Has anyone gotten a BEFVP41 (or any other Linksys router for that matter) to work with a Cisco device in a DMVPN situation? I just spent a good amount of my life trying to figure it out to no avail. This is as far as I've gotten:

2006-11-19 21:08:20 IKE[1] Tx >> MM_I1 : 216.60.13.254 SA
2006-11-19 21:08:21 IKE[1] Rx << MM_R1 : 216.60.13.254 SA
2006-11-19 21:08:21 IKE[1] ISAKMP SA CKI=[d75bde69 8762402e] CKR=[9f7612b1 cd33d349]
2006-11-19 21:08:21 IKE[1] ISAKMP SA 3DES / SHA / PreShared / MODP_768 / 86400 sec (*86400 sec)
2006-11-19 21:08:21 IKE[1] Tx >> MM_I2 : 216.60.13.254 KE, NONCE
2006-11-19 21:08:21 IKE[1] Rx << MM_R2 : 216.60.13.254 KE, NONCE, VID, VID, VID, VID
2006-11-19 21:08:21 IKE[1] Tx >> MM_I3 : 216.60.13.254 ID, HASH
2006-11-19 21:08:22 IKE[1] Rx << MM_R3 : 216.60.13.254 ID, HASH
2006-11-19 21:08:22 IKE[1] Tx >> QM_I1 : 216.60.13.254 HASH, SA, NONCE, ID, ID
2006-11-19 21:08:22 IKE[1] Rx << Notify : NO-PROPOSAL-CHOSEN

I can post configs if anyone has done this before and would be willing to help me out.

Thanks in advance,
TheErk
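As an added example (not code from the thread), this sketch reads the router's IKE log format shown in the post above and reports whether the Main Mode (phase 1) exchange finished and which exchange the peer's Notify answered. The function name `diagnose` and the parsing regex are assumptions based only on the lines quoted in the post.

```python
import re

# Log lines copied from the post above, one message per line.
SAMPLE_LOG = """\
2006-11-19 21:08:20 IKE[1] Tx >> MM_I1 : 216.60.13.254 SA
2006-11-19 21:08:21 IKE[1] Rx << MM_R1 : 216.60.13.254 SA
2006-11-19 21:08:21 IKE[1] ISAKMP SA 3DES / SHA / PreShared / MODP_768 / 86400 sec (*86400 sec)
2006-11-19 21:08:21 IKE[1] Tx >> MM_I2 : 216.60.13.254 KE, NONCE
2006-11-19 21:08:21 IKE[1] Rx << MM_R2 : 216.60.13.254 KE, NONCE, VID, VID, VID, VID
2006-11-19 21:08:21 IKE[1] Tx >> MM_I3 : 216.60.13.254 ID, HASH
2006-11-19 21:08:22 IKE[1] Rx << MM_R3 : 216.60.13.254 ID, HASH
2006-11-19 21:08:22 IKE[1] Tx >> QM_I1 : 216.60.13.254 HASH, SA, NONCE, ID, ID
2006-11-19 21:08:22 IKE[1] Rx << Notify : NO-PROPOSAL-CHOSEN
"""

# Assumed line shape: "IKE[n] <direction> <message name> : <peer and payloads>"
MSG = re.compile(r"IKE\[\d+\] (Tx >>|Rx <<) (\w+) : (.*)")

# IKEv1 exchange prefixes used in the log: MM = Main Mode, QM = Quick Mode.
PHASE = {"MM": "phase 1 (Main Mode)", "QM": "phase 2 (Quick Mode)"}


def diagnose(log_text):
    """Return (phase1_done, rejected_phase, notify_text) for an initiator log.

    phase1_done is True once the responder's third Main Mode message (MM_R3)
    has been received. rejected_phase names the exchange of the last message
    sent before a Notify came back, or None if no Notify was received.
    """
    seen, last_tx = [], None
    for line in log_text.splitlines():
        m = MSG.search(line)
        if not m:
            continue  # SA summary lines carry no message name
        direction, name, payload = m.groups()
        if direction == "Rx <<" and name == "Notify":
            phase = PHASE.get(last_tx[:2], "unknown") if last_tx else "unknown"
            return ("MM_R3" in seen, phase, payload.strip())
        seen.append(name)
        if direction == "Tx >>":
            last_tx = name
    return ("MM_R3" in seen, None, None)


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```

For this log the Notify answers QM_I1, so the proposal the peer declined is the Quick Mode (IPsec SA) one, which on the Cisco side corresponds to the transform-set and its mode rather than the ISAKMP policy.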
Nope, I'm talking about Dynamic Multipoint VPN. I'm really beginning to wonder if I can do that though. So, any help just getting that model to connect via a normal tunnel to a 3725 running IPSEC 3DES BASIC would be fantastic! Here's what I'm working with currently, and I've gotten 2600 series routers to work great with this:

crypto isakmp policy 1
 encr 3des
 authentication pre-share
crypto isakmp key isakmpkey address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 20
!
crypto ipsec security-association idle-time 86400
!
crypto ipsec transform-set nunya esp-3des
 mode transport
!
!
crypto ipsec profile nunya
 set security-association lifetime seconds 86400
 set transform-set nunya
!
!
!
!
!
interface Tunnel1
 bandwidth 1000
 ip address 172.0.0.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication PASSWORD
 ip nhrp map multicast dynamic
 ip nhrp network-id 99
 ip nhrp holdtime 300
 ip tcp adjust-mss 1360
 no ip mroute-cache
 delay 1000
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 9999
 tunnel protection ipsec profile nunya

Thanks,
TheErk
The SA is getting hung up during phase 1; my guess is that the Linksys router does not know how to handle the "address" subcommand on the ISAKMP key string. I know it should not matter, but non-Cisco devices can be very temperamental when it comes to commands outside of the scope that I would term simple. I have never used that particular Linksys, but I have made Linksys work with Cisco, just not in a DMVPN configuration. I would recommend reconfiguring the router to a basic VPN config without anything that is not 100% necessary to establish the tunnel, and then double-check the Linksys config.
Thanks for the response. On another thread, someone gave me a config on how to set up a basic tunnel. I haven't had a chance to try that out, but I think that I'm going to go that route, as I doubt that the Linksys box will know how to deal with the NHRP stuff. --TheErk
Kewl... Would you mind posting the config in the Cisco Forum? That would be just one more config we have to make available to other users... jay
As a side note, I have to agree with Linksys not working in an NHRP environment. I have not yet tried to static route everything to try and make it work, but I can tell you for sure that Linksys does not know how to ARP for potential hosts across a tunnel and really doesn't like to "relay" data received on the WAN port back out the WAN port towards a different network or host. A limitation in the code? Yes, but I think more so by design than anything else, as most who use VPN get Linksys for QuickVPN capabilities, and QuickVPN has no way of handling anything other than data being sent directly to the network of the QuickVPN server.
Not sure if you got this, but try removing the global key with the zeros and use an ISAKMP profile:

crypto keyring dmvpnspokes
 pre-shared-key address 0.0.0.0 0.0.0.0 key isakmpkey
crypto isakmp profile DMVPN
 keyring dmvpnspokes
 match identity address 0.0.0.0
crypto ipsec profile nunya
 set security-association lifetime seconds 86400
 set transform-set nunya
 set isakmp-profile DMVPN