solution VPN Neu, DMVPN

Hello world

I'm doing my research about to create new connections between offices in our network.

My plan is to have with the centres and the rest as the rays.

There are 35 offices, 12 of which are up to 20 users.

most of the offices are between 20-200 users

and only 2 are more than 200 users

DMVPN is sure how, but I have a request for short.

What kind of models do you recommend?

for example, for small offices I think to the Cisco881-Sec-K9

For hubs, I was thinking about the Cisco 4451 x, how do you think?

Thanks in advance,

Thomas

Here is a comparison between the 4000 series routers.  I think I'd go for the cheapest 4431.  If money is no object to stick with the 4451.

http://www.Cisco.com/c/en/us/products/routers/4000-series-integrated-services-routers-ISR/models-comparison.html

Make sure you get a HSEC license as well, otherwise flow crypto is severely limited.  I also get the AppX license.

For the rays, if it were my money, I would like to have the 890 series routers.  They can dish line a circuit of 100 Mbps and come with 'Advanced IP', so that can run BGP, EIGRP, etc..  Almost no restrictions.  A Cisco 897VA is particularly versatile.  Note If you want the grid, you can order a support separately for the 890 series mount rack mount routers.  The 897 a ADSL, VDSL and port WAN Gigabit copper/fiber built in.  It can plug into a lot of WAN circuits as a result.

Tags: Cisco Security

Similar Questions

  • Best design solution VPN for Central/branches

    Hi all

    I would like your comments on the design of a VPN account solution required the following:

    Right now, the customer has a single office. I will be putting in place of a Cisco 1811w for them, and its main functions will be wireless, firewall with CBAC and EZVPN server access.

    Server EZVPN function will be carried out so that employees with laptops can work from home.

    In the near future, there will be about 4 branches in operation.

    Static IP address is available for the main office, but I'm not sure if the static IP will be available for the office once they are established (there are 50 / 50 chance).

    There will be an Active Directory server in the central location and will be accessible from the branches.

    My question is - given the uncertainty in the branches having a static IP - what is the best way to implement the VPN to connect them to the branch?

    Each branch will have an installed Cisco 831.

    Is EZVPN a viable, given the above requirements?

    Is it possible to put in place the 831 as customers without XAUTH EZVPN, all keeping XAUTH for employees using EZVPN clients?

    If this does not work, XAUTH might have to.

    Or, given the situation, you would opt for DMVPN... Unfortunately I do not know too much about it as the technology for now... What are the advantages / disadvantages of its use, if it is an appropriate solution to this scenario?

    Thank you all in advance for your comments!

    Sean

    I think that you need to use a mode of expansion of network (configured in the vpngroup) instead of client mode. Just make sure that each office uses a different and not overlapping address space.

  • DMVPN BGP and EIGRP

    I am in the initial phase of research DMVPN.  We currently have an MPLS network running BGP.  Each site has Internet at home as well as a VPN site-to-site is built on the router and talks to an ASA when the SPLM fails.

    I want to implement DMVPN to do away with the site to site VPN and ASA.  I'm going to run EIGRP on routers to connect DMVPN.  Are there any good whitepapers on BGP as the main path and by EIGRP on the DMVPN as a backup?  Or no focus on a general config?

    Thank you

    It's really the main issue.

    With your configuration DMVPN roads will be internal EIGRP of an advertisement of 90, so your default DC prefer DMVPN on MPLS, which is exactly what you don't want.

    There are several ways around this as summarizing through DMPVN, redistribution connected on the sites of the branch in EIGRP so roads DMVPN are external as well and then changing measures etc.

    The other alternative I have ever done so it's for your information is really Cisco have what is called a solution IWAN where DMVPN is performed everywhere that is, even through the MPLS network.

    That would solve your problem of external routes internal EIGRP but IWAN vs is much more than just that, even if you do not need necessarily to implement the entire solution at a time.

    I just thought that it should be mentioned, and if you want more information on this I can direct you to the design guide.

    Jon

  • DMVPN spoke of issues after migration double ISR2 3925 hub to ASR-1001 X

    Hello world

    After our hub solution migration DMVPN double ISR2 3925 to ASR - 1001 X (running asr1001x - universalk9.03.12.03.S.154 - 2.S3 - std.SPA.bin) we started to have some problems with tunnels rays beat (which goes up and down) and sometimes never came.

    Running 'show dmvpn' speak it is stuck in State PNDH to our hub. To solve the problem, we run 'stop' and then 'non-stop' on the tunnel interface to actually speak that DMVPN Monte. Also runs "clear encryption session " on the shelf often solves the problem. So, it seems that the question has something to do with IPSEC.

