[c-nsp] DMVPN and IPsec on 6509

Prabhu Gurumurthy pgurumu at gmail.com
Fri Apr 23 04:03:26 EDT 2010


Hello all -

I have a 6509E with a SPA and am trying to run it both as a DMVPN hub and as
an IPsec concentrator using crypto connect mode. I am having trouble: DMVPN
does not stay up, and when the plain vanilla L2L IPsec tunnel comes up, DMVPN
drops off completely. I am running 12.2(33) SXI3. Any ideas?

System profile:

6509 chassis
SUP 720 3CXL
6748
SPA

DMVPN  and IPsec config

! IKE phase 1 (ISAKMP) proposals; lower policy numbers are preferred.
! All three use pre-shared-key authentication and Diffie-Hellman group 2
! (1024-bit MODP). No "hash" or "lifetime" is configured, so the platform
! defaults apply to every policy.
! NOTE(review): group 2 and 3DES are legacy parameters; confirm which peers
! still require policy 3 before keeping it as a fallback.
crypto isakmp policy 1
  encr aes 256
  authentication pre-share
  group 2
!
! "encr aes" with no key size selects 128-bit AES.
crypto isakmp policy 2
  encr aes
  authentication pre-share
  group 2
!
crypto isakmp policy 3
  encr 3des
  authentication pre-share
  group 2

! Pre-shared keys. Both appear as plain strings (no encrypted-key type marker).
! NOTE(review): redact PSKs before sharing a configuration; a key that has
! been published should be treated as exposed and rotated on both ends.
! Key bound to the single peer 2.0.0.2 (the peer named in crypto map VPN_MAP).
crypto isakmp key u9xRAAoBJ1rkXXmj4uWf$/#pnm address 2.0.0.2
! Wildcard key: 0.0.0.0 0.0.0.0 matches any peer address, so every device that
! holds this string can pass IKE authentication regardless of its source IP.
! Presumably present for DMVPN spokes with dynamic addresses -- confirm.
crypto isakmp key fM6zoD2bZCFljk5kZA456abwe address 0.0.0.0 0.0.0.0
! Allows IKE to be initiated when an IPsec packet arrives with an unknown SPI.
crypto isakmp invalid-spi-recovery
!
!
! IPsec (phase 2) transform sets. Every set is ESP with SHA-1 HMAC integrity;
! they differ only in cipher (AES-256, AES-128, 3DES) and encapsulation mode.
! Sets prefixed TR_ request transport mode; the others use the default
! (tunnel) mode because no "mode" line follows them.
! Only TR_AES_SHA and TR_AES256_SHA are referenced elsewhere in this listing.
crypto ipsec transform-set AES256_SHA esp-aes 256 esp-sha-hmac
crypto ipsec transform-set TR_AES256_SHA esp-aes 256 esp-sha-hmac
  mode transport
crypto ipsec transform-set TR_AES_SHA esp-aes esp-sha-hmac
  mode transport
crypto ipsec transform-set 3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TR_3DES_SHA esp-3des esp-sha-hmac
  mode transport
crypto ipsec transform-set AES_SHA esp-aes esp-sha-hmac
!
! IPsec profile applied to the DMVPN tunnel (interface Tunnel3 references it
! through "tunnel protection ipsec profile VPN_PRF").
! Offers a single proposal: AES-128 / SHA-1 HMAC in transport mode, with an
! 8-hour (28800 s) SA lifetime.
crypto ipsec profile VPN_PRF
  description "DMVPN IPsec profile"
  set security-association lifetime seconds 28800
  set transform-set TR_AES_SHA
!
!
!
! Static crypto map for the L2L peer 2.0.0.2; applied on interface Vlan113.
! SA lifetime is 24 hours (86400 s), longer than the 28800 s used by VPN_PRF.
crypto map VPN_MAP 1 ipsec-isakmp
  set peer 2.0.0.2
  set security-association lifetime seconds 86400
  ! Both offered sets are transport mode (AES-128 first, then AES-256).
  set transform-set TR_AES_SHA TR_AES256_SHA
  ! ACL LAS_SFO_TRAFFIC decides which traffic is encrypted; it is not shown in
  ! this listing. NOTE(review): confirm it covers the intended flows (e.g. the
  ! GRE traffic of Tunnel1) -- anything it does not match is sent in the clear.
  match address LAS_SFO_TRAFFIC

! This stanza repeats the VPN_PRF profile that already appears earlier in the
! listing, with the same description, lifetime and transform set.
crypto ipsec profile VPN_PRF
  description "DMVPN IPsec profile"
  set security-association lifetime seconds 28800
  set transform-set TR_AES_SHA
!

! DMVPN tunnel: multipoint GRE with NHRP, protected by IPsec profile VPN_PRF.
! No static NHRP mappings or NHS are configured, which matches the hub role
! described in the post.
interface Tunnel3
  ip address 10.82.2.2 255.255.254.0
  no ip redirects
  ! NHRP authentication string, shown in cleartext. It is a shared string
  ! carried inside NHRP packets, not a cryptographic key; peer authentication
  ! rests on the IKE pre-shared key. Redact it when sharing the config.
  ip nhrp authentication HTt5twWV
  ! Replicate multicast/broadcast to spokes as they register dynamically.
  ip nhrp map multicast dynamic
  ip nhrp network-id 173146626
  ! Tunnel endpoint is Loopback0 (1.1.1.1), not the crypto-connected Vlan113.
  tunnel source Loopback0
  tunnel mode gre multipoint
  tunnel protection ipsec profile VPN_PRF
  ! Binds this tunnel's crypto processing to the module in slot 4/0, the same
  ! slot referenced on Vlan113.
  crypto engine slot 4/0

! Point-to-point GRE tunnel (IPv4 and IPv6) to the L2L peer 2.0.0.2.
! There is no "tunnel protection" line here, so GRE itself is unencrypted at
! this interface. NOTE(review): encryption presumably comes from crypto map
! VPN_MAP on the source interface Vlan113 -- confirm that ACL LAS_SFO_TRAFFIC
! matches GRE between the two tunnel endpoints.
interface Tunnel1
  description "GRE IP/IPv6 tunnel to SFO"
  ip address 10.82.5.1 255.255.255.252
  ipv6 address FDA0:C946:7758:120::2/64
  tunnel source Vlan113
  tunnel destination 2.0.0.2

! Host-route loopback used as the tunnel source of the DMVPN interface Tunnel3.
interface Loopback0
  ip address 1.1.1.1 255.255.255.255

! Outside physical port. It carries no IP address of its own; "crypto connect"
! attaches it to interface VLAN 113, where the address and crypto map live.
interface GigabitEthernet5/3
  description "GigE P2P link to LAS-AGG7S1-2"
  no ip address
  no cdp enable
  crypto connect vlan 113

! Crypto interface VLAN for the crypto-connected port GigabitEthernet5/3.
interface Vlan113
  ip address 2.1.1.2 255.255.255.252
  ! Inbound filter; ACL INTERNET_IN is not shown in this listing.
  ! NOTE(review): with a wildcard IKE pre-shared key configured, confirm this
  ! ACL limits IKE/ESP to the sources that are actually expected.
  ip access-group INTERNET_IN in
  ! L2L crypto map for peer 2.0.0.2, processed by the module in slot 4/0.
  crypto map VPN_MAP
  crypto engine slot 4/0


Prabhu
-

