[c-nsp] DMVPN breaks when IPSEC protection is applied to tunnels
Nic Tjirkalli
nic.tjirkalli at za.verizonbusiness.com
Wed Aug 27 00:53:27 EDT 2008
Howdy ho,
> How about putting on the outbound to make sure that you are sending it to
> the hub?
good idea - add this to the hub router :-
adsl-nhrp-hub#show access-lists check_packets_in
Extended IP access list check_packets_in
10 permit ahp any any
20 permit esp any any
30 permit udp any eq isakmp any eq isakmp
40 permit ip any any
interface Virtual-PPP1
ip access-group check_packets_in out
just to make sure all was reset and applied, I reloaded the hub router and
both spoke routers and looking at the ACL after a few minutes of all the
routers coming up :-
adsl-nhrp-hub#show access-lists check_packets_in
Extended IP access list check_packets_in
10 permit ahp any any
20 permit esp any any
30 permit udp any eq isakmp any eq isakmp
40 permit ip any any
no matches ..... I doubt this can be accurate - at least there should be
IP matches as NHRP is up :-
10.0.0.2/32 via 10.0.0.2, Tunnel0 created 00:01:15, expire 00:00:44
Type: dynamic, Flags: authoritative unique registered used
NBMA address: 41.195.37.174
10.0.0.3/32 via 10.0.0.3, Tunnel0 created 00:05:20, expire 00:00:45
Type: dynamic, Flags: authoritative unique registered
NBMA address: 41.195.37.191
from the routing table on the hub, traffic to NHRP neighbours should be going out
of Virtual-PPP1
adsl-nhrp-hub#show ip route
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
196.30.121.0/32 is subnetted, 1 subnets
S 196.30.121.42 is directly connected, Dialer1
172.16.0.0/32 is subnetted, 1 subnets
C 172.16.1.1 is directly connected, Loopback0
196.47.0.0/32 is subnetted, 1 subnets
C 196.47.0.204 is directly connected, Virtual-PPP1
10.0.0.0/24 is subnetted, 1 subnets
C 10.0.0.0 is directly connected, Tunnel0
41.0.0.0/32 is subnetted, 2 subnets
C 41.195.37.199 is directly connected, Dialer1
C 41.195.37.129 is directly connected, Dialer1
S* 0.0.0.0/0 is directly connected, Virtual-PPP1
thanx
>
>
> On Tue, Aug 26, 2008 at 1:37 AM, Nic Tjirkalli <
> nic.tjirkalli at za.verizonbusiness.com> wrote:
>
>> Howdy ho,
>>
>>
>> Maybe try to put in an ACL or could use netflow for this as well...
>>> ip access-list extended check_packets_in
>>> permit esp any any
>>> permit udp any eq isakmp any eq isakmp
>>> permit ip any any
>>> interface dialer 1
>>> ip access-group check_packets_in in
>>>
>>> To see if ESP coming in to your spoke router.
>>>
>> good suggestion but now I am even more confused
>>
>> created acl as follows and applied to dialer 1 in :-
>> interface Dialer1
>> ip access-group check_packets_in in
>>
>> but there are no matches at all - not even IP
>>
>> nhrp-spoke-2#show access-lists check_packets_in
>> Extended IP access list check_packets_in
>> 10 permit ahp any any
>> 20 permit esp any any
>> 30 permit udp any eq isakmp any eq isakmp
>> 40 permit ip any any
>>
>>
>> :wq
>>
>>
>>
>>
>>> -Luan
>>>
>>>
>>>
>>> -----Original Message-----
>>> From: cisco-nsp-bounces at puck.nether.net
>>> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Nic Tjirkalli
>>> Sent: Monday, August 25, 2008 3:40 AM
>>> To: cisco-nsp at puck.nether.net
>>> Subject: Re: [c-nsp] DMVPN breaks when IPSEC protection is applied to
>>> tunnels
>>>
>>> howdy ho all,
>>>
>>> thanx to those who sent through suggestions on how to get the IPSEC to
>>> work - the ideas were :-
>>> - try mode transport
>>> - don't use a wildcard for the secret
>>>
>>> so i changed the hub and spoke as follows :-
>>> crypto ipsec transform-set 3DES_MD5 esp-aes esp-md5-hmac
>>> mode transport
>>>
>>> crypto isakmp key CISCO address 41.195.37.0 255.255.255.0
>>> crypto isakmp key CISCO address 196.47.0.204 255.255.255.0
>>>
>>>
>>> also same symptoms
>>> - crypto comes up
>>> - hub reports IPSEC encaps and decaps
>>> - spoke sites report 0 decaps for IPSEC and no errors
>>>
>>>
>>> any other ideas?
>>>
>>> thanx
>>>
>>>
>>>>
>>>> howdy ho all,
>>>>
>>>> Was hoping I could use this forum to get some direction on resolving a
>>>> strange issue I have with a DMVPN setup.
>>>>
>>>> All works 100% if I do not protect the tunnels with IPSEC. As soon as I
>>>> enable IPSEC the tunnels stop passing traffic.
>>>>
>>>>
>>>> The setup :-
>>>> ============
>>>>
>>>> All routers are CISCO 1841 platforms. the IOS image is :-
>>>> C1841-ADVIPSERVICESK9-M
>>>> c1841-advipservicesk9-mz.124-21.bin
>>>>
>>>>
>>>> HUB Router
>>>> ----------
>>>> HUB router connects via ADSL (a PPPOE session over ethernet) and then
>>>> fires up an L2TP tunnel to obtain a static IP address.
>>>>
>>>> The IP address allocated to the L2TP interface is 196.47.0.204
>>>> (Virtual-PPP1). This IP address is the NHS. All connections to/from the hub
>>>> use the address of 196.47.0.204.
>>>>
>>>> Tunnel interface on the hub router is 10.0.0.1
>>>>
>>>>
>>>> Spoke Router
>>>> ------------
>>>> the Spoke router (there are 2, I am just showing one) connects via ADSL
>>>> (a PPPOE session over ethernet) and obtains a dynamic IP address. the
>>>> spoke routers use Dialer1 as their interface into the NHRP cloud.
>>>>
>>>> NHRP comes up, and if I do not use IPSEC encryption on the Tunnel
>>>> interface (ie do not add the command tunnel protection ipsec profile DMVPN
>>>> on Tunnel0) all works perfectly.
>>>>
>>>> Tunnel interface on the hub router is 10.0.0.3
>>>>
>>>>
>>>> The Problem
>>>> ===========
>>>>
>>>> When I enable IPSEC encryption on the tunnel interfaces on all routers
>>>> then things break. I have tried with both 3DES and AES and same issue.
>>>>
>>>> All the crypto sessions seem correct - correct SAs come up. The
>>>> dynamically created crypto-maps seem correct.
>>>>
>>>> BUT, on the spoke routers, IPSEC reports that no packets are being
>>>> de-encapsulated but no errors are reported.
>>>>
>>>> nhrp-spoke-2#show crypto ipsec sa
>>>>
>>>> interface: Tunnel0
>>>> local ident (addr/mask/prot/port): (41.195.37.191/255.255.255.255/47/0)
>>>> remote ident (addr/mask/prot/port): (196.47.0.204/255.255.255.255/47/0)
>>>> current_peer 196.47.0.204 port 500
>>>> PERMIT, flags={origin_is_acl,}
>>>> #pkts encaps: 13410, #pkts encrypt: 13410, #pkts digest: 13410
>>>> #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
>>>> #pkts compressed: 0, #pkts decompressed: 0
>>>> #pkts not compressed: 0, #pkts compr. failed: 0
>>>> #pkts not decompressed: 0, #pkts decompress failed: 0
>>>> #send errors 3, #recv errors 0
>>>>
>>>>
>>>> But on the HUB, all is well
>>>> protected vrf: (none)
>>>> local ident (addr/mask/prot/port): (196.47.0.204/255.255.255.255/47/0)
>>>> remote ident (addr/mask/prot/port): (41.195.37.191/255.255.255.255/47/0)
>>>> current_peer 41.195.37.191 port 500
>>>> PERMIT, flags={origin_is_acl,}
>>>> #pkts encaps: 153, #pkts encrypt: 153, #pkts digest: 153
>>>> #pkts decaps: 80, #pkts decrypt: 80, #pkts verify: 80
>>>> #pkts compressed: 0, #pkts decompressed: 0
>>>> #pkts not compressed: 0, #pkts compr. failed: 0
>>>> #pkts not decompressed: 0, #pkts decompress failed: 0
>>>> #send errors 1, #recv errors 0
>>>>
>>>>
>>>> Any ideas/thoughts would be greatly appreciated.
>>>>
>>>> The configurations and some useful output are below
>>>>
>>>>
>>>>
>>>> HUB Configuration
>>>> =================
>>>>
>>>> hostname adsl-nhrp-hub
>>>> !
>>>> boot-start-marker
>>>> boot-end-marker
>>>> !
>>>> logging buffered 4096 debugging
>>>> !
>>>> no aaa new-model
>>>> ip cef
>>>> !
>>>> !
>>>> !
>>>> !
>>>> no ip domain lookup
>>>> ip auth-proxy max-nodata-conns 3
>>>> ip admission max-nodata-conns 3
>>>> vpdn enable
>>>> !
>>>> l2tp-class l2tpclass1
>>>> authentication
>>>> password 7 03070E0C2E572B6A1719
>>>> !
>>>> !
>>>> !
>>>> !
>>>> !
>>>> !
>>>> pseudowire-class pwclass1
>>>> encapsulation l2tpv2
>>>> protocol l2tpv2 l2tpclass1
>>>> ip local interface Dialer1
>>>> !
>>>> !
>>>> !
>>>> crypto isakmp policy 10
>>>> encr aes
>>>> hash md5
>>>> authentication pre-share
>>>> group 2
>>>> crypto isakmp key XXXXX address 0.0.0.0 0.0.0.0
>>>> !
>>>> !
>>>> crypto ipsec transform-set 3DES_MD5 esp-aes esp-md5-hmac
>>>> !
>>>> crypto ipsec profile DMVPN
>>>> set transform-set 3DES_MD5
>>>> !
>>>> !
>>>> !
>>>> !
>>>> interface Loopback0
>>>> ip address 172.16.1.1 255.255.255.255
>>>> !
>>>> interface Tunnel0
>>>> ip address 10.0.0.1 255.255.255.0
>>>> no ip redirects
>>>> ip mtu 1400
>>>> no ip next-hop-self eigrp 1
>>>> ip nhrp authentication xxxxxxxxxx
>>>> ip nhrp map multicast dynamic
>>>> ip nhrp network-id 1
>>>> ip nhrp holdtime 60
>>>> ip nhrp registration timeout 30
>>>> ip tcp adjust-mss 1360
>>>> no ip split-horizon eigrp 1
>>>> tunnel source Virtual-PPP1
>>>> tunnel mode gre multipoint
>>>> tunnel key 1
>>>> tunnel protection ipsec profile DMVPN
>>>> !
>>>> interface Null0
>>>> no ip unreachables
>>>> !
>>>> interface FastEthernet0/0
>>>> no ip address
>>>> speed 100
>>>> full-duplex
>>>> pppoe enable group global
>>>> pppoe-client dial-pool-number 1
>>>> !
>>>> interface FastEthernet0/1
>>>> no ip address
>>>> duplex auto
>>>> speed auto
>>>> !
>>>> interface Virtual-PPP1
>>>> ip address negotiated
>>>> ip mtu 1452
>>>> ip virtual-reassembly
>>>> no logging event link-status
>>>> no peer neighbor-route
>>>> no cdp enable
>>>> ppp chap hostname XXXXX
>>>> ppp chap password 7 XXXXXX
>>>> ppp pap sent-username XXXX password 7 XXXXX
>>>> pseudowire 196.30.121.42 10 pw-class pwclass1
>>>> !
>>>> interface Dialer1
>>>> mtu 1492
>>>> ip address negotiated
>>>> ip virtual-reassembly
>>>> encapsulation ppp
>>>> ip tcp adjust-mss 1452
>>>> dialer pool 1
>>>> dialer-group 1
>>>> ppp chap hostname XXX
>>>> ppp chap password 7 XXXX
>>>> ppp pap sent-username XXXX password 7 XXXX
>>>> !
>>>> router eigrp 1
>>>> redistribute connected route-map to-eigrp
>>>> redistribute static
>>>> passive-interface Dialer1
>>>> network 10.0.0.0 0.0.0.255
>>>> no auto-summary
>>>> !
>>>> no ip forward-protocol nd
>>>> ip route 0.0.0.0 0.0.0.0 Virtual-PPP1
>>>> ip route 196.30.121.42 255.255.255.255 Dialer1
>>>> !
>>>> !
>>>> ip http server
>>>> no ip http secure-server
>>>> !
>>>> !
>>>> ip prefix-list local seq 5 permit 41.195.37.0/24 le 32
>>>> ip prefix-list local seq 10 permit 196.47.0.0/16 le 32
>>>> access-list 1 permit any
>>>> access-list 2 deny any
>>>> access-list 3 permit 10.0.0.2
>>>> access-list 3 permit 10.222.0.1
>>>> access-list 3 permit 10.222.0.2
>>>> access-list 3 permit 10.244.0.2
>>>> no cdp run
>>>> !
>>>> route-map to-eigrp deny 10
>>>> match ip address prefix-list local
>>>> !
>>>> route-map to-eigrp permit 1000
>>>>
>>>>
>>>> adsl-nhrp-hub#show ip nhrp
>>>> 10.0.0.2/32 via 10.0.0.2, Tunnel0 created 03:19:00, expire 00:00:57
>>>> Type: dynamic, Flags: authoritative unique registered used
>>>> NBMA address: 41.195.37.174
>>>> 10.0.0.3/32 via 10.0.0.3, Tunnel0 created 00:04:56, expire 00:00:33
>>>> Type: dynamic, Flags: authoritative unique registered used
>>>> NBMA address: 41.195.37.191
>>>>
>>>> adsl-nhrp-hub#show crypto ipsec sa
>>>>
>>>> interface: Tunnel0
>>>> Crypto map tag: Tunnel0-head-0, local addr 196.47.0.204
>>>>
>>>> protected vrf: (none)
>>>> local ident (addr/mask/prot/port): (196.47.0.204/255.255.255.255/47/0)
>>>> remote ident (addr/mask/prot/port): (41.195.37.174/255.255.255.255/47/0)
>>>> current_peer 41.195.37.174 port 500
>>>> PERMIT, flags={origin_is_acl,}
>>>> #pkts encaps: 5764, #pkts encrypt: 5764, #pkts digest: 5764
>>>> #pkts decaps: 3484, #pkts decrypt: 3484, #pkts verify: 3484
>>>> #pkts compressed: 0, #pkts decompressed: 0
>>>> #pkts not compressed: 0, #pkts compr. failed: 0
>>>> #pkts not decompressed: 0, #pkts decompress failed: 0
>>>> #send errors 0, #recv errors 0
>>>>
>>>> local crypto endpt.: 196.47.0.204, remote crypto endpt.: 41.195.37.174
>>>> path mtu 1452, ip mtu 1452, ip mtu idb Virtual-PPP1
>>>> current outbound spi: 0xD9D819B1(3654818225)
>>>>
>>>> inbound esp sas:
>>>> spi: 0x8AD878CD(2329442509)
>>>> transform: esp-aes esp-md5-hmac ,
>>>> in use settings ={Tunnel, }
>>>> conn id: 3006, flow_id: FPGA:6, crypto map: Tunnel0-head-0
>>>> sa timing: remaining key lifetime (k/sec): (4437499/1923)
>>>> IV size: 16 bytes
>>>> replay detection support: Y
>>>> Status: ACTIVE
>>>>
>>>> inbound ah sas:
>>>>
>>>> inbound pcp sas:
>>>>
>>>> outbound esp sas:
>>>> spi: 0xD9D819B1(3654818225)
>>>> transform: esp-aes esp-md5-hmac ,
>>>> in use settings ={Tunnel, }
>>>> conn id: 3005, flow_id: FPGA:5, crypto map: Tunnel0-head-0
>>>> sa timing: remaining key lifetime (k/sec): (4437454/1923)
>>>> IV size: 16 bytes
>>>> replay detection support: Y
>>>> Status: ACTIVE
>>>>
>>>> outbound ah sas:
>>>>
>>>> outbound pcp sas:
>>>>
>>>> protected vrf: (none)
>>>> local ident (addr/mask/prot/port): (196.47.0.204/255.255.255.255/47/0)
>>>> remote ident (addr/mask/prot/port): (41.195.37.191/255.255.255.255/47/0)
>>>> current_peer 41.195.37.191 port 500
>>>> PERMIT, flags={origin_is_acl,}
>>>> #pkts encaps: 153, #pkts encrypt: 153, #pkts digest: 153
>>>> #pkts decaps: 80, #pkts decrypt: 80, #pkts verify: 80
>>>> #pkts compressed: 0, #pkts decompressed: 0
>>>> #pkts not compressed: 0, #pkts compr. failed: 0
>>>> #pkts not decompressed: 0, #pkts decompress failed: 0
>>>> #send errors 1, #recv errors 0
>>>>
>>>> local crypto endpt.: 196.47.0.204, remote crypto endpt.: 41.195.37.191
>>>> path mtu 1452, ip mtu 1452, ip mtu idb Virtual-PPP1
>>>> current outbound spi: 0x6E27D1C2(1848103362)
>>>>
>>>> inbound esp sas:
>>>> spi: 0xEE9B0E5D(4003139165)
>>>> transform: esp-aes esp-md5-hmac ,
>>>> in use settings ={Tunnel, }
>>>> conn id: 3004, flow_id: FPGA:4, crypto map: Tunnel0-head-0
>>>> sa timing: remaining key lifetime (k/sec): (4478781/3289)
>>>> IV size: 16 bytes
>>>> replay detection support: Y
>>>> Status: ACTIVE
>>>>
>>>> inbound ah sas:
>>>>
>>>> inbound pcp sas:
>>>>
>>>> outbound esp sas:
>>>> spi: 0x6E27D1C2(1848103362)
>>>> transform: esp-aes esp-md5-hmac ,
>>>> in use settings ={Tunnel, }
>>>> conn id: 3003, flow_id: FPGA:3, crypto map: Tunnel0-head-0
>>>> sa timing: remaining key lifetime (k/sec): (4478771/3289)
>>>> IV size: 16 bytes
>>>> replay detection support: Y
>>>> Status: ACTIVE
>>>>
>>>> outbound ah sas:
>>>>
>>>> outbound pcp sas:
>>>>
>>>> adsl-nhrp-hub#show crypto map
>>>> Crypto Map "Tunnel0-head-0" 65536 ipsec-isakmp
>>>> Profile name: DMVPN
>>>> Security association lifetime: 4608000 kilobytes/3600 seconds
>>>> PFS (Y/N): N
>>>> Transform sets={
>>>> 3DES_MD5,
>>>> }
>>>>
>>>> Crypto Map "Tunnel0-head-0" 65540 ipsec-isakmp
>>>> Map is a PROFILE INSTANCE.
>>>> Peer = 41.195.37.174
>>>> Extended IP access list
>>>> access-list permit gre host 196.47.0.204 host 41.195.37.174
>>>> Current peer: 41.195.37.174
>>>> Security association lifetime: 4608000 kilobytes/3600 seconds
>>>> PFS (Y/N): N
>>>> Transform sets={
>>>> 3DES_MD5,
>>>> }
>>>>
>>>> Crypto Map "Tunnel0-head-0" 65541 ipsec-isakmp
>>>> Map is a PROFILE INSTANCE.
>>>> Peer = 41.195.37.191
>>>> Extended IP access list
>>>> access-list permit gre host 196.47.0.204 host 41.195.37.191
>>>> Current peer: 41.195.37.191
>>>> Security association lifetime: 4608000 kilobytes/3600 seconds
>>>> PFS (Y/N): N
>>>> Transform sets={
>>>> 3DES_MD5,
>>>> }
>>>> Interfaces using crypto map Tunnel0-head-0:
>>>> Tunnel0
>>>>
>>>> adsl-nhrp-hub#show crypto engine connections active
>>>>
>>>>   ID Interface     IP-Address     State Algorithm         Encrypt Decrypt
>>>>   16 Virtual-PPP1  196.47.0.204   set   HMAC_MD5+AES_CBC        0       0
>>>>   18 Tunnel0       10.0.0.1       set   HMAC_MD5+AES_CBC        0       0
>>>> 3003 Tunnel0       196.47.0.204   set   AES+MD5               169       0
>>>> 3004 Tunnel0       196.47.0.204   set   AES+MD5                 0       8
>>>> 3005 Virtual-PPP1  196.47.0.204   set   AES+MD5               818       0
>>>> 3006 Virtual-PPP1  196.47.0.204   set   AES+MD5                 0       1
>>>>
>>>>
>>>> Spoke Configuration
>>>> ===================
>>>>
>>>> ip cef
>>>> !
>>>> no ip domain lookup
>>>> ip auth-proxy max-nodata-conns 3
>>>> ip admission max-nodata-conns 3
>>>> vpdn enable
>>>> !
>>>> l2tp-class l2tpclass1
>>>> authentication
>>>> password 7 xxxx
>>>> !
>>>> !
>>>> pseudowire-class pwclass1
>>>> encapsulation l2tpv2
>>>> protocol l2tpv2 l2tpclass1
>>>> ip local interface Dialer1
>>>> !
>>>> !
>>>> crypto isakmp policy 10
>>>> encr aes
>>>> hash md5
>>>> authentication pre-share
>>>> group 2
>>>> crypto isakmp key XXXXX address 0.0.0.0 0.0.0.0
>>>> !
>>>> !
>>>> crypto ipsec transform-set 3DES_MD5 esp-aes esp-md5-hmac
>>>> !
>>>> crypto ipsec profile DMVPN
>>>> set transform-set 3DES_MD5
>>>> !
>>>> !
>>>> !
>>>> !
>>>> interface Loopback0
>>>> ip address 172.16.1.3 255.255.255.255
>>>> !
>>>> interface Tunnel0
>>>> ip address 10.0.0.3 255.255.255.0
>>>> no ip redirects
>>>> ip mtu 1400
>>>> ip nhrp authentication xxxxxxxxxx
>>>> ip nhrp map 10.0.0.1 196.47.0.204
>>>> ip nhrp map multicast 196.47.0.204
>>>> ip nhrp network-id 1
>>>> ip nhrp holdtime 60
>>>> ip nhrp nhs 10.0.0.1
>>>> ip nhrp registration timeout 30
>>>> ip tcp adjust-mss 1360
>>>> tunnel source Dialer1
>>>> tunnel mode gre multipoint
>>>> tunnel key 1
>>>> tunnel protection ipsec profile DMVPN
>>>> !
>>>> interface FastEthernet0/0
>>>> ip address dhcp
>>>> speed 100
>>>> full-duplex
>>>> pppoe enable group global
>>>> pppoe-client dial-pool-number 1
>>>> !
>>>> interface FastEthernet0/1
>>>> ip address 10.222.0.1 255.255.255.0
>>>> speed 100
>>>> full-duplex
>>>> !
>>>> !
>>>> interface Dialer1
>>>> mtu 1492
>>>> ip address negotiated
>>>> ip virtual-reassembly
>>>> encapsulation ppp
>>>> ip tcp adjust-mss 1452
>>>> dialer pool 1
>>>> ppp chap hostname XXXX
>>>> ppp chap password 0 XXXX
>>>> ppp pap sent-username XXXX password 0 XXXXX
>>>> !
>>>> router eigrp 1
>>>> redistribute connected route-map to-eigrp
>>>> redistribute static
>>>> passive-interface FastEthernet0/1
>>>> passive-interface Dialer1
>>>> network 10.0.0.0 0.0.0.255
>>>> no auto-summary
>>>> eigrp stub connected
>>>> !
>>>> ip forward-protocol nd
>>>> ip route 0.0.0.0 0.0.0.0 Dialer1
>>>> !
>>>> !
>>>> ip http server
>>>> no ip http secure-server
>>>> !
>>>> !
>>>> ip prefix-list local seq 5 permit 41.195.37.0/24 le 32
>>>> access-list 1 permit any
>>>> access-list 2 deny any
>>>> access-list 3 permit 10.222.0.1
>>>> access-list 3 permit 10.222.0.2
>>>> access-list 3 permit 10.244.0.2
>>>> access-list 3 permit 10.244.0.1
>>>> !
>>>> route-map clear-df permit 10
>>>> set ip df 0
>>>> !
>>>> route-map to-eigrp deny 10
>>>> match ip address prefix-list local
>>>> !
>>>> route-map to-eigrp permit 1000
>>>>
>>>>
>>>> Some Debugs
>>>> ===========
>>>>
>>>> nhrp-spoke-2#show ip nhrp
>>>> 10.0.0.1/32 via 10.0.0.1, Tunnel0 created 23:59:15, never expire
>>>> Type: static, Flags: authoritative used
>>>> NBMA address: 196.47.0.204
>>>>
>>>>
>>>> nhrp-spoke-2#show crypto ipsec sa
>>>>
>>>> interface: Tunnel0
>>>> Crypto map tag: Tunnel0-head-0, local addr 41.195.37.191
>>>>
>>>> protected vrf: (none)
>>>> local ident (addr/mask/prot/port): (41.195.37.191/255.255.255.255/47/0)
>>>> remote ident (addr/mask/prot/port): (196.47.0.204/255.255.255.255/47/0)
>>>> current_peer 196.47.0.204 port 500
>>>> PERMIT, flags={origin_is_acl,}
>>>> #pkts encaps: 13410, #pkts encrypt: 13410, #pkts digest: 13410
>>>> #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
>>>> #pkts compressed: 0, #pkts decompressed: 0
>>>> #pkts not compressed: 0, #pkts compr. failed: 0
>>>> #pkts not decompressed: 0, #pkts decompress failed: 0
>>>> #send errors 3, #recv errors 0
>>>>
>>>> local crypto endpt.: 41.195.37.191, remote crypto endpt.: 196.47.0.204
>>>> path mtu 1492, ip mtu 1492, ip mtu idb Dialer1
>>>> current outbound spi: 0xEE9B0E5D(4003139165)
>>>>
>>>> inbound esp sas:
>>>> spi: 0x6E27D1C2(1848103362)
>>>> transform: esp-aes esp-md5-hmac ,
>>>> in use settings ={Tunnel, }
>>>> conn id: 3004, flow_id: FPGA:4, crypto map: Tunnel0-head-0
>>>> sa timing: remaining key lifetime (k/sec): (4530791/3584)
>>>> IV size: 16 bytes
>>>> replay detection support: Y
>>>> Status: ACTIVE
>>>>
>>>> inbound ah sas:
>>>>
>>>> inbound pcp sas:
>>>>
>>>> outbound esp sas:
>>>> spi: 0xEE9B0E5D(4003139165)
>>>> transform: esp-aes esp-md5-hmac ,
>>>> in use settings ={Tunnel, }
>>>> conn id: 3003, flow_id: FPGA:3, crypto map: Tunnel0-head-0
>>>> sa timing: remaining key lifetime (k/sec): (4530789/3584)
>>>> IV size: 16 bytes
>>>> replay detection support: Y
>>>> Status: ACTIVE
>>>>
>>>> outbound ah sas:
>>>>
>>>> outbound pcp sas:
>>>>
>>>> nhrp-spoke-2#show crypto engine connections active
>>>>
>>>>   ID Interface  IP-Address     State Algorithm         Encrypt Decrypt
>>>>   13 Dialer1    41.195.37.191  set   HMAC_MD5+AES_CBC        0       0
>>>>   14 Dialer1    41.195.37.191  set   HMAC_MD5+AES_CBC        0       0
>>>> 3003 Dialer1    41.195.37.191  set   AES+MD5                15       0
>>>> 3004 Dialer1    41.195.37.191  set   AES+MD5                 0       0
>>>>
>>>> nhrp-spoke-2#show crypto map
>>>> Crypto Map "Tunnel0-head-0" 65536 ipsec-isakmp
>>>> Profile name: DMVPN
>>>> Security association lifetime: 4608000 kilobytes/3600 seconds
>>>> PFS (Y/N): N
>>>> Transform sets={
>>>> 3DES_MD5,
>>>> }
>>>>
>>>> Crypto Map "Tunnel0-head-0" 65537 ipsec-isakmp
>>>> Map is a PROFILE INSTANCE.
>>>> Peer = 196.47.0.204
>>>> Extended IP access list
>>>> access-list permit gre host 41.195.37.191 host 196.47.0.204
>>>> Current peer: 196.47.0.204
>>>> Security association lifetime: 4608000 kilobytes/3600 seconds
>>>> PFS (Y/N): N
>>>> Transform sets={
>>>> 3DES_MD5,
>>>> }
>>>> Interfaces using crypto map Tunnel0-head-0:
>>>> Tunnel0
>>>>
>>>>
>>>> ---------------------------------------------------------------------
>>>> A feature is a bug with seniority.
>>>>
>>>> Nic Tjirkalli
>>>> Verizon Business South Africa
>>>> Network Strategy Team
>>>>
>>>> Verizon Business is a brand of Verizon South Africa (Pty) Ltd. This
>>>> e-mail
>>>> is strictly confidential and intended only for use by the addressee
>>>> unless
>>>> otherwise indicated.
>>>>
>>>> Company Information:http:// www.verizonbusiness.com/za/contact/legal/
>>>>
>>>> This e-mail is strictly confidential and intended only for use by the
>>>> addressee unless otherwise indicated.
>>>>
>>>>
>>>>
>>>
>>>
>>> _______________________________________________
>>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>
>>>
>>
>
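The comparison this thread makes by eye (hub encaps versus spoke decaps, and whether each side's SPIs line up) can be automated. The following is an added example, not code from the thread: it parses the relevant lines of `show crypto ipsec sa` from both routers and reports SA pairs where one side encapsulates but the other never decapsulates. The embedded output is constructed from the counters and SPIs quoted above.

```python
import re
from dataclasses import dataclass

# Constructed samples, abridged to the lines the parser needs; the counters and
# SPIs are the ones quoted from the hub and spoke earlier in this thread.
HUB_OUTPUT = """\
   local  ident (addr/mask/prot/port): (196.47.0.204/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (41.195.37.191/255.255.255.255/47/0)
    #pkts encaps: 153, #pkts encrypt: 153, #pkts digest: 153
    #pkts decaps: 80, #pkts decrypt: 80, #pkts verify: 80
     inbound esp sas:
      spi: 0xEE9B0E5D(4003139165)
     outbound esp sas:
      spi: 0x6E27D1C2(1848103362)"""
SPOKE_OUTPUT = """\
   local  ident (addr/mask/prot/port): (41.195.37.191/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (196.47.0.204/255.255.255.255/47/0)
    #pkts encaps: 13410, #pkts encrypt: 13410, #pkts digest: 13410
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
     inbound esp sas:
      spi: 0x6E27D1C2(1848103362)
     outbound esp sas:
      spi: 0xEE9B0E5D(4003139165)"""

@dataclass
class IpsecSa:
    local: str
    remote: str = ""
    encaps: int = 0
    decaps: int = 0
    inbound_spi: str = ""
    outbound_spi: str = ""

IDENT_RE = re.compile(r"(local|remote)\s+ident.*?:\s*\(([\d.]+)/")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
SPI_RE = re.compile(r"spi: (0x[0-9A-Fa-f]+)")   # match() anchors at line start

def parse_ipsec_sa(text):
    """Return one IpsecSa per 'local ident' block of 'show crypto ipsec sa'."""
    sas, cur, direction = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = IDENT_RE.match(line)
        if m and m.group(1) == "local":          # a new SA block starts here
            cur, direction = IpsecSa(local=m.group(2)), None
            sas.append(cur)
        elif cur is None:
            continue                              # preamble before the first SA
        elif m:
            cur.remote = m.group(2)
        elif (m := COUNTER_RE.match(line)):
            setattr(cur, m.group(1), int(m.group(2)))
        elif line.startswith("inbound esp sas"):
            direction = "inbound_spi"
        elif line.startswith("outbound esp sas"):
            direction = "outbound_spi"
        elif direction and (m := SPI_RE.match(line)):
            setattr(cur, direction, m.group(1))
    return sas

def diagnose(name_a, sas_a, name_b, sas_b):
    findings = []
    for a in sas_a:
        for b in sas_b:
            if (a.local, a.remote) != (b.remote, b.local):
                continue                          # not the same SA pair
            pair = f"{a.local}<->{b.local}"
            # Each side's outbound SPI must be the other side's inbound SPI.
            if a.outbound_spi != b.inbound_spi or b.outbound_spi != a.inbound_spi:
                findings.append(f"{pair}: SPIs disagree, the two SA views are out of sync")
            # Encaps on one side with zero decaps on the other: ESP leaves the sender
            # but never reaches the receiver's crypto engine.
            for src, dst, x, y in ((name_a, name_b, a, b), (name_b, name_a, b, a)):
                if x.encaps and not y.decaps:
                    findings.append(f"{pair}: {src} encaps {x.encaps} but {dst} decaps 0")
    return findings

def check_samples():
    return diagnose("hub", parse_ipsec_sa(HUB_OUTPUT), "spoke", parse_ipsec_sa(SPOKE_OUTPUT))
```

For the sample it returns a single finding for the hub-to-spoke direction with the SPIs in agreement, which is consistent with ESP leaving the hub but never arriving at the spoke's crypto engine rather than with an SA mismatch.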