Task 4.2 DMVPN Overlay Connectivity

Hi, I set up IPsec on the DMVPN hub and spokes as per the solution guide, but I get the following error on all DMVPN endpoints.

I am using CSR1000v on a rack rentals site.

R18(config-if)#
*Jan  2 02:18:24.458: %ACE-3-TRANSERR: IOSXE-ESP(11): IKEA trans 0x63; opcode 0x60; param 0x2F; error 0x5; retry cnt 0
*Jan  2 02:18:24.459: %ACE-3-TRANSERR: IOSXE-ESP(11): IKEA trans 0x65; opcode 0x60; param 0x30; error 0x5; retry cnt 0
R18(config-if)#

EIGRP does not come up. But removing the IPsec profile from the Tunnel 100 interfaces brings EIGRP up and DMVPN works fine.

Any suggestions?

Regards,

Sal

Comments

  • Please post your ipsec config.

    Leon

  • JoeMJoeM ✭✭✭

    Hi Sal,

    I am not familiar with this output.  Maybe someone can shed some light on this.

    From a troubleshooting perspective, this is a great opportunity to use the show/debug commands, as well as understand the process.

    First, it is good to know that the tunnels work without ipsec.   So we need to know where in the isakmp/ipsec process this is being stopped.

    show crypto session
    show crypto isakmp sa
    debug crypto isakmp  <-- are the policy attributes accepted

    show crypto ipsec sa  <-- this does not matter until we get isakmp working
    debug crypto ipsec

    If you want to post only the crypto configs, we may be able to spot the issue quickly. But I am willing to go through the TS process from the show/debug commands.

  • Hi JoeM,

    Thanks for your interest in troubleshooting this.

    The configs are:

    R18
    ---
    crypto isakmp policy 18
     encr aes 192
     hash sha256
     authentication pre-share
     group 5
    crypto isakmp key DmvPn!23 address 89.211.116.16
    crypto isakmp key DmvPn!23 address 89.211.117.17
    crypto ipsec transform-set TRANS_SET ah-sha-hmac esp-aes esp-sha-hmac
     mode transport
    !
    crypto ipsec profile CRY_PROFILE
     set transform-set TRANS_SET
    !
    int tu 100
     tunnel protection ipsec profile CRY_PROFILE
    !

    R16
    ---
    crypto isakmp policy 16
     encr aes 192
     hash sha256
     authentication pre-share
     group 5
    !
    crypto isakmp key DmvPn!23 address 202.4.180.0
    !
    crypto ipsec transform-set TRANS_SET ah-sha-hmac esp-aes esp-sha-hmac
     mode transport
    !
    crypto ipsec profile CRY_PROFILE
     set transform-set TRANS_SET
    !
    int tu 100
     tunnel protection ipsec profile CRY_PROFILE
    !

    R17
    ---
    crypto isakmp policy 17
     encr aes 192
     hash sha256
     authentication pre-share
     group 5
    !
    crypto isakmp key DmvPn!23 address 202.4.180.0
    !
    crypto ipsec transform-set TRANS_SET ah-sha-hmac esp-aes esp-sha-hmac
     mode transport
    !
    crypto ipsec profile CRY_PROFIL
    !
    crypto ipsec profile CRY_PROFILE
     set transform-set TRANS_SET
    !
    int tu 100
     tunnel protection ipsec profile CRY_PROFILE
    !

    R18
    ---
    interface Tunnel100
     ip address 172.100.123.18 255.255.255.0
     no ip redirects
     ip mtu 1400
     ip nhrp authentication NHRPKEY
     ip nhrp map multicast dynamic
     ip nhrp network-id 123
     ip nhrp holdtime 300
     ip tcp adjust-mss 1360
     tunnel source 202.4.180.0
     tunnel mode gre multipoint
     tunnel key 123
     tunnel protection ipsec profile CRY_PROFILE

    R16
    ---
    interface Tunnel100
     ip address 172.100.123.16 255.255.255.0
     no ip redirects
     ip mtu 1400
     ip nhrp authentication NHRPKEY
     ip nhrp map 172.100.123.18 202.4.180.0
     ip nhrp map multicast 202.4.180.0
     ip nhrp nhs 172.100.123.18
     ip nhrp network-id 123
     ip nhrp holdtime 300
     ip tcp adjust-mss 1360
     tunnel source 89.211.116.16
     tunnel mode gre multipoint
     tunnel key 123
     tunnel protection ipsec profile CRY_PROFIL
    !

    R17
    ---
    interface Tunnel100
     ip address 172.100.123.17 255.255.255.0
     no ip redirects
     ip mtu 1400
     ip nhrp authentication NHRPKEY
     ip nhrp map 172.100.123.18 202.4.180.0
     ip nhrp map multicast 202.4.180.0
     ip nhrp nhs 172.100.123.18
     ip nhrp network-id 123
     ip nhrp holdtime 300
     ip tcp adjust-mss 1360
     tunnel source 89.211.117.17
     tunnel mode gre multipoint
     tunnel key 123
     tunnel protection ipsec profile CRY_PROFIL

  • Try using an ESP-only transform set of "esp-aes esp-sha-hmac". I've seen bugs discussed on the internet when AH and ESP are used together.

    Leon

  • JoeMJoeM ✭✭✭

    No problem. I have not looked at the workbook task, so I am just looking at your config. Good practice. ;-)

    I do not see anything wrong in the crypto configs. Everything matches, and the isakmp key/addresses seem correct. Have you shut and no shut the tunnels, especially the spokes? A reboot would be a last resort, as BrianM has suggested that this can resolve any order-of-operations issues.

    I would really like to see the output for the following two show commands. This would be the very first step for me before moving on to the ipsec stage or doing a debug. We need to piece together the story. Where is the process stopped?

           show crypto session
           show crypto isakmp sa

    I am also wondering about the policy numbers that you are using. I think that these are taken in order, and you have them set as 16-18. So are there any other straggler policies? An isakmp debug (debug crypto isakmp) will tell us if there are any issues with the attributes. The debug will clearly say if they are acceptable or not.

    I am concentrating on R18-R16. After we resolve this connection, we can apply the fix to R17.

    R18 (hub) ================================
    crypto isakmp policy 18
           encr aes 192
           hash sha256
           authentication pre-share
           group 5
    crypto isakmp key DmvPn!23 address 89.211.116.16    
    crypto isakmp key DmvPn!23 address 89.211.117.17 

    crypto ipsec transform-set TRANS_SET ah-sha-hmac esp-aes esp-sha-hmac
           mode transport
    crypto ipsec profile CRY_PROFILE
           set transform-set TRANS_SET

    interface Tunnel100
           ip address 172.100.123.18 255.255.255.0
           ip mtu 1400
           ip tcp adjust-mss 1360
           tunnel source 202.4.180.0
           tunnel protection ipsec profile CRY_PROFILE

    R16 (spoke)================================
    crypto isakmp policy 16
           encr aes 192
           hash sha256
           authentication pre-share
           group 5
    crypto isakmp key DmvPn!23 address 202.4.180.0  

    crypto ipsec transform-set TRANS_SET ah-sha-hmac esp-aes esp-sha-hmac
           mode transport
    crypto ipsec profile CRY_PROFILE
           set transform-set TRANS_SET

    interface Tunnel100
           ip address 172.100.123.16 255.255.255.0
           ip mtu 1400
           ip tcp adjust-mss 1360
           tunnel source 89.211.116.16
           tunnel protection ipsec profile CRY_PROFILE

    note: in your config, I believe that the tun protection profile is just a typo. PROFILE vs PROFIL
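A small config lint, added here as an example and not posted by anyone in the thread, that catches the three things raised above before touching the routers: a tunnel protection profile name that matches no defined profile (PROFILE vs PROFIL), a transform set mixing AH and ESP, and a peer tunnel source with no matching isakmp key. The sample config is a constructed, cut-down copy of the spoke config posted above; the peer address list is something the caller assembles from the other routers' tunnel sources.

```python
import re

# Constructed sample mirroring the spoke config posted in this thread (not a
# verbatim copy): the tunnel references a misspelled profile, CRY_PROFIL.
SPOKE_CFG = """\
crypto isakmp key DmvPn!23 address 202.4.180.0
crypto ipsec transform-set TRANS_SET ah-sha-hmac esp-aes esp-sha-hmac
 mode transport
crypto ipsec profile CRY_PROFILE
 set transform-set TRANS_SET
interface Tunnel100
 tunnel source 89.211.116.16
 tunnel protection ipsec profile CRY_PROFIL
"""

def lint_crypto(cfg, peer_sources):
    """Return a list of findings for one router's crypto/tunnel config.

    peer_sources: tunnel source addresses of the DMVPN peers this router must
    negotiate IPsec with (taken from the other routers' configs by the caller).
    """
    findings = []
    transform_sets = {}   # name -> list of transforms
    profiles = {}         # name -> transform-set name or None
    keyed_peers = set()   # addresses that have a pre-shared key configured
    current = None        # ipsec profile currently being parsed
    for line in cfg.splitlines():
        if m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            transform_sets[m.group(1)] = m.group(2).split()
        elif m := re.match(r"crypto ipsec profile (\S+)", line):
            current = m.group(1)
            profiles.setdefault(current, None)
        elif current and (m := re.match(r"\s+set transform-set (\S+)", line)):
            profiles[current] = m.group(1)
        elif m := re.match(r"crypto isakmp key \S+ address (\S+)", line):
            keyed_peers.add(m.group(1))
        elif m := re.match(r"\s+tunnel protection ipsec profile (\S+)", line):
            prof = m.group(1)
            if prof not in profiles:
                findings.append(f"tunnel references undefined profile {prof}")
            elif profiles[prof] and profiles[prof] not in transform_sets:
                findings.append(f"profile {prof} references undefined transform-set")
    for name, algs in transform_sets.items():
        if any(a.startswith("ah-") for a in algs) and any(a.startswith("esp-") for a in algs):
            findings.append(f"transform-set {name} combines AH and ESP; try ESP-only")
    for peer in peer_sources:
        if peer not in keyed_peers:
            findings.append(f"no isakmp key for peer {peer}")
    return findings
```

Run it once per router with that router's peers; an empty list means the three checks passed, after which `show crypto isakmp sa` is the next place to look.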

  • JoeMJoeM ✭✭✭

    Sal,   bounce the tunnels and/or reboot the routers.

    I just applied your config to a two router setup, and the tunnel immediately came up.   I only changed the IP addressing for two facing routers.
