DMVPN + PKI AAA

Hi all

I have a question about the dual-hub DMVPN with spokes on the public internet scenario.

I'm going to use PKI AAA authentication, and I understand that to enroll a spoke that has never been connected to our office LAN and is just deployed remotely at the remote location, I would need to have my CA server exposed to the internet, and the public IP address of the CA server must be configured under "enrollment url" on the spokes.

To work around this problem, I could unpack all the spokes and enroll them with their certificates at the office first, and then deploy them to the remote locations.

But another question is whether the spokes will still require access to the CA server before they authenticate to establish the VPN tunnels.

That is, the VPN tunnel does not come up until the spoke has queried the CA and made sure that the certificate of the HUB is still OK; is this a correct understanding?

If this is true, then I wonder what the workaround is to not expose the CA server to the public internet and still do PKI AAA authentication on the spokes and the hub.

Thank you!


There are different ways to solve the mentioned problems:

Initial enrollment:
It would be best to do it before sending the routers to the remote site. But of course this is not always possible.
You can expose your internal CA to the internet for enrollment and only allow the spoke IPs access to the server. You only need tcp/80 for SCEP because it is based on HTTP. Another way is to have an additional tunnel into your network that is authenticated with PSK. This tunnel must of course use very strict access control and could even be shut down when it is not needed. This tunnel can also be used for renewal if your certificate is not valid for some reason (anyone here on the forum who has never made the mistake of noting an incorrect expiration date in Outlook and lost their VPN, back in the days when auto-enrollment was not available?)

After enrollment, the spokes don't need to reach the CA server any more until the certificate must be renewed. But (and that's what you're referring to): the spoke must check the CRL. And the CRL is issued by the CA. But the CRL does not have to be hosted on the CA. It can also be published, for example, on a publicly accessible web server.

Sent from Cisco Technical Support iPad App
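As an added example (it is not configuration from the original thread or from the answer above), here is what the two workarounds in that answer look like in IOS: the spoke enrolls over SCEP on tcp/80 to a CA that the Internet edge exposes on that port only, it fetches the CRL from a public web server instead of from the CA (CDP override on the spoke), and a PSK-authenticated bootstrap tunnel (static VTI on both ends) admits nothing but SCEP to the CA for first enrollment or recovery. Every name and address is an assumption: the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges, a CA at 203.0.113.10 behind the hub (203.0.113.1), a spoke whose public address 198.51.100.7 is known, the web server crl.example.com, the issuer O=Example, and the placeholder <bootstrap-psk>.

```cisco
! Added example, not from the original thread. Assumed addresses: CA/SCEP server 203.0.113.10
! behind the hub, hub public address 203.0.113.1, spoke public address 198.51.100.7,
! CRL published on http://crl.example.com/office-ca.crl, CA issuer O=Example.
!
! ===== Workaround 1, hub / Internet edge: the CA is reachable from outside on tcp/80 only =====
ip access-list extended CA-FROM-INTERNET
 permit tcp host 198.51.100.7 host 203.0.113.10 eq 80
 deny   ip any host 203.0.113.10 log
!
! ===== Spoke trustpoint: SCEP enrollment, automatic renewal at 70% of lifetime, CRL checking =====
! The CRL is downloaded from the web server, not from the CA: the certificate map below selects
! certificates issued by our CA and the "override cdp" replaces the CDP they carry.
crypto pki certificate map OFFICE-CA-CERTS 10
 issuer-name co o = example
!
crypto pki trustpoint OFFICE-CA
 enrollment url http://203.0.113.10:80
 subject-name CN=spoke07,OU=DMVPN,O=Example
 rsakeypair SPOKE07-KEYS 2048
 auto-enroll 70 regenerate
 revocation-check crl
 match certificate OFFICE-CA-CERTS override cdp url http://crl.example.com/office-ca.crl
!
! ===== Workaround 2: PSK bootstrap tunnel, shut down when not needed =====
! Identical on both ends: IKE policy, transform set, IPsec profile (group 14 needs 12.4(20)T or later)
crypto isakmp policy 20
 encr aes 256
 hash sha
 authentication pre-share
 group 14
!
crypto ipsec transform-set AES-SHA esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile BOOTSTRAP
 set transform-set AES-SHA
 set isakmp-profile BOOTSTRAP
!
! -- hub end: PSK bound to the one spoke address, inbound ACL allows only SCEP to the CA
crypto keyring BOOTSTRAP-KEYS
 pre-shared-key address 198.51.100.7 key <bootstrap-psk>
!
crypto isakmp profile BOOTSTRAP
 keyring BOOTSTRAP-KEYS
 match identity address 198.51.100.7 255.255.255.255
!
ip access-list extended BOOTSTRAP-IN
 permit tcp host 10.9.0.2 host 203.0.113.10 eq 80
 deny   ip any any log
!
interface Tunnel9
 description PSK bootstrap from spoke07; "shutdown" once the spoke holds a certificate
 ip address 10.9.0.1 255.255.255.252
 ip access-group BOOTSTRAP-IN in
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.7
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile BOOTSTRAP
!
! -- spoke end: the only thing routed into the tunnel is the CA address
crypto keyring BOOTSTRAP-KEYS
 pre-shared-key address 203.0.113.1 key <bootstrap-psk>
!
crypto isakmp profile BOOTSTRAP
 keyring BOOTSTRAP-KEYS
 match identity address 203.0.113.1 255.255.255.255
!
interface Tunnel9
 description PSK bootstrap to hub; "shutdown" once enrolled
 ip address 10.9.0.2 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile BOOTSTRAP
!
ip route 203.0.113.10 255.255.255.255 Tunnel9
```

Two caveats a practitioner would want. The CA (or whatever sits in front of it) must have a route back to 10.9.0.0/30 via the hub, otherwise the SCEP reply never returns. And `revocation-check crl` means a spoke that cannot download a fresh CRL refuses to bring the tunnel up; `revocation-check crl none` lets it come up anyway, at the price of revocation not being enforced while the web server is unreachable. `show crypto pki crls` shows the CRL the router currently holds and when it expires, which is the first thing to look at when a spoke stops negotiating after a CRL lifetime has elapsed.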

Tags: Cisco Security

Similar Questions

  • Intermittent DMVPN state changes

    We run a dual-hub DMVPN hub-and-spoke configuration using ASR routers for the hubs and 2811 routers for the spoke routers.  We have recently passed 3000 remote sites and discovered a problem which we are struggling with.  On some spoke routers (we don't know for sure how many), we see that "show dmvpn" in some cases reports IKE or NHRP state with one of the hub peers (see below)

    Ro1-13349#sho dmvpn
    Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
            N - NATed, L - Local, X - No Socket
            # Ent --> Number of NHRP entries with same NBMA peer
            NHS Status: E --> Expecting Replies, R --> Responding
            UpDn Time --> Up or Down Time for a Tunnel
    ==========================================================================

    Interface: Tunnel1, IPv4 NHRP Details
    IPv4 Registration Timer: 30 seconds

    IPv4 NHS: 10.1.0.1  RE
    Type:Spoke, Total NBMA Peers (v4/v6): 1

    # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network
    ----- --------------- --------------- ----- -------- ----- -----------------
        1 A.B.C.D         10.1.0.1           UP    6d14h     S       10.1.0.1/32

    Interface: Tunnel2, IPv4 NHRP Details
    IPv4 Registration Timer: 30 seconds

    IPv4 NHS: 10.2.0.1  E
    Type:Spoke, Total NBMA Peers (v4/v6): 1

    # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network
    ----- --------------- --------------- ----- -------- ----- -----------------
        1 A.B.C.D         10.2.0.1          IKE     3w6d     S       10.2.0.1/32

    The state flaps between IKE, NHRP and UP.  We captured the data from our 3000+ connections 3 times and saw about 15 to 20 on each capture, with 1 location that was on every list.

    Is there any extra logging that can help determine the cause?  We have recently added dmvpn logging on 32 branches and the typical message we see is as follows

    Apr 4 10:34:29.619 CDT: %DMVPN-5-NHRP_NHS: Tunnel2 10.2.0.1 is DOWN
    Apr 4 10:35:53.048 CDT: %DMVPN-3-NHRP_ERROR: Registration failed for 10.2.0.1 on Tunnel2

    In some cases, we get the following

    Apr 4 14:28:40.558 CDT: %DMVPN-7-CRYPTO_SS: Tunnel2-A.B.C.D socket is BROKEN

    Clearing the crypto sessions or bouncing the tunnel only rarely solves the problem, and when it does, the problem returns.  We use a mixture of pre-shared key and CA crypto authentication.  We use IOS version 12.4(24)T1 because of other issues.

    Please provide any ideas you may have on this type of problem.  I'll add more as we discover more information and have relevant data to add.

    ERP,

    I'm afraid that my expertise lies in troubleshooting rather than monitoring.

    Is SNMP an option? (I don't think there's much targeted at DMVPN)

    I was thinking of something similar to this:

    http://www.Cisco.com/en/us/docs/iOS/sec_secure_connectivity/configuration/guide/sec_dmvpn_tun_mon.html#wp1055877

    (although not sure how well ASR supports this)

    Regarding conditional debugging, and debugging at all.

    There is one debug you can generally enable, "debug crypto isa err", which displays only the error parts of the IKE negotiation without risk.

    For conditional debugging, we can narrow down to a particular peer, VRF, interface or even particular connections; this however would require that we already know if/which specific spokes are affected more than others.

    PINGER#debug nhrp condition ?
      interface  based on the interface
      peer       based on the peer
      vrf        based on the vrf

    and

    PINGER#debug crypto condi ?
      connid     IKE/IPsec connection-id filter
      fvrf       Front-door VRF filter
      isakmp     Isakmp profile filter
      ivrf       Inside VRF filter
      local      IKE local address filter
      peer       IKE peer filter
      reset      Delete all debug filters and turn off conditional debug
      spi        SPI (Security Policy Index) filter
      unmatched  Output debugs even if no context available
      username   Xauth or Pki-aaa username filter

    I mostly rely on "debug crypto condition peer ipv4 ...".

    Marcin

  • PKI server certificate in a DMVPN network: EEM script

    Hi all

    Before to jump in the topic, I have two questions:

    (1) when the root certificate expires, is it possible to renew it automatically?

    (2) when a spoke certificate is renewed, will the spoke save the new certificate in NVRAM?

    ----------------------------------------------------------------------------------------------------------------------------------

    What I'm looking for is a solution that might send a log/mail to our customer 2 days (for example) before the ROOT / a SPOKE certificate expires. It could be a TCL or EEM script.

    Any ideas on how this could best be done?

    Thanks in advance.

    Kind regards

    Laurent

    Laurent,

    If you enrolled via SCEP, as I remember, the timers for rolling over the CA identity cert are kept (you can check with 'show crypto pki timers').

    We do not automatically save the certificate from the running configuration; you must perform a manual "wri" once enrollment or re-enrollment is done. This is so you're able to recover if things don't go your way.

    I have never created such a script, but depends strongly on your current deployment/configuration scenario.

    Marcin

  • DMVPN and IPsec CLIENT?

    Hello

    I was wondering if it is possible to use one crypto configuration for both DMVPN and the IPsec CLIENT?

    To make it work, I have to use 1 crypto for the DMVPN and 1 crypto for IPsec; both systems run on the same router, my SPOKE router can connect to my HUB router and my computer can connect to the "HUB" router via an IPsec tunnel.

    Is there any way to make it easier, instead of doing two configs in a single router for more or less the same work?

    My question may be stupid, sorry for that, I'm still learning, and I love it

    Here below the full working DMVPN + IPsec:

    Best regards

    Didier

    ROUTER1841#sh run
    Building configuration...

    Current configuration : 9037 bytes
    !
    ! Last configuration change at 21:51:39 gmt+1 Mon Feb 7 2011 by admin
    ! NVRAM config last updated at 21:53:07 gmt+1 Mon Feb 7 2011 by admin
    !
    version 12.4
    service timestamps debug datetime localtime
    service timestamps log datetime msec
    service password-encryption
    !
    hostname ROUTER1841
    !
    boot-start-marker
    boot-end-marker
    !
    logging message-counter syslog
    logging buffered 4096 notifications
    enable password 7 05080F1C2243
    !
    aaa new-model
    !
    !
    aaa authentication banner ^C
    THIS SYSTEM IS FOR THE USE OF AUTHORIZED OFFICIAL USERS ONLY
    ^C
    aaa authentication login userauthen local
    aaa authorization network groupauthor local
    !
    !
    aaa session-id common
    clock timezone gmt+1 1
    clock summer-time gmt+2 recurring last Sun Mar 2:00 last Sun Oct 3:00
    dot11 syslog
    no ip source-route
    !
    !
    no ip dhcp use vrf connected
    ip dhcp excluded-address 192.168.10.1
    ip dhcp excluded-address 192.168.20.1
    ip dhcp excluded-address 192.168.30.1
    ip dhcp excluded-address 192.168.100.1
    ip dhcp excluded-address 192.168.1.250 192.168.1.254
    !
    ip dhcp pool vlan10
       import all
       network 192.168.10.0 255.255.255.0
       default-router 192.168.10.1
       lease 5
    !
    ip dhcp pool vlan20
       import all
       network 192.168.20.0 255.255.255.0
       default-router 192.168.20.1
       lease 5
    !
    ip dhcp pool vlan30
       import all
       network 192.168.30.0 255.255.255.0
       default-router 192.168.30.1
    !
    ip dhcp pool TEST
       host 192.168.100.20 255.255.255.0
       client-identifier 0100.2241.353f.5e
    !
    ip dhcp pool internal
       network 192.168.100.0 255.255.255.0
       dns-server 192.168.100.1
       default-router 192.168.100.1
    !
    ip dhcp pool vlan1
       network 192.168.1.0 255.255.255.0
       dns-server 8.8.8.8
       default-router 192.168.1.1
       lease 5
    !
    ip dhcp pool MAC
       host 192.168.10.50 255.255.255.0
       client-identifier 0100.2312.1c0a.39
    !
    ip dhcp pool PRINTER
       host 192.168.10.20 255.255.255.0
       client-identifier 0100.242b.4d0c.5a
    !
    ip dhcp pool MLGW
       host 192.168.10.10 255.255.255.0
       hardware-address 0004.f301.58b3
    !
    ip dhcp pool pc-vero
       host 192.168.10.68 255.255.255.0
       client-identifier 0100.1d92.5982.24
    !
    ip dhcp pool vlan245
       import all
       network 192.168.245.0 255.255.255.0
       default-router 192.168.245.1
    !
    ip dhcp pool VPN_ROUTER
       client-identifier 0100.0f23.604d.a0
    !
    ip dhcp pool QNAP_NAS
       host 192.168.10.100 255.255.255.0
       client-identifier 0100.089b.ad17.8f
       client-name QNAP_NAS
    !
    !
    ip cef
    no ip bootp server
    ip domain name dri
    ip host SW12 192.168.1.252
    ip host SW24 192.168.1.251
    ip host tftp 192.168.10.50
    ip host Router_A 192.168.10.5
    ip host Router_B 10.0.1.1
    ip ddns update method DynDNS
     HTTP
      add http://dri66:[email protected]/nic/update?system=dyndns&hostname=mlgw.dyndns.info&myip=
     interval maximum 1 0 0 0
     interval minimum 1 0 0 0
    !
    ntp server 66.27.60.10
    !
    multilink bundle-name authenticated
    !
    !
    flow-sampler-map mysampler1
     mode random one-out-of 100
    !
    crypto pki trustpoint TP-self-signed-2996752687
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-2996752687
     revocation-check none
     rsakeypair TP-self-signed-2996752687
    !
    !
    vtp version 2
    username Admin privilege 15 secret 5 $1$gAFQ$2ecAHSYEU9g7b6WYuTY9G.
    username cisco password 7 02050D480809
    archive
     log config
      hidekeys
    !
    !
    crypto isakmp policy 3
     encr 3des
     authentication pre-share
     group 2
    !
    crypto isakmp policy 10
     hash md5
     authentication pre-share
    crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
    !
    crypto isakmp client configuration group 3000client
     key cisco123
     dns 8.8.8.8
     domain dri.eu
     pool VPNpool
     acl 150
    !
    !
    crypto ipsec transform-set strong esp-3des esp-md5-hmac
    crypto ipsec transform-set RIGHT esp-3des esp-sha-hmac
    !
    crypto ipsec profile cisco
     set security-association lifetime seconds 120
     set transform-set strong
    !
    !
    crypto dynamic-map dynmap 10
     set transform-set RIGHT
    !
    !
    crypto map clientmap client authentication list userauthen
    crypto map clientmap isakmp authorization list groupauthor
    crypto map clientmap client configuration address respond
    crypto map clientmap 10 ipsec-isakmp dynamic dynmap
    !
    !
    !
    ip ssh time-out 60
    ip ssh authentication-retries 2
    ip ssh port 8096 rotary 1
    ip ssh version 2
    !
    !
    !
    interface Loopback0
     ip address 192.66.66.66 255.255.255.0
    !
    interface Tunnel0
     ip address 172.16.0.1 255.255.255.0
     no ip redirects
     ip mtu 1440
     no ip next-hop-self eigrp 90
     ip nhrp authentication cisco123
     ip nhrp map multicast dynamic
     ip nhrp network-id 1
     no ip split-horizon eigrp 90
     tunnel source FastEthernet0/0
     tunnel mode gre multipoint
     tunnel key 0
     tunnel protection ipsec profile cisco
    !
    interface FastEthernet0/0
     description DMZ
     ip ddns update hostname mlgw.dyndns.info
     ip ddns update DynDNS
     ip address dhcp
     no ip unreachables
     no ip proxy-arp
     ip nat outside
     ip virtual-reassembly
     duplex auto
     speed auto
     crypto map clientmap
    !
    interface FastEthernet0/0.241
     description VLAN 241
     encapsulation dot1Q 241
     ip address dhcp
     ip access-group dri-acl-in in
     ip nat outside
     ip virtual-reassembly
     no cdp enable
    !
    interface FastEthernet0/0.245
     encapsulation dot1Q 245
     ip address dhcp
     ip access-group dri-acl-in in
     ip nat outside
     ip virtual-reassembly
     no cdp enable
    !
    interface FastEthernet0/1
     description INTERNAL ETH-LAN$
     ip address 192.168.100.1 255.255.255.0
     no ip proxy-arp
     ip nat inside
     ip virtual-reassembly
     shutdown
     duplex auto
     speed auto
    !
    interface FastEthernet0/0/0
     switchport access vlan 10
     spanning-tree portfast
    !
    interface FastEthernet0/0/1
     switchport access vlan 245
     spanning-tree portfast
    !
    interface FastEthernet0/0/2
     switchport access vlan 30
     spanning-tree portfast
    !
    interface FastEthernet0/0/3
     switchport mode trunk
    !
    interface Vlan1
     ip address 192.168.1.250 255.255.255.0
     ip nat inside
     ip virtual-reassembly
    !
    interface Vlan10
     ip address 192.168.10.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly
    !
    interface Vlan20
     ip address 192.168.20.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly
    !
    interface Vlan30
     ip address 192.168.30.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly
    !
    interface Vlan245
     ip address 192.168.245.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly
    !
    router eigrp 90
     network 172.16.0.0
     network 192.168.10.0
     no auto-summary
    !
    ip local pool VPNpool 172.16.1.1 172.16.1.100
    ip forward-protocol nd
    no ip http server
    ip http authentication local
    ip http secure-server
    !
    ip flow-cache timeout inactive 130
    ip flow-cache timeout active 20
    ip flow-aggregation cache prefix
     cache timeout inactive 400
     cache timeout active 25
    !
    !
    ip nat inside source list 170 interface FastEthernet0/0 overload
    ip nat inside source list NAT1 interface FastEthernet0/0.245 overload
    ip nat inside source static tcp 192.168.10.10 80 interface FastEthernet0/0 8095
    !
    access-list 150 permit ip 192.168.10.0 0.0.0.255 172.16.1.0 0.0.0.255
    access-list 170 deny   ip 192.168.10.0 0.0.0.255 172.16.0.0 0.0.0.255
    access-list 170 deny   ip 192.168.10.0 0.0.0.255 172.16.1.0 0.0.0.255
    access-list 170 permit ip 192.168.10.0 0.0.0.255 any
    access-list 180 deny   ip 192.168.10.0 0.0.0.255 172.16.1.0 0.0.0.255
    access-list 180 permit ip 192.168.10.0 0.0.0.255 any
    no cdp run
    !
    !
    !
    route-map NAT permit 10
     match ip address 180
    !
    !
    !
    control-plane
    !
    banner exec ^C
    WELCOME YOU ARE NOW LOGGED IN
    ^C
    banner login ^C
    WARNING!
    IF YOU ARE NOT:
    Didier Ribbens
    Please leave NOW!
    YOUR IP and MAC address will be LOGGED.
    ^C
    !
    line con 0
     speed 115200
    line aux 0
    line vty 0 4
     access-class 5 in
     privilege level 15
     rotary 1
     transport input telnet ssh
    line vty 5 15
     access-class 5 in
     rotary 1
    !
    scheduler allocate 20000 1000
    end

    Didier,

    Some time ago I wrote a bit on VTI; you should be able to find information about the ezvpn server with DVTI there.

    https://supportforums.Cisco.com/community/NetPro/security/VPN/blog/2010/12/08/advantages-of-VTI-configuration-for-IPSec-tunnels

    The configuration you have right now is the old way of doing ezvpn, next to the new way for DMVPN (tunnel protection).

    If it's feasible, it is best to go through the learning curve now and move everything to the new style of configuration.

    With EZVPN you can always assign an IP from the pool per ezvpn group or by external authorization ;-)

    Anyway let me know if you face any problems.

    Marcin

  • DMVPN + isakmp profile + CA

    I'm trying to use an "isakmp profile" with a DMVPN configuration so that we can have RADIUS accounting (which I think has to be done with an isakmp profile). I can get it working using pre-shared keys, but I can't make it work using certificates, which I need.

    The spoke seems to be fine (it goes to IKE_P1_COMPLETE and I see no problem in the debugs). It is only at the hub, where the isakmp profile is configured, that we get "%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 5.0.0.20".

    Both devices are definitely authenticated and enrolled with the certificate authority.

    I have attached what, in my view, are the relevant configs of the hub and spoke and the debugs from the hub (edited to remove identifying information).

    Any help appreciated,

    Ray

    Looks like your router is unable to find an ISAKMP profile matching the peer. You could try to create a certificate map which refers to the OU of the cert to tell the router which IKE profile to use. You can do this in one of the following ways:

    1. Create a certificate map using the command "crypto pki certificate map". In this command, specify a matching attribute (such as "subject-name co ou = mgmt"). Then, under your IKE profile, "match certificate <map-name>".

    2. Under your IKE profile, simply change the command "match identity address 0.0.0.0" to "match identity group Mgmt".

    Either way, I think that will solve your problem. In addition, it is not in your config file, but you can also change your 'ca trustpoint' config to specify that the keys are for IKE use only ("usage ike") and which key pair to use ("rsakeypair").

    HTH,

    Aaron
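As an added example (not configuration from Ray's post or Aaron's reply), this is the hub side of Aaron's first option, with the RADIUS accounting Ray was after hung off the ISAKMP profile so that every certificate-authenticated spoke session produces start/stop records. It assumes a trustpoint OFFICE-CA that the hub has already enrolled with (CA at 10.0.0.10), spoke certificates carrying OU=DMVPN under issuer O=Example, a RADIUS server at 10.0.0.25 with the placeholder key <radius-key>, and an existing DMVPN Tunnel0; all of those are assumptions.

```cisco
! Added example, not from the thread. Assumed: hub already enrolled with trustpoint OFFICE-CA
! (CA at 10.0.0.10), spoke certs carry OU=DMVPN / O=Example, RADIUS at 10.0.0.25.
aaa new-model
radius-server host 10.0.0.25 auth-port 1812 acct-port 1813 key <radius-key>
aaa accounting network DMVPN-ACCT start-stop group radius
!
crypto pki trustpoint OFFICE-CA
 enrollment url http://10.0.0.10:80
 usage ike
 rsakeypair HUB-KEYS 2048
 revocation-check crl
!
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication rsa-sig
 group 14
!
! Pick the IKE profile from the peer's certificate instead of its address ("co" = contains);
! a peer whose certificate does not match lands in no profile and quick mode fails at the hub.
crypto pki certificate map DMVPN-SPOKES 10
 subject-name co ou = dmvpn
 issuer-name co o = example
!
crypto isakmp profile DMVPN-CERT
 ca trust-point OFFICE-CA
 match certificate DMVPN-SPOKES
 accounting DMVPN-ACCT
!
crypto ipsec transform-set AES-SHA esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile DMVPN
 set transform-set AES-SHA
 set isakmp-profile DMVPN-CERT
!
interface Tunnel0
 tunnel protection ipsec profile DMVPN
```

After a spoke connects, `show crypto session detail` shows the profile the session landed in, and `show crypto isakmp profile` lists the profiles with their match criteria. If the hub also keeps a PSK profile with `match identity address 0.0.0.0`, that catch-all competes with the certificate profile; keeping the PSK profile on its own keyring and the certificate profile on `match certificate`, as above, is what keeps the two apart.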

  • DMVPN with digital certificates and the Hub acting as CA server

    Hello guys,

    is there any way to configure DMVPN with digital certificates and make the Hub router act as the CA server?

    Thank you

    Yes, you can do it. Go ahead and set up your Hub router with the normal DMVPN configuration so that it becomes the hub. After doing that, follow the link below to add the PKI server feature:

    http://www.Cisco.com/en/us/docs/iOS/12_3t/12_3t4/feature/guide/gt_ioscs.html

    And to enroll the spokes to the hub, use this link:

    http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a0080210cdc.shtml

    Remember that, regardless of the Hub router being the CA, it must also enroll with itself to allow IKE PKI authentication.
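As an added example, not configuration from the question or the answer above, here is the hub-as-CA setup in IOS: the IOS certificate server on the hub, the hub's own identity trustpoint enrolling to that server through the hub's HTTP server, and the exec steps that grant requests by hand. The hub public address 203.0.113.1, the web server crl.example.com, the names and the lifetimes are assumptions chosen for illustration.

```cisco
! Added example, not from the thread. Assumed: hub public address 203.0.113.1,
! CRL published on http://crl.example.com/hub-ca.crl, lifetimes chosen for illustration.
!
! SCEP rides on the router's HTTP server; the "grant" policy is left at its default (manual)
! so that reaching tcp/80 alone is not enough to obtain a certificate.
ip http server
!
crypto pki server HUB-CA
 database level complete
 database url flash:
 issuer-name CN=HUB-CA,O=Example
 lifetime ca-certificate 1825
 lifetime certificate 365
 lifetime crl 24
 cdp-url http://crl.example.com/hub-ca.crl
 no shutdown
!
! Creating the server auto-creates a trustpoint named HUB-CA for the CA certificate itself.
! The hub's IKE identity lives in a separate trustpoint that enrolls to its own server.
crypto pki trustpoint HUB-ID
 enrollment url http://203.0.113.1:80
 subject-name CN=hub,OU=DMVPN,O=Example
 rsakeypair HUB-ID-KEYS 2048
 revocation-check crl
!
! Exec mode, on the hub (same sequence on every spoke, minus the grant):
!   crypto pki authenticate HUB-ID
!   crypto pki enroll HUB-ID
!   crypto pki server HUB-CA info requests
!   crypto pki server HUB-CA grant <request-id>
!   write memory
```

`cdp-url` only sets the distribution point written into issued certificates; the CRL file itself is generated in the configured database location (here flash:) every `lifetime crl` hours and has to be copied to the web server before the previous one expires, otherwise every spoke with `revocation-check crl` stops negotiating. Newer releases can also write the CRL to a remote location from the server configuration (`database url crl ...`); check the PKI command reference for the release in use, as that option is not part of this example.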

  • DMVPN question: "flapping between CONF_XAUTH & MM_NO_STATE"

    Hi all

    can you please help on below: thanks in advance.

    HQ is configured to accept remote VPN clients using a crypto map, and it is also configured for dynamic VPN with the branch.

    HQ static public IP is 82.114.179.120, tunnel 10 is 172.16.10.1 and the local LAN is 192.168.1.0

    The branch has a dynamic public IP, tunnel 10 IP 172.16.10.32, local LAN 192.168.32.0. It is also configured using tunnel 0 with another CA, which works very well.

    The branch LAN (192.168.32.0) needs to access the HQ LAN (192.168.1.0)...

    Debug files attached

    HQ:

    aaa authentication login acs local
    aaa authorization network acs local
    !
    aaa session-id common
    !
    ip cef
    !
    ip name-server 8.8.8.8
    no ipv6 cef
    !
    multilink bundle-name authenticated
    !
    redundancy
    !
    controller VDSL 0/1/0
    !
    crypto keyring ccp-dmvpn-keyring
      pre-shared-key address 0.0.0.0 0.0.0.0 key [email protected]
    !
    crypto isakmp policy 10
     encr 3des
     hash md5
     authentication pre-share
     group 2
    crypto isakmp keepalive 3600 5
    crypto isakmp nat keepalive 3600
    crypto isakmp xauth timeout 60
    !
    crypto isakmp client configuration group NAMA
     key namanama
     pool mypool
     acl 101
     save-password
    crypto isakmp profile ccp-dmvpn-isakmprofile
       keyring ccp-dmvpn-keyring
       match identity address 0.0.0.0
    !
    crypto ipsec transform-set test esp-3des esp-md5-hmac
     mode tunnel
    crypto ipsec transform-set ESP-AES-MD5 esp-aes esp-md5-hmac comp-lzs
     mode transport
    !
    crypto ipsec profile CiscoCP_Profile1
     set transform-set ESP-AES-MD5
     set isakmp-profile ccp-dmvpn-isakmprofile
    !
    crypto dynamic-map map 10
     set transform-set test
     reverse-route
    !
    crypto map i-map client authentication list acs
    crypto map i-map isakmp authorization list acs
    crypto map i-map client configuration address respond
    crypto map i-map 10 ipsec-isakmp dynamic map
    !
    interface Tunnel10
     bandwidth 1000
     ip address 172.16.10.1 255.255.255.0
     no ip redirects
     ip mtu 1400
     ip nhrp authentication DMVPN_NW
     ip nhrp map multicast dynamic
     ip nhrp network-id 100000
     ip nhrp holdtime 360
     ip tcp adjust-mss 1360
     delay 1000
     shutdown
     tunnel source Dialer1
     tunnel mode gre multipoint
     tunnel key 100000
     tunnel protection ipsec profile CiscoCP_Profile1
    !
    interface Embedded-Service-Engine0/0
     no ip address
     shutdown
    !
    interface GigabitEthernet0/0
     ip address 192.168.0.254 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
     duplex auto
     speed auto
    !
    interface GigabitEthernet0/1
     ip address 192.168.1.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
     duplex auto
     speed auto
    !
    interface ATM0/1/0
     description DSL Interface
     no ip address
     no atm ilmi-keepalive
     pvc 8/35
      encapsulation aal5snap
      pppoe-client dial-pool-number 1
    !
    interface Dialer0
     no ip address
    !
    interface Dialer1
     ip address negotiated
     ip mtu 1492
     ip nat outside
     ip virtual-reassembly in
     encapsulation ppp
     dialer pool 1
     ppp authentication chap pap callin
     ppp chap hostname nama20004
     ppp chap password 0 220004
     ppp pap sent-username nama20004 password 0 220004
     crypto map i-map
    !
    ip local pool mypool 192.168.30.1 192.168.30.100
    ip forward-protocol nd
    !
    ip http server
    ip http secure-server
    !
    ip nat inside source list 171 interface Dialer1 overload
    ip route 0.0.0.0 0.0.0.0 Dialer1
    ip route 192.168.32.0 255.255.255.0 172.16.10.32
    !
    access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.30.0 0.0.0.2
    access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.30.0 0.0.0.2
    access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.32.0 0.0.0.2
    access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.35.0 0.0.0.2
    access-list 171 deny   ip 192.168.0.0 0.0.0.255 192.168.30.0 0.0.0.2
    access-list 171 deny   ip 192.168.1.0 0.0.0.255 192.168.30.0 0.0.0.2
    access-list 171 deny   ip 192.168.1.0 0.0.0.255 192.168.35.0 0.0.0.2
    access-list 171 deny   ip 192.168.1.0 0.0.0.255 192.168.32.0 0.0.0.2
    access-list 171 permit ip any any
    dialer-list 2 protocol ip permit
    !

    HQ#sh cry isa sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id status
    82.114.179.120  78.137.84.92    CONF_XAUTH        1486 ACTIVE
    82.114.179.120  78.137.84.92    MM_NO_STATE       1483 ACTIVE (deleted)
    82.114.179.120  78.137.84.92    MM_NO_STATE       1482 ACTIVE (deleted)

    Branch sh run:

    !
    !
    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
    !
    crypto isakmp policy 11
     encr 3des
     hash md5
     authentication pre-share
     group 2
    crypto isakmp key [email protected] address 82.114.179.105
    crypto isakmp key [email protected] address 82.114.179.120
    crypto isakmp keepalive 10 periodic
    !
    !
    crypto ipsec transform-set ESP-AES-MD5 esp-aes esp-md5-hmac comp-lzs
     mode transport
    crypto ipsec transform-set Taiz esp-aes esp-md5-hmac comp-lzs
     mode transport
    !
    crypto ipsec profile CiscoCP_Profile1
     set transform-set ESP-AES-MD5
    !
    crypto ipsec profile Taiz-profile
     set transform-set Taiz
    !
    interface Tunnel0
     bandwidth 1000
     ip address 172.16.0.32 255.255.255.0
     ip mtu 1400
     ip nhrp authentication DMVPN_NW
     ip nhrp map 172.16.0.1 82.114.179.105
     ip nhrp network-id 100000
     ip nhrp holdtime 360
     ip nhrp nhs 172.16.0.1
     ip tcp adjust-mss 1360
     delay 1000
     tunnel source Dialer0
     tunnel destination 82.114.179.105
     tunnel key 100000
     tunnel protection ipsec profile CiscoCP_Profile1
    !
    interface Tunnel10
     bandwidth 1000
     ip address 172.16.10.32 255.255.255.0
     ip mtu 1400
     ip nhrp authentication DMVPN_NW
     ip nhrp map 172.16.10.1 82.114.179.120
     ip nhrp network-id 100000
     ip nhrp holdtime 360
     ip nhrp nhs 172.16.10.1
     ip tcp adjust-mss 1360
     delay 1000
     tunnel source Dialer0
     tunnel destination 82.114.179.120
     tunnel key 22334455
     tunnel protection ipsec profile Taiz-profile
    !
    interface Ethernet0
     no ip address
     shutdown
    !
    interface ATM0
     no ip address
     no atm ilmi-keepalive
    !
    interface ATM0.1 point-to-point
     pvc 8/35
      pppoe-client dial-pool-number 1
    !
    !
    interface FastEthernet0
     description # CONNECT TO LAN #
     no ip address
    !
    interface FastEthernet1
     description # CONNECT TO LAN #
     no ip address
    !
    interface FastEthernet2
     description # CONNECT TO LAN #
     no ip address
    !
    interface FastEthernet3
     description # CONNECT TO LAN #
     no ip address
    !
    interface Vlan1
     description # LAN INTERFACE #
     no ip dhcp client hostname
     ip address 192.168.32.254 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
     ip tcp adjust-mss 1412
    !
    interface Dialer0
     ip address negotiated
     ip mtu 1452
     ip nat outside
     ip virtual-reassembly in
     encapsulation ppp
     dialer pool 1
     dialer-group 1
     ppp authentication chap pap callin
     ppp chap hostname mohammadaa
     ppp chap password 0 123456
     ppp pap sent-username mohammadaa password 0 123456
    !
    ip forward-protocol nd
    ip http server
    ip http access-class 10
    ip http authentication local
    no ip http secure-server
    !
    ip nat inside source list 1 interface Dialer0 overload
    ip route 0.0.0.0 0.0.0.0 Dialer0
    ip route 192.168.0.0 255.255.255.0 172.16.0.1
    ip route 192.168.1.0 255.255.255.0 172.16.10.1
    !
    ip sla auto discovery
    dialer-list 1 protocol ip permit
    !
    access-list 1 permit 192.168.32.0 0.0.0.255
    access-list 10 permit 192.168.1.0 0.0.0.255
    access-list 10 permit 192.168.0.0 0.0.0.255
    !

    Branch#sh cry isa sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id status
    82.114.179.120  78.137.84.92    MM_NO_STATE       2061 ACTIVE (deleted)
    82.114.179.120  78.137.84.92    MM_NO_STATE       2060 ACTIVE (deleted)

    Mohammed,

    No probs, stay safe.

    The config you have at home has only one IKE profile, i.e. your DMVPN and ezvpn fall into the same basket.

    What you need is a clean separation.

    In the example you have

    crypto isakmp profile VPNclient
       match identity group hw-client-groupname
       client authentication list userauthen
       isakmp authorization list hw-client-groupname
       client configuration address respond

    which is then linked to:

    crypto dynamic-map dynmap 10
     set isakmp-profile VPNclient
     reverse-route
     set transform-set strong

    and separately a DMVPN IKE profile:

    crypto isakmp profile DMVPN
       keyring dmvpnspokes
       match identity address 0.0.0.0

    linked to your DMVPN IPsec profile:

    crypto ipsec profile cisco
     set security-association lifetime seconds 120
     set transform-set strong
     set isakmp-profile DMVPN

    Apply the same logic here and clean up your current config (i.e. move the features that you have applied at the crypto map level into your new IKE profile).

    M.

  • DMVPN dual-cloud source address problem

    Greetings,

    I run a single-hub dual-cloud DMVPN in phase 2 (spoke-to-spoke enabled).  I am very surprised that this question does not come up more often.

    Here is my configuration:

    Each headend has its own ISP.

    Each remote site has a single router connected to 2 ISPs (interface1 and interface2)

    Each headend public IP is statically routed (/32) through a single interface.

    The default route floats based on an IP SLA tracking mechanism.

    Note the following picture (showing the static host routes and the defaults)

    With both default routes pointing out the interface carrying DMVPN-X, spoke-to-spoke on DMVPN-X works well.  But what about spoke-to-spoke on DMVPN-Y?  It gets broken in the following way:

    At Site A, my TunnelY interface is sourced from 10.2.0.2.  After it learns Site B's public IP (10.4.0.2) via NHRP, it tries to form a spoke-to-spoke tunnel.  But how does it get to 10.4.0.2?  It uses its default route out the 10.1.0.2 interface with source address 10.2.0.2.    A few things can happen:

    (1) The ISP blocks the wrong source completely, either explicitly or through uRPF.

    (2) The spoke-to-spoke tunnel comes up, but asymmetric routing results (this is rare)

    (3) The ISP NATs all sources to itself (Comcast SMC gateways do this); in the example above, you see crypto packets from 10.1.0.1 arriving at 10.4.0.2!  Imagine the confusion caused

    In most cases, isakmp is hosed.  Even if the tunnel comes up, I don't want asymmetric shaping with all the bandwidth on a single interface; I like to actively use both ISP connections.

    So... how to handle this?  I anticipated it, but I thought that the NHRP/DMVPN mechanism would deal with this situation, i.e. if I hear a spoke via TunnelY and TunnelY is sourced on Interface2, it would naturally send packets out interface2.  Alas, this isn't the case.

    Here are some ways that I thought to solve:

    (1) because my end points are not dyamic, I could host statically road all rays are out all the interface2s, all the X on the interface1s.  (with 30 sites, it's so ugly, that I hesitate to even include it)

    (2) road map of each external interface and match against the source address.  If interface1 detects a source interface2, set-next-hop to interface2.  The same thing on interface2 - if she hears a source corresponding to the IP address of interface1, value jump following interface1.  It is repeatable, but looks a bit ugly as well.

    (3) poster on the forums of Cisco and see what the consensus is

    Thank you much in advance.  Here are my configs sites speaks if you need:

    Example of use of site A above:

    (using the PKI for isakmp)

    interface TunnelX
     bandwidth 10000
     ip address 192.168.X.13 255.255.255.0
     no ip redirects
     ip mtu 1400
     ip nhrp authentication [redact]
     ip nhrp map multicast 1.1.1.1
     ip nhrp map 192.168.X.1 1.1.1.1
     ip nhrp network-id X
     ip nhrp holdtime 240
     ip nhrp nhs 192.168.X.1
     ip tcp adjust-mss 1360
     tunnel source GigabitEthernet0/1
     tunnel mode gre multipoint
     tunnel key X
     tunnel protection ipsec profile DMVPN_IPSEC
    !

    interface TunnelY
     bandwidth 10000
     ip address 192.168.Y.13 255.255.255.0
     no ip redirects
     ip mtu 1400
     ip nhrp authentication [redact]
     ip nhrp map multicast 2.2.2.2
     ip nhrp map 192.168.Y.1 2.2.2.2
     ip nhrp network-id Y
     ip nhrp holdtime 240
     ip nhrp nhs 192.168.Y.1
     ip tcp adjust-mss 1360
     tunnel source GigabitEthernet0/2
     tunnel mode gre multipoint
     tunnel key Y
     tunnel protection ipsec profile DMVPN_IPSEC
    !

    ip route 1.1.1.1 255.255.255.255 10.1.0.1

    ip route 2.2.2.2 255.255.255.255 10.2.0.1

    ip route 0.0.0.0 0.0.0.0 10.1.0.1 track 1

    ip route 0.0.0.0 0.0.0.0 10.2.0.1 250 (for failover if track 1 goes down)

    This is usually resolved by separating the ISPs into front-door VRFs (keeping the global VRF inside if you choose to), allowing both to be tracked.

    It's late (almost 1:00) but I think that tunnel route-via could potentially work too.
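    One way to implement the front-door VRF split suggested in the reply above, written here as an added example and not as configuration from the original post or its author. It keeps the spoke's tunnel configuration from the post (the X/Y placeholders, the redacted NHRP key and the hub addresses 1.1.1.1 and 2.2.2.2 are the post's own) and assumes the VRF names ISP1/ISP2, the /30 uplink addressing and the ISP next hops 10.1.0.1 and 10.2.0.1:

```cisco
! Added example, not from the original post: one front-door VRF (FVRF) per ISP on
! a dual-cloud spoke. Each mGRE tunnel performs its outer (transport) route lookup
! in the VRF of its own ISP, so a packet sourced from TunnelY's source address can
! no longer be sent out interface1 by the global default route.
! VRF names, uplink addressing and ISP next hops are assumptions.
vrf definition ISP1
 address-family ipv4
 exit-address-family
!
vrf definition ISP2
 address-family ipv4
 exit-address-family
!
interface GigabitEthernet0/1
 description ISP1 uplink - transport for DMVPN-X
 vrf forwarding ISP1
 ip address 10.1.0.2 255.255.255.252
!
interface GigabitEthernet0/2
 description ISP2 uplink - transport for DMVPN-Y
 vrf forwarding ISP2
 ip address 10.2.0.2 255.255.255.252
!
! One default route per transport VRF replaces the /32 host routes to the hubs
! and the tracked global default route; the global table now carries only the
! overlay routes learned across the tunnels.
ip route vrf ISP1 0.0.0.0 0.0.0.0 10.1.0.1
ip route vrf ISP2 0.0.0.0 0.0.0.0 10.2.0.1
!
interface TunnelX
 bandwidth 10000
 ip address 192.168.X.13 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication [redact]
 ip nhrp map multicast 1.1.1.1
 ip nhrp map 192.168.X.1 1.1.1.1
 ip nhrp network-id X
 ip nhrp holdtime 240
 ip nhrp nhs 192.168.X.1
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel key X
 tunnel vrf ISP1
 tunnel protection ipsec profile DMVPN_IPSEC
!
interface TunnelY
 bandwidth 10000
 ip address 192.168.Y.13 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication [redact]
 ip nhrp map multicast 2.2.2.2
 ip nhrp map 192.168.Y.1 2.2.2.2
 ip nhrp network-id Y
 ip nhrp holdtime 240
 ip nhrp nhs 192.168.Y.1
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/2
 tunnel mode gre multipoint
 tunnel key Y
 tunnel vrf ISP2
 tunnel protection ipsec profile DMVPN_IPSEC
!
! If the IP SLA probes from the post are kept for monitoring, the ICMP echo must
! be sent inside the matching transport VRF (the SLA number is an assumption):
ip sla 1
 icmp-echo 10.1.0.1 source-interface GigabitEthernet0/1
 vrf ISP1
ip sla schedule 1 life forever start-time now
</cisco>
```

    With the transport lookups isolated this way, a spoke-to-spoke tunnel learned via TunnelY is always built out interface2 and a spoke-to-spoke tunnel learned via TunnelX out interface1, so the uRPF, asymmetry and ISP-NAT failure modes described in the question no longer depend on which global default route happens to be active; when one ISP fails, only that cloud's NHRP registration and DPD fail and the overlay routing protocol moves traffic to the other tunnel. Two caveats: the post authenticates IKE with PKI, which needs no VRF-specific change, but a pre-shared-key keyring would have to be bound to the transport VRF (`crypto keyring NAME vrf ISP1`); and with no default route left in the global table, any internet-bound traffic from the LAN needs an explicit path (for example a default route over the tunnels). The lighter-weight alternative the reply also names is `tunnel route-via GigabitEthernet0/2 mandatory` under TunnelY (and the matching command under TunnelX), which restricts each tunnel's transport lookup to routes via that interface without introducing VRFs.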

  • AAA addressing limit

    Hello

    I'm setting up our ACS server to authenticate network access with TACACS+ and it works fine, but when I create the network devices / AAA clients I'd like to include the address range that these devices will be in (we have 200+ DMVPN devices). When I do this I get an error message whenever I open the ACS server telling me "Managed Device exceeded" under System Administration > Licensing > Base Server License. I was told by the Cisco TAC that it was a cosmetic thing.

    Will I be okay adding as many addresses as I need? I really don't want to have to go and add every address for each network in the network device - even if this would result in less than the limit of 500 devices.

    Thank you

    Hi Patrick,

    There are two types of licenses, the Base and the Large Deployment license. With the base license ACS will tell you that you can add 500 devices; however, for ACS 5.x each IP address is a device, so if you add a router with the range 192.168.1.0/24 to ACS it is the same as adding 255 devices. So if you add more than 500 devices, you will get this information message about "Managed Device" exceeded, but it is only cosmetic and you need not worry about it.

    The Large Deployment license does not have a device limit and it will remove the "information" message, but it will be for you to decide whether you need it or not.

    Let me know if it helps.

  • sh crypto pki server fails on non-CA

    The command 'show crypto pki server' only provides valid output when the
    command is run on the CA server, as shown below.

    Is this OK or am I doing something wrong?

    SPOKE1#sh crypto pki server CA-SERVER
    % Cannot find Certificate Server with label CA-SERVER

    CA-SERVER#sh crypto pki server CA-SERVER
    Certificate Server CA-SERVER:
        Status: enabled
        State: enabled
        Server's configuration is locked (enter "shut" to unlock it)
        Issuer name: CN=CA-SERVER, OU=DMVPN, O=LAB, L=Lonny-Bin, ST=AA, C=HOME
        CA cert fingerprint: A####.
        Granting mode is: manual
        Last certificate issued serial number (hex): 1
        CA certificate expiration timer: 11:57:05 EST October 3, 2012
        CRL NextUpdate timer: 11:57:00 GMT October 18, 2010
        Current primary storage dir: usbflash0:
        Database Level: Complete - all issued certs written as .cer

    Thanks

    Frank

    Hi, Frank:

    What you have observed is the expected behavior; this command is valid only on an IOS CA server.

    Thank you

    Wen

  • DMVPN Phase I fails when migrating from PSK to PKI

    I'm currently in the process of migrating my DMVPN network from pre-shared keys to certificates. Most of the spokes have migrated and work without any problem, but there are several that do not get past Phase I. I have included the isakmp debug from the hub and from one of the spokes that fails. I see that the hub goes to QM_IDLE after receiving the spoke's certificate, but it looks like the spoke never receives the hub's cert. I suspect a problem with the ISP, but it's not as simple as filtering 500, as all messages except the cert seem to get through. If I bring the spoke up on PSK it works fine. Has anyone seen this problem before and what is the resolution?

    DMVPN Hub
    7 Oct 19:38:36.213: ISAKMP: 500 local port, remote port 500
    7 Oct 19:38:36.213: ISAKMP: find a dup her to the tree during the isadb_insert his 7F1AA7CC5920 = call BVA
    7 Oct 19:38:36.213: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    7 Oct 19:38:36.213: ISAKMP: (0): former State = new State IKE_READY = IKE_R_MM1
    7 October 19:38:36.214: ISAKMP: (0): treatment ITS payload. Message ID = 0
    7 October 19:38:36.214: ISAKMP: (0): load useful vendor id of treatment
    7 October 19:38:36.214: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 69
    7 Oct 19:38:36.214: ISAKMP (0): provider ID is NAT - T RFC 3947
    7 October 19:38:36.214: ISAKMP: (0): load useful vendor id of treatment
    7 October 19:38:36.214: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 245
    7 Oct 19:38:36.214: ISAKMP (0): provider ID is NAT - T v7
    7 October 19:38:36.214: ISAKMP: (0): load useful vendor id of treatment
    7 October 19:38:36.214: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 157
    7 October 19:38:36.214: ISAKMP: (0): provider ID is NAT - T v3
    7 October 19:38:36.214: ISAKMP: (0): load useful vendor id of treatment
    7 October 19:38:36.214: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 123
    7 October 19:38:36.214: ISAKMP: (0): provider ID is NAT - T v2
    7 Oct 19:38:36.214: ISAKMP: (0): pair found pre-shared key matching 2.8.51.58
    7 October 19:38:36.214: ISAKMP: (0): pre-shared key local found
    7 October 19:38:36.214: ISAKMP: (0): IKE-> PKI get configured TrustPoints State (R) MM_NO_STATE (post 2.8.51.58)
    7 October 19:38:36.214: ISAKMP: (0): ICP-> IKE Got set up TrustPoints State (R) MM_NO_STATE (post 2.8.51.58)
    7 Oct 19:38:36.214: ISAKMP: (0): audit ISAKMP transform 1 against policy priority 5
    7 Oct 19:38:36.214: ISAKMP: 3DES-CBC encryption
    7 Oct 19:38:36.214: ISAKMP: MD5 hash
    7 Oct 19:38:36.214: ISAKMP: default group 1
    7 Oct 19:38:36.214: ISAKMP: auth RSA sig
    7 Oct 19:38:36.214: ISAKMP: type of life in seconds
    7 Oct 19:38:36.214: ISAKMP: life (IPV) 0 x 0 0 x 1 0 x 51 0x80
    7 Oct 19:38:36.214: ISAKMP: (0): atts are acceptable. Next payload is 3
    7 Oct 19:38:36.214: ISAKMP: (0): Acceptable atts: real life: 0
    7 Oct 19:38:36.214: ISAKMP: (0): Acceptable atts:life: 0
    7 Oct 19:38:36.214: ISAKMP: (0): fill atts in his vpi_length:4
    7 Oct 19:38:36.214: ISAKMP: (0): fill atts in his life_in_seconds:86400
    7 October 19:38:36.214: ISAKMP: (0): IKE-> PKI start PKI Session state (R) MM_NO_STATE (post 2.8.51.58)
    7 October 19:38:36.214: ISAKMP: (0): ICP-> IKE started PKI Session state (R) MM_NO_STATE (post 2.8.51.58)
    7 Oct 19:38:36.214: ISAKMP: (0): return real life: 86400
    7 Oct 19:38:36.214: ISAKMP: (0): timer life Started: 86400.
    7 October 19:38:36.214: ISAKMP: (0): load useful vendor id of treatment
    7 October 19:38:36.214: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 69
    7 Oct 19:38:36.214: ISAKMP (0): provider ID is NAT - T RFC 3947
    7 October 19:38:36.214: ISAKMP: (0): load useful vendor id of treatment
    7 October 19:38:36.214: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 245
    7 Oct 19:38:36.214: ISAKMP (0): provider ID is NAT - T v7
    7 October 19:38:36.214: ISAKMP: (0): load useful vendor id of treatment
    7 October 19:38:36.214: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 157
    7 October 19:38:36.214: ISAKMP: (0): provider ID is NAT - T v3
    7 October 19:38:36.214: ISAKMP: (0): load useful vendor id of treatment
    7 October 19:38:36.214: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 123
    7 October 19:38:36.214: ISAKMP: (0): provider ID is NAT - T v2
    7 Oct 19:38:36.214: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    7 Oct 19:38:36.214: ISAKMP: (0): former State = new State IKE_R_MM1 = IKE_R_MM1
    7 October 19:38:36.214: ISAKMP: (0): built of NAT - T of the seller-rfc3947 ID
    7 October 19:38:36.214: ISAKMP: (0): lot of 2.8.51.58 sending my_port 500 peer_port 500 (R) MM_SA_SETUP
    7 Oct 19:38:36.214: ISAKMP: (0): sending a packet IPv4 IKE.
    7 Oct 19:38:36.214: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    7 Oct 19:38:36.214: ISAKMP: (0): former State = new State IKE_R_MM1 = IKE_R_MM2
    7 Oct 19:38:36.240: ISAKMP (0): received 2.8.51.58 packet 500 Global 500 (R) sport dport MM_SA_SETUP
    7 Oct 19:38:36.240: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    7 Oct 19:38:36.240: ISAKMP: (0): former State = new State IKE_R_MM2 = IKE_R_MM3
    7 October 19:38:36.240: ISAKMP: (0): processing KE payload. Message ID = 0
    7 October 19:38:36.242: ISAKMP: (0): processing NONCE payload. Message ID = 0
    7 October 19:38:36.242: ISAKMP: (38618): payload processing CERT_REQ. Message ID = 0
    7 October 19:38:36.242: ISAKMP: (38618): peer wants a cert CT_X509_SIGNATURE
    7 October 19:38:36.242: ISAKMP: (38618): peer wants cert issued by cn = Tetra Pak Root CA - G1
    7 October 19:38:36.242: ISAKMP: (38618): load useful vendor id of treatment
    7 October 19:38:36.242: ISAKMP: (38618): provider ID is DPD
    7 October 19:38:36.242: ISAKMP: (38618): load useful vendor id of treatment
    7 October 19:38:36.242: ISAKMP: (38618): addressing another box of IOS!
    7 October 19:38:36.242: ISAKMP: (38618): load useful vendor id of treatment
    7 October 19:38:36.242: ISAKMP: (38618): provider ID seems the unit/DPD but major incompatibility of 209
    7 October 19:38:36.242: ISAKMP: (38618): provider ID is XAUTH
    7 Oct 19:38:36.242: ISAKMP: receives the payload type 20
    7 Oct 19:38:36.242: ISAKMP (38618): sound not hash no match - this node outside NAT
    7 Oct 19:38:36.242: ISAKMP: receives the payload type 20
    7 Oct 19:38:36.242: ISAKMP (38618): No. NAT found for oneself or peer
    7 Oct 19:38:36.242: ISAKMP: (38618): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    7 Oct 19:38:36.242: ISAKMP: (38618): former State = new State IKE_R_MM3 = IKE_R_MM3
    7 October 19:38:36.243: ISAKMP: (38618): IKE-> PKI get configured TrustPoints State (R) MM_KEY_EXCH (post 2.8.51.58)
    7 October 19:38:36.243: ISAKMP: (38618): ICP-> IKE Got set up TrustPoints State (R) MM_KEY_EXCH (post 2.8.51.58)
    7 October 19:38:36.243: ISAKMP: (38618): IKE-> PKI obtain IssuerNames State (R) MM_KEY_EXCH (post 2.8.51.58)
    7 October 19:38:36.243: ISAKMP: (38618): ICP-> IKE got IssuerNames State (R) MM_KEY_EXCH (post 2.8.51.58)
    7 Oct 19:38:36.243: ISAKMP (38618): construction CERT_REQ for issuer cn = Tetra Pak issuing CA 01 - G1 n, dc = tp1, dc = ad1, dc is tetrapak, dc = com
    7 October 19:38:36.243: ISAKMP: (38618): lot of 2.8.51.58 sending my_port 500 peer_port 500 (R) MM_KEY_EXCH
    7 Oct 19:38:36.243: ISAKMP: (38618): sending a packet IPv4 IKE.
    7 Oct 19:38:36.243: ISAKMP: (38618): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    7 Oct 19:38:36.243: ISAKMP: (38618): former State = new State IKE_R_MM3 = IKE_R_MM4
    7 Oct 19:38:36.484: ISAKMP (38618): received 2.8.51.58 packet 500 Global 500 (R) sport dport MM_KEY_EXCH
    7 Oct 19:38:36.484: ISAKMP: (38618): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    7 Oct 19:38:36.484: ISAKMP: (38618): former State = new State IKE_R_MM4 = IKE_R_MM5
    7 October 19:38:36.484: ISAKMP: (38618): payload ID for treatment. Message ID = 0
    7 Oct 19:38:36.484: ISAKMP (38618): payload ID
    next payload: 6
    type: 2
    FULL domain name: s2s-lvrirt - 01.nvv .net .company .com
    Protocol: 17
    Port: 500
    Length: 42
    7 October 19:38:36.484: ISAKMP: (38618): processing CERT payload. Message ID = 0
    7 October 19:38:36.484: ISAKMP: (38618): treatment of a cert CT_X509_SIGNATURE
    7 October 19:38:36.484: ISAKMP: (38618): IKE-> certificate PKI add the peer of State (R) MM_KEY_EXCH (post 2.8.51.58)
    7 October 19:38:36.485: ISAKMP: (38618): ICP-> certificate of the peer IKE Added State (R) MM_KEY_EXCH (post 2.8.51.58)
    7 October 19:38:36.485: ISAKMP: (38618): IKE-> PKI get PeerCertificateChain State (R) MM_KEY_EXCH (post 2.8.51.58)
    7 October 19:38:36.485: ISAKMP: (38618): ICP-> IKE got PeerCertificateChain State (R) MM_KEY_EXCH (post 2.8.51.58)
    7 October 19:38:36.485: ISAKMP: (38618): pubkey from the counterpart is cached
    7 October 19:38:36.485: ISAKMP: (38618): IKE-PKI > validate the chain of certificates of State (R) MM_KEY_EXCH (post 2.8.51.58)
    7 October 19:38:36.485: ISAKMP: (38618): ICP-> IKE Validate string certificates of State (R) MM_KEY_EXCH (post 2.8.51.58)
    7 October 19:38:36.485: ISAKMP: (38618): failed to get the certificate DN!
    7 October 19:38:36.485: ISAKMP: (38618): payload processing GIS. Message ID = 0
    7 Oct 19:38:36.486: ISAKMP: received payload type 17
    7 October 19:38:36.486: ISAKMP: (38618): treatment protocol NOTIFIER INITIAL_CONTACT 1
    SPI 0, message ID = 0, a = 0x7F1AA7CC5920
    7 Oct 19:38:36.486: ISAKMP: (38618): SA authentication status:
    authenticated
    7 Oct 19:38:36.486: ISAKMP: (38618): SA has been authenticated with 2.8.51.58
    7 Oct 19:38:36.486: ISAKMP: (38618): SA authentication status:
    authenticated
    7 October 19:38:36.486: ISAKMP: (38618): process of first contact.
    lowering existing phase 1 and 2 with local 15.18.1.1 2.8.51.58 remote remote port 500
    7 Oct 19:38:36.486: ISAKMP: (38617): received first contact, delete SA
    7 Oct 19:38:36.486: ISAKMP: (38617): peer does not paranoid KeepAlive.
    7 Oct 19:38:36.486: ISAKMP: (38617): deletion of 'Initial of receive Contact' State HIS reason (R) QM_IDLE (post 2.8.51.58)
    7 Oct 19:38:36.486: ISAKMP: (38618): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    7 Oct 19:38:36.486: ISAKMP: (38618): former State = new State IKE_R_MM5 = IKE_R_MM5
    7 Oct 19:38:36.487: ISAKMP: node set 2177251913 to QM_IDLE
    7 October 19:38:36.487: ISAKMP: (38617): lot of 2.8.51.58 sending my_port 500 peer_port 500 (R) QM_IDLE
    7 Oct 19:38:36.487: ISAKMP: (38617): sending a packet IPv4 IKE.
    7 Oct 19:38:36.487: ISAKMP: (38617): purge the node 2177251913
    7 Oct 19:38:36.487: ISAKMP: (38617): entry = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
    7 Oct 19:38:36.487: ISAKMP: (38617): former State = new State IKE_P1_COMPLETE = IKE_DEST_SA
    7 October 19:38:36.487: ISAKMP: (38618): IKE-> PKI get self CertificateChain State (R) MM_KEY_EXCH (post 2.8.51.58)
    7 October 19:38:36.487: ISAKMP: (38618): ICP-> IKE Got self CertificateChain State (R) MM_KEY_EXCH (post 2.8.51.58)
    7 October 19:38:36.487: ISAKMP: (38618): IKE-> PKI obtain SubjectName State (R) MM_KEY_EXCH (post 2.8.51.58)
    7 October 19:38:36.487: ISAKMP: (38618): ICP-> IKE got SubjectName State (R) MM_KEY_EXCH (post 2.8.51.58)
    7 Oct 19:38:36.487: ISAKMP: (38618): My ID configured as IPv4 address, but Addr not in Cert!
    7 Oct 19:38:36.487: ISAKMP: (38618): using domain FULL as my ID name
    7 Oct 19:38:36.487: ISAKMP: (38618): ITS been RSA authentication of signature using id ID_FQDN type
    7 Oct 19:38:36.487: ISAKMP (38618): payload ID
    next payload: 6
    type: 2
    FULL domain name: dmvpn-selurt - 01.nvv .net .company .com
    Protocol: 17
    Port: 500
    Length: 44
    7 Oct 19:38:36.487: ISAKMP: (38618): the total payload length: 44
    7 October 19:38:36.487: ISAKMP: (38618): IKE-> PKI is CertificateChain to be sent through peer review of State (R) MM_KEY_EXCH (post 2.8.51.58)
    7 October 19:38:36.488: ISAKMP: (38618): ICP-> IKE got CertificateChain to be sent through peer review of State (R) MM_KEY_EXCH (post 2.8.51.58)
    7 Oct 19:38:36.489: ISAKMP (38618): construction of CERT payload for hostname = selurt-dmvpn - 01.nvv .net .company .com, serialNumber = 4279180096
    7 Oct 19:38:36.489: ISAKMP (38618): construction CERT payload for cn = Tetra Pak issuing CA 01 - G1 n, dc = tp1, dc = ad1, dc is tetrapak, dc = com
    7 October 19:38:36.489: ISAKMP: (38618): using the key of the TP_NAD_CA trustpoint to sign pair
    7 October 19:38:36.494: ISAKMP: (38618): lot of 2.8.51.58 sending my_port 500 peer_port 500 (R) MM_KEY_EXCH
    7 Oct 19:38:36.494: ISAKMP: (38618): sending a packet IPv4 IKE.
    7 Oct 19:38:36.494: ISAKMP: (38618): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    7 Oct 19:38:36.494: ISAKMP: (38618): former State = new State IKE_R_MM5 = IKE_P1_COMPLETE
    7 Oct 19:38:36.494: ISAKMP: (38617): deletion of 'Initial of receive Contact' State HIS reason (R) QM_IDLE (post 2.8.51.58)
    7 Oct 19:38:36.494: ISAKMP: (38617): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    7 Oct 19:38:36.494: ISAKMP: (38617): former State = new State IKE_DEST_SA = IKE_DEST_SA
    7 Oct 19:38:36.494: ISAKMP: (38618): IKE_DPD is enabled, the initialization of timers
    7 October 19:38:36.494: ISAKMP: (38618): IKE-> end of the PKI public PKI Session state (R) QM_IDLE (post 2.8.51.58)
    7 October 19:38:36.494: ISAKMP: (38618): ICP-> IKE session completed ICP State (R) QM_IDLE (post 2.8.51.58)
    7 Oct 19:38:36.494: ISAKMP: (38618): entry = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
    selurt-dmvpn-01 #.
    7 Oct 19:38:36.494: ISAKMP: (38618): former State = new State IKE_P1_COMPLETE = IKE_P1_COMPLETE
    selurt-dmvpn-01 #.
    7 Oct 19:38:46.492: ISAKMP (38618): received 2.8.51.58 packet 500 Global 500 (R) sport dport QM_IDLE
    7 October 19:38:46.492: ISAKMP: (38618): package of phase 1 is a duplicate of a previous package.
    7 October 19:38:46.492: ISAKMP: (38618): retransmission due to phase 1 of retransmission
    7 October 19:38:46.992: ISAKMP: (38618): transmit phase 1 QM_IDLE...
    7 Oct 19:38:46.992: ISAKMP (38618): increment the count of errors on his, try 1 5: retransmit the phase 1
    7 October 19:38:46.992: ISAKMP: (38618): transmit phase 1 QM_IDLE
    7 October 19:38:46.992: ISAKMP: (38618): lot of 2.8.51.58 sending my_port 500 peer_port 500 (R) QM_IDLE
    selurt-dmvpn-01 #.
    7 Oct 19:38:46.992: ISAKMP: (38618): sending a packet IPv4 IKE.
    selurt-dmvpn-01 #.
    7 Oct 19:38:56.481: ISAKMP (38618): received 2.8.51.58 packet 500 Global 500 (R) sport dport QM_IDLE
    7 October 19:38:56.481: ISAKMP: (38618): package of phase 1 is a duplicate of a previous package.
    7 October 19:38:56.481: ISAKMP: (38618): retransmission due to phase 1 of retransmission
    7 October 19:38:56.981: ISAKMP: (38618): transmit phase 1 QM_IDLE...
    7 Oct 19:38:56.981: ISAKMP (38618): increment the count of errors on his, try 2 of 5: retransmit the phase 1
    7 October 19:38:56.981: ISAKMP: (38618): transmit phase 1 QM_IDLE
    7 October 19:38:56.981: ISAKMP: (38618): lot of 2.8.51.58 sending my_port 500 peer_port 500 (R) QM_IDLE
    selurt-dmvpn-01 #.
    7 Oct 19:38:56.981: ISAKMP: (38618): sending a packet IPv4 IKE.
    selurt-dmvpn-01 #.
    7 Oct 19:39:06.481: ISAKMP (38618): received 2.8.51.58 packet 500 Global 500 (R) sport dport QM_IDLE
    7 October 19:39:06.481: ISAKMP: (38618): package of phase 1 is a duplicate of a previous package.
    7 October 19:39:06.481: ISAKMP: (38618): retransmission due to phase 1 of retransmission
    7 October 19:39:06.981: ISAKMP: (38618): transmit phase 1 QM_IDLE...
    7 Oct 19:39:06.981: ISAKMP (38618): increment the count of errors on his, try 3 of 5: retransmit the phase 1
    7 October 19:39:06.981: ISAKMP: (38618): transmit phase 1 QM_IDLE
    7 October 19:39:06.981: ISAKMP: (38618): lot of 2.8.51.58 sending my_port 500 peer_port 500 (R) QM_IDLE
    selurt-dmvpn-01 #.
    7 Oct 19:39:06.981: ISAKMP: (38618): sending a packet IPv4 IKE.
    selurt-dmvpn-01 #.
    7 Oct 19:39:09.880: ISAKMP: (38616): serving SA., his is 7F1AA7721158, delme is 7F1AA7721158
    selurt-dmvpn-01 #.
    7 Oct 19:39:16.481: ISAKMP (38618): received 2.8.51.58 packet 500 Global 500 (R) sport dport QM_IDLE
    7 October 19:39:16.481: ISAKMP: (38618): package of phase 1 is a duplicate of a previous package.
    7 October 19:39:16.481: ISAKMP: (38618): retransmission due to phase 1 of retransmission
    7 October 19:39:16.980: ISAKMP: (38618): transmit phase 1 QM_IDLE...
    7 Oct 19:39:16.980: ISAKMP (38618): increment the count of errors on his, try 4 out 5: retransmit the phase 1
    7 October 19:39:16.980: ISAKMP: (38618): transmit phase 1 QM_IDLE
    7 October 19:39:16.980: ISAKMP: (38618): lot of 2.8.51.58 sending my_port 500 peer_port 500 (R) QM_IDLE
    selurt-dmvpn-01 #.
    7 Oct 19:39:16.980: ISAKMP: (38618): sending a packet IPv4 IKE.
    selurt-dmvpn-01 #.
    7 Oct 19:39:26.481: ISAKMP (38618): received 2.8.51.58 packet 500 Global 500 (R) sport dport QM_IDLE
    7 October 19:39:26.482: ISAKMP: (38618): package of phase 1 is a duplicate of a previous package.
    7 October 19:39:26.482: ISAKMP: (38618): retransmission due to phase 1 of retransmission
    7 October 19:39:26.981: ISAKMP: (38618): transmit phase 1 QM_IDLE...
    7 Oct 19:39:26.981: ISAKMP (38618): increment the count of errors on his, try 5 of 5: retransmit the phase 1
    7 October 19:39:26.981: ISAKMP: (38618): transmit phase 1 QM_IDLE
    7 October 19:39:26.981: ISAKMP: (38618): lot of 2.8.51.58 sending my_port 500 peer_port 500 (R) QM_IDLE
    selurt-dmvpn-01 #.
    7 Oct 19:39:26.981: ISAKMP: (38618): sending a packet IPv4 IKE.
    selurt-dmvpn-01 #.
    7 Oct 19:39:36.493: ISAKMP: (38617): serving SA., his is 7F1AA79AD9E0, delme is 7F1AA79AD9E0

    DMVPN Spoke
    7 October 19:38:36.181: ISAKMP: (0): profile of THE request is (NULL)
    7 Oct 19:38:36.181: ISAKMP: created a struct peer 15.18.1.1, peer port 500
    7 Oct 19:38:36.181: ISAKMP: new position created post = 0x2B1F480C peer_handle = 0x80001DF4
    7 Oct 19:38:36.181: ISAKMP: lock struct 0x2B1F480C, refcount 1 to peer isakmp_initiator
    7 Oct 19:38:36.181: ISAKMP: 500 local port, remote port 500
    7 Oct 19:38:36.181: ISAKMP: set new node 0 to QM_IDLE
    7 Oct 19:38:36.181: ISAKMP: find a dup her to the tree during the isadb_insert his 2B16C9FC = call BVA
    7 Oct 19:38:36.181: ISAKMP: (0): cannot start aggressive mode, try the main mode.
    7 Oct 19:38:36.181: ISAKMP: (0): pair found pre-shared key matching 15.18.1.1
    7 October 19:38:36.181: ISAKMP: (0): IKE-> PKI get configured TrustPoints State (I) MM_NO_STATE (ext. 15.18.1.1)
    7 October 19:38:36.181: ISAKMP: (0): ICP-> IKE Got set up TrustPoints State (I) MM_NO_STATE (ext. 15.18.1.1)
    7 October 19:38:36.181: ISAKMP: (0): built of NAT - T of the seller-rfc3947 ID
    7 October 19:38:36.181: ISAKMP: (0): built the seller-07 ID NAT - t
    7 October 19:38:36.181: ISAKMP: (0): built of NAT - T of the seller-03 ID
    7 October 19:38:36.181: ISAKMP: (0): built the seller-02 ID NAT - t
    7 Oct 19:38:36.181: ISAKMP: (0): entry = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
    7 Oct 19:38:36.181: ISAKMP: (0): former State = new State IKE_READY = IKE_I_MM1
    7 October 19:38:36.181: ISAKMP: (0): Beginner Main Mode Exchange
    7 October 19:38:36.181: ISAKMP: (0): 15.18.1.1 package sending 500 peer_port 500 (I) my_port MM_NO_STATE
    7 Oct 19:38:36.181: ISAKMP: (0): sending a packet IPv4 IKE.
    7 Oct 19:38:36.205: ISAKMP (0): packet received 15.18.1.1 dport 500 sport Global 500 (I) MM_NO_STATE
    7 Oct 19:38:36.205: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    7 Oct 19:38:36.205: ISAKMP: (0): former State = new State IKE_I_MM1 = IKE_I_MM2
    7 October 19:38:36.205: ISAKMP: (0): treatment ITS payload. Message ID = 0
    7 October 19:38:36.205: ISAKMP: (0): load useful vendor id of treatment
    7 October 19:38:36.205: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 69
    7 Oct 19:38:36.205: ISAKMP (0): provider ID is NAT - T RFC 3947
    7 Oct 19:38:36.205: ISAKMP: (0): pair found pre-shared key matching 15.18.1.1
    7 October 19:38:36.205: ISAKMP: (0): pre-shared key local found
    7 Oct 19:38:36.205: ISAKMP: analysis of the profiles for xauth...
    7 October 19:38:36.205: ISAKMP: (0): IKE-> PKI get configured TrustPoints State (I) MM_NO_STATE (ext. 15.18.1.1)
    7 October 19:38:36.205: ISAKMP: (0): ICP-> IKE Got set up TrustPoints State (I) MM_NO_STATE (ext. 15.18.1.1)
    7 Oct 19:38:36.205: ISAKMP: (0): audit ISAKMP transform 1 against policy priority 5
    7 Oct 19:38:36.205: ISAKMP: 3DES-CBC encryption
    7 Oct 19:38:36.205: ISAKMP: MD5 hash
    7 Oct 19:38:36.205: ISAKMP: default group 1
    7 Oct 19:38:36.205: ISAKMP: auth RSA sig
    7 Oct 19:38:36.205: ISAKMP: type of life in seconds
    7 Oct 19:38:36.205: ISAKMP: life (IPV) 0 x 0 0 x 1 0 x 51 0x80
    7 Oct 19:38:36.205: ISAKMP: (0): atts are acceptable. Next payload is 0
    7 Oct 19:38:36.205: ISAKMP: (0): Acceptable atts: real life: 0
    7 Oct 19:38:36.205: ISAKMP: (0): Acceptable atts:life: 0
    7 Oct 19:38:36.205: ISAKMP: (0): fill atts in his vpi_length:4
    7 Oct 19:38:36.205: ISAKMP: (0): fill atts in his life_in_seconds:86400
    7 October 19:38:36.205: ISAKMP: (0): IKE-> PKI start PKI Session state (I) MM_NO_STATE (ext. 15.18.1.1)
    7 October 19:38:36.205: ISAKMP: (0): ICP-> IKE started PKI Session state (I) MM_NO_STATE (ext. 15.18.1.1)
    7 Oct 19:38:36.205: ISAKMP: (0): return real life: 86400
    7 Oct 19:38:36.205: ISAKMP: (0): timer life Started: 86400.
    7 October 19:38:36.205: ISAKMP: (0): load useful vendor id of treatment
    7 October 19:38:36.205: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 69
    7 Oct 19:38:36.205: ISAKMP (0): provider ID is NAT - T RFC 3947
    7 Oct 19:38:36.205: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    7 Oct 19:38:36.205: ISAKMP: (0): former State = new State IKE_I_MM2 = IKE_I_MM2
    7 October 19:38:36.209: ISAKMP: (0): IKE-> PKI get configured TrustPoints State (I) MM_SA_SETUP (ext. 15.18.1.1)
    7 October 19:38:36.209: ISAKMP: (0): ICP-> IKE Got set up TrustPoints State (I) MM_SA_SETUP (ext. 15.18.1.1)
    7 October 19:38:36.209: ISAKMP: (0): IKE-> PKI obtain IssuerNames State (I) MM_SA_SETUP (ext. 15.18.1.1)
    7 October 19:38:36.209: ISAKMP: (0): ICP-> IKE got IssuerNames State (I) MM_SA_SETUP (ext. 15.18.1.1)
    7 Oct 19:38:36.209: ISAKMP (0): construction CERT_REQ for issuer cn = Tetra Pak Root CA - G1
    7 October 19:38:36.209: ISAKMP: (0): 15.18.1.1 package sending 500 peer_port 500 (I) my_port MM_SA_SETUP
    7 Oct 19:38:36.209: ISAKMP: (0): sending a packet IPv4 IKE.
    7 Oct 19:38:36.209: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    7 Oct 19:38:36.209: ISAKMP: (0): former State = new State IKE_I_MM2 = IKE_I_MM3
    7 Oct 19:38:36.233: ISAKMP (0): packet received 15.18.1.1 dport 500 sport Global 500 (I) MM_SA_SETUP
    7 Oct 19:38:36.233: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    7 Oct 19:38:36.233: ISAKMP: (0): former State = new State IKE_I_MM3 = IKE_I_MM4
    7 October 19:38:36.233: ISAKMP: (0): processing KE payload. Message ID = 0
    7 October 19:38:36.245: ISAKMP: (0): processing NONCE payload. Message ID = 0
    7 October 19:38:36.245: ISAKMP: (8329): payload processing CERT_REQ. Message ID = 0
    7 October 19:38:36.245: ISAKMP: (8329): peer wants a cert CT_X509_SIGNATURE
    7 October 19:38:36.245: ISAKMP: (8329): peer wants cert issued by cn = Tetra Pak issuing CA 01 - G1 n, dc = tp1, dc = ad1, dc is tetrapak, dc = com
    7 Oct 19:38:36.249: choose trustpoint TP_NAD_CA as transmitter
    7 October 19:38:36.249: ISAKMP: (8329): load useful vendor id of treatment
    7 October 19:38:36.249: ISAKMP: (8329): provider ID is the unit
    7 October 19:38:36.249: ISAKMP: (8329): load useful vendor id of treatment
    7 October 19:38:36.249: ISAKMP: (8329): provider ID is DPD
    7 October 19:38:36.249: ISAKMP: (8329): load useful vendor id of treatment
    Oct  7 19:38:36.249: ISAKMP:(8329): speaking to another IOS box!
    Oct  7 19:38:36.249: ISAKMP: received payload type 20
    Oct  7 19:38:36.249: ISAKMP (8329): His hash no match - this node outside NAT
    Oct  7 19:38:36.249: ISAKMP: received payload type 20
    Oct  7 19:38:36.249: ISAKMP (8329): No NAT Found for self or peer
    Oct  7 19:38:36.249: ISAKMP:(8329):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Oct  7 19:38:36.249: ISAKMP:(8329):Old State = IKE_I_MM4  New State = IKE_I_MM4
    Oct  7 19:38:36.249: ISAKMP:(8329):Send initial contact
    Oct  7 19:38:36.249: ISAKMP:(8329):IKE->PKI Get self CertificateChain state (I) MM_KEY_EXCH (peer 15.18.1.1)
    Oct  7 19:38:36.249: ISAKMP:(8329):PKI->IKE Got self CertificateChain state (I) MM_KEY_EXCH (peer 15.18.1.1)
    Oct  7 19:38:36.249: ISAKMP:(8329):IKE->PKI Get SubjectName state (I) MM_KEY_EXCH (peer 15.18.1.1)
    Oct  7 19:38:36.249: ISAKMP:(8329):PKI->IKE Got SubjectName state (I) MM_KEY_EXCH (peer 15.18.1.1)
    Oct  7 19:38:36.249: ISAKMP:(8329):My ID configured as IPv4 Addr, but Addr not in Cert!
    Oct  7 19:38:36.249: ISAKMP:(8329):Using FQDN as My ID
    Oct  7 19:38:36.249: ISAKMP:(8329):SA is doing RSA signature authentication using id type ID_FQDN
    Oct  7 19:38:36.249: ISAKMP (8329): ID payload
        next-payload : 6
        type         : 2
        FQDN name    : s2s-lvrirt-01.nvv.net.company.com
        protocol     : 17
        port         : 500
        length       : 42
    Oct  7 19:38:36.249: ISAKMP:(8329):Total payload length: 42
    Oct  7 19:38:36.249: ISAKMP:(8329):IKE->PKI Get CertificateChain to send to peer state (I) MM_KEY_EXCH (peer 15.18.1.1)
    Oct  7 19:38:36.253: ISAKMP:(8329):PKI->IKE Got CertificateChain to send to peer state (I) MM_KEY_EXCH (peer 15.18.1.1)
    Oct  7 19:38:36.253: ISAKMP (8329): constructing CERT payload for hostname=s2s-lvrirt-01.nvv.net.company.com, serialNumber=FCZ163860KW
    Oct  7 19:38:36.253: ISKAMP: growing send buffer from 1024 to 3072
    Oct  7 19:38:36.253: ISAKMP:(8329): using the TP_NAD_CA trustpoint's keypair to sign
    Oct  7 19:38:36.449: ISAKMP:(8329): sending packet to 15.18.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
    Oct  7 19:38:36.449: ISAKMP:(8329):Sending an IKE IPv4 Packet.
    Oct  7 19:38:36.449: ISAKMP:(8329):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Oct  7 19:38:36.449: ISAKMP:(8329):Old State = IKE_I_MM4  New State = IKE_I_MM5
    Oct  7 19:38:36.481: ISAKMP (8328): received packet from 15.18.1.1 dport 500 sport 500 Global (I) MM_NO_STATE
    Oct  7 19:38:46.449: ISAKMP:(8329): retransmitting phase 1 MM_KEY_EXCH...
    Oct  7 19:38:46.449: ISAKMP (8329): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
    Oct  7 19:38:46.449: ISAKMP:(8329): retransmitting phase 1 MM_KEY_EXCH
    Oct  7 19:38:46.449: ISAKMP:(8329): sending packet to 15.18.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
    Oct  7 19:38:46.449: ISAKMP:(8329):Sending an IKE IPv4 Packet.
    Oct  7 19:38:54.709: ISAKMP:(8327):purging node 1841056658
    Oct  7 19:38:54.709: ISAKMP:(8327):purging node -57107868
    Oct  7 19:38:56.449: ISAKMP:(8329): retransmitting phase 1 MM_KEY_EXCH...
    Oct  7 19:38:56.449: ISAKMP (8329): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
    Oct  7 19:38:56.449: ISAKMP:(8329): retransmitting phase 1 MM_KEY_EXCH
    Oct  7 19:38:56.449: ISAKMP:(8329): sending packet to 15.18.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
    Oct  7 19:38:56.449: ISAKMP:(8329):Sending an IKE IPv4 Packet.
    Oct  7 19:39:04.709: ISAKMP:(8327):purging SA., sa=3169E824, delme=3169E824
    Oct  7 19:39:06.181: ISAKMP: set new node 0 to QM_IDLE
    Oct  7 19:39:06.181: ISAKMP:(8329):SA is still budding. Attached new ipsec request to it. (local 2.8.51.58, remote 15.18.1.1)
    Oct  7 19:39:06.181: ISAKMP: Error while processing SA request: Failed to initialize SA
    Oct  7 19:39:06.181: ISAKMP: Error while processing KMI message 0, error 2.
    Oct  7 19:39:06.449: ISAKMP:(8329): retransmitting phase 1 MM_KEY_EXCH...
    Oct  7 19:39:06.449: ISAKMP (8329): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
    Oct  7 19:39:06.449: ISAKMP:(8329): retransmitting phase 1 MM_KEY_EXCH
    Oct  7 19:39:06.449: ISAKMP:(8329): sending packet to 15.18.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
    Oct  7 19:39:06.449: ISAKMP:(8329):Sending an IKE IPv4 Packet.
    Oct  7 19:39:10.261: ISAKMP:(8328):purging node -1445247076
    Oct  7 19:39:16.449: ISAKMP:(8329): retransmitting phase 1 MM_KEY_EXCH...
    Oct  7 19:39:16.449: ISAKMP (8329): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
    Oct  7 19:39:16.449: ISAKMP:(8329): retransmitting phase 1 MM_KEY_EXCH
    Oct  7 19:39:16.449: ISAKMP:(8329): sending packet to 15.18.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
    Oct  7 19:39:16.449: ISAKMP:(8329):Sending an IKE IPv4 Packet.
    Oct  7 19:39:20.261: ISAKMP:(8328):purging SA., sa=2AD85BD0, delme=2AD85BD0
    Oct  7 19:39:26.449: ISAKMP:(8329): retransmitting phase 1 MM_KEY_EXCH...
    Oct  7 19:39:26.449: ISAKMP (8329): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
    Oct  7 19:39:26.449: ISAKMP:(8329): retransmitting phase 1 MM_KEY_EXCH
    Oct  7 19:39:26.449: ISAKMP:(8329): sending packet to 15.18.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
    Oct  7 19:39:26.449: ISAKMP:(8329):Sending an IKE IPv4 Packet.
    Oct  7 19:39:36.449: ISAKMP:(8329): retransmitting phase 1 MM_KEY_EXCH...
    Oct  7 19:39:36.449: ISAKMP:(8329):peer does not do paranoid keepalives.
    Oct  7 19:39:36.449: ISAKMP:(8329):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 15.18.1.1)
    Oct  7 19:39:36.449: ISAKMP:(8329):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 15.18.1.1)

    Mike,

    The hub sends its cert but the spoke never gets it; this is usually a problem with fragment handling in the transit networks.

    Sniff at the two ends you control and check whether any fragments are missing at the spoke end.

    It could be as simple as an MTU problem on your end, or something in the path attempting reassembly.

    Several ways to go: check on your end whether the fragments go missing in transit, and start investigating with the ISP(s).

    M.

  • Double-Cloud DMVPN spoke Router Configuration

    I have decided to adopt a dual-cloud DMVPN architecture (1 hub in the main office, 1 hub at the DR site), with the option of later going to dual hubs at each of my network locations.

    I tried to configure each of the clouds to have its own key.

    Cloud 1 hub 1:

    crypto isakmp key KEY123 address 0.0.0.0 0.0.0.0 no-xauth

    Cloud 2 hub 1:

    crypto isakmp key KEY456 address 0.0.0.0 0.0.0.0 no-xauth

    Of course, the spokes that I want to connect to both clouds would not let me use the same simple crypto isakmp key command twice.

    Several of my sites will have 2 internet connections. Since I source a tunnel from each of these internet connections, I came up with the following solution:

    Spoke 1:

    crypto keyring X-RING
     local-address Gig0/1   (internet connection interface 1)
     pre-shared-key address 0.0.0.0 0.0.0.0 key 0 KEY123
    crypto keyring Y-RING
     local-address Gig0/2   (internet connection interface 2)
     pre-shared-key address 0.0.0.0 0.0.0.0 key 0 KEY456

    crypto isakmp profile DMVPN_ISAKMP_X
     keyring X-RING
     match identity address 0.0.0.0
     local-address Gig0/1
    crypto isakmp profile DMVPN_ISAKMP_Y
     keyring Y-RING
     match identity address 0.0.0.0
     local-address Gig0/2

    OK... to the question... the first site I tried to connect to both DMVPN clouds has only 1 internet connection!

    Without changing both my DMVPN clouds to the same key (almost all of the examples do this), how can I make sure that the spoke-to-hub and spoke-to-spoke tunnels work?

    Is there anything else I can match on, or create in each spoke and hub config?

    I tried:

    - match identity group, but I couldn't figure out how to set a group name on each of the spokes, or on the hub either. Also, wouldn't no-xauth prevent it from being considered?

    - matching fqdn does not seem to work either.

    - vrf is not an option, not applicable.
    - telesignalisations behind the ip address do not appear to be an option and seem to complicate the issue too.

    Thank you very much in advance!

    There is nothing special about PKI when it comes to DMVPN. PKI or pre-shared keys is just how isakmp authenticates the session, and there is no difference between DMVPN and site-to-site in that respect.

    Basically, you'd have to do these things:

    - create a CA. A basic one can be created on one of your routers.

    - create the trustpoint on each DMVPN hub and spoke.

    - change the authentication type in the isakmp profile from pre-shared key to rsa-sig.

    You can certainly have more than one trustpoint, one for each cloud, but I highly doubt that it is necessary for the public key infrastructure.

    Maybe this doc will be of some help, even if it has too much info:

    http://www.Cisco.com/en/us/docs/solutions/enterprise/security/DCertPKI.html

    If you need, I can bring up a full site-to-site example with PKI auth.
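    The three steps in the reply, written out as a spoke configuration for a single-uplink spoke that joins both clouds. This is an added example, not the poster's or the responder's configuration: the trustpoint name DMVPN-CA, the CA URL, the key label, the certificate-map, profile and transform-set names, the domain dmvpn.example.com and the hub addresses 203.0.113.1/203.0.113.2 are all assumed placeholders. The point of the example is that with rsa-sig there is no per-cloud key to match on, so one keyring-less ISAKMP profile serves both tunnels.

```cisco
! Added example (not from the thread): DMVPN spoke authenticating with
! certificates instead of per-cloud pre-shared keys. All names, URLs and
! addresses below are assumed placeholders.
!
! 1. Trustpoint: where the spoke enrols and how it checks revocation.
!    revocation-check crl means the spoke must reach the CRL distribution
!    point named in the certificate, not the CA itself.
crypto pki trustpoint DMVPN-CA
 enrollment url http://ca.dmvpn.example.com:80
 subject-name CN=spoke1.dmvpn.example.com,OU=DMVPN
 revocation-check crl
 rsakeypair DMVPN-KEY 2048
!
! 2. Accept only peers whose certificate was issued by our CA
!    (substring match on the issuer DN; adjust to the CA's real name).
crypto pki certificate map DMVPN-CERTS 10
 issuer-name co dmvpn-ca
!
! 3. ISAKMP policy and profile: rsa-sig replaces pre-share, so no keyring
!    and no wildcard key per cloud is needed on the spoke.
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication rsa-sig
 group 14
!
crypto isakmp profile DMVPN-PKI
 ca trust-point DMVPN-CA
 match certificate DMVPN-CERTS
!
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile DMVPN-IPSEC
 set transform-set DMVPN-TS
 set isakmp-profile DMVPN-PKI
!
! 4. One mGRE tunnel per cloud on the same uplink. Only the hub NBMA and
!    tunnel addresses, network-id and tunnel key differ; "shared" is
!    required because both tunnels use the same source interface.
interface Tunnel0
 description DMVPN cloud 1
 ip address 10.1.0.2 255.255.255.0
 ip nhrp map 10.1.0.1 203.0.113.1
 ip nhrp map multicast 203.0.113.1
 ip nhrp nhs 10.1.0.1
 ip nhrp network-id 1
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-IPSEC shared
!
interface Tunnel1
 description DMVPN cloud 2
 ip address 10.2.0.2 255.255.255.0
 ip nhrp map 10.2.0.1 203.0.113.2
 ip nhrp map multicast 203.0.113.2
 ip nhrp nhs 10.2.0.1
 ip nhrp network-id 2
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel key 2
 tunnel protection ipsec profile DMVPN-IPSEC shared
```

    The hubs need the same trustpoint, policy and profile, with their own subject names. After enrolment, verify with show crypto pki certificates that the spoke holds both its own certificate and the CA certificate, and with show crypto isakmp sa that the phase 1 SA reaches QM_IDLE against each hub; a phase 1 stuck in MM_KEY_EXCH with the certificate sent is the fragmentation symptom shown in the debug earlier in this thread.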

  • FlexVPN vs DMVPN behavior. Advice?

    So I am testing FlexVPN and I found, for me anyway, a pretty big deal breaker.

    I cannot ping, telnet, or otherwise connect (other than the routing protocol, which works very well) to the "directly attached" network.

    What I mean by that is: say my Tunnel interface is 192.168.254.2 on one of my spokes, I can't connect to my hub at 192.168.254.1 or to another spoke at 192.168.254.3.

    Day to day this wouldn't be a problem, but sometimes in the case of a network failure I need to be able to get through my VPN backdoor. So I would go to 192.168.254.1, telnet to 192.168.254.3 and voilà, I am in. With DMVPN it has worked very well and saved my bacon several times. With FlexVPN this option is no longer available to me, as far as I can tell.

    Is this known behaviour? Is there a solution? Am I just doing something wrong?

    Thank you

    Hello

    The ikev2 routing that you have configured in your example, is it on the hub and the spokes? If so, make sure that aaa authorization is also configured and mapped in the ikev2 profile; that is what allows the routes that are pushed between the hub and spokes.

    aaa new-model
    aaa authorization network default local

    crypto ikev2 profile FlexVPN
     aaa authorization group psk list default

    Then you have to shut and no shut the tunnel interfaces to force new ikev2 sessions.

    Tarik Admani
    * Please rate helpful posts *

    [edited to make my thoughts a lot easier to understand]
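    The mechanism behind that answer, as an added example that is not Tarik's or the poster's configuration: in FlexVPN the tunnel interface addresses are not automatically reachable the way they are on a DMVPN mGRE subnet; the peer learns them only if an IKEv2 authorization policy pushes them (route set interface), and that policy is only applied when the ikev2 profile points at an AAA authorization list. The list name FLEX-AUTH, the policy FLEX-POLICY, the keyring FLEX-KEYS, the ACL FLEX-ROUTES, the domain flex.example.com, the hub NBMA address 198.51.100.1 and the placeholder PSK are assumed; the tunnel addresses are the ones from the question.

```cisco
! Added example (not from the thread): spoke side of a FlexVPN
! spoke-to-hub tunnel whose IKEv2 profile hands the peer a route to this
! tunnel interface. Names, domain, PSK and hub address are placeholders.
aaa new-model
aaa authorization network FLEX-AUTH local
!
! Pre-shared key for the hub (replace; a PSK this short is a placeholder).
crypto ikev2 keyring FLEX-KEYS
 peer HUB
  address 198.51.100.1
  pre-shared-key REPLACE-WITH-LONG-RANDOM-PSK
!
! Extra prefixes to advertise to the peer through IKEv2, besides the
! tunnel interface address itself.
ip access-list standard FLEX-ROUTES
 permit 10.10.0.0 0.0.255.255
!
! The authorization policy: "route set interface" pushes this router's
! tunnel interface address to the peer, which is what makes
! 192.168.254.x reachable end to end.
crypto ikev2 authorization policy FLEX-POLICY
 route set interface
 route set access-list FLEX-ROUTES
!
crypto ikev2 profile FlexVPN
 match identity remote fqdn domain flex.example.com
 identity local fqdn spoke1.flex.example.com
 authentication remote pre-share
 authentication local pre-share
 keyring local FLEX-KEYS
 ! Without this line the policy above is never applied.
 aaa authorization group psk list FLEX-AUTH FLEX-POLICY
!
crypto ipsec profile FLEX-IPSEC
 set ikev2-profile FlexVPN
!
interface Tunnel0
 ip address 192.168.254.2 255.255.255.0
 tunnel source GigabitEthernet0/1
 tunnel destination 198.51.100.1
 tunnel protection ipsec profile FLEX-IPSEC
```

    The hub needs the mirror of this (its own policy with route set interface, and the same aaa authorization group ... list line in its ikev2 profile); spoke-to-spoke reachability additionally depends on the hub's own tunnel address being routed, which is exactly what its pushed /32 provides. After applying it, shut and no shut Tunnel0 as the reply says; show crypto ikev2 sa detailed then lists the remote subnets received from the peer, and show ip route shows the peer's tunnel address as a /32 learned from the virtual-access or tunnel interface.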

  • problem in dmvpn

    Hello

    I'm trying to configure DMVPN with the following topology:

    I configured simply NHRP and EIGRP; the permanent tunnels are there, but the spoke-to-spoke tunnels aren't, and the spokes' routing tables show that each spoke does not know the subnets of the other spokes.

    Normally the hub should disseminate this information to the spokes; I don't know why it is not doing so.

    These are the routing tables of each device.

    HUB:

    ISP:

    SPOKE 1:

    I tried a traceroute on Spoke1 to reach the Spoke2 subnet and I got this:

    Here are the configs:

    HUB:

    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname HUB
    !
    boot-start-marker
    boot-end-marker
    !
    no aaa new-model
    !
    resource policy
    !
    memory-size iomem 5
    ip subnet-zero
    !
    ip cef
    no ip domain lookup
    ip domain name lab.local
    !
    interface Tunnel0
     bandwidth 1000
     ip address 10.0.0.1 255.255.255.0
     no ip redirects
     ip mtu 1400
     ip nhrp authentication ENIMISTE
     ip nhrp map multicast dynamic
     ip nhrp network-id 123
     ip nhrp holdtime 300
     ip tcp adjust-mss 1360
     delay 1000
     tunnel source 212.67.1.2
     tunnel mode gre multipoint
     tunnel key 6
    !
    interface Loopback0
     ip address 172.16.4.1 255.255.255.0
    !
    interface Serial0/0
     ip address 212.67.1.2 255.255.255.0
     serial restart-delay 0
    !
    interface Serial0/1
     no ip address
     shutdown
     serial restart-delay 0
    !
    interface Serial0/2
     no ip address
     shutdown
     serial restart-delay 0
    !
    interface Serial0/3
     no ip address
     shutdown
     serial restart-delay 0
    !
    router eigrp 123
     network 10.0.0.0 0.0.0.255
     network 172.16.4.0 0.0.0.255
     no auto-summary
    !
    no ip http server
    no ip http secure-server
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 212.67.1.1
    !
    control-plane
    !
    line con 0
     exec-timeout 0 0
     privilege level 15
     logging synchronous
    line aux 0

    ISP:

    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname ISP
    !
    boot-start-marker
    boot-end-marker
    !
    no aaa new-model
    !
    resource policy
    !
    memory-size iomem 5
    ip subnet-zero
    !
    ip cef
    no ip domain lookup
    ip domain name lab.local
    no ip dhcp use vrf connected
    ip dhcp excluded-address 212.67.0.1 212.67.0.2
    !
    ip dhcp pool URN
     network 212.67.0.0 255.255.255.0
     default-router 212.67.0.1
    !
    interface Serial0/0
     ip address 212.67.1.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly
     serial restart-delay 0
    !
    interface Serial0/1
     no ip address
     shutdown
     serial restart-delay 0
    !
    interface Serial0/2
     no ip address
     shutdown
     serial restart-delay 0
    !
    interface Serial0/3
     no ip address
     shutdown
     serial restart-delay 0
    !
    interface FastEthernet1/0
    !
    interface FastEthernet1/1
    !
    interface FastEthernet1/2
    !
    interface FastEthernet1/3
    !
    interface FastEthernet1/4
    !
    interface FastEthernet1/5
    !
    interface FastEthernet1/6
    !
    interface FastEthernet1/7
    !
    interface FastEthernet1/8
    !
    interface FastEthernet1/9
    !
    interface FastEthernet1/10
    !
    interface FastEthernet1/11
    !
    interface FastEthernet1/12
    !
    interface FastEthernet1/13
     switchport access vlan 10
    !
    interface FastEthernet1/14
     switchport access vlan 10
    !
    interface FastEthernet1/15
     switchport access vlan 10
    !
    interface FastEthernet2/0
     ip address 192.168.137.2 255.255.255.0
     ip nat outside
     ip virtual-reassembly
     duplex auto
     speed auto
    !
    interface Vlan1
     no ip address
    !
    interface Vlan10
     ip address 212.67.0.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly
    !
    router eigrp 123
     network 212.67.0.0
     network 212.67.1.0
     no auto-summary
    !
    no ip http server
    no ip http secure-server
    !
    ip classless
    !
    ip nat inside source list 1 interface FastEthernet2/0 overload
    ip nat inside source list 2 interface FastEthernet2/0 overload
    !
    access-list 1 permit 212.67.0.0 0.0.0.255
    access-list 2 permit 212.67.1.0 0.0.0.255
    !
    control-plane
    !
    line con 0
     exec-timeout 0 0
     privilege level 15
     logging synchronous
    line aux 0
     exec-timeout 0 0
     privilege level 15
     logging synchronous
    line vty 0 4
     login
    !
    end

    SPOKE 1:

    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname SPOKE1
    !
    boot-start-marker
    boot-end-marker
    !
    no aaa new-model
    !
    resource policy
    !
    memory-size iomem 5
    ip subnet-zero
    !
    ip cef
    no ip domain lookup
    ip domain name lab.local
    !
    interface Tunnel0
     bandwidth 1000
     ip address 10.0.0.2 255.255.255.0
     no ip redirects
     ip mtu 1400
     ip nhrp authentication ENIMISTE
     ip nhrp map 10.0.0.1 212.67.1.2
     ip nhrp map multicast 212.67.1.2
     ip nhrp network-id 123
     ip nhrp holdtime 300
     ip nhrp nhs 10.0.0.1
     ip tcp adjust-mss 1360
     delay 1000
     tunnel source FastEthernet0/0
     tunnel mode gre multipoint
     tunnel key 6
    !
    interface Loopback0
     ip address 172.16.1.1 255.255.255.0
    !
    interface FastEthernet0/0
     ip address dhcp
     duplex auto
     speed auto
    !
    router eigrp 123
     network 10.0.0.0 0.0.0.255
     network 172.16.1.0 0.0.0.255
     no auto-summary
    !
    no ip http server
    no ip http secure-server
    !
    ip classless
    !
    control-plane
    !
    line con 0
     exec-timeout 0 0
     privilege level 15
     logging synchronous
    line aux 0
     exec-timeout 0 0
     privilege level 15
     logging synchronous
    line vty 0 4
     login
    !
    end

    Sorry for posting such a large number of pictures.

    Thanks in advance

    Abdelilah

    Try adding the no ip split-horizon eigrp <as-number> and no ip next-hop-self eigrp <as-number> commands on the hub. Split horizon prevents the spokes from getting updates learned from the other spokes, and the second command ensures that the hub does not replace the next-hop ip address with its own ip address.
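    The reply applied to the hub Tunnel0 that was posted above, as an added example rather than anything from the thread: the addresses, network-id, tunnel key and EIGRP AS 123 are the poster's own values, and only the two EIGRP commands are new. Note that the posted configurations contain no tunnel protection, so the mGRE tunnels run unencrypted; the ip nhrp authentication string is carried in cleartext inside NHRP packets and is not a security control. The example reproduces the posted design (no IPsec) so that the EIGRP change stands alone.

```cisco
! Added example: the poster's hub Tunnel0 with the two EIGRP commands
! from the reply. Values other than the two "no ip ... eigrp 123" lines
! are copied from the posted hub config. No tunnel protection is present,
! as in the original; the mGRE traffic is unencrypted.
interface Tunnel0
 bandwidth 1000
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication ENIMISTE
 ip nhrp map multicast dynamic
 ip nhrp network-id 123
 ip nhrp holdtime 300
 ! Re-advertise routes learned from one spoke back out of the same
 ! interface to the other spokes.
 no ip split-horizon eigrp 123
 ! Keep the originating spoke's tunnel address as next hop, so the
 ! receiving spoke resolves it through NHRP instead of sending
 ! spoke-to-spoke traffic via the hub.
 no ip next-hop-self eigrp 123
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source 212.67.1.2
 tunnel mode gre multipoint
 tunnel key 6
```

    Expected result, given the posted spoke configs: show ip route eigrp on SPOKE1 lists 172.16.x.0/24 of the other spoke with that spoke's 10.0.0.x tunnel address as next hop, and show ip nhrp on SPOKE1 shows a dynamic entry for that address after the first spoke-to-spoke packet. If the spoke table still shows only the hub's 172.16.4.0/24, check that the EIGRP adjacency re-formed after the change (show ip eigrp neighbors on the hub).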

  • DMVPN - EIGRP Neighbors

    Hello

    I run a dual-hub DMVPN solution. I use EIGRP as the routing protocol between the hubs and the spokes.

    I know that gre is a pain most of the time, but we have to live with that. Although I had spoke EIGRP neighbors that were stable for 8-9 weeks and others that drop every few weeks, 2 days ago I realized that all EIGRP neighbors dropped simultaneously at both hubs.

    On each spoke I run a common phase 1 for the VPN but different phase 2s; people who know DMVPN well will know what I mean.

    The hubs are located in different areas, and it was not a bandwidth issue affecting both hubs at the same time. It's really something with the protocols DMVPN uses, or EIGRP.

    I saw no DMVPN drops; I saw only the EIGRP neighborship go down for all spokes at both hubs at the same time. Any suggestions why EIGRP failed?

    It could be something with NHRP or an IOS bug;

    IOS c800-universalk9-mz.SPA.153-3.M.bin

    Please don't ask me basic troubleshooting, connectivity or timers. I'm looking for an advanced suggestion; I have solved many DMVPN problems which even Cisco could not find.

    I am looking forward to good suggestions, and thank you for taking the time to consider the issue.

    Kind regards

    Spyros

    Kind regards

    Spyros

    Hello

    «Don't forget that it is a spoke-to-spoke design. Spoke-to-spoke communication goes straight away. DMVPN creates a dynamic tunnel between them and does not send the traffic via the HUB.»

    I think I disagree with you here regarding these eigrp next-hop and split-horizon statements on spokes.

    Spokes do in fact set up tunnels between them; however, my understanding is that the spoke first needs to query the NHRP server's cache for the 'inside' ip address of the spoke it wants to connect to, to check reachability of the tunnel address. I can't see or understand right now why this requirement is also necessary on the spokes.

    When you say the eigrp adjacencies dropped at the same time, we are still not sure whether this is due to some partial failure that has been found, but I think that for eigrp rollover between hubs to work they must have feasible successors; do these show up in the topology tables? Maybe you had a situation where both hubs went into SIA state and dropped?

    One last thing: for a DMVPN mesh (spoke-to-spoke) neither PKI nor a pre-shared key is necessary, and you say Cisco said IOS or using IPSec/gre is buggy; what do they suggest to do? As in your last post, you say that you sorted it.

    Res
    Paul

    Sent from Cisco Technical Support iPad App
