Recap of my journey CCIE Security

I know most of you have heard already, but if not, I passed the CCIE Security exam in RTP on March 13th, 2009. I wanted to take a moment to recap my journey.

I have been a Cisco Instructor for 8 years now. I have been teaching the CCSP track since its inception, and taught various courses of the CSS-1 prior to that. Although I was a CCSP, I didn’t take the CCIE Security Written exam until March 21, 2007. I passed with an 85 on my first attempt. I used the CCBootcamp written exam guide to prepare for that, along with my existing knowledge as a CCSP/Instructor.

Studying for the lab is a whole new ball game. It’s weird because there is a total difference between knowing the book material that Cisco tests you on for the Professional level certifications, and being able to teach it, and knowing the material that is on the CCIE lab exam and being able to implement it. Don’t get me wrong, I knew the material, and the concept of why things were happening was easy to me. What was difficult is putting it all together. When you teach an ASA class, IPS class, or any other security class for that matter, it doesn’t cover how all these things work together. That’s where the CCIE will get you!

Anyhow, I know people are wondering what material I used in preparing for the lab exam. I made a video to show you, mainly because I think the spread of material is impressive. Please do not get mad at me for killing a tree. In the future I’ll use PDFs. Also, forgive me for the quality of the video. I am too cheap to buy an HD camera. I made the video at 6 am so don’t expect much.

So, assuming you watched that video and know what I used to prepare, I’ll give you the run down of the lab.

First time was in San Jose. I was overwhelmed. I had a decent understanding but no strategy. I ran out of time and had maybe 50 points.

Second time was in San Jose as well. It went better than the first but still there were some grey areas for me, and even though I took the InternetworkExpert Online Bootcamp and used Brian’s strategy, I still was missing something.

The third and final attempt was in RTP, North Carolina. There is no particular reason I switched to RTP. It’s not closer to me by any means. I live in Seattle. But I wanted something fresh. I stayed at the Wingate hotel which was great. The bed was comfortable and the rate was fair. I flew in the night before the exam. I arrived at the hotel at 9pm, took half of a sleeping pill (Melatonin) and crashed. I woke up refreshed and ready to go.

The hotel had a continental breakfast and I didn’t eat much but forced myself to eat a little. I stopped at Starbucks on the way, and headed over to the Cisco office. Now when you get there you should know that the building will remain dark until right around 7am. There is nobody there to meet you in the lobby. Someone from Cisco was taking the lab as well and they let me in the lobby using their badge. At about 7:10 the proctor came out. He was very nice and much more chatty than Tom (nice guy) in San Jose.

We were led back to the room and from there it’s your standard lab exam stuff. We broke at about 11 for lunch. I say about 11 because they cater in lunch and there wasn’t a set time. You still only get 30 minutes for lunch. I ate a bit and tried to work out some issues in my head.

I finished about 45 minutes early but left 15 minutes before the Proctor called it a day. That includes my clean up and so on. I didn’t use the last 45 minutes to do any extra verifications because I didn’t want to break anything. Then I went to dinner at the Angus Barn. I had Alaskan King Crab Claws, a 24oz New York Strip and an Oatmeal Stout. Pass or fail I was going to enjoy that meal.

The wait was excruciating. I didn’t get my results until about 8:30 on Sunday night, so if you are planning on taking the lab on Friday you should be aware of that.

Now that it’s over I am enjoying the fact that I don’t have a deadline staring me in the face, but I still love the technology and want to learn more. I think the next track that I am going to pursue is the CCIE Voice, but I have the CCVP in between that I have to get up to Instructor level on. I already have the IPexpert CCIE Voice BLS and plan on renting from Proctor Labs.

The big kicker for me was the bootcamp at IPexpert and the labs I did after that. Without the information I gained from IPexpert’s Jared Scrivener, I don’t think I would have passed. I’m not going to give away all of his tricks because that’s what he gets paid to do. But seriously, Jared, you are the man!

Also I can’t say enough about the support that I received from Ted Wagner at Ascolta. He really stood behind me even though there were other things he probably wanted me working on.

Wayne Lawson at IPexpert was another key player in my success along with Matt Brooks, Neil Apolzan, and Drew LaPla.

I can’t forget to mention Mike Down. Before Mike started pinging me online I only owned the IPexpert Volume 4.1 and the Proctor Guide, and I wasn’t really looking at using IPexpert.

One last person I have to mention is my wife. She was patient with me even though the family would take a hit from time to time while I was studying. The CCIE is not easy on a family but the accomplishment and the job security afterwards was the payoff I was looking for. I think I got it. Time will tell. At least I have her if the other stuff doesn’t pan out.

That’s about it for this rant. I’m going to keep blogging about topics that come up in my classes as well as through the contact form. When I start to study for the Voice IE I’ll try to blog it all here as well. In the meantime I am going to spend some time posting on Network World for the CCNA Wireless candidates and catching up on my sleep/socializing/theocratic activities/yard work/home improvement projects/reading/DVR/family videos/family photos/email/projects at work/fitness/weight loss/rss feeds/staring into space/day dreaming/playing darts with tyrel/texting my daughter/emailing my mom/calling my grandma/netflix/and enjoying whatever comes my way.

VPN3k CLI only

Posted December 18th, 2008 by bcarroll and filed in CCIE Security, IE Labs, Studies In VPN

It is possible to configure an L2L session on a VPN3k using the CLI only. It is a completely different configuration. Here is the summation of it:

  1. Create an SA
  2. Create inbound and outbound rules for the hosts to be encrypted.
  3. Apply the rules to the public filter with the action of “Apply IPSec” and attach the Security Association.
  4. Create a group with the preshared key.
  5. Set it to type L2L.

Now it seems like a short list but jumping around in the CLI menus makes it tough.

TIP:

When you are looking at the public filter you want to see the IPSec rules applied with the Security Association attached.

[Picture 1]

Per-Flow Policing on ASA VPN

Posted December 16th, 2008 by bcarroll and filed in CCIE Security, IE Labs, SNAF, SNPA

Tonight I worked on the ASA per-flow policing.  The configuration is fairly straightforward.  After ensuring that the VPN works, create a class-map to match the tunnel-group and the destination-address like so:

class-map vpn_data
match flow ip destination-address
match tunnel-group ezvpn

Next create the policy map to police based on the class we just created:

policy-map outside
class vpn_voice
priority
class vpn_data
police output 256000
class class-default
police output 2000000

Finally activate it on the interface:

service-policy outside interface outside

So while that is pretty simple I did come across a gotcha.  In the IE lab workbook volume 1 it has you create a class-map for vpn_voice, match dscp=ef and the same tunnel-group.  It then wants to apply priority queueing to it.  Here is where it could cause some issues.  When you apply the policy-map to the interface with the priority command configured for a class, it gives you a really nice error:

asa1(config-pmap-c)# service-policy outside int outside
ERROR: Class vpn_voice has 'priority' set
without 'priority-queue' in any interface

A quick show service-policy indicates that it was not actually enabled:

asa1(config)# sh service-policy

Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: dns preset_dns_map, packet 0, drop 0, reset-drop 0
Inspect: ftp, packet 0, drop 0, reset-drop 0
Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0
Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0
Inspect: netbios, packet 0, drop 0, reset-drop 0
Inspect: rsh, packet 0, drop 0, reset-drop 0
Inspect: rtsp, packet 0, drop 0, reset-drop 0
Inspect: skinny, packet 0, drop 0, reset-drop 0
Inspect: esmtp _default_esmtp_map, packet 0, drop 0, reset-drop 0
Inspect: sqlnet, packet 0, drop 0, reset-drop 0
Inspect: sunrpc, packet 0, drop 0, reset-drop 0
Inspect: tftp, packet 0, drop 0, reset-drop 0
Inspect: sip, packet 0, drop 0, reset-drop 0
Inspect: xdmcp, packet 0, drop 0, reset-drop 0

So watch out!

TIP:

If you are telling a class that it should priority queue packets, you need to enable the priority queue on that interface:

asa1(config-if)# priority-queue outside
asa1(config-priority-queue)#
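As an added example (not code from the original post), here is a small Python lint for the gotcha above: it walks running-config style text, finds every policy-map applied with "service-policy ... interface", and flags any class in it that uses priority on an interface with no priority-queue line. The sample config is constructed from the commands shown in this post; the parser only understands the handful of MPF keywords it needs.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class MpfConfig:
    # policy-map name -> {class name: [action lines]}
    policy_classes: dict[str, dict[str, list[str]]] = field(default_factory=dict)
    # interface name -> policy-map applied with "service-policy <pmap> interface <if>"
    service_policy: dict[str, str] = field(default_factory=dict)
    # interfaces that have "priority-queue <if>" configured
    priority_queue: set[str] = field(default_factory=set)


def parse_mpf(text: str) -> MpfConfig:
    """Pick out only the MPF pieces needed for the priority-queue check."""
    cfg = MpfConfig()
    pmap = cls = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        w = line.split()
        if w[0] == "policy-map":
            if len(w) > 1 and w[1] == "type":      # policy-map type inspect ... (ignored)
                pmap = cls = None
            else:
                pmap, cls = w[1], None
                cfg.policy_classes.setdefault(pmap, {})
        elif w[0] == "class" and pmap is not None and len(w) > 1:
            cls = w[1]
            cfg.policy_classes[pmap].setdefault(cls, [])
        elif w[0] == "service-policy":
            if len(w) >= 4 and w[2] == "interface":
                cfg.service_policy[w[3]] = w[1]
            pmap = cls = None                      # "... global" form is not checked
        elif w[0] == "priority-queue" and len(w) > 1:
            cfg.priority_queue.add(w[1])
            pmap = cls = None
        elif w[0] in ("class-map", "interface", "tunnel-group", "group-policy"):
            pmap = cls = None                      # left the policy-map block
        elif pmap is not None and cls is not None:
            cfg.policy_classes[pmap][cls].append(line)   # action under a class
    return cfg


def lint_priority_queue(text: str) -> list[str]:
    """Return one message per class that has 'priority' without a priority-queue."""
    cfg = parse_mpf(text)
    problems = []
    for ifname, pmap in cfg.service_policy.items():
        for cls, actions in cfg.policy_classes.get(pmap, {}).items():
            uses_priority = any(a.split()[0] == "priority" for a in actions)
            if uses_priority and ifname not in cfg.priority_queue:
                problems.append(
                    f"class {cls} in policy-map {pmap} has 'priority' but "
                    f"interface {ifname} has no 'priority-queue {ifname}'")
    return problems


# Constructed sample, built from the commands in the post (class-map
# vpn_voice/vpn_data, policy-map outside, service-policy on 'outside').
BROKEN_CONFIG = """\
class-map vpn_voice
 match dscp ef
 match tunnel-group ezvpn
class-map vpn_data
 match flow ip destination-address
 match tunnel-group ezvpn
!
policy-map outside
 class vpn_voice
  priority
 class vpn_data
  police output 256000
 class class-default
  police output 2000000
!
service-policy outside interface outside
"""
# Same config with the fix from the TIP applied.
FIXED_CONFIG = BROKEN_CONFIG + "priority-queue outside\n"

if __name__ == "__main__":
    for name, cfg_text in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, lint_priority_queue(cfg_text) or "OK")
```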

IE ASA and SSL VPN woes

Posted December 10th, 2008 by bcarroll and filed in IE Labs

Has anyone done IE volume 1 page 532? It’s ASA SSL VPN with the SVC. I have used sslclient-win-1.0.0.179.pkg, sslclient-win-1.0.2.127.pkg, and sslclient-win-1.1.3.173.pkg and each of them fails. Using 1.0.0.179 the browser dies when it tries to download. Using the other two I just get an error pop-up that it failed. See the image below. Any ideas why? Is it a browser setting? Is it something with a Windows update? It’s really getting on my nerves. I’ve used scrack1 and now scrack6.

[Picture 17.jpg]

[Picture 23.jpg]

Anyhow, I guess everyone knows what I am working on right now. I can tell you this, the anyconnect client works much better!

InternetworkExpert Volume 1 IPsec RA troubles

Posted December 1st, 2008 by bcarroll and filed in CCIE Security, IE Labs

Spinning my wheels for two lab sessions with this now.  The first time I labbed this it worked.  The next two times it bombs.  Don’t know what I’m doing wrong.  Here is the config:

asa1(config-username)# sh run
: Saved
:
ASA Version 7.2(2)
!
hostname asa1
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 136.1.123.12 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 136.1.121.12 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list split_tunnel standard permit 136.1.121.0 255.255.255.0
access-list OUTSIDE_IN extended permit udp any any eq isakmp
access-list OUTSIDE_IN extended permit udp any any eq 4500
access-list OUTSIDE_IN extended permit esp any any
pager lines 24
logging enable
logging console debugging
mtu outside 1500
mtu inside 1500
ip local pool mypool 20.0.0.1-20.0.0.254
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
access-group OUTSIDE_IN in interface outside
!
router rip
network 136.1.0.0
redistribute static metric 1
version 2
no auto-summary
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server aaa protocol radius
aaa-server aaa (outside) host 10.0.0.100
key CISCO
radius-common-pw CISCO
group-policy ezvpn external server-group aaa password CISCO
username bcarroll password 8QAYyQeRI6l.X61w encrypted
username bcarroll attributes
vpn-group-policy ezvpn
username cisoc password Bn4.yL6RmqN0ezJL encrypted
username cisco password aKPiPFm6dYuj.C5/ encrypted
username cisco attributes
vpn-group-policy ezvpn
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set 3des_md5 esp-3des esp-md5-hmac
crypto dynamic-map dynamic 10 set transform-set 3des_md5
crypto dynamic-map dynamic 10 set reverse-route
crypto map vpn 10 ipsec-isakmp dynamic dynamic
crypto map vpn interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group ezvpn type ipsec-ra
tunnel-group ezvpn general-attributes
address-pool mypool
default-group-policy ezvpn
tunnel-group ezvpn ipsec-attributes
pre-shared-key *
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:9b2252bb685ae17c9b748c4034fbede9
: end
%ASA-7-111009: User 'enable_15' executed cmd: show running-config
asa1(config-username)#

Here is the error:

%ASA-7-715047: Group = ezvpn, Username = bcarroll, IP = 136.1.100.200, processing notify payload
%Dec 02 06:26:33 [IKEAv1]: Group = ezvpn, Username = bcarroll, IP = 136.1.100.200S, Removing peer from peer table failed, no match!

Here is the ACS server; the group authenticates fine according to the passed authentication logs:

Anyone see what I am doing wrong?  Thanks in advance to anyone that throws their thoughts in.

Found: Pot of Gold for IE Workbook users.

Posted November 4th, 2008 by bcarroll and filed in CCIE Security, IE Information, IE Labs

Tonight I was sitting here wishing I had booked a session so I could run through some labs. Since I couldn’t get a session at IE or IPexperts PL I decided to look at the resources on the two vendor web sites. Anyhow, on the IE web site I found something that I have always wondered about but nobody had ever told me about.

So, What is it?

The Answer: Recommended Reading. You may be wondering why this is such a big deal to me. Well if you have the IE workbooks you will find a box at the end of each lab that says “Further Reading.” Up until now I thought that these were just search terms for the Cisco Web site. Wrong!

Check out this link for the list.

Here is the CCIE Security Vol 1 list and here is the CCIE Security Vol2 list.

Now compare to the Further readings listed at the end of each lab. SWEET!

Now enough blogging, I have some further reading to do.

Thanks IE!

Studies in VPN: Part 3

Posted October 24th, 2008 by bcarroll and filed in CCIE Security, IE Labs, Studies In VPN

IOS LAN-to-LAN with PSK through an ASA.
***The Catch: NAT configured and dynamic crypto maps configured.

[Picture 8]


I ran into an interesting situation:

r1#sh cry map
Crypto Map "vpn" 10 ipsec-isakmp
	Peer = 136.5.122.2
	Extended IP access list r1tor2
	    access-list r1tor2 permit ip 150.1.1.0 0.0.0.255 150.2.2.0 0.0.0.255
	Current peer: 136.5.122.2
	Security association lifetime: 4608000 kilobytes/3600 seconds
	PFS (Y/N): N
	Transform sets={
		3des-esp,
	}
	Interfaces using crypto map vpn:
		FastEthernet0/0

Pings fail:

r1#ping 150.2.2.2 source l0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 150.1.1.1
.....
Success rate is 0 percent (0/5)

But it looks like it’s working based on the stats:

local  ident (addr/mask/prot/port): (150.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (150.2.2.0/255.255.255.0/0/0)
   current_peer: 136.5.122.2:4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 29, #pkts encrypt: 29, #pkts digest 29
    #pkts decaps: 19, #pkts decrypt: 19, #pkts verify 19
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 136.5.121.1, remote crypto endpt.: 136.5.122.2
     path mtu 1500, media mtu 1500
     current outbound spi: 674293ED

     inbound esp sas:
      spi: 0xBD012AAD(3170970285)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        slot: 0, conn id: 2000, flow_id: 1, crypto map: vpn
        sa timing: remaining key lifetime (k/sec): (4590553/3219)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x674293ED(1732416493)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        slot: 0, conn id: 2001, flow_id: 2, crypto map: vpn
        sa timing: remaining key lifetime (k/sec): (4590551/3219)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:

r1#

A little tweaking on the ASA, clear the ASA and try again:

r1#clear cry sa
r1#
r1#
r1#sh cry isa sa
dst             src             state          conn-id slot
136.5.122.2     136.5.121.1     MM_NO_STATE          1    0 (deleted)

r1#ping 150.2.2.2 source l0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 150.1.1.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 8/9/12 ms
r1#sh cry isa sa
dst             src             state          conn-id slot
136.5.122.2     136.5.121.1     QM_IDLE              2    0
136.5.122.2     136.5.121.1     MM_NO_STATE          1    0 (deleted)

r1#

So what was the problem? Access-list on the ACL didn’t allow NAT-T.

On another note the interesting thing about this configuration is that you have to initiate the connection from the inside since R2 is using a dynamic crypto map.

Final Configs (zipped)

Studies in VPN: Part 2

Posted October 22nd, 2008 by bcarroll and filed in CCIE Security, IE Labs, Studies In VPN

IOS to IOS with PSK through an ASA without NAT

The topology:

[Picture 8]

Allow ESP and ISAKMP through the ASA:

ciscoasa(config-router)# conf t
ciscoasa(config)# access-l outside_in permit esp any any
ciscoasa(config)# access-l outside_in permit udp any any eq isakmp
ciscoasa(config)# access-g outside_in in int outside
ciscoasa(config)#
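The ACL above lets ESP and ISAKMP through, which is enough here because there is no NAT; in Part 3, where NAT is in the path, the same kind of ACL failed because udp/4500 (NAT-T) was missing. As an added example (not from the original posts), this Python check parses ASA access-list lines in the style shown in both posts and reports, first-match style with the implicit deny at the end, which of the three IPsec passthrough permits (udp/500, udp/4500, ESP) a named ACL lacks. It assumes any/any entries and ignores addresses; "access-l" is accepted as the console abbreviation.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"isakmp": "500"}   # ASA keyword -> port number (only the one needed here)
PROTO_NAMES = {"50": "esp"}      # protocol number -> keyword

# (label, protocol, destination port) that an IPsec peer behind the ASA needs
REQUIRED = [
    ("ISAKMP udp/500", "udp", "500"),
    ("NAT-T udp/4500", "udp", "4500"),
    ("ESP (ip proto 50)", "esp", None),
]


@dataclass
class AclEntry:
    name: str
    action: str             # permit | deny
    proto: str              # ip | udp | tcp | esp | ...
    port: Optional[str]     # destination port, None = any port

    def covers(self, proto: str, port: Optional[str]) -> bool:
        """Would this entry be the first match for traffic of proto/port?"""
        proto_ok = self.proto == "ip" or self.proto == proto
        port_ok = self.port is None or self.port == port
        return proto_ok and port_ok


def parse_acl(text: str) -> list[AclEntry]:
    entries = []
    for raw in text.splitlines():
        w = raw.split()
        # accept "access-list" or an abbreviation of it as typed on the console
        if len(w) < 5 or len(w[0]) < 6 or not "access-list".startswith(w[0]):
            continue
        name, rest = w[1], w[2:]
        if rest[0] in ("extended", "standard"):
            rest = rest[1:]
        if rest[0] not in ("permit", "deny"):
            continue            # remarks and other forms are not handled
        action, proto = rest[0], PROTO_NAMES.get(rest[1], rest[1])
        port = None
        if "eq" in rest:
            idx = max(i for i, tok in enumerate(rest) if tok == "eq")   # last 'eq' = dest port
            if idx + 1 < len(rest):
                port = PORT_NAMES.get(rest[idx + 1], rest[idx + 1])
        entries.append(AclEntry(name, action, proto, port))
    return entries


def ipsec_passthrough_gaps(acl_text: str, acl_name: str) -> list[str]:
    """Labels from REQUIRED that the named ACL does not permit (first match wins)."""
    entries = [e for e in parse_acl(acl_text) if e.name.lower() == acl_name.lower()]
    gaps = []
    for label, proto, port in REQUIRED:
        decision = "deny"                       # implicit deny at the end of an ASA ACL
        for e in entries:
            if e.covers(proto, port):
                decision = e.action
                break
        if decision != "permit":
            gaps.append(label)
    return gaps


# Constructed samples: the ACL from this post (no NAT-T) and the complete one
# from the IPsec RA post (isakmp, 4500 and esp).
PART2_ACL = """\
access-l outside_in permit esp any any
access-l outside_in permit udp any any eq isakmp
"""
FULL_ACL = """\
access-list OUTSIDE_IN extended permit udp any any eq isakmp
access-list OUTSIDE_IN extended permit udp any any eq 4500
access-list OUTSIDE_IN extended permit esp any any
"""

if __name__ == "__main__":
    print("outside_in missing:", ipsec_passthrough_gaps(PART2_ACL, "outside_in"))
    print("OUTSIDE_IN missing:", ipsec_passthrough_gaps(FULL_ACL, "OUTSIDE_IN"))
```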

Over on R2 I create a loopback to encrypt traffic to R1:

r2(config)#int lo0
r2(config-if)#ip add 150.1.2.2 255.255.255.0
r2(config-if)#

Next create an ISAKMP policy:

Vacation is over.

Posted October 19th, 2008 by bcarroll and filed in CCIE Security, IE Labs

Some of you know that I just went to San Jose for my second Security Lab attempt.  While I did better than the first attempt I will be taking it one more time.  Yes, one more time.  I know some areas that I really want to nail down.  I think that VPN is taking me too long.  It’s not that I can’t do it, it’s just that I should do it faster.

So here is the Game Plan:

On the right side of this blog I have placed a countdown timer to my third lab date.  This is the one I am going to pass. (It’s ok, I can delete this post if I fail again)

Between now and then I am resolved to go back through the Internetwork Expert Volume 1 Lab guide and do every VPN lab in it until I can see the configs in my sleep.  Then, I want to firm up the MPF on the PIX and ASA.  Mostly just the ones that use regex in them.  I want to be able to burn through those configs.  Finally, Network Attacks I think I should work on.  What I may end up doing between now and then is ALL of Volume 1 and Volume 2 again.

I am also scheduled for the ipexpert bootcamp.  If work doesn’t hassle me that should put me over the top.

There is however one little catch.  I have a CCNA Wireless Quick Reference Sheet due into Cisco Press by November 1st.  I better go wrap that up.

IE Vol 1 DMVPN w/ PSK- **Solved by PacketU**

Posted October 14th, 2008 by bcarroll and filed in CCIE Security, IE Labs

Today I am working on some specific areas that I feel I lack in. Right now I’m working on DMVPN using IE’s Volume 1 Workbook. I’ve done this lab before and had no issues. Right now R1 is the Hub (NHS) and R2 and R3 are both coming into R1 over a frame relay network. Here is the issue. R1 to R2: no problems. R1 to R3: the VPN is up but no EIGRP neighbor. Here are the configs. Anyone see what I am doing wrong?

r1#sh run
Building configuration...

Current configuration : 1857 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r1
!
logging queue-limit 100
!
ip subnet-zero
!
!
!
ip audit notify log
ip audit po max-events 100
mpls ldp logging neighbor-changes
!
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
crypto isakmp key CISCO address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set 3DES_MD5_TRANS esp-3des esp-md5-hmac
mode transport
!
crypto ipsec profile VPN
!
crypto ipsec profile DMVPN
set transform-set 3DES_MD5_TRANS
!
!
!
!
!
!
!
!
!
!
!
no voice hpi capture buffer
no voice hpi capture destination
!
!
mta receive maximum-recipients 0
!
!
!
!
interface Loopback0
ip address 150.6.1.1 255.255.255.0
!
interface Loopback1
ip address 192.168.1.1 255.255.255.0
!
interface Tunnel0
bandwidth 1024
ip address 123.123.123.1 255.255.255.0
no ip redirects
ip nhrp authentication CISCO
ip nhrp map multicast dynamic
ip nhrp network-id 123
ip nhrp holdtime 60
no ip split-horizon eigrp 100
no ip split-horizon
delay 100
tunnel source Loopback0
tunnel mode gre multipoint
tunnel key 123
tunnel protection ipsec profile DMVPN
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0
ip address 136.6.0.1 255.255.255.0
encapsulation frame-relay
frame-relay map ip 136.6.0.2 102 broadcast
frame-relay map ip 136.6.0.3 103 broadcast
no frame-relay inverse-arp
!
interface Serial0/1
no ip address
shutdown
!
router eigrp 100
network 123.0.0.0
network 192.168.1.0
no auto-summary
!
router rip
version 2
network 136.6.0.0
network 150.6.0.0
no auto-summary
!
ip http server
no ip http secure-server
ip classless
!
!
!
!
!
call rsvp-sync
!
!
mgcp profile default
!
!
!
dial-peer cor custom
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
login
!
!
end

r1#

R2:

r2#sh run
Building configuration...

Current configuration : 1844 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r2
!
logging queue-limit 100
!
ip subnet-zero
!
!
!
ip audit notify log
ip audit po max-events 100
mpls ldp logging neighbor-changes
!
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
crypto isakmp key CISCO address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set 3DES_MD5_TRANS esp-3des esp-md5-hmac
mode transport
!
crypto ipsec profile DMVPN
set transform-set 3DES_MD5_TRANS
!
!
!
!
!
!
!
!
!
!
!
no voice hpi capture buffer
no voice hpi capture destination
!
!
mta receive maximum-recipients 0
!
!
!
!
interface Loopback0
ip address 150.6.2.2 255.255.255.0
!
interface Loopback1
ip address 192.168.2.2 255.255.255.0
!
interface Tunnel0
bandwidth 1024
ip address 123.123.123.2 255.255.255.0
no ip redirects
ip nhrp authentication CISCO
ip nhrp map multicast 150.6.1.1
ip nhrp map 123.123.123.1 150.6.1.1
ip nhrp network-id 123
ip nhrp holdtime 60
ip nhrp nhs 123.123.123.1
delay 100
tunnel source Loopback0
tunnel mode gre multipoint
tunnel key 123
tunnel protection ipsec profile DMVPN
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0
ip address 136.6.0.2 255.255.255.0
encapsulation frame-relay
frame-relay map ip 136.6.0.1 201 broadcast
frame-relay map ip 136.6.0.3 201 broadcast
no frame-relay inverse-arp
!
interface Serial0/1
no ip address
shutdown
!
router eigrp 100
network 123.0.0.0
network 192.168.2.0
no auto-summary
!
router rip
version 2
network 136.6.0.0
network 150.6.0.0
no auto-summary
!
ip http server
no ip http secure-server
ip classless
!
!
!
!
!
call rsvp-sync
!
!
mgcp profile default
!
!
!
dial-peer cor custom
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
login
!
!
end

R3:

r3#sh run
Building configuration...

Current configuration : 2012 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r3
!
logging queue-limit 100
!
ip subnet-zero
!
!
!
ip audit notify log
ip audit po max-events 100
mpls ldp logging neighbor-changes
!
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
crypto isakmp key CISCO address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set 3DES_MD5_TRANS esp-3des esp-md5-hmac
mode transport
!
crypto ipsec profile DMVPN
set transform-set 3DES_MD5_TRANS
!
!
!
!
!
!
!
!
!
!
!
no voice hpi capture buffer
no voice hpi capture destination
!
!
mta receive maximum-recipients 0
!
!
!
!
interface Loopback0
ip address 150.6.3.3 255.255.255.0
!
interface Loopback1
ip address 192.168.3.3 255.255.255.0
!
interface Tunnel0
bandwidth 1024
ip address 123.123.123.3 255.255.255.0
no ip redirects
ip nhrp authentication CISCO
ip nhrp map multicast 150.6.1.1
ip nhrp map 123.123.123.1 150.6.1.1
ip nhrp network-id 123
ip nhrp holdtime 60
ip nhrp nhs 150.6.1.1
delay 100
tunnel source Loopback0
tunnel mode gre multipoint
tunnel key 123
tunnel protection ipsec profile DMVPN
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial1/0
ip address 136.6.0.3 255.255.255.0
encapsulation frame-relay
frame-relay map ip 136.6.0.1 301 broadcast
frame-relay map ip 136.6.0.2 301 broadcast
no frame-relay inverse-arp
!
interface Serial1/1
no ip address
shutdown
!
interface Serial1/2
no ip address
shutdown
!
interface Serial1/3
no ip address
shutdown
!
router eigrp 100
network 123.0.0.0
network 192.168.3.0
no auto-summary
!
router rip
version 2
network 136.6.0.0
network 150.6.0.0
no auto-summary
!
ip http server
no ip http secure-server
ip classless
!
!
!
!
!
call rsvp-sync
!
!
mgcp profile default
!
!
!
dial-peer cor custom
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
login
!
!
end

r3#

Error on R1:

r1#
*Mar 1 01:36:44.458: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 123.123.123.3 (Tunnel0) is down: retry limit exceeded
*Mar 1 01:36:44.458: destroy peer: 123.123.123.3
*Mar 1 01:36:48.068: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 123.123.123.3 (Tunnel0) is up: new adjacency
*Mar 1 01:38:07.587: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 123.123.123.3 (Tunnel0) is down: retry limit exceeded
*Mar 1 01:38:07.587: destroy peer: 123.123.123.3
*Mar 1 01:38:12.226: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 123.123.123.3 (Tunnel0) is up: new adjacency
*Mar 1 01:39:31.749: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 123.123.123.3 (Tunnel0) is down: retry limit exceeded

The answer was simple but my eyes didn’t see it even though I looked at the interface a number of times. The nhrp nhs should be the tunnel interface, not the loopback.

Here is the change being made and, as you can tell, EIGRP established as soon as it was fixed.

r3#sh run int t0
Building configuration...

Current configuration : 385 bytes
!
interface Tunnel0
 bandwidth 1024
 ip address 123.123.123.3 255.255.255.0
 no ip redirects
 ip nhrp authentication CISCO
 ip nhrp map multicast 150.6.1.1
 ip nhrp map 123.123.123.1 150.6.1.1
 ip nhrp network-id 123
 ip nhrp holdtime 60
 ip nhrp nhs 150.6.1.1
 delay 100
 tunnel source Loopback0
 tunnel mode gre multipoint
 tunnel key 123
 tunnel protection ipsec profile DMVPN
end

r3#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
r3(config)#int t0
r3(config-if)#no  ip nhrp nhs 150.6.1.1
r3(config-if)#no  ip nhrp nhs 150.6.1.1
*Mar  1 01:56:50.836: %LINK-3-BADMACREG: Interface Serial1/0, non-existent MACADDR registry for link 74
-Process= "NHRP", ipl= 0, pid= 99
-Traceback= 809A9698 809A94E0 8085EB28 8085EDF4 80862200 8086548C 8  ip nhrp nhs 150.6.1.1
*Mar  1 01:56:52.391: %LINK-3-BADMACREG: Interface Serial1/0, non-existent MACADDR registry for link 74
-Process= "NHRP", ipl= 0, pid= 99
-Traceback= 809A9698 809A94E0 8085EB28 8085EDF4 80862200 8086548C 808657B4 80865950 803CE314
r3(config-if)#
r3(config-if)#
r3(config-if)#
r3(config-if)#
*Mar  1 01:56:56.201: %LINK-3-BADMACREG: Interface Serial1/0, non-existent MACADDR registry for link 74
-Process= "NHRP", ipl= 0, pid= 99
-Traceback= 809A9698 809A94E0 8085EB28 8085EDF4 80862200 8086548C 808657B4 80865950 803CE314
*Mar  1 01:57:02.704: %LINK-3-BADMACREG: Interface Serial1/0, non-existent MACADDR registry for link 74
-Process= "NHRP", ipl= 0, pid= 99
-Traceback= 809A9698 809A94E0 8085EB28 8085EDF4 80862200 8086548C 808657B4 80865950 803CE314
r3(config-if)#
*Mar  1 01:57:16.322: %LINK-3-BADMACREG: Interface Serial1/0, non-existent MACADDR registry for link 74
-Process= "NHRP", ipl= 0, pid= 99
-Traceback= 809A9698 809A94E0 8085EB28 8085EDF4 80862200 8086548C 808657B4 80865950 803CE314
r3(config-if)#
r3(config-if)#
r3(config-if)#
r3(config-if)#  ip nhrp nhs 123.123.123.1
r3(config-if)#''
*Mar  1 01:57:35.469: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 123.123.123.1 (Tunnel0) is up: new adjacen
*Mar  1 01:57:35.477: IP-EIGRP(Default-IP-Routing-Table:100): 123.123.123.0/24 - do advertise out Tunnel0
*Mar  1 01:57:35.477: IP-EIGRP(Default-IP-Routing-Table:100): 192.168.3.0/24 - do advertise out Tunnel0
*Mar  1 01:57:35.477: IP-EIGRP(Default-IP-Routing-Table:100): Int 192.168.3.0/24 metric 128256 - 256 128000
r3(config-if)#
r3(config-if)#
r3(config-if)#
r3(config-if)# 
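As an added example (not from the original post), here is a Python sanity check for a DMVPN spoke's tunnel interface that would have caught this: it parses the ip address, ip nhrp map and ip nhrp nhs lines and complains when the NHS is the hub's NBMA (loopback) address rather than its tunnel address, when it is outside the tunnel subnet, when it has no static map, or when the hub's NBMA address has no multicast map (so EIGRP hellos never reach it). The two samples are R3's tunnel block before and after the fix.

```python
from __future__ import annotations
import ipaddress


def parse_tunnel(text: str) -> dict:
    """Collect the NHRP-relevant lines of one 'interface TunnelN' block."""
    t = {"address": None, "maps": {}, "multicast": [], "nhs": []}
    for raw in text.splitlines():
        w = raw.split()
        if w[:2] == ["ip", "address"] and len(w) >= 4:
            t["address"] = ipaddress.ip_interface(f"{w[2]}/{w[3]}")   # netmask form is accepted
        elif w[:3] == ["ip", "nhrp", "map"] and len(w) >= 5:
            if w[3] == "multicast":
                t["multicast"].append(w[4])         # NBMA address to replicate multicast to
            else:
                t["maps"][w[3]] = w[4]              # tunnel address -> NBMA address
        elif w[:3] == ["ip", "nhrp", "nhs"] and len(w) >= 4:
            t["nhs"].append(w[3])
    return t


def check_spoke_nhs(text: str) -> list[str]:
    """Return a list of problems with the spoke's next-hop-server configuration."""
    t = parse_tunnel(text)
    if t["address"] is None:
        return ["tunnel has no ip address"]
    net = t["address"].network
    nbma_to_tunnel = {nbma: tun for tun, nbma in t["maps"].items()}
    problems = []
    if not t["nhs"]:
        problems.append("spoke has no 'ip nhrp nhs' configured")
    for nhs in t["nhs"]:
        if nhs in nbma_to_tunnel:
            # The exact mistake in the post: NHS set to the hub's loopback/NBMA address.
            problems.append(
                f"nhs {nhs} is the hub's NBMA (tunnel source) address; "
                f"use its tunnel address {nbma_to_tunnel[nhs]}")
        elif ipaddress.ip_address(nhs) not in net:
            problems.append(f"nhs {nhs} is outside the tunnel subnet {net}")
        elif nhs not in t["maps"]:
            problems.append(f"nhs {nhs} has no static 'ip nhrp map {nhs} <nbma>'")
        elif t["maps"][nhs] not in t["multicast"]:
            problems.append(
                f"no 'ip nhrp map multicast {t['maps'][nhs]}' for the hub, "
                "so EIGRP hellos will not reach it")
    return problems


# Constructed samples taken from R3's Tunnel0 block in the post, before and after the fix.
R3_BROKEN = """\
interface Tunnel0
 ip address 123.123.123.3 255.255.255.0
 ip nhrp authentication CISCO
 ip nhrp map multicast 150.6.1.1
 ip nhrp map 123.123.123.1 150.6.1.1
 ip nhrp network-id 123
 ip nhrp nhs 150.6.1.1
 tunnel source Loopback0
 tunnel mode gre multipoint
"""
R3_FIXED = R3_BROKEN.replace("ip nhrp nhs 150.6.1.1", "ip nhrp nhs 123.123.123.1")

if __name__ == "__main__":
    print("before:", check_spoke_nhs(R3_BROKEN) or "OK")
    print("after: ", check_spoke_nhs(R3_FIXED) or "OK")
```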

Thanks PacketU!