DMVPN and PNDH

Hi friends,

I would like to ask questions about your opinions.

Looking at a package of PNDH Traffic Indication in the section of the Extension of PNDH authentication-> Unit Extension Data, that I can see, there is a Source address field and as a value, there is always 99.105.115.99.

Please, see the attached screenshot.

Could someone give any idea what is this source address and why there is always the same value and significance of this value.

Thank you!

Best regards

Yavor

Ahh :) Well well good job your problem! Also, thank you for taking the time to come back and post the solution here. (+ 5 from me).

Now, given that your issue is resolved, you must mark the thread as "answered" ;)

Tags: Cisco Security

Similar Questions

DMVPN and 861 routers

We have a few customers that tunnel using DMPVN with 831 & 851 routers. Recently, a new order was placed to add a user to an existing tunnel. As 851 routers are no longer available, we went with the model 861 and found that it doesn't have the PNDH in IOS. So how do this work now, and why PNDH is no longer in the last IOS? Seems stupid to not have when used by older models of routers which replaces the 861.

Hello

You are right, the 861 series routers do not support DMVPN (and I tend to agree with you that maybe it's not the smartest marketing decision). For advanced security feature support, such as DMVPN and GETVPN, you must use the routers of the 880 series with all ip services features advanced, see:

http://www.Cisco.com/en/us/prod/collateral/routers/ps380/qa_c67_458826.html

Thank you

Wen

DMVPN and IPsec CLIENT?

Hello

I was wondering if it was possible to use CRYPTOGRAPHY even for both: DMVPN and CLIENT IPsec?

To make it work, I have to use 1 crypto for the DMVPN and 1 crypto for IPsec, both systems operate on the same router, my router TALK can connect to my HUB router and my computer can connect to the router "HUB" via an IPsec tunnel.

Is their any way to make it easier, instead of doing configs in a single router for more or less the same work?

My stitching question may be stupid, sorry for that, I'm still learning, and I love it

Here below the full work DMVPN + IPsec:

Best regards

Didier

ROUTER1841 #sh run

Building configuration...

Current configuration: 9037 bytes

!

! Last configuration change to 21:51:39 gmt + 1 Monday February 7, 2011 by admin

! NVRAM config last updated at 21:53:07 gmt + 1 Monday February 7, 2011 by admin

!

version 12.4

horodateurs service debug datetime localtime

Log service timestamps datetime msec

encryption password service

!

hostname ROUTER1841

!

boot-start-marker

boot-end-marker

!

forest-meter operation of syslog messages

logging buffered 4096 notifications

enable password 7 05080F1C2243

!

AAA new-model

!

!

AAA authentication banner ^ C

THIS SYSTEM IS ONLY FOR THE USE OF AUTHORIZED FOR OFFICIAL USERS

^ C

AAA authentication login userauthen local

AAA authorization groupauthor LAN

!

!

AAA - the id of the joint session

clock time zone gmt + 1 1 schedule

clock daylight saving time gmt + 2 recurring last Sun Mar 02:00 last Sun Oct 03:00

dot11 syslog

no ip source route

!

!

No dhcp use connected vrf ip

DHCP excluded-address IP 192.168.10.1

DHCP excluded-address IP 192.168.20.1

DHCP excluded-address IP 192.168.30.1

DHCP excluded-address IP 192.168.100.1

IP dhcp excluded-address 192.168.1.250 192.168.1.254

!

IP dhcp pool vlan10

import all

network 192.168.10.0 255.255.255.0

default router 192.168.10.1

lease 5

!

IP dhcp pool vlan20

import all

network 192.168.20.0 255.255.255.0

router by default - 192.168.20.1

lease 5

!

IP dhcp pool vlan30

import all

network 192.168.30.0 255.255.255.0

default router 192.168.30.1

!

IP TEST dhcp pool

the host 192.168.100.20 255.255.255.0

0100.2241.353f.5e client identifier

!

internal IP dhcp pool

network 192.168.100.0 255.255.255.0

Server DNS 192.168.100.1

default router 192.168.100.1

!

IP dhcp pool vlan1

network 192.168.1.0 255.255.255.0

Server DNS 8.8.8.8

default router 192.168.1.1

lease 5

!

dhcp MAC IP pool

the host 192.168.10.50 255.255.255.0

0100.2312.1c0a.39 client identifier

!

IP PRINTER dhcp pool

the host 192.168.10.20 255.255.255.0

0100.242b.4d0c.5a client identifier

!

MLGW dhcp IP pool

the host 192.168.10.10 255.255.255.0

address material 0004.f301.58b3

!

pool of dhcp IP pc-vero

the host 192.168.10.68 255.255.255.0

0100.1d92.5982.24 client identifier

!

IP dhcp pool vlan245

import all

network 192.168.245.0 255.255.255.0

router by default - 192.168.245.1

!

dhcp VPN_ROUTER IP pool

0100.0f23.604d.a0 client identifier

!

dhcp QNAP_NAS IP pool

the host 192.168.10.100 255.255.255.0

0100.089b.ad17.8f client identifier

name of the client QNAP_NAS

!

!

IP cef

no ip bootp Server

IP domain name dri

host IP SW12 192.168.1.252

host IP SW24 192.168.1.251

IP host tftp 192.168.10.50

host IP of Router_A 192.168.10.5

host IP of Router_B 10.0.1.1

IP ddns update DynDNS method

HTTP

Add http://dri66: [email protected] / * *//nic/update?system=dyndns&hostname=mlgw.dyndns.info&myip=[email protected] / * //nic/update?system=dyndns&hostname=mlgw.dyndns.info&myip=

maximum interval 1 0 0 0

minimum interval 1 0 0 0

!

