Hi,
Sorry, I missed your earlier point about it all working until you apply IPSec.
On Tue, May 12, 2009 at 11:18 PM, olumayokun fowowe
<olumayokun_at_gmail.com> wrote:
> Hello Dale
>
> I did tunnel mode gre multipoint as you suggested but I'm sitll having the
> same error as indcated below:
Try:
crypto ipsec transform-set cisco_vpnset esp-3des esp-sha-hmac
mode transport
The other differences I see in your config to my working config are:
crypto ipsec profile cisco_vpnprof
set pfs group2
(but it's probably not that)
int tun0
ip mtu 1420
(you need that, but it's probably not that)
on the spokes:
int tun0
ip nhrp nhs 10.x.x.1
(you need that, but I don't think that'll stop a spoke-to-hub tunnel forming)
Take it back to basics.. are you sure you've got the IPSec stuff
configured properly on all routers? 'tunnel protection ipsec' is
configured on all tunnel interfaces?
Troubleshoot it as an IPSec problem and forget about DMVPN. Enable
some debugs -- 'debug crypto isakmp' first, then 'debug crypto ipsec',
then maybe 'debug crypto engine'
I'm not sure why you're seeing a GRE packet (protocol 47) there..
If all else fails, gather your configs again, except this time post
the underlying physical interface config used by your tunnels.
cheers,
Dale
Blogs and organic groups at http://www.ccie.net
Received on Tue May 12 2009 - 23:50:31 ART
This archive was generated by hypermail 2.2.0 : Mon Jun 01 2009 - 07:04:42 ART