DMVPN and BEFVP41 V2 config help

Has anyone gotten a BEFVP41 (or any other Linksys router for that matter) to work with a Cisco device in a DMVPN situation?

I just spent a good amount of my life trying to figure it out to no avail. This is as far as I've gotten:

2006-11-19 21:08:20 IKE[1] Tx >> MM_I1 : 216.60.13.254 SA
2006-11-19 21:08:21 IKE[1] Rx << MM_R1 : 216.60.13.254 SA
2006-11-19 21:08:21 IKE[1] ISAKMP SA CKI=[d75bde69 8762402e] CKR=[9f7612b1 cd33d349]
2006-11-19 21:08:21 IKE[1] ISAKMP SA 3DES / SHA / PreShared / MODP_768 / 86400 sec (*86400 sec)
2006-11-19 21:08:21 IKE[1] Tx >> MM_I2 : 216.60.13.254 KE, NONCE
2006-11-19 21:08:21 IKE[1] Rx << MM_R2 : 216.60.13.254 KE, NONCE, VID, VID, VID, VID
2006-11-19 21:08:21 IKE[1] Tx >> MM_I3 : 216.60.13.254 ID, HASH
2006-11-19 21:08:22 IKE[1] Rx << MM_R3 : 216.60.13.254 ID, HASH
2006-11-19 21:08:22 IKE[1] Tx >> QM_I1 : 216.60.13.254 HASH, SA, NONCE, ID, ID
2006-11-19 21:08:22 IKE[1] Rx << Notify : NO-PROPOSAL-CHOSEN

I can post configs if anyone has done this before and would be willing to help me out.

Thanks in advance,
TheErk

 

Nope, I'm talking about Dynamic Multipoint VPN. I'm really beginning to wonder if I can do that though. So, any help just getting that model to connect via a normal tunnel to a 3725 running IPSEC 3DES BASIC would be fantastic!


Here's what I'm working with currently, and I've gotten 2600 series routers to work great with this:

crypto isakmp policy 1
encr 3des
authentication pre-share
crypto isakmp key isakmpkey address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 20
!
crypto ipsec security-association idle-time 86400
!
crypto ipsec transform-set nunya esp-3des
mode transport
!
!
crypto ipsec profile nunya
set security-association lifetime seconds 86400
set transform-set nunya
!
!
!
!
!
interface Tunnel1
bandwidth 1000
ip address 172.0.0.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication PASSWORD
ip nhrp map multicast dynamic
ip nhrp network-id 99
ip nhrp holdtime 300
ip tcp adjust-mss 1360
no ip mroute-cache
delay 1000
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 9999
tunnel protection ipsec profile nunya


Thanks,
TheErk

 

The SA is getting hung up during phase 1, my guess is that the linksys router does not know how to handle the "address" subcommand on the isakmp key string. I know it should not matter but non cisco devices can be very tempermental when it comes to commands outside of the scope that i would term simple. I have never used that particular linksys but i have made linksys work with cisco just not in a DMVPN configuration. I would recommend reconfiguring the router to a basic vpn config without anything that is not 100% necessary to establish the tunnel and then double check the linksys config.

 

Thanks for the response. On another thread, someone gave me a config on how to set up a basic tunnel. I haven't had a chance to try that out, but I think that I'm going to go that route, as I doubt that the Linksys box will know how to deal with the NHRP stuff.

--TheErk

 

As a side note i have to agree with Linksys not working in an NHRP environment. I have not yet tried to static route everything to try and make it work, but i can tell you for sure that linksys does not know how to arp for potential hosts across a tunnel and really doesnt like to "relay" data received on the wan port back out the wan port towards a different network or host. A limitation in the code? Yes, but I think more so by design then anything else as most who use vpn get linksys for QuickVPN capabilites and QuickVPN has no way of handling anything other then data being sent directly to the network of the QuickVPN server.

 

Not sure if you got this but try removing the global key with the zeros and use a isakamp profle

crypto keyring dmvpnspokes
pre-shared-key address 0.0.0.0 0.0.0.0 key isakmpkey

crypto isakmp profile DMVPN
keyring dmvpnspokes
match identity address 0.0.0.0

crypto ipsec profile nunya
set security-association lifetime seconds 86400
set transform-set nunya
set isakmp-profile DMVPN