DMVPN debugs
Debugs on both sides at the same time:
Debug crypto condition peer ipv4 (public ip of peer)
Debug crypto isakmp
Debug crypto ipsec
Clear DMVPN session and Crypto
Interface tunnel0
Shut
Clear dmvpn session interface tunnel0
Clear crypto isa
DMVPN Sample Scripts
These scripts assume that the router base configuration is already done. They provide only the baseline needed to create a DMVPN configuration and nothing more. The ACL on the inbound interface is written as "any any" in the scripts, but it should be locked down to the remote IP addresses of the other spokes and the hub.
DMVPN HUB Sample Script
crypto keyring dmvpnspokes
 description For DMVPN Tunnel
 pre-shared-key address 0.0.0.0 0.0.0.0 key "PRE_SHARED_KEY" (This should be a strong key)
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
 hash md5
crypto isakmp profile DMVPNIsakmpProfile
 keyring dmvpnspokes
 match identity address 0.0.0.0
crypto ipsec transform-set ESP-AES-MD5 esp-aes 256 esp-md5-hmac
 mode transport
crypto ipsec profile DMVPNIpsecProfile
 set transform-set ESP-AES-MD5
 set isakmp-profile DMVPNIsakmpProfile
interface Tunnel0
 description DMVPN_HUB
 ip address "IP_ADDRESS" 255.255.255.255
 ip mtu 1400
 ip nhrp authentication "NHRP_PASSWORD" (This password is configured on all Tunnel interfaces i.e.)
 ip nhrp map multicast dynamic
 ip nhrp network-id "NETWORK_ID" (i.e. 10010100)
 ip nhrp holdtime 600
 ip nhrp shortcut
 ip nhrp redirect
 ip tcp adjust-mss 1360
 load-interval 30
 no shutdown
 qos pre-classify
 tunnel source "INTERFACE" (Interface that will be making the DMVPN Connection)
 tunnel mode gre multipoint
 tunnel key "KEY" (i.e. 10010100)
 tunnel protection ipsec profile DMVPNIpsecProfile
ip access-list extended inbound
 permit gre any any
 permit icmp any any
 permit udp any any eq isakmp
 permit udp any eq isakmp any
 permit udp any any eq non500-isakmp
 permit esp any any
 permit tcp any any established
DMVPN Spoke Script
crypto keyring dmvpnspokes
 description For DMVPN Tunnel
 pre-shared-key address 0.0.0.0 0.0.0.0 key "PRE_SHARED_KEY" (This should be a strong key)
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
 hash md5
crypto isakmp profile DMVPNIsakmpProfile
 keyring dmvpnspokes
 match identity address 0.0.0.0
crypto ipsec transform-set ESP-AES-MD5 esp-aes 256 esp-md5-hmac
 mode transport
crypto ipsec profile DMVPNIpsecProfile
 set transform-set ESP-AES-MD5
 set isakmp-profile DMVPNIsakmpProfile
interface Tunnel0
 description DMVPN_SPOKE
 ip address "IP_ADDRESS" 255.255.255.255
 ip mtu 1400
 ip nhrp authentication "NHRP_PASSWORD" (This password is configured on all Tunnel interfaces i.e.)
 ip nhrp map multicast "HUB_EXTERNAL_IP"
 ip nhrp map "HUB_TUNNEL_IP" "HUB_EXTERNAL_IP" (i.e. 10.10.10.10 8.8.8.8)
 ip nhrp network-id "NETWORK_ID" (i.e. 10010100)
 ip nhrp holdtime 600
 ip nhrp shortcut
 ip nhrp redirect
 ip tcp adjust-mss 1360
 load-interval 30
 no shutdown
 qos pre-classify
 tunnel source "INTERFACE" (Interface that will be making the DMVPN Connection)
 tunnel mode gre multipoint
 tunnel key "KEY" (i.e. 10010100)
 tunnel protection ipsec profile DMVPNIpsecProfile
ip access-list extended inbound
 permit gre any any
 permit icmp any any
 permit udp any any eq isakmp
 permit udp any eq isakmp any
 permit udp any any eq non500-isakmp
 permit esp any any
 permit tcp any any established
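
Added example (not part of the original scripts): a short Python check, run offline against a saved config, that flags GRE, ESP and UDP ACL entries still written as "any any" and crypto references to names the config never defines. The sample config, its 192.0.2.10 and 198.51.100.1 addresses, and the names audit, KINDS and OPEN_ACE are constructed for illustration.

```python
import re

# Constructed sample: a trimmed DMVPN config with deliberate problems.
SAMPLE = """\
crypto keyring dmvpnspokes
 pre-shared-key address 0.0.0.0 0.0.0.0 key EXAMPLE_KEY
crypto isakmp profile DMVPNIsakmpProfile
 keyring dmvpnspokes
crypto ipsec transform-set ESP-AES-MD5 esp-aes 256 esp-md5-hmac
 mode transport
crypto ipsec profile DMVPNIpsecProfile
 set transform-set dmvpn-aes-sha
 set isakmp-profile DMVPNIsakmpProfile
interface Tunnel0
 tunnel protection ipsec profile DMVPNIpsecProfile
ip access-list extended inbound
 permit gre any any
 permit udp any any eq isakmp
 permit esp host 192.0.2.10 host 198.51.100.1
 permit tcp any any established
"""

# Per object kind: (regex that defines a name, regex that references it).
KINDS = {
    "keyring": (r"^crypto keyring (\S+)", r"^[ \t]+keyring (\S+)"),
    "transform-set": (r"^crypto ipsec transform-set (\S+)", r"^[ \t]+set transform-set (\S+)"),
    "isakmp profile": (r"^crypto isakmp profile (\S+)", r"^[ \t]+set isakmp-profile (\S+)"),
    "ipsec profile": (r"^crypto ipsec profile (\S+)", r"^[ \t]+tunnel protection ipsec profile (\S+)"),
}
# Assumption: only tunnel-carrying protocols (GRE, ESP, UDP/ISAKMP) are checked.
OPEN_ACE = re.compile(r"^\s*permit (gre|esp|udp) any( eq \S+)? any( eq \S+)?\s*$")

def audit(config):
    """Return findings: dangling crypto references, then open ACL entries."""
    findings = []
    for kind, (define, refer) in KINDS.items():
        defined = set(re.findall(define, config, re.M))
        for name in re.findall(refer, config, re.M):
            if name not in defined:
                findings.append(f"undefined {kind}: {name}")
    for line in config.splitlines():
        if OPEN_ACE.match(line):
            findings.append(f"open ACL entry: {line.strip()}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```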