May 21, 2012

no ip split-horizon….

I had to take 2 minutes and blog this. Last night I set up DMVPN. It all looked OK, but I could not get spoke-to-spoke connectivity. Then today I found Petr Lapukhov's DMVPN Explained blog post on the CCIE Blog at Internetwork Expert. (You can find it here.)

I didn't even make it all the way through before I saw this in Petr's example:

interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ip nhrp authentication cisco
 ip nhrp map multicast dynamic
 ip nhrp network-id 123
 no ip split-horizon eigrp 123
 ip summary-address eigrp 123 0.0.0.0 0.0.0.0 5
 tunnel source Loopback0
 tunnel mode gre multipoint
 tunnel key 123

Then I go look at my config:

r1#sh run int t0
Building configuration...

Current configuration : 344 bytes
!
interface Tunnel0
 bandwidth 1024
 ip address 123.123.123.1 255.255.255.0
 no ip redirects
 ip nhrp authentication CISCO
 ip nhrp map multicast dynamic
 ip nhrp network-id 123
 ip nhrp holdtime 60
 no ip split-horizon
 delay 100
 tunnel source Loopback0
 tunnel mode gre multipoint
 tunnel key 123
 tunnel protection ipsec profile DMVPN
end

Very subtle, but notice that I didn't specify the EIGRP autonomous system. That's what bit me. I made the change:

r1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
r1(config)#int t0
r1(config-if)#no ip sp
r1(config-if)#no ip split-horizon e
r1(config-if)#no ip split-horizon eigrp 100
r1(config-if)#
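A config-audit check for exactly this slip, written as an added example (not code from the post or from INE): it parses an IOS running-config, finds multipoint GRE tunnel interfaces, and reports any EIGRP AS whose split horizon is not disabled there. The sample config is constructed from the hub Tunnel0 above; the router eigrp 100 stanza and its network statement are assumed.

```python
import re

# Constructed sample: the post's hub Tunnel0 as first configured (bare
# "no ip split-horizon"); the "router eigrp 100" stanza is assumed.
BROKEN_HUB_CONFIG = """\
interface Tunnel0
 ip address 123.123.123.1 255.255.255.0
 ip nhrp network-id 123
 no ip split-horizon
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN
!
router eigrp 100
 network 123.123.123.0 0.0.0.255
!
"""

def eigrp_asns(config):
    """Return the set of EIGRP autonomous-system numbers configured."""
    return set(re.findall(r"^router eigrp (\d+)\s*$", config, re.M))

def interface_blocks(config):
    """Yield (name, [stripped sub-commands]) for each interface stanza."""
    name, lines = None, []
    for raw in config.splitlines():
        if raw.startswith("interface "):
            name, lines = raw.split(None, 1)[1], []
        elif name and raw.startswith(" "):
            lines.append(raw.strip())
        elif name:  # '!' or any other column-0 line closes the stanza
            yield name, lines
            name, lines = None, []
    if name:
        yield name, lines

def audit_split_horizon(config):
    """Return (interface, finding) tuples for mGRE tunnels where EIGRP
    split horizon is still enabled; an empty list means the hub is clean."""
    findings, asns = [], eigrp_asns(config)
    for name, lines in interface_blocks(config):
        if "tunnel mode gre multipoint" not in lines:
            continue  # only multipoint (hub) tunnels need split horizon off
        disabled = {m.group(1) for l in lines
                    if (m := re.match(r"no ip split-horizon eigrp (\d+)$", l))}
        for asn in sorted(asns - disabled):
            findings.append((name, f"EIGRP split horizon still enabled for AS {asn}"))
        if "no ip split-horizon" in lines:  # the exact slip from the post
            findings.append((name, "'no ip split-horizon' without 'eigrp <AS>' "
                                   "does not disable EIGRP split horizon"))
    return findings
```

Run it against the hub's `show running-config` after any DMVPN change; a clean hub returns an empty list, and the bare-keyword finding is the one this post is about.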

Then I go back to the spoke. From the following output you can see that I now have some 192.168.x.x routes (that's what I was missing before).

r2#
*Mar  2 03:01:32.605: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 123.123.123.1 (Tunnel0) is up: new adjacencysh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     136.8.0.0/24 is subnetted, 1 subnets
C       136.8.0.0 is directly connected, Serial0/0
     123.0.0.0/24 is subnetted, 1 subnets
C       123.123.123.0 is directly connected, Tunnel0
D    192.168.1.0/24 [90/2653440] via 123.123.123.1, 00:00:03, Tunnel0
C    192.168.2.0/24 is directly connected, Loopback1
     150.8.0.0/24 is subnetted, 3 subnets
C       150.8.2.0 is directly connected, Loopback0
R       150.8.3.0 [120/2] via 136.8.0.3, 00:00:16, Serial0/0
R       150.8.1.0 [120/1] via 136.8.0.1, 00:00:16, Serial0/0
D    192.168.3.0/24 [90/2679040] via 123.123.123.1, 00:00:04, Tunnel0

Now I attempt to ping another spoke router and lo and behold, I can successfully ping.

r2#p 192.168.3.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.3, timeout is 2 seconds:

*Mar  2 03:01:48.475: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /150.8.2.2, src_addr= 150.8.3.3, prot= 47..!!!
Success rate is 60 percent (3/5), round-trip min/avg/max = 188/189/193 ms
r2#p 192.168.3.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 184/184/185 ms

But I still need to make sure that I actually have an IPsec tunnel carrying the ICMP over to 192.168.3.3, so I check:

r2#sh cry isa sa
dst             src             state          conn-id slot
150.8.2.2       150.8.3.3       QM_IDLE              2    0
150.8.2.2       150.8.1.1       QM_IDLE              1    0

Yep, I have an ISAKMP SA to 150.8.3.3, which is where 192.168.3.3 is located. Now let's look at the IPsec SAs that go to the spoke.

r2#sh cry ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr. 150.8.2.2

   protected vrf:
   local  ident (addr/mask/prot/port): (150.8.2.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (150.8.1.1/255.255.255.255/47/0)
   current_peer: 150.8.1.1:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 23342, #pkts encrypt: 23342, #pkts digest 23342
    #pkts decaps: 20213, #pkts decrypt: 20213, #pkts verify 20213
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

 local crypto endpt.: 150.8.2.2, remote crypto endpt.: 150.8.1.1
 path mtu 1500, media mtu 1500
 current outbound spi: 7FAB6DEA

 inbound esp sas:
  spi: 0xA65DD270(2791166576)
    transform: esp-3des esp-md5-hmac ,
    in use settings ={Transport, }
    slot: 0, conn id: 2056, flow_id: 57, crypto map: Tunnel0-head-0
    sa timing: remaining key lifetime (k/sec): (4435657/3098)
    IV size: 8 bytes
    replay detection support: Y

 inbound ah sas:

 inbound pcp sas:

 outbound esp sas:
  spi: 0x7FAB6DEA(2141941226)
    transform: esp-3des esp-md5-hmac ,
    in use settings ={Transport, }
    slot: 0, conn id: 2057, flow_id: 58, crypto map: Tunnel0-head-0
    sa timing: remaining key lifetime (k/sec): (4435653/3098)
    IV size: 8 bytes
    replay detection support: Y

 outbound ah sas:

 outbound pcp sas:

   protected vrf:
   local  ident (addr/mask/prot/port): (150.8.2.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (150.8.3.3/255.255.255.255/47/0)
   current_peer: 150.8.3.3:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 7, #pkts decrypt: 7, #pkts verify 7
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

 local crypto endpt.: 150.8.2.2, remote crypto endpt.: 150.8.3.3
 path mtu 1500, media mtu 1500
 current outbound spi: 35A8F2BC

 inbound esp sas:
  spi: 0x367950CD(913920205)
    transform: esp-3des esp-md5-hmac ,
    in use settings ={Transport, }
    slot: 0, conn id: 2058, flow_id: 59, crypto map: Tunnel0-head-0
    sa timing: remaining key lifetime (k/sec): (4420642/3580)
    IV size: 8 bytes
    replay detection support: Y

 inbound ah sas:

 inbound pcp sas:

 outbound esp sas:
  spi: 0x35A8F2BC(900264636)
    transform: esp-3des esp-md5-hmac ,
    in use settings ={Transport, }
    slot: 0, conn id: 2059, flow_id: 60, crypto map: Tunnel0-head-0
    sa timing: remaining key lifetime (k/sec): (4420643/3578)
    IV size: 8 bytes
    replay detection support: Y

 outbound ah sas:

 outbound pcp sas:

And we are good! Man, it's amazing how missing one little detail breaks the entire config. I try not to make that mistake on the lab.

Comments

  1. Tim says:

    Hey, what version of IOS are you using?

    If you are using the correct lab version you will have a problem with CEF.

    There is a fairly well known bug with the lab version. Turn off CEF on the spokes and you will be able to get direct spoke to spoke tunnels.

  2. @Tim - thanks. I'll make note of that. IOS is Version 12.2(15)T14 on the IE graded lab system.
