Virtual Router/ Firewall/ VPN

Occasional Visitor
Posts: 1
Registered: ‎03-11-2015

vyatta dmvpn

Hi,

I am new to Vyatta as well as to networking.

I am following the link

http://www.brocade.com/downloads/documents/html_product_manuals/vyatta/vyatta_5600_manual/VPN_DMVPN/wwhelp/wwhimpl/common/html/wwhelp.htm#href=DMVPN%20Config%20Examples.3.07.html&single=true

It works fine, but whenever I reboot a node, all settings for that node stop working.

(I am unable to ping the hub after reboot.)

Please guide. Thanks.

Occasional Contributor
Posts: 9
Registered: ‎06-13-2016

Re: vyatta dmvpn

Hi Experts,

I am trying to bring up DMVPN between a Vyatta 5600 as hub and a Cisco CSR1000v as spoke, and it is not working.

Previously we were using the 5400 router and there was a known issue which we figured out was a bug.

--We have two bugs related to the issue in vRouter 5600. The bug VRVDR-26487 is reported in 5600 4.1R3 and VRVDR-11476 is reported in 5600 3.5R3.

--These bugs are fixed in 5600 4.2R1.

--The details of the bug VRVDR-26487 are below:

- Spoke behind NAT fails to connect to hub in DMVPN.

Now we are running the 5600 and the recommended code, but still it is not working. I will really appreciate it if you could help in resolving the issue.

vyatta@vyatta:~$ show configuration commands | grep tunn

set interfaces tunnel tun0 address '172.16.1.1/24'

set interfaces tunnel tun0 encapsulation 'gre-multipoint'

set interfaces tunnel tun0 local-ip '52.25.134.3'

set interfaces tunnel tun0 multicast 'disable'

set interfaces tunnel tun0 nhrp 'redirect'

set security vpn ipsec profile DMVPN bind tunnel 'tun0'

vyatta@vyatta:~$ show configuration commands | grep vpn

set security vpn ipsec esp-group ESP-1H compression 'disable'

set security vpn ipsec esp-group ESP-1H lifetime '3600'

set security vpn ipsec esp-group ESP-1H mode 'transport'

set security vpn ipsec esp-group ESP-1H pfs 'dh-group5'

set security vpn ipsec esp-group ESP-1H proposal 2 encryption '3des'

set security vpn ipsec esp-group ESP-1H proposal 2 hash 'md5'

set security vpn ipsec ike-group IKE-1H lifetime '86400'

set security vpn ipsec ike-group IKE-1H proposal 1 encryption 'aes256'

set security vpn ipsec ike-group IKE-1H proposal 1 hash 'md5'

set security vpn ipsec nat-traversal 'enable'

set security vpn ipsec profile DMVPN authentication mode 'pre-shared-secret'

set security vpn ipsec profile DMVPN authentication pre-shared-secret 'NET123'

set security vpn ipsec profile DMVPN bind tunnel tun0

set security vpn ipsec profile DMVPN esp-group 'ESP-1H'

set security vpn ipsec profile DMVPN ike-group 'IKE-1H'

vyatta@vyatta:~$ 

vyatta@vyatta:~$ show configuration commands | grep bgp

set protocols bgp 1 neighbor 172.16.1.2 password cisco

set protocols bgp 1 neighbor 172.16.1.2 remote-as '2'


Jul 02 12:52:32 vyatta charon[5041]: 11[ENC] <30> generating INFORMATIONAL_V1 request 2479204548 [ N(NO_PROP) ]

Jul 02 12:52:32 vyatta charon[5041]: 11[NET] <30> sending packet: from 172.31.1.103[500] to 52.34.117.175[500] (40 bytes)

Jul 02 12:52:48 vyatta charon[5041]: 14[NET] <31> received packet: from 52.34.117.175[500] to 172.31.1.103[500] (168 bytes)

Jul 02 12:52:48 vyatta charon[5041]: 14[ENC] <31> parsed ID_PROT request 0 [ SA V V V V ]

Jul 02 12:52:48 vyatta charon[5041]: 14[IKE] <31> no IKE config found for 172.31.1.103...52.34.117.175, sending NO_PROPOSAL_CHOSEN

Jul 02 12:52:48 vyatta charon[5041]: 14[ENC] <31> generating INFORMATIONAL_V1 request 2030699292 [ N(NO_PROP) ]

Jul 02 12:52:48 vyatta charon[5041]: 14[NET] <31> sending packet: from 172.31.1.103[500] to 52.34.117.175[500] (40 bytes)

Jul 02 12:52:58 vyatta charon[5041]: 13[NET] <32> received packet: from 52.34.117.175[500] to 172.31.1.103[500] (168 bytes)

Jul 02 12:52:58 vyatta charon[5041]: 13[ENC] <32> parsed ID_PROT request 0 [ SA V V V V ]

Jul 02 12:52:58 vyatta charon[5041]: 13[IKE] <32> no IKE config found for 172.31.1.103...52.34.117.175, sending NO_PROPOSAL_CHOSEN

Jul 02 12:52:58 vyatta charon[5041]: 13[ENC] <32> generating INFORMATIONAL_V1 request 2973056783 [ N(NO_PROP) ]

Jul 02 12:52:58 vyatta charon[5041]: 13[NET] <32> sending packet: from 172.31.1.103[500] to 52.34.117.175[500] (40 bytes)

Jul 02 12:53:08 vyatta charon[5041]: 10[NET] <33> received packet: from 52.34.117.175[500] to 172.31.1.103[500] (168 bytes)

Jul 02 12:53:08 vyatta charon[5041]: 10[ENC] <33> parsed ID_PROT request 0 [ SA V V V V ]

Jul 02 12:53:08 vyatta charon[5041]: 10[IKE] <33> no IKE config found for 172.31.1.103...52.34.117.175, sending NO_PROPOSAL_CHOSEN

Jul 02 12:53:08 vyatta charon[5041]: 10[ENC] <33> generating INFORMATIONAL_V1 request 2515714400 [ N(NO_PROP) ]

Jul 02 12:53:08 vyatta charon[5041]: 10[NET] <33> sending packet: from 172.31.1.103[500] to 52.34.117.175[500] (40 bytes)

Jul 02 12:53:18 vyatta charon[5041]: 12[NET] <34> received packet: from 52.34.117.175[500] to 172.31.1.103[500] (168 bytes)

Jul 02 12:53:18 vyatta charon[5041]: 12[ENC] <34> parsed ID_PROT request 0 [ SA V V V V ]

Jul 02 12:53:18 vyatta charon[5041]: 12[IKE] <34> no IKE config found for 172.31.1.103...52.34.117.175, sending NO_PROPOSAL_CHOSEN

Jul 02 12:53:18 vyatta charon[5041]: 12[ENC] <34> generating INFORMATIONAL_V1 request 702257603 [ N(NO_PROP) ]

Jul 02 12:53:18 vyatta charon[5041]: 12[NET] <34> sending packet: from 172.31.1.103[500] to 52.34.117.175[500] (40 bytes)

Jul 02 12:53:28 vyatta charon[5041]: 15[NET] <35> received packet: from 52.34.117.175[500] to 172.31.1.103[500] (168 bytes)

Jul 02 12:53:28 vyatta charon[5041]: 15[ENC] <35> parsed ID_PROT request 0 [ SA V V V V ]

Jul 02 12:53:28 vyatta charon[5041]: 15[IKE] <35> no IKE config found for 172.31.1.103...52.34.117.175, sending NO_PROPOSAL_CHOSEN

Jul 02 12:53:28 vyatta charon[5041]: 15[ENC] <35> generating INFORMATIONAL_V1 request 3084676352 [ N(NO_PROP) ]

Jul 02 12:53:28 vyatta charon[5041]: 15[NET] <35> sending packet: from 172.31.1.103[500] to 52.34.117.175[500] (40 bytes)

Jul 02 12:53:38 vyatta charon[5041]: 11[NET] <36> received packet: from 52.34.117.175[500] to 172.31.1.103[500] (168 bytes)

Jul 02 12:53:38 vyatta charon[5041]: 11[ENC] <36> parsed ID_PROT request 0 [ SA V V V V ]

Jul 02 12:53:38 vyatta charon[5041]: 11[IKE] <36> no IKE config found for 172.31.1.103...52.34.117.175, sending NO_PROPOSAL_CHOSEN

Jul 02 12:53:38 vyatta charon[5041]: 11[ENC] <36> generating INFORMATIONAL_V1 request 3325119730 [ N(NO_PROP) ]

Jul 02 12:53:38 vyatta charon[5041]: 11[NET] <36> sending packet: from 172.31.1.103[500] to 52.34.117.175[500] (40 bytes)

Jul 02 12:53:59 vyatta charon[5041]: 09[NET] <37> received packet: from 52.34.117.175[500] to 172.31.1.103[500] (168 bytes)

Jul 02 12:53:59 vyatta charon[5041]: 09[ENC] <37> parsed ID_PROT request 0 [ SA V V V V ]

Jul 02 12:53:59 vyatta charon[5041]: 09[IKE] <37> no IKE config found for 172.31.1.103...52.34.117.175, sending NO_PROPOSAL_CHOSEN

Jul 02 12:53:59 vyatta charon[5041]: 09[ENC] <37> generating INFORMATIONAL_V1 request 338436711 [ N(NO_PROP) ]

Jul 02 12:53:59 vyatta charon[5041]: 09[NET] <37> sending packet: from 172.31.1.103[500] to 52.34.117.175[500] (40 bytes)


ip-172-31-16-49#show configuration 

Using 2496 out of 33554432 bytes

!

! Last configuration change at 13:10:43 UTC Sat Jul 2 2016 by cisco

!

version 15.5

service timestamps debug datetime msec

service timestamps log datetime msec

no platform punt-keepalive disable-kernel-core

platform console virtual

!

hostname ip-172-31-16-49

!

boot-start-marker

boot-end-marker

!

!

logging persistent size 1000000 filesize 8192 immediate

enable secret 5 $1$9PeV$1j4dIgXEBPstJ9XX41p4Y/

!

no aaa new-model

!

!

!

!

!

!

!

!

!

!

!


!

!

!

!

!

!

!

!

!

!

subscriber templating

!         

multilink bundle-name authenticated

!         

!

!

!

!

crypto pki trustpoint TP-self-signed-3665350130

 enrollment selfsigned

 subject-name cn=IOS-Self-Signed-Certificate-3665350130

 revocation-check none

 rsakeypair TP-self-signed-3665350130

!

!

crypto pki certificate chain TP-self-signed-3665350130

 certificate self-signed 01 nvram:IOS-Self-Sig#1.cer

!

!

!

!

!

!

!

license udi pid CSR1000V sn 9SEIKH49AL3

license boot level ax

!

spanning-tree extend system-id

!

username ec2-user privilege 15 secret 5 $1$.z71$cvzUFgNgND5o9m3itdvLH/

username cisco privilege 15 password 0 cisco

 

!

redundancy

!

!

!

!

!

!

!

!

!

!

!

crypto isakmp policy 10

 encr aes 256

 hash md5 

 authentication pre-share

 group 5

crypto isakmp key NET123 address 0.0.0.0        

!

!

crypto ipsec transform-set xform esp-3des esp-md5-hmac 

 mode transport

!

crypto ipsec profile DMVPN

 set transform-set xform 

 set pfs group5

!

!

!

!

!

!

!

!

interface Loopback0

 ip address 192.168.175.1 255.255.255.252

!

interface Tunnel0

 ip address 172.16.0.1 255.255.255.0

 no ip redirects

 ip nhrp map multicast dynamic

 ip nhrp network-id 1

 ip nhrp nhs 172.16.1.1 nbma 52.25.134.3 multicast

 ip nhrp shortcut

 ip nhrp redirect

 tunnel source GigabitEthernet1

 tunnel mode gre multipoint

 tunnel protection ipsec profile DMVPN

!

interface GigabitEthernet1

 ip address dhcp

 negotiation auto

!

router bgp 2

 bgp log-neighbor-changes

 neighbor 172.16.1.1 remote-as 1

 neighbor 172.16.1.1 password cisco

!

!

virtual-service csr_mgmt

 ip shared host-interface GigabitEthernet1

 activate

!

ip forward-protocol nd

!

no ip http server

ip http secure-server

ip ssh rsa keypair-name ssh-key

ip ssh logging events

ip ssh version 2

ip ssh pubkey-chain

  username ec2-user

   key-hash ssh-rsa 0FEE591E87368E16E69219BEDE1E77BD CSR1000V-KEY-BOYL

ip scp server enable

!

!

!

!

!

control-plane

!

 !

 !

 !

 !

!

!

!

!

!

line con 0

 stopbits 1

line vty 0 4

 login local

 transport input ssh

!

!

end

          

ip-172-31-16-49#   

*Jul  2 13:18:20.908: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...

*Jul  2 13:18:20.908: ISAKMP: (0):: incrementing error counter on sa, attempt 3 of 5: retransmit phase 1

*Jul  2 13:18:20.908: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE

*Jul  2 13:18:20.908: ISAKMP-PAK: (0):sending packet to 52.25.134.3 my_port 500 peer_port 500 (I) MM_NO_STATE

*Jul  2 13:18:20.908: ISAKMP: (0):Sending an IKE IPv4 Packet.

*Jul  2 13:18:20.908: IPSEC:(SESSION ID = 221) (key_engine) request timer fired: count = 1,

  (identity) local= 172.31.16.49:0, remote= 52.25.134.3:0,

    local_proxy= 172.31.16.49/255.255.255.255/47/0,

    remote_proxy= 52.25.134.3/255.255.255.255/47/0

*Jul  2 13:18:20.908: IPSEC(sa_request): ,

  (key eng. msg.) OUTBOUND local= 172.31.16.49:500, remote= 52.25.134.3:500,

    local_proxy= 172.31.16.49/255.255.255.255/47/0,

    remote_proxy= 52.25.134.3/255.255.255.255/47/0,

    protocol= ESP, transform= esp-3des esp-md5-hmac  (Transport), 

    lifedur= 3600s and 4608000kb, 

    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0

*Jul  2 13:18:20.909: ISAKMP: (0):set new node 0 to QM_IDLE      

*Jul  2 13:18:20.909: ISAKMP-ERROR: (0):SA is still budding. Attached new ipsec request to it. (local 172.31.16.49, remote 52.25.134.3)

*Jul  2 13:18:20.909: ISAKMP-ERROR: (0):Error while processing SA request: Failed to initialize SA

*Jul  2 13:18:20.909: ISAKMP-ERROR: (0):Error while processing KMI message 0, error 2.

*Jul  2 13:18:20.912: ISAKMP-PAK: (0):received packet from 52.25.134.3 dport 500 sport 500 Global (I) MM_NO_STATE

*Jul  2 13:18:20.912: ISAKMP-ERROR: (0):Couldn't find node: message_id 4096195092

*Jul  2 13:18:20.913: ISAKMP-ERROR: (0):(0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY:  state = IKE_I_MM1

*Jul  2 13:18:20.914: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY

*Jul  2 13:18:20.914: ISAKMP: (0):Old State = IKE_I_MM1  New State = IKE_I_MM1 

 

*Jul  2 13:18:30.909: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...

*Jul  2 13:18:30.909: ISAKMP: (0):: incrementing error counter on sa, attempt 4 of 5: retransmit phase 1

*Jul  2 13:18:30.909: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE

*Jul  2 13:18:30.909: ISAKMP-PAK: (0):sending packet to 52.25.134.3 my_port 500 peer_port 500 (I) MM_NO_STATE

*Jul  2 13:18:30.909: ISAKMP: (0):Sending an IKE IPv4 Packet.

*Jul  2 13:18:30.913: ISAKMP-PAK: (0):received packet from 52.25.134.3 dport 500 sport 500 Global (I) MM_NO_STATE

*Jul  2 13:18:30.913: ISAKMP-ERROR: (0):Couldn't find node: message_id 4181198011

*Jul  2 13:18:30.915: ISAKMP-ERROR: (0):(0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY:  state = IKE_I_MM1

*Jul  2 13:18:30.923: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY

*Jul  2 13:18:30.923: ISAKMP: (0):Old State = IKE_I_MM1  New State = IKE_I_MM1 

 

 

Regards

Syed
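An added example, not part of Syed's post and not Brocade or Cisco tooling: a small Python checker that reads the hub's `show configuration commands` output and the charon log excerpt above and separates the two questions the thread mixes together. The charon lines say `no IKE config found for 172.31.1.103...52.34.117.175`: the hub received the spoke's ID_PROT (main mode) on 172.31.1.103, while tun0 is bound to local-ip 52.25.134.3. strongSwan picks a connection by local/remote address before it looks at proposals, so the NO_PROPOSAL_CHOSEN here is an address-matching failure and no cipher change on either side will clear it; the CSR's `MM_NO_STATE` retransmits and the `IKE_INFO_NOTIFY` arriving in state MM1 are that same rejection seen from the spoke. (Both routers carry 172.31.x.x addresses yet are reached on public ones, which is consistent with address translation in front of each, though the thread does not say so.) The script also compares the posted IKE and ESP parameters side by side: the Cisco policy states `group 5` while the Vyatta IKE-1H proposal states no dh-group, so that value rests on a hub default the thread does not show; and it lists the legacy algorithms (MD5, 3DES) both ends agreed to. The `SPOKE` dictionary is hand-transcribed from the CSR config; the config and log strings are constructed from the thread.

```python
"""Hub-side checks for the symptom in the thread: charon answering NO_PROPOSAL_CHOSEN
with "no IKE config found", plus an IKE/ESP comparison of the two posted configs.
All inputs are constructed from the thread; nothing here is vendor tooling."""
import re
from collections import defaultdict

# Constructed from the Vyatta hub output posted above (relevant lines only).
HUB_CONFIG = """\
set interfaces tunnel tun0 local-ip '52.25.134.3'
set security vpn ipsec esp-group ESP-1H mode 'transport'
set security vpn ipsec esp-group ESP-1H pfs 'dh-group5'
set security vpn ipsec esp-group ESP-1H proposal 2 encryption '3des'
set security vpn ipsec esp-group ESP-1H proposal 2 hash 'md5'
set security vpn ipsec ike-group IKE-1H lifetime '86400'
set security vpn ipsec ike-group IKE-1H proposal 1 encryption 'aes256'
set security vpn ipsec ike-group IKE-1H proposal 1 hash 'md5'
set security vpn ipsec profile DMVPN bind tunnel tun0
set security vpn ipsec profile DMVPN esp-group 'ESP-1H'
set security vpn ipsec profile DMVPN ike-group 'IKE-1H'
"""

# Constructed from the charon excerpt posted above (two of the repeating lines).
CHARON_LOG = """\
Jul 02 12:52:48 vyatta charon[5041]: 14[ENC] <31> parsed ID_PROT request 0 [ SA V V V V ]
Jul 02 12:52:48 vyatta charon[5041]: 14[IKE] <31> no IKE config found for 172.31.1.103...52.34.117.175, sending NO_PROPOSAL_CHOSEN
Jul 02 12:52:58 vyatta charon[5041]: 13[IKE] <32> no IKE config found for 172.31.1.103...52.34.117.175, sending NO_PROPOSAL_CHOSEN
"""

# Transcribed by hand from the CSR1000v config above (isakmp policy 10, transform-set
# xform, ipsec profile DMVPN), spelled the way the Vyatta config spells the same values.
SPOKE = {
    "ike": {"encryption": "aes256", "hash": "md5", "dh-group": "5"},
    "esp": {"encryption": "3des", "hash": "md5", "mode": "transport", "pfs": "5"},
}

SET_RE = re.compile(r"^set (?P<path>.+?) (?P<value>'[^']*'|\S+)$")
IP = r"\d+(?:\.\d+){3}"
NO_CONFIG_RE = re.compile(rf"no IKE config found for (?P<local>{IP})\.\.\.(?P<remote>{IP})")
LEGACY = {"md5", "3des"}  # both peers accept these here; not something to keep long term


def parse_vyatta(text):
    """`show configuration commands` output -> {path: value}, quotes stripped."""
    cfg = {}
    for line in text.splitlines():
        m = SET_RE.match(line.strip())
        if m:
            cfg[m.group("path")] = m.group("value").strip("'")
    return cfg


def charon_rejections(text):
    """(local, remote) pairs charon could not map to any configured connection."""
    return {(m.group("local"), m.group("remote"))
            for m in map(NO_CONFIG_RE.search, text.splitlines()) if m}


def tunnel_local_ips(cfg):
    """tunnel name -> configured local-ip."""
    return {p.split()[2]: v for p, v in cfg.items()
            if p.startswith("interfaces tunnel ") and p.endswith(" local-ip")}


def check_local_address(cfg, rejections):
    """Rejected peers whose local address is not the local-ip of any profile-bound tunnel.
    charon selects a connection by (local, remote) address before comparing proposals,
    so this mismatch yields NO_PROPOSAL_CHOSEN whatever the ciphers are."""
    bound = {v for p, v in cfg.items()
             if re.match(r"security vpn ipsec profile \S+ bind tunnel$", p)}
    known = {ip for t, ip in tunnel_local_ips(cfg).items() if t in bound}
    return [f"peer {remote} reached charon on {local}, bound tunnel local-ip is "
            f"{sorted(known)}: address mismatch, not a cipher mismatch"
            for local, remote in sorted(rejections) if local not in known]


def group_settings(cfg, kind, name):
    """Settings under `security vpn ipsec <kind>-group <name>`, prefix removed."""
    prefix = f"security vpn ipsec {kind}-group {name} "
    return {p[len(prefix):]: v for p, v in cfg.items() if p.startswith(prefix)}


def compare_phase(hub_group, spoke):
    """Per hub proposal: keys that differ from the spoke or are not stated on the hub."""
    shared = {k: v for k, v in hub_group.items() if " " not in k}  # mode, pfs, lifetime
    props = defaultdict(dict)
    for key, value in hub_group.items():
        parts = key.split()  # 'proposal 1 encryption' -> proposal number and field
        if len(parts) == 3 and parts[0] == "proposal":
            props[parts[1]][parts[2]] = value
    report = {}
    for num, prop in props.items():
        merged = {**shared, **prop}
        if "pfs" in merged:  # Vyatta 'dh-group5' vs Cisco 'group5': compare the number
            merged["pfs"] = merged["pfs"].replace("dh-group", "")
        report[num] = [f"{k}: spoke={sv}, hub=" + (merged[k] if k in merged
                       else "not stated (hub default applies)")
                       for k, sv in spoke.items() if merged.get(k) != sv]
    return report


def run(hub_text=HUB_CONFIG, log_text=CHARON_LOG, spoke=SPOKE, profile="DMVPN"):
    """All findings keyed by section; pass real output as hub_text/log_text."""
    cfg = parse_vyatta(hub_text)
    ike = group_settings(cfg, "ike", cfg[f"security vpn ipsec profile {profile} ike-group"])
    esp = group_settings(cfg, "esp", cfg[f"security vpn ipsec profile {profile} esp-group"])
    used = set(cfg.values()) | {v for phase in spoke.values() for v in phase.values()}
    return {"local_address": check_local_address(cfg, charon_rejections(log_text)),
            "ike": compare_phase(ike, spoke["ike"]),
            "esp": compare_phase(esp, spoke["esp"]),
            "legacy": sorted(used & LEGACY)}
```

Call `run()` to get a dict with the four sections; on the constructed inputs `local_address` holds one finding (the 172.31.1.103 versus 52.25.134.3 mismatch), `ike` reports only the unstated dh-group, `esp` reports nothing, and `legacy` lists 3des and md5. To use it on a live hub, paste the full `show configuration commands` output and the charon lines into `run(hub_text=..., log_text=...)`; the `SPOKE` dictionary has to be transcribed from the far end's configuration by hand, since this example parses Vyatta syntax only.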