NTP 66.27.60.10 Server

!

Authenticated MultiLink bundle-name Panel

!

!

Flow-Sampler-map mysampler1

Random mode one - out of 100

!

Crypto pki trustpoint TP-self-signed-2996752687

enrollment selfsigned

name of the object cn = IOS - Self - signed - certificate - 2996752687

revocation checking no

rsakeypair TP-self-signed-2996752687

!

!

VTP version 2

username Admin privilege 15 secret 5 $1$ gAFQ$ 2ecAHSYEU9g7b6WYuTY9G.

username cisco password 7 02050D 480809

Archives

The config log

hidekeys

!

!

crypto ISAKMP policy 3

BA 3des

preshared authentication

Group 2

!

crypto ISAKMP policy 10

md5 hash

preshared authentication

ISAKMP crypto cisco123 key address 0.0.0.0 0.0.0.0

!

ISAKMP crypto client configuration group 3000client

key cisco123

DNS 8.8.8.8

dri.eu field

pool VPNpool

ACL 150

!

!

Crypto ipsec transform-set strong esp-3des esp-md5-hmac

Crypto ipsec transform-set esp-3des esp-sha-hmac RIGHT

!

Profile cisco ipsec crypto

define security-association life seconds 120

transformation-strong game

!

!

Crypto-map dynamic dynmap 10

Set transform-set RIGHT

!

!

map clientmap client to authenticate crypto list userauthen

card crypto clientmap isakmp authorization list groupauthor

client configuration address map clientmap crypto answer

10 ipsec-isakmp crypto map clientmap Dynamics dynmap

!

!

!

property intellectual ssh time 60

property intellectual ssh authentication-2 retries

IP port ssh 8096 Rotary 1

property intellectual ssh version 2

!

!

!

interface Loopback0

IP 192.66.66.66 255.255.255.0

!

interface Tunnel0

172.16.0.1 IP address 255.255.255.0

no ip redirection

IP mtu 1440

no ip next-hop-self eigrp 90

property intellectual PNDH authentication cisco123

dynamic multicast of IP PNDH map

PNDH network IP-1 id

No eigrp split horizon ip 90

source of tunnel FastEthernet0/0

multipoint gre tunnel mode

0 button on tunnel

Cisco ipsec protection tunnel profile

!

interface FastEthernet0/0

DMZ description

IP ddns update hostname mlgw.dyndns.info

IP ddns update DynDNS

DHCP IP address

no ip unreachable

no ip proxy-arp

NAT outside IP

IP virtual-reassembly

automatic duplex

automatic speed

clientmap card crypto

!

interface FastEthernet0/0,241

Description VLAN 241

encapsulation dot1Q 241

DHCP IP address

IP access-group dri-acl-in in

NAT outside IP

IP virtual-reassembly

No cdp enable

!

interface FastEthernet0/0.245

encapsulation dot1Q 245

DHCP IP address

IP access-group dri-acl-in in

NAT outside IP

IP virtual-reassembly

No cdp enable

!

interface FastEthernet0/1

Description INTERNAL ETH - LAN$

IP 192.168.100.1 address 255.255.255.0

no ip proxy-arp

IP nat inside

IP virtual-reassembly

Shutdown

automatic duplex

automatic speed

!

interface FastEthernet0/0/0

switchport access vlan 10

spanning tree portfast

!

interface FastEthernet0/0/1

switchport access vlan 245

spanning tree portfast

!

interface FastEthernet0/0/2

switchport access vlan 30

spanning tree portfast

!

interface FastEthernet0/0/3

switchport mode trunk

!

interface Vlan1

IP address 192.168.1.250 255.255.255.0

IP nat inside

IP virtual-reassembly

!

interface Vlan10

IP 192.168.10.1 255.255.255.0

IP nat inside

IP virtual-reassembly

!

interface Vlan20

address 192.168.20.1 255.255.255.0

IP nat inside

IP virtual-reassembly

!

Vlan30 interface

192.168.30.1 IP address 255.255.255.0

IP nat inside

IP virtual-reassembly

!

interface Vlan245

IP 192.168.245.1 255.255.255.0

IP nat inside

IP virtual-reassembly

!

Router eigrp 90

network 172.16.0.0

network 192.168.10.0

No Auto-resume

!

IP pool local VPNpool 172.16.1.1 172.16.1.100

IP forward-Protocol ND

no ip address of the http server

local IP http authentication

IP http secure server

!

IP flow-cache timeout idle 130

IP flow-cache timeout active 20

cache IP flow-aggregation prefix

cache timeout idle 400

active cache expiration time 25

!

!

overload of IP nat inside source list 170 interface FastEthernet0/0

overload of IP nat inside source list interface FastEthernet0/0.245 NAT1

IP nat inside source static tcp 192.168.10.10 80 interface FastEthernet0/0 8095

!

access-list 150 permit ip 192.168.10.0 0.0.0.255 172.16.1.0 0.0.0.255

access-list 170 refuse ip 192.168.10.0 0.0.0.255 172.16.0.0 0.0.0.255

access-list 170 refuse ip 192.168.10.0 0.0.0.255 172.16.1.0 0.0.0.255

access-list 170 permit ip 192.168.10.0 0.0.0.255 any

access-list 180 deny ip 192.168.10.0 0.0.0.255 172.16.1.0 0.0.0.255

access-list 180 permit ip 192.168.10.0 0.0.0.255 any

not run cdp

!