    When the problem occurred, and then debug crypto ipsec, crypto, crypto isakmp and crypto engine socket the following can be seen on the hub:

     Jun 25 10:01:41 SUMMERT: ISAKMP:(46580):Sending NOTIFY DPD/R_U_THERE protocol 1 spi 140130067548488, message ID = 629121681 Jun 25 10:01:41 SUMMERT: ISAKMP:(46580): seq. no 0x64B2238C Jun 25 10:01:41 SUMMERT: ISAKMP:(46580): sending packet to  my_port 500 peer_port 500 (I) QM_IDLE Jun 25 10:01:41 SUMMERT: ISAKMP:(46580):Sending an IKE IPv4 Packet. Jun 25 10:01:41 SUMMERT: ISAKMP:(46580):purging node 629121681 Jun 25 10:01:41 SUMMERT: ISAKMP:(46580):Input = IKE_MESG_FROM_TIMER, IKE_TIMER_IM_ALIVE Jun 25 10:01:41 SUMMERT: ISAKMP:(46580):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE Jun 25 10:01:41 SUMMERT: ISAKMP (46580): received packet from  dport 500 sport 500 ISP1-DMVPN (I) QM_IDLE Jun 25 10:01:41 SUMMERT: ISAKMP: set new node 3442686097 to QM_IDLE Jun 25 10:01:41 SUMMERT: ISAKMP:(46580): processing HASH payload. message ID = 3442686097 Jun 25 10:01:41 SUMMERT: ISAKMP:(46580): processing NOTIFY DPD/R_U_THERE_ACK protocol 1 spi 0, message ID = 3442686097, sa = 0x7F72986867D0 Jun 25 10:01:41 SUMMERT: ISAKMP:(46580): DPD/R_U_THERE_ACK received from peer , sequence 0x64B2238C Jun 25 10:01:41 SUMMERT: ISAKMP:(46580):deleting node 3442686097 error FALSE reason "Informational (in) state 1" Jun 25 10:01:41 SUMMERT: ISAKMP:(46580):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY Jun 25 10:01:41 SUMMERT: ISAKMP:(46580):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE Jun 25 10:01:42 SUMMERT: IPSEC: delete incomplete sa: 0x7F729923A438 Jun 25 10:01:42 SUMMERT: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS Jun 25 10:01:42 SUMMERT: ISAKMP:(46580):purging node 1111296046 Jun 25 10:01:44 SUMMERT: ISAKMP (46580): received packet from  dport 500 sport 500 ISP1-DMVPN (I) QM_IDLE Jun 25 10:01:44 SUMMERT: ISAKMP: set new node 928225319 to QM_IDLE Jun 25 10:01:44 SUMMERT: ISAKMP:(46580): processing HASH payload. message ID = 928225319 Jun 25 10:01:44 SUMMERT: ISAKMP:(46580): processing SA payload. message ID = 928225319 Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):Checking IPSec proposal 1 Jun 25 10:01:44 SUMMERT: ISAKMP: transform 1, ESP_AES Jun 25 10:01:44 SUMMERT: ISAKMP: attributes in transform: Jun 25 10:01:44 SUMMERT: ISAKMP: encaps is 2 (Transport) Jun 25 10:01:44 SUMMERT: ISAKMP: SA life type in seconds Jun 25 10:01:44 SUMMERT: ISAKMP: SA life duration (basic) of 3600 Jun 25 10:01:44 SUMMERT: ISAKMP: SA life type in kilobytes Jun 25 10:01:44 SUMMERT: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0 Jun 25 10:01:44 SUMMERT: ISAKMP: authenticator is HMAC-SHA Jun 25 10:01:44 SUMMERT: ISAKMP: key length is 256 Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):atts are acceptable. Jun 25 10:01:44 SUMMERT: CRYPTO_SS(TUNNEL SEC): Active open, socket info: local  /255.255.255.255/0, remote  /255.255.255.255/0, prot 47, ifc Tu3300 Jun 25 10:01:44 SUMMERT: IPSEC(recalculate_mtu): reset sadb_root 7F7292E64990 mtu to 1500 Jun 25 10:01:44 SUMMERT: CRYPTO_SS(TUNNEL SEC): Sending Socket Ready message Jun 25 10:01:44 SUMMERT: ISAKMP:(46580): processing NONCE payload. message ID = 928225319 Jun 25 10:01:44 SUMMERT: ISAKMP:(46580): processing ID payload. message ID = 928225319 Jun 25 10:01:44 SUMMERT: ISAKMP:(46580): processing ID payload. message ID = 928225319 Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):QM Responder gets spi Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):Node 928225319, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):Node 928225319, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_IPSEC_INSTALL_AWAIT Jun 25 10:01:44 SUMMERT: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer  Jun 25 10:01:44 SUMMERT: IPSEC(crypto_ipsec_update_ident_tunnel_decap_oce): updating profile-shared Tunnel3300 ident 7F7298B2BF80 with lookup_oce 7F7296BF5440 Jun 25 10:01:44 SUMMERT: IPSEC(create_sa): sa created, (sa) sa_dest= , sa_proto= 50, sa_spi= 0x14F40C56(351538262), sa_trans= esp-aes 256 esp-sha-hmac , sa_conn_id= 27873 sa_lifetime(k/sec)= (4608000/3600), (identity) local= :0, remote= :0, local_proxy= /255.255.255.255/47/0, remote_proxy= /255.255.255.255/47/0 Jun 25 10:01:44 SUMMERT: IPSEC(create_sa): sa created, (sa) sa_dest= , sa_proto= 50, sa_spi= 0x3B4731D7(994521559), sa_trans= esp-aes 256 esp-sha-hmac , sa_conn_id= 27874 sa_lifetime(k/sec)= (4608000/3600), (identity) local= :0, remote= :0, local_proxy= /255.255.255.255/47/0, remote_proxy= /255.255.255.255/47/0 Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):Received IPSec Install callback... proceeding with the negotiation Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):Successfully installed IPSEC SA (SPI:0x14F40C56) on Tunnel3300 Jun 25 10:01:44 SUMMERT: ISAKMP:(46580): sending packet to  my_port 500 peer_port 500 (I) QM_IDLE Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):Sending an IKE IPv4 Packet. Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):Node 928225319, Input = IKE_MESG_FROM_IPSEC, IPSEC_INSTALL_DONE Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):Old State = IKE_QM_IPSEC_INSTALL_AWAIT New State = IKE_QM_R_QM2 Jun 25 10:01:44 SUMMERT: ISAKMP (46580): received packet from  dport 500 sport 500 ISP1-DMVPN (I) QM_IDLE Jun 25 10:01:44 SUMMERT: ISAKMP: set new node 1979798297 to QM_IDLE Jun 25 10:01:44 SUMMERT: ISAKMP:(46580): processing HASH payload. message ID = 1979798297 Jun 25 10:01:44 SUMMERT: ISAKMP:(46580): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3 spi 351538262, message ID = 1979798297, sa = 0x7F72986867D0 Jun 25 10:01:44 SUMMERT: ISAKMP:(46580): deleting spi 351538262 message ID = 928225319 Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):deleting node 928225319 error TRUE reason "Delete Larval" Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):peer does not do paranoid keepalives. Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):Enqueued KEY_MGR_DELETE_SAS for IPSEC SA (SPI:0x3B4731D7) Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):deleting node 1979798297 error FALSE reason "Informational (in) state 1" Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE Jun 25 10:01:44 SUMMERT: IPSEC: delete incomplete sa: 0x7F729923A340 Jun 25 10:01:44 SUMMERT: IPSEC(key_engine_delete_sas): delete SA with spi 0x3B4731D7 proto 50 for  Jun 25 10:01:44 SUMMERT: IPSEC(update_current_outbound_sa): updated peer  current outbound sa to SPI 0 Jun 25 10:01:44 SUMMERT: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS Jun 25 10:01:44 SUMMERT: CRYPTO_SS(TUNNEL SEC): Sending request for CRYPTO SS CLOSE SOCKET

