While labbing a DMVPN network, I am able to establish full communication between the VyOS (1.4-rolling) hub and spoke routers. My problem is with a Cisco spoke: I keep getting a “CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 172.16.120.101” message. I’m new to IPsec and I’m not sure if I am just misreading some part of this config guide. I would appreciate any insight into my problem.
Thank You!
Hub: WAN(172.16.120.101) Tunnel(10.0.0.1/29)
Vyos Spoke: WAN(172.16.120.104) Tunnel(10.0.0.2/29)
Cisco Spoke: WAN(172.16.120.102) Tunnel(10.0.0.3/29)
!!!HUB Config!!!
# NOTE(review): the quotes in this listing are typographic (‘ ’), presumably a forum
# rendering artifact; retype them as plain ASCII quotes before pasting into the VyOS CLI.
# GRE tunnel tun0 on the hub. No remote address is configured, so peers are
# presumably resolved through NHRP (multipoint behaviour) - confirm.
set interfaces tunnel tun0 address ‘10.0.0.1/29’
set interfaces tunnel tun0 encapsulation ‘gre’
set interfaces tunnel tun0 multicast ‘enable’
# GRE key 1; the Cisco spoke ("tunnel key 1") and the VyOS spoke use the same value.
set interfaces tunnel tun0 parameters ip key ‘1’
set interfaces tunnel tun0 source-address ‘172.16.120.101’
# NHRP on tun0. The authentication string is identical on all three routers in this
# post. It travels as a plain string inside NHRP packets, so it is only kept private
# while the GRE traffic is actually protected by IPsec.
set protocols nhrp tunnel tun0 cisco-authentication ‘secret’
# Holding time 300 here; the Cisco spoke announces "ip nhrp holdtime 600".
set protocols nhrp tunnel tun0 holding-time ‘300’
set protocols nhrp tunnel tun0 multicast ‘dynamic’
# redirect + shortcut: the options used for direct spoke-to-spoke tunnels.
set protocols nhrp tunnel tun0 redirect
set protocols nhrp tunnel tun0 shortcut
# IPsec is enabled on eth1, presumably the WAN interface holding 172.16.120.101 - confirm.
set vpn ipsec interface ‘eth1’
# ESP (phase 2): transport mode, AES-256 with SHA-1, lifetime 1800, PFS with DH group 2.
set vpn ipsec esp-group ESP-DMVPN compression ‘disable’
set vpn ipsec esp-group ESP-DMVPN lifetime ‘1800’
set vpn ipsec esp-group ESP-DMVPN mode ‘transport’
# NOTE(review): the Cisco spoke's "crypto ipsec profile DMVPN" in this post has no
# "set pfs" line while this side configures PFS group 2. That is one visible
# difference between the two ends; whether it is related to the reported error
# cannot be told from the configs alone.
set vpn ipsec esp-group ESP-DMVPN pfs ‘dh-group2’
set vpn ipsec esp-group ESP-DMVPN proposal 1 encryption ‘aes256’
set vpn ipsec esp-group ESP-DMVPN proposal 1 hash ‘sha1’
# IKE (phase 1): IKEv1, AES-256, SHA-1, DH group 2, lifetime 3600.
# ikev2-reauth is set although key-exchange is ikev1; presumably it has no effect here.
set vpn ipsec ike-group IKE-DMVPN ikev2-reauth ‘no’
set vpn ipsec ike-group IKE-DMVPN key-exchange ‘ikev1’
set vpn ipsec ike-group IKE-DMVPN lifetime ‘3600’
set vpn ipsec ike-group IKE-DMVPN proposal 1 dh-group ‘2’
set vpn ipsec ike-group IKE-DMVPN proposal 1 encryption ‘aes256’
set vpn ipsec ike-group IKE-DMVPN proposal 1 hash ‘sha1’
# NOTE(review): IKEv1, DH group 2 (1024-bit MODP) and SHA-1 are legacy choices, and
# ‘secret’ is a placeholder key. That is enough to reproduce a lab problem; for a
# network carrying real traffic prefer IKEv2, DH group 14 or higher, SHA-256, and a
# long random key or certificates, provided every peer supports them.
# Profile NHRPVPN ties the pre-shared key and both proposal groups to tun0.
set vpn ipsec profile NHRPVPN authentication mode ‘pre-shared-secret’
set vpn ipsec profile NHRPVPN authentication pre-shared-secret ‘secret’
set vpn ipsec profile NHRPVPN bind tunnel ‘tun0’
set vpn ipsec profile NHRPVPN esp-group ‘ESP-DMVPN’
set vpn ipsec profile NHRPVPN ike-group ‘IKE-DMVPN’
# Troubleshooting aid: "show vpn ike sa" and "show vpn ipsec sa" show whether phase 1
# and phase 2 with 172.16.120.102 come up at all.
!!!Cisco Spoke!!!
! Pre-shared key, scoped to the hub address only.
! NOTE(review): the keyring and the "match identity" line below list only
! 172.16.120.101. IKE negotiated directly with another spoke (for example the VyOS
! spoke at 172.16.120.104) would presumably find no key or profile match - confirm.
crypto keyring DMVPN
pre-shared-key address 172.16.120.101 key secret
!
! Phase 1 policy: AES-256, pre-shared key, DH group 2.
! No "hash" or "lifetime" line is present, so the IOS defaults apply; the VyOS side
! sets sha1 and 3600 explicitly. "show crypto isakmp policy" prints the effective
! values for comparison.
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
crypto isakmp invalid-spi-recovery
! Dead-peer detection: keepalive every 30 s, retry interval 30 s, sent periodically.
crypto isakmp keepalive 30 30 periodic
! ISAKMP profile selecting the keyring for a peer that identifies as the hub address.
crypto isakmp profile DMVPN
keyring DMVPN
match identity address 172.16.120.101 255.255.255.255
!
! Phase 2 transform: ESP with AES-256 and SHA-1 HMAC in transport mode, matching
! esp-group ESP-DMVPN on the VyOS routers.
crypto ipsec transform-set DMVPN-AES256 esp-aes 256 esp-sha-hmac
mode transport
!
! IPsec profile applied to the tunnel.
! NOTE(review): there is no "set pfs" line here, while the VyOS esp-group uses
! pfs dh-group2. This is one visible difference between the two ends; whether it is
! related to the IKMP_MODE_FAILURE message cannot be told from the configs alone.
! "debug crypto isakmp" shows which notify the hub actually sends.
crypto ipsec profile DMVPN
set security-association idle-time 720
set transform-set DMVPN-AES256
set isakmp-profile DMVPN
!
! NOTE(review): DH group 2 and SHA-1 are legacy choices and "secret" is a placeholder
! key; acceptable for a lab, but use stronger groups and hashes and a long random key
! or certificates where real traffic is carried.
! Multipoint GRE tunnel towards the hub.
interface Tunnel10
ip address 10.0.0.3 255.255.255.248
no ip redirects
! NHRP authentication string, same value as cisco-authentication on the VyOS routers.
ip nhrp authentication secret
! Static mapping of the hub tunnel address to its WAN address, also used for multicast.
ip nhrp map 10.0.0.1 172.16.120.101
ip nhrp map multicast 172.16.120.101
ip nhrp network-id 1
! Hold time 600 here; the VyOS routers use holding-time 300.
ip nhrp holdtime 600
ip nhrp nhs 10.0.0.1
ip nhrp registration timeout 75
! F1/0 is presumably the interface holding 172.16.120.102 - confirm.
tunnel source F1/0
tunnel mode gre multipoint
! GRE key 1, same as "parameters ip key" on the VyOS tunnels.
tunnel key 1
tunnel protection ipsec profile DMVPN
!!!Vyos Spoke!!!
# NOTE(review): the quotes in this listing are typographic (‘ ’), presumably a forum
# rendering artifact; retype them as plain ASCII quotes before pasting into the VyOS CLI.
# GRE tunnel tun0 on the VyOS spoke (the spoke that works against the hub).
set interfaces tunnel tun0 address ‘10.0.0.2/29’
set interfaces tunnel tun0 encapsulation ‘gre’
set interfaces tunnel tun0 multicast ‘enable’
# GRE key 1, same value as on the hub and the Cisco spoke.
set interfaces tunnel tun0 parameters ip key ‘1’
# Source address is left as 0.0.0.0 rather than the WAN address 172.16.120.104.
set interfaces tunnel tun0 source-address ‘0.0.0.0’
# NHRP: same authentication string as the hub. It travels as a plain string inside
# NHRP packets, so it is only kept private while IPsec protects the GRE traffic.
set protocols nhrp tunnel tun0 cisco-authentication ‘secret’
set protocols nhrp tunnel tun0 holding-time ‘300’
# Static map of the hub tunnel address to its WAN address, with registration to it.
set protocols nhrp tunnel tun0 map 10.0.0.1 nbma-address ‘172.16.120.101’
set protocols nhrp tunnel tun0 map 10.0.0.1 register
set protocols nhrp tunnel tun0 multicast ‘nhs’
# redirect + shortcut: the options used for direct spoke-to-spoke tunnels.
set protocols nhrp tunnel tun0 redirect
set protocols nhrp tunnel tun0 shortcut
# IPsec is enabled on eth1, presumably the WAN interface holding 172.16.120.104 - confirm.
set vpn ipsec interface ‘eth1’
# ESP (phase 2): identical to the hub - transport mode, AES-256 with SHA-1,
# lifetime 1800, PFS with DH group 2.
set vpn ipsec esp-group ESP-DMVPN compression ‘disable’
set vpn ipsec esp-group ESP-DMVPN lifetime ‘1800’
set vpn ipsec esp-group ESP-DMVPN mode ‘transport’
set vpn ipsec esp-group ESP-DMVPN pfs ‘dh-group2’
set vpn ipsec esp-group ESP-DMVPN proposal 1 encryption ‘aes256’
set vpn ipsec esp-group ESP-DMVPN proposal 1 hash ‘sha1’
# IKE (phase 1): identical to the hub - IKEv1, AES-256, SHA-1, DH group 2, lifetime 3600.
# ikev2-reauth is set although key-exchange is ikev1; presumably it has no effect here.
set vpn ipsec ike-group IKE-DMVPN ikev2-reauth ‘no’
set vpn ipsec ike-group IKE-DMVPN key-exchange ‘ikev1’
set vpn ipsec ike-group IKE-DMVPN lifetime ‘3600’
set vpn ipsec ike-group IKE-DMVPN proposal 1 dh-group ‘2’
set vpn ipsec ike-group IKE-DMVPN proposal 1 encryption ‘aes256’
set vpn ipsec ike-group IKE-DMVPN proposal 1 hash ‘sha1’
# NOTE(review): IKEv1, DH group 2 (1024-bit MODP) and SHA-1 are legacy choices, and
# ‘secret’ is a placeholder key. That is enough to reproduce a lab problem; for a
# network carrying real traffic prefer IKEv2, DH group 14 or higher, SHA-256, and a
# long random key or certificates, provided every peer supports them.
# Profile NHRPVPN ties the pre-shared key and both proposal groups to tun0.
set vpn ipsec profile NHRPVPN authentication mode ‘pre-shared-secret’
set vpn ipsec profile NHRPVPN authentication pre-shared-secret ‘secret’
set vpn ipsec profile NHRPVPN bind tunnel ‘tun0’
set vpn ipsec profile NHRPVPN esp-group ‘ESP-DMVPN’
set vpn ipsec profile NHRPVPN ike-group ‘IKE-DMVPN’