!

!

route NAT allowed 10 map

corresponds to the IP 180

!

!

!

control plan

!

exec banner ^ C

WELCOME YOU ARE NOW LOGED IN

^ C

connection of the banner ^ C

WARNING!

IF YOU ARE NOT:

Didier Ribbens

Please leave NOW!

YOUR IP and MAC address will be LOGGED.

^ C

!

Line con 0

Speed 115200

line to 0

line vty 0 4

access-class 5

privilege level 15

Rotary 1

transport input telnet ssh

line vty 5 15

access-class 5

Rotary 1

!

Scheduler allocate 20000 1000

end

Didier,

Some time ago, I wrote a bit on VT, you should be able to find information about the server ezvpn DVTI it.

https://supportforums.Cisco.com/community/NetPro/security/VPN/blog/2010/12/08/advantages-of-VTI-configuration-for-IPSec-tunnels

The configuartion you have right now is the way to strives for ezvpn, with the new way DMVPN (protection of tunnel).

If it is true for the most part, it is best to go on the learning curve Moose and go everythign new configuration.

With EZVPN you can always assign IP from the pool by group ezvpn or external authorization ;-)

Anyway let me know if you face any problems.

Marcin

DMVPN and INTERNET VIA HUB RENTAL ISSUES

Hello everyone,

I really wish you can help me with the problem I have.

I explain. I test a double Hub - double DMVPN Layout for a client before we set it up in actual production.
The client has sites where routers are behind some ISP routers who do NAT.

How things are configured:

-All rays traffic must go through the location of the hub if no local internet traffic on the rays.
-Hub 1 and 2 hub sends a default route to rays through EIGRP. But only Hub 1 is used.
-Hub 1 is the main router to DMVPN. In case of connection / hardware failure of the Internet Hub 2 become active for DMVPN and Internet.
-Hub 1 and 2 hub are both connected to an ISP and Internet gateway for rays.
-Hub 1 and 2 hub are configured with IOS Firewall.
-On the shelves I used VRF for separate DMVPN routning Global routning table so I could receive a default route of 1 Hub and Hub 2 to carry the traffic of rays to the Internet via the location of the hub

What works:

-All rays can have access to the local network to the location of the hub.
-All the rays can do talk of talk
-Working for DMVPN failover
-Rais NOT behind the router NAT ISP (i.e. the public IP address) directly related to their external interface can go Internet via hub location and all packages are inspected properly by the IOS and Nat firewall properly

What does not work:

-Rays behind the NAT ISP router can not access Internet via Hub location. They can reach a local network to the location of the hub and talk of talks.
IOS Firewall Router hub shows packages from rays of theses (behind a NAT) with a source IP address that is the router og PSI of public IP address outside the interface. Not the private address LAN IP back spoke.
In addition, the packets are never natted. If I do some captge on an Internet Server, the private source IP is the IP LAN to the LAN behind the rays. This means that the hub, router nat never these packages.

How to solve this problem?

/ * Style definitions * / table. MsoNormalTable {mso-style-name : « Tabel - Normal » ; mso-tstyle-rowband-taille : 0 ; mso-tstyle-colband-taille : 0 ; mso-style-noshow:yes ; mso-style-priorité : 99 ; mso-style-qformat:yes ; mso-style-parent : » « ;" mso-rembourrage-alt : 0 cm 5.4pt cm 0 5.4pt ; mso-para-margin : 0 cm ; mso-para-marge-bottom : .0001pt ; mso-pagination : widow-orphelin ; police-taille : 11.0pt ; famille de police : « Calibri », « sans-serif » ; mso-ascii-font-family : Calibri ; mso-ascii-theme-font : minor-latin ; mso-fareast-font-family : « Times New Roman » ; mso-fareast-theme-font : minor-fareast ; mso-hansi-font-family : Calibri ; mso-hansi-theme-font : minor-latin ; mso-bidi-font-family : « Times New Roman » ; mso-bidi-theme-font : minor-bidi ;}

Well I don't know that's why I need your help/advice :-)

I don't know that if I have to configure a VRF on the location of the hub gets also like things might mess upward.

The problem seems to be NAT - T the rays that are not behind a NAT, among which go over the Internet through a Hub and inspection of Cisco IOS and NAT are trying to find.

I tested today with the customer at the start them talking behind nat could ping different server on the Internet but not open an HTTP session. DNS was to find work. The IOS Firewall has been actually

inspection of packages with private real IP address. Then I thought it was a MTU issue, so I decided to do a ping on the Internet with the largest MTU size and suddenly the pings were no more.

I could see on the router Hub1 IOS Firewall was inspecting the public IP of the ISP NAT router again alongside with rays and not more than the actual IP address private. Really strange!

Attached files:

I attach the following files: a drawing of configuration called drawing-Lab - Setup.jpeg | All files for HUB1, BRANCH1 and BRANCH2 ISP-ROUTER configs, named respectively: HUB1.txt, BRANCH1.txt, BRANCH2.txt and ISP - ROUTER .txt

Hub1 newspapers when ping host 200.200.200.200 on the Internet of Branch2 (behind the NAT ISP router):

Branch2 #ping vrf DMVPN-VRF 200.200.200.200 source vlan 100

Type to abort escape sequence.
Send 5, echoes ICMP 100 bytes to 200.200.200.200, time-out is 2 seconds:
Packet sent with a source address of 192.168.110.1
.....
Success rate is 0% (0/5)

* 06:04:51.017 Jul 15 UTC: % FW-6-SESS_AUDIT_TRAIL_START: start session icmp: initiator (110.10.10.2:8) - answering machine (200.200.200.200:0)

If the IOS Firewall does not inspect the true private source IP address that can be, in this case: 192.168.110.2. He sess on the public IP address.

HUB1 #sh ip nat translations
Inside global internal local outside global local outdoor Pro
ICMP 80.10.10.2:1 80.10.10.2:1 100.10.10.2:1 100.10.10.2:1
ICMP 80.10.10.2:2 80.10.10.2:2 110.10.10.2:2 110.10.10.2:2
UDP 80.10.10.2:4500 80.10.10.2:4500 110.10.10.2:4500 110.10.10.2:4500

There is no entry for packets of teas present NAT

Captge on Tunnel 1 on Hub1 interface (incoming packets in):

7 7.355997 192.168.110.1 200.200.200.200 request ICMP (ping) echo
So that the firewall controllable IOS to the 110.10.10.2:8 public IP sniffing capture said that the package come from private real IP address

Inhalation of vapours on the server (200.200.200.200) with wireshark:

114 14.123552 192.168.110.1 200.200.200.200 request ICMP (ping) echo

If the private IP address of source between local network of BRANCH2 is never natted by HUB1

If the server sees the address source IP private not natted although firewall IOS Hub1 inspect the public IP address 110.10.10.2:8

Hub1 newspapers when ping host 200.200.200.200 on the Internet of Branch1 (not behind the NAT ISP router):

Branch1 #ping vrf DMVPN-VRF 200.200.200.200 source vlan 100

Type to abort escape sequence.
Send 5, echoes ICMP 100 bytes to 200.200.200.200, time-out is 2 seconds:
Packet sent with a source 192.168.100.1 address
!!!!!

* 06:05:18.217 Jul 15 UTC: % FW-6-SESS_AUDIT_TRAIL_START: start session icmp: initiator (192.168.100.1:8) - answering machine (200.200.200.200:0)

This is so the firewall sees the actual private IP which is 192.168.100.1

HUB1 #sh ip nat translations
Inside global internal local outside global local outdoor Pro
ICMP 80.10.10.2:1 80.10.10.2:1 100.10.10.2:1 100.10.10.2:1
ICMP 80.10.10.2:2 80.10.10.2:2 110.10.10.2:2 110.10.10.2:2
UDP 80.10.10.2:4500 80.10.10.2:4500 110.10.10.2:4500 110.10.10.2:4500
ICMP 80.10.10.2:22 192.168.100.1:22 200.200.200.200:22 200.200.200.200:22

The real private source IP address is also find natted 1 Hub outside the public IP address

Captge on Tunnel 1 on Hub1 interface (incoming packets in):

8 7.379997 192.168.100.1 200.200.200.200 request ICMP (ping) echo

Real same as inspected by IOS Firewall so all private IP address is y find.

Inhalation of vapours on the server (200.200.200.200) with wireshark:

/ * Style definitions * / table. MsoNormalTable {mso-style-name : « Tabel - Normal » ; mso-tstyle-rowband-taille : 0 ; mso-tstyle-colband-taille : 0 ; mso-style-noshow:yes ; mso-style-priorité : 99 ; mso-style-qformat:yes ; mso-style-parent : » « ;" mso-rembourrage-alt : 0 cm 5.4pt cm 0 5.4pt ; mso-para-margin : 0 cm ; mso-para-marge-bottom : .0001pt ; mso-pagination : widow-orphelin ; police-taille : 11.0pt ; famille de police : « Calibri », « sans-serif » ; mso-ascii-font-family : Calibri ; mso-ascii-theme-font : minor-latin ; mso-fareast-font-family : « Times New Roman » ; mso-fareast-theme-font : minor-fareast ; mso-hansi-font-family : Calibri ; mso-hansi-theme-font : minor-latin ; mso-bidi-font-family : « Times New Roman » ; mso-bidi-theme-font : minor-bidi ;}

67 10.441153 80.10.10.2 200.200.200.200 request ICMP (ping) echo

So, here's all right. The address is natted correctly.

__________________________________________________________________________________________

Best regards

Laurent

Hello

Just saw your message, I hope this isn't too late.

I don't know what your exact problem, but I think we can work through it to understand it.

One thing I noticed was that your NAT ACL is too general. You need to make it more

specific. In particular, you want to make sure that it does not match the coming of VPN traffic

in to / out of the router.

For example you should not really have one of these entries in your NAT translation table.

HUB1 #sh ip nat translations
Inside global internal local outside global local outdoor Pro
ICMP 80.10.10.2:1 80.10.10.2:1 100.10.10.2:1 100.10.10.2:1
ICMP 80.10.10.2:2 80.10.10.2:2 110.10.10.2:2 110.10.10.2:2
UDP 80.10.10.2:4500 80.10.10.2:4500 110.10.10.2:4500 110.10.10.2:4500

Instead use:

Nat extended IP access list
deny ip any 192.168.0.0 0.0.255.255 connect
allow an ip
deny ip any any newspaper

If you can use:

Nat extended IP access list
deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255 connect
IP 192.168.0.0 allow 0.0.255.255 everything
deny ip any any newspaper

Also, I would be very careful with the help of the "log" keyword in an ACL, NAT.

