Occasional Visitor
Posts: 1
Registered: ‎03-11-2015

vyatta dmvpn

hi,

I am new to Vyatta as well as to networking.

 

I am following this link:

http://www.brocade.com/downloads/documents/html_product_manuals/vyatta/vyatta_5600_manual/VPN_DMVPN/wwhelp/wwhimpl/common/html/wwhelp.htm#href=DMVPN%20Config%20Examples.3.07.html&single=true

 

It works fine, but whenever I reboot a node, all settings for that node stop working.

 

(I am unable to ping the hub after the reboot.)

 

Please guide. Thanks.

Occasional Contributor
Posts: 8
Registered: ‎06-13-2016

Re: vyatta dmvpn

Hi Experts,

I am trying to bring up DMVPN between a Vyatta 5600 as hub and a Cisco CSR1000v as spoke, and it's not working.

 

Previously we were using the 5400 router, and there was a known issue which we figured out was a bug.

 

--We have two bugs related to the issue in vRouter 5600. The bug VRVDR-26487 is reported in 5600 4.1R3 and VRVDR-11476 is reported in 5600 3.5R3.

--These bugs are fixed in 5600 4.2R1.

 

--The details of the bug VRVDR-26487 are below:

 

- Spoke behind NAT fails to connect to hub in DMVPN.

 

 

Now we are running the 5600 and the recommended code, but still it's not working. I will really appreciate it if you could help in resolving the issue.

 

 

vyatta@vyatta:~$ show configuration commands | grep tunn

set interfaces tunnel tun0 address '172.16.1.1/24'

set interfaces tunnel tun0 encapsulation 'gre-multipoint'

set interfaces tunnel tun0 local-ip '52.25.134.3'

set interfaces tunnel tun0 multicast 'disable'

set interfaces tunnel tun0 nhrp 'redirect'

set security vpn ipsec profile DMVPN bind tunnel 'tun0'

vyatta@vyatta:~$ show configuration commands | grep vpn

set security vpn ipsec esp-group ESP-1H compression 'disable'

set security vpn ipsec esp-group ESP-1H lifetime '3600'

set security vpn ipsec esp-group ESP-1H mode 'transport'

set security vpn ipsec esp-group ESP-1H pfs 'dh-group5'

set security vpn ipsec esp-group ESP-1H proposal 2 encryption '3des'

set security vpn ipsec esp-group ESP-1H proposal 2 hash 'md5'

set security vpn ipsec ike-group IKE-1H lifetime '86400'

set security vpn ipsec ike-group IKE-1H proposal 1 encryption 'aes256'

set security vpn ipsec ike-group IKE-1H proposal 1 hash 'md5'

set security vpn ipsec nat-traversal 'enable'

set security vpn ipsec profile DMVPN authentication mode 'pre-shared-secret'

set security vpn ipsec profile DMVPN authentication pre-shared-secret 'NET123'

set security vpn ipsec profile DMVPN bind tunnel tun0

set security vpn ipsec profile DMVPN esp-group 'ESP-1H'

set security vpn ipsec profile DMVPN ike-group 'IKE-1H'

vyatta@vyatta:~$ 

vyatta@vyatta:~$ show configuration commands | grep bgp

set protocols bgp 1 neighbor 172.16.1.2 password cisco

set protocols bgp 1 neighbor 172.16.1.2 remote-as '2'

 

vyatta@vyatta:~$ 

 

 

Jul 02 12:52:32 vyatta charon[5041]: 11[ENC] <30> generating INFORMATIONAL_V1 request 2479204548 [ N(NO_PROP) ]

Jul 02 12:52:32 vyatta charon[5041]: 11[NET] <30> sending packet: from 172.31.1.103[500] to 52.34.117.175[500] (40 bytes)

Jul 02 12:52:48 vyatta charon[5041]: 14[NET] <31> received packet: from 52.34.117.175[500] to 172.31.1.103[500] (168 bytes)

Jul 02 12:52:48 vyatta charon[5041]: 14[ENC] <31> parsed ID_PROT request 0 [ SA V V V V ]

Jul 02 12:52:48 vyatta charon[5041]: 14[IKE] <31> no IKE config found for 172.31.1.103...52.34.117.175, sending NO_PROPOSAL_CHOSEN

Jul 02 12:52:48 vyatta charon[5041]: 14[ENC] <31> generating INFORMATIONAL_V1 request 2030699292 [ N(NO_PROP) ]

Jul 02 12:52:48 vyatta charon[5041]: 14[NET] <31> sending packet: from 172.31.1.103[500] to 52.34.117.175[500] (40 bytes)

Jul 02 12:52:58 vyatta charon[5041]: 13[NET] <32> received packet: from 52.34.117.175[500] to 172.31.1.103[500] (168 bytes)

Jul 02 12:52:58 vyatta charon[5041]: 13[ENC] <32> parsed ID_PROT request 0 [ SA V V V V ]

Jul 02 12:52:58 vyatta charon[5041]: 13[IKE] <32> no IKE config found for 172.31.1.103...52.34.117.175, sending NO_PROPOSAL_CHOSEN

Jul 02 12:52:58 vyatta charon[5041]: 13[ENC] <32> generating INFORMATIONAL_V1 request 2973056783 [ N(NO_PROP) ]

Jul 02 12:52:58 vyatta charon[5041]: 13[NET] <32> sending packet: from 172.31.1.103[500] to 52.34.117.175[500] (40 bytes)

Jul 02 12:53:08 vyatta charon[5041]: 10[NET] <33> received packet: from 52.34.117.175[500] to 172.31.1.103[500] (168 bytes)

Jul 02 12:53:08 vyatta charon[5041]: 10[ENC] <33> parsed ID_PROT request 0 [ SA V V V V ]

Jul 02 12:53:08 vyatta charon[5041]: 10[IKE] <33> no IKE config found for 172.31.1.103...52.34.117.175, sending NO_PROPOSAL_CHOSEN

Jul 02 12:53:08 vyatta charon[5041]: 10[ENC] <33> generating INFORMATIONAL_V1 request 2515714400 [ N(NO_PROP) ]

Jul 02 12:53:08 vyatta charon[5041]: 10[NET] <33> sending packet: from 172.31.1.103[500] to 52.34.117.175[500] (40 bytes)

Jul 02 12:53:18 vyatta charon[5041]: 12[NET] <34> received packet: from 52.34.117.175[500] to 172.31.1.103[500] (168 bytes)

Jul 02 12:53:18 vyatta charon[5041]: 12[ENC] <34> parsed ID_PROT request 0 [ SA V V V V ]

Jul 02 12:53:18 vyatta charon[5041]: 12[IKE] <34> no IKE config found for 172.31.1.103...52.34.117.175, sending NO_PROPOSAL_CHOSEN

Jul 02 12:53:18 vyatta charon[5041]: 12[ENC] <34> generating INFORMATIONAL_V1 request 702257603 [ N(NO_PROP) ]

Jul 02 12:53:18 vyatta charon[5041]: 12[NET] <34> sending packet: from 172.31.1.103[500] to 52.34.117.175[500] (40 bytes)

Jul 02 12:53:28 vyatta charon[5041]: 15[NET] <35> received packet: from 52.34.117.175[500] to 172.31.1.103[500] (168 bytes)

Jul 02 12:53:28 vyatta charon[5041]: 15[ENC] <35> parsed ID_PROT request 0 [ SA V V V V ]

Jul 02 12:53:28 vyatta charon[5041]: 15[IKE] <35> no IKE config found for 172.31.1.103...52.34.117.175, sending NO_PROPOSAL_CHOSEN

Jul 02 12:53:28 vyatta charon[5041]: 15[ENC] <35> generating INFORMATIONAL_V1 request 3084676352 [ N(NO_PROP) ]

Jul 02 12:53:28 vyatta charon[5041]: 15[NET] <35> sending packet: from 172.31.1.103[500] to 52.34.117.175[500] (40 bytes)

Jul 02 12:53:38 vyatta charon[5041]: 11[NET] <36> received packet: from 52.34.117.175[500] to 172.31.1.103[500] (168 bytes)

Jul 02 12:53:38 vyatta charon[5041]: 11[ENC] <36> parsed ID_PROT request 0 [ SA V V V V ]

Jul 02 12:53:38 vyatta charon[5041]: 11[IKE] <36> no IKE config found for 172.31.1.103...52.34.117.175, sending NO_PROPOSAL_CHOSEN

Jul 02 12:53:38 vyatta charon[5041]: 11[ENC] <36> generating INFORMATIONAL_V1 request 3325119730 [ N(NO_PROP) ]

Jul 02 12:53:38 vyatta charon[5041]: 11[NET] <36> sending packet: from 172.31.1.103[500] to 52.34.117.175[500] (40 bytes)

Jul 02 12:53:59 vyatta charon[5041]: 09[NET] <37> received packet: from 52.34.117.175[500] to 172.31.1.103[500] (168 bytes)

Jul 02 12:53:59 vyatta charon[5041]: 09[ENC] <37> parsed ID_PROT request 0 [ SA V V V V ]

Jul 02 12:53:59 vyatta charon[5041]: 09[IKE] <37> no IKE config found for 172.31.1.103...52.34.117.175, sending NO_PROPOSAL_CHOSEN

Jul 02 12:53:59 vyatta charon[5041]: 09[ENC] <37> generating INFORMATIONAL_V1 request 338436711 [ N(NO_PROP) ]

Jul 02 12:53:59 vyatta charon[5041]: 09[NET] <37> sending packet: from 172.31.1.103[500] to 52.34.117.175[500] (40 bytes)

 

 

 

 

 

ip-172-31-16-49#show configuration 

Using 2496 out of 33554432 bytes

!

! Last configuration change at 13:10:43 UTC Sat Jul 2 2016 by cisco

!

version 15.5

service timestamps debug datetime msec

service timestamps log datetime msec

no platform punt-keepalive disable-kernel-core

platform console virtual

!

hostname ip-172-31-16-49

!

boot-start-marker

boot-end-marker

!

!

logging persistent size 1000000 filesize 8192 immediate

enable secret 5 $1$9PeV$1j4dIgXEBPstJ9XX41p4Y/

!

no aaa new-model

!

!

!

!

!

!

!

!

!

!

!

 

 

 

!

!

!

!

!

!

!

!

!

!

subscriber templating

!         

multilink bundle-name authenticated

!         

!

!

!

!

crypto pki trustpoint TP-self-signed-3665350130

 enrollment selfsigned

 subject-name cn=IOS-Self-Signed-Certificate-3665350130

 revocation-check none

 rsakeypair TP-self-signed-3665350130

!

!

crypto pki certificate chain TP-self-signed-3665350130

 certificate self-signed 01 nvram:IOS-Self-Sig#1.cer

!

!

!

!

!

!

!

license udi pid CSR1000V sn 9SEIKH49AL3

license boot level ax

!

spanning-tree extend system-id

!

username ec2-user privilege 15 secret 5 $1$.z71$cvzUFgNgND5o9m3itdvLH/

username cisco privilege 15 password 0 cisco

 

!

redundancy

!

!

!

!

!

!

!

!

!

!

!

crypto isakmp policy 10

 encr aes 256

 hash md5 

 authentication pre-share

 group 5

crypto isakmp key NET123 address 0.0.0.0        

!

!

crypto ipsec transform-set xform esp-3des esp-md5-hmac 

 mode transport

!

crypto ipsec profile DMVPN

 set transform-set xform 

 set pfs group5

!

!

!

!

!

!

!

!

interface Loopback0

 ip address 192.168.175.1 255.255.255.252

!

interface Tunnel0

 ip address 172.16.0.1 255.255.255.0

 no ip redirects

 ip nhrp map multicast dynamic

 ip nhrp network-id 1

 ip nhrp nhs 172.16.1.1 nbma 52.25.134.3 multicast

 ip nhrp shortcut

 ip nhrp redirect

 tunnel source GigabitEthernet1

 tunnel mode gre multipoint

 tunnel protection ipsec profile DMVPN

!

interface GigabitEthernet1

 ip address dhcp

 negotiation auto

!

router bgp 2

 bgp log-neighbor-changes

 neighbor 172.16.1.1 remote-as 1

 neighbor 172.16.1.1 password cisco

!

!

virtual-service csr_mgmt

 ip shared host-interface GigabitEthernet1

 activate

!

ip forward-protocol nd

!

no ip http server

ip http secure-server

ip ssh rsa keypair-name ssh-key

ip ssh logging events

ip ssh version 2

ip ssh pubkey-chain

  username ec2-user

   key-hash ssh-rsa 0FEE591E87368E16E69219BEDE1E77BD CSR1000V-KEY-BOYL

ip scp server enable

!

!

!

!

!

control-plane

!

 !

 !

 !

 !

!

!

!

!

!

line con 0

 stopbits 1

line vty 0 4

 login local

 transport input ssh

!

!

end

          

ip-172-31-16-49#   

*Jul  2 13:18:20.908: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...

*Jul  2 13:18:20.908: ISAKMP: (0):: incrementing error counter on sa, attempt 3 of 5: retransmit phase 1

*Jul  2 13:18:20.908: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE

*Jul  2 13:18:20.908: ISAKMP-PAK: (0):sending packet to 52.25.134.3 my_port 500 peer_port 500 (I) MM_NO_STATE

*Jul  2 13:18:20.908: ISAKMP: (0)ending an IKE IPv4 Packet.

*Jul  2 13:18:20.908: IPSECSESSION ID = 221) (key_engine) request timer fired: count = 1,

  (identity) local= 172.31.16.49:0, remote= 52.25.134.3:0,

    local_proxy= 172.31.16.49/255.255.255.255/47/0,

    remote_proxy= 52.25.134.3/255.255.255.255/47/0

*Jul  2 13:18:20.908: IPSEC(sa_request): ,

  (key eng. msg.) OUTBOUND local= 172.31.16.49:500, remote= 52.25.134.3:500,

    local_proxy= 172.31.16.49/255.255.255.255/47/0,

    remote_proxy= 52.25.134.3/255.255.255.255/47/0,

    protocol= ESP, transform= esp-3des esp-md5-hmac  (Transport), 

    lifedur= 3600s and 4608000kb, 

    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0

*Jul  2 13:18:20.909: ISAKMP: (0):set new node 0 to QM_IDLE      

*Jul  2 13:18:20.909: ISAKMP-ERROR: (0)A is still budding. Attached new ipsec request to it. (local 172.31.16.49, remote 52.25.134.3)

*Jul  2 13:18:20.909: ISAKMP-ERROR: (0):Error while processing SA request: Failed to initialize SA

*Jul  2 13:18:20.909: ISAKMP-ERROR: (0):Error while processing KMI message 0, error 2.

*Jul  2 13:18:20.912: ISAKMP-PAK: (0):received packet from 52.25.134.3 dport 500 sport 500 Global (I) MM_NO_STATE

*Jul  2 13:18:20.912: ISAKMP-ERROR: (0):Couldn't find node: message_id 4096195092

*Jul  2 13:18:20.913: ISAKMP-ERROR: (0)0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY:  state = IKE_I_MM1

*Jul  2 13:18:20.914: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY

*Jul  2 13:18:20.914: ISAKMP: (0)ld State = IKE_I_MM1  New State = IKE_I_MM1 

 

*Jul  2 13:18:30.909: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...

*Jul  2 13:18:30.909: ISAKMP: (0):: incrementing error counter on sa, attempt 4 of 5: retransmit phase 1

*Jul  2 13:18:30.909: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE

*Jul  2 13:18:30.909: ISAKMP-PAK: (0):sending packet to 52.25.134.3 my_port 500 peer_port 500 (I) MM_NO_STATE

*Jul  2 13:18:30.909: ISAKMP: (0)ending an IKE IPv4 Packet.

*Jul  2 13:18:30.913: ISAKMP-PAK: (0):received packet from 52.25.134.3 dport 500 sport 500 Global (I) MM_NO_STATE

*Jul  2 13:18:30.913: ISAKMP-ERROR: (0):Couldn't find node: message_id 4181198011

*Jul  2 13:18:30.915: ISAKMP-ERROR: (0)0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY:  state = IKE_I_MM1

*Jul  2 13:18:30.923: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY

*Jul  2 13:18:30.923: ISAKMP: (0)ld State = IKE_I_MM1  New State = IKE_I_MM1 

 

 

Regards

Syed
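The charon lines in the post above repeat `no IKE config found for 172.31.1.103...52.34.117.175, sending NO_PROPOSAL_CHOSEN`, which strongSwan emits when no connection definition matches that local/remote address pair, before any algorithm comparison happens. As an added example (not from the thread or from Vyatta), a small Python triage script that counts those rejections per peer pair and checks whether the local address charon logged is one of the `local-ip` values configured on the tunnel interfaces; the config and log lines it embeds are constructed from the values quoted in the thread.

```python
"""Triage strongSwan (charon) IKEv1 'no IKE config found' events against the
Vyatta tunnel configuration. Added example; sample data is constructed from
the values posted in the thread, not captured from a live system."""
import re
from collections import Counter

# Constructed sample: two lines of `show configuration commands` output.
VYATTA_CONFIG = """\
set interfaces tunnel tun0 local-ip '52.25.134.3'
set security vpn ipsec nat-traversal 'enable'
"""

# Constructed sample: charon log lines modelled on those in the post.
CHARON_LOG = """\
Jul 02 12:52:48 vyatta charon[5041]: 14[NET] <31> received packet: from 52.34.117.175[500] to 172.31.1.103[500] (168 bytes)
Jul 02 12:52:48 vyatta charon[5041]: 14[IKE] <31> no IKE config found for 172.31.1.103...52.34.117.175, sending NO_PROPOSAL_CHOSEN
Jul 02 12:52:58 vyatta charon[5041]: 13[IKE] <32> no IKE config found for 172.31.1.103...52.34.117.175, sending NO_PROPOSAL_CHOSEN
"""

LOCAL_IP_RE = re.compile(r"^set interfaces tunnel (\S+) local-ip '([^']+)'", re.M)
NO_CONFIG_RE = re.compile(
    r"no IKE config found for (\S+)\.\.\.(\S+), sending NO_PROPOSAL_CHOSEN")


def configured_local_ips(config: str) -> dict:
    """Map tunnel interface name -> configured local-ip."""
    return {tun: ip for tun, ip in LOCAL_IP_RE.findall(config)}


def no_config_failures(log: str) -> Counter:
    """Count 'no IKE config found' events per (local, remote) address pair."""
    return Counter(NO_CONFIG_RE.findall(log))


def triage(config: str, log: str) -> list:
    """One finding per failing peer pair: how often it was rejected and whether
    the local address charon saw is actually one of the configured local-ips.
    A False here means the daemon is answering on an address the tunnel
    config never mentions, which is worth checking before touching ciphers."""
    local_ips = set(configured_local_ips(config).values())
    findings = []
    for (local, remote), count in no_config_failures(log).items():
        findings.append({"local": local, "remote": remote, "count": count,
                         "local_matches_config": local in local_ips})
    return findings


if __name__ == "__main__":
    for f in triage(VYATTA_CONFIG, CHARON_LOG):
        print(f)
```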
