Of course, yes. The whole underlying network is working perfectly and the PKI infrastructure is completely reliable.
When I bring up the tunnel interface with the configuration reported above, ISAKMP goes up (as usual) and then immediately goes down (because the interface goes into reset state).
I suppose it could be a hardware problem or a malfunction of the simulator.
Sorry for the slow response, but I am experimenting with different things on the Spoke tunnel interface.
Unfortunately I am not able to post the Hub and Spoke router configs, but I have noticed a strange thing.
1. interface tunnel 0 with IPSEC-PROF (standard profile) ---> the isakmp goes UP and then goes DOWN (interface reset);
2. new ipsec profile (NEW-ONE, absolutely identical to IPSEC-PROF);
3. no ipsec profile IPSEC-PROF on tunnel 0;
4. ipsec profile NEW-ONE ---> the tunnel 0 interface comes back UP, the isakmp goes UP;
5. the isakmp sa between peers, however, still doesn't establish;
I have to go further, even if the solution could turn out to be good and a new issue could be the cause of the missing isakmp sa establishment.
However, it is strange that two equal ipsec profiles (apart from the name) can change the soup.
I won't fail to add further details.
The only thing to be concerned about when trying it without IPSec is that you will be seeing protocol 47 in the public area of the network. So be aware of that and adjust any ACLs accordingly. Also, be aware that it is in the clear at this point. This will give us an indication of whether we are looking at an issue with IPSec or with mGRE/NHRP.
This sounds like a situation where the router believes the endpoint of the tunnel should use the tunnel, which causes it to collapse.
Turn on "debug ip routing" and see if this flapping occurs (over and over and over...)
If it does, use one protocol for your normal network, and a second protocol for your DMVPN-related networks.
With some additional effort, I have succeeded in making this standard DMVPN configuration work.
PROBLEM: if I put the tunnel protection in an ipsec profile without any transform-set (apart from the default one), my Tunnel interface goes into reset state, which leads nowhere because it can't even set up the isakmp sa.
- created a new ipsec profile;
- applied a new transform-set to the profile;
- tunnel protection ipsec profile created and applied to the tunnel interface;
- the tunnel goes up and everything is ok (isakmp sa, ipsec sa, nhrp establishment).
Unfortunately I can't explain why this happens.
Just to answer those who asked me about the connectivity of the tunnel without protection: this was not an issue, since the connection between peers was OK (ping successful).
Moreover, PKI and RSA-SIG don't matter at all.
- Router 3750 with IOS 12.4(9)T (both Hub and Spoke);
Let me know your idea, if something comes up.
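As an added illustration, not the poster's configuration (which was never shared), here is a minimal IOS tunnel-protection fragment of the kind the steps above describe: first the profile with no explicit transform-set that was reported to reset the tunnel, then a transform-set declared and bound to a profile that is applied to the tunnel. Profile and transform-set names, addresses, the NHRP key and the cipher choices are assumed.

```cisco
! Added example, not the original poster's configuration.
! Names, addresses, NHRP key and ciphers below are assumed values.
! ISAKMP policy and the RSA-SIG/PKI trustpoint are configured separately
! and are unchanged between the two variants.
!
! --- Variant reported as failing: profile with no explicit transform-set ---
crypto ipsec profile IPSEC-PROF
! (no "set transform-set" line; the tunnel was observed to go into reset)
!
! --- Variant reported as working: transform-set declared and bound ---
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile NEW-ONE
 set transform-set DMVPN-TS
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ip nhrp authentication DMVPNKEY
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile NEW-ONE
```

After applying it, check with show crypto ipsec profile and show crypto isakmp sa that the profile lists the bound transform-set and that the ISAKMP SA reaches QM_IDLE instead of the interface cycling through reset.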
In my version of IOS, after completing the set-up of the IPSEC profile with a default transform set, the command:
show crypto ipsec profile
gave me the following:
IPSEC profile NNNNN
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Now, I wonder whether this means "absence of a valid transform-set" or simply "use an (implicit) default transform-set".
I lean towards the first option; however, the official cert guide says that creating a new ipsec profile is enough.
Official documentation on Cisco.com makes you create a transform-set.
Probably an IOS version issue, I don't know.
From now on, I will declare a transform-set.
Hope to be helpful.