Monday, August 10, 2020

DMVPN NOT WORKING

Hello,

I am trying to create a DMVPN tunnel between a hub and a spoke; however, I am having issues.

HUB -> CISCO ASA -> INTERNET CLOUD -> SPOKE

I have referred to the document below and followed it line by line for the "BGP on the WAN" option:

https://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/Sep2017/CVD-IWANDeployment-SEP17.pdf

FOR THE HUB:

vrf definition IWAN-TRANSPORT-1
 !
 address-family ipv4
 exit-address-family
!
ip multicast-routing distributed
!
crypto ikev2 proposal AES/GCM/256
 encryption aes-gcm-256
 prf sha512
 group 19
!
crypto ikev2 policy AES/GCM/256
 match fvrf any
 proposal AES/GCM/256
!
crypto ikev2 keyring DMVPN-KEYRING
 peer ANY
  address 0.0.0.0 0.0.0.0
  pre-shared-key 1234
!
crypto ikev2 profile DMVPN-IKEv2-PROFILE
 description PSK Profile
 match fvrf any
 match identity remote address 0.0.0.0
 identity local address 10.6.32.2
 authentication remote pre-share
 authentication local pre-share
 keyring local DMVPN-KEYRING
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 14
crypto isakmp key 1234 address 0.0.0.0
!
crypto ipsec security-association replay window-size 1024
!
crypto ipsec transform-set AES256/GCM/TRANSFORM esp-gcm 256
 mode transport
!
crypto ipsec profile DMVPN-IPSEC-PROFILE
 set transform-set AES256/GCM/TRANSFORM
 set ikev2-profile DMVPN-IKEv2-PROFILE
!
interface Loopback0
 ip address 10.6.32.2 255.255.255.255
 ip pim sparse-mode
!
interface Tunnel10
 ip address 10.6.34.1 255.255.254.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication 1111
 ip nhrp network-id 1100
 ip nhrp server-only
 ip nhrp redirect
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0/1
 tunnel mode gre multipoint
 tunnel key 1111
 tunnel vrf IWAN-TRANSPORT-1
 tunnel protection ipsec profile DMVPN-IPSEC-PROFILE
 hold-queue 4096 in
 hold-queue 4096 out
!
interface GigabitEthernet0/0/1
 vrf forwarding IWAN-TRANSPORT-1
 ip address 192.168.146.10 255.255.255.0
 speed 1000
 no negotiation auto
 cdp enable
 hold-queue 4096 in
 hold-queue 4096 out
!
router ospf 100
 router-id 10.6.32.2
 redistribute bgp 65100 subnets route-map REDIST-BGP-TO-OSPF
 passive-interface default
 no passive-interface Port-channel1
 network 10.6.32.2 0.0.0.0 area 0
 network 10.6.0.0 0.1.255.255 area 0
 network 192.168.20.0 0.0.0.255 area 0
!
router bgp 65100
 bgp router-id 10.6.32.241
 bgp log-neighbor-changes
 bgp listen range 10.6.34.0/23 peer-group INET1-SPOKES
 neighbor INET1-SPOKES peer-group
 neighbor INET1-SPOKES remote-as 65100
 neighbor INET1-SPOKES description INET1 Spoke Route Reflector
 neighbor INET1-SPOKES update-source Tunnel100
 neighbor INET1-SPOKES timers 20 60
 !
 address-family ipv4
  bgp redistribute-internal
  network 0.0.0.0
  network 10.4.0.0 mask 255.252.0.0
  network 10.4.0.0 mask 255.255.0.0
  network 10.6.0.0 mask 255.255.0.0
  network 10.6.32.251 mask 255.255.255.255
  neighbor INET1-SPOKES activate
  neighbor INET1-SPOKES route-reflector-client
  neighbor INET1-SPOKES next-hop-self all
  neighbor INET1-SPOKES weight 50000
  neighbor INET1-SPOKES soft-reconfiguration inbound
  neighbor INET1-SPOKES route-map INET1-IN in
  neighbor INET1-SPOKES route-map INET1-OUT out
  distance bgp 201 19 200
 exit-address-family
!
ip default-gateway 192.168.146.1
ip forward-protocol nd
no ip http server
ip http authentication local
ip http secure-server
ip http client source-interface GigabitEthernet0/0/3
ip tftp source-interface GigabitEthernet0/0/1
ip route 10.4.0.0 255.252.0.0 Null0 254
ip route 10.4.0.0 255.255.0.0 Null0 254
ip route 10.6.0.0 255.255.0.0 Null0 254
ip route 192.168.0.0 255.255.248.0 Null0 254
ip route vrf WAN-TRANSPORT-1 0.0.0.0 0.0.0.0 192.168.146.1
ip pim autorp listener
ip pim register-source Loopback0
!
ip prefix-list DEFAULT-ROUTE seq 10 permit 0.0.0.0/0
!
ip prefix-list ENTERPRISE-PREFIX seq 10 permit 10.4.0.0/14
!
ip prefix-list LOCALDC-PREFIX seq 10 permit 10.4.0.0/16
ip prefix-list LOCALDC-PREFIX seq 20 permit 10.6.0.0/16
!
ip prefix-list LOCALMCLOOPBACK seq 10 permit 10.6.32.251/32
!
ip prefix-list TUNNEL-DMVPN seq 10 permit 10.6.36.0/23
access-list 101 permit udp any any eq domain
access-list 101 permit udp any eq domain any
!
route-map INET1-IN deny 10
 description All Blocked Prefixes to come IN on BGP
 match ip address prefix-list DEFAULT-ROUTE ENTERPRISE-PREFIX LOCALDC-PREFIX LOCALMCLOOPBACK TUNNEL-DMVPN
!
route-map INET1-IN permit 1000
 description Allow Everything Else
!
route-map INET1-OUT permit 10
 description All Allowed Prefixes to Go OUT on BGP to Spokes
 match ip address prefix-list DEFAULT-ROUTE ENTERPRISE-PREFIX LOCALDC-PREFIX LOCALMCLOOPBACK
!
route-map REDIST-BGP-TO-OSPF deny 20
 description Block Null routes to be distributed from BGP to OSPF
 match ip address prefix-list DEFAULT-ROUTE ENTERPRISE-PREFIX LOCALDC-PREFIX
!
route-map REDIST-BGP-TO-OSPF permit 1000
 description Set metric on all routes
 set metric 1000
 set metric-type type-1
!

TROUBLESHOOTING:

#sh crypto ipsec sa
# (blank, nothing)

#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        T1 - Route Installed, T2 - Nexthop-override
        C - CTS Capable, I2 - Temporary
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel

SPOKE:

!
vrf definition DMVPN-TRANSPORT-1
 !
 address-family ipv4
 exit-address-family
!
crypto ikev2 proposal AES/GCM/256
 encryption aes-gcm-256
 prf sha512
 group 19
!
crypto ikev2 policy AES/GCM/256
 match fvrf any
 proposal AES/GCM/256
!
crypto ikev2 keyring DMVPN-KEYRING
 peer ANY
  address 0.0.0.0 0.0.0.0
  pre-shared-key 1234
 !
!
crypto ikev2 profile DMVPN-IKEv2-PROFILE
 description PSK Profile
 match fvrf any
 match identity remote address 0.0.0.0
 identity local address 10.6.36.11
 authentication remote pre-share
 authentication local pre-share
 keyring local DMVPN-KEYRING
 dpd 40 5 on-demand
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 14
crypto isakmp key 1234 address 0.0.0.0
!
crypto ipsec security-association replay window-size 1024
!
crypto ipsec transform-set AES256/GCM/TRANSFORM esp-gcm 256
 mode transport
!
crypto ipsec profile DMVPN-IPSEC-PROFILE
 set transform-set AES256/GCM/TRANSFORM
 set ikev2-profile DMVPN-IKEv2-PROFILE
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
 ip pim sparse-mode
 hold-queue 1024 in
 hold-queue 1024 out
!
interface Tunnel100
 description DMVPN
 ip address 10.6.36.11 255.255.254.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication 1234
 ip nhrp network-id 1100
 ip nhrp nhs 10.6.34.1 nbma 172.168.1.1 multicast
 ip tcp adjust-mss 1360
 delay 1000
 if-state nhrp
 tunnel source GigabitEthernet0/0/0
 tunnel mode gre multipoint
 tunnel key 1324
 tunnel vrf DMVPN
 tunnel protection ipsec profile DMVPN-IPSEC-PROFILE
!
interface GigabitEthernet0/0/0
 description DMVPN
 vrf forwarding DMVPN
 ip address 172.168.2.1 255.255.255.0
 ip access-group ACL-INET-PUBLIC in
 negotiation auto
!
interface GigabitEthernet0/0/1
 description sw
 ip address 192.168.1.1 255.255.255.0
 ip access-group NOSPOOF in
 negotiation auto
!
!
 af-interface Tunnel100
  summary-address 10.7.0.0 255.255.248.0
  authentication mode md5
  authentication key-chain WAN-KEY
  hello-interval 20
  hold-time 60
  no passive-interface
  stub-site wan-interface
 exit-af-interface
 !
 topology base
  distribute-list route-map BLOCK_TUNNEL_ROUTES out Tunnel100
 exit-af-topology
 network 10.6.34.0 0.0.1.255
 network 10.7.0.0 0.0.255.255
 network 10.255.0.0 0.0.255.255
 eigrp router-id 10.255.241.11
 eigrp stub-site 200:11
 exit-address-family
!
router ospf 100
 router-id 1.1.1.1
 redistribute bgp 65100 subnets route-map REDIST-BGP-TO-OSPF
 network 192.168.22.0 0.0.0.255 area 0
 default-information originate
!
router bgp 65100
 bgp router-id 1.1.1.1
 bgp log-neighbor-changes
 neighbor INET1-HUB peer-group
 neighbor INET1-HUB remote-as 65100
 neighbor INET1-HUB description To IWAN INET1 Hub Router
 neighbor INET1-HUB update-source Tunnel100
 neighbor INET1-HUB timers 20 60
 neighbor 10.6.36.1 peer-group INET1-HUB
 !
 address-family ipv4
  neighbor INET1-HUB next-hop-self all
  neighbor INET1-HUB weight 50000
  neighbor INET1-HUB soft-reconfiguration inbound
  neighbor INET1-HUB route-map SPOKE-OUT out
  neighbor 10.6.34.1 activate
 exit-address-family
!
ip route 0.0.0.0 0.0.0.0 172.168.2.2
ip route vrf DMVPN 0.0.0.0 0.0.0.0 172.168.2.2
!
ip prefix-list TUNNEL-ROUTES seq 10 permit 10.6.34.0/23
ip access-list extended ACL-INET-PUBLIC
 permit tcp any any eq 22
 permit udp any any eq non500-isakmp
 permit udp any any eq isakmp
 permit esp any any
 permit udp any any eq bootpc
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any ttl-exceeded
 permit icmp any any port-unreachable
 permit udp any any gt 1023 ttl eq 1
 permit ip any any
ip access-list extended NOSPOOF
 permit icmp any any
 permit ip any any
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 110 permit icmp host 0.0.0.0 host 0.0.0.0
access-list 110 permit icmp host 0.0.0.0 any echo-reply
access-list 110 permit icmp host 0.0.0.0 any echo
access-list 110 permit ip any any
!
route-map BLOCK_TUNNEL_ROUTES deny 10
 description Block the tunnel routes
 match ip address prefix-list TUNNEL-ROUTES
route-map BLOCK_TUNNEL_ROUTES permit 20
 description Permit the rest of the routes
route-map REDIST-BGP-TO-OSPF deny 10
 description Do not redistribute LOCAL SUBNETS into OSPF
 match ip address prefix-list LOCAL-SUBNETS
route-map REDIST-BGP-TO-OSPF permit 20
 description Identify routes redistributed from BGP
 set tag 1

SPOKE SIDE:

#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        T1 - Route Installed, T2 - Nexthop-override
        C - CTS Capable, I2 - Temporary
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel

Interface: Tunnel10, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 172.168.3.1           10.6.34.1   IKE    1d17h     S

#sh crypto ipsec sa

interface: Tunne
    Crypto map tag: Tunnel100-head-0, local addr 172.168.2.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.168.2.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (172.168.3.1/255.255.255.255/47/0)
   current_peer 172.168.3.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 8195, #recv errors 0

     local crypto endpt.: 172.168.2.1, remote crypto endpt.: 172.168.3.1
     plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/0
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status

IPv6 Crypto ISAKMP SA

spoke side:
Tunnel10    10.6.34.2    YES NVRAM    up    down

hub side:
Tunnel100   10.6.34.1    YES manual   up    up
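Before touching the crypto, a practitioner would diff the two ends mechanically for the values that must agree, and read the show output for what phase actually failed. The Python below is an added example, not code from the post or from Cisco. `HUB_CFG` and `SPOKE_CFG` are trimmed copies of the configs above (constructed sample input, reduced to the lines the checks read), `SPOKE_SHOW` is the spoke's `show dmvpn` and `show crypto ipsec sa` output cut down the same way, and the finding codes (`TUNNEL_KEY`, `FVRF_NO_DEFAULT`, and so on) are names chosen here. Against the posted configs it reports: tunnel key 1111 vs 1324, NHRP authentication 1111 vs 1234, tunnel addresses on different /23s (10.6.34.0/23 vs 10.6.36.0/23), the hub's `ip route vrf WAN-TRANSPORT-1` not matching `tunnel vrf IWAN-TRANSPORT-1` (so the hub's front-door VRF has only its connected route and cannot reach the spoke's NBMA address), and a BGP `update-source Tunnel100` on a hub whose tunnel is Tunnel10. The triage half reads the spoke's NHS row sitting in state IKE with zero encaps and a zero outbound SPI as "IKE never completed", and notes that the peer NBMA in the output (172.168.3.1) is not the NBMA configured under `ip nhrp nhs` (172.168.1.1).

```python
"""Cross-check the settings a DMVPN hub and spoke must agree on, then triage
the spoke's show output. Added example, not code from the post. HUB_CFG and
SPOKE_CFG are constructed, trimmed copies of the post's configs; SPOKE_SHOW is
the post's spoke output cut down to the lines the triage reads."""
import ipaddress
import re

HUB_CFG = """\
interface Tunnel10
 ip address 10.6.34.1 255.255.254.0
 ip nhrp authentication 1111
 ip nhrp network-id 1100
 tunnel key 1111
 tunnel vrf IWAN-TRANSPORT-1
router bgp 65100
 neighbor INET1-SPOKES update-source Tunnel100
ip route vrf WAN-TRANSPORT-1 0.0.0.0 0.0.0.0 192.168.146.1
"""
SPOKE_CFG = """\
interface Tunnel100
 ip address 10.6.36.11 255.255.254.0
 ip nhrp authentication 1234
 ip nhrp network-id 1100
 ip nhrp nhs 10.6.34.1 nbma 172.168.1.1 multicast
 tunnel key 1324
 tunnel vrf DMVPN
ip route vrf DMVPN 0.0.0.0 0.0.0.0 172.168.2.2
"""
SPOKE_SHOW = """\
    1 172.168.3.1          10.6.34.1    IKE     1d17h     S
   #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
   #send errors 8195, #recv errors 0
   current outbound spi: 0x0(0)
"""

def parse_ios(cfg):
    """Map each top-level IOS command to the list of its indented sub-commands."""
    sections, current = {}, None
    for line in cfg.splitlines():
        if line.startswith(" "):
            sections[current].append(line.strip())
        elif line.strip() and not line.startswith("!"):
            current = line.strip()
            sections.setdefault(current, [])
    return sections

def cmd(lines, prefix):
    """Arguments of the first sub-command that starts with prefix, else None."""
    return next((l[len(prefix):].strip() for l in lines if l.startswith(prefix)), None)

def tunnel_profile(sections):
    """DMVPN-relevant settings of the first Tunnel interface in the config."""
    name = next(k for k in sections if k.startswith("interface Tunnel"))
    lines = sections[name]
    nhs = (cmd(lines, "ip nhrp nhs") or "").split()  # "<nhs-ip> nbma <nbma-ip> ..."
    return {"name": name.split()[1],
            "ip": ipaddress.ip_interface("/".join(cmd(lines, "ip address").split())),
            "auth": cmd(lines, "ip nhrp authentication"),
            "netid": cmd(lines, "ip nhrp network-id"),
            "key": cmd(lines, "tunnel key"), "vrf": cmd(lines, "tunnel vrf"),
            "nhs": nhs[0] if nhs else None, "nhs_nbma": nhs[2] if len(nhs) > 2 else None}

def check_pair(hub_cfg, spoke_cfg):
    """(code, detail) findings: values that differ between the ends, a front-door VRF
    with no default route (IKE has no path to the peer), and a BGP update-source
    that is not the tunnel interface."""
    hs, ss = parse_ios(hub_cfg), parse_ios(spoke_cfg)
    hub, spk = tunnel_profile(hs), tunnel_profile(ss)
    f = []
    for field, code in (("key", "TUNNEL_KEY"), ("auth", "NHRP_AUTH"), ("netid", "NHRP_NETID")):
        if hub[field] != spk[field]:
            f.append((code, f"hub {hub[field]} vs spoke {spk[field]}"))
    if hub["ip"].network != spk["ip"].network:
        f.append(("TUNNEL_SUBNET", f"hub {hub['ip']} vs spoke {spk['ip']}"))
    if spk["nhs"] != str(hub["ip"].ip):
        f.append(("NHS_ADDR", f"spoke nhs {spk['nhs']} vs hub tunnel {hub['ip'].ip}"))
    for side, s, t in (("hub", hs, hub), ("spoke", ss, spk)):
        if not any(k.startswith(f"ip route vrf {t['vrf']} 0.0.0.0 0.0.0.0") for k in s):
            f.append(("FVRF_NO_DEFAULT", f"{side} has no default route in vrf {t['vrf']}"))
    hub_bgp = " ".join(next((v for k, v in hs.items() if k.startswith("router bgp")), []))
    m = re.search(r"update-source (\S+)", hub_bgp)
    if m and m.group(1) != hub["name"]:
        f.append(("BGP_UPDATE_SOURCE", f"hub uses {m.group(1)} but the tunnel is {hub['name']}"))
    return f

def triage_spoke_show(show, expected_nbma=None):
    """An NHS stuck in state IKE with zero encaps and a zero outbound SPI means IKE
    never completed: look at NBMA reachability, PSK and identity, not the data plane."""
    row = re.search(r"^\s*\d+\s+(\S+)\s+(\S+)\s+(\S+)\s", show, re.M)
    peer_nbma, peer_tunnel, state = row.groups()
    encaps = int(re.search(r"#pkts encaps: (\d+)", show).group(1))
    spi_zero = "current outbound spi: 0x0(0)" in show
    verdict = "IKE_NEVER_ESTABLISHED" if state == "IKE" and encaps == 0 and spi_zero else state
    return {"peer_nbma": peer_nbma, "peer_tunnel": peer_tunnel, "state": state, "verdict": verdict,
            "nbma_matches_config": expected_nbma in (None, peer_nbma)}

if __name__ == "__main__":
    print(*check_pair(HUB_CFG, SPOKE_CFG), sep="\n")
    print(triage_spoke_show(SPOKE_SHOW, tunnel_profile(parse_ios(SPOKE_CFG))["nhs_nbma"]))
```

Run it as-is to see the findings for the posted pair; paste real `show running-config` output into the two constants to check a live pair (the parser only needs IOS's one-space indentation of sub-commands). The checker deliberately stops at the tunnel, VRF and BGP layer: once an NHS leaves state IKE, `show crypto ikev2 sa` and `show crypto ipsec sa` are the next stop. It also does not inspect the keyring; both ends in the post accept any peer (`address 0.0.0.0 0.0.0.0`, `match identity remote address 0.0.0.0`) with the PSK `1234`, so anyone who learns that key can authenticate to the hub, and it should be replaced with a strong per-spoke key before this goes anywhere near production.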