I saw problems.

What are the IOS versions do you use?

Try to make changes to the NAT so that you no longer see the entries of translation NAT

for packages of NAT - T (UDP 4500) in the table of translation NAT on the hub. It may be

This puts a flag on the package structure, that IOS Firewall and NAT is

pick up on and then do the wrong thing in this case.

If this does not work then let me know.

Maybe it's something for which you will need to open a TAC case so that we can

This debug directly on your installation.

Mike.

DMVPN and VRF Lite

Someone at - it an example of use of several networks DMVPN and VRF (no MPLS) interfaces

I have a requirment to use a common link to transmit three talking about networks isolated to the Hub as encrypted data. It could be VTI doesn't bother me, but I can't use MPLS.

Thank you

Hello

"back in the day", I made this config:

of http://isamology.blogspot.com/2010/01/IPSec-and-vrfs-so-who-faire-vrf.html

But normally, I guess you've seen this:
http://www.Cisco.com/en/us/prod/collateral/iosswrel/ps6537/ps6586/ps6660/prod_white_paper0900aecd8034be03_ps6658_Products_White_Paper.html

Same principles apply to the VRF lite little matter DMVPN/VTI/GREoIPsec configuration.

tunnel vrf VRF door =

IP vrf forwarding = inside the VRF

Now, if you add the cheat of Nico (for isakmp profiles) sheet especially if necessary, you should be all set.

https://supportforums.Cisco.com/docs/doc-13524

Marcin

DMVPN without PNDH

Hi all

The scenario, I am trying to solve is for a product of managed internet access we build where we want the 867VAE to the roll on a mass of small sites scale.

For each of our clients at the present time we have them all a DMVPN complete with talking to talking about a firewall with the exception of internal networks (so we can see our customers from several sites, but customers cannot see each other).

The 867VAE does not yet support the DMVPN, but we still need a simple remote management/access solution.

My thought is:

The head end

1. create love No. PNDH interface, but still activate encryption

2. enable the RIP (only choice on 867VAE)

867VAE CPE:

1. create the TPP WILL interface with encryption and RIP.

Before that I spend hours testing this - can we see a reason why it wouldn't work?

Here, our requirement, is that we want full visibility of the network to the Subscriber (PC / servers) so there need encryption, but we have plenty of voices on this or anything which would need all the DMVPN features.

Thank you

Scott

Scott,

Config and similar to this concept:

https://supportforums.Cisco.com/thread/2089906

And you can run RIP on top.

M.

DMVPN and active directory (logon)

Hi all

We have a DMVPN configuration between a few sites and everything seems fine, except that the logons through the VPN for a new domain active directory are very slow (10-15 minutes). I believe that the problem may be with the fragmentation of tunnel and packages such as AD is configured correctly.

I am looking for some recommendations or advice on the MTU and TCP MSS settings see if it solves the problem.

both the hub and the spokes are currently with the following settings MTU and MSS (ive removed some irrelevant information) Tunnel0 was originally a mtu of 1440 but if whatever it is 1400 is even worse.

Thank you

interface Tunnel0

IP 1400 MTU

IP nat inside

authentication of the PNDH IP SP1

dynamic multicast of IP PNDH map

PNDH network IP-1 id

IP virtual-reassembly in

No cutting of the ip horizon

source of Dialer0 tunnel

multipoint gre tunnel mode

0 button on tunnel

Profile of ipsec protection tunnel 1

interface Dialer0

MTU 1492

the negotiated IP address

NAT outside IP

IP virtual-reassembly in

encapsulation ppp

IP tcp adjust-mss 1452

Dialer pool 1

Dialer-Group 1

Darren,

In general the prolem is due to Kerberos on UDP traffic.

There are several ways you can solve the problem:

(1) transition to Kerberos over TCP. (suggested)

(2) setting the MSS on the interface of tunnel not on telephone transmitter (recommended)

(3) allowing the PMTUD tunnel (strongly recommended).

M.

Cisco 1941 DMVPN and Ipsec

Hello

You start to replace all of our ISA Server with with DMVPN cisco routers. So far, we are happy with everything, but I ran into a problem. I've just set up one of our agencies and the DMVPN works very well, but this location also has a VPN tunnel to another branch that we have not replaced with Cisco equipment yet. The problem I have is that as soon as I associate an ipsec site-to-site VPN on the router, the DMVPN drops.

I create the Ipsec VPN:

map VPN_Crypto 1 ipsec-isakmp crypto

game of transformation-ESP-3DES-SHA

the value of aa.aa.aa.aa peer

match address 103 (where address is allow remote local IP subnet the IP subnet)

and everything works fine. As soon as I do the following:

interface GigabitEthernet0/1

card crypto VPN_Crypto

The DMVPN drops. If I can connect to and run:

interface GigabitEthernet0/1

No crypto card

The DMVPN happens immediately.

