
Anmelka

Members
  • Total content: 8
  • Member since
  • Last visit

Profile Fields
  • Member Title: Newbie

Anmelka's progress: Apprentice (3/14)

Latest badges
  • First reply
  • First own post
  • One week as a member
  • One month as a member
  • 1 year as a member

Community reputation: 10

  1. Anmelka

    GetVPN

    Hello, I have found the solution. In the ACL you have to exclude GDOI from being encrypted. Then it works. Incidentally, the same applies to routing protocols, telnet/ssh etc... Regards, Anmelka
  2. Anmelka

    GetVPN

    Hello, does anyone here already have experience with GetVPN? I have the following problem. I have built a small lab out of 3745s running IOS c3745-advipservicesk9-mz.124-15.T8.bin. To start with, only 1 KS and 1 GM. The GM registers with the KS without problems. Only the rekey does not work. For whatever reason, I constantly get the following message on the GM as soon as the KS starts the rekey process:

    .Mar 5 16:01:09.121: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /10.0.0.5, src_addr= 10.0.0.1, prot= 17

    The crypto map (a gdoi crypto map) is on the outside interface of the GM. Since there is no crypto map on the KS, there is none on the outside interface of the KS either. The crypto ipsec profile is assigned to the sa under gdoi. If I remove the sa configuration from the gdoi group, the rekey works without problems. As soon as the sa ipsec configuration is assigned to the gdoi group, the rekey fails.

    Part of my KS config:

    crypto isakmp policy 10
     encr aes
     authentication pre-share
     group 2
    crypto isakmp key GM1 address 10.0.0.5
    !
    !
    crypto ipsec transform-set AES esp-aes esp-sha-hmac
    !
    crypto ipsec profile gdoi-profile-getvpn
     set security-association lifetime seconds 600
     set transform-set AES
    !
    crypto gdoi group australia
     identity number 1234
     server local
      rekey algorithm aes 256
      rekey lifetime seconds 300
      rekey retransmit 20 number 2
      rekey authentication mypubkey rsa getvpn-export-general
      rekey transport unicast
      sa ipsec 1
       profile gdoi-profile-getvpn
       match address ipv4 199
       replay time window-size 5
      address ipv4 10.0.0.1

    Part of my GM config:

    crypto isakmp policy 10
     encr aes
     authentication pre-share
     group 2
    crypto isakmp key GM1 address 10.0.0.1
    !
    !
    crypto gdoi group australia
     identity number 1234
     server address ipv4 10.0.0.1
    !
    !
    crypto map getvpn 10 gdoi
     set group australia
    !
    interface FastEthernet0/0
     ip address 10.0.0.5 255.255.255.252
     crypto map getvpn

    I would be very grateful for ideas/suggestions/help. Regards
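The fix the poster reports in the reply above (exclude GDOI, routing protocols and telnet/ssh from the crypto ACL) can be checked mechanically. The following is an added example, not code from the thread or from Cisco: it parses an IOS extended ACL and reports which of those control-plane flows the ACL would still send into IPsec. The sample ACLs are constructed; ACL number 199 is taken from the poster's KS config ("match address ipv4 199") and its contents are assumed.

```python
"""Lint a GETVPN crypto ACL for control-plane flows that must stay out of the
encrypted group policy (added example, not code from the thread). IOS evaluates
ACLs first-match, so the deny entries must precede the catch-all permit. Ports
are IANA assignments; ACL 199 is the poster's number, its contents are assumed."""
import re
# Flows the thread says must be excluded: GDOI rekey, routing, telnet/ssh.
REQUIRED_DENIES = {
    "gdoi-rekey": ("udp", "848"),
    "eigrp": ("eigrp", None),
    "ssh": ("tcp", "22"),
    "telnet": ("tcp", "23"),
}
ACE_RE = re.compile(r"access-list\s+(?P<acl>\d+)\s+(?P<action>permit|deny)"
                    r"\s+(?P<proto>\S+)\s+(?P<rest>.*)$")

def parse_acl(text, acl_number):
    """Return the ACEs of one numbered ACL as (action, proto, rest), in order."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m and m.group("acl") == str(acl_number):
            aces.append((m.group("action"), m.group("proto").lower(), m.group("rest")))
    return aces

def ace_matches(ace, proto, port):
    """True if the ACE matches the flow; protocol 'ip' matches everything."""
    _, ace_proto, rest = ace
    if ace_proto not in (proto, "ip"):
        return False
    if port is None or ace_proto == "ip":
        return True
    return re.search(rf"\beq\s+{port}\b", rest) is not None  # src or dst port

def lint_getvpn_acl(text, acl_number):
    """Names of control-plane flows the ACL would push into IPsec; [] is clean.
    A flow matched by no ACE hits the implicit deny and is left in the clear."""
    aces = parse_acl(text, acl_number)
    bad = []
    for name, (proto, port) in REQUIRED_DENIES.items():
        first = next((a for a in aces if ace_matches(a, proto, port)), None)
        if first is not None and first[0] == "permit":
            bad.append(name)
    return bad

BROKEN_ACL = "access-list 199 permit ip any any\n"  # constructed: catch-all only
FIXED_ACL = """access-list 199 deny udp any eq 848 any eq 848
access-list 199 deny eigrp any any
access-list 199 deny tcp any any eq 22
access-list 199 deny tcp any eq 22 any
access-list 199 deny tcp any any eq 23
access-list 199 deny tcp any eq 23 any
access-list 199 permit ip any any"""  # constructed: denies precede the catch-all
```

`lint_getvpn_acl(BROKEN_ACL, 199)` lists all four flows, `lint_getvpn_acl(FIXED_ACL, 199)` returns an empty list; a permit placed above the denies is reported the same way as a missing deny, because first match wins.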
  3. and EU-HUB:

    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname EU-HUB
    !
    boot-start-marker
    boot-end-marker
    !
    !
    no aaa new-model
    memory-size iomem 5
    clock timezone CET 1
    clock summer-time CEST recurring
    ip cef
    !
    !
    ip domain name login
    !
    multilink bundle-name authenticated
    !
    !
    crypto pki trustpoint RootCA
     enrollment url http://123.123.123.30:80
     revocation-check crl
    !
    !
    crypto pki certificate chain RootCA
     certificate 0B nvram:RootCA#B.cer
     certificate ca 01 nvram:RootCA#3CA.cer
    !
    !
    archive
     log config
      hidekeys
    !
    !
    crypto isakmp policy 20
     encr 3des
     group 2
     lifetime 14400
    crypto isakmp keepalive 10 3
    !
    !
    crypto ipsec transform-set 3DES esp-3des esp-sha-hmac
     mode transport
    crypto ipsec fragmentation after-encryption
    !
    crypto ipsec profile DMVPN1
     set transform-set 3DES
    !
    !
    interface Tunnel1
     description DMVPN Cloud 1 - EU Hub spoke to dmvpn1
     bandwidth 1024
     ip address 172.26.170.2 255.255.255.0
     no ip redirects
     ip mtu 1400
     ip nhrp authentication test
     ip nhrp map multicast dynamic
     ip nhrp map 172.26.170.1 123.123.123.1
     ip nhrp map multicast 123.123.123.1
     ip nhrp network-id 100000
     ip nhrp holdtime 120
     ip nhrp nhs 172.26.170.1
     ip nhrp shortcut
     ip tcp adjust-mss 1360
     delay 100000
     tunnel source FastEthernet0/0
     tunnel mode gre multipoint
     tunnel key 100000
     tunnel protection ipsec profile DMVPN1 shared
    !
    interface Tunnel2
     description DMVPN Cloud 2 - EU
     bandwidth 1024
     ip address 172.26.180.2 255.255.255.0
     no ip redirects
     ip mtu 1400
     ip nhrp authentication test2
     ip nhrp map multicast dynamic
     ip nhrp network-id 200000
     ip nhrp holdtime 120
     ip nhrp redirect
     ip tcp adjust-mss 1360
     no ip split-horizon eigrp 999
     ip summary-address eigrp 999 172.29.0.0 255.255.0.0 5
     ip summary-address eigrp 999 172.26.0.0 255.255.0.0 5
     delay 50000
     tunnel source FastEthernet0/0
     tunnel mode gre multipoint
     tunnel key 200000
     tunnel protection ipsec profile DMVPN1 shared
    !
    interface Tunnel100
     description Hub Link
     ip address 10.1.1.2 255.255.255.0
     no ip redirects
     ip nhrp authentication test
     ip nhrp map multicast 123.123.234.1
     ip nhrp map 10.1.1.1 123.123.234.1
     ip nhrp network-id 100000
     ip nhrp redirect
     shutdown
     tunnel source FastEthernet1/0
     tunnel mode gre multipoint
     tunnel key 100000
     tunnel protection ipsec profile DMVPN1
    !
    interface FastEthernet0/0
     description LAN
     ip address 123.123.123.5 255.255.255.252
     ip policy route-map DMVPN
     speed 100
     full-duplex
    !
    interface FastEthernet0/1
     ip address 172.29.123.1 255.255.255.0
     duplex auto
     speed auto
    !
    interface FastEthernet1/0
     description Test
     ip address 123.123.234.2 255.255.255.0
     speed 100
     full-duplex
    !
    router eigrp 999
     redistribute static
     network 10.1.1.0 0.0.0.255
     network 172.26.170.0 0.0.0.255
     network 172.26.180.0 0.0.0.255
     no auto-summary
    !
    ip local policy route-map DMVPN
    ip forward-protocol nd
    !
    !
    ip http server
    no ip http secure-server
    !
    access-list 100 permit icmp any any
    access-list 123 permit ip host 123.123.123.5 any
    !
    !
    !
    route-map DMVPN permit 10
     match ip address 123
     set ip next-hop 123.123.123.6
    !
    !
    control-plane
    !
    !
    line con 0
     exec-timeout 0 0
    line aux 0
    line vty 0 4
     login
    !
    ntp clock-period 17179713
    ntp server 123.123.123.30
    !
    end

    Thanks
  4. Hello, attached are the 2 configs. 2 hubs without static routes. US-HUB:

    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname US-HUB
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered 64000
    !
    no aaa new-model
    memory-size iomem 5
    clock timezone EST -5
    clock summer-time EDT recurring
    ip cef
    !
    !
    no ip domain lookup
    ip domain name login
    !
    multilink bundle-name authenticated
    !
    !
    crypto pki trustpoint RootCA
     enrollment url http://123.123.123.30:80
     revocation-check crl
    !
    !
    crypto pki certificate chain RootCA
     certificate 0A nvram:RootCA#A.cer
     certificate ca 01 nvram:RootCA#3CA.cer
    !
    !
    archive
     log config
      hidekeys
    !
    !
    crypto isakmp policy 20
     encr 3des
     group 2
     lifetime 14400
    crypto isakmp keepalive 10 3
    !
    !
    crypto ipsec transform-set 3DES esp-3des esp-sha-hmac
     mode transport
    crypto ipsec fragmentation after-encryption
    !
    crypto ipsec profile DMVPN1
     set transform-set 3DES
    !
    !
    interface Loopback0
     ip address 172.29.254.254 255.255.255.255
    !
    interface Tunnel1
     description DMVPN Cloud 1 - US
     bandwidth 1024
     ip address 172.26.170.1 255.255.255.0
     no ip redirects
     ip mtu 1400
     ip nhrp authentication test
     ip nhrp map multicast dynamic
     ip nhrp network-id 100000
     ip nhrp holdtime 120
     ip nhrp redirect
     ip tcp adjust-mss 1360
     no ip split-horizon eigrp 999
     ip summary-address eigrp 999 172.29.0.0 255.255.0.0 5
     ip summary-address eigrp 999 172.26.0.0 255.255.0.0 5
     delay 50000
     tunnel source FastEthernet0/0
     tunnel mode gre multipoint
     tunnel key 100000
     tunnel protection ipsec profile DMVPN1 shared
    !
    interface Tunnel2
     description DMVPN Cloud 2 - US HUB Spoke to DMVPN2
     bandwidth 1024
     ip address 172.26.180.1 255.255.255.0
     no ip redirects
     ip mtu 1400
     ip nhrp authentication test2
     ip nhrp map multicast dynamic
     ip nhrp map multicast 123.123.123.5
     ip nhrp map 172.26.180.2 123.123.123.5
     ip nhrp network-id 200000
     ip nhrp holdtime 120
     ip nhrp nhs 172.26.180.2
     ip nhrp shortcut
     ip tcp adjust-mss 1360
     delay 100000
     tunnel source FastEthernet0/0
     tunnel mode gre multipoint
     tunnel key 200000
     tunnel protection ipsec profile DMVPN1 shared
    !
    interface Tunnel100
     description Hub Link
     ip address 10.1.1.1 255.255.255.0
     no ip redirects
     ip nhrp authentication test
     ip nhrp map multicast 123.123.234.2
     ip nhrp map 10.1.1.2 123.123.234.2
     ip nhrp network-id 100000
     ip nhrp redirect
     shutdown
     tunnel source FastEthernet1/0
     tunnel mode gre multipoint
     tunnel key 100000
     tunnel protection ipsec profile DMVPN1
    !
    interface FastEthernet0/0
     description Internet Connection
     ip address 123.123.123.1 255.255.255.252
     ip policy route-map DMVPN
     speed 100
     full-duplex
    !
    interface FastEthernet0/1
     description LAN
     ip address 172.26.123.1 255.255.255.0
     duplex auto
     speed auto
    !
    interface FastEthernet1/0
     description :Hub link
     ip address 123.123.234.1 255.255.255.0
     duplex auto
     speed 100
    !
    router eigrp 999
     redistribute static
     network 10.1.1.0 0.0.0.255
     network 172.26.123.0 0.0.0.255
     network 172.26.170.0 0.0.0.255
     network 172.26.180.0 0.0.0.255
     no auto-summary
    !
    ip local policy route-map DMVPN
    ip forward-protocol nd
    !
    !
    ip http server
    no ip http secure-server
    !
    access-list 100 permit icmp any any
    access-list 123 permit ip host 123.123.123.1 any
    !
    !
    route-map DMVPN permit 10
     match ip address 123
     set ip next-hop 123.123.123.2
    !
    !
    control-plane
    !
    !
    line con 0
    line aux 0
    line vty 0 4
     login
    !
    ntp clock-period 17179652
    ntp server 123.123.123.30
    !
    end
  5. interface: Tunnel2
        Crypto map tag: DMVPN1-head-1, local addr 123.123.123.5

       protected vrf: (none)
       local  ident (addr/mask/prot/port): (123.123.123.5/255.255.255.255/47/0)
       remote ident (addr/mask/prot/port): (123.123.123.1/255.255.255.255/47/0)
       current_peer 123.123.123.1 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 222, #pkts encrypt: 222, #pkts digest: 222
        #pkts decaps: 87, #pkts decrypt: 87, #pkts verify: 87
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 6, #recv errors 0

         local crypto endpt.: 123.123.123.5, remote crypto endpt.: 123.123.123.1
         path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
         current outbound spi: 0x6753A659(1733535321)

         inbound esp sas:
          spi: 0x549C5B13(1419533075)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Transport, }
            conn id: 1, flow_id: SW:1, crypto map: DMVPN1-head-1
            sa timing: remaining key lifetime (k/sec): (4561615/2881)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE

         inbound ah sas:

         inbound pcp sas:

         outbound esp sas:
          spi: 0x6753A659(1733535321)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Transport, }
            conn id: 2, flow_id: SW:2, crypto map: DMVPN1-head-1
            sa timing: remaining key lifetime (k/sec): (4561599/2881)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE

         outbound ah sas:

         outbound pcp sas:

    EU-HUB(config)#
    EU-HUB(config)#do sh ip eigrp neigh
    IP-EIGRP neighbors for process 999
    H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                                (sec)         (ms)       Cnt Num
    1   172.26.170.1            Tu1               12 00:07:54  465  2790  0  3
    0   172.26.180.1            Tu2               10 00:08:05  388  2328  0  6
    EU-HUB(config)

    -----

    So: if I try the whole thing without static routes and without crypto (i.e. with ip local policy), the EIGRP adjacencies work. When using crypto and a static route, the EIGRP adjacencies work. With the combination of crypto and ip local policy (without static routes), the EIGRP adjacencies do not work.

    Somehow it must be down to the combination of crypto, ip local policy and EIGRP. But I can't figure it out. By the way, I have a similar problem with ntp and ip local policy. Only with static routes do the routers connect to the ntp server; without static routes they don't. As if the ip local policy were not working. Thanks for your help. Regards, Anmelka

    P.S.: Sorry for the German-English mix. Sometimes the German words just don't come to me.
  6. If I add a static route on the hub and on the spoke, the EIGRP adjacencies work immediately. See:

    --

    EU-HUB(config)#do sh dmvpn
    Legend: Attrb --> S - Static, D - Dynamic, I - Incompletea
            N - NATed, L - Local, X - No Socket
            # Ent --> Number of NHRP entries with same NBMA peer

    Tunnel1, Type:Spoke, NHRP Peers:1,
     # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
     ----- --------------- --------------- ----- -------- -----
         1 123.123.123.1   172.26.170.1    UP    00:00:50 S

    Tunnel2, Type:Hub, NHRP Peers:1,
     # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
     ----- --------------- --------------- ----- -------- -----
         1 123.123.123.1   172.26.180.1    UP    never    D

    EU-HUB(config)#
    EU-HUB(config)#
    EU-HUB(config)#
    EU-HUB(config)#do sh crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id slot status
    123.123.123.1   123.123.123.5   QM_IDLE           1001    0 ACTIVE

    IPv6 Crypto ISAKMP SA

    EU-HUB(config)#
    EU-HUB(config)#
    EU-HUB(config)#do sh crypto ipsec sa

    interface: Tunnel1
        Crypto map tag: DMVPN1-head-1, local addr 123.123.123.5

       protected vrf: (none)
       local  ident (addr/mask/prot/port): (123.123.123.5/255.255.255.255/47/0)
       remote ident (addr/mask/prot/port): (123.123.123.1/255.255.255.255/47/0)
       current_peer 123.123.123.1 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 221, #pkts encrypt: 221, #pkts digest: 221
        #pkts decaps: 87, #pkts decrypt: 87, #pkts verify: 87
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 6, #recv errors 0

         local crypto endpt.: 123.123.123.5, remote crypto endpt.: 123.123.123.1
         path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
         current outbound spi: 0x6753A659(1733535321)

         inbound esp sas:
          spi: 0x549C5B13(1419533075)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Transport, }
            conn id: 1, flow_id: SW:1, crypto map: DMVPN1-head-1
            sa timing: remaining key lifetime (k/sec): (4561615/2882)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE

         inbound ah sas:

         inbound pcp sas:

         outbound esp sas:
          spi: 0x6753A659(1733535321)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Transport, }
            conn id: 2, flow_id: SW:2, crypto map: DMVPN1-head-1
            sa timing: remaining key lifetime (k/sec): (4561599/2882)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE

         outbound ah sas:

         outbound pcp sas:
  7. interface: Tunnel2
        Crypto map tag: DMVPN1-head-1, local addr 123.123.123.5

       protected vrf: (none)
       local  ident (addr/mask/prot/port): (123.123.123.5/255.255.255.255/47/0)
       remote ident (addr/mask/prot/port): (123.123.123.1/255.255.255.255/47/0)
       current_peer 123.123.123.1 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 652, #pkts encrypt: 652, #pkts digest: 652
        #pkts decaps: 342, #pkts decrypt: 342, #pkts verify: 342
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 6, #recv errors 0

         local crypto endpt.: 123.123.123.5, remote crypto endpt.: 123.123.123.1
         path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
         current outbound spi: 0x6753A659(1733535321)

         inbound esp sas:
          spi: 0x549C5B13(1419533075)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Transport, }
            conn id: 1, flow_id: SW:1, crypto map: DMVPN1-head-1
            sa timing: remaining key lifetime (k/sec): (4561584/1792)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE

         inbound ah sas:

         inbound pcp sas:

         outbound esp sas:
          spi: 0x6753A659(1733535321)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Transport, }
            conn id: 2, flow_id: SW:2, crypto map: DMVPN1-head-1
            sa timing: remaining key lifetime (k/sec): (4561545/1792)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE

         outbound ah sas:

         outbound pcp sas:

    EU-HUB(config)#
    EU-HUB(config)#
    EU-HUB(config)#do sh ip eigrp neigh
    IP-EIGRP neighbors for process 999
    EU-HUB(config)#

    ---------

    Hellos are sent but never arrive.
  8. Hello, after reading the forum regularly for quite a while now, it is time for my first post. I am currently testing DMVPN phase 3 on several 3725 routers (IOS c3725-advipservicesk9-mz.124-15.T7.bin). I have everything running so far, but unfortunately only with static routes. Since the whole thing will end up with around 80 spokes, I would have to create around 80 static routes on each hub. That shouldn't be necessary (hopefully). Because of the design I cannot use a default route on the hub and spoke routers. So my idea was to use an "ip local policy". The config is attached.

    ip local policy route-map DMVPN
    access-list 123 permit ip host 123.123.123.1 any
    route-map DMVPN permit 10
     match ip address 123
     set ip next-hop 123.123.123.2

    My problem when using the ip local policy is that crypto is established, but no EIGRP adjacencies.

    --------

    EU-HUB(config)#do sh dmvpn
    Legend: Attrb --> S - Static, D - Dynamic, I - Incompletea
            N - NATed, L - Local, X - No Socket
            # Ent --> Number of NHRP entries with same NBMA peer

    Tunnel1, Type:Spoke, NHRP Peers:1,
     # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
     ----- --------------- --------------- ----- -------- -----
         1 123.123.123.1   172.26.170.1    NHRP 00:08:15 S

    EU-HUB(config)#
    EU-HUB(config)#
    EU-HUB(config)#do sh crypto isakm sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id slot status
    123.123.123.1   123.123.123.5   QM_IDLE           1001    0 ACTIVE

    IPv6 Crypto ISAKMP SA

    EU-HUB(config)#
    EU-HUB(config)#do sh crypto ipsec sa

    interface: Tunnel1
        Crypto map tag: DMVPN1-head-1, local addr 123.123.123.5

       protected vrf: (none)
       local  ident (addr/mask/prot/port): (123.123.123.5/255.255.255.255/47/0)
       remote ident (addr/mask/prot/port): (123.123.123.1/255.255.255.255/47/0)
       current_peer 123.123.123.1 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 652, #pkts encrypt: 652, #pkts digest: 652
        #pkts decaps: 342, #pkts decrypt: 342, #pkts verify: 342
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 6, #recv errors 0

         local crypto endpt.: 123.123.123.5, remote crypto endpt.: 123.123.123.1
         path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
         current outbound spi: 0x6753A659(1733535321)

         inbound esp sas:
          spi: 0x549C5B13(1419533075)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Transport, }
            conn id: 1, flow_id: SW:1, crypto map: DMVPN1-head-1
            sa timing: remaining key lifetime (k/sec): (4561584/1793)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE

         inbound ah sas:

         inbound pcp sas:

         outbound esp sas:
          spi: 0x6753A659(1733535321)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Transport, }
            conn id: 2, flow_id: SW:2, crypto map: DMVPN1-head-1
            sa timing: remaining key lifetime (k/sec): (4561545/1793)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE

         outbound ah sas:

         outbound pcp sas: