Am I missing something here in my DMVPN setup? Please help

Hi Team,

This time I decided to build a DMVPN lab and, dang, my tunnel does not come up. I understand these are mGRE and might show as down, but I am unable to communicate from 192.168.47.48 to 10.10.20.50, i.e. from R1 -> R5 -> R2.

Am I missing anything here? I scratched my head for more than an hour but did not find any clue, hence I thought to have another pair of eyes look at it.

R1

set interfaces ethernet eth0 address '100.1.1.10/24'
set interfaces ethernet eth1 address '192.168.47.10/24'
set interfaces tunnel tun1 address '10.11.12.1/24'
set interfaces tunnel tun1 encapsulation 'gre'
set interfaces tunnel tun1 local-ip '100.1.1.10'
set interfaces tunnel tun1 multicast 'enable'
set interfaces tunnel tun1 parameters ip key '1144'
set protocols nhrp tunnel tun1 cisco-authentication 'admin@123'
set protocols nhrp tunnel tun1 holding-time '10'
set protocols nhrp tunnel tun1 multicast 'dynamic'
set protocols nhrp tunnel tun1 redirect
set protocols static route 0.0.0.0/0 next-hop 100.1.1.50
set protocols static route 10.10.20.0/24 next-hop 10.11.12.2
set vpn ipsec esp-group ESPDM compression 'disable'
set vpn ipsec esp-group ESPDM lifetime '3600'
set vpn ipsec esp-group ESPDM mode 'transport'
set vpn ipsec esp-group ESPDM pfs 'dh-group2'
set vpn ipsec esp-group ESPDM proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESPDM proposal 1 hash 'sha256'
set vpn ipsec esp-group ESPDM proposal 2 encryption 'aes256'
set vpn ipsec esp-group ESPDM proposal 2 hash 'sha256'
set vpn ipsec ike-group IKEDM close-action 'none'
set vpn ipsec ike-group IKEDM ikev2-reauth 'no'
set vpn ipsec ike-group IKEDM key-exchange 'ikev1'
set vpn ipsec ike-group IKEDM lifetime '3600'
set vpn ipsec ike-group IKEDM proposal 1 dh-group '2'
set vpn ipsec ike-group IKEDM proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKEDM proposal 1 hash 'sha256'
set vpn ipsec ike-group IKEDM proposal 2 dh-group '2'
set vpn ipsec ike-group IKEDM proposal 2 encryption 'aes256'
set vpn ipsec ike-group IKEDM proposal 2 hash 'sha256'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec profile DMVPN authentication mode 'pre-shared-secret'
set vpn ipsec profile DMVPN authentication pre-shared-secret 'admin@123'
set vpn ipsec profile DMVPN bind tunnel 'tun1'
set vpn ipsec profile DMVPN esp-group 'ESPDM'
set vpn ipsec profile DMVPN ike-group 'IKEDM'

R2

set interfaces ethernet eth0 address '200.1.1.20/24'
set interfaces ethernet eth1 address '10.10.20.20/24'
set interfaces tunnel tun1 address '10.11.12.2/24'
set interfaces tunnel tun1 encapsulation 'gre'
set interfaces tunnel tun1 local-ip '200.1.1.20'
set interfaces tunnel tun1 multicast 'enable'
set interfaces tunnel tun1 parameters ip key '1144'
set protocols nhrp tunnel tun1 cisco-authentication 'admin@123'
set protocols nhrp tunnel tun1 map 10.11.12.1/24 nbma-address '100.1.1.1'
set protocols nhrp tunnel tun1 map 10.11.12.1/24 register
set protocols nhrp tunnel tun1 multicast 'nhs'
set protocols nhrp tunnel tun1 redirect
set protocols nhrp tunnel tun1 shortcut
set protocols static route 0.0.0.0/0 next-hop 200.1.1.50
set protocols static route 192.168.47.0/24 next-hop 10.11.12.1
set vpn ipsec esp-group ESPSP compression 'disable'
set vpn ipsec esp-group ESPSP lifetime '3600'
set vpn ipsec esp-group ESPSP mode 'transport'
set vpn ipsec esp-group ESPSP pfs 'dh-group2'
set vpn ipsec esp-group ESPSP proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESPSP proposal 1 hash 'sha256'
set vpn ipsec esp-group ESPSP proposal 2 encryption 'aes256'
set vpn ipsec esp-group ESPSP proposal 2 hash 'sha256'
set vpn ipsec ike-group IKESP close-action 'none'
set vpn ipsec ike-group IKESP ikev2-reauth 'no'
set vpn ipsec ike-group IKESP key-exchange 'ikev1'
set vpn ipsec ike-group IKESP lifetime '3600'
set vpn ipsec ike-group IKESP proposal 1 dh-group '2'
set vpn ipsec ike-group IKESP proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKESP proposal 1 hash 'sha256'
set vpn ipsec ike-group IKESP proposal 2 dh-group '2'
set vpn ipsec ike-group IKESP proposal 2 encryption 'aes256'
set vpn ipsec ike-group IKESP proposal 2 hash 'sha256'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec profile DMVPN authentication mode 'pre-shared-secret'
set vpn ipsec profile DMVPN authentication pre-shared-secret 'admin@123'
set vpn ipsec profile DMVPN bind tunnel 'tun1'
set vpn ipsec profile DMVPN esp-group 'ESPSP'
set vpn ipsec profile DMVPN ike-group 'IKESP'

R5

vyos@R5:~$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
eth0             100.1.1.50/24                     u/u
eth1             200.1.1.50/24                     u/u
eth2             150.1.1.50/24                     u/u
eth3             175.1.1.50/24                     u/u

vyos@R1:~$ show vpn ipsec sa
Connection        State    Up    Bytes In/Out    Remote address    Remote ID    Proposal
----------------  -------  ----  --------------  ----------------  -----------  ----------
dmvpn-DMVPN-tun1  down     N/A   N/A             N/A               N/A          N/A

vyos@R2:~$ show vpn ipsec sa
Connection        State    Up    Bytes In/Out    Remote address    Remote ID    Proposal
----------------  -------  ----  --------------  ----------------  -----------  ----------
dmvpn-DMVPN-tun1  down     N/A   N/A             N/A               N/A          N/A

Hi, @blason!

Are you trying to use ikev1 or ikev2? Because, as I see, the hash is "sha256", which is ikev2.
Try to change ikev1 to ikev2. Also change dh-group to 14 and encryption to "aes256gcm128".

Will wait for your answer on this one.

Surprising. I have given

set vpn ipsec ike-group IKESP key-exchange 'ikev1'

on both the peers. Still, you want me to check with ikev2?

No luck :frowning:

R2

set vpn ipsec esp-group ESPDM pfs 'dh-group14'
set vpn ipsec esp-group ESPDM proposal 1 encryption 'aes256gcm128'
set vpn ipsec esp-group ESPSP compression 'disable'
set vpn ipsec esp-group ESPSP lifetime '3600'
set vpn ipsec esp-group ESPSP mode 'transport'
set vpn ipsec esp-group ESPSP pfs 'dh-group2'
set vpn ipsec esp-group ESPSP proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESPSP proposal 1 hash 'sha256'
set vpn ipsec esp-group ESPSP proposal 2 encryption 'aes256'
set vpn ipsec esp-group ESPSP proposal 2 hash 'sha256'
set vpn ipsec ike-group IKESP close-action 'none'
set vpn ipsec ike-group IKESP ikev2-reauth 'no'
set vpn ipsec ike-group IKESP key-exchange 'ikev2'
set vpn ipsec ike-group IKESP lifetime '3600'
set vpn ipsec ike-group IKESP proposal 1 dh-group '2'
set vpn ipsec ike-group IKESP proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKESP proposal 1 hash 'sha256'
set vpn ipsec ike-group IKESP proposal 2 dh-group '2'
set vpn ipsec ike-group IKESP proposal 2 encryption 'aes256'
set vpn ipsec ike-group IKESP proposal 2 hash 'sha256'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec profile DMVPN authentication mode 'pre-shared-secret'
set vpn ipsec profile DMVPN authentication pre-shared-secret 'admin@123'
set vpn ipsec profile DMVPN bind tunnel 'tun1'
set vpn ipsec profile DMVPN esp-group 'ESPSP'
set vpn ipsec profile DMVPN ike-group 'IKESP'

And here is R1

R1

set vpn ipsec esp-group ESPDM compression 'disable'
set vpn ipsec esp-group ESPDM lifetime '3600'
set vpn ipsec esp-group ESPDM mode 'transport'
set vpn ipsec esp-group ESPDM pfs 'dh-group14'
set vpn ipsec esp-group ESPDM proposal 1 encryption 'aes256gcm128'
set vpn ipsec esp-group ESPDM proposal 1 hash 'sha256'
set vpn ipsec esp-group ESPDM proposal 2 encryption 'aes256'
set vpn ipsec esp-group ESPDM proposal 2 hash 'sha256'
set vpn ipsec ike-group IKEDM close-action 'none'
set vpn ipsec ike-group IKEDM ikev2-reauth 'no'
set vpn ipsec ike-group IKEDM key-exchange 'ikev2'
set vpn ipsec ike-group IKEDM lifetime '3600'
set vpn ipsec ike-group IKEDM proposal 1 dh-group '2'
set vpn ipsec ike-group IKEDM proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKEDM proposal 1 hash 'sha256'
set vpn ipsec ike-group IKEDM proposal 2 dh-group '2'
set vpn ipsec ike-group IKEDM proposal 2 encryption 'aes256'
set vpn ipsec ike-group IKEDM proposal 2 hash 'sha256'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec profile DMVPN authentication mode 'pre-shared-secret'
set vpn ipsec profile DMVPN authentication pre-shared-secret 'admin@123'
set vpn ipsec profile DMVPN bind tunnel 'tun1'
set vpn ipsec profile DMVPN esp-group 'ESPDM'
set vpn ipsec profile DMVPN ike-group 'IKEDM'

I am using proposal 1

Status of IKE charon daemon (strongSwan 5.7.2, Linux 4.19.142-amd64-vyos, x86_64):
  uptime: 88 minutes, since Jun 24 08:28:24 2021
  malloc: sbrk 1871872, mmap 0, used 778736, free 1093136
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: charon test-vectors ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md5 mgf1 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default connmark stroke vici updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock counters
Listening IP addresses:
  100.1.1.10
Connections:
dmvpn-DMVPN-tun1:  %any...%any  IKEv2
dmvpn-DMVPN-tun1:   local:  uses pre-shared key authentication
dmvpn-DMVPN-tun1:   remote: uses pre-shared key authentication
       dmvpn:   child:  dynamic[gre] === dynamic[gre] TRANSPORT
Security Associations (0 up, 0 connecting):
  none

@blason your dh-group, encryption and hash are the same:

set vpn ipsec esp-group ESPSP pfs 'dh-group2'
set vpn ipsec esp-group ESPSP proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESPSP proposal 1 hash 'sha256'

I really doubt that is the issue. Though I changed those parameters, the tunnels are still down.

vyos@R1# run show configuration commands | match vpn
set vpn ipsec esp-group ESPDM compression 'disable'
set vpn ipsec esp-group ESPDM lifetime '3600'
set vpn ipsec esp-group ESPDM mode 'transport'
set vpn ipsec esp-group ESPDM pfs 'dh-group14'
set vpn ipsec esp-group ESPDM proposal 1 encryption 'aes256gcm128'
set vpn ipsec esp-group ESPDM proposal 1 hash 'sha512'
set vpn ipsec esp-group ESPDM proposal 2 encryption 'aes256'
set vpn ipsec esp-group ESPDM proposal 2 hash 'sha256'
set vpn ipsec ike-group IKEDM close-action 'none'
set vpn ipsec ike-group IKEDM ikev2-reauth 'no'
set vpn ipsec ike-group IKEDM key-exchange 'ikev2'
set vpn ipsec ike-group IKEDM lifetime '3600'
set vpn ipsec ike-group IKEDM proposal 1 dh-group '14'
set vpn ipsec ike-group IKEDM proposal 1 encryption 'aes256gcm128'
set vpn ipsec ike-group IKEDM proposal 1 hash 'sha512'
set vpn ipsec ike-group IKEDM proposal 2 dh-group '2'
set vpn ipsec ike-group IKEDM proposal 2 encryption 'aes256'
set vpn ipsec ike-group IKEDM proposal 2 hash 'sha256'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec profile DMVPN authentication mode 'pre-shared-secret'
set vpn ipsec profile DMVPN authentication pre-shared-secret 'admin@123'
set vpn ipsec profile DMVPN bind tunnel 'tun1'
set vpn ipsec profile DMVPN esp-group 'ESPDM'
set vpn ipsec profile DMVPN ike-group 'IKEDM'
[edit]
vyos@R1# run show vpn ipsec sa
Connection        State    Up    Bytes In/Out    Remote address    Remote ID    Proposal
----------------  -------  ----  --------------  ----------------  -----------  ----------
dmvpn-DMVPN-tun1  down     N/A   N/A             N/A               N/A          N/A
[edit]

AND R2

vyos@R2# save
Saving configuration to '/config/config.boot'...
Done
[edit]
vyos@R2# run show configuration commands | match vpn
set vpn ipsec esp-group ESPDM pfs 'dh-group14'
set vpn ipsec esp-group ESPDM proposal 1 encryption 'aes256gcm128'
set vpn ipsec esp-group ESPSP compression 'disable'
set vpn ipsec esp-group ESPSP lifetime '3600'
set vpn ipsec esp-group ESPSP mode 'transport'
set vpn ipsec esp-group ESPSP pfs 'dh-group14'
set vpn ipsec esp-group ESPSP proposal 1 encryption 'aes256gcm128'
set vpn ipsec esp-group ESPSP proposal 1 hash 'sha512'
set vpn ipsec esp-group ESPSP proposal 2 encryption 'aes256'
set vpn ipsec esp-group ESPSP proposal 2 hash 'sha256'
set vpn ipsec ike-group IKESP close-action 'none'
set vpn ipsec ike-group IKESP ikev2-reauth 'no'
set vpn ipsec ike-group IKESP key-exchange 'ikev2'
set vpn ipsec ike-group IKESP lifetime '3600'
set vpn ipsec ike-group IKESP proposal 1 dh-group '14'
set vpn ipsec ike-group IKESP proposal 1 encryption 'aes256gcm128'
set vpn ipsec ike-group IKESP proposal 1 hash 'sha512'
set vpn ipsec ike-group IKESP proposal 2 dh-group '2'
set vpn ipsec ike-group IKESP proposal 2 encryption 'aes256'
set vpn ipsec ike-group IKESP proposal 2 hash 'sha256'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec profile DMVPN authentication mode 'pre-shared-secret'
set vpn ipsec profile DMVPN authentication pre-shared-secret 'admin@123'
set vpn ipsec profile DMVPN bind tunnel 'tun1'
set vpn ipsec profile DMVPN esp-group 'ESPSP'
set vpn ipsec profile DMVPN ike-group 'IKESP'
[edit]
vyos@R2# run show vpn ipsec sa
Connection        State    Up    Bytes In/Out    Remote address    Remote ID    Proposal
----------------  -------  ----  --------------  ----------------  -----------  ----------
dmvpn-DMVPN-tun1  down     N/A   N/A             N/A               N/A          N/A
[edit]

I also do have connectivity established:

vyos@R1# traceroute 200.1.1.20
traceroute to 200.1.1.20 (200.1.1.20), 30 hops max, 60 byte packets
 1  100.1.1.50 (100.1.1.50)  0.547 ms  0.390 ms  0.242 ms
 2  200.1.1.20 (200.1.1.20)  0.648 ms  0.500 ms  0.424 ms

R2

vyos@R2# traceroute 100.1.1.10
traceroute to 100.1.1.10 (100.1.1.10), 30 hops max, 60 byte packets
 1  200.1.1.50 (200.1.1.50)  0.244 ms  0.218 ms  0.210 ms
 2  100.1.1.10 (100.1.1.10)  0.449 ms  0.444 ms  0.322 ms
[edit]

@blason The connection must be symmetrical.
Please make sure that configuration such as encryption, hash and dh-group is the same on both sides, and try to reset with "run reset vpn".

Those are, for pretty sure. Let me verify that once again.

The only time I learned NHRP was for a Cisco exam years ago.
I'd first fix this:
set protocols nhrp tunnel tun1 map 10.11.12.1/24 nbma-address '100.1.1.1'
100.1.1.1 is used nowhere else, and probably should be 100.1.1.10.

btw: AFAIK, ikev1 can handle aes256 fine.

aes256 is encryption.
I mean sha256, which is hash.

Dang!! It was such a small foolish mistake :wink:

Thanks for pointing out
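Both the NBMA typo that resolved this thread and the earlier "the connection must be symmetrical" advice are things that can be checked mechanically from the `show configuration commands` output, before anyone stares at `show vpn ipsec sa` again. The spoke registers with (and therefore has strongSwan initiate IKE toward) whatever NBMA address it has mapped for the hub, so a wrong `nbma-address` leaves both SAs down even though plain IP connectivity between 100.1.1.10 and 200.1.1.20 works, exactly as the traceroutes above show. The following is an added example, not VyOS code and not part of the original thread: it parses two `set ...` dumps in the format posted here, flags any spoke NHRP `nbma-address` that differs from the hub tunnel's `local-ip`, and diffs the IKE/ESP parameters of the groups actually bound to the `DMVPN` profile (so R2's stray, unbound `ESPDM` lines are ignored, as strongSwan ignores them). The sample configs are constructed, trimmed copies of the R1 and R2 posts, keeping the `100.1.1.1` typo on purpose.

```python
"""Cross-check two VyOS DMVPN 'set' command dumps (added example, not VyOS code).
Checks: spoke NHRP nbma-address vs. hub tunnel local-ip, and IKE/ESP symmetry
of the groups bound to the IPsec profile on both peers."""
from __future__ import annotations

# Constructed sample: trimmed copies of the R1 (hub) and R2 (spoke) configs
# from the thread. R2 keeps the 100.1.1.1 typo and a stray unbound ESPDM line.
HUB_R1 = """\
set interfaces tunnel tun1 address '10.11.12.1/24'
set interfaces tunnel tun1 local-ip '100.1.1.10'
set vpn ipsec esp-group ESPDM mode 'transport'
set vpn ipsec esp-group ESPDM pfs 'dh-group14'
set vpn ipsec esp-group ESPDM proposal 1 encryption 'aes256gcm128'
set vpn ipsec esp-group ESPDM proposal 1 hash 'sha512'
set vpn ipsec ike-group IKEDM key-exchange 'ikev2'
set vpn ipsec ike-group IKEDM proposal 1 dh-group '14'
set vpn ipsec ike-group IKEDM proposal 1 encryption 'aes256gcm128'
set vpn ipsec ike-group IKEDM proposal 1 hash 'sha512'
set vpn ipsec profile DMVPN bind tunnel 'tun1'
set vpn ipsec profile DMVPN esp-group 'ESPDM'
set vpn ipsec profile DMVPN ike-group 'IKEDM'
"""

SPOKE_R2 = """\
set interfaces tunnel tun1 address '10.11.12.2/24'
set interfaces tunnel tun1 local-ip '200.1.1.20'
set protocols nhrp tunnel tun1 map 10.11.12.1/24 nbma-address '100.1.1.1'
set protocols nhrp tunnel tun1 map 10.11.12.1/24 register
set vpn ipsec esp-group ESPDM pfs 'dh-group14'
set vpn ipsec esp-group ESPSP mode 'transport'
set vpn ipsec esp-group ESPSP pfs 'dh-group14'
set vpn ipsec esp-group ESPSP proposal 1 encryption 'aes256gcm128'
set vpn ipsec esp-group ESPSP proposal 1 hash 'sha512'
set vpn ipsec ike-group IKESP key-exchange 'ikev2'
set vpn ipsec ike-group IKESP proposal 1 dh-group '14'
set vpn ipsec ike-group IKESP proposal 1 encryption 'aes256gcm128'
set vpn ipsec ike-group IKESP proposal 1 hash 'sha512'
set vpn ipsec profile DMVPN bind tunnel 'tun1'
set vpn ipsec profile DMVPN esp-group 'ESPSP'
set vpn ipsec profile DMVPN ike-group 'IKESP'
"""

ABSENT = "<absent>"  # sentinel so a missing key is not confused with a flag


def parse_set_commands(text: str) -> dict[tuple[str, ...], str | None]:
    """Map each 'set ...' line to {path: value}. VyOS single-quotes leaf values;
    a line without a quoted tail (register, redirect, ...) is a flag -> None."""
    cfg: dict[tuple[str, ...], str | None] = {}
    for line in text.splitlines():
        parts = line.strip().split()
        if len(parts) < 2 or parts[0] != "set":
            continue
        if parts[-1].startswith("'") and parts[-1].endswith("'"):
            cfg[tuple(parts[1:-1])] = parts[-1].strip("'")
        else:
            cfg[tuple(parts[1:])] = None
    return cfg


def nhrp_nbma_mismatches(spoke: dict, hub: dict) -> list[tuple[str, str, str]]:
    """For each spoke 'nhrp tunnel X map <hub-tunnel-ip>/N nbma-address Y',
    look up the hub tunnel carrying that IP and compare Y with its local-ip
    (the real NBMA address). Returns (map prefix, configured, expected)."""
    hub_nbma = {}  # hub tunnel IP -> hub local-ip
    for path, value in hub.items():
        if path[:2] == ("interfaces", "tunnel") and path[3:] == ("address",):
            hub_nbma[value.split("/")[0]] = hub.get(("interfaces", "tunnel", path[2], "local-ip"))
    bad = []
    for path, value in spoke.items():
        if path[:3] == ("protocols", "nhrp", "tunnel") and len(path) == 7 \
                and path[4] == "map" and path[6] == "nbma-address":
            expected = hub_nbma.get(path[5].split("/")[0])
            if expected is not None and value != expected:
                bad.append((path[5], value, expected))
    return bad


def bound_ipsec_params(cfg: dict, profile: str = "DMVPN") -> dict:
    """Parameters of the ike-group/esp-group bound to the profile, keyed without
    the site-specific group name so two peers compare directly. Groups that are
    defined but not bound (R2's stray ESPDM) are skipped; strongSwan never sees them."""
    params = {}
    for kind in ("ike-group", "esp-group"):
        name = cfg.get(("vpn", "ipsec", "profile", profile, kind))
        if name is None:
            continue
        prefix = ("vpn", "ipsec", kind, name)
        for path, value in cfg.items():
            if path[:len(prefix)] == prefix:
                params[(kind,) + path[len(prefix):]] = value
    return params


def proposal_mismatches(a: dict, b: dict, profile: str = "DMVPN") -> dict:
    """Keys whose value differs between the two peers' bound groups."""
    pa, pb = bound_ipsec_params(a, profile), bound_ipsec_params(b, profile)
    return {k: (pa.get(k, ABSENT), pb.get(k, ABSENT))
            for k in pa.keys() | pb.keys() if pa.get(k, ABSENT) != pb.get(k, ABSENT)}


if __name__ == "__main__":
    hub, spoke = parse_set_commands(HUB_R1), parse_set_commands(SPOKE_R2)
    for prefix, got, want in nhrp_nbma_mismatches(spoke, hub):
        print(f"NHRP map {prefix}: nbma-address {got}, but hub local-ip is {want}")
    for key, (h, s) in sorted(proposal_mismatches(hub, spoke).items()):
        print(f"{'/'.join(key)}: hub={h} spoke={s}")
```

Run it against copies of `show configuration commands | match "vpn|nhrp|tunnel"` from both routers; on the sample above it reports only the NBMA mismatch, which matches the thread's outcome (the proposals were already symmetric by the end). The PSK `admin@123` and the NHRP `cisco-authentication` value are also identical here; a lab is fine, but in production use distinct, long secrets for the two, since the NHRP one travels in the clear inside GRE until IPsec is up.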
