DSVPN Interworking Between the AR and Cisco Device
1 Abstract
This document provides guidance on DSVPN interworking between the AR and Cisco device.
The scenarios mainly involve Central Bank of Egypt, TravelSky Technology Limited, and
This document records the device configuration and version information during DSVPN
interworking between the AR G3 router and Cisco device, which can be used as the
reference for test personnel of customers, technical support engineers, and R&D.
Card type:
Actual Networking
[Figure: AR1 (Spoke), G0/0/2 192.168.2.2, tunnel 172.168.0.2; AR2, 192.168.2.1, 192.168.1.2 and 192.168.4.1; CISCO (Hub), G0/1 192.168.1.1, tunnel 172.168.0.1; CISCO (Spoke), G0/1 192.168.4.2, tunnel 172.168.0.4.]
Scenario without the shortcut function: Branches learn routes from each other.
A small- or medium-sized network has a few branches, and the branches can learn routes from
each other by deploying DSVPN without the shortcut function. In this scenario, the next hop to a
destination subnet is the tunnel address of the destination branch. This deployment has a low
requirement on the performance of the hub and spokes because the devices only have to learn a
2. Configuration Roadmap
#
ospf 1
area 0.0.0.0
network 192.168.2.0 0.0.0.255
#
duplex auto
speed auto
!
router ospf 1
network 192.168.1.0 0.0.0.255 area 0
!
DSVPN configuration:
CISCO (Spoke)
!
interface Tunnel5
ip address 172.168.0.4 255.255.255.0
ip nhrp authentication test
ip nhrp map 172.168.0.1 192.168.1.1
ip nhrp network-id 1000
ip nhrp nhs 172.168.0.1
ip ospf network broadcast
tunnel source GigabitEthernet0/1
tunnel mode gre multipoint
!
interface Loopback5
ip address 5.5.5.5 255.255.255.255
!
router ospf 2
router-id 172.168.0.4
network 5.5.5.5 0.0.0.0 area 0
network 172.168.0.0 0.0.0.255 area 0
!
3. Test Result
Huawei:
[Huawei]display nhrp peer all
-------------------------------------------------------------------------------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-------------------------------------------------------------------------------
172.168.0.1 32 192.168.1.1 172.168.0.1 static hub
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/5
Created time : 03d:21h:30m:20s
Expire time : --
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 192.168.1.1 172.168.0.1 UP 02:16:06 S
1 192.168.2.2 172.168.0.2 UP 00:05:31 D
CISCO (Hub):
Router#show ip nhrp
172.168.0.2/32 via 172.168.0.2
Tunnel5 created 02:22:11, expire 00:08:51
Type: dynamic, Flags: registered
NBMA address: 192.168.2.2
172.168.0.4/32 via 172.168.0.4
Tunnel5 created 02:22:18, expire 00:10:11
Type: dynamic, Flags: registered
NBMA address: 192.168.4.2
Router#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
===================================================================
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 192.168.2.2 172.168.0.2 UP 02:20:07 D
1 192.168.4.2 172.168.0.4 UP 02:19:39 D
Actual Networking
[Figure: AR1 (Spoke), G0/0/2 192.168.2.2, tunnel 172.168.0.2; AR2, 192.168.2.1, 192.168.1.2 and 192.168.4.1; CISCO (Hub), G0/1 192.168.1.1, tunnel 172.168.0.1; CISCO (Spoke), G0/1 192.168.4.2, tunnel 172.168.0.4.]
DSVPN with the shortcut function: Branches have only summarized routes to the central office.
On a large-sized network with many branch subnets, spokes need to learn many routes from other
branches. If the shortcut function is not configured, the spokes must save routing information on
the entire network. This requires spokes to maintain a large routing table and provide high
performance because many CPU and memory resources are consumed for computing of dynamic
routing protocols. To reduce the number of routes saved on spokes, DSVPN with the shortcut
function can be deployed. In this scenario, the next hop to a destination subnet is the tunnel
2. Configuration Roadmap
CISCO (Spoke)
!
interface Tunnel5
ip address 172.168.0.4 255.255.255.0
ip nhrp authentication test
ip nhrp map 172.168.0.1 192.168.1.1
ip nhrp network-id 1000
ip nhrp nhs 172.168.0.1
ip nhrp shortcut
ip ospf network point-to-multipoint
tunnel source GigabitEthernet0/1
tunnel mode gre multipoint
!
interface Loopback5
ip address 5.5.5.5 255.255.255.255
!
router ospf 2
router-id 172.168.0.4
network 5.5.5.5 0.0.0.0 area 0
network 172.168.0.0 0.0.0.255 area 0
!
3. Test Result
Huawei:
[Huawei]display nhrp peer all
-------------------------------------------------------------------------------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-------------------------------------------------------------------------------
172.168.0.1 32 192.168.1.1 172.168.0.1 static hub
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/5
Created time : 03d:21h:46m:38s
Expire time : --
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
2 192.168.2.2 172.168.0.2 UP 00:02:30 D
172.168.0.2 UP 00:02:30 D
2015-7-17 HUAWEI Confidential Page 14, Total 47
CISCO (Hub):
Router#show ip nhrp
172.168.0.2/32 via 172.168.0.2
Tunnel5 created 02:47:55, expire 00:13:08
Type: dynamic, Flags: registered
NBMA address: 192.168.2.2
172.168.0.4/32 via 172.168.0.4
Tunnel5 created 02:48:01, expire 00:14:28
Type: dynamic, Flags: registered used
NBMA address: 192.168.4.2
Router#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
===================================================================
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 192.168.2.2 172.168.0.2 UP 02:45:52 D
1 192.168.4.2 172.168.0.4 UP 02:45:25 D
Actual Networking
[Figure: AR1 (Spoke), G0/0/2 192.168.10.2, tunnel 172.168.0.2; NAT device, E0/0/8 192.168.10.1 and E0/0/0 192.168.2.2; AR2, 192.168.2.1, 192.168.1.2 and 192.168.4.1; CISCO (Hub), G0/1 192.168.1.1, tunnel 172.168.0.1; CISCO (Spoke), G0/1 192.168.4.2, tunnel 172.168.0.4.]
The AR functions as the branch device, and the Cisco device is deployed in the headquarters. The
AR connects to the headquarters through DSVPN, and a NAT device is deployed on the network
between the AR and headquarters. DSVPN packets need to traverse the NAT device. Here, there
are a few branches. The branches can learn routes from each other so that the next hop to a
destination subnet is the tunnel address of the destination branch. This deployment has a low
requirement on the performance of the hub and spokes because the devices only have to learn a
2. Configuration Roadmap
NAT
#
interface Ethernet0/0/0
undo portswitch
ip address 192.168.2.2 255.255.255.0
nat server global 192.168.2.10 inside 192.168.10.2
#
interface Ethernet0/0/8
ip address 192.168.10.1 255.255.255.0
#
ospf 1
area 0.0.0.0
network 192.168.2.0 0.0.0.255
#
DSVPN configuration:
CISCO (Spoke)
!
interface Tunnel5
ip address 172.168.0.4 255.255.255.0
ip nhrp authentication test
ip nhrp map 172.168.0.1 192.168.1.1
ip nhrp network-id 1000
ip nhrp nhs 172.168.0.1
ip ospf network broadcast
ip ospf priority 0
tunnel source GigabitEthernet0/1
tunnel mode gre multipoint
!
interface Loopback5
ip address 5.5.5.5 255.255.255.255
!
router ospf 2
router-id 172.168.0.4
network 5.5.5.5 0.0.0.0 area 0
network 172.168.0.0 0.0.0.255 area 0
!
3. Test Result
Huawei:
[Huawei]display nhrp peer all
-------------------------------------------------------------------------------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-------------------------------------------------------------------------------
172.168.0.1 32 192.168.1.1 172.168.0.1 static hub
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/5
Created time : 01d:03h:13m:49s
Expire time : --
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 192.168.1.1 172.168.0.1 UP 03:46:40 S
1 192.168.2.10 172.168.0.2 UP 00:04:47 DN
CISCO (Hub):
Router#show ip nhrp
172.168.0.2/32 via 172.168.0.2
Tunnel5 created 2d18h, expire 00:14:45
Type: dynamic, Flags: registered used
NBMA address: 192.168.2.10
(Claimed NBMA address: 192.168.10.2)
172.168.0.4/32 via 172.168.0.4
Tunnel5 created 1d20h, expire 00:06:04
Type: dynamic, Flags: registered
NBMA address: 192.168.4.2
Router #show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
===================================================================
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 192.168.2.10 172.168.0.2 UP 00:20:28 DN
1 192.168.4.2 172.168.0.4 UP 1d20h D
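The hub output above records the NAT translation as a registered NBMA address (192.168.2.10) that differs from the address the spoke claims (192.168.10.2). The following Python code is an added example, not part of the original document: it parses `show ip nhrp` text, lists the peers behind NAT, and compares registrations against an expected-spoke inventory. The function names and the inventory are assumptions of the example; the sample text is constructed from the output on this page.

```python
import re

# Constructed sample: the CISCO (Hub) `show ip nhrp` output of the NAT scenario.
SAMPLE = """\
Router#show ip nhrp
172.168.0.2/32 via 172.168.0.2
 Tunnel5 created 2d18h, expire 00:14:45
 Type: dynamic, Flags: registered used
 NBMA address: 192.168.2.10
 (Claimed NBMA address: 192.168.10.2)
172.168.0.4/32 via 172.168.0.4
 Tunnel5 created 1d20h, expire 00:06:04
 Type: dynamic, Flags: registered
 NBMA address: 192.168.4.2
"""

# Hypothetical inventory: tunnel address -> NBMA address the hub should observe.
INVENTORY = {"172.168.0.2": "192.168.2.10", "172.168.0.4": "192.168.4.2"}


def parse_nhrp(text):
    """Parse IOS `show ip nhrp` text into one dict per cache entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"(\d+(?:\.\d+){3})/(\d+) via (\S+)", line):
            entries.append({"tunnel": m.group(1), "type": None, "flags": [],
                            "nbma": None, "claimed": None})
        elif not entries:
            continue  # prompt or banner before the first entry
        elif m := re.match(r"Type: (\w+), Flags: (.*)", line):
            entries[-1]["type"] = m.group(1)
            entries[-1]["flags"] = m.group(2).split()
        elif m := re.match(r"\(Claimed NBMA address: (\S+)\)", line):
            entries[-1]["claimed"] = m.group(1)
        elif m := re.match(r"NBMA address: (\S+)", line):
            entries[-1]["nbma"] = m.group(1)
    return entries


def behind_nat(entries):
    """Tunnel addresses whose claimed NBMA address differs from the observed one."""
    return [e["tunnel"] for e in entries
            if e["claimed"] and e["claimed"] != e["nbma"]]


def unexpected(entries, inventory):
    """Entries whose tunnel address or observed NBMA address is not in the inventory."""
    return [e for e in entries if inventory.get(e["tunnel"]) != e["nbma"]]


if __name__ == "__main__":
    cache = parse_nhrp(SAMPLE)
    print("behind NAT:", behind_nat(cache))
    print("unexpected:", [e["tunnel"] for e in unexpected(cache, INVENTORY)])
```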
Actual Networking
[Figure: AR1 (Spoke), G0/0/2 192.168.2.2, tunnel 172.168.0.2; AR2, 192.168.2.1, 192.168.1.2 and 192.168.4.1; CISCO (Hub), G0/1 192.168.1.1, tunnel 172.168.0.1; CISCO (Spoke), G0/1 192.168.4.2, tunnel 172.168.0.4.]
The AR is a branch device, and the headquarters and another branch use Cisco devices. IPSec is
used on the network to encrypt data. Here, there are a few branches. The branches can learn routes
from each other so that the next hop to a destination subnet is the tunnel address of the destination
branch. This deployment has a low requirement on the performance of the hub and spokes because
2. Configuration Roadmap
DSVPN configuration:
CISCO (Spoke)
!
interface Tunnel5
ip address 172.168.0.4 255.255.255.0
ip nhrp authentication test
ip nhrp map 172.168.0.1 192.168.1.1
ip nhrp network-id 1000
ip nhrp nhs 172.168.0.1
ip ospf network broadcast
tunnel source GigabitEthernet0/1
tunnel mode gre multipoint
!
interface Loopback5
ip address 5.5.5.5 255.255.255.255
!
router ospf 2
router-id 172.168.0.4
network 5.5.5.5 0.0.0.0 area 0
network 172.168.0.0 0.0.0.255 area 0
!
IPSec configuration:
CISCO (Spoke)
!
crypto isakmp policy 100
authentication pre-share
crypto isakmp key huawei123 address 0.0.0.0
!
crypto ipsec transform-set test esp-des esp-md5-hmac
!
crypto ipsec profile test
set transform-set test
!
interface Tunnel5
ip address 172.168.0.4 255.255.255.0
no ip redirects
ip nhrp authentication test
ip nhrp map multicast 192.168.1.1
ip nhrp map 172.168.0.1 192.168.1.1
ip nhrp network-id 1000
ip nhrp holdtime 900
ip nhrp nhs 172.168.0.1
ip nhrp registration no-unique
ip nhrp registration timeout 600
ip ospf network broadcast
tunnel source GigabitEthernet0/1
tunnel mode gre multipoint
tunnel protection ipsec profile test
!
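The IPSec configuration above uses esp-des with esp-md5-hmac, leaves the ISAKMP policy's encryption, hash and DH group at their defaults, and binds the pre-shared key to address 0.0.0.0. The following Python check is an added example, not part of the original document: it flags those settings in an IOS-style configuration, and also flags mGRE tunnels that have no tunnel protection, as in the earlier scenarios. The name `audit`, the rule names and the sample strings (constructed from the CISCO (Spoke) lines on this page) are assumptions of the example.

```python
import re

WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-null", "esp-md5-hmac"}
SECTION = re.compile(r"(crypto isakmp policy \d+|interface \S+)$")

# Constructed samples, assembled from the CISCO (Spoke) configuration on this page.
IPSEC_SPOKE = """\
crypto isakmp policy 100
 authentication pre-share
crypto isakmp key huawei123 address 0.0.0.0
!
crypto ipsec transform-set test esp-des esp-md5-hmac
!
crypto ipsec profile test
 set transform-set test
!
interface Tunnel5
 ip nhrp authentication test
 ip nhrp network-id 1000
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel protection ipsec profile test
!
"""
PLAIN_SPOKE = """\
interface Tunnel5
 ip nhrp authentication test
 ip nhrp network-id 1000
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
!
"""


def audit(config):
    """Return (rule, detail) findings for an IOS-style DMVPN configuration."""
    findings, sections, current = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None
        elif SECTION.match(line):
            current = sections.setdefault(line, [])
        elif m := re.match(r"crypto isakmp key \S+ address (\S+)", line):
            current = None
            if m.group(1) == "0.0.0.0":  # the key value is deliberately not echoed
                findings.append(("wildcard-psk",
                                 "pre-shared key accepted from any peer address"))
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            current = None
            weak = sorted(WEAK_TRANSFORMS & set(m.group(2).split()))
            if weak:
                findings.append(("weak-transform", f"{m.group(1)}: {', '.join(weak)}"))
        elif current is not None:
            current.append(line)
    for header, cmds in sections.items():
        if header.startswith("crypto isakmp policy"):
            # Omitted values fall back to platform defaults; the IKE proposal shown
            # on the Huawei side of this page is DES-CBC / SHA1 / MODP-768.
            explicit = {c.split()[0] for c in cmds}
            missing = [k for k in ("encryption", "hash", "group") if k not in explicit]
            if missing:
                findings.append(("ike-defaults",
                                 f"{header}: no explicit {', '.join(missing)}"))
            findings += [("weak-ike", f"{header}: {c}") for c in cmds
                         if c in ("encryption des", "hash md5")
                         or re.fullmatch(r"group [125]", c)]
        elif "tunnel mode gre multipoint" in cmds and not any(
                c.startswith("tunnel protection ipsec") for c in cmds):
            findings.append(("mgre-unprotected", f"{header}: no 'tunnel protection ipsec'"))
    return findings
```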
3. Test Result
Huawei:
[Huawei]display nhrp peer all
-------------------------------------------------------------------------------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-------------------------------------------------------------------------------
172.168.0.1 32 192.168.1.1 172.168.0.1 static hub
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/5
Created time : 04d:22h:07m:57s
Expire time : --
(no-socket)
cisco#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
===================================================================
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 192.168.1.1 172.168.0.1 UP 23:40:31 S
1 192.168.2.2 172.168.0.2 UP 00:00:13 D
CISCO (Hub):
Router#show ip nhrp
172.168.0.2/32 via 172.168.0.2
Tunnel5 created 23:18:03, expire 00:06:57
Type: dynamic, Flags: registered
NBMA address: 192.168.2.2
172.168.0.4/32 via 172.168.0.4
Tunnel5 created 1d03h, expire 00:09:09
Type: dynamic, Flags: registered
NBMA address: 192.168.4.2
Router#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
===================================================================
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 192.168.2.2 172.168.0.2 UP 23:18:13 D
1 192.168.4.2 172.168.0.4 UP 1d03h D
CISCO (Hub):
Router#show ip nhrp
172.168.0.2/32 via 172.168.0.2
Tunnel5 created 21:55:12, expire 00:09:48
Type: dynamic, Flags: registered
NBMA address: 192.168.2.10
(Claimed NBMA address: 192.168.10.2)
172.168.0.4/32 via 172.168.0.4
Tunnel5 created 03:50:45, expire 00:10:45
Type: dynamic, Flags: registered
NBMA address: 192.168.4.2
Router#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 192.168.2.10 172.168.0.2 UP 21:55:14 DN
1 192.168.4.2 172.168.0.4 UP 03:50:25 D
Huawei:
[Huawei]display ike proposal number 1
-------------------------------------------
IKE Proposal: 1
Authentication method : pre-shared
Authentication algorithm : SHA1
Encryption algorithm : DES-CBC
DH group : MODP-768
SA duration : 86400
PRF : PRF-HMAC-SHA
-------------------------------------------
CISCO (Spoke):
cisco#show crypto isakmp policy
Huawei:
[Huawei]display ipsec proposal name test
Huawei:
[Huawei]display ike sa
Conn-ID Peer VPN Flag(s) Phase
---------------------------------------------------------------
124 192.168.1.1 0 RD|ST 2
105 192.168.1.1 0 RD|ST 1
126 192.168.4.2 0 RD 2
125 192.168.4.2 0 RD 1
Flag Description:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP
CISCO (Spoke):
cisco#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
192.168.2.2 192.168.4.2 QM_IDLE 9012 ACTIVE
192.168.1.1 192.168.4.2 QM_IDLE 9011 ACTIVE
CISCO (Hub):
Router#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
192.168.1.1 192.168.4.2 QM_IDLE 9770 ACTIVE
192.168.1.1 192.168.2.2 QM_IDLE 9769 ACTIVE
Check IPSec SAs at both ends.
Huawei:
[Huawei]display ipsec sa
===============================
Interface: Tunnel0/0/5
Path MTU: 1500
===============================
-----------------------------
IPSec profile name: "test"
Mode : PROF-ISAKMP
-----------------------------
Connection ID : 124
Encapsulation mode: Tunnel
-----------------------------
IPSec profile name: "test"
Mode : PROF-Template
-----------------------------
Connection ID : 126
Encapsulation mode: Tunnel
Tunnel local : 192.168.2.2
Tunnel remote : 192.168.4.2
Qos pre-classify : Disable
Qos group :-
inbound ah sas:
outbound ah sas:
inbound ah sas:
outbound ah sas:
interface: Tunnel5
Crypto map tag: Tunnel5-head-0, local addr 192.168.1.1
inbound ah sas:
outbound ah sas:
Status: ACTIVE
inbound ah sas:
outbound ah sas:
Actual Networking
[Figure: AR1 (Spoke), G0/0/2 192.168.10.2, tunnel 172.168.0.2; NAT device, E0/0/8 192.168.10.1 and E0/0/0 192.168.2.2; AR2, 192.168.2.1, 192.168.1.2 and 192.168.4.1; CISCO (Hub), G0/1 192.168.1.1, tunnel 172.168.0.1; CISCO (Spoke), G0/1 192.168.4.2, tunnel 172.168.0.4.]
The AR is a branch device, and the headquarters and another branch use Cisco devices. IPSec is
used on the network to encrypt data. Here, there are a few branches. The branches can learn routes
from each other so that the next hop to a destination subnet is the tunnel address of the destination
branch. This deployment has a low requirement on the performance of the hub and spokes because
2. Configuration Roadmap
NAT
#
acl number 3000
rule 5 permit ip
#
interface Ethernet0/0/0
undo portswitch
ip address 192.168.2.2 255.255.255.0
nat outbound 3000
#
interface Ethernet0/0/8
ip address 192.168.10.1 255.255.255.0
#
ospf 1
area 0.0.0.0
network 192.168.2.0 0.0.0.255
#
DSVPN configuration:
CISCO (Spoke)
!
interface Tunnel5
ip address 172.168.0.4 255.255.255.0
ip nhrp authentication test
ip nhrp map 172.168.0.1 192.168.1.1
ip nhrp network-id 1000
ip nhrp nhs 172.168.0.1
ip ospf network broadcast
ip ospf priority 0
tunnel source GigabitEthernet0/1
tunnel mode gre multipoint
!
interface Loopback5
ip address 5.5.5.5 255.255.255.255
!
router ospf 2
router-id 172.168.0.4
network 5.5.5.5 0.0.0.0 area 0
network 172.168.0.0 0.0.0.255 area 0
!
IPSec configuration:
AR1 (Spoke)
#
ike local-name spoke
#
ipsec proposal test
#
ike proposal 1
#
ike peer test v1
exchange-mode aggressive
pre-shared-key simple huawei
ike-proposal 1
nat traversal
#
ipsec profile test
ike-peer test
proposal test
#
interface Tunnel0/0/5
ip address 172.168.0.2 255.255.255.0
tunnel-protocol gre p2mp
source GigabitEthernet0/0/2
ospf network-type broadcast
ospf dr-priority 0
ipsec profile test
nhrp authentication simple test
nhrp registration no-unique
nhrp registration interval 600
nhrp network-id 1000
nhrp entry holdtime seconds 900
nhrp entry 172.168.0.1 192.168.1.1 register
#
CISCO (Hub)
!
hostname hub
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key huawei address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set test esp-des esp-md5-hmac
!
crypto ipsec profile test
set transform-set test
!
interface Tunnel5
ip address 172.168.0.1 255.255.255.0
no ip redirects
ip nhrp authentication test
ip nhrp map multicast dynamic
ip nhrp network-id 1000
ip nhrp holdtime 900
ip ospf network broadcast
tunnel source GigabitEthernet0/1
tunnel mode gre multipoint
tunnel protection ipsec profile test
!
CISCO (Spoke)
!
hostname spoke
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key huawei address 0.0.0.0 0.0.0.0
!
!
3. Test Result
-------------------------------------------------------------------------------
172.168.0.4 32 192.168.4.2 172.168.0.4 dynamic route tunnel
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/5
Created time : 00:03:00
Expire time : 00:12:51
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
2 192.168.1.1 172.168.0.1 UP 18:31:43 S
172.168.0.2 UP 00:02:13 D
CISCO (Hub):
hub#show ip nhrp
172.168.0.2/32 via 172.168.0.2
Tunnel5 created 1d16h, expire 00:09:36
Type: dynamic, Flags: registered
NBMA address: 192.168.10.2
172.168.0.4/32 via 172.168.0.4
Tunnel5 created 18:32:35, expire 00:12:58
Type: dynamic, Flags: registered
NBMA address: 192.168.4.2
hub#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
===================================================================
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
Huawei:
[Huawei]display ike proposal number 1
-------------------------------------------
IKE Proposal: 1
Authentication method : pre-shared
Authentication algorithm : SHA1
Encryption algorithm : DES-CBC
DH group : MODP-768
SA duration : 86400
PRF : PRF-HMAC-SHA
-------------------------------------------
CISCO (Spoke):
spoke#show crypto isakmp policy
CISCO (Hub):
hub#show crypto ipsec transform-set test
Transform set test: { esp-des esp-md5-hmac }
will negotiate = { Tunnel, },
Check the IKE status at both ends.
Huawei:
[Huawei]dis ike sa
Conn-ID Peer VPN Flag(s) Phase
---------------------------------------------------------------
240 192.168.4.2 0 RD|ST 2
236 192.168.4.2 0 RD|ST 1
220 192.168.1.1 0 RD|ST 2
201 192.168.1.1 0 RD|ST 1
Flag Description:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP
CISCO (Spoke):
spoke#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
192.168.4.2 192.168.2.2 QM_IDLE 9080 ACTIVE
192.168.1.1 192.168.4.2 QM_IDLE 9069 ACTIVE
CISCO (Hub):
hub#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
192.168.1.1 192.168.4.2 QM_IDLE 9076 ACTIVE
192.168.1.1 192.168.2.2 QM_IDLE 9077 ACTIVE
192.168.1.1 192.168.2.2 QM_IDLE 9075 ACTIVE
Check IPSec SAs at both ends.
Huawei:
[Huawei]display ipsec sa
===============================
Interface: Tunnel0/0/5
Path MTU: 1500
===============================
-----------------------------
IPSec profile name: "test"
Mode : PROF-ISAKMP
-----------------------------
Connection ID : 241
Encapsulation mode: Tunnel
Tunnel local : 192.168.10.2
Tunnel remote : 192.168.1.1
Qos pre-classify : Disable
Qos group :-
-----------------------------
IPSec profile name: "test"
Mode : PROF-ISAKMP
-----------------------------
Connection ID : 246
Encapsulation mode: Tunnel
Tunnel local : 192.168.10.2
Tunnel remote : 192.168.4.2
Qos pre-classify : Disable
Qos group :-
CISCO (Spoke):
spoke#show crypto ipsec sa
interface: Tunnel5
Crypto map tag: Tunnel5-head-0, local addr 192.168.4.2
inbound ah sas:
outbound ah sas:
inbound ah sas:
outbound ah sas:
interface: Tunnel5
Crypto map tag: Tunnel5-head-0, local addr 192.168.1.1
inbound ah sas:
outbound ah sas:
inbound ah sas:
outbound ah sas: