DmVPN MM_NO_STATE ISSUE

Dear all,
I am trying to connect a dynamic VPN between HQ, with public static IP 82.114.179.120, and a branch with dynamic IP 46.35.80.59.
The state is varying between CONF_XAUTH and MM_NO_STATE.
Please can you go through the debug files to help solve the issue. The tunnel interface is 10. The show run is after the debug.
Thanks for your support.
Regards,

Hi Mr. Freak again,
Below is the latest config with the MM_NO_STATE state.
HQ, which is configured to accept remote VPN clients using a crypto map, is configured for dynamic VPN with the branch.
HQ static public IP is 82.114.179.120, tunnel 10 IP is 172.16.10.1 and the local LAN is 192.168.1.0.
The branch has a dynamic public IP, tunnel 10 IP 172.16.10.32 and local LAN 192.168.32.0. It is also configured using tunnel 0 with another HQ, which works fine.
The branch LAN (192.168.32.0) needs to access the HQ LAN (192.168.1.0).
HQ:
aaa authentication login acs local
aaa authorization network acs local
aaa session-id common
ip cef
ip name-server 8.8.8.8
no ipv6 cef
multilink bundle-name authenticated
redundancy
controller VDSL 0/1/0
crypto keyring ccp-dmvpn-keyring
  pre-shared-key address 0.0.0.0 0.0.0.0 key users@NAMA
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp keepalive 3600 5
crypto isakmp nat keepalive 3600
crypto isakmp xauth timeout 60
crypto isakmp client configuration group NAMA
 key namanama
 pool mypool
 acl 101
 save-password
crypto isakmp profile ccp-dmvpn-isakmprofile
   keyring ccp-dmvpn-keyring
   match identity address 0.0.0.0
crypto ipsec transform-set test esp-3des esp-md5-hmac
 mode tunnel
crypto ipsec transform-set ESP-AES-MD5 esp-aes esp-md5-hmac comp-lzs
 mode transport
crypto ipsec profile CiscoCP_Profile1
 set transform-set ESP-AES-MD5
 set isakmp-profile ccp-dmvpn-isakmprofile
crypto dynamic-map map 10
 set transform-set test
 reverse-route
crypto map i-map client authentication list acs
crypto map i-map isakmp authorization list acs
crypto map i-map client configuration address respond
crypto map i-map 10 ipsec-isakmp dynamic map
interface Tunnel10
 bandwidth 1000
 ip address 172.16.10.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication DMVPN_NW
 ip nhrp map multicast dynamic
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip tcp adjust-mss 1360
 delay 1000
 shutdown
 tunnel source Dialer1
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile CiscoCP_Profile1
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
interface GigabitEthernet0/0
 ip address 192.168.0.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
interface ATM0/1/0
 description DSL Interface
 no ip address
 no atm ilmi-keepalive
 pvc 8/35
  encapsulation aal5snap
  pppoe-client dial-pool-number 1
interface Dialer0
 no ip address
interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 ppp authentication chap pap callin
 ppp chap hostname nama20004
 ppp chap password 0 220004
 ppp pap sent-username nama20004 password 0 220004
 crypto map i-map
ip local pool mypool 192.168.30.1 192.168.30.100
ip forward-protocol nd
ip http server
ip http secure-server
ip nat inside source list 171 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.32.0 255.255.255.0 172.16.10.32
access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.30.0 0.0.0.2
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.30.0 0.0.0.2
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.32.0 0.0.0.2
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.35.0 0.0.0.2
access-list 171 deny   ip 192.168.0.0 0.0.0.255 192.168.30.0 0.0.0.2
access-list 171 deny   ip 192.168.1.0 0.0.0.255 192.168.30.0 0.0.0.2
access-list 171 deny   ip 192.168.1.0 0.0.0.255 192.168.35.0 0.0.0.2
access-list 171 deny   ip 192.168.1.0 0.0.0.255 192.168.32.0 0.0.0.2
access-list 171 permit ip any any
dialer-list 2 protocol ip permit
HQ#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
82.114.179.120  78.137.84.92    CONF_XAUTH        1486 ACTIVE
82.114.179.120  78.137.84.92    MM_NO_STATE       1483 ACTIVE (deleted)
82.114.179.120  78.137.84.92    MM_NO_STATE       1482 ACTIVE (deleted)
Branch show run:
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp policy 11
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key users@NAMA address 82.114.179.105
crypto isakmp key users@NAMA address 82.114.179.120
crypto isakmp keepalive 10 periodic
crypto ipsec transform-set ESP-AES-MD5 esp-aes esp-md5-hmac comp-lzs
 mode transport
crypto ipsec transform-set To-Taiz esp-aes esp-md5-hmac comp-lzs
 mode transport
crypto ipsec profile CiscoCP_Profile1
 set transform-set ESP-AES-MD5
crypto ipsec profile To-Taiz-Profile
 set transform-set To-Taiz
interface Tunnel0
 bandwidth 1000
 ip address 172.16.0.32 255.255.255.0
 ip mtu 1400
 ip nhrp authentication DMVPN_NW
 ip nhrp map 172.16.0.1 82.114.179.105
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip nhrp nhs 172.16.0.1
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source Dialer0
 tunnel destination 82.114.179.105
 tunnel key 100000
 tunnel protection ipsec profile CiscoCP_Profile1
interface Tunnel10
 bandwidth 1000
 ip address 172.16.10.32 255.255.255.0
 ip mtu 1400
 ip nhrp authentication DMVPN_NW
 ip nhrp map 172.16.10.1 82.114.179.120
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip nhrp nhs 172.16.10.1
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source Dialer0
 tunnel destination 82.114.179.120
 tunnel key 22334455
 tunnel protection ipsec profile To-Taiz-Profile
interface Ethernet0
 no ip address
 shutdown
interface ATM0
 no ip address
 no atm ilmi-keepalive
interface ATM0.1 point-to-point
 pvc 8/35
  pppoe-client dial-pool-number 1
interface FastEthernet0
 description ## CONNECT TO LAN ##
 no ip address
interface FastEthernet1
 description ## CONNECT TO LAN ##
 no ip address
interface FastEthernet2
 description ## CONNECT TO LAN ##
 no ip address
interface FastEthernet3
 description ## CONNECT TO LAN ##
 no ip address
interface Vlan1
 description ## LAN INTERFACE ##
 ip dhcp client hostname none
 ip address 192.168.32.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1412
interface Dialer0
 ip address negotiated
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname mohammadaa
 ppp chap password 0 123456
 ppp pap sent-username mohammadaa password 0 123456
ip forward-protocol nd
ip http server
ip http access-class 10
ip http authentication local
no ip http secure-server
ip nat inside source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.0.0 255.255.255.0 172.16.0.1
ip route 192.168.1.0 255.255.255.0 172.16.10.1
ip sla auto discovery
dialer-list 1 protocol ip permit
access-list 1 permit 192.168.32.0 0.0.0.255
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 permit 192.168.0.0 0.0.0.255
Branch#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
82.114.179.120  78.137.84.92    MM_NO_STATE       2061 ACTIVE (deleted)
82.114.179.120  78.137.84.92    MM_NO_STATE       2060 ACTIVE (deleted)
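Added example, not part of the thread: a Python script that pulls the DMVPN parameters that must agree between hub and spoke out of IOS running-config text and compares them. The two sample configs are constructed from the Tunnel10-related lines of the HQ and branch configs above; which lines it extracts, and the IOS defaults it assumes for ISAKMP policy attributes that are not configured (DES, SHA, RSA signatures, DH group 1), are my choices, not something the thread states. A mismatched GRE tunnel key makes the receiving router drop the tunnel packets, so IPsec can look healthy while NHRP never registers, and ISAKMP main mode needs one policy on each side with identical encryption, hash, authentication and DH group.

```python
import re

# Constructed sample: the Tunnel10-related parts of the HQ and branch configs in the thread.
HUB_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto ipsec transform-set ESP-AES-MD5 esp-aes esp-md5-hmac comp-lzs
 mode transport
crypto ipsec profile CiscoCP_Profile1
 set transform-set ESP-AES-MD5
interface Tunnel10
 ip nhrp authentication DMVPN_NW
 ip nhrp network-id 100000
 shutdown
 tunnel key 100000
 tunnel protection ipsec profile CiscoCP_Profile1
"""
SPOKE_CONFIG = """\
crypto isakmp policy 11
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto ipsec transform-set To-Taiz esp-aes esp-md5-hmac comp-lzs
 mode transport
crypto ipsec profile To-Taiz-Profile
 set transform-set To-Taiz
interface Tunnel10
 ip nhrp authentication DMVPN_NW
 ip nhrp network-id 100000
 tunnel key 22334455
 tunnel protection ipsec profile To-Taiz-Profile
"""
# IOS defaults (assumed here) for ISAKMP policy attributes that are not configured explicitly.
ISAKMP_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}
# Tunnel subcommands whose values must agree on both ends, mapped to short field names.
TUNNEL_KEYS = {"tunnel key ": "key", "ip nhrp network-id ": "nhrp_id",
               "ip nhrp authentication ": "nhrp_auth", "tunnel protection ipsec profile ": "profile"}

def parse_sections(config):
    """Group config text into (top-level command, [subcommands]) pairs."""
    sections = []
    for line in config.splitlines():
        if line.strip() and not line.startswith(" "):
            sections.append((line.strip(), []))
        elif line.strip() and sections:
            sections[-1][1].append(line.strip())
    return sections

def isakmp_policies(sections):
    """Return [(priority, {encr, hash, authentication, group})] with defaults filled in."""
    policies = []
    for header, subs in sections:
        m = re.match(r"crypto isakmp policy (\d+)$", header)
        if m:
            attrs = dict(ISAKMP_DEFAULTS)
            attrs.update({k: v for k, _, v in (s.partition(" ") for s in subs) if k in attrs})
            policies.append((int(m.group(1)), attrs))
    return policies

def transform_behind_profile(sections, profile):
    """Resolve an IPsec profile to the (transforms, mode) of its transform-set."""
    ts_name = next(s.split()[2] for h, subs in sections if h == f"crypto ipsec profile {profile}"
                   for s in subs if s.startswith("set transform-set "))
    for header, subs in sections:
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)", header)
        if m and m.group(1) == ts_name:
            mode = next((s.split()[1] for s in subs if s.startswith("mode ")), "tunnel")
            return tuple(m.group(2).split()), mode
    raise KeyError(ts_name)

def tunnel_params(sections, name):
    """Pick the DMVPN-relevant lines out of one tunnel interface."""
    subs = next(s for h, s in sections if h == f"interface {name}")
    params = {"shutdown": "shutdown" in subs}
    for sub in subs:
        for prefix, key in TUNNEL_KEYS.items():
            if sub.startswith(prefix):
                params[key] = sub[len(prefix):].strip()
    return params

def check_dmvpn(hub_config, spoke_config, tunnel):
    """Return (findings, compatible ISAKMP policy pairs) for one DMVPN tunnel."""
    hub, spoke = parse_sections(hub_config), parse_sections(spoke_config)
    ht, st = tunnel_params(hub, tunnel), tunnel_params(spoke, tunnel)
    findings = [f"{side} {tunnel} is administratively shut down"
                for side, p in (("hub", ht), ("spoke", st)) if p["shutdown"]]
    # GRE drops packets whose key differs; NHRP ignores peers with another network-id or auth string.
    for field, label in (("key", "tunnel key"), ("nhrp_id", "NHRP network-id"),
                         ("nhrp_auth", "NHRP authentication")):
        if ht.get(field) != st.get(field):
            findings.append(f"{label} mismatch: hub={ht.get(field)} spoke={st.get(field)}")
    hub_ts = transform_behind_profile(hub, ht["profile"])
    spoke_ts = transform_behind_profile(spoke, st["profile"])
    if hub_ts != spoke_ts:
        findings.append(f"IPsec transform mismatch: hub={hub_ts} spoke={spoke_ts}")
    # Main mode needs one policy pair with identical encryption, hash, authentication and DH group.
    pairs = [(hp, sp) for hp, h in isakmp_policies(hub) for sp, s in isakmp_policies(spoke) if h == s]
    if not pairs:
        findings.append("no compatible ISAKMP policy pair between hub and spoke")
    return findings, pairs

if __name__ == "__main__":
    found, ok_pairs = check_dmvpn(HUB_CONFIG, SPOKE_CONFIG, "Tunnel10")
    print("ISAKMP policy pairs (hub, spoke):", ok_pairs, "\n" + "\n".join("FINDING: " + f for f in found))
```

On the sample it reports that the hub's Tunnel10 is shut down and that the tunnel keys differ (100000 against 22334455), while the transform-sets behind the differently named profiles are identical and policy 10 on the hub pairs with policy 11 on the spoke. Transform-set and profile names are local to each router, so the check compares the resolved transforms rather than the names.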

Similar Messages

  • DMVPN NHRP issue

    I have a phase 2 DMVPN network with approx. 40 spoke routers and dual hub routers. 90% of this is working very well. However, I have 3 or 4 spoke routers that are unable to communicate with each other directly (traffic goes via the hub router between these specific sites); however, they are able to communicate directly with the other 35 or so routers. I think this is an NHRP issue, as when I do show ip nhrp detail on one of these 4 routers, the other 3 routers display a (no socket) entry. I am able to clear this "sometimes" by clear ip nhrp. Whenever the (no socket) entry is there, spoke-to-spoke communication does not work. Any help would be greatly appreciated.

    pradeepde,
    Thank you very much for your response. I think you may be right, I have upgraded the IOS to a maintenance release 12.4.15T9 and this does appear to have fixed the problem.
    Thanks again

  • DMVPN split tunneling issue, not able to bypass HTTP traffic at spoke end.

    Dear all,
    I would appreciate it if you could please help me resolve the following issue.
    I have been using a DMVPN setup (routing protocol EIGRP) for 20 sites with no issue at all, and everything is working perfectly.
    Now I have received a request that I need to split corporate legitimate traffic and internet traffic at the spoke end, so all internet traffic has to be forwarded via the local ADSL connection. I tried to resolve it, but the spoke router continuously forwards all traffic to the tunnel.
    Moreover, I found on the internet that DMVPN has a limitation that split tunneling is not possible.
    Please can you suggest how I can forward internet traffic (HTTP) via the local ADSL connection.
    thanks and regards,

    I agree with Marcin.
    At the spoke you would need to add a static default route for the internet traffic. You are also, most likely, injecting a default route into the EIGRP process at the hub, but the static route at the spokes will override this as it has a lower metric. Depending on your setup, if the ADSL line is on a different interface than that of the DMVPN, you could leave the EIGRP default route and use it as a backup in case the ADSL goes down. But if they are both located off the same interface then there is no point in keeping the injected default route.
    Please remember to rate and select a correct answer

  • DMVPN Issues:

    Hello All
    I have a strange occurrence where a Router 2800 series had to be rebooted, as the DMVPN session through it went down and the router had to be rebooted in order to restore the VPN session. Initially, I thought this was due to an IOS issue.
    Then another Router this time 2900 series router had the same problem and again needed a reboot to restore the DMVPN tunnel.
    Anybody has faced this before and can provide some insight / advice on this.
    Please let me know if you need any information on this
    Many Thanks in advance.

    Hi,
    Were you able to capture the syslogs?
    Was this on a spoke or hub router?
    Sent from Cisco Technical Support iPhone App

  • DMVPN Issues - IPsec packets

    Hi All,
    I am currently trying to configure DMVPN for the first time. I have been following the Cisco config guide and googling a few other bits; however, I seem to have hit a brick wall.
    The setup is in a lab environment, so I can post up as much info as required, but here are the important bits:
    I have 3 Cisco 2821 routers running IOS 12.4(15) with a Layer 3 switch in the middle connecting the "WAN" ports together. The routing is working fine; I can ping each router from each other router.
    A few snippets from the hub router config:
    crypto ipsec transform-set DMVPN_SET esp-3des esp-md5-hmac
    !
    crypto ipsec profile DMVPN_PRJ
     set transform-set DMVPN_SET
    !
    interface Tunnel0
     bandwidth 10000
     ip address 172.17.100.1 255.255.255.0
     no ip redirects
     ip mtu 1500
     ip nhrp authentication secretid
     ip nhrp map multicast dynamic
     ip nhrp network-id 101
     ip nhrp holdtime 450
     ip tcp adjust-mss 1460
     tunnel source GigabitEthernet0/0
     tunnel mode gre multipoint
     tunnel key 10101
     tunnel protection ipsec profile DMVPN_PRJ
    !
    interface GigabitEthernet0/0
     description HQ WAN
     ip address 1.1.1.1 255.255.255.248
     ip nat outside
     ip virtual-reassembly
     duplex auto
     speed auto
    !
    and here's the config on the first spoke router:
    crypto ipsec transform-set DMVPN_SET esp-3des esp-md5-hmac
    !
    crypto ipsec profile DMVPN_PRJ
     set transform-set DMVPN_SET
    !
    interface Tunnel0
     bandwidth 3000
     ip address 172.17.100.10 255.255.255.0
     no ip redirects
     ip mtu 1500
     ip nhrp authentication secretid
     ip nhrp map 172.17.100.1 1.1.1.1
     ip nhrp map multicast 1.1.1.1
     ip nhrp network-id 101
     ip nhrp holdtime 450
     ip nhrp nhs 172.17.100.1
     ip tcp adjust-mss 1460
     tunnel source GigabitEthernet0/0
     tunnel mode gre multipoint
     tunnel key 10101
     tunnel protection ipsec profile DMVPN_PRJ
    !
    interface GigabitEthernet0/0
     description Site 1 WAN
     ip address 11.11.11.1 255.255.255.248
     ip nat outside
     ip virtual-reassembly
     duplex auto
     speed auto
    !
    if I shut/no shut the tunnel0 interface on spoke 1, I get the following error on the hub router:
    Mar 30 13:41:17.075: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.        (ip) vrf/dest_addr= /1.1.1.1, src_addr= 11.11.11.1, prot= 47
    so I feel I'm missing some config on the spoke side to encrypt the traffic, but I'm not sure what.
    the following are outputs from the spoke router:
    RTR_SITE1#sh dmvpn detail
    Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
            N - NATed, L - Local, X - No Socket
            # Ent --> Number of NHRP entries with same NBMA peer
    -------------- Interface Tunnel0 info: --------------
    Intf. is up, Line Protocol is up, Addr. is 172.17.100.10
       Source addr: 11.11.11.1, Dest addr: MGRE
      Protocol/Transport: "multi-GRE/IP", Protect "DMVPN_PRJ",
    Tunnel VRF "", ip vrf forwarding ""
    NHRP Details: NHS:       172.17.100.1  E
    Type:Spoke, NBMA Peers:1
    # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network
    ----- --------------- --------------- ----- -------- ----- -----------------
        1         1.1.1.1    172.17.100.1   IKE    never S       172.17.100.1/32
    Interface: Tunnel0
    Session: [0x48E31B98]
      Crypto Session Status: DOWN
      fvrf: (none),   IPSEC FLOW: permit 47 host 11.11.11.1 host 1.1.1.1
            Active SAs: 0, origin: crypto map
       Outbound SPI : 0x       0, transform :
        Socket State: Closed
    Pending DMVPN Sessions:
    RTR_SITE1#sh ip nhrp detail
    172.17.100.1/32 via 172.17.100.1, Tunnel0 created 00:33:44, never expire
      Type: static, Flags: used
      NBMA address: 1.1.1.1
    RTR_SITE1#sh crypto ipsec sa
    interface: Tunnel0
        Crypto map tag: Tunnel0-head-0, local addr 11.11.11.1
       protected vrf: (none)
       local  ident (addr/mask/prot/port): (11.11.11.1/255.255.255.255/47/0)
       remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/47/0)
       current_peer 1.1.1.1 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 46, #recv errors 0
         local crypto endpt.: 11.11.11.1, remote crypto endpt.: 1.1.1.1
         path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
         current outbound spi: 0x0(0)
         inbound esp sas:
         inbound ah sas:
         inbound pcp sas:
         outbound esp sas:
         outbound ah sas:
         outbound pcp sas:
    All of these commands show up as blank when I run them on the hub router.
    Any help appreciated.
    Thanks

    Thanks for the help
    I was following this guide: http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_DMVPN.html#wp1118625
    I am using NAT; g0/1 on the routers is the LAN interface, with a different 10.x.x.x/24 on each router.
    The isakmp policy solved my issue, and fixed the MTU as well.
    What do I need to add to allow the 10.x.x.x networks to use the tunnels to communicate? I can now ping each end of the tunnel from both routers but not the LAN interfaces.
    Thanks

  • DMVPN issue on a cisco 3845

    Hi all,
    We have configured a DMVPN from our headquarters to our branch offices (let's say BR1-BR3).
    We have noticed that sometimes we cannot access some of our branch offices; the scenario is like this:
    - sometimes, BR1 and BR2 are down but BR3 is working fine
    - sometimes, BR2 and BR3 are down but BR1 is working fine
    - sometimes, BR1 and BR3 are down but BR2 is working fine
    - sometimes, only one branch office is down and the others are working fine
    the hub is a Cisco 3845, the IOS is c3845-advipservicesk9-mz.124-5c.bin
    from the log, we have
    *Sep 7 11:28:59.260: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 7: Neighbor x.x.x.x  (Tunnel100) is down: stuck in active
    *Sep 7 11:29:01.052: %DUAL-5-NBRCHANGE:  IP-EIGRP(0) 7: Neighbor x.x.x.x (Tunnel100) is up: new adjacency
    we do not know why it is down; there is no problem on the connection between the headquarters and branch offices.
    Any suggestions are appreciated.

    Hi Portu,
    please, find below the answer:
    Are you able to ping from tunnel interface to tunnel interface?
    yes, we are able to ping tunnel interface to tunnel interface
    Does the IPsec tunnel come down (show crypto isakmp sa)?
    no, we see the status is ACTIVE
    Does the tunnel interface come down (show interface tunnel x or show ip interface brief)?
    the tunnel is UP
    Any ISAKMP / IPsec related logs during the failure?
    How often does it happen?
    sometimes, many times in one day
    sometimes, every 1 or 2 days
    Does it recover by itself?
    yes, it does
    but after rebooting devices, it works fine again
    Please, let us know if you need more information.

  • DMVPN Issue

    Hello,
    I am getting packet loss if I ping the tunnel interface IP address, and when I remove the IPsec profile, I don't get packet loss. The tunnel is configured as a DMVPN spoke.
    ==============
    sh run int tu2
    Building configuration...
    Current configuration : 561 bytes
    interface Tunnel2
     bandwidth 6000
     ip address 11.242.81.94 255.255.240.0  >>>>>>>>>>>>>>>>>> get packet loss if I ping this IP
     no ip redirects
     ip mtu 1400
     ip flow egress
     ip nhrp authentication silver
     ip nhrp map multicast dynamic
     ip nhrp map multicast X.X.X.X
     ip nhrp map 11.242.X.X X.X.X.X
     ip nhrp map multicast X.X.X.X
     ip nhrp map 11.242.X.X X.X.X.X
     ip nhrp network-id 60436
     ip nhrp holdtime 600
     ip nhrp nhs 11.242.X.X
     ip nhrp nhs 11.242.X.X
     tunnel source GigabitEthernet0/0
     tunnel mode gre multipoint
     tunnel protection ipsec profile DMVPN shared  >>>>>>>>>>>>>>>>>>>>>>> IPSEC Profile
    end

    Hello,
    See below similar thread.
    https://supportforums.cisco.com/discussion/11192611/packet-loss-dmvpn-tunnel-not-across-wan
    HTH.
    Please rate helpful post.

  • DMVPN and Eigrp SIA issues

    I have over 250 sites in a hub-and-spoke design; each remote site has a frame-relay and an IPsec tunnel to the office. We are running EIGRP, but ever since we deployed DMVPN we've been getting many SIA messages... is this a normal behavior for a DMVPN design? Should I just decrease how often EIGRP queries are sent or increase EIGRP timers, or should I just leave it alone... has anyone seen DMVPN in over 200 sites working flawlessly using EIGRP? Just curious...

    GTS = Generic Traffic Shaping.
    We just use the easier to use, traffic-shape rate command, but the likely cisco answer would be to create policy-map/class-maps for the tunnel interfaces.
    Our Tunnel interfaces have the following additional commands. cut-edited-paste.
    Site with a T1
    interface Tunnel111
    description VPN sitea to siteb
    bandwidth 1536
    ip unnumbered Loopback0
    ip access-group whattoblockin in
    ip access-group whattoblockout out
    ip mtu 1600
    ip hello-interval eigrp 111 2
    ip hold-time eigrp 111 8
    ip pim sparse-mode
    ip route-cache flow
    ip tcp adjust-mss 1280
    load-interval 30
    delay 1001
    traffic-shape rate 1536000 8192 8192 2048
    cdp enable
    tunnel source a.a.a.a
    tunnel destination b.b.b.b
    end
    The traffic-shape command is just there to keep the outside interface from being overrun and dropping packets after encryption. This isn't "QoS" by Cisco's book, but when we implemented this, Cisco didn't have a pre-qualify that worked properly with DMVPN.
    If we start having problems with a site having heavy utilization, we'll change the traffic-shape statement to smooth out the traffic and control the heavy users. (refer to effects of WFQ).
    Do a search for WFQ and GTS on Cisco.com
    (oh, and if anyone tells you that the ip mtu command is a bad idea, tell 'em to stick it in their ear...)
    Rob

  • DMVPN Default Gateway issue

    Hi,
    I may be a million miles off, but I'm trying to route all traffic at our spoke sites through to our hub site and subsequently through a firewall etc., so I obviously need the gateway to change when a DMVPN is established. I am considering using policy based routing to pick up internal traffic and change the next hop to the hub site. However, how will this affect the spoke-to-spoke routing of the DMVPN? Will NHRP take precedence over the PBR to ensure that spoke-to-spoke communication happens directly?
    thanks

    Just to follow up, here's a sample configuration of what I'm talking about for the spoke.
    ip vrf VRF_LAN
    crypto isakmp policy 10
    encr aes 256
    authentication pre-share
    group 2
    crypto isakmp key {pre-shared-key} address 0.0.0.0 0.0.0.0 no-xauth
    crypto ipsec transform-set IPSec_TS_AES256SHA1ESP_T esp-aes 256 esp-sha-hmac
    mode transport
    crypto ipsec profile IPSec_Profile_VPN
    set transform-set IPSec_TS_AES256SHA1ESP_T
    interface Tunnel0
    ip vrf forwarding VRF_LAN
    ip address 172.31.255.10 255.255.255.0
    ip nhrp authentication 31240
    ip nhrp map 172.31.255.1 x.x.x.x
    ip nhrp map multicast x.x.x.x
    ip nhrp network-id 31240
    ip nhrp holdtime 600
    ip nhrp nhs 172.31.255.1
     ip nhrp shortcut
     ip nhrp redirect
    cdp enable
    tunnel source FastEthernet0/1
    tunnel mode gre multipoint
    tunnel protection ipsec profile IPSec_Profile_VPN
    interface FastEthernet0/0
    ip vrf forwarding VRF_LAN
    ip address 172.31.128.1 255.255.255.0
    interface FastEthernet0/1
    ip address dhcp
    router eigrp 1
    passive-interface default
    no passive-interface Tunnel0
    no auto-summary
    address-family ipv4 vrf VRF_LAN
    network 172.31.128.1 0.0.0.0
    network 172.31.255.10 0.0.0.0
    no auto-summary
    autonomous-system 1
    eigrp router-id 172.31.255.10
    eigrp stub connected summary
    exit-address-family
    As you can see, this works almost identically to a standard DMVPN setup, except that the tunnel interface, the LAN (FastEthernet0/0) interface and EIGRP processes all run in the VRF_LAN virtual routing and forwarding instance.
    The primary routing table gets its default route from DHCP in this case, though it could just as easily be static. The VRF, on the other hand, gets a default route from the DMVPN hub and shortcut switches for spoke-to-spoke communications. At no point does the default route in the global routing table factor into the DMVPN network's routing table or vice versa, eliminating the need for PBR entirely.

  • DMVPN phase I fails when migrating from PSK to RSIG

    I am currently in the process of migrating my DMVPN network from pre-shared keys to certificates. Most of the spokes have come up and are working without any issues, but there are several that are not making it past phase I. I have included the isakmp debugging from the hub and one of the spokes that are failing. I see that the hub is going to QM_IDLE after receiving the certificate from the spoke, but it does not look like the spoke ever receives the cert from the hub. I suspect an issue with the ISP, but it's not as simple as filtering 500, as all the messages except the cert seem to make it. If I move the spoke back to PSK it works fine. Has anyone seen this issue before, and what was the resolution?
    DMVPN Hub
    Oct  7 19:38:36.213: ISAKMP: local port 500, remote port 500
    Oct  7 19:38:36.213: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 7F1AA7CC5920
    Oct  7 19:38:36.213: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Oct  7 19:38:36.213: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1
    Oct  7 19:38:36.214: ISAKMP:(0): processing SA payload. message ID = 0
    Oct  7 19:38:36.214: ISAKMP:(0): processing vendor id payload
    Oct  7 19:38:36.214: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
    Oct  7 19:38:36.214: ISAKMP (0): vendor ID is NAT-T RFC 3947
    Oct  7 19:38:36.214: ISAKMP:(0): processing vendor id payload
    Oct  7 19:38:36.214: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
    Oct  7 19:38:36.214: ISAKMP (0): vendor ID is NAT-T v7
    Oct  7 19:38:36.214: ISAKMP:(0): processing vendor id payload
    Oct  7 19:38:36.214: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
    Oct  7 19:38:36.214: ISAKMP:(0): vendor ID is NAT-T v3
    Oct  7 19:38:36.214: ISAKMP:(0): processing vendor id payload
    Oct  7 19:38:36.214: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
    Oct  7 19:38:36.214: ISAKMP:(0): vendor ID is NAT-T v2
    Oct  7 19:38:36.214: ISAKMP:(0):found peer pre-shared key matching 2.8.51.58
    Oct  7 19:38:36.214: ISAKMP:(0): local preshared key found
    Oct  7 19:38:36.214: ISAKMP:(0): IKE->PKI Get configured TrustPoints state (R) MM_NO_STATE (peer 2.8.51.58)
    Oct  7 19:38:36.214: ISAKMP:(0): PKI->IKE Got configured TrustPoints state (R) MM_NO_STATE (peer 2.8.51.58)
    Oct  7 19:38:36.214: ISAKMP:(0):Checking ISAKMP transform 1 against priority 5 policy
    Oct  7 19:38:36.214: ISAKMP:      encryption 3DES-CBC
    Oct  7 19:38:36.214: ISAKMP:      hash MD5
    Oct  7 19:38:36.214: ISAKMP:      default group 1
    Oct  7 19:38:36.214: ISAKMP:      auth RSA sig
    Oct  7 19:38:36.214: ISAKMP:      life type in seconds
    Oct  7 19:38:36.214: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
    Oct  7 19:38:36.214: ISAKMP:(0):atts are acceptable. Next payload is 3
    Oct  7 19:38:36.214: ISAKMP:(0):Acceptable atts:actual life: 0
    Oct  7 19:38:36.214: ISAKMP:(0):Acceptable atts:life: 0
    Oct  7 19:38:36.214: ISAKMP:(0):Fill atts in sa vpi_length:4
    Oct  7 19:38:36.214: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
    Oct  7 19:38:36.214: ISAKMP:(0): IKE->PKI Start PKI Session state (R) MM_NO_STATE (peer 2.8.51.58)
    Oct  7 19:38:36.214: ISAKMP:(0): PKI->IKE Started PKI Session state (R) MM_NO_STATE (peer 2.8.51.58)
    Oct  7 19:38:36.214: ISAKMP:(0):Returning Actual lifetime: 86400
    Oct  7 19:38:36.214: ISAKMP:(0)::Started lifetime timer: 86400.
    Oct  7 19:38:36.214: ISAKMP:(0): processing vendor id payload
    Oct  7 19:38:36.214: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
    Oct  7 19:38:36.214: ISAKMP (0): vendor ID is NAT-T RFC 3947
    Oct  7 19:38:36.214: ISAKMP:(0): processing vendor id payload
    Oct  7 19:38:36.214: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
    Oct  7 19:38:36.214: ISAKMP (0): vendor ID is NAT-T v7
    Oct  7 19:38:36.214: ISAKMP:(0): processing vendor id payload
    Oct  7 19:38:36.214: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
    Oct  7 19:38:36.214: ISAKMP:(0): vendor ID is NAT-T v3
    Oct  7 19:38:36.214: ISAKMP:(0): processing vendor id payload
    Oct  7 19:38:36.214: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
    Oct  7 19:38:36.214: ISAKMP:(0): vendor ID is NAT-T v2
    Oct  7 19:38:36.214: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Oct  7 19:38:36.214: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1
    Oct  7 19:38:36.214: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
    Oct  7 19:38:36.214: ISAKMP:(0): sending packet to 2.8.51.58 my_port 500 peer_port 500 (R) MM_SA_SETUP
    Oct  7 19:38:36.214: ISAKMP:(0):Sending an IKE IPv4 Packet.
    Oct  7 19:38:36.214: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Oct  7 19:38:36.214: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2
    Oct  7 19:38:36.240: ISAKMP (0): received packet from 2.8.51.58 dport 500 sport 500 Global (R) MM_SA_SETUP
    Oct  7 19:38:36.240: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Oct  7 19:38:36.240: ISAKMP:(0):Old State = IKE_R_MM2  New State = IKE_R_MM3
    Oct  7 19:38:36.240: ISAKMP:(0): processing KE payload. message ID = 0
    Oct  7 19:38:36.242: ISAKMP:(0): processing NONCE payload. message ID = 0
    Oct  7 19:38:36.242: ISAKMP:(38618): processing CERT_REQ payload. message ID = 0
    Oct  7 19:38:36.242: ISAKMP:(38618): peer wants a CT_X509_SIGNATURE cert
    Oct  7 19:38:36.242: ISAKMP:(38618): peer wants cert issued by cn=Tetra Pak Root CA - G1
    Oct  7 19:38:36.242: ISAKMP:(38618): processing vendor id payload
    Oct  7 19:38:36.242: ISAKMP:(38618): vendor ID is DPD
    Oct  7 19:38:36.242: ISAKMP:(38618): processing vendor id payload
    Oct  7 19:38:36.242: ISAKMP:(38618): speaking to another IOS box!
    Oct  7 19:38:36.242: ISAKMP:(38618): processing vendor id payload
    Oct  7 19:38:36.242: ISAKMP:(38618): vendor ID seems Unity/DPD but major 209 mismatch
    Oct  7 19:38:36.242: ISAKMP:(38618): vendor ID is XAUTH
    Oct  7 19:38:36.242: ISAKMP:received payload type 20
    Oct  7 19:38:36.242: ISAKMP (38618): His hash no match - this node outside NAT
    Oct  7 19:38:36.242: ISAKMP:received payload type 20
    Oct  7 19:38:36.242: ISAKMP (38618): No NAT Found for self or peer
    Oct  7 19:38:36.242: ISAKMP:(38618):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Oct  7 19:38:36.242: ISAKMP:(38618):Old State = IKE_R_MM3  New State = IKE_R_MM3
    Oct  7 19:38:36.243: ISAKMP:(38618): IKE->PKI Get configured TrustPoints state (R) MM_KEY_EXCH (peer 2.8.51.58)
    Oct  7 19:38:36.243: ISAKMP:(38618): PKI->IKE Got configured TrustPoints state (R) MM_KEY_EXCH (peer 2.8.51.58)
    Oct  7 19:38:36.243: ISAKMP:(38618): IKE->PKI Get IssuerNames state (R) MM_KEY_EXCH (peer 2.8.51.58)
    Oct  7 19:38:36.243: ISAKMP:(38618): PKI->IKE Got IssuerNames state (R) MM_KEY_EXCH (peer 2.8.51.58)
    Oct  7 19:38:36.243: ISAKMP (38618): constructing CERT_REQ for issuer cn=Tetra Pak Issuing NAD CA 01 - G1,dc=tp1,dc=ad1,dc=tetrapak,dc=com
    Oct  7 19:38:36.243: ISAKMP:(38618): sending packet to 2.8.51.58 my_port 500 peer_port 500 (R) MM_KEY_EXCH
    Oct  7 19:38:36.243: ISAKMP:(38618):Sending an IKE IPv4 Packet.
    Oct  7 19:38:36.243: ISAKMP:(38618):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Oct  7 19:38:36.243: ISAKMP:(38618):Old State = IKE_R_MM3  New State = IKE_R_MM4
    Oct  7 19:38:36.484: ISAKMP (38618): received packet from 2.8.51.58 dport 500 sport 500 Global (R) MM_KEY_EXCH
    Oct  7 19:38:36.484: ISAKMP:(38618):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Oct  7 19:38:36.484: ISAKMP:(38618):Old State = IKE_R_MM4  New State = IKE_R_MM5
    Oct  7 19:38:36.484: ISAKMP:(38618): processing ID payload. message ID = 0
    Oct  7 19:38:36.484: ISAKMP (38618): ID payload
            next-payload : 6
            type         : 2
            FQDN name    : lvrirt-s2s-01.nvv.net.company.com
            protocol     : 17
            port         : 500
            length       : 42
    Oct  7 19:38:36.484: ISAKMP:(38618): processing CERT payload. message ID = 0
    Oct  7 19:38:36.484: ISAKMP:(38618): processing a CT_X509_SIGNATURE cert
    Oct  7 19:38:36.484: ISAKMP:(38618): IKE->PKI Add peer's certificate state (R) MM_KEY_EXCH (peer 2.8.51.58)
    Oct  7 19:38:36.485: ISAKMP:(38618): PKI->IKE Added peer's certificate state (R) MM_KEY_EXCH (peer 2.8.51.58)
    Oct  7 19:38:36.485: ISAKMP:(38618): IKE->PKI Get PeerCertificateChain state (R) MM_KEY_EXCH (peer 2.8.51.58)
    Oct  7 19:38:36.485: ISAKMP:(38618): PKI->IKE Got PeerCertificateChain state (R) MM_KEY_EXCH (peer 2.8.51.58)
    Oct  7 19:38:36.485: ISAKMP:(38618): peer's pubkey is cached
    Oct  7 19:38:36.485: ISAKMP:(38618): IKE->PKI Validate certificate chain state (R) MM_KEY_EXCH (peer 2.8.51.58)
    Oct  7 19:38:36.485: ISAKMP:(38618): PKI->IKE Validate certificate chain state (R) MM_KEY_EXCH (peer 2.8.51.58)
    Oct  7 19:38:36.485: ISAKMP:(38618): Unable to get DN from certificate!
    Oct  7 19:38:36.485: ISAKMP:(38618): processing SIG payload. message ID = 0
    Oct  7 19:38:36.486: ISAKMP:received payload type 17
    Oct  7 19:38:36.486: ISAKMP:(38618): processing NOTIFY INITIAL_CONTACT protocol 1
            spi 0, message ID = 0, sa = 0x7F1AA7CC5920
    Oct  7 19:38:36.486: ISAKMP:(38618):SA authentication status:
            authenticated
    Oct  7 19:38:36.486: ISAKMP:(38618):SA has been authenticated with 2.8.51.58
    Oct  7 19:38:36.486: ISAKMP:(38618):SA authentication status:
            authenticated
    Oct  7 19:38:36.486: ISAKMP:(38618): Process initial contact,
    bring down existing phase 1 and 2 SA's with local 15.18.1.1 remote 2.8.51.58 remote port 500
    Oct  7 19:38:36.486: ISAKMP:(38617):received initial contact, deleting SA
    Oct  7 19:38:36.486: ISAKMP:(38617):peer does not do paranoid keepalives.
    Oct  7 19:38:36.486: ISAKMP:(38617):deleting SA reason "Receive initial contact" state (R) QM_IDLE       (peer 2.8.51.58)
    Oct  7 19:38:36.486: ISAKMP:(38618):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Oct  7 19:38:36.486: ISAKMP:(38618):Old State = IKE_R_MM5  New State = IKE_R_MM5
    Oct  7 19:38:36.487: ISAKMP: set new node 2177251913 to QM_IDLE
    Oct  7 19:38:36.487: ISAKMP:(38617): sending packet to 2.8.51.58 my_port 500 peer_port 500 (R) QM_IDLE
    Oct  7 19:38:36.487: ISAKMP:(38617):Sending an IKE IPv4 Packet.
    Oct  7 19:38:36.487: ISAKMP:(38617):purging node 2177251913
    Oct  7 19:38:36.487: ISAKMP:(38617):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
    Oct  7 19:38:36.487: ISAKMP:(38617):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA
    Oct  7 19:38:36.487: ISAKMP:(38618): IKE->PKI Get self CertificateChain state (R) MM_KEY_EXCH (peer 2.8.51.58)
    Oct  7 19:38:36.487: ISAKMP:(38618): PKI->IKE Got self CertificateChain state (R) MM_KEY_EXCH (peer 2.8.51.58)
    Oct  7 19:38:36.487: ISAKMP:(38618): IKE->PKI Get SubjectName state (R) MM_KEY_EXCH (peer 2.8.51.58)
    Oct  7 19:38:36.487: ISAKMP:(38618): PKI->IKE Got SubjectName state (R) MM_KEY_EXCH (peer 2.8.51.58)
    Oct  7 19:38:36.487: ISAKMP:(38618):My ID configured as IPv4 Addr, but Addr not in Cert!
    Oct  7 19:38:36.487: ISAKMP:(38618):Using FQDN as My ID
    Oct  7 19:38:36.487: ISAKMP:(38618):SA is doing RSA signature authentication using id type ID_FQDN
    Oct  7 19:38:36.487: ISAKMP (38618): ID payload
            next-payload : 6
            type         : 2
            FQDN name    : selurt-dmvpn-01.nvv.net.company.com
            protocol     : 17
            port         : 500
            length       : 44
    Oct  7 19:38:36.487: ISAKMP:(38618):Total payload length: 44
    Oct  7 19:38:36.487: ISAKMP:(38618): IKE->PKI Get CertificateChain to be sent to peer state (R) MM_KEY_EXCH (peer 2.8.51.58)
    Oct  7 19:38:36.488: ISAKMP:(38618): PKI->IKE Got CertificateChain to be sent to peer state (R) MM_KEY_EXCH (peer 2.8.51.58)
    Oct  7 19:38:36.489: ISAKMP (38618): constructing CERT payload for hostname=selurt-dmvpn-01.nvv.net.company.com,serialNumber=4279180096
    Oct  7 19:38:36.489: ISAKMP (38618): constructing CERT payload for cn=Tetra Pak Issuing NAD CA 01 - G1,dc=tp1,dc=ad1,dc=tetrapak,dc=com
    Oct  7 19:38:36.489: ISAKMP:(38618): using the TP_NAD_CA trustpoint's keypair to sign
    Oct  7 19:38:36.494: ISAKMP:(38618): sending packet to 2.8.51.58 my_port 500 peer_port 500 (R) MM_KEY_EXCH
    Oct  7 19:38:36.494: ISAKMP:(38618):Sending an IKE IPv4 Packet.
    Oct  7 19:38:36.494: ISAKMP:(38618):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Oct  7 19:38:36.494: ISAKMP:(38618):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE
    Oct  7 19:38:36.494: ISAKMP:(38617):deleting SA reason "Receive initial contact" state (R) QM_IDLE       (peer 2.8.51.58)
    Oct  7 19:38:36.494: ISAKMP:(38617):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Oct  7 19:38:36.494: ISAKMP:(38617):Old State = IKE_DEST_SA  New State = IKE_DEST_SA
    Oct  7 19:38:36.494: ISAKMP:(38618):IKE_DPD is enabled, initializing timers
    Oct  7 19:38:36.494: ISAKMP:(38618): IKE->PKI End PKI Session state (R) QM_IDLE       (peer 2.8.51.58)
    Oct  7 19:38:36.494: ISAKMP:(38618): PKI->IKE Ended PKI session state (R) QM_IDLE       (peer 2.8.51.58)
    Oct  7 19:38:36.494: ISAKMP:(38618):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
    selurt-dmvpn-01#
    Oct  7 19:38:36.494: ISAKMP:(38618):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
    selurt-dmvpn-01#
    Oct  7 19:38:46.492: ISAKMP (38618): received packet from 2.8.51.58 dport 500 sport 500 Global (R) QM_IDLE
    Oct  7 19:38:46.492: ISAKMP:(38618): phase 1 packet is a duplicate of a previous packet.
    Oct  7 19:38:46.492: ISAKMP:(38618): retransmitting due to retransmit phase 1
    Oct  7 19:38:46.992: ISAKMP:(38618): retransmitting phase 1 QM_IDLE      ...
    Oct  7 19:38:46.992: ISAKMP (38618): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
    Oct  7 19:38:46.992: ISAKMP:(38618): retransmitting phase 1 QM_IDLE
    Oct  7 19:38:46.992: ISAKMP:(38618): sending packet to 2.8.51.58 my_port 500 peer_port 500 (R) QM_IDLE
    selurt-dmvpn-01#
    Oct  7 19:38:46.992: ISAKMP:(38618):Sending an IKE IPv4 Packet.
    selurt-dmvpn-01#
    Oct  7 19:38:56.481: ISAKMP (38618): received packet from 2.8.51.58 dport 500 sport 500 Global (R) QM_IDLE
    Oct  7 19:38:56.481: ISAKMP:(38618): phase 1 packet is a duplicate of a previous packet.
    Oct  7 19:38:56.481: ISAKMP:(38618): retransmitting due to retransmit phase 1
    Oct  7 19:38:56.981: ISAKMP:(38618): retransmitting phase 1 QM_IDLE      ...
    Oct  7 19:38:56.981: ISAKMP (38618): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
    Oct  7 19:38:56.981: ISAKMP:(38618): retransmitting phase 1 QM_IDLE
    Oct  7 19:38:56.981: ISAKMP:(38618): sending packet to 2.8.51.58 my_port 500 peer_port 500 (R) QM_IDLE
    selurt-dmvpn-01#
    Oct  7 19:38:56.981: ISAKMP:(38618):Sending an IKE IPv4 Packet.
    selurt-dmvpn-01#
    Oct  7 19:39:06.481: ISAKMP (38618): received packet from 2.8.51.58 dport 500 sport 500 Global (R) QM_IDLE
    Oct  7 19:39:06.481: ISAKMP:(38618): phase 1 packet is a duplicate of a previous packet.
    Oct  7 19:39:06.481: ISAKMP:(38618): retransmitting due to retransmit phase 1
    Oct  7 19:39:06.981: ISAKMP:(38618): retransmitting phase 1 QM_IDLE      ...
    Oct  7 19:39:06.981: ISAKMP (38618): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
    Oct  7 19:39:06.981: ISAKMP:(38618): retransmitting phase 1 QM_IDLE
    Oct  7 19:39:06.981: ISAKMP:(38618): sending packet to 2.8.51.58 my_port 500 peer_port 500 (R) QM_IDLE
    selurt-dmvpn-01#
    Oct  7 19:39:06.981: ISAKMP:(38618):Sending an IKE IPv4 Packet.
    selurt-dmvpn-01#
    Oct  7 19:39:09.880: ISAKMP:(38616):purging SA., sa=7F1AA7721158, delme=7F1AA7721158
    selurt-dmvpn-01#
    Oct  7 19:39:16.481: ISAKMP (38618): received packet from 2.8.51.58 dport 500 sport 500 Global (R) QM_IDLE
    Oct  7 19:39:16.481: ISAKMP:(38618): phase 1 packet is a duplicate of a previous packet.
    Oct  7 19:39:16.481: ISAKMP:(38618): retransmitting due to retransmit phase 1
    Oct  7 19:39:16.980: ISAKMP:(38618): retransmitting phase 1 QM_IDLE      ...
    Oct  7 19:39:16.980: ISAKMP (38618): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
    Oct  7 19:39:16.980: ISAKMP:(38618): retransmitting phase 1 QM_IDLE
    Oct  7 19:39:16.980: ISAKMP:(38618): sending packet to 2.8.51.58 my_port 500 peer_port 500 (R) QM_IDLE
    selurt-dmvpn-01#
    Oct  7 19:39:16.980: ISAKMP:(38618):Sending an IKE IPv4 Packet.
    selurt-dmvpn-01#
    Oct  7 19:39:26.481: ISAKMP (38618): received packet from 2.8.51.58 dport 500 sport 500 Global (R) QM_IDLE
    Oct  7 19:39:26.482: ISAKMP:(38618): phase 1 packet is a duplicate of a previous packet.
    Oct  7 19:39:26.482: ISAKMP:(38618): retransmitting due to retransmit phase 1
    Oct  7 19:39:26.981: ISAKMP:(38618): retransmitting phase 1 QM_IDLE      ...
    Oct  7 19:39:26.981: ISAKMP (38618): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
    Oct  7 19:39:26.981: ISAKMP:(38618): retransmitting phase 1 QM_IDLE
    Oct  7 19:39:26.981: ISAKMP:(38618): sending packet to 2.8.51.58 my_port 500 peer_port 500 (R) QM_IDLE
    selurt-dmvpn-01#
    Oct  7 19:39:26.981: ISAKMP:(38618):Sending an IKE IPv4 Packet.
    selurt-dmvpn-01#
    Oct  7 19:39:36.493: ISAKMP:(38617):purging SA., sa=7F1AA79AD9E0, delme=7F1AA79AD9E0
    DMVPN Spoke
    Oct  7 19:38:36.181: ISAKMP:(0): SA request profile is (NULL)
    Oct  7 19:38:36.181: ISAKMP: Created a peer struct for 15.18.1.1, peer port 500
    Oct  7 19:38:36.181: ISAKMP: New peer created peer = 0x2B1F480C peer_handle = 0x80001DF4
    Oct  7 19:38:36.181: ISAKMP: Locking peer struct 0x2B1F480C, refcount 1 for isakmp_initiator
    Oct  7 19:38:36.181: ISAKMP: local port 500, remote port 500
    Oct  7 19:38:36.181: ISAKMP: set new node 0 to QM_IDLE
    Oct  7 19:38:36.181: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 2B16C9FC
    Oct  7 19:38:36.181: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
    Oct  7 19:38:36.181: ISAKMP:(0):found peer pre-shared key matching 15.18.1.1
    Oct  7 19:38:36.181: ISAKMP:(0): IKE->PKI Get configured TrustPoints state (I) MM_NO_STATE (peer 15.18.1.1)
    Oct  7 19:38:36.181: ISAKMP:(0): PKI->IKE Got configured TrustPoints state (I) MM_NO_STATE (peer 15.18.1.1)
    Oct  7 19:38:36.181: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
    Oct  7 19:38:36.181: ISAKMP:(0): constructed NAT-T vendor-07 ID
    Oct  7 19:38:36.181: ISAKMP:(0): constructed NAT-T vendor-03 ID
    Oct  7 19:38:36.181: ISAKMP:(0): constructed NAT-T vendor-02 ID
    Oct  7 19:38:36.181: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
    Oct  7 19:38:36.181: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
    Oct  7 19:38:36.181: ISAKMP:(0): beginning Main Mode exchange
    Oct  7 19:38:36.181: ISAKMP:(0): sending packet to 15.18.1.1 my_port 500 peer_port 500 (I) MM_NO_STATE
    Oct  7 19:38:36.181: ISAKMP:(0):Sending an IKE IPv4 Packet.
    Oct  7 19:38:36.205: ISAKMP (0): received packet from 15.18.1.1 dport 500 sport 500 Global (I) MM_NO_STATE
    Oct  7 19:38:36.205: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Oct  7 19:38:36.205: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
    Oct  7 19:38:36.205: ISAKMP:(0): processing SA payload. message ID = 0
    Oct  7 19:38:36.205: ISAKMP:(0): processing vendor id payload
    Oct  7 19:38:36.205: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
    Oct  7 19:38:36.205: ISAKMP (0): vendor ID is NAT-T RFC 3947
    Oct  7 19:38:36.205: ISAKMP:(0):found peer pre-shared key matching 15.18.1.1
    Oct  7 19:38:36.205: ISAKMP:(0): local preshared key found
    Oct  7 19:38:36.205: ISAKMP : Scanning profiles for xauth ...
    Oct  7 19:38:36.205: ISAKMP:(0): IKE->PKI Get configured TrustPoints state (I) MM_NO_STATE (peer 15.18.1.1)
    Oct  7 19:38:36.205: ISAKMP:(0): PKI->IKE Got configured TrustPoints state (I) MM_NO_STATE (peer 15.18.1.1)
    Oct  7 19:38:36.205: ISAKMP:(0):Checking ISAKMP transform 1 against priority 5 policy
    Oct  7 19:38:36.205: ISAKMP:      encryption 3DES-CBC
    Oct  7 19:38:36.205: ISAKMP:      hash MD5
    Oct  7 19:38:36.205: ISAKMP:      default group 1
    Oct  7 19:38:36.205: ISAKMP:      auth RSA sig
    Oct  7 19:38:36.205: ISAKMP:      life type in seconds
    Oct  7 19:38:36.205: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
    Oct  7 19:38:36.205: ISAKMP:(0):atts are acceptable. Next payload is 0
    Oct  7 19:38:36.205: ISAKMP:(0):Acceptable atts:actual life: 0
    Oct  7 19:38:36.205: ISAKMP:(0):Acceptable atts:life: 0
    Oct  7 19:38:36.205: ISAKMP:(0):Fill atts in sa vpi_length:4
    Oct  7 19:38:36.205: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
    Oct  7 19:38:36.205: ISAKMP:(0): IKE->PKI Start PKI Session state (I) MM_NO_STATE (peer 15.18.1.1)
    Oct  7 19:38:36.205: ISAKMP:(0): PKI->IKE Started PKI Session state (I) MM_NO_STATE (peer 15.18.1.1)
    Oct  7 19:38:36.205: ISAKMP:(0):Returning Actual lifetime: 86400
    Oct  7 19:38:36.205: ISAKMP:(0)::Started lifetime timer: 86400.
    Oct  7 19:38:36.205: ISAKMP:(0): processing vendor id payload
    Oct  7 19:38:36.205: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
    Oct  7 19:38:36.205: ISAKMP (0): vendor ID is NAT-T RFC 3947
    Oct  7 19:38:36.205: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Oct  7 19:38:36.205: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2
    Oct  7 19:38:36.209: ISAKMP:(0): IKE->PKI Get configured TrustPoints state (I) MM_SA_SETUP (peer 15.18.1.1)
    Oct  7 19:38:36.209: ISAKMP:(0): PKI->IKE Got configured TrustPoints state (I) MM_SA_SETUP (peer 15.18.1.1)
    Oct  7 19:38:36.209: ISAKMP:(0): IKE->PKI Get IssuerNames state (I) MM_SA_SETUP (peer 15.18.1.1)
    Oct  7 19:38:36.209: ISAKMP:(0): PKI->IKE Got IssuerNames state (I) MM_SA_SETUP (peer 15.18.1.1)
    Oct  7 19:38:36.209: ISAKMP (0): constructing CERT_REQ for issuer cn=Tetra Pak Root CA - G1
    Oct  7 19:38:36.209: ISAKMP:(0): sending packet to 15.18.1.1 my_port 500 peer_port 500 (I) MM_SA_SETUP
    Oct  7 19:38:36.209: ISAKMP:(0):Sending an IKE IPv4 Packet.
    Oct  7 19:38:36.209: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Oct  7 19:38:36.209: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
    Oct  7 19:38:36.233: ISAKMP (0): received packet from 15.18.1.1 dport 500 sport 500 Global (I) MM_SA_SETUP
    Oct  7 19:38:36.233: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Oct  7 19:38:36.233: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4
    Oct  7 19:38:36.233: ISAKMP:(0): processing KE payload. message ID = 0
    Oct  7 19:38:36.245: ISAKMP:(0): processing NONCE payload. message ID = 0
    Oct  7 19:38:36.245: ISAKMP:(8329): processing CERT_REQ payload. message ID = 0
    Oct  7 19:38:36.245: ISAKMP:(8329): peer wants a CT_X509_SIGNATURE cert
    Oct  7 19:38:36.245: ISAKMP:(8329): peer wants cert issued by cn=Tetra Pak Issuing NAD CA 01 - G1,dc=tp1,dc=ad1,dc=tetrapak,dc=com
    Oct  7 19:38:36.249:  Choosing trustpoint TP_NAD_CA as issuer
    Oct  7 19:38:36.249: ISAKMP:(8329): processing vendor id payload
    Oct  7 19:38:36.249: ISAKMP:(8329): vendor ID is Unity
    Oct  7 19:38:36.249: ISAKMP:(8329): processing vendor id payload
    Oct  7 19:38:36.249: ISAKMP:(8329): vendor ID is DPD
    Oct  7 19:38:36.249: ISAKMP:(8329): processing vendor id payload
    Oct  7 19:38:36.249: ISAKMP:(8329): speaking to another IOS box!
    Oct  7 19:38:36.249: ISAKMP:received payload type 20
    Oct  7 19:38:36.249: ISAKMP (8329): His hash no match - this node outside NAT
    Oct  7 19:38:36.249: ISAKMP:received payload type 20
    Oct  7 19:38:36.249: ISAKMP (8329): No NAT Found for self or peer
    Oct  7 19:38:36.249: ISAKMP:(8329):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Oct  7 19:38:36.249: ISAKMP:(8329):Old State = IKE_I_MM4  New State = IKE_I_MM4
    Oct  7 19:38:36.249: ISAKMP:(8329):Send initial contact
    Oct  7 19:38:36.249: ISAKMP:(8329): IKE->PKI Get self CertificateChain state (I) MM_KEY_EXCH (peer 15.18.1.1)
    Oct  7 19:38:36.249: ISAKMP:(8329): PKI->IKE Got self CertificateChain state (I) MM_KEY_EXCH (peer 15.18.1.1)
    Oct  7 19:38:36.249: ISAKMP:(8329): IKE->PKI Get SubjectName state (I) MM_KEY_EXCH (peer 15.18.1.1)
    Oct  7 19:38:36.249: ISAKMP:(8329): PKI->IKE Got SubjectName state (I) MM_KEY_EXCH (peer 15.18.1.1)
    Oct  7 19:38:36.249: ISAKMP:(8329):My ID configured as IPv4 Addr, but Addr not in Cert!
    Oct  7 19:38:36.249: ISAKMP:(8329):Using FQDN as My ID
    Oct  7 19:38:36.249: ISAKMP:(8329):SA is doing RSA signature authentication using id type ID_FQDN
    Oct  7 19:38:36.249: ISAKMP (8329): ID payload
            next-payload : 6
            type         : 2
            FQDN name    : lvrirt-s2s-01.nvv.net.company.com
            protocol     : 17
            port         : 500
            length       : 42
    Oct  7 19:38:36.249: ISAKMP:(8329):Total payload length: 42
    Oct  7 19:38:36.249: ISAKMP:(8329): IKE->PKI Get CertificateChain to be sent to peer state (I) MM_KEY_EXCH (peer 15.18.1.1)
    Oct  7 19:38:36.253: ISAKMP:(8329): PKI->IKE Got CertificateChain to be sent to peer state (I) MM_KEY_EXCH (peer 15.18.1.1)
    Oct  7 19:38:36.253: ISAKMP (8329): constructing CERT payload for hostname=lvrirt-s2s-01.nvv.net.company.com,serialNumber=FCZ163860KW
    Oct  7 19:38:36.253: ISKAMP: growing send buffer from 1024 to 3072
    Oct  7 19:38:36.253: ISAKMP:(8329): using the TP_NAD_CA trustpoint's keypair to sign
    Oct  7 19:38:36.449: ISAKMP:(8329): sending packet to 15.18.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
    Oct  7 19:38:36.449: ISAKMP:(8329):Sending an IKE IPv4 Packet.
    Oct  7 19:38:36.449: ISAKMP:(8329):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Oct  7 19:38:36.449: ISAKMP:(8329):Old State = IKE_I_MM4  New State = IKE_I_MM5
    Oct  7 19:38:36.481: ISAKMP (8328): received packet from 15.18.1.1 dport 500 sport 500 Global (I) MM_NO_STATE
    Oct  7 19:38:46.449: ISAKMP:(8329): retransmitting phase 1 MM_KEY_EXCH...
    Oct  7 19:38:46.449: ISAKMP (8329): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
    Oct  7 19:38:46.449: ISAKMP:(8329): retransmitting phase 1 MM_KEY_EXCH
    Oct  7 19:38:46.449: ISAKMP:(8329): sending packet to 15.18.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
    Oct  7 19:38:46.449: ISAKMP:(8329):Sending an IKE IPv4 Packet.
    Oct  7 19:38:54.709: ISAKMP:(8327):purging node 1841056658
    Oct  7 19:38:54.709: ISAKMP:(8327):purging node -57107868
    Oct  7 19:38:56.449: ISAKMP:(8329): retransmitting phase 1 MM_KEY_EXCH...
    Oct  7 19:38:56.449: ISAKMP (8329): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
    Oct  7 19:38:56.449: ISAKMP:(8329): retransmitting phase 1 MM_KEY_EXCH
    Oct  7 19:38:56.449: ISAKMP:(8329): sending packet to 15.18.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
    Oct  7 19:38:56.449: ISAKMP:(8329):Sending an IKE IPv4 Packet.
    Oct  7 19:39:04.709: ISAKMP:(8327):purging SA., sa=3169E824, delme=3169E824
    Oct  7 19:39:06.181: ISAKMP: set new node 0 to QM_IDLE
    Oct  7 19:39:06.181: ISAKMP:(8329):SA is still budding. Attached new ipsec request to it. (local 2.8.51.58, remote 15.18.1.1)
    Oct  7 19:39:06.181: ISAKMP: Error while processing SA request: Failed to initialize SA
    Oct  7 19:39:06.181: ISAKMP: Error while processing KMI message 0, error 2.
    Oct  7 19:39:06.449: ISAKMP:(8329): retransmitting phase 1 MM_KEY_EXCH...
    Oct  7 19:39:06.449: ISAKMP (8329): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
    Oct  7 19:39:06.449: ISAKMP:(8329): retransmitting phase 1 MM_KEY_EXCH
    Oct  7 19:39:06.449: ISAKMP:(8329): sending packet to 15.18.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
    Oct  7 19:39:06.449: ISAKMP:(8329):Sending an IKE IPv4 Packet.
    Oct  7 19:39:10.261: ISAKMP:(8328):purging node -1445247076
    Oct  7 19:39:16.449: ISAKMP:(8329): retransmitting phase 1 MM_KEY_EXCH...
    Oct  7 19:39:16.449: ISAKMP (8329): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
    Oct  7 19:39:16.449: ISAKMP:(8329): retransmitting phase 1 MM_KEY_EXCH
    Oct  7 19:39:16.449: ISAKMP:(8329): sending packet to 15.18.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
    Oct  7 19:39:16.449: ISAKMP:(8329):Sending an IKE IPv4 Packet.
    Oct  7 19:39:20.261: ISAKMP:(8328):purging SA., sa=2AD85BD0, delme=2AD85BD0
    Oct  7 19:39:26.449: ISAKMP:(8329): retransmitting phase 1 MM_KEY_EXCH...
    Oct  7 19:39:26.449: ISAKMP (8329): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
    Oct  7 19:39:26.449: ISAKMP:(8329): retransmitting phase 1 MM_KEY_EXCH
    Oct  7 19:39:26.449: ISAKMP:(8329): sending packet to 15.18.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
    Oct  7 19:39:26.449: ISAKMP:(8329):Sending an IKE IPv4 Packet.
    Oct  7 19:39:36.449: ISAKMP:(8329): retransmitting phase 1 MM_KEY_EXCH...
    Oct  7 19:39:36.449: ISAKMP:(8329):peer does not do paranoid keepalives.
    Oct  7 19:39:36.449: ISAKMP:(8329):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 15.18.1.1)
    Oct  7 19:39:36.449: ISAKMP:(8329):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 15.18.1.1)

    Mike,
    Hub sends its cert but spoke never receives it; this is typically a problem with fragmentation handling in transit networks.
    Sniff both ends you control and check whether you're not missing any fragments on the spoke end.
    Could be as simple as an MTU problem on your end, or could be something in the path attempting reassembly.
    Multiple ways to go: check your end; if fragments are missing in transit, start investigating with the ISP(s).
    M.
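
    The reading behind that answer comes from laying the two debugs side by side: the hub (responder, conn-id 38618) reaches IKE_P1_COMPLETE after sending its sixth main-mode message with two CERT payloads in it, then keeps logging "phase 1 packet is a duplicate" and resending, while the spoke (initiator, conn-id 8329) stays in IKE_I_MM5, retransmits MM5 five times and deletes the SA with "Death by retransmission P1". The spoke's own "growing send buffer from 1024 to 3072" shows the certificate-bearing messages are well over a single 1500-byte datagram in both directions. The script below is an added example, not part of the thread; it encodes that correlation so it can be run over two saved debug captures. Its sample lines are constructed, abbreviated from the debugs above with the hostnames and CA names replaced; the conn-id, state and message formats are IOS's own `debug crypto isakmp` output.

```python
"""Read a hub-side and a spoke-side 'debug crypto isakmp' capture together and
flag the one-way-loss signature: the hub finishes main mode and keeps
answering duplicate MM5s, while the spoke never sees MM6 and retransmits
until 'Death by retransmission P1'."""
import re
from collections import defaultdict

# Constructed samples, abbreviated from the debugs in the thread with the
# hostnames and CA names replaced; the line formats are IOS's own.
HUB_DEBUG = """\
Oct  7 19:38:36.243: ISAKMP:(38618): sending packet to 2.8.51.58 my_port 500 peer_port 500 (R) MM_KEY_EXCH
Oct  7 19:38:36.484: ISAKMP (38618): received packet from 2.8.51.58 dport 500 sport 500 Global (R) MM_KEY_EXCH
Oct  7 19:38:36.489: ISAKMP (38618): constructing CERT payload for hostname=hub.example.test,serialNumber=1
Oct  7 19:38:36.489: ISAKMP (38618): constructing CERT payload for cn=Example Issuing CA
Oct  7 19:38:36.494: ISAKMP:(38618): sending packet to 2.8.51.58 my_port 500 peer_port 500 (R) MM_KEY_EXCH
Oct  7 19:38:36.494: ISAKMP:(38618):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE
Oct  7 19:38:46.492: ISAKMP:(38618): phase 1 packet is a duplicate of a previous packet.
Oct  7 19:38:46.992: ISAKMP (38618): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Oct  7 19:38:56.481: ISAKMP:(38618): phase 1 packet is a duplicate of a previous packet.
Oct  7 19:38:56.981: ISAKMP (38618): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
"""
SPOKE_DEBUG = """\
Oct  7 19:38:36.253: ISAKMP (8329): constructing CERT payload for hostname=spoke.example.test,serialNumber=2
Oct  7 19:38:36.253: ISKAMP: growing send buffer from 1024 to 3072
Oct  7 19:38:36.449: ISAKMP:(8329): sending packet to 15.18.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Oct  7 19:38:36.449: ISAKMP:(8329):Old State = IKE_I_MM4  New State = IKE_I_MM5
Oct  7 19:38:46.449: ISAKMP (8329): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Oct  7 19:38:56.449: ISAKMP (8329): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Oct  7 19:39:36.449: ISAKMP:(8329):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 15.18.1.1)
"""

CONN_RE = re.compile(r"ISAKMP:?\s?\((\d+)\)")      # 'ISAKMP:(38618)' or 'ISAKMP (38618)'
NEW_STATE_RE = re.compile(r"New State = (\S+)")
DELETE_RE = re.compile(r'deleting SA reason "([^"]+)"')


def _empty():
    return {"last_state": None, "retransmits": 0, "duplicates": 0,
            "certs_sent": 0, "big_buffer": False, "delete_reason": None}


def parse_debug(text):
    """Summarise one side's debug per ISAKMP conn-id."""
    sas = defaultdict(_empty)
    current = None
    for line in text.splitlines():
        m = CONN_RE.search(line)
        if m:
            current = m.group(1)
        if current is None:
            continue                    # nothing to attribute the line to yet
        sa = sas[current]
        m = NEW_STATE_RE.search(line)
        if m:
            sa["last_state"] = m.group(1)
        if "incrementing error counter" in line:
            sa["retransmits"] += 1
        if "duplicate of a previous packet" in line:
            sa["duplicates"] += 1
        if "constructing CERT payload" in line:
            sa["certs_sent"] += 1
        if "growing send buffer" in line:   # IOS prints this one with the 'ISKAMP' prefix and no conn-id
            sa["big_buffer"] = True
        m = DELETE_RE.search(line)
        if m:
            sa["delete_reason"] = m.group(1)
    return dict(sas)


def busiest(sas):
    """The SA doing the retransmitting is the one to look at."""
    return max(sas.values(), key=lambda s: s["retransmits"])


def diagnose(hub_text, spoke_text):
    """Return (verdict, evidence) for a responder (hub) / initiator (spoke) pair."""
    hub, spoke = busiest(parse_debug(hub_text)), busiest(parse_debug(spoke_text))
    evidence = []
    if hub["certs_sent"]:
        evidence.append("hub's 6th main-mode message carries %d CERT payload(s)" % hub["certs_sent"])
    if spoke["big_buffer"]:
        evidence.append("spoke grew its send buffer past 1024 bytes: its own MM5 is fragmented too")
    hub_done = hub["last_state"] == "IKE_P1_COMPLETE"
    spoke_stuck = spoke["last_state"] == "IKE_I_MM5" and spoke["retransmits"] > 0
    if hub_done and spoke_stuck and hub["duplicates"] > 0:
        evidence.append("hub reached IKE_P1_COMPLETE yet saw %d duplicate MM5(s); spoke retransmitted "
                        "%d time(s) and deleted the SA with %r"
                        % (hub["duplicates"], spoke["retransmits"], spoke["delete_reason"]))
        return "HUB_TO_SPOKE_MM6_LOST", evidence
    if not hub_done and spoke["retransmits"] > 0:
        return "SPOKE_TO_HUB_LOST", evidence
    return "NO_ASYMMETRIC_LOSS_SIGNATURE", evidence


if __name__ == "__main__":
    verdict, why = diagnose(HUB_DEBUG, SPOKE_DEBUG)
    print(verdict)
    for line in why:
        print(" -", line)
```

    To confirm it on the wire, capture on both ends at once with something like `tcpdump -ni <if> 'host <peer> and (udp port 500 or ip[6:2] & 0x1fff != 0)'` and compare: the hub should show several IP fragments leaving for each MM6 and the spoke should be short of at least one of them. On the routers themselves an extended ACL with the `fragments` keyword applied inbound gives a hit counter for non-initial fragments, and `ping <peer> size 1500 df-bit` from the spoke tells you whether a full-size datagram even survives the path.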

  • EAZYVPN and DMVPN on the same router,same interface

    Hi all,
    First of all, thanks in advance for the help. I have set up DMVPN and EAZYVPN on one router. Tunnel interfaces on Spoke one and Spoke two are up/up and show crypto isakmp sa shows both tunnels are in idle. However, the tunnel to Spoke one (10.10.1.1) keeps bouncing on and off (see below). Every 30 sec or so, the tunnel goes back to IKE phase while the tunnel for Spoke two (5.5.5.1) still stays active. The configuration on the HUB side is the same for both spokes!! show crypto ipsec sa shows both sides have the same lifetime (IOS default). Could that be an IOS debug on Spoke one?
    Hub :
    Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 15.1(3)T2, RELEASE SOFTWARE (fc1)
    HUB#sh crypto ipsec security-association
    Security association lifetime: 4608000 kilobytes/3600 seconds
    Spoke one:
    Cisco IOS Software, C2600 Software (C2600-ADVSECURITYK9-M), Version 12.4(8), RELEASE SOFTWARE (fc1)
    SPOKE1#sh crypto ipsec security-association
    Security association lifetime: 4608000 kilobytes/3600 seconds
    HUB#sh crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id status
    5.5.5.1         5.5.5.2         QM_IDLE           1002 ACTIVE
    10.10.1.1       10.10.1.2       MM_NO_STATE       1134 ACTIVE (deleted)
    10.10.1.1       1.1.1.10        QM_IDLE           1126 ACTIVE
    10.10.1.1       1.1.1.10        QM_IDLE           1076 ACTIVE
    HUB#sh crypto se
    HUB#sh crypto session
    Crypto session current status
    Interface: Serial0/1/1
    Username: testuser
    Profile: AccountingPro
    Group: Accounting
    Assigned address: 20.20.20.1
    Session status: UP-ACTIVE    
    Peer: 1.1.1.10 port 60201
      IKEv1 SA: local 10.10.1.1/500 remote 1.1.1.10/60201 Active
      IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 20.20.20.1
            Active SAs: 2, origin: dynamic crypto map
    Interface: Serial0/1/1
    Username: testuser
    Profile: AccountingPro
    Group: Accounting
    Assigned address: 20.20.20.2
    Session status: UP-ACTIVE    
    Peer: 1.1.1.10 port 49768
      IKEv1 SA: local 10.10.1.1/500 remote 1.1.1.10/49768 Active
      IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 20.20.20.2
            Active SAs: 2, origin: dynamic crypto map
    Interface: FastEthernet0/1
    Profile: DMVPN
    Session status: UP-IDLE
    Peer: 5.5.5.2 port 500
      IKEv1 SA: local 5.5.5.1/500 remote 5.5.5.2/500 Active
    Interface: Serial0/1/1
    Profile: DMVPN
    Session status: DOWN-NEGOTIATING
    Peer: 10.10.1.2 port 500
      IKEv1 SA: local 10.10.1.1/500 remote 10.10.1.2/500 Inactive
    HUB#
    2.  My second issue is, I use the same interface (s0/1/1 = 10.10.1.1) for EAZYVPN access. The client from EAZYVPN is connected fine, but does not receive traffic back (statistics window shows decrypted=0 and received=0). The EAZYVPN can't even ping the IP address assigned to the VPN client (20.20.20.2), and the client can only ping the 10.10.1.1 address. Reverse route is enabled, but the 20.20.20.0/24 network didn't show up in the IP table of the HUB router!!!
    DMVPN AND EAZYVPN SERVER config..
    crypto keyring dmvpnkey
      pre-shared-key address 0.0.0.0 0.0.0.0 key DMVPNLAB
    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp policy 10
     encr aes
     authentication pre-share
     group 2
    crypto isakmp policy 20
     encr aes
     authentication pre-share
     group 2
    crypto isakmp policy 30
     encr 3des
     hash md5
     authentication pre-share
     group 2
    crypto isakmp policy 40
     authentication pre-share
    crypto isakmp keepalive 30
    crypto isakmp xauth timeout 90
    crypto isakmp client configuration group Accounting
     key eazypvn
     dns 4.2.2.2
     wins 4.2.2.2
     domain bigBois.com
     pool dmAccouting
    crypto isakmp profile AccountingPro
       match identity group Accounting
       client authentication list access_in
       isakmp authorization list my_vpn
       client configuration address respond
    crypto isakmp profile DMVPN
       keyring dmvpnkey
       match identity address 0.0.0.0
    crypto ipsec transform-set DMVPN ah-sha-hmac esp-aes
     mode transport
    crypto ipsec transform-set EAZYVPN esp-3des esp-md5-hmac
    crypto ipsec profile dmvpnlab
     set transform-set DMVPN
     set isakmp-profile AccountingPro
    crypto dynamic-map Remote_Acc 20
     set transform-set EAZYVPN
     set isakmp-profile AccountingPro
     reverse-route
    crypto map RemoteAcc client authentication list access_in
    crypto map Remote_Acc client authentication list my_vpn
    crypto map Remote_Acc 20 ipsec-isakmp dynamic Remote_Acc
    interface Loopback0
     ip address 192.168.200.1 255.255.255.0
    interface Loopback2
     ip address 172.16.10.1 255.255.255.0
    interface Loopback3
     ip address 172.16.15.1 255.255.255.0
    interface Tunnel1
     bandwidth 10000
     ip address 4.4.4.1 255.255.255.0
     no ip redirects
     ip mtu 1400
     no ip next-hop-self eigrp 10
     ip nhrp authentication DMVPN
     ip nhrp map multicast dynamic
     ip nhrp network-id 7940
     ip nhrp registration timeout 10
     ip tcp adjust-mss 1360
     tunnel source Serial0/1/1
     tunnel mode gre multipoint
     tunnel key 7940
     tunnel protection ipsec profile dmvpnlab
    interface FastEthernet0/0
     description OUTSIDE
     ip address 1.1.1.1 255.255.255.0
     ip virtual-reassembly in
     duplex auto
     speed auto
    interface FastEthernet0/1
     description INSIDE
     ip address 5.5.5.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
     duplex auto
     speed auto
    interface Serial0/1/0
     no ip address
     shutdown
     clock rate 2000000
    interface Serial0/1/1
     description to SPOKE1
     ip address 10.10.1.1 255.255.255.0
     crypto map Remote_Acc
    interface Serial0/3/0
     no ip address
     shutdown
    router eigrp 10
     network 4.4.4.0 0.0.0.255
     network 5.5.5.0 0.0.0.255
     network 10.0.0.0
     network 10.10.10.0 0.0.0.3
     network 172.16.0.0 0.0.0.255
     network 172.16.1.0 0.0.0.255
     network 172.16.10.0 0.0.0.255
     network 172.16.15.0 0.0.0.255
     network 192.168.200.0
    ip local pool dmAccouting 20.20.20.1 20.20.20.10
    ip forward-protocol nd
    ip http server
    ip http authentication local
    ip http secure-server
    THanks  a bunch for the help,
    Ernest

    Any ideas why devices keep renewing phase 1?
    Thanks,

  • Problem running DMVPN and IPSec VPN at the same time

    I have a hub-spoke VPN network: 2 hub routers are 7206 VXR and remote routers are 2800. Each hub router has had a number of point-to-point IPSec+GRE tunnels configured and running with remote sites. I'm now adding DMVPN between each hub router and a few other remote sites. The DMVPN is running fine between hub and spokes, but somehow it caused all the existing point-to-point IPSec tunnels to drop. Here are some details:
    1) Hub DMVPN config:
    crypto isakmp key MYKEY address 12.12.12.12
    crypto ipsec profile DMVPN
     set transform-set DM
    interface Tunnel1
     ip address 192.168.1.1 255.255.255.0
     no ip redirects
     ip mtu 1400
     ip nhrp map multicast dynamic
     ip nhrp network-id 1
     ip nhrp holdtime 600
     tunnel source G0/0
     tunnel mode gre multipoint
     tunnel protection ipsec profile DMVPN
    router eigrp 1
     no passive-interface Tunnel1
    2) Spoke DMVPN config:
    crypto ipsec profile DMVPN
     set transform-set DM
    crypto isakmp key MYKEY address 14.14.14.14
    interface Tunnel1
     ip address 192.168.1.2 255.255.255.0
     ip mtu 1400
     ip nhrp map 192.168.1.1 14.14.14.14
     ip nhrp map multicast 14.14.14.14
     ip nhrp network-id 1
     ip nhrp holdtime 600
     ip nhrp nhs 192.168.1.1
     tunnel source G0/0
     tunnel destination 14.14.14.14
     tunnel protection ipsec profile DMVPN
    3) When DMVPN is up, the hub router's existing IPSec tunnels show an ISAKMP failure.
    Hub# show crypto isakmp sa
    14.14.14.14     20.20.20.20 MM_NO_STATE       1508    0 ACTIVE (deleted)
    4) After I shut down interface Tunnel1, the existing IPSec tunnels come back. ISAKMP SA shows QM_IDLE state.
    Has anyone seen similar issues between DMVPN and traditional point-to-point IPSec+GRE tunnels on the same router?
    Thanks a lot

  • DMVPN-Why received packet doesn't use UDP port 4500 but 500?

    Hello everyone
    I got a problem with my DMVPN. The spoke is behind a NAT device. x.x.x.x is a public IP address which the hub uses. I don't know why it discovered that the hub is also inside a NAT device. And after it sends a packet using port 4500, the received packet from the hub was not using port 4500 but 500. I'm confused now. Any advice would be much appreciated.
    *Sep 10 08:56:02 UTC: ISAKMP:(0): beginning Main Mode exchange
    *Sep 10 08:56:02 UTC: ISAKMP:(0): sending packet to x.x.x.x my_port 500 peer_port 500 (I) MM_NO_STATE
    *Sep 10 08:56:02 UTC: ISAKMP:(0):Sending an IKE IPv4 Packet.
    *Sep 10 08:56:02 UTC: ISAKMP (0): received packet from x.x.x.x dport 500 sport 500 Global (I) MM_NO_STATE
    *Sep 10 08:56:02 UTC: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    *Sep 10 08:56:02 UTC: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2 
    *Sep 10 08:56:02 UTC: ISAKMP:(0): processing SA payload. message ID = 0
    *Sep 10 08:56:02 UTC: ISAKMP:(0): processing vendor id payload
    *Sep 10 08:56:02 UTC: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
    *Sep 10 08:56:02 UTC: ISAKMP (0): vendor ID is NAT-T RFC 3947
    *Sep 10 08:56:02 UTC: ISAKMP:(0):found peer pre-shared key matching 
    *Sep 10 08:56:02 UTC: ISAKMP:(0): local preshared key found
    *Sep 10 08:56:02 UTC: ISAKMP : Scanning profiles for xauth ...
    *Sep 10 08:56:02 UTC: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
    *Sep 10 08:56:02 UTC: ISAKMP:      encryption 3DES-CBC
    *Sep 10 08:56:02 UTC: ISAKMP:      hash MD5
    *Sep 10 08:56:02 UTC: ISAKMP:      default group 1
    *Sep 10 08:56:02 UTC: ISAKMP:      auth pre-share
    *Sep 10 08:56:02 UTC: ISAKMP:      life type in seconds
    *Sep 10 08:56:02 UTC: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80 
    *Sep 10 08:56:02 UTC: ISAKMP:(0):atts are acceptable. Next payload is 0
    *Sep 10 08:56:02 UTC: ISAKMP:(0):Acceptable atts:actual life: 0
    *Sep 10 08:56:02 UTC: ISAKMP:(0):Acceptable atts:life: 0
    *Sep 10 08:56:02 UTC: ISAKMP:(0):Fill atts in sa vpi_length:4
    *Sep 10 08:56:02 UTC: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
    *Sep 10 08:56:02 UTC: ISAKMP:(0):Returning Actual lifetime: 86400
    *Sep 10 08:56:02 UTC: ISAKMP:(0)::Started lifetime timer: 86400.
    *Sep 10 08:56:02 UTC: ISAKMP:(0): processing vendor id payload
    *Sep 10 08:56:02 UTC: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
    *Sep 10 08:56:02 UTC: ISAKMP (0): vendor ID is NAT-T RFC 3947
    *Sep 10 08:56:02 UTC: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    *Sep 10 08:56:02 UTC: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2 
    *Sep 10 08:56:02 UTC: ISAKMP:(0): sending packet to x.x.x.x my_port 500 peer_port 500 (I) MM_SA_SETUP
    *Sep 10 08:56:02 UTC: ISAKMP:(0):Sending an IKE IPv4 Packet.
    *Sep 10 08:56:02 UTC: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    *Sep 10 08:56:02 UTC: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3 
    *Sep 10 08:56:02 UTC: ISAKMP (0): received packet from x.x.x.x dport 500 sport 500 Global (I) MM_SA_SETUP
    *Sep 10 08:56:02 UTC: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    *Sep 10 08:56:02 UTC: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4 
    *Sep 10 08:56:02 UTC: ISAKMP:(0): processing KE payload. message ID = 0
    *Sep 10 08:56:02 UTC: ISAKMP:(0): processing NONCE payload. message ID = 0
    *Sep 10 08:56:02 UTC: ISAKMP:(0):found peer pre-shared key matching x.x.x.x
    *Sep 10 08:56:02 UTC: ISAKMP:(2746): processing vendor id payload
    *Sep 10 08:56:02 UTC: ISAKMP:(2746): vendor ID is Unity
    *Sep 10 08:56:02 UTC: ISAKMP:(2746): processing vendor id payload
    *Sep 10 08:56:02 UTC: ISAKMP:(2746): vendor ID is DPD
    *Sep 10 08:56:02 UTC: ISAKMP:(2746): processing vendor id payload
    *Sep 10 08:56:02 UTC: ISAKMP:(2746): speaking to another IOS box!
    *Sep 10 08:56:02 UTC: ISAKMP:received payload type 20
    *Sep 10 08:56:02 UTC: ISAKMP (2746): NAT found, both nodes inside NAT
    *Sep 10 08:56:02 UTC: ISAKMP:received payload type 20
    *Sep 10 08:56:02 UTC: ISAKMP (2746): My hash no match -  this node inside NAT
    *Sep 10 08:56:02 UTC: ISAKMP:(2746):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    *Sep 10 08:56:02 UTC: ISAKMP:(2746):Old State = IKE_I_MM4  New State = IKE_I_MM4 
    *Sep 10 08:56:02 UTC: ISAKMP:(2746):Send initial contact
    *Sep 10 08:56:02 UTC: ISAKMP:(2746):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
    *Sep 10 08:56:02 UTC: ISAKMP (2746): ID payload 
    next-payload : 8
    type         : 1 
    address      : 192.168.1.101 
    protocol     : 17 
    port         : 0 
    length       : 12
    *Sep 10 08:56:02 UTC: ISAKMP:(2746):Total payload length: 12
    *Sep 10 08:56:02 UTC: ISAKMP:(2746): sending packet to x.x.x.x my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
    *Sep 10 08:56:02 UTC: ISAKMP:(2746):Sending an IKE IPv4 Packet.
    *Sep 10 08:56:02 UTC: ISAKMP:(2746):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    *Sep 10 08:56:02 UTC: ISAKMP:(2746):Old State = IKE_I_MM4  New State = IKE_I_MM5 
    *Sep 10 08:56:03 UTC: ISAKMP (2746): received packet from x.x.x.x dport 500 sport 500 Global (I) MM_KEY_EXCH
    *Sep 10 08:56:03 UTC: ISAKMP:(2746): phase 1 packet is a duplicate of a previous packet.
    *Sep 10 08:56:03 UTC: ISAKMP:(2746): retransmitting due to retransmit phase 1
    *Sep 10 08:56:04 UTC: ISAKMP:(2746): retransmitting phase 1 MM_KEY_EXCH...
    *Sep 10 08:56:04 UTC: ISAKMP (2746): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
    *Sep 10 08:56:04 UTC: ISAKMP:(2746): retransmitting phase 1 MM_KEY_EXCH
    *Sep 10 08:56:04 UTC: ISAKMP:(2746): sending packet to x.x.x.x my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
    *Sep 10 08:56:04 UTC: ISAKMP:(2746):Sending an IKE IPv4 Packet.

    This could be because the port 4500 packet that is being sent is not being received by the peer side, or the peer is ignoring that packet.
    Since the port 500 packet that you are receiving is a duplicate of the previous packet, it is definitely not a reply to the port 4500 packet.
    If you can get the debugs from the other end, you could see whether the peer side is receiving the UDP port 4500 packets.
    If not, then this could be a UDP port 4500 block at the ISP.
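    The reply above can be checked mechanically. Under RFC 3947, once the NAT-D payloads show that at least one side is behind NAT, the initiator sends the rest of Main Mode (from MM_KEY_EXCH on) from UDP 4500 and the responder answers from 4500; a peer that keeps answering from 500 with a duplicate of its last packet never saw the 4500 packets. The script below is an added example, not code from the thread: it walks "debug crypto isakmp" lines in order, records the NAT-D results and which port each packet was sent from and received on, and reports whether the port change was answered. The debug excerpts inside it are constructed to mirror the post (peer address 203.0.113.10 is a placeholder, not the poster's x.x.x.x), and the finding codes are this example's own names.

```python
import re
from dataclasses import dataclass, field

# The two IOS "debug crypto isakmp" lines that carry port numbers.
# Groups: peer, local port (my_port / dport), remote port, role (I/R), Main Mode state.
SEND_RE = re.compile(r"sending packet to (\S+) my_port (\d+) peer_port (\d+) \((\w)\) (\w+)")
RECV_RE = re.compile(r"received packet from (\S+) dport (\d+) sport (\d+) \S+ \((\w)\) (\w+)")


@dataclass
class IkeTrace:
    nat_detection: list = field(default_factory=list)  # NAT-D verdict lines, in order
    floated_to_4500: bool = False     # we have sent at least one packet from UDP 4500
    sends_on_4500: int = 0
    recvs_on_4500: int = 0
    recvs_on_500_after_float: int = 0  # peer still talking to us on 500 after our float
    duplicates_after_float: int = 0    # "phase 1 packet is a duplicate" after the float
    retransmits: int = 0
    last_state: str = ""


def analyse_isakmp_debug(lines):
    """Walk debug lines in order and record the NAT-T port behaviour of one Main Mode attempt."""
    t = IkeTrace()
    for line in lines:
        m = SEND_RE.search(line)
        if m:
            t.last_state = m.group(5)
            if m.group(2) == "4500":
                t.floated_to_4500 = True
                t.sends_on_4500 += 1
            continue
        m = RECV_RE.search(line)
        if m:
            t.last_state = m.group(5)
            if m.group(2) == "4500":
                t.recvs_on_4500 += 1
            elif t.floated_to_4500:
                t.recvs_on_500_after_float += 1
            continue
        if "NAT found" in line or "inside NAT" in line:
            t.nat_detection.append(line.split("): ", 1)[-1].strip())
        elif "duplicate of a previous packet" in line and t.floated_to_4500:
            t.duplicates_after_float += 1
        elif "retransmitting phase 1" in line:
            t.retransmits += 1
    return t


def diagnose(t):
    """Finding codes (names chosen for this example); an empty list means the port change was answered."""
    findings = []
    if not t.floated_to_4500:
        return findings  # no NAT-T port change happened, nothing below applies
    if t.recvs_on_4500 == 0:
        findings.append("NO_REPLY_ON_4500")
    if t.recvs_on_500_after_float and (t.duplicates_after_float or t.retransmits):
        # The peer is re-sending its last port-500 packet, i.e. it never received
        # our MM_KEY_EXCH on 4500: UDP 4500 is dropped somewhere between us and it.
        findings.append("UDP_4500_NOT_REACHING_PEER")
    return findings


# Constructed sample mirroring the post: float to 4500, peer keeps answering on 500.
SAMPLE_DEBUG = """\
*Sep 10 08:56:02 UTC: ISAKMP:(0): sending packet to 203.0.113.10 my_port 500 peer_port 500 (I) MM_NO_STATE
*Sep 10 08:56:02 UTC: ISAKMP (0): received packet from 203.0.113.10 dport 500 sport 500 Global (I) MM_NO_STATE
*Sep 10 08:56:02 UTC: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Sep 10 08:56:02 UTC: ISAKMP:(0): sending packet to 203.0.113.10 my_port 500 peer_port 500 (I) MM_SA_SETUP
*Sep 10 08:56:02 UTC: ISAKMP (0): received packet from 203.0.113.10 dport 500 sport 500 Global (I) MM_SA_SETUP
*Sep 10 08:56:02 UTC: ISAKMP (2746): NAT found, both nodes inside NAT
*Sep 10 08:56:02 UTC: ISAKMP (2746): My hash no match - this node inside NAT
*Sep 10 08:56:02 UTC: ISAKMP:(2746): sending packet to 203.0.113.10 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*Sep 10 08:56:03 UTC: ISAKMP (2746): received packet from 203.0.113.10 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Sep 10 08:56:03 UTC: ISAKMP:(2746): phase 1 packet is a duplicate of a previous packet.
*Sep 10 08:56:03 UTC: ISAKMP:(2746): retransmitting due to retransmit phase 1
*Sep 10 08:56:04 UTC: ISAKMP:(2746): retransmitting phase 1 MM_KEY_EXCH...
*Sep 10 08:56:04 UTC: ISAKMP (2746): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Sep 10 08:56:04 UTC: ISAKMP:(2746): retransmitting phase 1 MM_KEY_EXCH
*Sep 10 08:56:04 UTC: ISAKMP:(2746): sending packet to 203.0.113.10 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
"""

# Constructed healthy exchange: after the float the peer answers from 4500.
CLEAN_DEBUG = """\
*Sep 10 09:00:00 UTC: ISAKMP:(0): sending packet to 203.0.113.10 my_port 500 peer_port 500 (I) MM_NO_STATE
*Sep 10 09:00:00 UTC: ISAKMP (0): received packet from 203.0.113.10 dport 500 sport 500 Global (I) MM_NO_STATE
*Sep 10 09:00:00 UTC: ISAKMP:(0): sending packet to 203.0.113.10 my_port 500 peer_port 500 (I) MM_SA_SETUP
*Sep 10 09:00:00 UTC: ISAKMP (0): received packet from 203.0.113.10 dport 500 sport 500 Global (I) MM_SA_SETUP
*Sep 10 09:00:00 UTC: ISAKMP (2747): My hash no match - this node inside NAT
*Sep 10 09:00:00 UTC: ISAKMP:(2747): sending packet to 203.0.113.10 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*Sep 10 09:00:00 UTC: ISAKMP (2747): received packet from 203.0.113.10 dport 4500 sport 4500 Global (I) MM_KEY_EXCH
"""

if __name__ == "__main__":
    for name, text in (("post", SAMPLE_DEBUG), ("healthy", CLEAN_DEBUG)):
        trace = analyse_isakmp_debug(text.splitlines())
        print(name, trace.nat_detection, diagnose(trace))
```

    Run it against a spoke's real debug and, if it reports UDP_4500_NOT_REACHING_PEER, capture on the hub side: if the hub never sees UDP 4500 from the spoke's NAT address, the block is upstream (ISP or the NAT device); if it sees them and still answers from 500, the problem is on the hub.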

  • Issue with multiple crypto isakmp policies

    Hey folks,
    I'm having an issue setting up multiple crypto isakmp policies on my 1921 router. Whenever I have only one crypto isakmp policy set up like so:
    crypto isakmp policy 1
     encr aes 256
     group 5
    It works perfectly fine with my certificate tunnel group in my ASA. When I debug crypto ipsec & debug crypto isakmp and watch the connection, I see this:
    ISAKMP transform 1 against priority 1 policy
    *Oct  7 20:04:09.263: ISAKMP:      encryption AES-CBC
    *Oct  7 20:04:09.263: ISAKMP:      keylength of 256
    *Oct  7 20:04:09.263: ISAKMP:      hash SHA
    *Oct  7 20:04:09.263: ISAKMP:      default group 5
    *Oct  7 20:04:09.263: ISAKMP:      auth RSA sig
    *Oct  7 20:04:09.263: ISAKMP:      life type in seconds
    *Oct  7 20:04:09.263: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
    *Oct  7 20:04:09.263: ISAKMP:(0):atts are acceptable. Next payload is 0
    This is showing me that the handshake is verifying the policy with the "auth RSA sig" type, which is what I expected and is what I want.
    Here is where my issue actually comes up. When I add another crypto isakmp policy (2), the "authentication pre-share" overrides the "authentication rsa-sig" of policy 1. Here is what I have set up:
    crypto isakmp policy 1
     encr aes 256
     group 5
    crypto isakmp policy 2
     encr aes 256
     authentication pre-share
     group 5
    This is showing me that crypto isakmp policy 1 is set with the default authentication type of rsa-sig (in fact, if I manually enter that command under policy 1 configuration mode, it doesn't print in the show run output), and crypto isakmp policy 2 is set to authentication pre-share.
    When I debug crypto ipsec & debug crypto isakmp with this configuration, this is what I'm getting:
    56:46.259: ISAKMP:(0): PKI->IKE Got configured TrustPoints state (I) MM_NO_STATE (peer 199.46.128.5)
    *Oct  7 19:56:46.263: ISAKMP:(0):Checking ISAKMP transform 2 against priority 1 policy
    *Oct  7 19:56:46.263: ISAKMP:      encryption AES-CBC
    *Oct  7 19:56:46.263: ISAKMP:      keylength of 256
    *Oct  7 19:56:46.263: ISAKMP:      hash SHA
    *Oct  7 19:56:46.263: ISAKMP:      default group 5
    *Oct  7 19:56:46.263: ISAKMP:      auth pre-share
    *Oct  7 19:56:46.263: ISAKMP:      life type in seconds
    *Oct  7 19:56:46.263: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
    *Oct  7 19:56:46.263: ISAKMP:(0):Authentication method offered does not match policy!
    *Oct  7 19:56:46.263: ISAKMP:(0):atts are not acceptable. Next payload is 0
    *Oct  7 19:56:46.263: ISAKMP:(0):Checking ISAKMP transform 2 against priority 2 policy
    *Oct  7 19:56:46.263: ISAKMP:      encryption AES-CBC
    *Oct  7 19:56:46.263: ISAKMP:      keylength of 256
    *Oct  7 19:56:46.263: ISAKMP:      hash SHA
    *Oct  7 19:56:46.263: ISAKMP:      default group 5
    *Oct  7 19:56:46.263: ISAKMP:      auth pre-share
    *Oct  7 19:56:46.263: ISAKMP:      life type in seconds
    *Oct  7 19:56:46.263: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
    It looks like the first policy is being verified against "auth pre-share" and fails because "Authentication method offered does not match policy!". My question is, does anyone know how to correct this so that the first policy is set to authenticate via rsa-sig and the second policy is authenticated via pre-shared keys? Is there a bug that will not differentiate the authentication types between the two policies?
    Just an FYI, here is the version information of the router:
    Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.2(4)M3, RELEASE SOFTWARE (fc2)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2013 by Cisco Systems, Inc.
    Compiled Tue 26-Feb-13 02:11 by prod_rel_team
    ROM: System Bootstrap, Version 15.0(1r)M16, RELEASE SOFTWARE (fc1)
    System returned to ROM by power-on
    System image file is "usbflash0:c1900-universalk9-mz.SPA.152-4.M3.bin"
    Last reload type: Normal Reload
    Last reload reason: power-on
    This product contains cryptographic features and is subject to United
    States and local country laws governing import, export, transfer and
    use. Delivery of Cisco cryptographic products does not imply
    third-party authority to import, export, distribute or use encryption.
    Importers, exporters, distributors and users are responsible for
    compliance with U.S. and local country laws. By using this product you
    agree to comply with applicable laws and regulations. If you are unable
    to comply with U.S. and local laws, return this product immediately.
    A summary of U.S. laws governing Cisco cryptographic products may be found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
    If you require further assistance please contact us by sending email to
    export@cisco.com.
    Cisco CISCO1921/K9 (revision 1.0) with 491520K/32768K bytes of memory.
    Processor board ID FTX171385L4
    2 Gigabit Ethernet interfaces
    1 terminal line
    1 Virtual Private Network (VPN) Module
    DRAM configuration is 64 bits wide with parity disabled.
    255K bytes of non-volatile configuration memory.
    249840K bytes of USB Flash usbflash0 (Read/Write)
    License Info:
    License UDI:
    Device#   PID                   SN
    *0        CISCO1921/K9         
    Technology Package License Information for Module:'c1900'
    Technology    Technology-package           Technology-package
                  Current       Type           Next reboot
    ipbase        ipbasek9      Permanent      ipbasek9
    security      securityk9    Permanent      securityk9
    data          None          None           None
    Configuration register is 0x2102

    Thanks for the input, Walter. That isn't it though. I have plenty of sites with crypto map <name> 1 which maps to the crypto isakmp policy 2 settings. The debug is showing that the behavior is to try to authenticate through policy 1 first, and then progress to any other policies until there is a match. Since there is a match with the policy 2 settings, the tunnel comes up.
    My real question is, why would it change from "auth RSA sig" in the first debug output to "auth pre-share" in the second debug output? Judging by the config on the router, it appears to me that the line for "authentication pre-share" under policy 2 SHOULD only apply to policy 2 and SHOULD NOT override the "authentication rsa-sig" of policy 1.
    Again, when I debug crypto ipsec & debug crypto isakmp, it shows clearly that the first policy is being verified, however the "auth" is now "pre-share" and no longer "RSA sig":
    56:46.259: ISAKMP:(0): PKI->IKE Got configured TrustPoints state (I) MM_NO_STATE (peer 199.46.128.5)
    *Oct  7 19:56:46.263: ISAKMP:(0):Checking ISAKMP transform 2 against priority 1 policy
    *Oct  7 19:56:46.263: ISAKMP:      encryption AES-CBC
    *Oct  7 19:56:46.263: ISAKMP:      keylength of 256
    *Oct  7 19:56:46.263: ISAKMP:      hash SHA
    *Oct  7 19:56:46.263: ISAKMP:      default group 5
    *Oct  7 19:56:46.263: ISAKMP:      auth pre-share     <---This should read "auth RSA sig"
    *Oct  7 19:56:46.263: ISAKMP:      life type in seconds
    *Oct  7 19:56:46.263: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
    *Oct  7 19:56:46.263: ISAKMP:(0):Authentication method offered does not match policy!
    *Oct  7 19:56:46.263: ISAKMP:(0):atts are not acceptable. Next payload is 0
    *Oct  7 19:56:46.263: ISAKMP:(0):Checking ISAKMP transform 2 against priority 2 policy
    *Oct  7 19:56:46.263: ISAKMP:      encryption AES-CBC
    *Oct  7 19:56:46.263: ISAKMP:      keylength of 256
    *Oct  7 19:56:46.263: ISAKMP:      hash SHA
    *Oct  7 19:56:46.263: ISAKMP:      default group 5
    *Oct  7 19:56:46.263: ISAKMP:      auth pre-share
    *Oct  7 19:56:46.263: ISAKMP:      life type in seconds
    *Oct  7 19:56:46.263: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80

  • Why won't my DMVPN get past phase 1 ISAKMP?

    I’m trying to set up a DMVPN solution with the hub behind a firewall using a static 1-to-1 NAT.
    I can get the DMVPN to work fine, but once I add the IPsec policy it doesn’t get past ISAKMP phase 1.
    I have put rules in the firewall to allow NAT-T, GRE tunnels, ESP and AH; I have also put in an allow-any-any rule just in case I missed something! I was getting a NAT-T issue but then put in the command no crypto ipsec nat-transparency udp-encapsulation and this solved the issue and ISAKMP phase 1 completed. I have also tried changing the mode from tunnel to transport and back again.
    I have tried crypto maps as I wasn’t sure if it was a UDP header issue due to the NATing.
    My setup is as follows:
    Cisco 1941 -------- JUNIPER SRX -------- CLOUD -------- Cisco 3825
      (HUB)           (FIREWALL)        (SW 3750)       (SPOKE)
                  (STATIC 1-to-1 NAT)
    --------------HUB--------------------------
    Cisco 1941 - HUB
    Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.2(4)M2, RELEASE SOFTWARE (fc2)
    version 15.2
    crypto isakmp policy 1
     authentication pre-share
    crypto isakmp key TTCP_KEY address 0.0.0.0
    crypto isakmp keepalive 10 3
    crypto isakmp nat keepalive 200
    crypto ipsec transform-set TTCP_SET esp-aes esp-sha-hmac
     mode transport
    no crypto ipsec nat-transparency udp-encapsulation
    crypto ipsec profile TTCP_PRO
     set transform-set TTCP_SET
    interface Tunnel12345
     description DMVPN TUNNEL
     ip address 10.10.10.1 255.255.255.0
     no ip redirects
     ip nhrp map multicast dynamic
     ip nhrp network-id 12345
     tunnel source GigabitEthernet0/0
     tunnel mode gre multipoint
     tunnel protection ipsec profile TTCP_PRO
    interface GigabitEthernet0/0
     description LINK TO FW ON VLAN 1960
     ip address 192.168.10.1 255.255.255.0
     duplex auto
     speed auto
    interface GigabitEthernet0/1
     ip address 192.168.20.254 255.255.255.0
     duplex auto
     speed auto
    router ospf 1
     network 10.10.10.0 0.0.0.255 area 0
    ip route 0.0.0.0 0.0.0.0 192.168.10.254
    ----------------------Spoke--------------------------
    cisco 3825 - Spoke
    Cisco IOS Software, 3800 Software (C3825-ADVENTERPRISEK9-M), Version 15.1(4)M5, RELEASE SOFTWARE (fc1)
    version 15.1
    crypto isakmp policy 1
     authentication pre-share
    crypto isakmp key TTCP_KEY address 0.0.0.0 0.0.0.0
    crypto isakmp keepalive 10 3
    crypto isakmp nat keepalive 200
    crypto ipsec transform-set TTCP_SET esp-aes esp-sha-hmac
     mode transport
    no crypto ipsec nat-transparency udp-encapsulation
    crypto ipsec profile TTCP_PRO
     set transform-set TTCP_SET
    interface Tunnel12345
     description DMVPN TUNNEL
     ip address 10.10.10.2 255.255.255.0
     no ip redirects
     ip nhrp map 10.10.10.1 1.1.1.1
     ip nhrp map multicast 1.1.1.1
     ip nhrp network-id 12345
     ip nhrp nhs 10.10.10.1
     tunnel source GigabitEthernet0/0
     tunnel mode gre multipoint
     tunnel protection ipsec profile TTCP_PRO
    interface GigabitEthernet0/0
     description LINK TO INTERNET
     ip address 2.2.2.2 255.255.255.0
     duplex auto
     speed auto
     media-type rj45
    interface GigabitEthernet0/1
     ip address 192.168.30.1 255.255.255.0
     duplex auto
     speed auto
     media-type rj45
    router ospf 1
     network 10.10.10.0 0.0.0.255 area 0
    ip route 0.0.0.0 0.0.0.0 2.2.2.3
    ------------------------FIREWALL---------------------------
    [edit]
    Admin@UK_FIREWALL# show
    ## Last changed: 2014-07-23 19:54:53 UTC
    version 10.4R6.5;
    system {
        host-name FIREWALL;
        services {
            ssh;
            telnet;
            xnm-clear-text;
            web-management {
                http {
                    interface vlan.0;
                }
                https {
                    system-generated-certificate;
                    interface vlan.0;
                }
            }
            dhcp {
                router {
                    192.168.20.254;
                }
                pool 192.168.20.0/24 {
                    address-range low 192.168.20.20 high 192.168.20.250;
                    default-lease-time 3600;
                    propagate-settings vlan.1960;
                }
            }
        }
    }
    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    address 1.1.1.1/24;
                }
            }
        }
        ge-0/0/7 {
            unit 0 {
                family ethernet-switching {
                    port-mode access;
                    vlan {
                        members vlan1960;
                    }
                }
            }
        }
        vlan {
            unit 0 {
                family inet {
                    address 192.168.1.1/24;
                }
            }
            unit 1960 {
                family inet {
                    address 192.168.10.254/24;
                }
            }
        }
    }
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 1.1.1.2;
        }
    }
    protocols {
        stp;
    }
    security {
        nat {
            static {
                rule-set STATIC_NAT_RS1 {
                    from zone untrust;
                    rule NAT_RULE {
                        match {
                            destination-address 1.1.1.1/32;
                        }
                        then {
                            static-nat prefix 192.168.10.10/32;
                        }
                    }
                }
            }
        }
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        zones {
            security-zone trust {
                address-book {
                    address SERVER-1 192.168.10.10/32;
                }
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    vlan.1960 {
                        host-inbound-traffic {
                            system-services {
                                dhcp;
                                all;
                                ike;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                    ge-0/0/7.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                                ike;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                }
            }
            security-zone untrust {
                screen untrust-screen;
                interfaces {
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                dhcp;
                                tftp;
                                all;
                                ike;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                }
            }
        }
        policies {
            from-zone trust to-zone untrust {
                policy PERMIT_ALL {
                    match {
                        source-address SERVER-1;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
                policy ALLOW_ESP {
                    match {
                        source-address any;
                        destination-address any;
                        application ESP;
                    }
                    then {
                        permit;
                    }
                }
                policy ALLOW_IKE_500 {
                    match {
                        source-address any;
                        destination-address any;
                        application junos-ike;
                    }
                    then {
                        permit;
                    }
                }
                policy ALLOW_PING {
                    match {
                        source-address any;
                        destination-address any;
                        application junos-icmp-ping;
                    }
                    then {
                        permit;
                    }
                }
                policy ALLOW_NAT-T {
                    match {
                        source-address any;
                        destination-address any;
                        application junos-ike-nat;
                    }
                    then {
                        permit;
                    }
                }
                policy ALLOW_GRE {
                    match {
                        source-address any;
                        destination-address any;
                        application junos-gre;
                    }
                    then {
                        permit;
                    }
                }
                policy AH_51 {
                    match {
                        source-address any;
                        destination-address any;
                        application AH_PO_51;
                    }
                    then {
                        permit;
                    }
                }
                policy ANY_ANY {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone untrust to-zone trust {
                policy ACCESS {
                    match {
                        source-address any;
                        destination-address SERVER-1;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
                policy ALLOW_ESP {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
                policy ALLOW_IKE_500 {
                    match {
                        source-address any;
                        destination-address any;
                        application junos-ike;
                    }
                    then {
                        permit;
                    }
                }
                policy ALLOW_PING {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
                policy ALLOW_GRE {
                    match {
                        source-address any;
                        destination-address any;
                        application junos-gre;
                    }
                    then {
                        permit;
                    }
                }
                policy ALLOW_NAT-T {
                    match {
                        source-address any;
                        destination-address any;
                        application junos-ike-nat;
                    }
                    then {
                        permit;
                    }
                }
                policy AH_51 {
                    match {
                        source-address any;
                        destination-address any;
                        application AH_PO_51;
                    }
                    then {
                        permit;
                    }
                }
                policy ANY_ANY {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
    }
    applications {
        application ESP protocol esp;
        application AH_PO_51 protocol ah;
    }
    vlans {
        vlan-trust {
            vlan-id 3;
        }
        vlan1960 {
            vlan-id 1960;
            interface {
                ge-0/0/7.0;
            }
            l3-interface vlan.1960;
        }
    }
    ------------------------------DEBUG------------------------------
    -----------Cisco 1941-----------------
    HUB#sh cry is sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id status
    192.168.10.1  2.2.2.2   QM_IDLE           1006 ACTIVE
    IPv6 Crypto ISAKMP SA
    UK_HUB#sh dm
    Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
            N - NATed, L - Local, X - No Socket
            # Ent --> Number of NHRP entries with same NBMA peer
            NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
            UpDn Time --> Up or Down Time for a Tunnel
    ==========================================================================
    UK_HUB# debug dm al al
    *Jul 25 12:22:39.036: NHRP RIB_RWATCH: Debugging is OFF
    *Jul 25 12:22:39.036: NHRP RIB_RWATCH: Debugging is ON
    *Jul 25 12:22:58.976: ISAKMP:(1006):purging node 1130853900
    *Jul 25 12:23:14.704: ISAKMP (1006): received packet from 2.2.2.2 dport 500 sport 500 Global (R) QM_IDLE
    *Jul 25 12:23:14.708: ISAKMP: set new node 670880728 to QM_IDLE
    *Jul 25 12:23:14.708: ISAKMP:(1006): processing HASH payload. message ID = 670880728
    *Jul 25 12:23:14.708: ISAKMP:(1006): processing SA payload. message ID = 670880728
    *Jul 25 12:23:14.708: ISAKMP:(1006):Checking IPSec proposal 1
    *Jul 25 12:23:14.708: ISAKMP: transform 1, ESP_AES
    *Jul 25 12:23:14.708: ISAKMP:   attributes in transform:
    *Jul 25 12:23:14.708: ISAKMP:      encaps is 2 (Transport)
    *Jul 25 12:23:14.708: ISAKMP:      SA life type in seconds
    *Jul 25 12:23:14.708: ISAKMP:      SA life duration (basic) of 3600
    *Jul 25 12:23:14.708: ISAKMP:      SA life type in kilobytes
    *Jul 25 12:23:14.708: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
    *Jul 25 12:23:14.708: ISAKMP:      authenticator is HMAC-SHA
    *Jul 25 12:23:14.708: ISAKMP:      key length is 128
    *Jul 25 12:23:14.708: ISAKMP:(1006):atts are acceptable.
    *Jul 25 12:23:14.708: IPSEC(validate_proposal_request): proposal part #1
    *Jul 25 12:23:14.708: IPSEC(validate_proposal_request): proposal part #1,
      (key eng. msg.) INBOUND local= 192.168.10.1:0, remote= 2.2.2.2:0,
        local_proxy= 1.1.1.1/255.255.255.255/47/0,
        remote_proxy= 2.2.2.2/255.255.255.255/47/0,
        protocol= ESP, transform= NONE  (Transport),
        lifedur= 0s and 0kb,
        spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
    *Jul 25 12:23:14.708: map_db_find_best did not find matching map
    *Jul 25 12:23:14.708: IPSEC(ipsec_process_proposal): proxy identities not supported
    *Jul 25 12:23:14.708: ISAKMP:(1006): IPSec policy invalidated proposal with error 32
    *Jul 25 12:23:14.708: ISAKMP:(1006): phase 2 SA policy not acceptable! (local 192.168.10.1 remote 2.2.2.2)
    *Jul 25 12:23:14.708: ISAKMP: set new node 2125889339 to QM_IDLE
    *Jul 25 12:23:14.708: ISAKMP:(1006):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
            spi 838208952, message ID = 2125889339
    *Jul 25 12:23:14.708: ISAKMP:(1006): sending packet to 2.2.2.2 my_port 500 peer_port 500 (R) QM_IDLE
    *Jul 25 12:23:14.708: ISAKMP:(1006):Sending an IKE IPv4 Packet.
    *Jul 25 12:23:14.708: ISAKMP:(1006):purging node 2125889339
    *Jul 25 12:23:14.708: ISAKMP:(1006):deleting node 670880728 error TRUE reason "QM rejected"
    *Jul 25 12:23:14.708: ISAKMP:(1006):Node 670880728, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
    *Jul 25 12:23:14.708: ISAKMP:(1006):Old State = IKE_QM_READY  New State = IKE_QM_READY
    *Jul 25 12:23:28.976: ISAKMP:(1006):purging node 720369228
    *Jul 25 12:23:44.704: ISAKMP (1006): received packet from 2.2.2.2 dport 500 sport 500 Global (R) QM_IDLE
    *Jul 25 12:23:44.704: ISAKMP: set new node -1528560613 to QM_IDLE
    *Jul 25 12:23:44.704: ISAKMP:(1006): processing HASH payload. message ID = 2766406683
    *Jul 25 12:23:44.704: ISAKMP:(1006): processing SA payload. message ID = 2766406683
    *Jul 25 12:23:44.704: ISAKMP:(1006):Checking IPSec proposal 1
    *Jul 25 12:23:44.704: ISAKMP: transform 1, ESP_AES
    *Jul 25 12:23:44.704: ISAKMP:   attributes in transform:
    *Jul 25 12:23:44.704: ISAKMP:      encaps is 2 (Transport)
    *Jul 25 12:23:44.704: ISAKMP:      SA life type in seconds
    *Jul 25 12:23:44.704: ISAKMP:      SA life duration (basic) of 3600
    *Jul 25 12:23:44.704: ISAKMP:      SA life type in kilobytes
    *Jul 25 12:23:44.704: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
    *Jul 25 12:23:44.708: ISAKMP:      authenticator is HMAC-SHA
    *Jul 25 12:23:44.708: ISAKMP:      key length is 128
    *Jul 25 12:23:44.708: ISAKMP:(1006):atts are acceptable.
    *Jul 25 12:23:44.708: IPSEC(validate_proposal_request): proposal part #1
    *Jul 25 12:23:44.708: IPSEC(validate_proposal_request): proposal part #1,
      (key eng. msg.) INBOUND local= 192.168.10.1:0, remote= 2.2.2.2:0,
        local_proxy= 1.1.1.1/255.255.255.255/47/0,
        remote_proxy= 2.2.2.2/255.255.255.255/47/0,
        protocol= ESP, transform= NONE  (Transport),
        lifedur= 0s and 0kb,
        spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
    *Jul 25 12:23:44.708: map_db_find_best did not find matching map
    *Jul 25 12:23:44.708: IPSEC(ipsec_process_proposal): proxy identities not supported
    *Jul 25 12:23:44.708: ISAKMP:(1006): IPSec policy invalidated proposal with error 32
    *Jul 25 12:23:44.708: ISAKMP:(1006): phase 2 SA policy not acceptable! (local 192.168.10.1 remote 2.2.2.2)
    *Jul 25 12:23:44.708: ISAKMP: set new node 1569673109 to QM_IDLE
    *Jul 25 12:23:44.708: ISAKMP:(1006):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
            spi 838208952, message ID = 1569673109
    *Jul 25 12:23:44.708: ISAKMP:(1006): sending packet to 2.2.2.2 my_port 500 peer_port 500 (R) QM_IDLE
    *Jul 25 12:23:44.708: ISAKMP:(1006):Sending an IKE IPv4 Packet.
    *Jul 25 12:23:44.708: ISAKMP:(1006):purging node 1569673109
    *Jul 25 12:23:44.708: ISAKMP:(1006):deleting node -1528560613 error TRUE reason "QM rejected"
    *Jul 25 12:23:44.708: ISAKMP:(1006):Node 2766406683, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
    *Jul 25 12:23:44.708: ISAKMP:(1006):Old State = IKE_QM_READY  New State = IKE_QM_READY
    ---------Cisco 3825------------------
    SPOKE_1#sh dm
    Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
            N - NATed, L - Local, X - No Socket
            # Ent --> Number of NHRP entries with same NBMA peer
            NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
            UpDn Time --> Up or Down Time for a Tunnel
    ==========================================================================
    Interface: Tunnel12345, IPv4 NHRP Details
    Type:Spoke, NHRP Peers:1,
     # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
         1   1.1.1.1      10.10.10.1 IPSEC    1d22h     S
    SPOKE_1#sh cry is sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id status
    1.1.1.1   2.2.2.2   QM_IDLE           1006 ACTIVE
    IPv6 Crypto ISAKMP SA
    SPOKE_1#debug dm all all
    *Jul 25 12:50:23.520: IPSEC(sa_request): ,
      (key eng. msg.) OUTBOUND local= 2.2.2.2:500, remote= 1.1.1.1:500,
        local_proxy= 2.2.2.2/255.255.255.255/47/0 (type=1),
        remote_proxy= 1.1.1.1/255.255.255.255/47/0 (type=1),
        protocol= ESP, transform= esp-aes esp-sha-hmac  (Transport),
        lifedur= 3600s and 4608000kb,
        spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
    *Jul 25 12:50:23.520: ISAKMP: set new node 0 to QM_IDLE
    *Jul 25 12:50:23.520: SA has outstanding requests  (local 112.176.96.152 port 500, remote 112.176.96.124 port 500)
    *Jul 25 12:50:23.520: ISAKMP:(1006): sitting IDLE. Starting QM immediately (QM_IDLE      )
    *Jul 25 12:50:23.520: ISAKMP:(1006):beginning Quick Mode exchange, M-ID of 1627587566
    *Jul 25 12:50:23.520: ISAKMP:(1006):QM Initiator gets spi
    *Jul 25 12:50:23.520: ISAKMP:(1006): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) QM_IDLE
    *Jul 25 12:50:23.520: ISAKMP:(1006):Sending an IKE IPv4 Packet.
    *Jul 25 12:50:23.520: ISAKMP:(1006):Node 1627587566, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
    *Jul 25 12:50:23.520: ISAKMP:(1006):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
    *Jul 25 12:50:23.524: ISAKMP (1006): received packet from 1.1.1.1 dport 500 sport 500 Global (I) QM_IDLE
    *Jul 25 12:50:23.524: ISAKMP: set new node -1682318828 to QM_IDLE
    *Jul 25 12:50:23.524: ISAKMP:(1006): processing HASH payload. message ID = 2612648468
    *Jul 25 12:50:23.524: ISAKMP:(1006): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
            spi 484617190, message ID = 2612648468, sa = 0x70B05F14
    *Jul 25 12:50:23.524: ISAKMP:(1006): deleting spi 484617190 message ID = 1627587566
    *Jul 25 12:50:23.524: ISAKMP:(1006):deleting node 1627587566 error TRUE reason "Delete Larval"
    *Jul 25 12:50:23.524: ISAKMP:(1006):deleting node -1682318828 error FALSE reason "Informational (in) state 1"
    *Jul 25 12:50:23.524: ISAKMP:(1006):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
    *Jul 25 12:50:23.524: ISAKMP:(1006):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
    *Jul 25 12:50:34.972: NHRP: Setting retrans delay to 64 for nhs  dst 10.10.10.1
    *Jul 25 12:50:34.972: IPSEC-IFC MGRE/Tu12345(2.2.2.2/1.1.1.1): connection lookup returned 691EDEF4
    *Jul 25 12:50:34.972: NHRP: Attempting to send packet via DEST 10.10.10.1
    *Jul 25 12:50:34.972: NHRP: NHRP successfully resolved 10.10.10.1 to NBMA 1.1.1.1
    *Jul 25 12:50:34.972: NHRP: Encapsulation succeeded.  Tunnel IP addr 1.1.1.1
    *Jul 25 12:50:34.972: NHRP: Send Registration Request via Tunnel12345 vrf 0, packet size: 92
    *Jul 25 12:50:34.972:  src: 10.12.34.1, dst: 10.10.10.1
    *Jul 25 12:50:34.972:  (F) afn: IPv4(1), type: IP(800), hop: 255, ver: 1
    *Jul 25 12:50:34.972:      shtl: 4(NSAP), sstl: 0(NSAP)
    *Jul 25 12:50:34.972:      pktsz: 92 extoff: 52
    *Jul 25 12:50:34.972:  (M) flags: "unique nat ", reqid: 65537
    *Jul 25 12:50:34.972:      src NBMA: 2.2.2.2
    *Jul 25 12:50:34.972:      src protocol: 10.12.34.1, dst protocol: 10.10.10.1
    *Jul 25 12:50:34.972:  (C-1) code: no error(0)
    *Jul 25 12:50:34.972:        prefix: 32, mtu: 17916, hd_time: 7200
    *Jul 25 12:50:34.972:        addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 0
    *Jul 25 12:50:34.972: Responder Address Extension(3):
    *Jul 25 12:50:34.972: Forward Transit NHS Record Extension(4):
    *Jul 25 12:50:34.972: Reverse Transit NHS Record Extension(5):
    *Jul 25 12:50:34.972: NAT address Extension(9):
    *Jul 25 12:50:34.972:  (C-1) code: no error(0)
    *Jul 25 12:50:34.972:        prefix: 32, mtu: 17916, hd_time: 0
    *Jul 25 12:50:34.972:        addr_len: 4(NSAP), subaddr_len: 0(NSAP), proto_len: 4, pref: 0
    *Jul 25 12:50:34.972:        client NBMA: 1.1.1.1
    *Jul 25 12:50:34.972:        client protocol: 10.10.10.1
    *Jul 25 12:50:34.972: NHRP: 116 bytes out Tunnel12345
    *Jul 25 12:50:34.972: NHRP-RATE: Retransmitting Registration Request for 10.10.10.1, reqid 65537, (retrans ivl 64 sec)
    *Jul 25 12:50:36.132: ISAKMP:(1006):purging node 1566291204
    *Jul 25 12:50:36.132: ISAKMP:(1006):purging node 742410882
    *Jul 25 12:50:53.520: IPSEC(key_engine): request timer fired: count = 1,
      (identity) local= 2.2.2.2:0, remote= 1.1.1.1:0,
        local_proxy= 2.2.2.2/255.255.255.255/47/0 (type=1),
        remote_proxy= 1.1.1.1/255.255.255.255/47/0 (type=1)
    *Jul 25 12:50:53.520: IPSEC(sa_request): ,
      (key eng. msg.) OUTBOUND local= 2.2.2.2:500, remote= 1.1.1.1:500,
        local_proxy= 2.2.2.2/255.255.255.255/47/0 (type=1),
        remote_proxy= 1.1.1.1/255.255.255.255/47/0 (type=1),
        protocol= ESP, transform= esp-aes esp-sha-hmac  (Transport),
        lifedur= 3600s and 4608000kb,
        spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
    *Jul 25 12:50:53.520: ISAKMP: set new node 0 to QM_IDLE
    *Jul 25 12:50:53.520: SA has outstanding requests  (local 112.176.96.152 port 500, remote 112.176.96.124 port 500)
    *Jul 25 12:50:53.520: ISAKMP:(1006): sitting IDLE. Starting QM immediately (QM_IDLE      )
    *Jul 25 12:50:53.520: ISAKMP:(1006):beginning Quick Mode exchange, M-ID of 2055556995
    *Jul 25 12:50:53.520: ISAKMP:(1006):QM Initiator gets spi
    *Jul 25 12:50:53.520: ISAKMP:(1006): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) QM_IDLE
    *Jul 25 12:50:53.520: ISAKMP:(1006):Sending an IKE IPv4 Packet.
    *Jul 25 12:50:53.520: ISAKMP:(1006):Node 2055556995, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
    *Jul 25 12:50:53.520: ISAKMP:(1006):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
    *Jul 25 12:50:53.520: ISAKMP (1006): received packet from 1.1.1.1 dport 500 sport 500 Global (I) QM_IDLE
    *Jul 25 12:50:53.520: ISAKMP: set new node -1428573279 to QM_IDLE
    *Jul 25 12:50:53.524: ISAKMP:(1006): processing HASH payload. message ID = 2866394017
    *Jul 25 12:50:53.524: ISAKMP:(1006): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
            spi 2888331328, message ID = 2866394017, sa = 0x70B05F14
    *Jul 25 12:50:53.524: ISAKMP:(1006): deleting spi 2888331328 message ID = 2055556995
    *Jul 25 12:50:53.524: ISAKMP:(1006):deleting node 2055556995 error TRUE reason "Delete Larval"
    *Jul 25 12:50:53.524: ISAKMP:(1006):deleting node -1428573279 error FALSE reason "Informational (in) state 1"
    *Jul 25 12:50:53.524: ISAKMP:(1006):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
    *Jul 25 12:50:53.524: ISAKMP:(1006):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

    Some time ago I was running a similar setup, but the firewall was an ASA, not a Juniper.
    Some comments:
    You shouldn't disable NAT transparency. It should work with the default setting, which is "enabled".
    The firewall only has to allow UDP/500 and UDP/4500. It will never see any other traffic between the hub and spoke.
    The firewall shouldn't do any inspections etc. on the traffic to the hub.
    You shouldn't use wildcard PSKs. The better solution is to use digital certificates.
    You probably need some MTU/MSS settings like "ip mtu 1400" and "ip tcp adjust-mss 1360".
    For running OSPF through DMVPN, make sure the hub is the DR and set the network type to broadcast.
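The debug output quoted above shows phase 1 reaching QM_IDLE while every quick mode attempt ends in PROPOSAL_NOT_CHOSEN (the hub evaluates a GRE/47 transport-mode proposal with `transform= NONE` and finds no matching map). As an added example that is not part of any post in this thread, this Python triage script pulls the proposal each side saw and the failure markers out of such `debug crypto isakmp` / `debug crypto ipsec` text; the sample input is copied from the hub and spoke logs above, trimmed to the relevant lines.

```python
import re
# Debug excerpts copied from the hub and spoke output above, trimmed to the lines that matter.
HUB_DEBUG = """\
*Jul 25 12:23:44.708: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 192.168.10.1:0, remote= 2.2.2.2:0,
    local_proxy= 1.1.1.1/255.255.255.255/47/0,
    remote_proxy= 2.2.2.2/255.255.255.255/47/0,
    protocol= ESP, transform= NONE  (Transport),
*Jul 25 12:23:44.708: IPSEC(ipsec_process_proposal): proxy identities not supported
*Jul 25 12:23:44.708: ISAKMP: set new node 1569673109 to QM_IDLE
"""
SPOKE_DEBUG = """\
*Jul 25 12:50:23.520: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 2.2.2.2:500, remote= 1.1.1.1:500,
    local_proxy= 2.2.2.2/255.255.255.255/47/0 (type=1),
    remote_proxy= 1.1.1.1/255.255.255.255/47/0 (type=1),
    protocol= ESP, transform= esp-aes esp-sha-hmac  (Transport),
*Jul 25 12:50:23.524: ISAKMP:(1006): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
*Jul 25 12:50:23.524: ISAKMP:(1006):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
"""
START_RE = re.compile(r"IPSEC\((validate_proposal_request|sa_request)\)")  # start of a key-engine block
PEERS_RE = re.compile(r"local= ([\d.]+):\d+, remote= ([\d.]+):\d+")
PROXY_RE = re.compile(r"(local|remote)_proxy= ([\d.]+/[\d.]+/\d+/\d+)")   # addr/mask/proto/port
XFORM_RE = re.compile(r"transform= (.+?)\s+\((Transport|Tunnel)\)")
FAILURES = {  # substring in the debug line -> what it means for phase 2
    "proxy identities not supported": "responder has no crypto map / IPsec profile covering these proxies",
    "NOTIFY PROPOSAL_NOT_CHOSEN": "phase 2 proposal rejected (PROPOSAL_NOT_CHOSEN)",
}

def parse_debug(text):
    """Return (proposals, failures): one dict per key-engine block, plus every failure marker seen."""
    proposals, failures, cur = [], [], None
    for line in text.splitlines():
        if (m := START_RE.search(line)):
            cur = {"role": "responder" if m[1] == "validate_proposal_request" else "initiator"}
            proposals.append(cur)
        elif cur is not None and (m := PEERS_RE.search(line)):
            cur["local"], cur["remote"] = m[1], m[2]
        elif cur is not None and (m := PROXY_RE.search(line)):
            cur[m[1] + "_proxy"] = m[2]
        elif cur is not None and (m := XFORM_RE.search(line)):
            cur["transform"], cur["mode"] = m[1], m[2]
        failures += [(k, v) for k, v in FAILURES.items() if k in line]
    return proposals, failures

def diagnose(text):
    """Verdict: did phase 1 complete, was phase 2 rejected, and what proposal was on the table."""
    proposals, failures = parse_debug(text)
    return {"phase1_up": "QM_IDLE" in text or "IKE_P1_COMPLETE" in text,
            "phase2_rejected": bool(failures), "reasons": sorted({v for _, v in failures}),
            "proposals": proposals}
```

For both sides the verdict is phase 1 up, phase 2 rejected, which points at the IPsec profile / transform set on the hub rather than at the PSK or ISAKMP policy.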
