IEOC CCIE Forums

Latest post 01-02-2015 5:25 AM by leonmccalla. 6 replies.
  • 01-02-2015 1:23 AM

    Task 4.2 DMVPN Overlay Connectivity

    Hi, I set the IPsec on the DMVPN on hub and spokes as per the solution guide, but I get the error on all DMVPN endpoints.

    I am using CSR1000v on a rack rentals site.

    R18(config-if)#
    *Jan  2 02:18:24.458: %ACE-3-TRANSERR: IOSXE-ESP(11): IKEA trans 0x63; opcode 0x60; param 0x2F; error 0x5; retry cnt 0
    *Jan  2 02:18:24.459: %ACE-3-TRANSERR: IOSXE-ESP(11): IKEA trans 0x65; opcode 0x60; param 0x30; error 0x5; retry cnt 0
    R18(config-if)#

    EIGRP does not come up, but removing the IPsec profile from the Tunnel 100 interfaces brings EIGRP up and DMVPN works fine.

    Any suggestions?

    Regards,

    Sal

  • 01-02-2015 2:03 AM In reply to

    Re: Task 4.2 DMVPN Overlay Connectivity

    Please post your IPsec config.

    Leon

  • 01-02-2015 3:58 AM In reply to

    • JoeM
    • Top 10 Contributor
    • Joined on 04-15-2012
    • Guadalajara, Mexico
    • Elite
    • Points 31,265

    Re: Task 4.2 DMVPN Overlay Connectivity

    Hi Sal,

    I am not familiar with this output.  Maybe someone can shed some light on this.

    From a troubleshooting perspective, this is a great opportunity to use the show/debug commands, as well as understand the process.

    First, it is good to know that the tunnels work without ipsec.   So we need to know where in the isakmp/ipsec process this is being stopped.

    show crypto session

    show crypto isakmp sa 
    debug crypto isakmp  <-- are the policy attributes accepted

    show crypto ipsec sa  <--  this does not matter until we get isakmp working
    debug crypto ipsec

     

    If you want to post only the crypto configs, we may be able to spot the issue quickly. But I am willing to go through the TS process from the show/debug commands.

  • 01-02-2015 5:03 AM In reply to

    Re: Task 4.2 DMVPN Overlay Connectivity

    Hi JoeM,

    Thanks for your interest in troubleshooting this.

    The configs are:

    R18
    ---
    crypto isakmp policy 18
     encr aes 192
     hash sha256
     authentication pre-share
     group 5
    crypto isakmp key DmvPn!23 address 89.211.116.16
    crypto isakmp key DmvPn!23 address 89.211.117.17
    crypto ipsec transform-set TRANS_SET ah-sha-hmac esp-aes esp-sha-hmac
     mode transport
    !
    crypto ipsec profile CRY_PROFILE
     set transform-set TRANS_SET

    int tu 100
     tunnel protection ipsec profile CRY_PROFILE
    !

    R16
    ---
    crypto isakmp policy 16
     encr aes 192
     hash sha256
     authentication pre-share
     group 5
    !
    crypto isakmp key DmvPn!23 address 202.4.180.0
    !
    crypto ipsec transform-set TRANS_SET ah-sha-hmac esp-aes esp-sha-hmac
     mode transport
    !
    crypto ipsec profile CRY_PROFILE
     set transform-set TRANS_SET

    int tu 100
     tunnel protection ipsec profile CRY_PROFILE
    !

    R17
    --
    crypto isakmp policy 17
     encr aes 192
     hash sha256
     authentication pre-share
     group 5
    !
    crypto isakmp key DmvPn!23 address 202.4.180.0
    !
    crypto ipsec transform-set TRANS_SET ah-sha-hmac esp-aes esp-sha-hmac
     mode transport
    !
    crypto ipsec profile CRY_PROFIL
    !
    crypto ipsec profile CRY_PROFILE
     set transform-set TRANS_SET

    int tu 100
     tunnel protection ipsec profile CRY_PROFILE
    !

    R18
    ---
    interface Tunnel100
     ip address 172.100.123.18 255.255.255.0
     no ip redirects
     ip mtu 1400
     ip nhrp authentication NHRPKEY
     ip nhrp map multicast dynamic
     ip nhrp network-id 123
     ip nhrp holdtime 300
     ip tcp adjust-mss 1360
     tunnel source 202.4.180.0
     tunnel mode gre multipoint
     tunnel key 123
     tunnel protection ipsec profile CRY_PROFILE

    R16
    --
    interface Tunnel100
     ip address 172.100.123.16 255.255.255.0
     no ip redirects
     ip mtu 1400
     ip nhrp authentication NHRPKEY
     ip nhrp map 172.100.123.18 202.4.180.0
     ip nhrp map multicast 202.4.180.0
     ip nhrp nhs 172.100.123.18
     ip nhrp network-id 123
     ip nhrp holdtime 300
     ip tcp adjust-mss 1360
     tunnel source 89.211.116.16
     tunnel mode gre multipoint
     tunnel key 123
     tunnel protection ipsec profile CRY_PROFIL
    !

    R17
    --
    interface Tunnel100
     ip address 172.100.123.17 255.255.255.0
     no ip redirects
     ip mtu 1400
     ip nhrp authentication NHRPKEY
     ip nhrp map 172.100.123.18 202.4.180.0
     ip nhrp map multicast 202.4.180.0
     ip nhrp nhs 172.100.123.18
     ip nhrp network-id 123
     ip nhrp holdtime 300
     ip tcp adjust-mss 1360
     tunnel source 89.211.117.17
     tunnel mode gre multipoint
     tunnel key 123
     tunnel protection ipsec profile CRY_PROFIL

  • 01-02-2015 5:25 AM In reply to

    Re: Task 4.2 DMVPN Overlay Connectivity

    Try using an ESP-only transform set of "esp-aes esp-sha-hmac". I've seen bugs discussed on the internet when AH and ESP are used together.

     

    Leon

  • 01-02-2015 5:57 AM In reply to

    • JoeM
    • Top 10 Contributor
    • Joined on 04-15-2012
    • Guadalajara, Mexico
    • Elite
    • Points 31,265

    Re: Task 4.2 DMVPN Overlay Connectivity

    No problem.  I have not looked at the workbook task, so I am just looking at your config.  Good practice.  ;-)

     

    I do not see anything wrong in the crypto configs. Everything matches, and the isakmp key/addresses seem correct.  Have you shut and no shut the tunnels, especially the spokes?   A reboot would be a last resort, as BrianM has suggested that this can resolve any order-of-operations issues.

    I would really like to see the output for the following two show commands. This would be the very first step for me before moving on to the IPsec stage or doing a debug. We need to piece together the story: where is the process stopped?

           show crypto session
           show crypto isakmp sa

     

    I am also wondering about the policy numbers that you are using. I think that these are taken in order, and you have them set as 16-18. So are there any other straggler policies? An isakmp debug (debug crypto isakmp) will tell us if there are any issues with the attributes. The debug will clearly say if they are acceptable or not.

     

    I am concentrating on R18-R16. After we resolve this connection, we can apply the fix to R17.

    R18 (hub) ================================
    crypto isakmp policy 18
           encr aes 192
           hash sha256
           authentication pre-share
           group 5
    crypto isakmp key DmvPn!23 address 89.211.116.16    
    crypto isakmp key DmvPn!23 address 89.211.117.17 

    crypto ipsec transform-set TRANS_SET ah-sha-hmac esp-aes esp-sha-hmac
           mode transport
    crypto ipsec profile CRY_PROFILE
           set transform-set TRANS_SET

    interface Tunnel100
           ip address 172.100.123.18 255.255.255.0
           ip mtu 1400
           ip tcp adjust-mss 1360
           tunnel source 202.4.180.0
           tunnel protection ipsec profile CRY_PROFILE


     R16 (spoke)================================
    crypto isakmp policy 16
           encr aes 192
           hash sha256
           authentication pre-share
           group 5
    crypto isakmp key DmvPn!23 address 202.4.180.0  

    crypto ipsec transform-set TRANS_SET ah-sha-hmac esp-aes esp-sha-hmac
           mode transport
    crypto ipsec profile CRY_PROFILE
           set transform-set TRANS_SET

    interface Tunnel100
           ip address 172.100.123.16 255.255.255.0
           ip mtu 1400
           ip tcp adjust-mss 1360
           tunnel source 89.211.116.16
           tunnel protection ipsec profile CRY_PROFILE

     

    Note: in your config, I believe that the tunnel protection profile is just a typo, PROFILE vs PROFIL.

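A small consistency check for the configs posted in this thread, as an added example that is not from any of the thread's participants: it parses a flat IOS config, verifies that the profile named under tunnel protection exists and carries a transform-set (catching the CRY_PROFIL/CRY_PROFILE mismatch JoeM points to), flags AH combined with ESP as Leon suggested, and confirms an ISAKMP key exists for each peer's tunnel source. The R17 sample is constructed from the thread's snippets with the pre-shared key replaced.

```python
import re

def parse_ios(cfg):
    """Collect ISAKMP peer keys, transform-sets, IPsec profiles and the tunnel's profile."""
    out = {"keys": set(), "tsets": {}, "profiles": {}, "tunnel_profile": None}
    cur = ""
    for line in cfg.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if not line.startswith(" "):                      # top-level command
            cur = line.strip()
            if m := re.match(r"crypto isakmp key \S+ address (\S+)", cur):
                out["keys"].add(m[1])
            elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", cur):
                out["tsets"][m[1]] = m[2].split()
            elif m := re.match(r"crypto ipsec profile (\S+)", cur):
                out["profiles"].setdefault(m[1], None)    # None = no transform-set yet
            continue
        sub = line.strip()                                # indented sub-command
        if cur.startswith("crypto ipsec profile"):
            if m := re.match(r"set transform-set (\S+)", sub):
                out["profiles"][cur.split()[-1]] = m[1]
        elif cur.startswith("interface Tunnel"):
            if m := re.match(r"tunnel protection ipsec profile (\S+)", sub):
                out["tunnel_profile"] = m[1]
    return out

def check(name, cfg, peers):
    """Findings for one router; peers = tunnel sources it needs ISAKMP keys for."""
    c, f = parse_ios(cfg), []
    prof = c["tunnel_profile"]
    if prof not in c["profiles"]:
        f.append(f"{name}: tunnel references undefined profile {prof}")
    elif (ts := c["profiles"][prof]) not in c["tsets"]:
        f.append(f"{name}: profile {prof} has no valid transform-set ({ts})")
    elif "ah-sha-hmac" in c["tsets"][ts] and any(t.startswith("esp") for t in c["tsets"][ts]):
        f.append(f"{name}: transform-set {ts} mixes AH with ESP")
    f += [f"{name}: no ISAKMP key for peer {p}" for p in peers if p not in c["keys"]]
    return f

# Constructed from the R17 snippets in the thread (pre-shared key replaced).
R17 = """crypto isakmp key KEY address 202.4.180.0
crypto ipsec transform-set TRANS_SET ah-sha-hmac esp-aes esp-sha-hmac
crypto ipsec profile CRY_PROFIL
crypto ipsec profile CRY_PROFILE
 set transform-set TRANS_SET
interface Tunnel100
 tunnel protection ipsec profile CRY_PROFIL"""

FINDINGS = check("R17", R17, ["202.4.180.0"])   # the hub is R17's only peer
```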
  • 01-02-2015 6:20 AM In reply to

    • JoeM
    • Top 10 Contributor
    • Joined on 04-15-2012
    • Guadalajara, Mexico
    • Elite
    • Points 31,265

    Re: Task 4.2 DMVPN Overlay Connectivity

    Sal, bounce the tunnels and/or reboot the routers.

    I just applied your config to a two router setup, and the tunnel immediately came up.   I only changed the IP addressing for two facing routers.

© 2010 Internetwork Expert, Inc. All Rights Reserved