     #sh pl ha qf ac fe ipsec data drop ------------------------------------------------------------------------ Drop Type Name Packets ------------------------------------------------------------------------ 3 IN_US_V4_PKT_FOUND_IPSEC_NOT_ENABLED 127672 19 IN_OCT_ANTI_REPLAY_FAIL 13346 20 IN_UNEXP_OCT_EXCEPTION 4224 33 OUT_V4_PKT_HIT_IKE_START_SP 1930 62 IN_OCT_MAC_EXCEPTION 9 #sh plat hard qfp act stat drop | e _0_ ------------------------------------------------------------------------- Global Drop Stats Packets Octets ------------------------------------------------------------------------- Disabled 1 82 IpFragErr 170536 246635169 IpTtlExceeded 4072 343853 IpsecIkeIndicate 1930 269694 IpsecInput 145256 30071488 Ipv4Acl 2251965 215240194 Ipv4Martian 6248 692010 Ipv4NoAdj 43188 7627131 Ipv4NoRoute 278 27913 Ipv4Unclassified 6 378 MplsNoRoute 790 69130 MplsUnclassified 1 60 ReassTimeout 63 10156 ServiceWireHdrErr 2684 585112

    In addition, after you run "logging dmvpn rate-limit 20' on the hub

     %DMVPN-3-DMVPN_NHRP_ERROR: Tunnel292: NHRP Encap Error for Resolution Request , Reason: protocol generic error (7) on (Tunnel:  NBMA: )

    On the talks both the following can be seen debugging as well:

