1. Check basic connectivity
ping, traceroute
2. The following protocols must be allowed through for DMVPN to work
UDP port 500: IKE phase 1 (ISAKMP) negotiation, used by default
UDP port 4500: used when NAT traversal (NAT-T) is in play
IP protocol 50 (ESP): carries the encrypted IPsec traffic, i.e. IKE phase 2
3. Do we have compatible IKE phase 1 policies?
Do we have a compatible transform-set?
Do we have the correct authentication (pre-shared key) setup?
! Prep to break R2
conf t
interface gig 1/0
shutdown
interface Tunnel0
tunnel key 7683
exit
crypto isakmp policy 5
encr aes 128
exit
no crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
no crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto ipsec transform-set OURSET esp-aes 256 esp-md5-hmac
mode transport
exit
logging console 7
end
clear crypto sa
undebug all
clear log
! Fix R2
interface gig 1/0
no shutdown
interface Tunnel0
tunnel key 6783
exit
crypto isakmp policy 5
encr aes 256
exit
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto ipsec transform-set OURSET esp-aes 256 esp-sha-hmac
mode transport
exit
Troubleshooting Steps:
! R2:
ping 15.0.0.1
show ip int brief | exclude unassigned
conf t
int gig 1/0
no shutdown
exit
do ping 15.0.0.1
! R1
show ip nhrp
show run interface tunnel 0
! R2
do show run interface tunnel 0
interface Tunnel0
tunnel key 6783
exit
do ping 10.1.1.1 repeat 1
do show ip route
do show ip protocols
do show ip eigrp neighbor
! Remove ipsec profiles for testing
do show run interface tunnel 0
interface tunnel 0
no tunnel protection ipsec profile OUR_IPSec_PROFILE
! R1
conf t
do show run int tunnel 0
interface tunnel 0
no tunnel protection ipsec profile OUR_IPSec_PROFILE
! R2
do show ip route eigrp
do ping 10.1.1.1 repeat 1
! R1
tunnel protection ipsec profile OUR_IPSec_PROFILE
end
! R2
tunnel protection ipsec profile OUR_IPSec_PROFILE
exit
interface gig 1/0
shutdown
exit
logging buffered 7
no logging console
do clear log
! R1
conf t
logging buffered 7
logging console 7
do debug crypto isakmp
! R2
interface gig 1/0
no shutdown
exit
! R1
no logging console
end
undebug all
show crypto isakmp policy
! R2
do show crypto isakmp policy
crypto isakmp policy 5
encr aes 256
exit
do show crypto isakmp policy
do show crypto isakmp sa
! R1
conf t
logging console 7
do clear log
do debug crypto isakmp
! R2
interface gig 1/0
shutdown
do show crypto isakmp sa
do clear crypto isakmp
do show crypto isakmp sa
no shutdown
exit
! R1
no logging console
do undebug all
do show crypto isakmp key
! R2
do show crypto isakmp key
! R2
do show run | section crypto
no crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
do show crypto isakmp sa
do show crypto engine connections active
do show crypto ipsec sa
! IKE Phase 2
! R1
do clear log
do show debug
do debug crypto isakmp
do debug crypto ipsec
logging console 7
! R2
interface gig 1/0
shutdown
no shutdown
exit
! R1
no logging console
do undebug all
do show crypto ipsec transform-set
do show run | section crypto
! R2
do show crypto ipsec transform-set
do show run | section transform
crypto ipsec transform-set OURSET esp-aes 256 esp-sha-hmac
mode transport
end
show crypto isakmp sa
show crypto ipsec sa
show crypto engine connections active
ping 10.3.3.3 source 10.2.2.2 repeat 1
show dmvpn detail : shows the mapping between the GRE tunnel address and the actual Internet IP address of each peer.
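The four mismatches this lab injects into R2 (tunnel key, ISAKMP policy encryption, pre-shared key, transform-set hash) are exactly the items in checklist step 3. As an added example, not part of the original notes, the script below parses the relevant lines of two running configs and reports every parameter that differs between the peers; the two config snippets are constructed from the values in the lab, not captured from real routers.

```python
import re

# Constructed sample configs (not captured from the lab routers): R1 holds
# the intended values, R2 carries the four mismatches from "Prep to break R2".
R1_CONFIG = """
interface Tunnel0
 tunnel key 6783
crypto isakmp policy 5
 encr aes 256
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto ipsec transform-set OURSET esp-aes 256 esp-sha-hmac
"""
R2_CONFIG = """
interface Tunnel0
 tunnel key 7683
crypto isakmp policy 5
 encr aes 128
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto ipsec transform-set OURSET esp-aes 256 esp-md5-hmac
"""

def parse_config(text):
    """Extract the DMVPN/IPsec parameters the checklist compares."""
    params, section = {}, ""
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indented = raw.startswith(" ")
        line = raw.strip()
        if not indented:
            section = line  # top-level line opens a new config section
            m = re.match(r"crypto isakmp key (\S+) address", line)
            if m:
                params["isakmp key"] = m.group(1)
            m = re.match(r"crypto ipsec transform-set (\S+) (.+)", line)
            if m:
                params["transform-set " + m.group(1)] = m.group(2)
        elif section.startswith("interface Tunnel") and line.startswith("tunnel key "):
            params["tunnel key"] = line.split()[-1]
        elif section.startswith("crypto isakmp policy") and line.startswith("encr "):
            params[section + " encr"] = line[len("encr "):]
    return params

def compare_peers(cfg_a, cfg_b):
    """Return {parameter: (a_value, b_value)} for each value that differs."""
    a, b = parse_config(cfg_a), parse_config(cfg_b)
    return {k: (a.get(k), b.get(k))
            for k in sorted(a.keys() | b.keys()) if a.get(k) != b.get(k)}

if __name__ == "__main__":
    for name, (r1, r2) in compare_peers(R1_CONFIG, R2_CONFIG).items():
        print(f"MISMATCH {name}: R1={r1!r} R2={r2!r}")
```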