[c-nsp] DMVPN breaks when IPSEC protection is applied to tunnels

Luan M Nguyen luan at t3technology.com
Wed Aug 27 12:18:40 EDT 2008


You need to use the Zone Base Firewall to be able to catch outbound packets
generated by the router itself.
Wonder if anyone uses control plane policy outbound to monitor what the
router is sending...
It turns out that the hub router has a bad onboard encryption card. Using
software encryption, everything is fine.
Thanks for the suggestion Aaron.

-Luan

-----Original Message-----
From: Nic Tjirkalli [mailto:nic.tjirkalli at za.verizonbusiness.com] 
Sent: Wednesday, August 27, 2008 12:53 AM
To: Aaron
Cc: Luan M Nguyen; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] DMVPN breaks when IPSEC protection is applied to
tunnels

Howdy ho,

> How about putting on the outbound to make sure that you are sending it to
> the hub?
good idea - add this to the hub router :-

adsl-nhrp-hub#show access-lists  check_packets_in
Extended IP access list check_packets_in
     10 permit ahp any any
     20 permit esp any any
     30 permit udp any eq isakmp any eq isakmp
     40 permit ip any any

interface Virtual-PPP1
ip access-group check_packets_in out

just to make sure all was reset and applied, I reloaded the hub router and
both spoke routers and looked at the ACL after a few minutes of all the
routers coming up :-
adsl-nhrp-hub#show access-lists  check_packets_in
Extended IP access list check_packets_in
     10 permit ahp any any
     20 permit esp any any
     30 permit udp any eq isakmp any eq isakmp
     40 permit ip any any

no matches ..... I doubt this can be accurate - at least there should be
IP matches as NHRP is up :-
10.0.0.2/32 via 10.0.0.2, Tunnel0 created 00:01:15, expire 00:00:44
   Type: dynamic, Flags: authoritative unique registered used
   NBMA address: 41.195.37.174
10.0.0.3/32 via 10.0.0.3, Tunnel0 created 00:05:20, expire 00:00:45
   Type: dynamic, Flags: authoritative unique registered
   NBMA address: 41.195.37.191

from the routing table on the hub, traffic to NHRP neighbours should be going out
of Virtual-PPP1

adsl-nhrp-hub#show ip route 
Gateway of last resort is 0.0.0.0 to network 0.0.0.0

      196.30.121.0/32 is subnetted, 1 subnets
S       196.30.121.42 is directly connected, Dialer1
      172.16.0.0/32 is subnetted, 1 subnets
C       172.16.1.1 is directly connected, Loopback0
      196.47.0.0/32 is subnetted, 1 subnets
C       196.47.0.204 is directly connected, Virtual-PPP1
      10.0.0.0/24 is subnetted, 1 subnets
C       10.0.0.0 is directly connected, Tunnel0
      41.0.0.0/32 is subnetted, 2 subnets
C       41.195.37.199 is directly connected, Dialer1
C       41.195.37.129 is directly connected, Dialer1
S*   0.0.0.0/0 is directly connected, Virtual-PPP1


thanx

>
>
> On Tue, Aug 26, 2008 at 1:37 AM, Nic Tjirkalli <
> nic.tjirkalli at za.verizonbusiness.com> wrote:
>
>> Howdy ho,
>>
>>
>>> Maybe try to put in an ACL or could use netflow for this as well...
>>> ip access-list extended check_packets_in
>>> permit esp any any
>>> permit udp any eq isakmp any eq isakmp
>>> permit ip any any
>>> interface dialer 1
>>> ip access-group check_packets_in in
>>>
>>> To see if ESP is coming in to your spoke router.
>>>
>> good suggestion but now I am even more confused
>>
>> created acl as follows and applied to dialer 1 in :-
>> interface Dialer1
>>  ip access-group check_packets_in in
>>
>> but there are no matches at all - not even IP
>> nhrp-spoke-2#show access-lists check_packets_in
>> Extended IP access list check_packets_in
>>    10 permit ahp any any
>>    20 permit esp any any
>>    30 permit udp any eq isakmp any eq isakmp
>>    40 permit ip any any
>>
>>
>> `:wq``
>>
>>
>>
>>
>>> -Luan
>>>
>>>
>>>
>>> -----Original Message-----
>>> From: cisco-nsp-bounces at puck.nether.net
>>> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Nic Tjirkalli
>>> Sent: Monday, August 25, 2008 3:40 AM
>>> To: cisco-nsp at puck.nether.net
>>> Subject: Re: [c-nsp] DMVPN breaks when IPSEC protection is applied to
>>> tunnels
>>>
>>> howdy ho all,
>>>
>>> thanx to those who sent through suggestions on how to get the IPSEC to
>>> work
>>> - the ideas were :- try mode transport
>>>                 :- don't use a wildcard for the secret
>>>
>>> so i changed the hub and spoke as follows :-
>>> crypto ipsec transform-set 3DES_MD5 esp-aes esp-md5-hmac
>>>  mode transport
>>>
>>> crypto isakmp key CISCO address 41.195.37.0 255.255.255.0
>>> crypto isakmp key CISCO address 196.47.0.204 255.255.255.0
>>>
>>>
>>> also same symptoms
>>> - crypto comes up
>>> - hub reports IPSEC encaps and decaps
>>> - spoke sites report 0 decaps for IPSEC and no errors
>>>
>>>
>>> any other ideas?
>>>
>>> thanx
>>>
>>>
>>>>
>>>> howdy ho all,
>>>>
>>>> Was hoping I could use this forum to get some direction on resolving a
>>>> strange issue I have with a DMVPN setup.
>>>>
>>>> All works 100% if I do not protect the tunnels with IPSEC. As soon as I
>>>> enable IPSEC the tunnels stop passing traffic.
>>>>
>>>>
>>>> The setup :-
>>>> ============
>>>>
>>>> All routers are CISCO 1841 platforms. The IOS image is :-
>>>> C1841-ADVIPSERVICESK9-M
>>>> c1841-advipservicesk9-mz.124-21.bin
>>>>
>>>>
>>>> HUB Router
>>>> ----------
>>>> HUB router connects via ADSL (a PPPOE session over ethernet) and then fires
>>>> up an L2TP tunnel to obtain a static IP address.
>>>>
>>>> The IP address allocated to the L2TP interface is 196.47.0.204 (Virtual-PPP1).
>>>> This IP address is the NHS. All connections to/from the hub
>>>> use the address of 196.47.0.204.
>>>>
>>>> Tunnel interface on the hub router is 10.0.0.1
>>>>
>>>>
>>>> Spoke Router
>>>> ------------
>>>> The spoke router (there are 2, I am just showing one) connects via ADSL
>>>> (a PPPOE session over ethernet) and obtains a dynamic IP address. The spoke
>>>> routers use Dialer1 as their interface into the NHRP cloud.
>>>>
>>>> NHRP comes up and if I do not use IPSEC encryption on the Tunnel
>>>> interface, i.e. do not add the command tunnel protection ipsec profile DMVPN
>>>> on Tunnel0
>>>>
>>>> Tunnel interface on the hub router is 10.0.0.3
>>>> all works perfectly.
>>>>
>>>>
>>>> The Problem
>>>> ===========
>>>>
>>>> When I enable IPSEC encryption on the tunnel interfaces on all routers
>>>> then things break. I have tried with both 3DES and AES and same issue.
>>>>
>>>> All the crypto sessions seem correct - correct SAs come up. The dynamically
>>>> created crypto-maps seem correct.
>>>>
>>>> BUT, on the spoke routers, IPSEC reports that no packets are being
>>>> de-encapsulated, but no errors are reported.
>>>>
>>>> nhrp-spoke-2#show crypto ipsec sa
>>>>
>>>> interface: Tunnel0
>>>>  local  ident (addr/mask/prot/port): (41.195.37.191/255.255.255.255/47/0)
>>>>  remote ident (addr/mask/prot/port): (196.47.0.204/255.255.255.255/47/0)
>>>>  current_peer 196.47.0.204 port 500
>>>>    PERMIT, flags={origin_is_acl,}
>>>>   #pkts encaps: 13410, #pkts encrypt: 13410, #pkts digest: 13410
>>>>   #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
>>>>   #pkts compressed: 0, #pkts decompressed: 0
>>>>   #pkts not compressed: 0, #pkts compr. failed: 0
>>>>   #pkts not decompressed: 0, #pkts decompress failed: 0
>>>>   #send errors 3, #recv errors 0
>>>>
>>>>
>>>> But on the HUB, all is well
>>>>  protected vrf: (none)
>>>>  local  ident (addr/mask/prot/port): (196.47.0.204/255.255.255.255/47/0)
>>>>  remote ident (addr/mask/prot/port): (41.195.37.191/255.255.255.255/47/0)
>>>>  current_peer 41.195.37.191 port 500
>>>>    PERMIT, flags={origin_is_acl,}
>>>>   #pkts encaps: 153, #pkts encrypt: 153, #pkts digest: 153
>>>>   #pkts decaps: 80, #pkts decrypt: 80, #pkts verify: 80
>>>>   #pkts compressed: 0, #pkts decompressed: 0
>>>>   #pkts not compressed: 0, #pkts compr. failed: 0
>>>>   #pkts not decompressed: 0, #pkts decompress failed: 0
>>>>   #send errors 1, #recv errors 0
>>>>
>>>>
>>>> Any ideas/thoughts would be greatly appreciated.
>>>>
>>>> The configurations and some useful output are below
>>>>
>>>>
>>>>
>>>> HUB Configuration
>>>> =================
>>>>
>>>> hostname adsl-nhrp-hub
>>>> !
>>>> boot-start-marker
>>>> boot-end-marker
>>>> !
>>>> logging buffered 4096 debugging
>>>> !
>>>> no aaa new-model
>>>> ip cef
>>>> !
>>>> !
>>>> !
>>>> !
>>>> no ip domain lookup
>>>> ip auth-proxy max-nodata-conns 3
>>>> ip admission max-nodata-conns 3
>>>> vpdn enable
>>>> !
>>>> l2tp-class l2tpclass1
>>>> authentication
>>>> password 7 03070E0C2E572B6A1719
>>>> !
>>>> !
>>>> !
>>>> !
>>>> !
>>>> !
>>>> pseudowire-class pwclass1
>>>> encapsulation l2tpv2
>>>> protocol l2tpv2 l2tpclass1
>>>> ip local interface Dialer1
>>>> !
>>>> !
>>>> !
>>>> crypto isakmp policy 10
>>>> encr aes
>>>> hash md5
>>>> authentication pre-share
>>>> group 2
>>>> crypto isakmp key XXXXX address 0.0.0.0 0.0.0.0
>>>> !
>>>> !
>>>> crypto ipsec transform-set 3DES_MD5 esp-aes esp-md5-hmac
>>>> !
>>>> crypto ipsec profile DMVPN
>>>> set transform-set 3DES_MD5
>>>> !
>>>> !
>>>> !
>>>> !
>>>> interface Loopback0
>>>> ip address 172.16.1.1 255.255.255.255
>>>> !
>>>> interface Tunnel0
>>>> ip address 10.0.0.1 255.255.255.0
>>>> no ip redirects
>>>> ip mtu 1400
>>>> no ip next-hop-self eigrp 1
>>>> ip nhrp authentication xxxxxxxxxx
>>>> ip nhrp map multicast dynamic
>>>> ip nhrp network-id 1
>>>> ip nhrp holdtime 60
>>>> ip nhrp registration timeout 30
>>>> ip tcp adjust-mss 1360
>>>> no ip split-horizon eigrp 1
>>>> tunnel source Virtual-PPP1
>>>> tunnel mode gre multipoint
>>>> tunnel key 1
>>>> tunnel protection ipsec profile DMVPN
>>>> !
>>>> interface Null0
>>>> no ip unreachables
>>>> !
>>>> interface FastEthernet0/0
>>>> no ip address
>>>> speed 100
>>>> full-duplex
>>>> pppoe enable group global
>>>> pppoe-client dial-pool-number 1
>>>> !
>>>> interface FastEthernet0/1
>>>> no ip address
>>>> duplex auto
>>>> speed auto
>>>> !
>>>> interface Virtual-PPP1
>>>> ip address negotiated
>>>> ip mtu 1452
>>>> ip virtual-reassembly
>>>> no logging event link-status
>>>> no peer neighbor-route
>>>> no cdp enable
>>>> ppp chap hostname XXXXX
>>>> ppp chap password 7 XXXXXX
>>>> ppp pap sent-username XXXX password 7 XXXXX
>>>> pseudowire 196.30.121.42 10 pw-class pwclass1
>>>> !
>>>> interface Dialer1
>>>> mtu 1492
>>>> ip address negotiated
>>>> ip virtual-reassembly
>>>> encapsulation ppp
>>>> ip tcp adjust-mss 1452
>>>> dialer pool 1
>>>> dialer-group 1
>>>> ppp chap hostname XXX
>>>> ppp chap password 7 XXXX
>>>> ppp pap sent-username XXXX password 7 XXXX
>>>> !
>>>> router eigrp 1
>>>> redistribute connected route-map to-eigrp
>>>> redistribute static
>>>> passive-interface Dialer1
>>>> network 10.0.0.0 0.0.0.255
>>>> no auto-summary
>>>> !
>>>> no ip forward-protocol nd
>>>> ip route 0.0.0.0 0.0.0.0 Virtual-PPP1
>>>> ip route 196.30.121.42 255.255.255.255 Dialer1
>>>> !
>>>> !
>>>> ip http server
>>>> no ip http secure-server
>>>> !
>>>> !
>>>> ip prefix-list local seq 5 permit 41.195.37.0/24 le 32
>>>> ip prefix-list local seq 10 permit 196.47.0.0/16 le 32
>>>> access-list 1 permit any
>>>> access-list 2 deny   any
>>>> access-list 3 permit 10.0.0.2
>>>> access-list 3 permit 10.222.0.1
>>>> access-list 3 permit 10.222.0.2
>>>> access-list 3 permit 10.244.0.2
>>>> no cdp run
>>>> !
>>>> route-map to-eigrp deny 10
>>>> match ip address prefix-list local
>>>> !
>>>> route-map to-eigrp permit 1000
>>>>
>>>>
>>>> adsl-nhrp-hub#show ip nhrp
>>>> 10.0.0.2/32 via 10.0.0.2, Tunnel0 created 03:19:00, expire 00:00:57
>>>>  Type: dynamic, Flags: authoritative unique registered used
>>>>  NBMA address: 41.195.37.174
>>>> 10.0.0.3/32 via 10.0.0.3, Tunnel0 created 00:04:56, expire 00:00:33
>>>>  Type: dynamic, Flags: authoritative unique registered used
>>>>  NBMA address: 41.195.37.191
>>>>
>>>> adsl-nhrp-hub#show crypto ipsec sa
>>>>
>>>> interface: Tunnel0
>>>>   Crypto map tag: Tunnel0-head-0, local addr 196.47.0.204
>>>>
>>>>  protected vrf: (none)
>>>>  local  ident (addr/mask/prot/port): (196.47.0.204/255.255.255.255/47/0)
>>>>  remote ident (addr/mask/prot/port): (41.195.37.174/255.255.255.255/47/0)
>>>>  current_peer 41.195.37.174 port 500
>>>>    PERMIT, flags={origin_is_acl,}
>>>>   #pkts encaps: 5764, #pkts encrypt: 5764, #pkts digest: 5764
>>>>   #pkts decaps: 3484, #pkts decrypt: 3484, #pkts verify: 3484
>>>>   #pkts compressed: 0, #pkts decompressed: 0
>>>>   #pkts not compressed: 0, #pkts compr. failed: 0
>>>>   #pkts not decompressed: 0, #pkts decompress failed: 0
>>>>   #send errors 0, #recv errors 0
>>>>
>>>>    local crypto endpt.: 196.47.0.204, remote crypto endpt.:
>>>> 41.195.37.174
>>>>    path mtu 1452, ip mtu 1452, ip mtu idb Virtual-PPP1
>>>>    current outbound spi: 0xD9D819B1(3654818225)
>>>>
>>>>    inbound esp sas:
>>>>     spi: 0x8AD878CD(2329442509)
>>>>       transform: esp-aes esp-md5-hmac ,
>>>>       in use settings ={Tunnel, }
>>>>       conn id: 3006, flow_id: FPGA:6, crypto map: Tunnel0-head-0
>>>>       sa timing: remaining key lifetime (k/sec): (4437499/1923)
>>>>       IV size: 16 bytes
>>>>       replay detection support: Y
>>>>       Status: ACTIVE
>>>>
>>>>    inbound ah sas:
>>>>
>>>>    inbound pcp sas:
>>>>
>>>>    outbound esp sas:
>>>>     spi: 0xD9D819B1(3654818225)
>>>>       transform: esp-aes esp-md5-hmac ,
>>>>       in use settings ={Tunnel, }
>>>>       conn id: 3005, flow_id: FPGA:5, crypto map: Tunnel0-head-0
>>>>       sa timing: remaining key lifetime (k/sec): (4437454/1923)
>>>>       IV size: 16 bytes
>>>>       replay detection support: Y
>>>>       Status: ACTIVE
>>>>
>>>>    outbound ah sas:
>>>>
>>>>    outbound pcp sas:
>>>>
>>>>  protected vrf: (none)
>>>>  local  ident (addr/mask/prot/port): (196.47.0.204/255.255.255.255/47/0)
>>>>  remote ident (addr/mask/prot/port): (41.195.37.191/255.255.255.255/47/0)
>>>>  current_peer 41.195.37.191 port 500
>>>>    PERMIT, flags={origin_is_acl,}
>>>>   #pkts encaps: 153, #pkts encrypt: 153, #pkts digest: 153
>>>>   #pkts decaps: 80, #pkts decrypt: 80, #pkts verify: 80
>>>>   #pkts compressed: 0, #pkts decompressed: 0
>>>>   #pkts not compressed: 0, #pkts compr. failed: 0
>>>>   #pkts not decompressed: 0, #pkts decompress failed: 0
>>>>   #send errors 1, #recv errors 0
>>>>
>>>>    local crypto endpt.: 196.47.0.204, remote crypto endpt.:
>>>> 41.195.37.191
>>>>    path mtu 1452, ip mtu 1452, ip mtu idb Virtual-PPP1
>>>>    current outbound spi: 0x6E27D1C2(1848103362)
>>>>
>>>>    inbound esp sas:
>>>>     spi: 0xEE9B0E5D(4003139165)
>>>>       transform: esp-aes esp-md5-hmac ,
>>>>       in use settings ={Tunnel, }
>>>>       conn id: 3004, flow_id: FPGA:4, crypto map: Tunnel0-head-0
>>>>       sa timing: remaining key lifetime (k/sec): (4478781/3289)
>>>>       IV size: 16 bytes
>>>>       replay detection support: Y
>>>>       Status: ACTIVE
>>>>
>>>>    inbound ah sas:
>>>>
>>>>    inbound pcp sas:
>>>>
>>>>    outbound esp sas:
>>>>     spi: 0x6E27D1C2(1848103362)
>>>>       transform: esp-aes esp-md5-hmac ,
>>>>       in use settings ={Tunnel, }
>>>>       conn id: 3003, flow_id: FPGA:3, crypto map: Tunnel0-head-0
>>>>       sa timing: remaining key lifetime (k/sec): (4478771/3289)
>>>>       IV size: 16 bytes
>>>>       replay detection support: Y
>>>>       Status: ACTIVE
>>>>
>>>>    outbound ah sas:
>>>>
>>>>    outbound pcp sas:
>>>>
>>>> adsl-nhrp-hub#show crypto map
>>>> Crypto Map "Tunnel0-head-0" 65536 ipsec-isakmp
>>>>       Profile name: DMVPN
>>>>       Security association lifetime: 4608000 kilobytes/3600 seconds
>>>>       PFS (Y/N): N
>>>>       Transform sets={
>>>>               3DES_MD5,
>>>>       }
>>>>
>>>> Crypto Map "Tunnel0-head-0" 65540 ipsec-isakmp
>>>>       Map is a PROFILE INSTANCE.
>>>>       Peer = 41.195.37.174
>>>>       Extended IP access list
>>>>           access-list  permit gre host 196.47.0.204 host 41.195.37.174
>>>>       Current peer: 41.195.37.174
>>>>       Security association lifetime: 4608000 kilobytes/3600 seconds
>>>>       PFS (Y/N): N
>>>>       Transform sets={
>>>>               3DES_MD5,
>>>>       }
>>>>
>>>> Crypto Map "Tunnel0-head-0" 65541 ipsec-isakmp
>>>>       Map is a PROFILE INSTANCE.
>>>>       Peer = 41.195.37.191
>>>>       Extended IP access list
>>>>           access-list  permit gre host 196.47.0.204 host 41.195.37.191
>>>>       Current peer: 41.195.37.191
>>>>       Security association lifetime: 4608000 kilobytes/3600 seconds
>>>>       PFS (Y/N): N
>>>>       Transform sets={
>>>>               3DES_MD5,
>>>>       }
>>>>       Interfaces using crypto map Tunnel0-head-0:
>>>>               Tunnel0
>>>>
>>>> adsl-nhrp-hub#show crypto engine connections active
>>>>
>>>>  ID Interface            IP-Address      State  Algorithm           Encrypt  Decrypt
>>>>  16 Virtual-PPP1         196.47.0.204    set    HMAC_MD5+AES_CBC          0        0
>>>>  18 Tunnel0              10.0.0.1        set    HMAC_MD5+AES_CBC          0        0
>>>> 3003 Tunnel0              196.47.0.204    set    AES+MD5                 169        0
>>>> 3004 Tunnel0              196.47.0.204    set    AES+MD5                   0        8
>>>> 3005 Virtual-PPP1         196.47.0.204    set    AES+MD5                 818        0
>>>> 3006 Virtual-PPP1         196.47.0.204    set    AES+MD5                   0        1
>>>>
>>>>
>>>> Spoke Configuration
>>>> ===================
>>>>
>>>> ip cef
>>>> !
>>>> no ip domain lookup
>>>> ip auth-proxy max-nodata-conns 3
>>>> ip admission max-nodata-conns 3
>>>> vpdn enable
>>>> !
>>>> l2tp-class l2tpclass1
>>>> authentication
>>>> password 7 xxxx
>>>> !
>>>> !
>>>> pseudowire-class pwclass1
>>>> encapsulation l2tpv2
>>>> protocol l2tpv2 l2tpclass1
>>>> ip local interface Dialer1
>>>> !
>>>> !
>>>> crypto isakmp policy 10
>>>> encr aes
>>>> hash md5
>>>> authentication pre-share
>>>> group 2
>>>> crypto isakmp key XXXXX address 0.0.0.0 0.0.0.0
>>>> !
>>>> !
>>>> crypto ipsec transform-set 3DES_MD5 esp-aes esp-md5-hmac
>>>> !
>>>> crypto ipsec profile DMVPN
>>>> set transform-set 3DES_MD5
>>>> !
>>>> !
>>>> !
>>>> !
>>>> interface Loopback0
>>>> ip address 172.16.1.3 255.255.255.255
>>>> !
>>>> interface Tunnel0
>>>> ip address 10.0.0.3 255.255.255.0
>>>> no ip redirects
>>>> ip mtu 1400
>>>> ip nhrp authentication xxxxxxxxxx
>>>> ip nhrp map 10.0.0.1 196.47.0.204
>>>> ip nhrp map multicast 196.47.0.204
>>>> ip nhrp network-id 1
>>>> ip nhrp holdtime 60
>>>> ip nhrp nhs 10.0.0.1
>>>> ip nhrp registration timeout 30
>>>> ip tcp adjust-mss 1360
>>>> tunnel source Dialer1
>>>> tunnel mode gre multipoint
>>>> tunnel key 1
>>>> tunnel protection ipsec profile DMVPN
>>>> !
>>>> interface FastEthernet0/0
>>>> ip address dhcp
>>>> speed 100
>>>> full-duplex
>>>> pppoe enable group global
>>>> pppoe-client dial-pool-number 1
>>>> !
>>>> interface FastEthernet0/1
>>>> ip address 10.222.0.1 255.255.255.0
>>>> speed 100
>>>> full-duplex
>>>> !
>>>> !
>>>> interface Dialer1
>>>> mtu 1492
>>>> ip address negotiated
>>>> ip virtual-reassembly
>>>> encapsulation ppp
>>>> ip tcp adjust-mss 1452
>>>> dialer pool 1
>>>> ppp chap hostname XXXX
>>>> ppp chap password 0 XXXX
>>>> ppp pap sent-username XXXX password 0 XXXXX
>>>> !
>>>> router eigrp 1
>>>> redistribute connected route-map to-eigrp
>>>> redistribute static
>>>> passive-interface FastEthernet0/1
>>>> passive-interface Dialer1
>>>> network 10.0.0.0 0.0.0.255
>>>> no auto-summary
>>>> eigrp stub connected
>>>> !
>>>> ip forward-protocol nd
>>>> ip route 0.0.0.0 0.0.0.0 Dialer1
>>>> !
>>>> !
>>>> ip http server
>>>> no ip http secure-server
>>>> !
>>>> !
>>>> ip prefix-list local seq 5 permit 41.195.37.0/24 le 32
>>>> access-list 1 permit any
>>>> access-list 2 deny   any
>>>> access-list 3 permit 10.222.0.1
>>>> access-list 3 permit 10.222.0.2
>>>> access-list 3 permit 10.244.0.2
>>>> access-list 3 permit 10.244.0.1
>>>> !
>>>> route-map clear-df permit 10
>>>> set ip df 0
>>>> !
>>>> route-map to-eigrp deny 10
>>>> match ip address prefix-list local
>>>> !
>>>> route-map to-eigrp permit 1000
>>>>
>>>>
>>>> Some Debugs
>>>> ===========
>>>>
>>>> nhrp-spoke-2#show ip nhrp
>>>> 10.0.0.1/32 via 10.0.0.1, Tunnel0 created 23:59:15, never expire
>>>>  Type: static, Flags: authoritative used
>>>>  NBMA address: 196.47.0.204
>>>>
>>>>
>>>> nhrp-spoke-2#show crypto ipsec sa
>>>>
>>>> interface: Tunnel0
>>>>   Crypto map tag: Tunnel0-head-0, local addr 41.195.37.191
>>>>
>>>>  protected vrf: (none)
>>>>  local  ident (addr/mask/prot/port): (41.195.37.191/255.255.255.255/47/0)
>>>>  remote ident (addr/mask/prot/port): (196.47.0.204/255.255.255.255/47/0)
>>>>  current_peer 196.47.0.204 port 500
>>>>    PERMIT, flags={origin_is_acl,}
>>>>   #pkts encaps: 13410, #pkts encrypt: 13410, #pkts digest: 13410
>>>>   #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
>>>>   #pkts compressed: 0, #pkts decompressed: 0
>>>>   #pkts not compressed: 0, #pkts compr. failed: 0
>>>>   #pkts not decompressed: 0, #pkts decompress failed: 0
>>>>   #send errors 3, #recv errors 0
>>>>
>>>>    local crypto endpt.: 41.195.37.191, remote crypto endpt.:
>>>> 196.47.0.204
>>>>    path mtu 1492, ip mtu 1492, ip mtu idb Dialer1
>>>>    current outbound spi: 0xEE9B0E5D(4003139165)
>>>>
>>>>    inbound esp sas:
>>>>     spi: 0x6E27D1C2(1848103362)
>>>>       transform: esp-aes esp-md5-hmac ,
>>>>       in use settings ={Tunnel, }
>>>>       conn id: 3004, flow_id: FPGA:4, crypto map: Tunnel0-head-0
>>>>       sa timing: remaining key lifetime (k/sec): (4530791/3584)
>>>>       IV size: 16 bytes
>>>>       replay detection support: Y
>>>>       Status: ACTIVE
>>>>
>>>>    inbound ah sas:
>>>>
>>>>    inbound pcp sas:
>>>>
>>>>    outbound esp sas:
>>>>     spi: 0xEE9B0E5D(4003139165)
>>>>       transform: esp-aes esp-md5-hmac ,
>>>>       in use settings ={Tunnel, }
>>>>       conn id: 3003, flow_id: FPGA:3, crypto map: Tunnel0-head-0
>>>>       sa timing: remaining key lifetime (k/sec): (4530789/3584)
>>>>       IV size: 16 bytes
>>>>       replay detection support: Y
>>>>       Status: ACTIVE
>>>>
>>>>    outbound ah sas:
>>>>
>>>>    outbound pcp sas:
>>>>
>>>> nhrp-spoke-2#show crypto engine connections active
>>>>
>>>>  ID Interface            IP-Address      State  Algorithm           Encrypt  Decrypt
>>>>  13 Dialer1              41.195.37.191   set    HMAC_MD5+AES_CBC          0        0
>>>>  14 Dialer1              41.195.37.191   set    HMAC_MD5+AES_CBC          0        0
>>>> 3003 Dialer1              41.195.37.191   set    AES+MD5                  15        0
>>>> 3004 Dialer1              41.195.37.191   set    AES+MD5                   0        0
>>>>
>>>> nhrp-spoke-2#show crypto map
>>>> Crypto Map "Tunnel0-head-0" 65536 ipsec-isakmp
>>>>       Profile name: DMVPN
>>>>       Security association lifetime: 4608000 kilobytes/3600 seconds
>>>>       PFS (Y/N): N
>>>>       Transform sets={
>>>>               3DES_MD5,
>>>>       }
>>>>
>>>> Crypto Map "Tunnel0-head-0" 65537 ipsec-isakmp
>>>>       Map is a PROFILE INSTANCE.
>>>>       Peer = 196.47.0.204
>>>>       Extended IP access list
>>>>           access-list  permit gre host 41.195.37.191 host 196.47.0.204
>>>>       Current peer: 196.47.0.204
>>>>       Security association lifetime: 4608000 kilobytes/3600 seconds
>>>>       PFS (Y/N): N
>>>>       Transform sets={
>>>>               3DES_MD5,
>>>>       }
>>>>       Interfaces using crypto map Tunnel0-head-0:
>>>>               Tunnel0
>>>>
>>>>
>>>> ---------------------------------------------------------------------
>>>> A feature is a bug with seniority.
>>>>
>>>> Nic Tjirkalli
>>>> Verizon Business South Africa
>>>> Network Strategy Team
>>>>
>>>> Verizon Business is a brand of Verizon South Africa (Pty) Ltd. This
>>>> e-mail
>>>> is strictly confidential and intended only for use by the addressee
>>>> unless
>>>> otherwise indicated.
>>>>
>>>> Company Information:http:// www.verizonbusiness.com/za/contact/legal/
>>>>
>>>> This e-mail is strictly confidential and intended only for use by the
>>>> addressee unless otherwise indicated.
>>>>
>>>>
>>>>
>>>
>>> ---------------------------------------------------------------------
>>> Some days you're the pigeon, and some days you're the statue.
>>>
>>> Nic Tjirkalli
>>> Verizon Business South Africa
>>> Network Strategy Team
>>>
>>>
>>> _______________________________________________
>>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>
>>>
>>
>> ---------------------------------------------------------------------
>> A feature is a bug with seniority.
>>
>> Nic Tjirkalli
>> Verizon Business South Africa
>> Network Strategy Team
>>
>>
>>
>


---------------------------------------------------------------------
Beauty is in the eye of the beer holder.

Nic Tjirkalli
Verizon Business South Africa
Network Strategy Team

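The counters that pointed at the fault in this thread were the per-peer "#pkts encaps" / "#pkts decaps" lines in "show crypto ipsec sa": the spoke encapsulated thousands of packets toward the hub and decapsulated none, while the hub did decapsulate some from the spoke. The script below is an added example, not code from any of the posts above: it parses those counter blocks and flags one-way SAs, and pairs the hub's SA toward a spoke with that spoke's SA toward the hub to say which direction is dead. The sample blocks are excerpted (and trimmed) from the hub and spoke output posted in the thread; the function and class names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List

# Sample output excerpted from the hub and spoke posts in the thread,
# trimmed to the lines this check reads.
HUB_SA = """\
interface: Tunnel0
  Crypto map tag: Tunnel0-head-0, local addr 196.47.0.204

 protected vrf: (none)
 local  ident (addr/mask/prot/port): (196.47.0.204/255.255.255.255/47/0)
 remote ident (addr/mask/prot/port): (41.195.37.174/255.255.255.255/47/0)
 current_peer 41.195.37.174 port 500
   PERMIT, flags={origin_is_acl,}
  #pkts encaps: 5764, #pkts encrypt: 5764, #pkts digest: 5764
  #pkts decaps: 3484, #pkts decrypt: 3484, #pkts verify: 3484
  #send errors 0, #recv errors 0

 protected vrf: (none)
 local  ident (addr/mask/prot/port): (196.47.0.204/255.255.255.255/47/0)
 remote ident (addr/mask/prot/port): (41.195.37.191/255.255.255.255/47/0)
 current_peer 41.195.37.191 port 500
   PERMIT, flags={origin_is_acl,}
  #pkts encaps: 153, #pkts encrypt: 153, #pkts digest: 153
  #pkts decaps: 80, #pkts decrypt: 80, #pkts verify: 80
  #send errors 1, #recv errors 0
"""

SPOKE_SA = """\
interface: Tunnel0
  Crypto map tag: Tunnel0-head-0, local addr 41.195.37.191

 protected vrf: (none)
 local  ident (addr/mask/prot/port): (41.195.37.191/255.255.255.255/47/0)
 remote ident (addr/mask/prot/port): (196.47.0.204/255.255.255.255/47/0)
 current_peer 196.47.0.204 port 500
   PERMIT, flags={origin_is_acl,}
  #pkts encaps: 13410, #pkts encrypt: 13410, #pkts digest: 13410
  #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
  #send errors 3, #recv errors 0
"""

PEER_RE = re.compile(r"current_peer\s+(\S+)\s+port\s+\d+")
ENCAPS_RE = re.compile(r"#pkts encaps:\s*(\d+)")
DECAPS_RE = re.compile(r"#pkts decaps:\s*(\d+)")
ERRORS_RE = re.compile(r"#send errors\s+(\d+),\s*#recv errors\s+(\d+)")


@dataclass
class SaCounters:
    peer: str
    encaps: int
    decaps: int
    send_errors: int
    recv_errors: int

    def one_way(self) -> bool:
        # Traffic leaves for the peer but nothing ever comes back through the SA.
        return self.encaps > 0 and self.decaps == 0


def parse_ipsec_sa(text: str) -> List[SaCounters]:
    """Split the output at each current_peer line and read that peer's counters."""
    sas = []
    for chunk in re.split(r"(?=current_peer\s)", text):
        peer = PEER_RE.search(chunk)
        if not peer:
            continue  # header text before the first peer block
        enc, dec, err = ENCAPS_RE.search(chunk), DECAPS_RE.search(chunk), ERRORS_RE.search(chunk)
        if not (enc and dec and err):
            continue  # truncated block: skip rather than guess at counters
        sas.append(SaCounters(peer.group(1), int(enc.group(1)), int(dec.group(1)),
                              int(err.group(1)), int(err.group(2))))
    return sas


def one_way_peers(text: str) -> List[str]:
    """Peers whose SA sends but never receives, the symptom the spoke showed."""
    return [sa.peer for sa in parse_ipsec_sa(text) if sa.one_way()]


def diagnose(hub_text: str, spoke_text: str, hub_addr: str, spoke_addr: str) -> str:
    """Pair the hub's SA toward the spoke with the spoke's SA toward the hub."""
    hub = {sa.peer: sa for sa in parse_ipsec_sa(hub_text)}.get(spoke_addr)
    spoke = {sa.peer: sa for sa in parse_ipsec_sa(spoke_text)}.get(hub_addr)
    if hub is None or spoke is None:
        return "no matching SA pair"
    if spoke.one_way() and hub.decaps > 0:
        return "hub->spoke broken: hub decaps %d from spoke, spoke decaps 0 from hub" % hub.decaps
    if hub.one_way() and spoke.decaps > 0:
        return "spoke->hub broken: spoke decaps %d from hub, hub decaps 0 from spoke" % spoke.decaps
    if hub.one_way() and spoke.one_way():
        return "both directions broken"
    return "both directions carrying traffic"


if __name__ == "__main__":
    print("one-way peers on spoke:", one_way_peers(SPOKE_SA))
    print("one-way peers on hub:  ", one_way_peers(HUB_SA))
    print(diagnose(HUB_SA, SPOKE_SA, "196.47.0.204", "41.195.37.191"))
```

Run against the thread's own output it reports the spoke's SA to 196.47.0.204 as one-way and the hub-to-spoke direction as the broken one, which is consistent with the eventual finding that the hub's onboard encryption card was faulty. The check deliberately reads only the counters, so it says which direction is dead, not why; outbound interface ACLs, as the thread notes, do not count router-originated packets, so the SA counters are the more reliable signal here.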