     *Jun 25 09:17:26.884: ISAKMP:(1032): sitting IDLE. Starting QM immediately (QM_IDLE ) *Jun 25 09:17:26.884: ISAKMP:(1032):beginning Quick Mode exchange, M-ID of 1599359281 *Jun 25 09:17:26.884: ISAKMP:(1032):QM Initiator gets spi *Jun 25 09:17:26.884: ISAKMP:(1032): sending packet to  my_port 500 peer_port 500 (R) QM_IDLE *Jun 25 09:17:26.884: ISAKMP:(1032):Sending an IKE IPv4 Packet. *Jun 25 09:17:26.884: ISAKMP:(1032):Node 1599359281, Input = IKE_MESG_INTERNAL, IKE_INIT_QM *Jun 25 09:17:26.884: ISAKMP:(1032):Old State = IKE_QM_READY New State = IKE_QM_I_QM1 *Jun 25 09:17:26.940: ISAKMP (1032): received packet from  dport 500 sport 500 Global (R) QM_IDLE *Jun 25 09:17:26.940: ISAKMP:(1032): processing HASH payload. message ID = 1599359281 *Jun 25 09:17:26.940: ISAKMP:(1032): processing SA payload. message ID = 1599359281 *Jun 25 09:17:26.940: ISAKMP:(1032):Checking IPSec proposal 1 *Jun 25 09:17:26.940: ISAKMP: transform 1, ESP_AES *Jun 25 09:17:26.940: ISAKMP: attributes in transform: *Jun 25 09:17:26.940: ISAKMP: encaps is 2 (Transport) *Jun 25 09:17:26.940: ISAKMP: SA life type in seconds *Jun 25 09:17:26.940: ISAKMP: SA life duration (basic) of 3600 *Jun 25 09:17:26.940: ISAKMP: SA life type in kilobytes *Jun 25 09:17:26.940: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0 *Jun 25 09:17:26.940: ISAKMP: authenticator is HMAC-SHA *Jun 25 09:17:26.940: ISAKMP: key length is 256 *Jun 25 09:17:26.940: ISAKMP:(1032):atts are acceptable. *Jun 25 09:17:26.940: IPSEC(ipsec_process_proposal): proxy identities not supported *Jun 25 09:17:26.940: ISAKMP:(1032): IPSec policy invalidated proposal with error 32 *Jun 25 09:17:26.940: ISAKMP:(1032): phase 2 SA policy not acceptable! (local  remote ) *Jun 25 09:17:26.940: ISAKMP: set new node -1745931191 to QM_IDLE *Jun 25 09:17:26.940: ISAKMP:(1032):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3 spi 834718720, message ID = 2549036105 *Jun 25 09:17:26.940: ISAKMP:(1032): sending packet to  my_port 500 peer_port 500 (R) QM_IDLE *Jun 25 09:17:26.940: ISAKMP:(1032):Sending an IKE IPv4 Packet. *Jun 25 09:17:26.940: ISAKMP:(1032):purging node -1745931191 *Jun 25 09:17:26.940: ISAKMP:(1032):deleting node 1599359281 error TRUE reason "QM rejected" *Jun 25 09:17:26.940: ISAKMP:(1032):Node 1599359281, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH *Jun 25 09:17:26.940: ISAKMP:(1032):Old State = IKE_QM_I_QM1 New State = IKE_QM_I_QM1 *Jun 25 09:17:34.068: ISAKMP (1032): received packet from  dport 500 sport 500 Global (R) QM_IDLE *Jun 25 09:17:34.068: ISAKMP: set new node 1021264821 to QM_IDLE *Jun 25 09:17:34.072: ISAKMP:(1032): processing HASH payload. message ID = 1021264821 *Jun 25 09:17:34.072: ISAKMP:(1032): processing NOTIFY DPD/R_U_THERE protocol 1 spi 0, message ID = 1021264821, sa = 0x32741028 *Jun 25 09:17:34.072: ISAKMP:(1032):deleting node 1021264821 error FALSE reason "Informational (in) state 1" *Jun 25 09:17:34.072: ISAKMP:(1032):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY *Jun 25 09:17:34.072: ISAKMP:(1032):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE *Jun 25 09:17:34.072: ISAKMP:(1032):DPD/R_U_THERE received from peer , sequence 0x64B2279D *Jun 25 09:17:34.072: ISAKMP: set new node 716440334 to QM_IDLE *Jun 25 09:17:34.072: ISAKMP:(1032):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1 spi 834719464, message ID = 716440334 *Jun 25 09:17:34.072: ISAKMP:(1032): seq. no 0x64B2279D *Jun 25 09:17:34.072: ISAKMP:(1032): sending packet to  my_port 500 peer_port 500 (R) QM_IDLE *Jun 25 09:17:34.072: ISAKMP:(1032):Sending an IKE IPv4 Packet. *Jun 25 09:17:34.072: ISAKMP:(1032):purging node 716440334 *Jun 25 09:17:34.072: ISAKMP:(1032):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE *Jun 25 09:17:34.072: ISAKMP:(1032):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE *Jun 25 09:17:35.356: ISAKMP:(1032):purging node 206299144

    Obviously something seems to be wrong Phase 2 not to come. But why is it going up after having erased the session encryption or close the tunnel interface and activate the interface of tunnel has spoken?

