February 9, 2012

IE Vol 1 DMVPN w/ PSK- **Solved by PacketU**

Today I am working on some specific areas that I feel I lack in. Right now I'm working on DMVPN using IE's Volume 1 Workbook. I've done this lab before and had no issues. Right now R1 is the hub (NHS) and R2 and R3 are both coming into R1 over a Frame Relay network. Here is the issue: R1 to R2, no problems. R1 to R3, the VPN is up but there is no EIGRP neighbor. Here are the configs. Anyone see what I am doing wrong?

r1#sh run
Building configuration...

Current configuration : 1857 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r1
!
logging queue-limit 100
!
ip subnet-zero
!
ip audit notify log
ip audit po max-events 100
mpls ldp logging neighbor-changes
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key CISCO address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set 3DES_MD5_TRANS esp-3des esp-md5-hmac
 mode transport
!
crypto ipsec profile VPN
!
crypto ipsec profile DMVPN
 set transform-set 3DES_MD5_TRANS
!
no voice hpi capture buffer
no voice hpi capture destination
!
mta receive maximum-recipients 0
!
interface Loopback0
 ip address 150.6.1.1 255.255.255.0
!
interface Loopback1
 ip address 192.168.1.1 255.255.255.0
!
interface Tunnel0
 bandwidth 1024
 ip address 123.123.123.1 255.255.255.0
 no ip redirects
 ip nhrp authentication CISCO
 ip nhrp map multicast dynamic
 ip nhrp network-id 123
 ip nhrp holdtime 60
 no ip split-horizon eigrp 100
 no ip split-horizon
 delay 100
 tunnel source Loopback0
 tunnel mode gre multipoint
 tunnel key 123
 tunnel protection ipsec profile DMVPN
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 136.6.0.1 255.255.255.0
 encapsulation frame-relay
 frame-relay map ip 136.6.0.2 102 broadcast
 frame-relay map ip 136.6.0.3 103 broadcast
 no frame-relay inverse-arp
!
interface Serial0/1
 no ip address
 shutdown
!
router eigrp 100
 network 123.0.0.0
 network 192.168.1.0
 no auto-summary
!
router rip
 version 2
 network 136.6.0.0
 network 150.6.0.0
 no auto-summary
!
ip http server
no ip http secure-server
ip classless
!
call rsvp-sync
!
mgcp profile default
!
dial-peer cor custom
!
line con 0
line aux 0
line vty 0 4
 login
!
end

r1#

R2:

r2#sh run
Building configuration...

Current configuration : 1844 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r2
!
logging queue-limit 100
!
ip subnet-zero
!
ip audit notify log
ip audit po max-events 100
mpls ldp logging neighbor-changes
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key CISCO address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set 3DES_MD5_TRANS esp-3des esp-md5-hmac
 mode transport
!
crypto ipsec profile DMVPN
 set transform-set 3DES_MD5_TRANS
!
no voice hpi capture buffer
no voice hpi capture destination
!
mta receive maximum-recipients 0
!
interface Loopback0
 ip address 150.6.2.2 255.255.255.0
!
interface Loopback1
 ip address 192.168.2.2 255.255.255.0
!
interface Tunnel0
 bandwidth 1024
 ip address 123.123.123.2 255.255.255.0
 no ip redirects
 ip nhrp authentication CISCO
 ip nhrp map multicast 150.6.1.1
 ip nhrp map 123.123.123.1 150.6.1.1
 ip nhrp network-id 123
 ip nhrp holdtime 60
 ip nhrp nhs 123.123.123.1
 delay 100
 tunnel source Loopback0
 tunnel mode gre multipoint
 tunnel key 123
 tunnel protection ipsec profile DMVPN
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 136.6.0.2 255.255.255.0
 encapsulation frame-relay
 frame-relay map ip 136.6.0.1 201 broadcast
 frame-relay map ip 136.6.0.3 201 broadcast
 no frame-relay inverse-arp
!
interface Serial0/1
 no ip address
 shutdown
!
router eigrp 100
 network 123.0.0.0
 network 192.168.2.0
 no auto-summary
!
router rip
 version 2
 network 136.6.0.0
 network 150.6.0.0
 no auto-summary
!
ip http server
no ip http secure-server
ip classless
!
call rsvp-sync
!
mgcp profile default
!
dial-peer cor custom
!
line con 0
line aux 0
line vty 0 4
 login
!
end

R3:

r3#sh run
Building configuration...

Current configuration : 2012 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r3
!
logging queue-limit 100
!
ip subnet-zero
!
ip audit notify log
ip audit po max-events 100
mpls ldp logging neighbor-changes
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key CISCO address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set 3DES_MD5_TRANS esp-3des esp-md5-hmac
 mode transport
!
crypto ipsec profile DMVPN
 set transform-set 3DES_MD5_TRANS
!
no voice hpi capture buffer
no voice hpi capture destination
!
mta receive maximum-recipients 0
!
interface Loopback0
 ip address 150.6.3.3 255.255.255.0
!
interface Loopback1
 ip address 192.168.3.3 255.255.255.0
!
interface Tunnel0
 bandwidth 1024
 ip address 123.123.123.3 255.255.255.0
 no ip redirects
 ip nhrp authentication CISCO
 ip nhrp map multicast 150.6.1.1
 ip nhrp map 123.123.123.1 150.6.1.1
 ip nhrp network-id 123
 ip nhrp holdtime 60
 ip nhrp nhs 150.6.1.1
 delay 100
 tunnel source Loopback0
 tunnel mode gre multipoint
 tunnel key 123
 tunnel protection ipsec profile DMVPN
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial1/0
 ip address 136.6.0.3 255.255.255.0
 encapsulation frame-relay
 frame-relay map ip 136.6.0.1 301 broadcast
 frame-relay map ip 136.6.0.2 301 broadcast
 no frame-relay inverse-arp
!
interface Serial1/1
 no ip address
 shutdown
!
interface Serial1/2
 no ip address
 shutdown
!
interface Serial1/3
 no ip address
 shutdown
!
router eigrp 100
 network 123.0.0.0
 network 192.168.3.0
 no auto-summary
!
router rip
 version 2
 network 136.6.0.0
 network 150.6.0.0
 no auto-summary
!
ip http server
no ip http secure-server
ip classless
!
call rsvp-sync
!
mgcp profile default
!
dial-peer cor custom
!
line con 0
line aux 0
line vty 0 4
 login
!
end

r3#

Error on R1:

r1#
*Mar 1 01:36:44.458: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 123.123.123.3 (Tunnel0) is down: retry limit exceeded
*Mar 1 01:36:44.458: destroy peer: 123.123.123.3
*Mar 1 01:36:48.068: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 123.123.123.3 (Tunnel0) is up: new adjacency
*Mar 1 01:38:07.587: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 123.123.123.3 (Tunnel0) is down: retry limit exceeded
*Mar 1 01:38:07.587: destroy peer: 123.123.123.3
*Mar 1 01:38:12.226: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 123.123.123.3 (Tunnel0) is up: new adjacency
*Mar 1 01:39:31.749: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 123.123.123.3 (Tunnel0) is down: retry limit exceeded

The answer was simple, but my eyes didn't see it even though I looked at the interface a number of times. The ip nhrp nhs should point at the tunnel interface, not the loopback.

Here is the change being made, and as you can tell, EIGRP established as soon as it was fixed.

r3#sh run int t0
Building configuration...

Current configuration : 385 bytes
!
interface Tunnel0
 bandwidth 1024
 ip address 123.123.123.3 255.255.255.0
 no ip redirects
 ip nhrp authentication CISCO
 ip nhrp map multicast 150.6.1.1
 ip nhrp map 123.123.123.1 150.6.1.1
 ip nhrp network-id 123
 ip nhrp holdtime 60
 ip nhrp nhs 150.6.1.1
 delay 100
 tunnel source Loopback0
 tunnel mode gre multipoint
 tunnel key 123
 tunnel protection ipsec profile DMVPN
end

r3#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
r3(config)#int t0
r3(config-if)#no ip nhrp nhs 150.6.1.1
r3(config-if)#no ip nhrp nhs 150.6.1.1
*Mar 1 01:56:50.836: %LINK-3-BADMACREG: Interface Serial1/0, non-existent MACADDR registry for link 74 -Process= "NHRP", ipl= 0, pid= 99 -Traceback= 809A9698 809A94E0 8085EB28 8085EDF4 80862200 8086548C 8 ip nhrp nhs 150.6.1.1
*Mar 1 01:56:52.391: %LINK-3-BADMACREG: Interface Serial1/0, non-existent MACADDR registry for link 74 -Process= "NHRP", ipl= 0, pid= 99 -Traceback= 809A9698 809A94E0 8085EB28 8085EDF4 80862200 8086548C 808657B4 80865950 803CE314
r3(config-if)#
r3(config-if)#
r3(config-if)#
r3(config-if)#
*Mar 1 01:56:56.201: %LINK-3-BADMACREG: Interface Serial1/0, non-existent MACADDR registry for link 74 -Process= "NHRP", ipl= 0, pid= 99 -Traceback= 809A9698 809A94E0 8085EB28 8085EDF4 80862200 8086548C 808657B4 80865950 803CE314
*Mar 1 01:57:02.704: %LINK-3-BADMACREG: Interface Serial1/0, non-existent MACADDR registry for link 74 -Process= "NHRP", ipl= 0, pid= 99 -Traceback= 809A9698 809A94E0 8085EB28 8085EDF4 80862200 8086548C 808657B4 80865950 803CE314
r3(config-if)#
*Mar 1 01:57:16.322: %LINK-3-BADMACREG: Interface Serial1/0, non-existent MACADDR registry for link 74 -Process= "NHRP", ipl= 0, pid= 99 -Traceback= 809A9698 809A94E0 8085EB28 8085EDF4 80862200 8086548C 808657B4 80865950 803CE314
r3(config-if)#
r3(config-if)#
r3(config-if)#
r3(config-if)# ip nhrp nhs 123.123.123.1
r3(config-if)#''
*Mar 1 01:57:35.469: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 123.123.123.1 (Tunnel0) is up: new adjacen
*Mar 1 01:57:35.477: IP-EIGRP(Default-IP-Routing-Table:100): 123.123.123.0/24 - do advertise out Tunnel0
*Mar 1 01:57:35.477: IP-EIGRP(Default-IP-Routing-Table:100): 192.168.3.0/24 - do advertise out Tunnel0
*Mar 1 01:57:35.477: IP-EIGRP(Default-IP-Routing-Table:100): Int 192.168.3.0/24 metric 128256 - 256 128000
r3(config-if)#
r3(config-if)#
r3(config-if)#
r3(config-if)#

Thanks PacketU!

DMVPN Notes- ipexpert CCIE Security WB lab 7b.

The first thing to mention about this lab is that the wording is horrible.

“Activate Frame Relay interfaces should have IP address 150.50.99.x/24.”

What??? Oh Well, on with the lab:

  1. So far I prefer to break DMVPN into four parts:
    1. GRE tunnel
    2. NHRP configuration
    3. Dynamic routing protocol
    4. IPsec
  2. GRE needs the following:
    1. IP address
    2. Tunnel source
    3. Tunnel mode (tunnel mode gre multipoint), since there is no fixed tunnel destination
  3. NHRP is broken down into the hub configuration and the spoke configuration, and they differ slightly.
    1. NHRP hub configuration has the following:
      1. ip mtu bytes
      2. ip nhrp authentication string
      3. ip nhrp map multicast dynamic
      4. ip nhrp network-id number
      5. ip nhrp holdtime seconds
    2. NHRP spoke configuration has the following:
      1. ip mtu bytes
      2. ip nhrp authentication string
      3. ip nhrp map hub-tunnel-ip-address hub-physical-ip-address
      4. ip nhrp map multicast hub-physical-ip-address
      5. ip nhrp nhs hub-tunnel-ip-address (spoke only; note that this is the hub's tunnel address, not its physical/NBMA address)
      6. ip nhrp network-id number
  4. The dynamic routing protocol includes the private networks you want advertised and the tunnel interface. It does NOT include the NBMA network.
  5. EIGRP has some gotchas that are hard to find documentation on.
    1. You probably need to turn CEF off on the spokes. If you don't, NHRP times out and drops the neighbor. You get a really annoying EIGRP timeout message and routing breaks. You can confirm the EIGRP part by shutting the tunnel interface and bringing it back up, at which point the EIGRP neighbor comes back up. Five minutes later (the default NHRP timer) the neighbor goes away again. For some reason shutting off CEF fixes this, and you only need to do it on the spokes.
    2. Don't forget to turn off EIGRP split horizon on the hub, and more specifically don't forget to put the AS number on the command: no ip split-horizon eigrp AS. A bare no ip split-horizon applies to RIP, not EIGRP.
    3. If you want to build a direct spoke-to-spoke tunnel, configure no ip next-hop-self eigrp AS on the hub, or everything will still go through the hub. You can verify the next hop with show ip route on a spoke.
  6. The IPsec configuration could vary:
    1. The ISAKMP policy is pretty much the same as it always is: hash, encryption, authentication. (3DES and MD5 are what the workbook uses; treat them as legacy choices outside the lab.)
    2. The easy pre-shared key configuration is crypto isakmp key 0 the_key address 0.0.0.0 0.0.0.0. The wildcard address means every spoke, and anything else that learns the key, authenticates with the same secret, which is fine for the lab but not something to carry into production without per-peer keys or certificates.
    3. You can also do authentication with XAUTH by creating an ISAKMP profile.
    4. You need to create an IPsec profile to attach the transform set and, optionally, the ISAKMP profile. You do not need the set peer or match address commands, because the peers and the traffic to protect are learned dynamically.
    5. You do not use the crypto map command to apply IPsec; instead you apply it on the tunnel interface with tunnel protection ipsec profile Name_of_Profile.
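Both the first post's mistake and the hub/spoke checklist above are the kind of thing that is easy to miss by eye and easy to check by machine. The following is an added example, my own code rather than anything from the post, INE or IPexpert: it parses one tunnel interface out of a show run and flags the NHRP rules from the list. My reading of the posted configs is that r3's ip nhrp nhs 150.6.1.1 points at r1's loopback (the NBMA address) instead of 123.123.123.1; r3 has no mapping for that address as a tunnel peer, so its registration never reaches r1, while r1 still hears r3's multicast hellos (the multicast map is correct), forms the adjacency, and then has no NBMA mapping for 123.123.123.3 to unicast updates back, hence the "retry limit exceeded" flap. The finding codes and the role argument are my own names; the sample stanzas are copied from the posted r1 and r3 Tunnel0 configs.

```python
"""Lint a DMVPN Tunnel stanza for the NHRP mistakes discussed in the post.

Added example, not code from the post or from INE/IPexpert. Finding codes
and the 'hub'/'spoke' role are my own naming. Sample stanzas below are
taken from the posted r1 (hub) and r3 (spoke, before the fix) configs.
"""
import ipaddress
import re


def tunnel_stanza(config, name="Tunnel0"):
    """Return the lines inside `interface <name>` up to the closing '!' or 'end'."""
    lines, inside = [], False
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            inside = line == f"interface {name}"
        elif inside and line in ("!", "end"):
            inside = False
        elif inside and line:
            lines.append(line)
    return lines


def lint_dmvpn_tunnel(lines, role):
    """role is 'hub' or 'spoke'; returns a list of 'CODE: message' findings."""
    tun, static, mcast, nhs = None, {}, [], []
    text = "\n".join(lines)
    for line in lines:
        if m := re.fullmatch(r"ip address (\S+) (\S+)", line):
            tun = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
        elif m := re.fullmatch(r"ip nhrp map multicast (\S+)", line):
            mcast.append(m[1])
        elif m := re.fullmatch(r"ip nhrp map (\S+) (\S+)", line):
            static[m[1]] = m[2]          # tunnel address -> NBMA address
        elif m := re.fullmatch(r"ip nhrp nhs (\S+)", line):
            nhs.append(m[1])
    if tun is None:
        return ["NO-ADDR: tunnel interface has no ip address"]
    out = []
    for need, code in (("tunnel mode gre multipoint", "MODE"), ("ip nhrp network-id ", "NETID"),
                       ("ip nhrp authentication ", "AUTH"), ("tunnel protection ipsec profile ", "IPSEC")):
        if need not in text:
            out.append(f"MISSING-{code}: '{need.strip()}' not configured")
    if role == "spoke":
        if not nhs:
            out.append("SPOKE-NO-NHS: spoke has no 'ip nhrp nhs'")
        for a in nhs:
            if a in static.values():     # r3's mistake: NHS is the hub's NBMA (loopback) address
                out.append(f"SPOKE-NHS-NBMA: nhs {a} is the hub's NBMA address; use its tunnel address")
            elif ipaddress.ip_address(a) not in tun.network:
                out.append(f"SPOKE-NHS-SUBNET: nhs {a} is outside {tun.network}")
            elif a not in static:
                out.append(f"SPOKE-NHS-UNMAPPED: no 'ip nhrp map {a} <nbma>' for the NHS")
        for a in mcast:
            if a == "dynamic":
                out.append("SPOKE-MCAST-DYNAMIC: 'map multicast dynamic' belongs on the hub")
            elif a not in static.values():
                out.append(f"SPOKE-MCAST: multicast map {a} is not a mapped hub NBMA address")
    else:
        if "dynamic" not in mcast:
            out.append("HUB-MCAST: hub needs 'ip nhrp map multicast dynamic' for routing hellos")
        if not re.search(r"^no ip split-horizon eigrp \d+$", text, re.M):
            out.append("HUB-SPLIT: hub needs 'no ip split-horizon eigrp <AS>' "
                       "(a bare 'no ip split-horizon' only affects RIP)")
        if not re.search(r"^no ip next-hop-self eigrp \d+$", text, re.M):
            out.append("HUB-NEXTHOP: without 'no ip next-hop-self eigrp <AS>' "
                       "spoke-to-spoke traffic stays on the hub")
    return out


def lint_config(config, role, name="Tunnel0"):
    return lint_dmvpn_tunnel(tunnel_stanza(config, name), role)


# Tunnel0 stanzas as posted: r3 before the fix, and r1 as the hub.
R3_BROKEN = """
interface Tunnel0
 ip address 123.123.123.3 255.255.255.0
 ip nhrp authentication CISCO
 ip nhrp map multicast 150.6.1.1
 ip nhrp map 123.123.123.1 150.6.1.1
 ip nhrp network-id 123
 ip nhrp nhs 150.6.1.1
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN
!
"""
R3_FIXED = R3_BROKEN.replace("ip nhrp nhs 150.6.1.1", "ip nhrp nhs 123.123.123.1")
R1_HUB = """
interface Tunnel0
 ip address 123.123.123.1 255.255.255.0
 ip nhrp authentication CISCO
 ip nhrp map multicast dynamic
 ip nhrp network-id 123
 no ip split-horizon eigrp 100
 no ip split-horizon
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN
!
"""

if __name__ == "__main__":
    for label, cfg, role in (("r3 as posted", R3_BROKEN, "spoke"),
                             ("r3 fixed", R3_FIXED, "spoke"), ("r1 hub", R1_HUB, "hub")):
        print(label, lint_config(cfg, role) or ["clean"])
```

Run it against the posted r3 stanza and the only finding is SPOKE-NHS-NBMA; the fixed stanza comes back clean, and r1 only gets the informational HUB-NEXTHOP note because it never sets no ip next-hop-self (which the post does not need, since it only tests hub-to-spoke). The checks only see the tunnel stanza, so "ip nhrp authentication" being present is a consistency check, not a security one: the NHRP authentication string travels in cleartext inside the tunnel, and the real peer authentication is the IKE pre-shared key.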

Well, that turned out to be a ton of notes. Still, for posterity's sake, let's throw in an example. This example uses simple pre-shared keys.

Example 1: DMVPN with Pre-shared Keys

Hub Config:

hostname R6
!
ip cef
!
The following creates the ISAKMP policy and defines the pre-shared key.
!
crypto isakmp policy 110
encr 3des
hash md5
authentication pre-share
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
!
The following creates the transform set. This is later tied to the IPsec profile:
!
crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac
mode transport
!
The following creates the IPsec profile:
!
crypto ipsec profile DMVPN
set transform-set 3DES_MD5
!

The following creates the tunnel interface on the hub and sets the NHRP parameters. Refer to the bullet list above for the details.
!
interface Tunnel0
ip address 100.0.0.6 255.255.255.0
no ip redirects
ip mtu 1400
no ip next-hop-self eigrp 7
ip nhrp authentication ccie
ip nhrp map multicast dynamic
ip nhrp network-id 100
ip tcp adjust-mss 1360
no ip split-horizon eigrp 7
tunnel source Serial0/1/0
tunnel mode gre multipoint
tunnel protection ipsec profile DMVPN
!
interface FastEthernet0/0
ip address 60.0.0.6 255.255.255.0
duplex auto
speed auto
!
interface Serial0/1/0
ip address 150.50.99.6 255.255.255.0
encapsulation frame-relay
frame-relay map ip 150.50.99.4 602
frame-relay map ip 150.50.99.5 605
no frame-relay inverse-arp
!
The following enables EIGRP. There is no crypto ACL with tunnel protection: everything that is routed into Tunnel0 is encrypted, which covers the EIGRP traffic itself and all traffic to the networks advertised here and learned from the other DMVPN routers.
!
router eigrp 7
network 60.0.0.0
network 100.0.0.0 0.0.0.255
no auto-summary
!

Spoke Config:

This configuration will resemble that of the other spokes. Change the tunnel interface to reflect a unique host IP, and of course each spoke will have a different private network.

hostname R2
!
!
Note that on the spoke CEF has been disabled.
!
no ip cef
!

The Following defines the ISAKMP Policy
!
!
crypto isakmp policy 110
encr 3des
hash md5
authentication pre-share
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
The Following defines the transform set.
!
crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac
mode transport
!
The Following Defines the IPSEC Profile:
!

crypto ipsec profile DMVPN set transform-set 3DES_MD5 ! ! !

The following defines the tunnel interface and the NHRP parameters on the spoke.
!
!
interface Tunnel0
ip address 100.0.0.2 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication ccie
ip nhrp map multicast 150.50.99.6
ip nhrp map 100.0.0.6 150.50.99.6
ip nhrp network-id 100
ip nhrp holdtime 300
ip nhrp nhs 100.0.0.6
tunnel source Serial0/1/0
tunnel mode gre multipoint
tunnel protection ipsec profile DMVPN
!
!
interface Serial0/1/0
ip address 150.50.99.4 255.255.255.0
encapsulation frame-relay
frame-relay map ip 150.50.99.4 206
frame-relay map ip 150.50.99.5 205
frame-relay map ip 150.50.99.6 206
no frame-relay inverse-arp
!
!
interface FastEthernet1/0
no switchport
ip address 192.1.24.4 255.255.255.0
!
!
Enable EIGRP
!

router eigrp 7
network 100.0.0.0 0.0.0.255
network 192.1.24.0
no auto-summary

That's it for this example. I'll probably add the ISAKMP profile later or in another post.
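The hub above sets ip mtu 1400 and ip tcp adjust-mss 1360 without saying where those numbers come from. The following added example (mine, not from the post or the IPexpert workbook) works out the GRE-over-ESP overhead for the transform set used here so you can see that 1400 leaves margin under a 1500-byte link and that 1360 is simply 1400 minus the IP and TCP headers. The per-field sizes are assumptions about the configured transform set (3DES-CBC: 8-byte block and IV; HMAC-MD5-96: 12-byte ICV; transport mode, IPv4), and the calculation ignores anything below IP such as PPPoE or VLAN tags.

```python
"""Size of a GRE-over-IPsec (transport mode) packet for the post's transform set.

Added example, not from the post. Assumptions: IPv4 outer header, ESP with
3DES-CBC (8-byte cipher block, 8-byte IV) and HMAC-MD5-96 (12-byte ICV),
GRE header of 4 bytes plus 4 when `tunnel key` is configured.
"""
IPV4_HDR, TCP_HDR = 20, 20
GRE_HDR, GRE_KEY = 4, 4
ESP_HDR, ESP_TRAILER = 8, 2        # SPI + sequence; pad length + next header


def wire_size(inner_len, tunnel_key=False, block=8, iv=8, icv=12):
    """Bytes on the link for one inner IP packet of inner_len bytes:
    outer IP | ESP header | IV | GRE | inner packet | padding | trailer | ICV."""
    plaintext = GRE_HDR + (GRE_KEY if tunnel_key else 0) + inner_len + ESP_TRAILER
    pad = (-plaintext) % block        # ESP pads the encrypted part to the cipher block size
    return IPV4_HDR + ESP_HDR + iv + plaintext + pad + icv


def max_ip_mtu(link_mtu=1500, **kw):
    """Largest `ip mtu` on the tunnel that never fragments on a link_mtu link."""
    mtu = link_mtu
    while wire_size(mtu, **kw) > link_mtu:
        mtu -= 1
    return mtu


def tcp_mss(ip_mtu):
    """Value for `ip tcp adjust-mss`: what is left after the IP and TCP headers."""
    return ip_mtu - IPV4_HDR - TCP_HDR


if __name__ == "__main__":
    print("1400-byte inner packet on the wire:", wire_size(1400), "bytes")
    print("same with tunnel key:", wire_size(1400, tunnel_key=True), "bytes")
    print("largest non-fragmenting ip mtu:", max_ip_mtu(), "/", max_ip_mtu(tunnel_key=True))
    print("adjust-mss for ip mtu 1400:", tcp_mss(1400))
```

A 1400-byte inner packet becomes 1456 bytes on the wire here (1464 with a GRE key, as in the first post's configs), and the largest inner size that fits in 1500 without fragmentation is 1442 (1438 with a key). Cisco's usual 1400/1360 pair is therefore a conservative round number with room for a stronger transform set or an extra encapsulation, not a hard limit.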

For my own personal study I have used the Cisco documentation, as well as the three books in the Amazon widget below. Of course I used them on my Kindle. :)