What could I do it wrong? Here is the config for the Tunnel0 DMVPN tunnel:

interface Tunnel0

bandwidth 1000

192.168.10.31 IP address 255.255.255.0

no ip redirection

IP 1400 MTU

authentication of the PNDH IP DMVPN_NW

map of PNDH IP xx.xx.xx.xx multicast

property intellectual PNDH card 192.168.10.10 xx.xx.xx.xx

PNDH id network IP-100000

property intellectual PNDH holdtime 360

property intellectual PNDH nhs 192.168.10.10

dmvpn-safe area of Member's area

IP tcp adjust-mss 1360

delay of 1000

source of tunnel GigabitEthernet0/1

multipoint gre tunnel mode

tunnel key 100000

Tunnel CiscoCP_Profile1 ipsec protection profile

If you need anything else the config for help just let me know. Our main site router, I had no problem with him being the DMVPN hub and also having a handful of Ipsec VPN set up on it well. I appreciate a lot of help, I really need to get both of these tunnels running simultaneously as soon as possible.

Yes, but I don't see anything looking for strange (well, configs generated by CCP always sound strange...).

Maybe you run into a bug. Have you tried a different IOS? Personally I wouldn't use 15.2 if I have to. You can try 15.0 (1) M8 and see if it works.

--
Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
http://www.Kiva.org/invitedBy/karsteni

DMVPN - record PNDH, IPsec

Hi all

I was wondering if rays PNDH entries must be processed by the hub before the tunnel IPsec may form between the hub and the spokes.

Any ideas will be appreciated.

Thank you

David Lai

David,

PNDH and IPSec go hand in hand.

Infact the first IPSec packets to be exchanged between the spokes and hubs are PNDH records and recording answers.

Once PNDH successful registration, routing neighborships come and you'll have full connectivity between Hub and Spoke.

Avinash.

Decision on DMVPN and L2L simple IPsec tunnels

I have a project where I need to make a decision on which solution to implement... environment is as follows...
- 4 branches.
- Each branch has 2 subnets; one for DATA and another for VOICE
- 2 ISPS in each (an Internet access provider and a provider of MPLS)
- Branch #1 isn't necessarily the HUB office that all database servers and files are there are
- Branch #2 is actually where the phone equipment
- Other 2 branches are just branches speaks (may not need never DATA interconnectivy, but they do need interconnection VOICE when they call since we spoke directly to the other)
- MPLS is currently used for telephone traffic.
- ISP provider link is used for site to site tunnels that traverse the internet, and it is the primary path for DATA. Means that all branch DATA subnets use the tunnels from site to site as main road to join the #1 branch where all files and databases are located.
- I'd like to have redundancy in case the network MPLS down for all traffic VOICE switch to L2L tunnels.
My #1 Option

Because it isn't really a star to the need, I don't really know if I want to apply DMVPN, although I read great things about it. In addition, another reason, I would have perhaps against DMVPN is the 'delay' involved, at least during initialization, communications having spoke-to-spoke. There is always a broken package when a department wants to initiate communication with one another.

My #2 Option

My other choice is just deploy L2L IPSec tunnels between all 4 branches. It's certainly much easier to install than DMVPN although DMVPN can without routing protocols that I think I'll need. But with these Plains L2L IPSec tunnels, I can also add the GRE tunnels and the routing of traffic protocols it as well as all multicast traffic. In addition, I can easily install simple IP SLA that will keep all tunnels upwards forever.

Can someone please help to choose one over the other is? or if I'm just okay with the realization of the #2 option

Thanks in advance

Hi ciscobigcat

Yes, OSPF will send periodic packets 'Hello' and they will maintain the tunnels at all times.

The numbers that you see (143 and 1001) are the "cost" of the track, so OSPF (Simplified) will calculate what different paths there are to a destination and assign each of them a 'cost' (by assigning a cost to each segment of the path, for example GigabitEthernet is "lower cost" Fastethernet and then adding the costs of all segments).

Then it will take the path to the lowest cost (143 in your case, in normal operation) and insert this in the routing table.

So since traffic is already going the right way, I don't know if you still need any tweaking? Personally, I would not add a second routing protocol because, generally, makes things more complicated.

QoS, it is important to use "prior qos rank".

See for example

http://www.Cisco.com/en/us/docs/solutions/Enterprise/WAN_and_MAN/QoS_SRND/IPSecQoS.html

http://www.Cisco.com/en/us/Tech/tk543/tk757/technologies_tech_note09186a00800b3d15.shtml

HTH

Herbert

DMVPN and VoIP

Are there concerns using VoIP with DMVPN? How is managed quality of Service?

Thank you for your participation.

Dean,

You guessed it! Remember to accept your answer as the answer ;)

Thank you for participating in the dissemination on the Web today, please feel free to post any questions here or in the Ask the Expert wire.

-Frank

DMVPN, PNDH: What certification cisco?

Hi all

I want to know that DMVPN and PNDH reports to which cisco certification?

Eve.

Hello

It is the CCIE Security.

https://learningnetwork.Cisco.com/docs/doc-5273

There will be a link which gives the review program.

I hope this helps.

Kind regards

Anisha.

P.S.: Please mark this thread as answered if you feel that your query is resolved. Note the useful messages.

EasyVPN server and DmVPN

Hi all

I have a router with IOS advanced ip services 12.3.T3 1760 and it is configured as a hub dmvpn and it works very well and the rays work too. I want to know if it is possible to configure easy vpn server on the same router, and both services are running at the same time?

Concerning

Raul Hey how's it going?

The answer to your questions is Yes, remember that the server EzVPN configuration is like the configuration of the device for remote access VPN client.

I don't see why it does not work...

In fact, a Cisco IOS router can be configured as a server EzVPN & Client at the same time restrictions are for EzVPN client, it will be able to connect to a single server of EzVPN and nothing else.

Hope this helps

Frank

DMVPN question "" change btwn CONF_XAUTH & MM_NO_STATE ".