    Very weird. Also, in looking at att the hub debugging messages it seems that Cryptography is associated with evil Tu3300 tunnel interface when it is Tu2010. Normal or Bug?

    The configuration of the hub looks like this:

     crypto keyring ISP1-DMVPN vrf ISP1-DMVPN pre-shared-key address 0.0.0.0 0.0.0.0 key  crypto isakmp policy 10 encr aes authentication pre-share crypto isakmp keepalive 10 3 periodic crypto isakmp nat keepalive 10 crypto isakmp profile ISP1-DMVPN keyring ISP1-DMVPN match identity address 0.0.0.0 ISP1-DMVPN keepalive 10 retry 3 crypto ipsec transform-set AES256-MD5 esp-aes 256 esp-md5-hmac mode tunnel crypto ipsec transform-set AES256-SHA-TRANSPORT esp-aes 256 esp-sha-hmac mode transport crypto ipsec profile ISP1-DMVPN set transform-set AES256-SHA AES256-SHA-TRANSPORT set isakmp-profile ISP1-DMVPN vrf definition ISP1-DMVPN description DMVPN-Outside-ISP1 rd 65527:10 ! address-family ipv4 exit-address-family ! ! interface TenGigabitEthernet0/0/0 no ip address ! interface TenGigabitEthernet0/0/0.71 description VPN;ISP1-DMVPN;Outside;VLAN71 encapsulation dot1Q 71 vrf forwarding ISP1-DMVPN ip address  255.255.255.128 no ip proxy-arp ip access-group acl_ISP1-DMVPN_IN in ! ip route vrf ISP1-DMVPN 0.0.0.0 0.0.0.0  name ISP1;Default ip access-list extended acl_ISP1-DMVPN_IN permit icmp any any permit esp any host  permit gre any host  permit udp any host  eq isakmp permit udp any host  eq non500-isakmp deny ip any any vrf definition 2010  description CUSTA - Customer A  rd 65527:2010 route-target export 65527:2010 route-target import 65527:2010 ! address-family ipv4 exit-address-family ! ! interface Tunnel2010 description CUSTA;DMVPN;Failover-secondary vrf forwarding 2010 ip address 10.97.0.34 255.255.255.240 no ip redirects ip mtu 1380 ip nhrp map multicast dynamic ip nhrp network-id 2010 ip nhrp holdtime 120 ip nhrp server-only ip nhrp max-send 1000 every 10 ip tcp adjust-mss 1340 tunnel source TenGigabitEthernet0/0/0.71 tunnel mode gre multipoint tunnel key 2010 tunnel vrf ISP1-DMVPN tunnel protection ipsec profile ISP1-DMVPN shared router bgp 65527 ! address-family ipv4 vrf 2010 redistribute connected metric 10 redistribute static metric 15 neighbor 10.97.0.39 remote-as 65028 neighbor 10.97.0.39 description spokerouter;Tunnel1 neighbor 10.97.0.39 update-source Tunnel2010 neighbor 10.97.0.39 activate neighbor 10.97.0.39 soft-reconfiguration inbound neighbor 10.97.0.39 prefix-list EXPORT-IVPN-VRF2010 out neighbor 10.97.0.39 route-map AllVRF-LocalPref-80 in neighbor 10.97.0.39 maximum-prefix 5000 80 default-information originate exit-address-family

    Configuring spoke:

