DMVPN Phase 2/3 does not work with IPSec Profile


I have experienced this behaviour: without an IPSec
Profile applied to the tunnel interface, DMVPN Phase 2 and 3 work and
direct spoke-to-spoke communication is possible. However, when an IPSec
Profile is applied to the tunnel interface, there is no direct
spoke-to-spoke communication. It falls back to DMVPN Phase 1 behaviour,
where all traffic is routed to the hub and then to the destination spoke.
Has anyone experienced this as well?

I'm using  v15.2(4)M5 and  v15.2(4)M7 images and both gave the same behaviour.

Not sure if this behaviour is observed on a physical router as well. I'd appreciate it if you could share some thoughts on it. Thanks.


  • It worked for me....check your config well... make sure you use transport mode

  • It's running in transport mode.


    crypto isakmp policy 10
     encr aes
     hash sha256
     authentication pre-share
     group 16
    crypto isakmp key DMVPN_PSK address 

    crypto ipsec transform-set ESP-AES256-SHA512 esp-aes 256 esp-sha512-hmac
     mode transport

    crypto ipsec profile DMVPN_PROFILE
     set transform-set ESP-AES256-SHA512

  • Do the spokes have keys for each other?

  • JoeMJoeM ✭✭✭

    Since you know it works without IPsec, then the first thing I would check would be the ISAKMP keys/addresses.

               crypto isakmp key <password> address <x.x.x.x>


    Also this might be a good time to practice the debugs.

         debug dmvpn <all> <all>  <-- or more specific

         debug crypto isakmp

         debug crypto ipsec

         show crypto isakmp sa

         show crypto ipsec sa

  • Thanks everyone for your advice!!!

    Indeed the issue is the missing preshared key between the spokes that I have overlooked [:S]
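
A check for the gap that turned out to be the cause in this thread, as an added example and not code from any poster: it reads each router's `crypto isakmp key ... address` lines and reports peers whose public (NBMA) address no key covers. The router names, addresses and `EXAMPLE_PSK` are constructed sample values, and treating `address 0.0.0.0` without a mask as a wildcard is an assumption.

```python
import ipaddress
import re

# Matches: crypto isakmp key <secret> address <ip> [<mask>]
KEY_RE = re.compile(
    r"^\s*crypto isakmp key \S+ address (\S+)(?: +(\S+))?\s*$", re.M)

def key_networks(config):
    """Networks covered by the ISAKMP pre-shared keys in one config."""
    nets = []
    for addr, mask in KEY_RE.findall(config):
        if mask:
            prefix = bin(int(ipaddress.IPv4Address(mask))).count("1")
        else:
            # Assumption: no mask is a host entry, except 0.0.0.0 (wildcard).
            prefix = 0 if addr == "0.0.0.0" else 32
        nets.append(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))
    return nets

def missing_peer_keys(configs, nbma):
    """(router, peer) pairs where router has no key for peer's NBMA address."""
    gaps = []
    for router, config in configs.items():
        nets = key_networks(config)
        for peer, addr in nbma.items():
            if peer != router and not any(
                    ipaddress.ip_address(addr) in n for n in nets):
                gaps.append((router, peer))
    return sorted(gaps)

# Constructed sample: NBMA (public) addresses from documentation ranges.
NBMA = {"hub": "192.0.2.1", "spoke1": "198.51.100.1", "spoke2": "203.0.113.1"}
CONFIGS = {
    "hub": "crypto isakmp key EXAMPLE_PSK address 0.0.0.0 0.0.0.0\n",
    "spoke1": "crypto isakmp key EXAMPLE_PSK address 192.0.2.1\n",
    "spoke2": "crypto isakmp key EXAMPLE_PSK address 192.0.2.1\n",
}

if __name__ == "__main__":
    for router, peer in missing_peer_keys(CONFIGS, NBMA):
        print(f"{router}: no ISAKMP key for {peer} ({NBMA[peer]})")
```

With the sample input, both spokes are reported as lacking a key for each other, while the hub's wildcard entry covers every peer.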