Hi all

can you please help on below: thanks in advance.

HQ which is configured to accept remote vpn client using crypto map and also it is configured for dynamic vpn with branch.

Static public IP HQ is 82.114.179.120, tunnel 10 172.16.10.1 and local lan ip is 192.168.1.0

Branch has dynamic public ip, 10 ip 172.16.10.32 tunnel local lan is 192.168.32.0 It is also configured by using tunnel 0 with an another CA that works very well.

Directorate-General for the Lan (192.168.32.0) is required to access lan (192.168.1.0) HQ...

Debug files attached

HQ:

AAA authentication login local acs
AAA authorization network local acs
!
AAA - the id of the joint session
!
IP cef
!

8.8.8.8 IP name-server
No ipv6 cef
!
Authenticated MultiLink bundle-name Panel
!

redundancy
!

VDSL 0/1/0 controller
!

cryptographic keys ccp-dmvpn-keyring keychain
pre-shared key address 0.0.0.0 0.0.0.0 key [email protected] / * /
!
crypto ISAKMP policy 10
BA 3des
md5 hash
preshared authentication
Group 2
ISAKMP crypto 5 3600 keepalive
ISAKMP crypto nat keepalive 3600
ISAKMP xauth timeout 60 crypto

!
ISAKMP crypto client configuration group NAMA
namanama key
pool mypool
ACL 101
Save-password
Profile of crypto isakmp dmvpn-ccp-isakmprofile
CCP-dmvpn-keyring keychain
function identity address 0.0.0.0
!
Crypto ipsec transform-set esp-3des esp-md5-hmac test
tunnel mode
Crypto ipsec transform-set ESP-AES-MD5-esp - aes esp-md5-hmac comp-lzs
transport mode
!
Profile of crypto ipsec CiscoCP_Profile1
game of transformation-ESP-AES-MD5
define the profile of isakmp dmvpn-ccp-isakmprofile
!

card dynamic crypto map 10
Set transform-set test
market arriere-route
!
the i-card card crypto client authentication list acs
card crypto i-card isakmp authorization list acs
card crypto i-map client configuration address respond
card crypto i-card 10 isakmp ipsec dynamic map

!
interface Tunnel10
bandwidth 1000
address 172.16.10.1 IP 255.255.255.0
no ip redirection
IP 1400 MTU
authentication of the PNDH IP DMVPN_NW
dynamic multicast of IP PNDH map
PNDH id network IP-100000
property intellectual PNDH holdtime 360
IP tcp adjust-mss 1360
delay of 1000
Shutdown
source of Dialer1 tunnel
multipoint gre tunnel mode
tunnel key 100000
Tunnel CiscoCP_Profile1 ipsec protection profile
!
the Embedded-Service-Engine0/0 interface
no ip address
Shutdown
!
interface GigabitEthernet0/0
IP 192.168.0.254 255.255.255.0
IP nat inside
IP virtual-reassembly in
automatic duplex
automatic speed
!
interface GigabitEthernet0/1
IP 192.168.1.1 255.255.255.0
IP nat inside
IP virtual-reassembly in
automatic duplex
automatic speed
!
ATM0/1/0 interface
DSL Interface Description
no ip address
No atm ilmi-keepalive
PVC 8/35
aal5snap encapsulation
PPPoE-client dial-pool-number 1

!
interface Dialer0
no ip address
!
interface Dialer1
the negotiated IP address
IP mtu 1492
NAT outside IP
IP virtual-reassembly in
encapsulation ppp
Dialer pool 1
PPP authentication chap callin pap
PPP chap hostname nama20004
password PPP chap 0 220004
PPP pap sent-username nama20004 password 0 220004
i-crypto map
!
IP local pool mypool 192.168.30.1 192.168.30.100
IP forward-Protocol ND
!
IP http server
IP http secure server
!
overload of IP nat inside source list 171 interface Dialer1
IP route 0.0.0.0 0.0.0.0 Dialer1
IP route 192.168.32.0 255.255.255.0 172.16.10.32
!
access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.30.0 0.0.0.2
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.30.0 0.0.0.2
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.32.0 0.0.0.2
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.35.0 0.0.0.2
access-list 171 deny ip 192.168.0.0 0.0.0.255 192.168.30.0 0.0.0.2
access-list 171 refuse ip 192.168.1.0 0.0.0.255 192.168.30.0 0.0.0.2
access-list 171 refuse ip 192.168.1.0 0.0.0.255 192.168.35.0 0.0.0.2
access-list 171 refuse ip 192.168.1.0 0.0.0.255 192.168.32.0 0.0.0.2
access ip-list 171 allow a whole
Dialer-list 2 ip protocol allow
!

