
How to configure dmvpn with hub router behind firewall?

kkwong_nyc asked:
I am trying to configure DMVPN with a hub 2921 router behind an ASA 5520 firewall and the spoke router connected directly to the internet.
I got phase one ISAKMP connected, but there is no IPsec traffic; the tunnel interface is not up.

CERTIFIED EXPERT

Commented:

You need to allow GRE, ISAKMP, and ESP to the DMVPN hub:

ISAKMP: UDP 500
ESP: IP protocol 50
GRE: IP protocol 47

harbor235 ;}
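As an added example (not configuration from this thread), here is what harbor235's list looks like as ASA rules for a hub behind the firewall. The names and addresses are assumptions: the hub's outside interface is 192.0.2.10 on the ASA "inside", its public address is 203.0.113.10 on the ASA "outside", and the ASA runs 8.3 or later, where inbound ACLs reference the real (pre-NAT) address through the network object:

```cisco
! Added example, not the thread's configuration. Assumed values: hub outside
! interface 192.0.2.10 (ASA "inside"), public address 203.0.113.10 (ASA "outside"),
! ASA 8.3+ NAT syntax. Replace with your own addressing and interface names.

! Static one-to-one NAT so the spokes reach the hub at its public address.
object network DMVPN-HUB
 host 192.0.2.10
 nat (inside,outside) static 203.0.113.10

! Inbound from the spokes: ISAKMP, NAT-T, ESP and GRE to the hub.
! ASA 8.3+ ACLs match the real address, so the object is used, not 203.0.113.10.
access-list OUTSIDE-IN extended permit udp any object DMVPN-HUB eq isakmp
access-list OUTSIDE-IN extended permit udp any object DMVPN-HUB eq 4500
access-list OUTSIDE-IN extended permit esp any object DMVPN-HUB
access-list OUTSIDE-IN extended permit gre any object DMVPN-HUB
access-group OUTSIDE-IN in interface outside
```

Because the hub sits behind NAT, the peers detect it during IKE and switch to NAT-T, so the IPsec traffic crossing the ASA is UDP 4500 rather than raw ESP, and with tunnel protection the GRE packets ride inside that. The esp and gre lines are therefore only hit if NAT-T or tunnel protection is not in use. `show access-list OUTSIDE-IN` on the ASA should show the hit counts on the isakmp and 4500 lines rising while a spoke brings its tunnel up.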

Author

Commented:
The hub router is behind an ASA 5520, which:
1. NATs the hub router's outside interface to a public IP
2. permits UDP 500
3. permits UDP 4500 (NAT-T)
4. permits protocol 50
5. permits protocol 47
6. permits protocol 88 (EIGRP)

On the spoke router, I removed the access-list so ip any any is permitted.

Anything else I need to do?

Thanks
kkwong_nyc
CERTIFIED EXPERT

Commented:


You do not need 88; the routing is encapsulated in GRE. It should work.

harbor235 ;}

Author

Commented:
The problem is that phase one is OK but the phase two negotiation fails; PROPOSAL_NOT_CHOSEN is returned from the hub router. I copied and pasted the ISAKMP and IPsec configuration from one router to the other, so they should be identical. Don't know why...
CERTIFIED EXPERT

Commented:
debug crypto isakmp
debug crypto ipsec
debug crypto engine

Debug to see why it's failing.

harbor235 ;}
Author

Commented:
The access-list was removed but was still applied on the WAN interface, which has an implicit deny. Removing the access-group from F4 resolved the issue.

Thank you all for your attention.

Author

Commented:
Removing the access-list from the WAN interface resolved the issue. All tunnels are up and running.
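The closing posts come down to a spoke-side WAN ACL that had been emptied but was still bound to the interface. The commands below are an added example, not the poster's configuration: they show how to check for that binding on IOS and, going one step beyond the thread (which simply removed the ACL), a minimal filter that admits only what the spoke needs from the hub. The interface name FastEthernet4, the ACL name WAN-IN and the hub public address 203.0.113.10 are assumptions:

```cisco
! Added example, not the poster's configuration. Assumed: WAN interface
! FastEthernet4, inbound ACL WAN-IN, hub public address 203.0.113.10.

! 1. Is an ACL still bound to the WAN interface? While it is bound, every
!    inbound packet its entries do not permit falls through to the implicit deny.
show ip interface FastEthernet4 | include access list
show ip access-lists WAN-IN

! 2a. Fix as done in the thread: unbind it from the interface.
configure terminal
 interface FastEthernet4
  no ip access-group WAN-IN in
 end

! 2b. Alternative (beyond the thread): keep a filter that permits only the
!     DMVPN traffic from the hub. The spoke is not NATed, so IKE and NAT-T
!     use the same port on both ends (500 and 4500, "non500-isakmp" in IOS).
configure terminal
 ip access-list extended WAN-IN
  permit udp host 203.0.113.10 eq isakmp any eq isakmp
  permit udp host 203.0.113.10 eq non500-isakmp any eq non500-isakmp
  permit esp host 203.0.113.10 any
  permit gre host 203.0.113.10 any
  deny ip any any log
 interface FastEthernet4
  ip access-group WAN-IN in
 end

! 3. Verify after either change: IKE SA, IPsec SA, NHRP registration, tunnel state.
show crypto isakmp sa
show crypto ipsec sa
show dmvpn
show ip nhrp
```

Option 2b admits DMVPN traffic only; if the spoke's WAN interface also needs DHCP, ICMP or management access, add those entries before the final deny, and watch the `log` hits on that line while the tunnel comes up to catch anything you forgot.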