     crypto keyring DMVPN01 pre-shared-key address 0.0.0.0 0.0.0.0 key  crypto isakmp policy 10 encr aes authentication pre-share crypto isakmp invalid-spi-recovery crypto isakmp profile DMVPN01 keyring DMVPN01 match identity address 0.0.0.0 keepalive 10 retry 3 crypto ipsec transform-set AES256-SHA esp-aes 256 esp-sha-hmac mode tunnel crypto ipsec transform-set AES256-SHA-TRANSPORT esp-aes 256 esp-sha-hmac mode transport crypto ipsec profile DMVPN01 set transform-set AES256-SHA-TRANSPORT set isakmp-profile DMVPN01 vrf definition inside rd 65028:1 route-target export 65028:1 route-target import 65028:1 ! address-family ipv4 exit-address-family ! interface Tunnel1 description DMVPN to HUB vrf forwarding inside ip address 10.97.0.39 255.255.255.240 no ip redirects ip mtu 1380 ip nhrp map 10.97.0.33  ip nhrp map multicast  ip nhrp map 10.97.0.34  ip nhrp map multicast  ip nhrp network-id 1 ip nhrp holdtime 120 ip nhrp nhs 10.97.0.33 ip nhrp nhs 10.97.0.34 ip nhrp registration no-unique ip nhrp registration timeout 60 ip tcp adjust-mss 1340 tunnel source GigabitEthernet0/0 tunnel mode gre multipoint tunnel key 2010 tunnel protection ipsec profile DMVPN01 shared router bgp 65028 ! address-family ipv4 vrf inside bgp router-id 172.28.5.137 network 10.97.20.128 mask 255.255.255.128 network 10.97.21.0 mask 255.255.255.0 network 10.97.22.0 mask 255.255.255.0 network 10.97.23.0 mask 255.255.255.0 network 172.28.5.137 mask 255.255.255.255 neighbor 10.97.0.33 remote-as 65527 neighbor 10.97.0.33 description HUB1;Tunnel2010 neighbor 10.97.0.33 update-source Tunnel1 neighbor 10.97.0.33 timers 10 30 neighbor 10.97.0.33 activate neighbor 10.97.0.33 send-community both neighbor 10.97.0.33 soft-reconfiguration inbound neighbor 10.97.0.33 prefix-list IROUTE-EXPORT out neighbor 10.97.0.33 maximum-prefix 5000 80 neighbor 10.97.0.34 remote-as 65527 neighbor 10.97.0.34 description HUB2;tunnel2010 neighbor 10.97.0.34 update-source Tunnel1 neighbor 10.97.0.34 timers 10 30 neighbor 10.97.0.34 activate neighbor 10.97.0.34 send-community both neighbor 10.97.0.34 soft-reconfiguration inbound neighbor 10.97.0.34 prefix-list IROUTE-EXPORT out neighbor 10.97.0.34 route-map AllVRF-LocalPref-80 in neighbor 10.97.0.34 maximum-prefix 5000 80 exit-address-family

    If more information is needed, please say so.

    Any help or advice would be greatly appreciated!

    Thank you!

    It is possible that you touch it--the failure of negotiations of phase 2:

    https://Tools.Cisco.com/bugsearch/bug/CSCup72039/?reffering_site=dumpcr

    [Too little detail to say with certainty:]

    M.

  • Help without NAT and VPN Config DMZ.

    Before VPN, we miss with 'nonatdmz '. Recently, we tried to implement the solution VPN using "VPNRA".

    ASA IOS would only you are using a "NAT 0" at a time, how do you get around that.

    TIA

    nonatdmz list of allowed ip extended access any 192.168.100.0 255.255.255.0

    NAT (inside) 0-list of access nonatdmz

    Access extensive list ip 172.0.0.0 VPNRA allow 255.0.0.0 10.17.70.0 255.255.255.0

    NAT (inside) 0-list of access VPNRA

    You can add several lines to you nonatdmz access-list: for example:

    nonatdmz list of allowed ip extended access any 192.168.100.0 255.255.255.0

    access extensive list ip 172.0.0.0 nonatdmz allow 255.0.0.0 10.17.70.0 255.255.255.0

    NAT (inside) 0-list of access nonatdmz

  • DMVPN/GETVPN double spoke router Design

    All the:

    I'm developing a new design of VPN - cloud DMVPN, routers double hub to the main site, router hub unique to the backup site and double routers spoke at the Directorate General/remotes.

    This is all via internet transport, with overlay GETVPN to encrypt.

    Somebody has experiences establishing DMVPN designs with dual spoke routers, and how go you about it? HSRP @ interface outside or inside, determination of Protocol routing only, etc...

    Thanks in advance!

    Hi Steve,.

    Using BGP will complicate things a bit.

    This is because you must announce the IP (used as source GRE) HSRP on both your ISP. If you need to own that IP.

    If this is not possible, you can use the double Hub - double DMVPN Layout (a part of the link DMVPN I joined precedent).

    This will require a WILL by the router and routing to use routing protocol.

    HSRP can still be used on the inside of the interface, the GRE tunnel status tracking.

    Doesnít of traffic must be translated as possible via GRE tunnels.

    Please rate if this helped.

    Kind regards

    Daniel

  • ASA DMVPN to Azure cloud

    Hello

    It looks like one of our customers were buying SRI is to connect to the Microsoft via DMVPN cloud azure, because Cisco ASA does not (yet) support.

    ASA will support this in a future release nearby?

    Finally, anyone have any suggestions? (Apart from not using azure ;-)

    Based on the comments of the representatives of Cisco in sessions DMVPN/FlexVPN to Cisco Live!, there is no plan to support DMVPN/FlexVPN on SAA. This may have changed since then, but I doubt it.

    VPN infrastructure evolve slowly but surely based simply on strategies IPSec VPN that supports the ASA to the more modern and more flexible based on the VPN as DMVPN and FlexVPN road. The key here sentence is "road", which puts the technology firmly within the scope of routers rather than safety devices.