HQ #sh cry isa his
IPv4 Crypto ISAKMP Security Association
DST CBC conn-State id
82.114.179.120 78.137.84.92 CONF_XAUTH 1486 ACTIVE
82.114.179.120 78.137.84.92 MM_NO_STATE 1483 ACTIVE (deleted)
82.114.179.120 78.137.84.92 MM_NO_STATE 1482 ACTIVE (deleted)

See the branch to execute:

!
!
crypto ISAKMP policy 1
BA 3des
preshared authentication
Group 2
!
crypto ISAKMP policy 11
BA 3des
md5 hash
preshared authentication
Group 2
ISAKMP crypto key [email protected] / * / address 82.114.179.105
ISAKMP crypto key [email protected] / * / address 82.114.179.120
ISAKMP crypto keepalive 10 periodicals
!
!
Crypto ipsec transform-set ESP-AES-MD5-esp - aes esp-md5-hmac comp-lzs
transport mode
Crypto ipsec transform-set esp - aes Taiz esp-md5-hmac comp-lzs
transport mode
!
Profile of crypto ipsec CiscoCP_Profile1
game of transformation-ESP-AES-MD5
!
Profile of crypto ipsec to Taiz-profile-
the value of the transform-set in Taiz
!
interface Tunnel0
bandwidth 1000
IP 172.16.0.32 255.255.255.0
IP 1400 MTU
authentication of the PNDH IP DMVPN_NW
map of PNDH 172.16.0.1 IP 82.114.179.105
PNDH id network IP-100000
property intellectual PNDH holdtime 360
property intellectual PNDH nhs 172.16.0.1
IP tcp adjust-mss 1360
delay of 1000
source of Dialer0 tunnel
tunnel destination 82.114.179.105
tunnel key 100000
Tunnel CiscoCP_Profile1 ipsec protection profile
!
interface Tunnel10
bandwidth 1000
IP 172.16.10.32 255.255.255.0
IP 1400 MTU
authentication of the PNDH IP DMVPN_NW
property intellectual PNDH 172.16.10.1 card 82.114.179.120
PNDH id network IP-100000
property intellectual PNDH holdtime 360
property intellectual PNDH nhs 172.16.10.1
IP tcp adjust-mss 1360
delay of 1000
source of Dialer0 tunnel
tunnel destination 82.114.179.120
key to tunnel 22334455
tunnel of ipsec to Taiz-profile protection
!
interface Ethernet0
no ip address
Shutdown
!
ATM0 interface
no ip address
No atm ilmi-keepalive
!
point-to-point interface ATM0.1
PVC 8/35
PPPoE-client dial-pool-number 1
!
!
interface FastEthernet0
# CONNECT TO LAN description #.
no ip address
!
interface FastEthernet1
# CONNECT TO LAN description #.
no ip address
!
interface FastEthernet2
# CONNECT TO LAN description #.
no ip address
!
interface FastEthernet3
# CONNECT TO LAN description #.
no ip address
!
interface Vlan1
# LAN INTERFACE description #.
customer IP dhcp host name no
IP 192.168.32.254 255.255.255.0
IP nat inside
IP virtual-reassembly in
IP tcp adjust-mss 1412
!
interface Dialer0
the negotiated IP address
IP mtu 1452
NAT outside IP
IP virtual-reassembly in
encapsulation ppp
Dialer pool 1
Dialer-Group 1
PPP authentication chap callin pap
PPP chap hostname mohammadaa
password PPP chap 0-123456
PPP pap sent-name of user mohammadaa password 123456 0
!
IP forward-Protocol ND
IP http server
10 class IP http access
local IP http authentication
no ip http secure server
!
the IP nat inside source 1 interface Dialer0 overload list
IP route 0.0.0.0 0.0.0.0 Dialer0
Route IP 192.168.0.0 255.255.255.0 172.16.0.1
IP route 192.168.1.0 255.255.255.0 172.16.10.1
!
auto discovering IP sla
Dialer-list 1 ip protocol allow
!
access-list 1 permit 192.168.32.0 0.0.0.255
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 permit 192.168.0.0 0.0.0.255
!

Branch #sh cry isa his
IPv4 Crypto ISAKMP Security Association
DST CBC conn-State id
82.114.179.120 78.137.84.92 MM_NO_STATE ACTIVE 2061 (deleted)
82.114.179.120 78.137.84.92 MM_NO_STATE 2060 ACTIVE (deleted)

Mohammed,

No probs, ensure safety.

The config you home has only one profile of IKE again. i.e. your DMVPN and ezvpn fall into the same basket.

What you need is a clean separation.

In the example you have
```
 crypto isakmp profile VPNclient match identity group hw-client-groupname client authentication list userauthen isakmp authorization list hw-client-groupname client configuration address respond 
```
which is then linked to:
```
 crypto dynamic-map dynmap 10 set isakmp-profile VPNclient reverse-route set transform-set strong
```
and separately a Profile of IKE DMVPN:
```
 crypto isakmp profile DMVPN keyring dmvpnspokes match identity address 0.0.0.0
```
linked to your profile DMVPN IPsec:
```
 crypto ipsec profile cisco set security-association lifetime seconds 120 set transform-set strong set isakmp-profile DMVPN
```
You apply the same logic here and clean to the top of your current config (i.e. move the features that you have applied to the level of the crypto map to your new profile of IKE).

M.

DMVPN Phase 3 double cloud has spoke-to-Spoke communication

Hello

I would like to confirm/verify if Phase 3 allows rays in different areas of DMVPN communicate directly or that there is the talking-DMVPN-A routed through hubs talk-DMVPN-B? Any document on EAC authoritative on this specific scenario is greatly appreciated.

Thank you.

-Mike

Mike,

I may be off, does not not with the VPN for a year now, but that's.

It really depends on what is a domain for you. Remember that the ID Network PNDH is locally important.

In the end even network ID allows PNDH requests jump between different tunnels.

If the network ID is different then the 'domain' is different and PNDH must not circulate between.

For the rest, he is based on the road, it's just a matter of making conscious design decisions prior to deployment and a few tests.

M.

DMVPN and PNDH

Similar Questions

Maybe you are looking for