[c-nsp] DMVPN breaks when IPSEC protection is applied to tunnels

Aaron dudepron at gmail.com
Tue Aug 26 11:26:04 EDT 2008


How about putting on the outbound to make sure that you are sending it to the
hub?


On Tue, Aug 26, 2008 at 1:37 AM, Nic Tjirkalli <
nic.tjirkalli at za.verizonbusiness.com> wrote:

> Howdy ho,
>
>
>> Maybe try to put in an ACL or could use netflow for this as well...
>> ip access-list extend check_packets_in
>> permit esp any any
>> permit udp any eq isakmp any eq isakmp
>> permit ip any any
>> interface dialer 1
>> ip access-group check_packets_in in
>>
>> To see if ESP coming in to your spoke router.
>>
> good suggestion but now I am even more confused
>
> created acl as follows and applied to dialer 1 in :-
> interface Dialer1
>  ip access-group check_packets_in in
>
> but there are no matches at all - not even IP
>
> nhrp-spoke-2#show access-lists check_packets_in
> Extended IP access list check_packets_in
>    10 permit ahp any any
>    20 permit esp any any
>    30 permit udp any eq isakmp any eq isakmp
>    40 permit ip any any
>
>> -Luan
>>
>>
>>
>> -----Original Message-----
>> From: cisco-nsp-bounces at puck.nether.net
>> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Nic Tjirkalli
>> Sent: Monday, August 25, 2008 3:40 AM
>> To: cisco-nsp at puck.nether.net
>> Subject: Re: [c-nsp] DMVPN breaks when IPSEC protection is applied to
>> tunnels
>>
>> howdy ho all,
>>
>> thanx to those who sent through suggestions to how to get the IPSEC to
>> work
>> - the ideas were :- try mode transport
>>                 :- don't use wildcard for the secret
>>
>> so i changed the hub and spoke as follows :-
>> crypto ipsec transform-set 3DES_MD5 esp-aes esp-md5-hmac
>>  mode transport
>>
>> crypto isakmp key CISCO address 41.195.37.0 255.255.255.0
>> crypto isakmp key CISCO address 196.47.0.204 255.255.255.0
>>
>>
>> alas same symptoms
>> - crypto comes up
>> - hub reports IPSEC encaps and decaps
>> - spoke sites report 0 decaps for IPSEC and no errors
>>
>>
>> any other ideas?
>>
>> thanx
>>
>>
>>>
>>> howdy ho all,
>>>
>>> Was hoping I could use this forum to get some direction on resolving a
>>> strange issue I have with a DMVPN setup.
>>>
>>> All works 100% if I do not protect the tunnels with IPSEC. As soon as I
>>> enable IPSEC the tunnels stop passing traffic.
>>>
>>>
>>> The setup :-
>>> ============
>>>
>>> All routers are CISCO 1841 platforms. the IOS image is :-
>>> C1841-ADVIPSERVICESK9-M
>>> c1841-advipservicesk9-mz.124-21.bin
>>>
>>>
>>> HUB Router
>>> ----------
>>> HUB router connects via ADSL (a PPPOE session over ethernet) and then fires
>>> up an L2TP tunnel to obtain a static IP address.
>>>
>>> The IP address allocated to the L2TP interface is 196.47.0.204 (Virtual-PPP1)
>>> This IP address is the NHS. All connections to/from the hub
>>> use the address of 196.47.0.204.
>>>
>>> Tunnel interface on the hub router is 10.0.0.1
>>>
>>>
>>> Spoke Router
>>> ------------
>>> the Spoke router (there are 2 I am just showing one) connects via ADSL
>>> (a PPPOE session over ethernet) and obtains a dynamic IP address. the spoke
>>> routers use Dialer1 as their interface into the NHRP cloud.
>>>
>>> NHRP comes up and if I do not use IPSEC encryption on the Tunnel
>>> interface
>>> ie do not add the command tunnel protection ipsec profile DMVPN
>>> on Tunnel0
>>>
>>> Tunnel interface on the hub router is 10.0.0.3
>>> all works perfectly.
>>>
>>>
>>> The Problem
>>> ===========
>>>
>>> When I enable IPSEC encryption on the tunnel interfaces on all routers
>>> then things break. I have tried with both 3DES and AES and same issue.
>>>
>>> All the crypto sessions seem correct - correct SAs come up. The dynamically
>>> created crypto-maps seem correct.
>>>
>>> BUT. on the spoke routers, IPSEC reports that no packets are being
>>> de-encapsulated but no errors are reported.
>>>
>>> nhrp-spoke-2#show crypto ipsec sa
>>>
>>> interface: Tunnel0
>>>  local  ident (addr/mask/prot/port): (41.195.37.191/255.255.255.255/47/0)
>>>  remote ident (addr/mask/prot/port): (196.47.0.204/255.255.255.255/47/0)
>>>  current_peer 196.47.0.204 port 500
>>>    PERMIT, flags={origin_is_acl,}
>>>   #pkts encaps: 13410, #pkts encrypt: 13410, #pkts digest: 13410
>>>   #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
>>>   #pkts compressed: 0, #pkts decompressed: 0
>>>   #pkts not compressed: 0, #pkts compr. failed: 0
>>>   #pkts not decompressed: 0, #pkts decompress failed: 0
>>>   #send errors 3, #recv errors 0
>>>
>>>
>>> But on the HUB. all is well
>>>  protected vrf: (none)
>>>  local  ident (addr/mask/prot/port): (196.47.0.204/255.255.255.255/47/0)
>>>  remote ident (addr/mask/prot/port): (41.195.37.191/255.255.255.255/47/0)
>>>  current_peer 41.195.37.191 port 500
>>>    PERMIT, flags={origin_is_acl,}
>>>   #pkts encaps: 153, #pkts encrypt: 153, #pkts digest: 153
>>>   #pkts decaps: 80, #pkts decrypt: 80, #pkts verify: 80
>>>   #pkts compressed: 0, #pkts decompressed: 0
>>>   #pkts not compressed: 0, #pkts compr. failed: 0
>>>   #pkts not decompressed: 0, #pkts decompress failed: 0
>>>   #send errors 1, #recv errors 0
>>>
>>>
>>> Any ideas/thoughts would be greatly appreciated.
>>>
>>> The configurations and some useful output are below
>>>
>>>
>>>
>>> HUB Configuration
>>> =================
>>>
>>> hostname adsl-nhrp-hub
>>> !
>>> boot-start-marker
>>> boot-end-marker
>>> !
>>> logging buffered 4096 debugging
>>> !
>>> no aaa new-model
>>> ip cef
>>> !
>>> !
>>> !
>>> !
>>> no ip domain lookup
>>> ip auth-proxy max-nodata-conns 3
>>> ip admission max-nodata-conns 3
>>> vpdn enable
>>> !
>>> l2tp-class l2tpclass1
>>> authentication
>>> password 7 03070E0C2E572B6A1719
>>> !
>>> !
>>> !
>>> !
>>> !
>>> !
>>> pseudowire-class pwclass1
>>> encapsulation l2tpv2
>>> protocol l2tpv2 l2tpclass1
>>> ip local interface Dialer1
>>> !
>>> !
>>> !
>>> crypto isakmp policy 10
>>> encr aes
>>> hash md5
>>> authentication pre-share
>>> group 2
>>> crypto isakmp key XXXXX address 0.0.0.0 0.0.0.0
>>> !
>>> !
>>> crypto ipsec transform-set 3DES_MD5 esp-aes esp-md5-hmac
>>> !
>>> crypto ipsec profile DMVPN
>>> set transform-set 3DES_MD5
>>> !
>>> !
>>> !
>>> !
>>> interface Loopback0
>>> ip address 172.16.1.1 255.255.255.255
>>> !
>>> interface Tunnel0
>>> ip address 10.0.0.1 255.255.255.0
>>> no ip redirects
>>> ip mtu 1400
>>> no ip next-hop-self eigrp 1
>>> ip nhrp authentication xxxxxxxxxx
>>> ip nhrp map multicast dynamic
>>> ip nhrp network-id 1
>>> ip nhrp holdtime 60
>>> ip nhrp registration timeout 30
>>> ip tcp adjust-mss 1360
>>> no ip split-horizon eigrp 1
>>> tunnel source Virtual-PPP1
>>> tunnel mode gre multipoint
>>> tunnel key 1
>>> tunnel protection ipsec profile DMVPN
>>> !
>>> interface Null0
>>> no ip unreachables
>>> !
>>> interface FastEthernet0/0
>>> no ip address
>>> speed 100
>>> full-duplex
>>> pppoe enable group global
>>> pppoe-client dial-pool-number 1
>>> !
>>> interface FastEthernet0/1
>>> no ip address
>>> duplex auto
>>> speed auto
>>> !
>>> interface Virtual-PPP1
>>> ip address negotiated
>>> ip mtu 1452
>>> ip virtual-reassembly
>>> no logging event link-status
>>> no peer neighbor-route
>>> no cdp enable
>>> ppp chap hostname XXXXX
>>> ppp chap password 7 XXXXXX
>>> ppp pap sent-username XXXX password 7 XXXXX
>>> pseudowire 196.30.121.42 10 pw-class pwclass1
>>> !
>>> interface Dialer1
>>> mtu 1492
>>> ip address negotiated
>>> ip virtual-reassembly
>>> encapsulation ppp
>>> ip tcp adjust-mss 1452
>>> dialer pool 1
>>> dialer-group 1
>>> ppp chap hostname XXX
>>> ppp chap password 7 XXXX
>>> ppp pap sent-username XXXX password 7 XXXX
>>> !
>>> router eigrp 1
>>> redistribute connected route-map to-eigrp
>>> redistribute static
>>> passive-interface Dialer1
>>> network 10.0.0.0 0.0.0.255
>>> no auto-summary
>>> !
>>> no ip forward-protocol nd
>>> ip route 0.0.0.0 0.0.0.0 Virtual-PPP1
>>> ip route 196.30.121.42 255.255.255.255 Dialer1
>>> !
>>> !
>>> ip http server
>>> no ip http secure-server
>>> !
>>> !
>>> ip prefix-list local seq 5 permit 41.195.37.0/24 le 32
>>> ip prefix-list local seq 10 permit 196.47.0.0/16 le 32
>>> access-list 1 permit any
>>> access-list 2 deny   any
>>> access-list 3 permit 10.0.0.2
>>> access-list 3 permit 10.222.0.1
>>> access-list 3 permit 10.222.0.2
>>> access-list 3 permit 10.244.0.2
>>> no cdp run
>>> !
>>> route-map to-eigrp deny 10
>>> match ip address prefix-list local
>>> !
>>> route-map to-eigrp permit 1000
>>>
>>>
>>> adsl-nhrp-hub#show ip nhrp
>>> 10.0.0.2/32 via 10.0.0.2, Tunnel0 created 03:19:00, expire 00:00:57
>>>  Type: dynamic, Flags: authoritative unique registered used
>>>  NBMA address: 41.195.37.174
>>> 10.0.0.3/32 via 10.0.0.3, Tunnel0 created 00:04:56, expire 00:00:33
>>>  Type: dynamic, Flags: authoritative unique registered used
>>>  NBMA address: 41.195.37.191
>>>
>>> adsl-nhrp-hub#show crypto ipsec sa
>>>
>>> interface: Tunnel0
>>>   Crypto map tag: Tunnel0-head-0, local addr 196.47.0.204
>>>
>>>  protected vrf: (none)
>>>  local  ident (addr/mask/prot/port): (196.47.0.204/255.255.255.255/47/0)
>>>  remote ident (addr/mask/prot/port): (41.195.37.174/255.255.255.255/47/0)
>>>  current_peer 41.195.37.174 port 500
>>>    PERMIT, flags={origin_is_acl,}
>>>   #pkts encaps: 5764, #pkts encrypt: 5764, #pkts digest: 5764
>>>   #pkts decaps: 3484, #pkts decrypt: 3484, #pkts verify: 3484
>>>   #pkts compressed: 0, #pkts decompressed: 0
>>>   #pkts not compressed: 0, #pkts compr. failed: 0
>>>   #pkts not decompressed: 0, #pkts decompress failed: 0
>>>   #send errors 0, #recv errors 0
>>>
>>>    local crypto endpt.: 196.47.0.204, remote crypto endpt.: 41.195.37.174
>>>    path mtu 1452, ip mtu 1452, ip mtu idb Virtual-PPP1
>>>    current outbound spi: 0xD9D819B1(3654818225)
>>>
>>>    inbound esp sas:
>>>     spi: 0x8AD878CD(2329442509)
>>>       transform: esp-aes esp-md5-hmac ,
>>>       in use settings ={Tunnel, }
>>>       conn id: 3006, flow_id: FPGA:6, crypto map: Tunnel0-head-0
>>>       sa timing: remaining key lifetime (k/sec): (4437499/1923)
>>>       IV size: 16 bytes
>>>       replay detection support: Y
>>>       Status: ACTIVE
>>>
>>>    inbound ah sas:
>>>
>>>    inbound pcp sas:
>>>
>>>    outbound esp sas:
>>>     spi: 0xD9D819B1(3654818225)
>>>       transform: esp-aes esp-md5-hmac ,
>>>       in use settings ={Tunnel, }
>>>       conn id: 3005, flow_id: FPGA:5, crypto map: Tunnel0-head-0
>>>       sa timing: remaining key lifetime (k/sec): (4437454/1923)
>>>       IV size: 16 bytes
>>>       replay detection support: Y
>>>       Status: ACTIVE
>>>
>>>    outbound ah sas:
>>>
>>>    outbound pcp sas:
>>>
>>>  protected vrf: (none)
>>>  local  ident (addr/mask/prot/port): (196.47.0.204/255.255.255.255/47/0)
>>>  remote ident (addr/mask/prot/port): (41.195.37.191/255.255.255.255/47/0)
>>>  current_peer 41.195.37.191 port 500
>>>    PERMIT, flags={origin_is_acl,}
>>>   #pkts encaps: 153, #pkts encrypt: 153, #pkts digest: 153
>>>   #pkts decaps: 80, #pkts decrypt: 80, #pkts verify: 80
>>>   #pkts compressed: 0, #pkts decompressed: 0
>>>   #pkts not compressed: 0, #pkts compr. failed: 0
>>>   #pkts not decompressed: 0, #pkts decompress failed: 0
>>>   #send errors 1, #recv errors 0
>>>
>>>    local crypto endpt.: 196.47.0.204, remote crypto endpt.: 41.195.37.191
>>>    path mtu 1452, ip mtu 1452, ip mtu idb Virtual-PPP1
>>>    current outbound spi: 0x6E27D1C2(1848103362)
>>>
>>>    inbound esp sas:
>>>     spi: 0xEE9B0E5D(4003139165)
>>>       transform: esp-aes esp-md5-hmac ,
>>>       in use settings ={Tunnel, }
>>>       conn id: 3004, flow_id: FPGA:4, crypto map: Tunnel0-head-0
>>>       sa timing: remaining key lifetime (k/sec): (4478781/3289)
>>>       IV size: 16 bytes
>>>       replay detection support: Y
>>>       Status: ACTIVE
>>>
>>>    inbound ah sas:
>>>
>>>    inbound pcp sas:
>>>
>>>    outbound esp sas:
>>>     spi: 0x6E27D1C2(1848103362)
>>>       transform: esp-aes esp-md5-hmac ,
>>>       in use settings ={Tunnel, }
>>>       conn id: 3003, flow_id: FPGA:3, crypto map: Tunnel0-head-0
>>>       sa timing: remaining key lifetime (k/sec): (4478771/3289)
>>>       IV size: 16 bytes
>>>       replay detection support: Y
>>>       Status: ACTIVE
>>>
>>>    outbound ah sas:
>>>
>>>    outbound pcp sas:
>>>
>>> adsl-nhrp-hub#show crypto map
>>> Crypto Map "Tunnel0-head-0" 65536 ipsec-isakmp
>>>       Profile name: DMVPN
>>>       Security association lifetime: 4608000 kilobytes/3600 seconds
>>>       PFS (Y/N): N
>>>       Transform sets={
>>>               3DES_MD5,
>>>       }
>>>
>>> Crypto Map "Tunnel0-head-0" 65540 ipsec-isakmp
>>>       Map is a PROFILE INSTANCE.
>>>       Peer = 41.195.37.174
>>>       Extended IP access list
>>>           access-list  permit gre host 196.47.0.204 host 41.195.37.174
>>>       Current peer: 41.195.37.174
>>>       Security association lifetime: 4608000 kilobytes/3600 seconds
>>>       PFS (Y/N): N
>>>       Transform sets={
>>>               3DES_MD5,
>>>       }
>>>
>>> Crypto Map "Tunnel0-head-0" 65541 ipsec-isakmp
>>>       Map is a PROFILE INSTANCE.
>>>       Peer = 41.195.37.191
>>>       Extended IP access list
>>>           access-list  permit gre host 196.47.0.204 host 41.195.37.191
>>>       Current peer: 41.195.37.191
>>>       Security association lifetime: 4608000 kilobytes/3600 seconds
>>>       PFS (Y/N): N
>>>       Transform sets={
>>>               3DES_MD5,
>>>       }
>>>       Interfaces using crypto map Tunnel0-head-0:
>>>               Tunnel0
>>>
>>> adsl-nhrp-hub#show crypto engine connections active
>>>
>>>  ID Interface            IP-Address      State  Algorithm           Encrypt  Decrypt
>>>  16 Virtual-PPP1         196.47.0.204    set    HMAC_MD5+AES_CBC          0        0
>>>  18 Tunnel0              10.0.0.1        set    HMAC_MD5+AES_CBC          0        0
>>> 3003 Tunnel0              196.47.0.204    set    AES+MD5                 169        0
>>> 3004 Tunnel0              196.47.0.204    set    AES+MD5                   0        8
>>> 3005 Virtual-PPP1         196.47.0.204    set    AES+MD5                 818        0
>>> 3006 Virtual-PPP1         196.47.0.204    set    AES+MD5                   0        1
>>>
>>>
>>> Spoke Configuration
>>> ===================
>>>
>>> ip cef
>>> !
>>> no ip domain lookup
>>> ip auth-proxy max-nodata-conns 3
>>> ip admission max-nodata-conns 3
>>> vpdn enable
>>> !
>>> l2tp-class l2tpclass1
>>> authentication
>>> password 7 xxxx
>>> !
>>> !
>>> pseudowire-class pwclass1
>>> encapsulation l2tpv2
>>> protocol l2tpv2 l2tpclass1
>>> ip local interface Dialer1
>>> !
>>> !
>>> crypto isakmp policy 10
>>> encr aes
>>> hash md5
>>> authentication pre-share
>>> group 2
>>> crypto isakmp key XXXXX address 0.0.0.0 0.0.0.0
>>> !
>>> !
>>> crypto ipsec transform-set 3DES_MD5 esp-aes esp-md5-hmac
>>> !
>>> crypto ipsec profile DMVPN
>>> set transform-set 3DES_MD5
>>> !
>>> !
>>> !
>>> !
>>> interface Loopback0
>>> ip address 172.16.1.3 255.255.255.255
>>> !
>>> interface Tunnel0
>>> ip address 10.0.0.3 255.255.255.0
>>> no ip redirects
>>> ip mtu 1400
>>> ip nhrp authentication xxxxxxxxxx
>>> ip nhrp map 10.0.0.1 196.47.0.204
>>> ip nhrp map multicast 196.47.0.204
>>> ip nhrp network-id 1
>>> ip nhrp holdtime 60
>>> ip nhrp nhs 10.0.0.1
>>> ip nhrp registration timeout 30
>>> ip tcp adjust-mss 1360
>>> tunnel source Dialer1
>>> tunnel mode gre multipoint
>>> tunnel key 1
>>> tunnel protection ipsec profile DMVPN
>>> !
>>> interface FastEthernet0/0
>>> ip address dhcp
>>> speed 100
>>> full-duplex
>>> pppoe enable group global
>>> pppoe-client dial-pool-number 1
>>> !
>>> interface FastEthernet0/1
>>> ip address 10.222.0.1 255.255.255.0
>>> speed 100
>>> full-duplex
>>> !
>>> !
>>> interface Dialer1
>>> mtu 1492
>>> ip address negotiated
>>> ip virtual-reassembly
>>> encapsulation ppp
>>> ip tcp adjust-mss 1452
>>> dialer pool 1
>>> ppp chap hostname XXXX
>>> ppp chap password 0 XXXX
>>> ppp pap sent-username XXXX password 0 XXXXX
>>> !
>>> router eigrp 1
>>> redistribute connected route-map to-eigrp
>>> redistribute static
>>> passive-interface FastEthernet0/1
>>> passive-interface Dialer1
>>> network 10.0.0.0 0.0.0.255
>>> no auto-summary
>>> eigrp stub connected
>>> !
>>> ip forward-protocol nd
>>> ip route 0.0.0.0 0.0.0.0 Dialer1
>>> !
>>> !
>>> ip http server
>>> no ip http secure-server
>>> !
>>> !
>>> ip prefix-list local seq 5 permit 41.195.37.0/24 le 32
>>> access-list 1 permit any
>>> access-list 2 deny   any
>>> access-list 3 permit 10.222.0.1
>>> access-list 3 permit 10.222.0.2
>>> access-list 3 permit 10.244.0.2
>>> access-list 3 permit 10.244.0.1
>>> !
>>> route-map clear-df permit 10
>>> set ip df 0
>>> !
>>> route-map to-eigrp deny 10
>>> match ip address prefix-list local
>>> !
>>> route-map to-eigrp permit 1000
>>>
>>>
>>> Some Debugs
>>> ===========
>>>
>>> nhrp-spoke-2#show ip nhrp
>>> 10.0.0.1/32 via 10.0.0.1, Tunnel0 created 23:59:15, never expire
>>>  Type: static, Flags: authoritative used
>>>  NBMA address: 196.47.0.204
>>>
>>>
>>> nhrp-spoke-2#show crypto ipsec sa
>>>
>>> interface: Tunnel0
>>>   Crypto map tag: Tunnel0-head-0, local addr 41.195.37.191
>>>
>>>  protected vrf: (none)
>>>  local  ident (addr/mask/prot/port): (41.195.37.191/255.255.255.255/47/0)
>>>  remote ident (addr/mask/prot/port): (196.47.0.204/255.255.255.255/47/0)
>>>  current_peer 196.47.0.204 port 500
>>>    PERMIT, flags={origin_is_acl,}
>>>   #pkts encaps: 13410, #pkts encrypt: 13410, #pkts digest: 13410
>>>   #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
>>>   #pkts compressed: 0, #pkts decompressed: 0
>>>   #pkts not compressed: 0, #pkts compr. failed: 0
>>>   #pkts not decompressed: 0, #pkts decompress failed: 0
>>>   #send errors 3, #recv errors 0
>>>
>>>    local crypto endpt.: 41.195.37.191, remote crypto endpt.: 196.47.0.204
>>>    path mtu 1492, ip mtu 1492, ip mtu idb Dialer1
>>>    current outbound spi: 0xEE9B0E5D(4003139165)
>>>
>>>    inbound esp sas:
>>>     spi: 0x6E27D1C2(1848103362)
>>>       transform: esp-aes esp-md5-hmac ,
>>>       in use settings ={Tunnel, }
>>>       conn id: 3004, flow_id: FPGA:4, crypto map: Tunnel0-head-0
>>>       sa timing: remaining key lifetime (k/sec): (4530791/3584)
>>>       IV size: 16 bytes
>>>       replay detection support: Y
>>>       Status: ACTIVE
>>>
>>>    inbound ah sas:
>>>
>>>    inbound pcp sas:
>>>
>>>    outbound esp sas:
>>>     spi: 0xEE9B0E5D(4003139165)
>>>       transform: esp-aes esp-md5-hmac ,
>>>       in use settings ={Tunnel, }
>>>       conn id: 3003, flow_id: FPGA:3, crypto map: Tunnel0-head-0
>>>       sa timing: remaining key lifetime (k/sec): (4530789/3584)
>>>       IV size: 16 bytes
>>>       replay detection support: Y
>>>       Status: ACTIVE
>>>
>>>    outbound ah sas:
>>>
>>>    outbound pcp sas:
>>>
>>> nhrp-spoke-2#show crypto engine connections active
>>>
>>>  ID Interface            IP-Address      State  Algorithm           Encrypt  Decrypt
>>>  13 Dialer1              41.195.37.191   set    HMAC_MD5+AES_CBC          0        0
>>>  14 Dialer1              41.195.37.191   set    HMAC_MD5+AES_CBC          0        0
>>> 3003 Dialer1              41.195.37.191   set    AES+MD5                  15        0
>>> 3004 Dialer1              41.195.37.191   set    AES+MD5                   0        0
>>>
>>> nhrp-spoke-2#show crypto map
>>> Crypto Map "Tunnel0-head-0" 65536 ipsec-isakmp
>>>       Profile name: DMVPN
>>>       Security association lifetime: 4608000 kilobytes/3600 seconds
>>>       PFS (Y/N): N
>>>       Transform sets={
>>>               3DES_MD5,
>>>       }
>>>
>>> Crypto Map "Tunnel0-head-0" 65537 ipsec-isakmp
>>>       Map is a PROFILE INSTANCE.
>>>       Peer = 196.47.0.204
>>>       Extended IP access list
>>>           access-list  permit gre host 41.195.37.191 host 196.47.0.204
>>>       Current peer: 196.47.0.204
>>>       Security association lifetime: 4608000 kilobytes/3600 seconds
>>>       PFS (Y/N): N
>>>       Transform sets={
>>>               3DES_MD5,
>>>       }
>>>       Interfaces using crypto map Tunnel0-head-0:
>>>               Tunnel0
>>>
>>>
>>> ---------------------------------------------------------------------
>>> A feature is a bug with seniority.
>>>
>>> Nic Tjirkalli
>>> Verizon Business South Africa
>>> Network Strategy Team
>>>
>>> Verizon Business is a brand of Verizon South Africa (Pty) Ltd. This
>>> e-mail
>>> is strictly confidential and intended only for use by the addressee
>>> unless
>>> otherwise indicated.
>>>
>>> Company Information:http:// www.verizonbusiness.com/za/contact/legal/
>>>
>>> This e-mail is strictly confidential and intended only for use by the
>>> addressee unless otherwise indicated.
>>>
>>>
>>>
>
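
Added example (not part of the original thread): a small Python parser for the `show crypto ipsec sa` counters quoted above, which reports the direction in which one router encrypts packets while its peer decrypts none. The function names and the trimmed sample text are assumptions constructed from the counters in the post.

```python
import re

# Constructed samples: counters trimmed from the outputs quoted in the thread,
# left with their mail quote markers to show the parser tolerates pasted text.
SPOKE_OUTPUT = """\
>>>  current_peer 196.47.0.204 port 500
>>>   #pkts encaps: 13410, #pkts encrypt: 13410, #pkts digest: 13410
>>>   #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
>>>   #send errors 3, #recv errors 0
"""
HUB_OUTPUT = """\
>>>  current_peer 41.195.37.174 port 500
>>>   #pkts encaps: 5764, #pkts encrypt: 5764, #pkts digest: 5764
>>>   #pkts decaps: 3484, #pkts decrypt: 3484, #pkts verify: 3484
>>>   #send errors 0, #recv errors 0
>>>  current_peer 41.195.37.191 port 500
>>>   #pkts encaps: 153, #pkts encrypt: 153, #pkts digest: 153
>>>   #pkts decaps: 80, #pkts decrypt: 80, #pkts verify: 80
>>>   #send errors 1, #recv errors 0
"""

PEER_RE = re.compile(r"current_peer:?\s+(\S+)")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
ERROR_RE = re.compile(r"#(send|recv) errors:? (\d+)")


def parse_ipsec_sa(text):
    """Return {peer: {'encaps', 'decaps', 'send_err', 'recv_err'}} per current_peer."""
    sas, current = {}, None
    for raw in text.splitlines():
        line = re.sub(r"^(?:>\s?)+", "", raw).strip()  # drop mail quote markers
        peer = PEER_RE.search(line)
        if peer:
            current = sas.setdefault(
                peer.group(1),
                {"encaps": 0, "decaps": 0, "send_err": 0, "recv_err": 0})
            continue
        if current is None:
            continue  # counters before the first peer line belong to nothing
        for name, value in COUNTER_RE.findall(line):
            current[name] += int(value)
        for name, value in ERROR_RE.findall(line):
            current[name + "_err"] += int(value)
    return sas


def classify(counters):
    """Label one SA pair by which directions are carrying traffic."""
    if counters["encaps"] and not counters["decaps"]:
        return "tx-only"
    if counters["decaps"] and not counters["encaps"]:
        return "rx-only"
    return "bidirectional" if counters["encaps"] else "idle"


def dead_directions(sas_a, addr_a, sas_b, addr_b):
    """Directions where the sender encrypts but the receiver decrypts nothing."""
    dead = []
    for (tx, tx_addr), (rx, rx_addr) in (((sas_a, addr_a), (sas_b, addr_b)),
                                         ((sas_b, addr_b), (sas_a, addr_a))):
        sent = tx.get(rx_addr, {}).get("encaps", 0)
        received = rx.get(tx_addr, {}).get("decaps", 0)
        if sent and not received:
            dead.append(f"{tx_addr} -> {rx_addr}")
    return dead


if __name__ == "__main__":
    hub, spoke = parse_ipsec_sa(HUB_OUTPUT), parse_ipsec_sa(SPOKE_OUTPUT)
    for peer, counters in spoke.items():
        print("spoke SA to", peer, classify(counters), counters)
    print("dead:", dead_directions(hub, "196.47.0.204", spoke, "41.195.37.191"))
```

With the thread's counters the only dead direction is hub to spoke, which is why the suggested inbound ACL on the spoke's Dialer1 is the natural next check.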

