This time I decided to build a DMVPN lab and dang, my tunnel does not show up. I understand these are mGRE and might show down, but I am unable to communicate from 192.168.47.48 to 10.10.20.50, i.e. from R1 -> R5 -> R2.
Am I missing anything here? Scratched my head for more than an hour but did not find any clue, hence thought to have another pair of eyes look at it.
R1
set interfaces ethernet eth0 address '100.1.1.10/24'
set interfaces ethernet eth1 address '192.168.47.10/24'
set interfaces tunnel tun1 address '10.11.12.1/24'
set interfaces tunnel tun1 encapsulation 'gre'
set interfaces tunnel tun1 local-ip '100.1.1.10'
set interfaces tunnel tun1 multicast 'enable'
set interfaces tunnel tun1 parameters ip key '1144'
set protocols nhrp tunnel tun1 cisco-authentication 'admin@123'
set protocols nhrp tunnel tun1 holding-time '10'
set protocols nhrp tunnel tun1 multicast 'dynamic'
set protocols nhrp tunnel tun1 redirect
set protocols static route 0.0.0.0/0 next-hop 100.1.1.50
set protocols static route 10.10.20.0/24 next-hop 10.11.12.2
set vpn ipsec esp-group ESPDM compression 'disable'
set vpn ipsec esp-group ESPDM lifetime '3600'
set vpn ipsec esp-group ESPDM mode 'transport'
set vpn ipsec esp-group ESPDM pfs 'dh-group2'
set vpn ipsec esp-group ESPDM proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESPDM proposal 1 hash 'sha256'
set vpn ipsec esp-group ESPDM proposal 2 encryption 'aes256'
set vpn ipsec esp-group ESPDM proposal 2 hash 'sha256'
set vpn ipsec ike-group IKEDM close-action 'none'
set vpn ipsec ike-group IKEDM ikev2-reauth 'no'
set vpn ipsec ike-group IKEDM key-exchange 'ikev1'
set vpn ipsec ike-group IKEDM lifetime '3600'
set vpn ipsec ike-group IKEDM proposal 1 dh-group '2'
set vpn ipsec ike-group IKEDM proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKEDM proposal 1 hash 'sha256'
set vpn ipsec ike-group IKEDM proposal 2 dh-group '2'
set vpn ipsec ike-group IKEDM proposal 2 encryption 'aes256'
set vpn ipsec ike-group IKEDM proposal 2 hash 'sha256'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec profile DMVPN authentication mode 'pre-shared-secret'
set vpn ipsec profile DMVPN authentication pre-shared-secret 'admin@123'
set vpn ipsec profile DMVPN bind tunnel 'tun1'
set vpn ipsec profile DMVPN esp-group 'ESPDM'
set vpn ipsec profile DMVPN ike-group 'IKEDM'
R2
set interfaces ethernet eth0 address '200.1.1.20/24'
set interfaces ethernet eth1 address '10.10.20.20/24'
set interfaces tunnel tun1 address '10.11.12.2/24'
set interfaces tunnel tun1 encapsulation 'gre'
set interfaces tunnel tun1 local-ip '200.1.1.20'
set interfaces tunnel tun1 multicast 'enable'
set interfaces tunnel tun1 parameters ip key '1144'
set protocols nhrp tunnel tun1 cisco-authentication 'admin@123'
set protocols nhrp tunnel tun1 map 10.11.12.1/24 nbma-address '100.1.1.1'
set protocols nhrp tunnel tun1 map 10.11.12.1/24 register
set protocols nhrp tunnel tun1 multicast 'nhs'
set protocols nhrp tunnel tun1 redirect
set protocols nhrp tunnel tun1 shortcut
set protocols static route 0.0.0.0/0 next-hop 200.1.1.50
set protocols static route 192.168.47.0/24 next-hop 10.11.12.1
set vpn ipsec esp-group ESPSP compression 'disable'
set vpn ipsec esp-group ESPSP lifetime '3600'
set vpn ipsec esp-group ESPSP mode 'transport'
set vpn ipsec esp-group ESPSP pfs 'dh-group2'
set vpn ipsec esp-group ESPSP proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESPSP proposal 1 hash 'sha256'
set vpn ipsec esp-group ESPSP proposal 2 encryption 'aes256'
set vpn ipsec esp-group ESPSP proposal 2 hash 'sha256'
set vpn ipsec ike-group IKESP close-action 'none'
set vpn ipsec ike-group IKESP ikev2-reauth 'no'
set vpn ipsec ike-group IKESP key-exchange 'ikev1'
set vpn ipsec ike-group IKESP lifetime '3600'
set vpn ipsec ike-group IKESP proposal 1 dh-group '2'
set vpn ipsec ike-group IKESP proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKESP proposal 1 hash 'sha256'
set vpn ipsec ike-group IKESP proposal 2 dh-group '2'
set vpn ipsec ike-group IKESP proposal 2 encryption 'aes256'
set vpn ipsec ike-group IKESP proposal 2 hash 'sha256'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec profile DMVPN authentication mode 'pre-shared-secret'
set vpn ipsec profile DMVPN authentication pre-shared-secret 'admin@123'
set vpn ipsec profile DMVPN bind tunnel 'tun1'
set vpn ipsec profile DMVPN esp-group 'ESPSP'
set vpn ipsec profile DMVPN ike-group 'IKESP'
R5
vyos@R5:~$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
eth0             100.1.1.50/24                     u/u
eth1             200.1.1.50/24                     u/u
eth2             150.1.1.50/24                     u/u
eth3             175.1.1.50/24                     u/u
vyos@R1:~$ show vpn ipsec sa
Connection          State    Up    Bytes In/Out    Remote address    Remote ID    Proposal
----------------    -------  ----  --------------  ----------------  -----------  ----------
dmvpn-DMVPN-tun1    down     N/A   N/A             N/A               N/A          N/A
vyos@R2:~$ show vpn ipsec sa
Connection          State    Up    Bytes In/Out    Remote address    Remote ID    Proposal
----------------    -------  ----  --------------  ----------------  -----------  ----------
dmvpn-DMVPN-tun1    down     N/A   N/A             N/A               N/A          N/A
Are you trying to use ikev1 or ikev2? Because, as I see it, hash "sha256" is ikev2.
Try to change ikev1 to ikev2. Also change dh-group to 14 and encryption to "aes256gcm128".
vyos@R1# traceroute 200.1.1.20
traceroute to 200.1.1.20 (200.1.1.20), 30 hops max, 60 byte packets
1 100.1.1.50 (100.1.1.50) 0.547 ms 0.390 ms 0.242 ms
2 200.1.1.20 (200.1.1.20) 0.648 ms 0.500 ms 0.424 ms
R2
vyos@R2# traceroute 100.1.1.10
traceroute to 100.1.1.10 (100.1.1.10), 30 hops max, 60 byte packets
1 200.1.1.50 (200.1.1.50) 0.244 ms 0.218 ms 0.210 ms
2 100.1.1.10 (100.1.1.10) 0.449 ms 0.444 ms 0.322 ms
[edit]
@blason The connection must be symmetrical.
Please make sure that configuration such as encryption, hash and dh-group is the same on both sides, and try to reset with "run reset vpn".
The only time I learned NHRP was a Cisco exam years ago.
I'd first fix this:
set protocols nhrp tunnel tun1 map 10.11.12.1/24 nbma-address '100.1.1.1'
100.1.1.1 is used nowhere else, and probably should be 100.1.1.10.
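The two replies above make two separate checks: the IKE/ESP settings must match on both ends, and the NBMA address in R2's NHRP map must be an address that R1 actually owns (its tunnel local-ip). Below is an added Python script, not from the thread and not VyOS code, that runs both checks over the posted `set` dumps. The R1_CONFIG and R2_CONFIG strings are constructed excerpts of the two configs above, trimmed to the lines the checks read; the script assumes the tunnel has the same name (tun1) on both routers, and the WEAK_DH_GROUPS set (flagging dh-group 2, the 1024-bit MODP group the second reply suggests replacing with 14) is my own threshold, not a VyOS setting.

```python
# Added example, not from the thread or from VyOS: a consistency checker for the
# 'set ...' dumps of a DMVPN pair. It flags an NHRP map whose NBMA address is not
# the peer tunnel's local-ip, IKE/ESP settings that differ between the two ends,
# and IKE proposals that still use a short MODP group such as dh-group 2.

# Constructed excerpts of the R1 (hub) and R2 (spoke) configs from the thread,
# trimmed to the lines the checks read.
R1_CONFIG = """
set interfaces tunnel tun1 local-ip '100.1.1.10'
set vpn ipsec esp-group ESPDM pfs 'dh-group2'
set vpn ipsec esp-group ESPDM proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESPDM proposal 1 hash 'sha256'
set vpn ipsec ike-group IKEDM key-exchange 'ikev1'
set vpn ipsec ike-group IKEDM proposal 1 dh-group '2'
set vpn ipsec ike-group IKEDM proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKEDM proposal 1 hash 'sha256'
set vpn ipsec profile DMVPN bind tunnel 'tun1'
set vpn ipsec profile DMVPN esp-group 'ESPDM'
set vpn ipsec profile DMVPN ike-group 'IKEDM'
"""
R2_CONFIG = """
set interfaces tunnel tun1 local-ip '200.1.1.20'
set protocols nhrp tunnel tun1 map 10.11.12.1/24 nbma-address '100.1.1.1'
set vpn ipsec esp-group ESPSP pfs 'dh-group2'
set vpn ipsec esp-group ESPSP proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESPSP proposal 1 hash 'sha256'
set vpn ipsec ike-group IKESP key-exchange 'ikev1'
set vpn ipsec ike-group IKESP proposal 1 dh-group '2'
set vpn ipsec ike-group IKESP proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKESP proposal 1 hash 'sha256'
set vpn ipsec profile DMVPN bind tunnel 'tun1'
set vpn ipsec profile DMVPN esp-group 'ESPSP'
set vpn ipsec profile DMVPN ike-group 'IKESP'
"""
WEAK_DH_GROUPS = {"1", "2", "5"}  # assumption: MODP groups of 1536 bits or less

def parse_set_lines(text):
    """Return each 'set ...' line as a tuple of tokens with the quotes stripped."""
    return [tuple(tok.strip("'\"") for tok in line.split()[1:])
            for line in text.splitlines() if line.strip().startswith("set ")]

def lookup(rows, *prefix):
    """Return the tokens that follow the given path prefix in each matching row."""
    return [row[len(prefix):] for row in rows if row[:len(prefix)] == prefix]

def tunnel_local_ips(rows):
    """Tunnel name -> its NBMA (local-ip) address."""
    return {r[0]: r[2] for r in lookup(rows, "interfaces", "tunnel")
            if len(r) == 3 and r[1] == "local-ip"}

def nhrp_maps(rows):
    """(tunnel, mapped prefix, nbma-address) for every static NHRP map."""
    return [(r[0], r[2], r[4]) for r in lookup(rows, "protocols", "nhrp", "tunnel")
            if len(r) == 5 and r[1] == "map" and r[3] == "nbma-address"]

def group_summary(rows, kind, name):
    """Scalar settings of an ike-/esp-group plus its proposals, order-independent."""
    scalars, proposals = {}, {}
    for r in lookup(rows, "vpn", "ipsec", kind, name):
        if r[0] == "proposal" and len(r) == 4:
            proposals.setdefault(r[1], {})[r[2]] = r[3]
        elif len(r) == 2:
            scalars[r[0]] = r[1]
    return scalars, {frozenset(p.items()) for p in proposals.values()}

def crypto_for_tunnel(rows, tun):
    """{'esp-group': summary, 'ike-group': summary} for the profile bound to tun, or None."""
    profiles = lookup(rows, "vpn", "ipsec", "profile")
    bound = [r[0] for r in profiles if r[1:] == ("bind", "tunnel", tun)]
    if not bound:
        return None
    names = {r[1]: r[2] for r in profiles if r[0] == bound[0] and len(r) == 3}
    return {k: group_summary(rows, k, names[k]) for k in ("esp-group", "ike-group")}

def check_pair(local, peer, local_name, peer_name, tun="tun1"):
    """Findings for local_name's side; assumes the tunnel has the same name on both routers."""
    findings = []
    peer_nbma = sorted(tunnel_local_ips(peer).values())
    for t, prefix, nbma in nhrp_maps(local):
        if nbma not in peer_nbma:
            findings.append(f"{local_name} {t}: NHRP map {prefix} -> NBMA {nbma}, "
                            f"but {peer_name} tunnel local-ip is {peer_nbma}")
    mine, theirs = crypto_for_tunnel(local, tun), crypto_for_tunnel(peer, tun)
    if mine and theirs:
        for kind in mine:
            if mine[kind] != theirs[kind]:
                findings.append(f"{tun}: {kind} settings differ between {local_name} and {peer_name}")
    if mine:
        for proposal in mine["ike-group"][1]:
            dh = dict(proposal).get("dh-group")
            if dh in WEAK_DH_GROUPS:
                findings.append(f"{local_name} {tun}: IKE proposal uses weak dh-group {dh}")
    return findings

if __name__ == "__main__":
    r1, r2 = parse_set_lines(R1_CONFIG), parse_set_lines(R2_CONFIG)
    for finding in check_pair(r2, r1, "R2", "R1") + check_pair(r1, r2, "R1", "R2"):
        print(finding)
```

Run against the posted configs, the crypto comparison comes back clean (both sides use aes256/sha256 with dh-group 2 under ikev1, so the "must be symmetrical" point is already satisfied), the NBMA check reports that R2 maps the hub to 100.1.1.1 while R1's only tunnel local-ip is 100.1.1.10, and both sides get a weak-DH note. Changing the map to '100.1.1.10' removes the NBMA finding; whether to move to dh-group 14 is a separate hardening decision.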