DMVPN and BEFVP41 V2 config help

Discussion in 'Other Cisco Equipment' started by TheErk, Nov 20, 2006.

  1. TheErk

    TheErk LI Guru Member

    Has anyone gotten a BEFVP41 (or any other Linksys router for that matter) to work with a Cisco device in a DMVPN situation?

    I just spent a good amount of my life trying to figure it out to no avail. This is as far as I've gotten:

    2006-11-19 21:08:20 IKE[1] Tx >> MM_I1 : SA
    2006-11-19 21:08:21 IKE[1] Rx << MM_R1 : SA
    2006-11-19 21:08:21 IKE[1] ISAKMP SA CKI=[d75bde69 8762402e] CKR=[9f7612b1 cd33d349]
    2006-11-19 21:08:21 IKE[1] ISAKMP SA 3DES / SHA / PreShared / MODP_768 / 86400 sec (*86400 sec)
    2006-11-19 21:08:21 IKE[1] Tx >> MM_I2 : KE, NONCE
    2006-11-19 21:08:21 IKE[1] Rx << MM_R2 : KE, NONCE, VID, VID, VID, VID
    2006-11-19 21:08:21 IKE[1] Tx >> MM_I3 : ID, HASH
    2006-11-19 21:08:22 IKE[1] Rx << MM_R3 : ID, HASH
    2006-11-19 21:08:22 IKE[1] Tx >> QM_I1 : HASH, SA, NONCE, ID, ID
    2006-11-19 21:08:22 IKE[1] Rx << Notify : NO-PROPOSAL-CHOSEN

    I can post configs if anyone has done this before and would be willing to help me out.

    Thanks in advance,
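An added example, not part of the original thread: a small Python parser run over the log lines posted above, which reports the exchange at which the IKEv1 negotiation stopped and flags negotiated ISAKMP parameters that are weak by current standards. The function name, the result fields and the contents of the WEAK set are assumptions of this example.

```python
import re

# Log lines exactly as posted in the thread (BEFVP41 acting as IKE initiator).
LOG = """\
2006-11-19 21:08:20 IKE[1] Tx >> MM_I1 : SA
2006-11-19 21:08:21 IKE[1] Rx << MM_R1 : SA
2006-11-19 21:08:21 IKE[1] ISAKMP SA CKI=[d75bde69 8762402e] CKR=[9f7612b1 cd33d349]
2006-11-19 21:08:21 IKE[1] ISAKMP SA 3DES / SHA / PreShared / MODP_768 / 86400 sec (*86400 sec)
2006-11-19 21:08:21 IKE[1] Tx >> MM_I2 : KE, NONCE
2006-11-19 21:08:21 IKE[1] Rx << MM_R2 : KE, NONCE, VID, VID, VID, VID
2006-11-19 21:08:21 IKE[1] Tx >> MM_I3 : ID, HASH
2006-11-19 21:08:22 IKE[1] Rx << MM_R3 : ID, HASH
2006-11-19 21:08:22 IKE[1] Tx >> QM_I1 : HASH, SA, NONCE, ID, ID
2006-11-19 21:08:22 IKE[1] Rx << Notify : NO-PROPOSAL-CHOSEN
"""

EXCHANGE = re.compile(r"IKE\[\d+\] (Tx >>|Rx <<) (\S+) : (.+)$")
SA_PARAMS = re.compile(r"ISAKMP SA (\S+) / (\S+) / (\S+) / (\S+) /")
# Assumption of this example: algorithms and DH groups treated as weak today.
WEAK = {"DES", "3DES", "MD5", "MODP_768", "MODP_1024"}


def analyze(log):
    """Report where an IKEv1 negotiation stopped and which SA parameters are weak."""
    result = {"phase1_done": False, "last_sent": None, "error": None,
              "failed_phase": None, "weak": []}
    for line in log.splitlines():
        params = SA_PARAMS.search(line)
        if params:  # negotiated cipher / hash / auth method / DH group
            result["weak"] = [p for p in params.groups() if p in WEAK]
            continue
        exchange = EXCHANGE.search(line)
        if not exchange:
            continue
        direction, message, payloads = exchange.groups()
        if message == "MM_R3":  # last main-mode message: phase 1 is complete
            result["phase1_done"] = True
        if direction == "Tx >>":
            result["last_sent"] = message
        elif message == "Notify":  # peer rejected the message we sent last
            result["error"] = payloads.strip()
            quick_mode = (result["last_sent"] or "").startswith("QM_")
            result["failed_phase"] = 2 if quick_mode else 1
    return result


if __name__ == "__main__":
    print(analyze(LOG))
```

On the posted log this reports main mode finished through MM_R3 and the NO-PROPOSAL-CHOSEN notify arriving in answer to QM_I1, with 3DES and MODP_768 flagged.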
  2. DocLarge

    DocLarge Super Moderator Staff Member Member

    When you say "DMVPN," do you mean "DMV VPN?"

  3. TheErk

    TheErk LI Guru Member

    Nope, I'm talking about Dynamic Multipoint VPN. I'm really beginning to wonder if I can do that though. So, any help just getting that model to connect via a normal tunnel to a 3725 running IPSEC 3DES BASIC would be fantastic!

    Here's what I'm working with currently, and I've gotten 2600 series routers to work great with this:

    crypto isakmp policy 1
     encr 3des
     authentication pre-share
    crypto isakmp key isakmpkey address
    crypto isakmp keepalive 20
    crypto ipsec security-association idle-time 86400
    crypto ipsec transform-set nunya esp-3des
     mode transport
    crypto ipsec profile nunya
     set security-association lifetime seconds 86400
     set transform-set nunya
    interface Tunnel1
     bandwidth 1000
     ip address
     no ip redirects
     ip mtu 1400
     ip nhrp authentication PASSWORD
     ip nhrp map multicast dynamic
     ip nhrp network-id 99
     ip nhrp holdtime 300
     ip tcp adjust-mss 1360
     no ip mroute-cache
     delay 1000
     tunnel source FastEthernet0/0
     tunnel mode gre multipoint
     tunnel key 9999
     tunnel protection ipsec profile nunya

  4. ifican

    ifican Network Guru Member

    The SA is getting hung up during phase 1; my guess is that the Linksys router does not know how to handle the "address" subcommand on the isakmp key string. I know it should not matter, but non-Cisco devices can be very temperamental when it comes to commands outside of the scope that I would term simple. I have never used that particular Linksys, but I have made Linksys work with Cisco, just not in a DMVPN configuration. I would recommend reconfiguring the router to a basic VPN config without anything that is not 100% necessary to establish the tunnel and then double-checking the Linksys config.
  5. TheErk

    TheErk LI Guru Member

    Thanks for the response. On another thread, someone gave me a config on how to set up a basic tunnel. I haven't had a chance to try that out, but I think that I'm going to go that route, as I doubt that the Linksys box will know how to deal with the NHRP stuff.

  6. DocLarge

    DocLarge Super Moderator Staff Member Member

    Kewl... :)

    Would you mind posting the config in the Cisco Forum? That would be just one more config we have to make available to other users...

  7. ifican

    ifican Network Guru Member

    As a side note, I have to agree with Linksys not working in an NHRP environment. I have not yet tried to static route everything to try and make it work, but I can tell you for sure that Linksys does not know how to ARP for potential hosts across a tunnel and really doesn't like to "relay" data received on the WAN port back out the WAN port towards a different network or host. A limitation in the code? Yes, but I think more so by design than anything else, as most who use VPN get Linksys for QuickVPN capabilities, and QuickVPN has no way of handling anything other than data being sent directly to the network of the QuickVPN server.
  8. bschlegel

    bschlegel Guest

    Not sure if you got this, but try removing the global key with the zeros and use an isakmp profile

    crypto keyring dmvpnspokes
     pre-shared-key address key isakmpkey

    crypto isakmp profile DMVPN
     keyring dmvpnspokes
     match identity address

    crypto ipsec profile nunya
     set security-association lifetime seconds 86400
     set transform-set nunya
     set isakmp-profile DMVPN