
DMVPN Setup assistance...anyone got a how-to?

Status
Not open for further replies.

makemorebeer

Technical User
Jun 6, 2007
96
US
I've got three Cisco 1811 routers and three ADSL lines. I need our two remote sites to connect via VPN, or anything that may work over ADSL, to the main office. My plan is to use a dynamic multipoint GRE tunnel from each remote site to the main office, and I'm having trouble getting a good how-to on the setup. I do have a functional GRE tunnel between one of the remote sites and the main office right now, but I need bi-directional traffic flow from both sites to the same router. SDM won't allow setup of two GRE tunnels, and the DMVPN setup in SDM is a waste of time. If I can get one of the multipoint links up, I'm sure I can get the other up, so I'll post the config from the main facility and the first remote site. Also, to add a bit of wonder to it, the remote site I'm working with right now is on the same subnet as the main facility's subnet, and they are connected at a different point by a wireless bridge. (Am I shooting myself in the foot here?)

Main facility configuration

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
crypto pki trustpoint TP-self-signed-
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-
revocation-check none
rsakeypair TP-self-signed-
!
!
crypto pki certificate chain TP-self-signed-
certificate self-signed 01

quit
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
crypto isakmp key {removed} address 64.91.x.x 255.255.255.252
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
mode transport
crypto ipsec transform-set hisec esp-3des esp-md5-hmac
!
crypto ipsec profile DMVPN
!
crypto ipsec profile SDM_Profile1
set transform-set ESP-3DES-SHA1
!
crypto ipsec profile SDM_Profile2
set transform-set ESP-3DES-SHA
!
crypto ipsec profile citybrew
set transform-set hisec
!
no ip source-route
!
!
ip cef
!
!
no ip bootp server
ip domain name {removed}
ip name-server x.x.x.x
ip name-server x.x.x.x
!
multilink bundle-name authenticated
vpdn enable
!
!
!

ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
interface Tunnel0
bandwidth 1000
ip address 10.10.1.3 255.255.255.0
no ip redirects
ip mtu 1492
ip nhrp authentication {removed}
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip nhrp holdtime 360
ip nhrp cache non-authoritative
ip tcp adjust-mss 1360
delay 1000
tunnel source FastEthernet1
tunnel mode gre multipoint
tunnel key 0
tunnel protection ipsec profile DMVPN
!
interface Null0
no ip unreachables


Remote Facility config


version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname LAX-R4
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
no logging buffered
!
crypto pki trustpoint self-signed-cert
enrollment selfsigned
ip-address 10.1.254.246
revocation-check crl
rsakeypair self-signed-cert
!
!
crypto pki certificate chain self-signed-cert
certificate self-signed 01

!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key {removed} address 69.29.x.x
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode transport
crypto ipsec transform-set hisec esp-3des esp-md5-hmac
!
crypto ipsec profile DMVPN
set transform-set hisec
!
crypto ipsec profile SDM_Profile1
set transform-set ESP-3DES-SHA
!
no ip source-route
!
!
ip cef
!
!
no ip bootp server
ip domain name {removed}
ip name-server 10.1.x.x
ip name-server 10.1.x.x
!
multilink bundle-name authenticated
vpdn enable
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh version 1
!
!
bba-group pppoe global
!
!
interface Tunnel0
bandwidth 1000
ip address 10.10.1.4 255.255.0.0
no ip redirects
ip mtu 1440
ip nhrp authentication {removed}
ip nhrp map multicast dynamic
ip nhrp map 10.10.1.3 69.29.x.x
ip nhrp map multicast 69.29.x.x
ip nhrp network-id 1
ip nhrp holdtime 360
ip nhrp nhs 10.10.1.3
ip nhrp cache non-authoritative
ip tcp adjust-mss 1360
delay 1000
tunnel source FastEthernet1
tunnel mode gre multipoint
tunnel key 0
tunnel protection ipsec profile DMVPN
!
interface FastEthernet0
description Primary Connection
ip address 10.1.254.246 255.255.0.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet1
description ADSL$FW_OUTSIDE$$ES_WAN$$ETH-WAN$
no ip address
ip verify unicast reverse-path
no ip redirects
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1

interface Dialer0
description $FW_OUTSIDE$
mtu 1492
bandwidth 10000
ip address 64.91.x.x 255.255.255.252
ip nat outside
ip irdp
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname
ppp chap password 7
ppp pap sent-username password 7
!
router eigrp 2
network 10.1.0.0 0.0.255.255
network 10.10.1.0 0.0.0.255
no auto-summary
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
ip http server
ip http authentication local
no ip http secure-server
ip nat inside source list Outmap interface Dialer0 overload
!
ip access-list extended Outmap
remark SDM_ACL Category=2
remark permit 10.1 traffic out to internet
permit ip 10.1.0.0 0.0.255.255 any
remark implicit deny
deny ip any any

end

 
Here are some docs on the setup:



SDM, but if you scroll down there's CLI:

-----

It's not clear what you mean when you say "i need bi-directional traffic flow from both sites to the same router."

Because you're doing multipoint GRE, you only need one tunnel interface on each router. int tun0 on the Hub can connect with both spokes.

-----

Overlapping networks will present a problem, but you might be able to solve this with NAT. It might work if you NAT the spoke network to something else and then advertise that network via EIGRP to the hub.

It sounds like you have an opportunity for a routing loop, too. Be sure to consider your routing topology carefully. :p

-----

I think your config looks good with two exceptions.

1. Your transform set/ipsec profile relationships. They look a little confused and you have several of them.

You should be using a transform set with "mode transport" in your ipsec profile. My suggestion would be to do something like the following on each router (gleaned from your configs above):

Code:
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
   mode transport

crypto ipsec profile DMVPN
   set transform-set ESP-3DES-SHA

int tunnel 0
   tunnel protection ipsec profile DMVPN

2. I don't see your EIGRP config on the Hub



Matt
CCIE Security
 
At one point I was able to ping from the remote to the hub, but not the other way around. Then the bottom fell out and I can't get them reconnected for some reason. I did go ahead and implement the changes you suggested above and it's still not connecting like it should. The EIGRP config is the same on both routers; sorry about that, I accidentally cut it out. One thing that I've noticed, and I'm not sure if it's got a meaning or not, but when I do a show int t0 it lists the source as 0.0.0.0 and the destination as unknown. It also says line protocol down.
 
Alright, hey, I got the tunnel half-way up. It was the tunnel source identifier; it gave an IP address of 0.0.0.0. The outbound interface has the IP assigned to the dialer interface. Changed tunnel source to Dialer0 on both sides and the tunnel came up. Now I'm having trouble getting the SAs associated. I've got the hub saying

State = MN_SA_SETUP

and i'm getting this on the spoke

02-21-2008 14:30:23 Local7.Warning 10.1.254.246 189: 001107: *Feb 21 14:28:14.550 PCtime: %CRYPTO-4-IKMP_NO_SA: IKE message from 69.29.16.113 has no SA and is not an initialization offer

Anyone know what I've done wrong here?
 
Clear out your IKE and IPsec associations. That error is saying that .16.113 is sending packets that are encrypted, but not the beginning of the conversation.

If you don't have other production tunnels:

clear cry isa

clear cry sa

If you do have other production tunnels:

sho cry isa sa
clear cry isa <connection ID>

sho cry ipsec sa
clear cry sa peer <peer IP>



Matt
CCIE Security
 
Unfortunately that's what I thought, so I did that already and I still get the problem. If I do a "show crypto ipsec sa" on the hub there are none listed; however, the same command on the spoke shows a listing. I believe I should be seeing these on both sides, shouldn't I? Lucky for me these two routers are not in production yet, so I can do whatever I want to them. I'm thinking all my fumbling around trying to figure out the tunnels may have screwed something up. Where do you think the problem resides, the spoke or the hub? Personally I'm leaning towards the hub myself. Just for fun I'll include the configs from both routers again; maybe I missed something on the reconfig.


Hub Router

version 12.4
!
aaa new-model
!
!
aaa authentication login default local group radius
aaa authentication login local_authen local
aaa authorization exec default local
aaa authorization exec local_author local
aaa authorization network default group radius
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-
revocation-check none
rsakeypair TP-self-signed-
!
!
crypto pki certificate chain TP-self-signed-
certificate self-signed 01
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key brewgods address 64.91.77.125
crypto isakmp key brewgods address 69.29.16.113
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode transport
!
crypto ipsec profile DMVPN
set transform-set ESP-3DES-SHA
!
!
no ip source-route
!
ip cef
!
multilink bundle-name authenticated
vpdn enable
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
interface Tunnel0
bandwidth 10000
ip address 10.10.1.3 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication brewgods
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip nhrp holdtime 100
ip nhrp cache non-authoritative
ip tcp adjust-mss 1330
delay 1000
tunnel source Dialer0
tunnel mode gre multipoint
tunnel key 0
tunnel protection ipsec profile DMVPN
!
interface FastEthernet0
description 10.1 network$FW_INSIDE$$ES_LAN$$ETH-LAN$
ip address 10.1.x.x 255.255.0.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet1
description $ETH-WAN$
no ip address
ip verify unicast reverse-path
no ip redirects
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface Dialer0
description $FW_OUTSIDE$
mtu 1492
bandwidth 10000
ip address 69.29.x.x 255.255.255.248
ip information-reply
no ip proxy-arp
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname
ppp chap password
ppp pap sent-username password
!
router eigrp 2
network 10.1.0.0 0.0.255.255
network 10.10.1.0 0.0.0.255
no auto-summary
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static 10.10.1.3 69.29.x.x extendable
!
logging dmvpn rate-limit 20


Spoke Router

version 12.4
!
aaa new-model
!
!
aaa authentication login default local group radius
aaa authentication login local_authen local
aaa authorization exec default local
aaa authorization exec local_author local
aaa authorization network default group radius
!
!
aaa session-id common
!
crypto pki trustpoint self-signed-cert
enrollment selfsigned
ip-address 10.1.254.246
revocation-check crl
rsakeypair self-signed-cert
!
!
crypto pki certificate chain self-signed-cert
certificate self-signed 01
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key brewgods address 69.29.x.x 255.255.255.248
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode transport
!
crypto ipsec profile DMVPN
set transform-set ESP-3DES-SHA
!
!
no ip source-route
!
!
ip cef
!
multilink bundle-name authenticated
vpdn enable
!

!
bba-group pppoe global
!
!
interface Tunnel0
ip address 10.10.1.4 255.255.255.0
no ip redirects
ip nhrp authentication brewgods
ip nhrp map 10.10.1.3 69.29.x.x
ip nhrp map multicast 69.29.x.x
ip nhrp network-id 1
ip nhrp cache non-authoritative
tunnel source Dialer0
tunnel mode gre multipoint
tunnel key 0
tunnel protection ipsec profile DMVPN
!
interface FastEthernet0
description Primary Connection
ip address 10.1.254.246 255.255.0.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet1
description ADSL$FW_OUTSIDE$$ES_WAN$$ETH-WAN$
no ip address
ip verify unicast reverse-path
no ip redirects
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface Dialer0
description $FW_OUTSIDE$
mtu 1492
bandwidth 10000
ip address 64.91.x.x 255.255.255.252
ip nat outside
ip irdp
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname
ppp chap password
ppp pap sent-username password
!
router eigrp 2
network 10.1.0.0 0.0.255.255
network 10.10.1.0 0.0.0.255
no auto-summary
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
ip http server
ip http authentication local
no ip http secure-server
ip nat inside source static 10.10.1.4 64.91.x.x
 
What you have looked right to me on first pass, but I just took out The Complete Cisco VPN Configuration Guide to double check. One thing that Richard Deal does differently is that he disables XAUTH on his ISAKMP key statements. From the book, p.715:

Code:
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0 no-xauth

You could try the same thing with your keys.

-----

Ultimately to get EIGRP to work right, you're also going to need the following commands on the hub tunnel interface:

Code:
interface tunnel 0
   no ip split-horizon eigrp 2
   no ip next-hop-self eigrp 2

-----

Beyond that, things look right I think. I happened to have an off-line conversation with someone about this, though, and we were both concerned that your overlapping networks behind each endpoint could be interfering with the crypto associations. Since this is a lab (hooray!) can you try changing the local network behind the spoke to rule that out?

Matt
CCIE Security
 
Talk about frustrating. I've added the config changes you suggested above and still nothing. I also tried changing the subnet on the other end to no avail. Same response: ISAKMP SAs show up as setup, and the hub has no IPsec SAs listed. I'm concerned that maybe my IOS is corrupt or something. I'm going to wipe the config, reload the IOS and give it another go. It just seems like this should be working. Are there any NAT concerns I'm not addressing? I'm not running any type of ACLs or inspection yet, and I've configured static NAT for the two external IPs I'm using. Well, let me know what you think, cause I'm drowning here. If I get a chance I may just try doing a point-to-point tunnel like I've got on my other router (that one works too); then if I can get that going I'll try to transition it into a DMVPN tunnel. As a side note, I've discussed with my boss the possibility of separating our remote site onto a separate subnet, and this will not be a problem if it comes to it.
 
When you say that you've "configured static nat for the two external IP's i'm using." What do you mean?

Also, before you pull any more hair out, is DMVPN really the right solution here? As you can see, it can be a bit of a bear. I don't mean to be discouraging, but consider the following:

Do you need direct spoke-to-spoke communication, for an application like Voice?

Do you plan on adding many more spokes in the future?

If yes to both, then you'll probably want to keep on working with DMVPN. If you don't think you'll be adding spokes then maybe L2L tunnels are the right approach. Even if you need spoke-to-spoke communication, a full mesh of three points isn't too much to manage.

CAVEAT to what I just said: If your spoke IP addresses are dynamic, spoke to spoke won't be workable without DMVPN.

Matt
CCIE Security
 
ip nat inside source static 10.10.1.3 69.29.x.x extendable
ip nat inside source static 10.10.1.4 64.91.x.x

I figure since these are ADSL lines I've got to interpret for the router external and internal, right? As for needing it: if I could figure out another way I'd use it, but at this point I've got a GRE tunnel connecting our main office with our out-of-state office. The intention here is to change that tunnel onto this new router so we'll be running both of our remote sites via tunnel into a single router. It's my understanding that you cannot create two static tunnels to a single interface. If I can get this thing up I figure the maintenance on it should be pretty light, as we're not planning to further scale the network at this time. It does need to be an always-up connection too.

Do you know of a way to use two static tunnels to a single interface? I'm more than happy to work a different angle if it gets me the desired results in the end. From what I've read, though, this just seemed to be the most feasible.
 
You're NATing the tunnel interfaces? Yikes! That could very well be your problem. There is no need to do that.

It's tough to describe here, but the tunnel interfaces are part of a virtual network that lives within the encrypted tunnels. The 10.10.1.x is how the endpoints expect to speak NHRP/Routing with each other.

You took care of the "real" IP addressing with your nhrp map and nhrp nhs commands on the spokes. The routers use public IP addresses as the destinations for the encrypted GRE packets.

Remove your static NAT configuration for the tunnel IP addresses and see what happens.

-----

Also, you can most definitely have more than one tunnel terminate on an interface. Each tunnel gets a different sequence number in the same crypto map. Here is an example:


Matt
CCIE Security
 
Imagine that, the SDM lied to me. Though, I probably should have known better. Well, at any rate, after removing the NAT entries the SAs seem to have authenticated and the tunnel is listing as up. However, my syslog server is displaying messages that the EIGRP adjacency is up/down, max retries reached/new adjacency, and I'm not seeing any EIGRP routes in the routing table, most likely because it's an overlapping subnet. I also can't ping from one tunnel interface to another. I might just change over to the direct tunnels, as I've got one of them already and am somewhat familiar.
 
Excellent! The overlapping networks could be the culprit, but I would think the adjacency would stay up, the routers would just ignore the routes.

Make sure that all your NHRP commands are correct, especially the map commands.

Looking at your second set of configs, it appears that you're missing the nhrp nhs command on the spoke:

Code:
ip nhrp nhs 10.10.1.3

Matt
CCIE Security
 
You're a genius. Put that into the spoke's tunnel interface and what was reading incomplete on the hub is now reading dynamic, and I'm able to ping. Now I just need to figure out how we're going to manage this section of the network.

thanks for all the help.
 
You're welcome! DMVPN is pretty cool once you get it up and running. :)

As you're messing with EIGRP, don't forget the following on the tunnel interface of the hub:

Code:
interface tunnel 0
   no ip split-horizon eigrp 2
   no ip next-hop-self eigrp 2

If you don't have those, then the hub won't share routes between the spokes and the spokes will send traffic through the hub instead of spoke-to-spoke.

Matt
CCIE Security
 
Matt---is it possible to use ptp subinterfaces with a vpn config like this to avoid split-horizon issues?
BTW, excellent site you have there! I have bookmarked it.

Burt
 
Burt, thanks for the kind words about the site. Joe and I need to get back to work on it. We've been slacking. ;-)

I don't think you can avoid the split-horizon issue. This is because you're actually routing on the one multipoint gre tunnel interface. Thus, because each of the spokes connects to the same interface, you need to disable split-horizon (or use OSPF) to receive and send routing updates on the one mGRE interface.



Matt
CCIE Security
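A checker, added here as an example rather than code from the thread or from Cisco, that encodes the pitfalls Matt walked through above: a tunnel sourced from an interface with no address (the 0.0.0.0 source), the profile-to-transform-set chain and its `mode transport`, static NAT of the tunnel address, the missing `ip nhrp nhs` on the spoke, and split-horizon/next-hop-self still enabled on the hub. The minimal IOS stanza reader and the sample spoke config are constructed for this example; 198.51.100.1 and 203.0.113.2 stand in for the public addresses.

```python
import re
STANZA = re.compile(r"^(interface \S+|crypto ipsec (?:transform-set|profile) \S+|router eigrp \d+)")

# Constructed sample modelled on the spoke config posted above, before the
# 'ip nhrp nhs' line was added and the static NAT of the tunnel address removed.
SPOKE_BEFORE = (
    "crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac\nmode transport\n!\n"
    "crypto ipsec profile DMVPN\nset transform-set ESP-3DES-SHA\n!\n"
    "interface Tunnel0\nip address 10.10.1.4 255.255.255.0\nip nhrp map 10.10.1.3 198.51.100.1\n"
    "tunnel source Dialer0\ntunnel mode gre multipoint\ntunnel protection ipsec profile DMVPN\n!\n"
    "interface Dialer0\nip address 203.0.113.2 255.255.255.252\n!\n"
    "ip nat inside source static 10.10.1.4 203.0.113.2\n")


def parse_sections(config):
    """Map each stanza head (interface X, crypto ipsec profile X, router eigrp N)
    to its sub-command lines; '!' ends a stanza and global lines land under ''."""
    sections, current = {"": []}, ""
    for raw in config.splitlines():
        line = raw.strip()
        if line == "!":
            current = ""
        elif m := STANZA.match(line):
            current = m.group(1)
            sections.setdefault(current, [])
        elif line and line != "end":
            sections.setdefault(current, []).append(line)
    return sections


def first(lines, prefix):
    """Arguments of the first line starting with prefix, or None."""
    return next((ln[len(prefix):].strip() for ln in lines if ln.startswith(prefix)), None)


def check_dmvpn(config, role):
    """Return the findings for a 'hub' or 'spoke' config; [] means clean."""
    s = parse_sections(config)
    t, out = next((v for k, v in s.items() if k.startswith("interface Tunnel")), []), []
    # The PPPoE Ethernet port has 'no ip address'; sourcing the tunnel there gave 0.0.0.0.
    src = first(t, "tunnel source")
    if first(s.get(f"interface {src}", []), "ip address") is None:
        out.append(f"tunnel source {src} has no IP address")
    # Follow profile -> transform-set and require transport mode on the set.
    prof = first(t, "tunnel protection ipsec profile")
    ts = first(s.get(f"crypto ipsec profile {prof}", []), "set transform-set")
    if ts is None:
        out.append(f"ipsec profile {prof} sets no transform-set")
    elif "mode transport" not in s.get(f"crypto ipsec transform-set {ts}", []):
        out.append(f"transform-set {ts} lacks 'mode transport'")
    # The tunnel address lives inside the encrypted overlay; never NAT it.
    addr = first(t, "ip address")
    tun_ip = addr.split()[0] if addr else None
    for g in s[""]:
        if g.startswith("ip nat inside source static") and tun_ip in g.split():
            out.append(f"static NAT of tunnel address {tun_ip}")
    if role == "spoke":
        if first(t, "ip nhrp nhs") is None:
            out.append("spoke has no 'ip nhrp nhs'")
    else:  # hub: every spoke shares one mGRE interface, so EIGRP needs these off
        for asn in (k.split()[-1] for k in s if k.startswith("router eigrp")):
            for cmd in ("split-horizon", "next-hop-self"):
                if f"no ip {cmd} eigrp {asn}" not in t:
                    out.append(f"hub tunnel keeps ip {cmd} eigrp {asn}")
    return out
```

`check_dmvpn(SPOKE_BEFORE, "spoke")` reports the two findings from the thread (the tunnel NAT and the missing NHS); with those fixed it returns an empty list.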
 