kkwong_nyc asked:
How to configure DMVPN with hub router behind firewall?
I am trying to configure DMVPN with a hub 2921 router behind an ASA 5520 firewall and the spoke router connected directly to the internet.
I got phase one ISAKMP connected, but there is no IPsec traffic; the tunnel interface is not up.
ASKER
You need to allow GRE, ISAKMP, and ESP to the DMVPN hub:
ISAKMP: UDP 500
ESP: IP protocol 50
GRE: IP protocol 47
harbor235 ;}
ASKER
The hub router is behind an ASA 5520, which:
1. NATs the hub router's outside interface to a public IP
2. permits UDP 500
3. permits UDP 4500 (NAT-T)
4. permits protocol 50
5. permits protocol 47
6. permits protocol 88 (EIGRP)
On the spoke router, I removed the access-list so ip any any is permitted.
Anything else I need to do?
Thanks
kkwong_nyc
You do not need 88; the routing is encapsulated in GRE. It should work.
harbor235 ;}
ASKER
The problem is that phase one is OK, but phase two negotiation failed; PROPOSAL_NOT_CHOSEN is returned from the hub router. I copied and pasted the isakmp and ipsec config from one router to the other, so they should be identical. Don't know why...
debug crypto isakmp
debug crypto ipsec
debug crypto engine
Debug to see why it's failing.
harbor235 ;}
ASKER CERTIFIED SOLUTION
ASKER
Removing the access-list from the WAN interface resolved the issue. All tunnels are up and running.
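The thread ends with the hub's WAN access-list simply removed. The tighter alternative is to keep an ACL on both devices that permits only the transports DMVPN actually needs (UDP 500, UDP 4500 for NAT-T, ESP, GRE) and logs everything else, which also makes a blocked phase two negotiation visible in the deny counters. The configuration below is an added example, not anything posted in the thread; the addresses (hub outside interface 10.1.1.1, public NAT address 203.0.113.10), the object, ACL and interface names, and the ASA 8.3+ object-NAT syntax are all assumptions for illustration.

```cisco
! ===== ASA 5520 in front of the DMVPN hub (example, assumed addressing) =====
! Assumed: hub router outside interface 10.1.1.1 sits on the ASA inside;
! the ASA presents it to spokes as 203.0.113.10 via one-to-one static NAT.
! ASA 8.3+ : ACLs match the real (untranslated) address of the hub.
object network DMVPN_HUB
 host 10.1.1.1
 nat (inside,outside) static 203.0.113.10
!
! Only the DMVPN transports reach the hub; everything else is dropped and logged.
access-list OUTSIDE_IN extended permit udp any host 10.1.1.1 eq 500
access-list OUTSIDE_IN extended permit udp any host 10.1.1.1 eq 4500
access-list OUTSIDE_IN extended permit esp any host 10.1.1.1
access-list OUTSIDE_IN extended permit gre any host 10.1.1.1
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! No entry for IP protocol 88: EIGRP hellos between hub and spokes travel
! inside the GRE tunnel, so they are already covered by the GRE permit.

! ===== Hub router (2921) WAN interface ACL (example, assumed names) =====
! Scoped replacement for removing the WAN access-list altogether.
! By the time a packet reaches the router the ASA has already translated
! the destination to 10.1.1.1, so the router ACL matches the real address.
ip access-list extended WAN_IN
 permit udp any host 10.1.1.1 eq isakmp
 permit udp any host 10.1.1.1 eq 4500
 permit esp any host 10.1.1.1
 permit gre any host 10.1.1.1
 deny   ip any any log
!
interface GigabitEthernet0/0
 description Outside, behind ASA (assumed interface)
 ip address 10.1.1.1 255.255.255.0
 ip access-group WAN_IN in
```

When phase one completes but the tunnel never comes up, `show access-list OUTSIDE_IN` on the ASA and `show ip access-lists WAN_IN` on the router show which of these entries are taking hits; a growing deny counter with no hits on the ESP, UDP 4500 or GRE lines points at the filter rather than at an ISAKMP or IPsec policy mismatch.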