kkwong_nyc

How to configure dmvpn with hub router behind firewall?

I am trying to configure dmvpn with hub 2921 router behind an asa 5520 firewall and the spoke router connected directly to internet.
I got phase one isakmp connected but there is no ipsec traffic; the tunnel interface is not up.

You need to allow GRE, ISAKMP, and ESP to the DMVPN hub.

ISAKMP: UDP 500
ESP: IP protocol 50
GRE: IP protocol 47

harbor235 ;}
The hub router is behind an ASA 5520, which:
1. nat hub router's outside interface to a public IP
2. permit udp 500
3. permit udp 4500 (nat-t)
4. permit protocol 50
5. permit protocol 47
6. permit protocol 88 (eigrp)

On the spoke router, I removed the access-list so ip any any is permitted.

Anything else I need to do?

Thanks
kkwong_nyc


You do not need 88; the routing is encapsulated in GRE. It should work.

harbor235 ;}
The problem is that phase one is OK but phase two negotiation failed; PROPOSAL_NOT_CHOSEN is returned from the hub router. I copied and pasted the isakmp and ipsec configuration from one router to the other, so they should be identical. Don't know why...
debug crypto isakmp
debug crypto ipsec
debug crypto engine

Debug to see why it's failing.

harbor235 ;}
ASKER CERTIFIED SOLUTION
kkwong_nyc

Removing the access-list from WAN interface resolved the issue. All tunnels are up and running.
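As an added example (not the asker's or harbor235's configuration), here is the rule set from this thread written out: the ASA static NAT plus outside ACL for UDP 500/4500, ESP and GRE toward the hub, a scoped WAN ACL on the hub so the access-list can stay in place instead of being removed, and the spoke NHRP mapping to the hub's post-NAT public address. ASA 8.3+ object NAT syntax, the addresses 10.1.1.10 (hub outside interface), 203.0.113.10 (public NAT address), 10.0.0.1 (hub tunnel address), and the ACL and interface names are all assumptions.

```cisco
! --- ASA 5520 (8.3+ object NAT syntax assumed) ---
! Hub router outside interface on the ASA inside network (placeholder address)
object network DMVPN_HUB
 host 10.1.1.10
 ! Public IP the spokes use as the hub's NBMA address (placeholder)
 nat (inside,outside) static 203.0.113.10
!
! 8.3+ ACLs match the real (untranslated) address, hence "object DMVPN_HUB"
access-list OUTSIDE_IN extended permit udp any object DMVPN_HUB eq isakmp
access-list OUTSIDE_IN extended permit udp any object DMVPN_HUB eq 4500
access-list OUTSIDE_IN extended permit esp any object DMVPN_HUB
! Once tunnel protection is applied, GRE travels inside ESP/UDP 4500;
! the GRE permit is kept to match the rule set in the thread
access-list OUTSIDE_IN extended permit gre any object DMVPN_HUB
access-group OUTSIDE_IN in interface outside

! --- Hub router (IOS): scoped WAN ACL instead of removing the ACL entirely ---
ip access-list extended WAN_IN
 remark Spoke public addresses are dynamic, so source is any; destination is pinned
 permit udp any host 10.1.1.10 eq isakmp
 permit udp any host 10.1.1.10 eq non500-isakmp
 permit esp any host 10.1.1.10
 permit gre any host 10.1.1.10
 deny ip any any log
!
interface GigabitEthernet0/0
 description WAN toward ASA inside
 ip access-group WAN_IN in

! --- Spoke router (IOS): NHRP must point at the hub's public (post-NAT) address ---
interface Tunnel0
 ip nhrp map 10.0.0.1 203.0.113.10
 ip nhrp map multicast 203.0.113.10
 ip nhrp nhs 10.0.0.1
```

The `deny ip any any log` entry on the hub gives a log line for anything the spokes send that is not DMVPN traffic, which is the first place to look if a tunnel stays down after a firewall change.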