    The ASA units are very good in what they do, but modern VPN infrastructure are a bit beyond their reach.

  • VPN in 1921 with the AAS wireless card

    I have a router Cisco 1921 with a Verizon LTE eHWIC wireless card. I want this device to use dial-on-demand routing (which will be always activated) to connect to the wireless network and then open a VPN IPSec tunnel in a central location. The tunnel ends in an ASA 5545

    Looking at the documentation, I see examples of use (DMVPN and EasyVPN

    ( http://www.cisco.com/en/US/products/ps5949/products_installation_and_configuration_guides_list.html)

    But these methods are not supported by the ASA.

    So my question (s)

    1. can I use a point to point standard IPSec VPN without DMVPN tunnel, etc. ? Where I go to see an example (the above does not seem to have one)

    2. If the wireless interface retrieves an address FRO Verizon (similar to DHCP), how can I specify the peer side of the ASA?

    The simplest is to configure EasyVPN which is supported on the SAA. There you have the same setup as for the Legacy Client VPN. Another option is to set up a traditional crypto map on the router and that link to the group by default-tunnel on the SAA. For both styles of VPN - you need not to know the address of peers as it is always considered as dynamic.

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a00807ea936.shtml

    --
    Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
    http://www.Kiva.org/invitedBy/karsteni

  • Design VPN recommendation

    I'm standing, a site with an L2L connection, but needs to vpn client host connections as well. I know that you can do with old good crypto cards, but it is not the preferred method these days with the virtual Tunnel Interfaces? Trying to figure out the best method to deal with. Links and guidance appreciated.

    Hi Robert,.

    To be honest, today the best recommendation is to run AnyConnect instead of the legacy IPsec client.

    In the case where you would need to run the IPsec client, it doesn't really matter if you use a virtual interface or not, given that from the point of view of the VPN client functionalilty is the same.

    I would recommend simple card crypto for a simple connection to a router not to treat many types of VPN as DMVPN, VTI, DVTI connections, etc.

    However, if you want to get more familiar with DVTI, then I suggest this link:

    Cisco Easy VPN with IPSec configuration dynamic Tunnel Virtual Interface (DVTI)

    Remember that the configuration of a box of equipment or software is pretty much the same thing on the VPN server.

    With a card encryption:

    Router allows the VPN Clients to connect to IPsec and Internet using Split Tunneling Configuration example

    So as you can see the configuration of the client is the same on the server:

    crypto isakmp client configuration group vpngroup key cisco123 dns 10.10.10.10 wins 10.10.10.20 domain cisco.com pool ippool acl 101

    What really changes is to use if a card encryption or a VTI.

    It will be useful.

    Portu.

    Please note all useful posts

    Post edited by: Javier Portuguez

  • WINDOWS REMOTE DESKTOP

    I can't connect to the work computer via remote desktop. Error, said that this computer can not connect.

    Check with your work IT people to see if they allow to connect to desktop computers.  If they do, they will be able to tell you how.  In general, companies do not allow that without a solution VPN in place. Brian Tillman [MVP-Outlook]

  • How can I get the engine working in the ASA 5505 Crypto

    I bought a brand new ASA 5505 to connect to the Cisco 3640 and I can not yet set up the tunnel. I have tried to change the set of transformation to just but know luck. I recently put a VPN using DMVPN and Cisco 501 in a site-to-site, but it has been wondering what happens.

    The router (3640 executes code 12.4) seems ok and I don't think I have a problem with the router with Cisco 501 great work.

    This is a laboratory environment.

    This is the function defined on the ASA 5505

    The devices allowed for this platform:

    The maximum physical Interfaces: 8

    VLAN: 3, restricted DMZ

    Internal guests: 10

    Failover: disabled

    VPN - A: enabled

    VPN-3DES-AES: enabled

    Peer VPN: 10

    WebVPN peers: 2

    Double ISP: disabled

    Junction ports VLAN: 0

    AnyConnect for Mobile: disabled

    AnyConnect for Linksys phone: disabled

    Assessment of Advanced endpoint: disabled

    This platform includes a basic license.

    This is a ping from 10.3.4.10 to 10.1.1.1. He said nothing about IPSEC or ISAKMP.

    That's what I get when I do the: show crypto ipsec his

    ASA5505 (config) # show crypto ipsec his

    There is no ipsec security associations

    ASA5505 (config) # show crypto isakmp his

    There is no isakmp sas

    Debug crypto isakmp 10

    entry packets within the icmp 10.3.4.10 8 0 10.1.1.1 detail

    I have worked on it for a week and don't really know if I have a bad ASA5505. Since the normal stuff like browsing the Internet works and I can ping to the outside and inside, I don't know what to think. See attachments.

    "Do what you asked has worked.

    Nice to hear that your problem is solved.

    "My question is can I use the transform-set ESP-3DES-SHA instead of MD5?"

