crypto Map "Tunnel0-head-0" 65540 ipsec-isakmp
> Map is a PROFILE INSTANCE.
> Peer = 41.195.37.174
> Extended IP access list
> access-list permit gre host 196.47.0.204 host 41.195.37.174
> Current peer: 41.195.37.174
> Security association lifetime: 4608000 kilobytes/3600 seconds
> PFS (Y/N): N
> Transform sets={
> 3DES_MD5,
> }
>
> Crypto Map "Tunnel0-head-0" 65541 ipsec-isakmp
> Map is a PROFILE INSTANCE.
> Peer = 41.195.37.191
> Extended IP access list
> access-list permit gre host 196.47.0.204 host 41.195.37.191
> Current peer: 41.195.37.191
> Security association lifetime: 4608000 kilobytes/3600 seconds
> PFS (Y/N): N
> Transform sets={
> 3DES_MD5,
> }
> Interfaces using crypto map Tunnel0-head-0:
> Tunnel0
>
> adsl-nhrp-hub#show crypto engine connections active
>
> ID    Interface     IP-Address     State  Algorithm          Encrypt  Decrypt
> 16    Virtual-PPP1  196.47.0.204   set    HMAC_MD5+AES_CBC         0        0
> 18    Tunnel0       10.0.0.1       set    HMAC_MD5+AES_CBC         0        0
> 3003  Tunnel0       196.47.0.204   set    AES+MD5                169        0
> 3004  Tunnel0       196.47.0.204   set    AES+MD5                  0        8
> 3005  Virtual-PPP1  196.47.0.204   set    AES+MD5                818        0
> 3006  Virtual-PPP1  196.47.0.204   set    AES+MD5                  0        1
>
>
> Spoke Configuration
> ===================
>
> ip cef
> !
> no ip domain lookup
> ip auth-proxy max-nodata-conns 3
> ip admission max-nodata-conns 3
> vpdn enable
> !
> l2tp-class l2tpclass1
> authentication
> password 7 xxxx
> !
> !
> pseudowire-class pwclass1
> encapsulation l2tpv2
> protocol l2tpv2 l2tpclass1
> ip local interface Dialer1
> !
> !
> crypto isakmp policy 10
> encr aes
> hash md5
> authentication pre-share
> group 2
> crypto isakmp key XXXXX address 0.0.0.0 0.0.0.0
> !
> !
> crypto ipsec transform-set 3DES_MD5 esp-aes esp-md5-hmac
> !
> crypto ipsec profile DMVPN
> set transform-set 3DES_MD5
> !
> !
> !
> !
> interface Loopback0
> ip address 172.16.1.3 255.255.255.255
> !
> interface Tunnel0
> ip address 10.0.0.3 255.255.255.0
> no ip redirects
> ip mtu 1400
> ip nhrp authentication xxxxxxxxxx
> ip nhrp map 10.0.0.1 196.47.0.204
> ip nhrp map multicast 196.47.0.204
> ip nhrp network-id 1
> ip nhrp holdtime 60
> ip nhrp nhs 10.0.0.1
> ip nhrp registration timeout 30
> ip tcp adjust-mss 1360
> tunnel source Dialer1
> tunnel mode gre multipoint
> tunnel key 1
> tunnel protection ipsec profile DMVPN
> !
> interface FastEthernet0/0
> ip address dhcp
> speed 100
> full-duplex
> pppoe enable group global
> pppoe-client dial-pool-number 1
> !
> interface FastEthernet0/1
> ip address 10.222.0.1 255.255.255.0
> speed 100
> full-duplex
> !
> !
> interface Dialer1
> mtu 1492
> ip address negotiated
> ip virtual-reassembly
> encapsulation ppp
> ip tcp adjust-mss 1452
> dialer pool 1
> ppp chap hostname XXXX
> ppp chap password 0 XXXX
> ppp pap sent-username XXXX password 0 XXXXX
> !
> router eigrp 1
> redistribute connected route-map to-eigrp
> redistribute static
> passive-interface FastEthernet0/1
> passive-interface Dialer1
> network 10.0.0.0 0.0.0.255
> no auto-summary
> eigrp stub connected
> !
> ip forward-protocol nd
> ip route 0.0.0.0 0.0.0.0 Dialer1
> !
> !
> ip http server
> no ip http secure-server
> !
> !
> ip prefix-list local seq 5 permit 41.195.37.0/24 le 32
> access-list 1 permit any
> access-list 2 deny any
> access-list 3 permit 10.222.0.1
> access-list 3 permit 10.222.0.2
> access-list 3 permit 10.244.0.2
> access-list 3 permit 10.244.0.1
> !
> route-map clear-df permit 10
> set ip df 0
> !
> route-map to-eigrp deny 10
> match ip address prefix-list local
> !
> route-map to-eigrp permit 1000
>
>
> Some Debugs
> ===========
>
> nhrp-spoke-2#show ip nhrp
> 10.0.0.1/32 via 10.0.0.1, Tunnel0 created 23:59:15, never expire
> Type: static, Flags: authoritative used
> NBMA address: 196.47.0.204
>
>
> nhrp-spoke-2#show crypto ipsec sa
>
> interface: Tunnel0
> Crypto map tag: Tunnel0-head-0, local addr 41.195.37.191
>
> protected vrf: (none)
> local ident (addr/mask/prot/port): (41.195.37.191/255.255.255.255/47/0)
> remote ident (addr/mask/prot/port): (196.47.0.204/255.255.255.255/47/0)
> current_peer 196.47.0.204 port 500
> PERMIT, flags={origin_is_acl,}
> #pkts encaps: 13410, #pkts encrypt: 13410, #pkts digest: 13410
> #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
> #pkts compressed: 0, #pkts decompressed: 0
> #pkts not compressed: 0, #pkts compr. failed: 0
> #pkts not decompressed: 0, #pkts decompress failed: 0
> #send errors 3, #recv errors 0
>
> local crypto endpt.: 41.195.37.191, remote crypto endpt.: 196.47.0.204
> path mtu 1492, ip mtu 1492, ip mtu idb Dialer1
> current outbound spi: 0xEE9B0E5D(4003139165)
>
> inbound esp sas:
> spi: 0x6E27D1C2(1848103362)
> transform: esp-aes esp-md5-hmac ,
> in use settings ={Tunnel, }
> conn id: 3004, flow_id: FPGA:4, crypto map: Tunnel0-head-0
> sa timing: remaining key lifetime (k/sec): (4530791/3584)
> IV size: 16 bytes
> replay detection support: Y
> Status: ACTIVE
>
> inbound ah sas:
>
> inbound pcp sas:
>
> outbound esp sas:
> spi: 0xEE9B0E5D(4003139165)
> transform: esp-aes esp-md5-hmac ,
> in use settings ={Tunnel, }
> conn id: 3003, flow_id: FPGA:3, crypto map: Tunnel0-head-0
> sa timing: remaining key lifetime (k/sec): (4530789/3584)
> IV size: 16 bytes
> replay detection support: Y
> Status: ACTIVE
>
> outbound ah sas:
>
> outbound pcp sas:
>
> nhrp-spoke-2#show crypto engine connections active
>
> ID    Interface  IP-Address     State  Algorithm          Encrypt  Decrypt
> 13    Dialer1    41.195.37.191  set    HMAC_MD5+AES_CBC         0        0
> 14    Dialer1    41.195.37.191  set    HMAC_MD5+AES_CBC         0        0
> 3003  Dialer1    41.195.37.191  set    AES+MD5                 15        0
> 3004  Dialer1    41.195.37.191  set    AES+MD5                  0        0
>
> nhrp-spoke-2#show crypto map
> Crypto Map "Tunnel0-head-0" 65536 ipsec-isakmp
> Profile name: DMVPN
> Security association lifetime: 4608000 kilobytes/3600 seconds
> PFS (Y/N): N
> Transform sets={
> 3DES_MD5,
> }
>
> Crypto Map "Tunnel0-head-0" 65537 ipsec-isakmp
> Map is a PROFILE INSTANCE.
> Peer = 196.47.0.204
> Extended IP access list
> access-list permit gre host 41.195.37.191 host 196.47.0.204
> Current peer: 196.47.0.204
> Security association lifetime: 4608000 kilobytes/3600 seconds
> PFS (Y/N): N
> Transform sets={
> 3DES_MD5,
> }
> Interfaces using crypto map Tunnel0-head-0:
> Tunnel0
>
>
> ---------------------------------------------------------------------
> A feature is a bug with seniority.
>
> Nic Tjirkalli
> Verizon Business South Africa
> Network Strategy Team
>
> Verizon Business is a brand of Verizon South Africa (Pty) Ltd. This e-mail
> is strictly confidential and intended only for use by the addressee unless
> otherwise indicated.
>
> Company Information:http:// www.verizonbusiness.com/za/contact/legal/
>
>
>
---------------------------------------------------------------------
Some days you're the pigeon, and some days you're the statue.
Nic Tjirkalli
Verizon Business South Africa
Network Strategy Team
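An added example for the troubleshooting step this thread circles around, written in Python; it is not code from any of the posters or from Cisco. It parses `show crypto ipsec sa` output from both ends of one DMVPN SA, pairs the records by endpoint, and flags the pattern seen here: SPIs agree on both sides, the hub decaps, the spoke never does, which points at the packet path rather than the negotiation. It assumes the classic IOS text layout shown above; the two embedded samples are trimmed copies of the hub and spoke output posted in the thread, and the record fields and finding wording are my own choices.

```python
"""Parse `show crypto ipsec sa` from two IPsec peers and flag one-way SAs.

Added example for this thread, not Cisco code and not from the original posts.
It assumes the classic IOS text layout seen above; HUB_SA and SPOKE_SA are
trimmed copies of the hub and spoke output posted in the thread."""
import re
from dataclasses import dataclass
from typing import List

# Trimmed from the posted hub output for peer 41.195.37.191.
HUB_SA = """
 local ident (addr/mask/prot/port): (196.47.0.204/255.255.255.255/47/0)
 remote ident (addr/mask/prot/port): (41.195.37.191/255.255.255.255/47/0)
 #pkts encaps: 153, #pkts encrypt: 153, #pkts digest: 153
 #pkts decaps: 80, #pkts decrypt: 80, #pkts verify: 80
 path mtu 1452, ip mtu 1452, ip mtu idb Virtual-PPP1
 inbound esp sas:
  spi: 0xEE9B0E5D(4003139165)
 outbound esp sas:
  spi: 0x6E27D1C2(1848103362)
"""
# Trimmed from the posted nhrp-spoke-2 output.
SPOKE_SA = """
 local ident (addr/mask/prot/port): (41.195.37.191/255.255.255.255/47/0)
 remote ident (addr/mask/prot/port): (196.47.0.204/255.255.255.255/47/0)
 #pkts encaps: 13410, #pkts encrypt: 13410, #pkts digest: 13410
 #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
 path mtu 1492, ip mtu 1492, ip mtu idb Dialer1
 inbound esp sas:
  spi: 0x6E27D1C2(1848103362)
 outbound esp sas:
  spi: 0xEE9B0E5D(4003139165)
"""

@dataclass
class IpsecSa:
    local: str
    remote: str = ""
    encaps: int = 0
    decaps: int = 0
    path_mtu: int = 0
    inbound_spi: int = 0
    outbound_spi: int = 0

IDENT_RE = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([\d.]+)/")
PKTS_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
MTU_RE = re.compile(r"path mtu (\d+)")
DIR_RE = re.compile(r"(inbound|outbound) esp sas:")
SPI_RE = re.compile(r"spi: 0x([0-9A-Fa-f]+)")

def parse_ipsec_sa(text: str) -> List[IpsecSa]:
    """One record per `local ident` block; each `spi:` line is attributed to
    the last `inbound/outbound esp sas:` header seen."""
    sas: List[IpsecSa] = []
    direction = ""
    for raw in text.splitlines():
        line = raw.strip()
        if m := IDENT_RE.match(line):
            if m.group(1) == "local":
                sas.append(IpsecSa(local=m.group(2)))
                direction = ""
            elif sas:
                sas[-1].remote = m.group(2)
        elif not sas:
            continue
        elif m := PKTS_RE.match(line):
            setattr(sas[-1], m.group(1), int(m.group(2)))
        elif m := MTU_RE.match(line):
            sas[-1].path_mtu = int(m.group(1))
        elif m := DIR_RE.match(line):
            direction = m.group(1)
        elif (m := SPI_RE.match(line)) and direction:
            setattr(sas[-1], f"{direction}_spi", int(m.group(1), 16))
    return sas

def diagnose(name_a: str, sas_a: List[IpsecSa],
             name_b: str, sas_b: List[IpsecSa]) -> List[str]:
    """Pair each SA on side A with side B's SA for the same two endpoints,
    then report SPI mismatches and traffic that only flows one way."""
    findings: List[str] = []
    by_endpoints = {(b.remote, b.local): b for b in sas_b}
    for a in sas_a:
        b = by_endpoints.get((a.local, a.remote))
        if b is None:
            findings.append(f"{name_a}: no SA on {name_b} for {a.local}<->{a.remote}")
            continue
        # The same SPI pair must show as inbound on one side and outbound on the other.
        if a.outbound_spi != b.inbound_spi or a.inbound_spi != b.outbound_spi:
            findings.append(f"{name_a}<->{name_b}: SPI mismatch, not the same SA pair")
        if a.encaps and not a.decaps and b.encaps:
            findings.append(
                f"{name_a}: one-way: {name_b} encapsulated {b.encaps} packets towards "
                f"{a.local} but {name_a} decapsulated 0 (path mtu {a.path_mtu} here, "
                f"{b.path_mtu} there); count ESP and UDP/500 arriving on the NBMA "
                f"interface of {name_a} before changing crypto settings")
    return findings

if __name__ == "__main__":
    hub, spoke = parse_ipsec_sa(HUB_SA), parse_ipsec_sa(SPOKE_SA)
    for finding in diagnose("spoke", spoke, "hub", hub) + diagnose("hub", hub, "spoke", spoke):
        print(finding)
```

On the thread's output this yields one finding, for the spoke. The SPI check is the part worth keeping in any DMVPN runbook: when the spoke's outbound SPI is the hub's inbound SPI and vice versa, both routers agree on the same SA pair, so the zero decap count is about packets not reaching or not matching the SA on the spoke, which is exactly what the counting ACL on the spoke's Dialer interface is meant to show.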
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/