    Of course you can.

    Kind regards.

    Please do not forget to note the useful messages and check "Solved my problem", if the post has solved your problem.

  • IPSec Site to Site VPN Solution needed?

    Hi all

    I need a solution to provide full connectivity to one of my clients. I created two IPSEC Site to Site VPN, one between the INFO and RITA and second between NIDA and RITA. I can access RITA machine that is 172.16.36.101 at the INFO and 10.0.0.5 to NIDA.

    Now, I need to give access to my customer INFORMATION to direct NIDA 10.0.0.5 without established VPN machine to NIDA 10.0.0.5 of 172.16.36.101 access.

    Could you please give me the solution how is that possible?

    Concerning

    Uzair Hussain

    Hi uzair.infotech,

    Looks like you need to set up a grouping between the 3 sites, at the end of that your topology will look like this:

    INFO - RITA - NIDA

    You can check this guide that explains step by step how to configure grouping:

    https://supportforums.Cisco.com/document/12752536/how-configure-site-sit...

    Hope this info helps!

    Note If you help!

    -JP-

  • DMVPN (NAT?) solution with rais as subnets

    Hi all

    I have a large number of remote networks that are prevalent all over the world. Currently, they are all individual island with no connectivity to anywhere else.

    What I would do is connect all back to Headquarters on the internet so I can access it remotely. The internet service that I receive from all the sites will be different and unknown for example some directly on the internet, some behind NAT.

    So I think that the solution to this is DMVPN.

    But my problem is that all of the remote locations have the same internal subnet. So, how can I make sure that they are all connected and remote devices are all available at the same time?

    I wonder if I can configure NAT on the router may talk so that each device has a static nat with the Natted IP is unique. I labbed this place GNS3 and it seems to work. However the problem is that there are hundreds of devices on each site, which means a large number of NAT entries.

    I was wondering is it possible to make a fair full 1:1 Nat specifies a network to network. For example, something like 192.168.20.0/24 NAT to 10.0.1.0/24, so try to access the 192.168.20.5 in fact, it connects to 10.0.1.5

    Has anyone never has something like this work?

    Y at - it a good solution?

    Thank you, Simon

    It is possible, but (assuming they already use NAT for Internet access) you'll need to define things very carefully to avoid interference with what they have.

    Do a complete translation of subnet is easy and is a good word:

    IP nat inside source static 10.0.0.0 network 192.168.0.0/24

    The problem is that this will replace all existing for this subnet NAT, condition and the existing NAT configuration.

    Can you provide an example of how the current NAT is set up for one of these sites?

  • VPN monitoring solution

    Some client has a main office and several branch offices connected via VPN.

    He needs a solution that will allow him to specific information and monitor VPN sessions (ex: number of sessions, session source, date, duration, bandwidth used, ect,.,)

    Cisco provides such a solution.

    a solution that is better with GUI

    Please, your quick response time is appreciated

    Included with Cisco Security Manager is an application called performance monitor, which supports the monitoring of remote access and site-to-site VPN. links:

    Security Manager:

    http://www.Cisco.com/go/CSManager

    Performance Monitor user guide:

    http://www.Cisco.com/en/us/products/ps6498/products_user_guide_book09186a00806b7a60.html

    Performance monitor is from the previous security management product called CiscoWorks VMS and is currently no improvement. We want to implement an update of health related to security and performance monitoring capacity on-par with the Security Manager, but not clear word yet.

    Security Manager and performance monitor can be downloaded and used up to 90 days of assessment.

  • DMVPN Solution for 50 Branches...

    Hi all

    We have about 40 branches and a Central data center.
    each office is connected with the domain controller and all internet traffic passed and filtered between DC and the Central firewall.
    We have VoiP, with a Central in DC call manager.
    our data are in DC, except some of the offices that have their own file server.
    RDP is also continue to use.

    Now, one day, we have a MPLS network linking all of our offices.

    I do a search about to implement a DMVPN for all, or as a second solution to some of our offices (the small one).
    How can you recommend or kind one or the other solution?

    as I read, the voice traffic is the most critical and the most difficult to manage with the ISP and DMVPN Solution.

    I would really apriciate your opinion.

    Kind regards
    Thomas.

    PS
    I chose cause DMVPN we have in the near future to have a backup of our DC in a second office, only for some of the critics of the data and services.
    That's why I think to use the DMVPN with 2 Hubs

    Yes you can run it on the Internet.  Yes, you may have questions of VoIP.

    A solution that we used in the past is double internet connections.  You dedicate one VoIP and one for everything else.  Always much cheaper than MPLS.

    You can also use Pfr (routing performance) to select the circuit to use based on the latency and jitter, and the type of traffic.

    http://docwiki.Cisco.com/wiki/PfR3:solutions:Iwan

Maybe you are looking for