DMVPN with VRF (default route redistribution via VRF)
Hi all
I was testing a DMVPN configuration so that users at the SPOKES surf the Internet through the HUB's Internet gateway. SPOKE1PN is able to ping all internal IP addresses and the route determination is correct. When it reaches out to the Internet gateway (HUB_INTGW), pings are OK, but traceroute requests time out. I was wondering if anyone has an idea. Here's my topology.
Basically, if SPOKE1PN pings the Internet, the traffic goes to SPOKE1, then to HUB1 via Tu0, then to HUB1_INTGW where it gets NAT overload (PAT).
ISSUE (PING OK, TRACEROUTE DROPS AFTER THE NAT OVERLOAD HOP)
SPOKE1PN#ping 202.0.0.2 rep 88
Type escape sequence to abort.
Sending 88, 100-byte ICMP Echos to 202.0.0.2, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (88/88), round-trip min/avg/max = 144/211/328 ms
SPOKE1PN#traceroute 202.0.0.2
Type escape sequence to abort.
Tracing the route to 202.0.0.2
  1 192.168.1.1 88 msec 64 msec 16 msec
  2 172.14.1.1 164 msec 92 msec 128 msec
  3 10.1.0.254 152 msec 124 msec 116 msec
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *
SPOKE1
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SPOKE1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
ip vrf DMVPN
 rd 1:1
!
crypto isakmp policy 1
 encr aes 256
 hash md5
 authentication pre-share
 group 5
crypto isakmp key @ngelam1chell3r1c address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 60 periodic
!
crypto ipsec transform-set SET1 ah-md5-hmac esp-aes
!
crypto ipsec profile DMVPN
 set transform-set SET1
!
interface Tunnel0
 ip vrf forwarding DMVPN
 ip address 172.14.1.2 255.255.255.0
 no ip redirects
 ip mtu 1416
 ip nhrp authentication cisco123
 ip nhrp map 172.14.1.1 200.0.0.2
 ip nhrp map multicast 200.0.0.2
 ip nhrp map 172.14.1.254 200.0.1.2
 ip nhrp map multicast 200.0.1.2
 ip nhrp network-id 99
 ip nhrp nhs 172.14.1.1
 ip nhrp nhs 172.14.1.254
 tunnel source FastEthernet0/1
 tunnel mode gre multipoint
 tunnel key 999
 tunnel protection ipsec profile DMVPN
!
interface FastEthernet0/0
 ip vrf forwarding DMVPN
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 201.0.0.2 255.255.255.240
 speed 100
 full-duplex
!
router eigrp 1
 auto-summary
 !
 address-family ipv4 vrf DMVPN
  redistribute connected
  network 172.14.1.0 0.0.0.255
  network 192.168.1.0
  no auto-summary
  autonomous-system 1
 exit-address-family
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 201.0.0.1
!
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
line aux 0
line vty 0 4
!
end
HUB1
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname HUB1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
ip cef
!
ip vrf DMVPN
 rd 1:1
!
crypto isakmp policy 1
 encr aes 256
 hash md5
 authentication pre-share
 group 5
crypto isakmp key @ngelam1chell3r1c address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 60
!
crypto ipsec transform-set SET1 ah-md5-hmac esp-aes
no crypto ipsec nat-transparency udp-encapsulation
!
crypto ipsec profile DMVPN
 set transform-set SET1
!
interface Tunnel0
 ip vrf forwarding DMVPN
 ip address 172.14.1.1 255.255.255.0
 no ip redirects
 ip mtu 1416
 ip nhrp authentication cisco123
 ip nhrp map multicast dynamic
 ip nhrp network-id 99
 tunnel source FastEthernet0/1
 tunnel mode gre multipoint
 tunnel key 999
 tunnel protection ipsec profile DMVPN
!
interface FastEthernet0/0
 ip vrf forwarding DMVPN
 ip address 10.1.0.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 200.0.0.2 255.255.255.240
 speed 100
 full-duplex
!
router eigrp 1
 auto-summary
 !
 address-family ipv4 vrf DMVPN
  redistribute connected
  redistribute static
  network 10.1.0.0 0.0.0.255
  network 172.14.1.0 0.0.0.255
  no auto-summary
  autonomous-system 1
 exit-address-family
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 200.0.0.1
ip route vrf DMVPN 0.0.0.0 0.0.0.0 10.1.0.254
!
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
line aux 0
line vty 0 4
!
end
HUB1_INTGW
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname HUB1_INTGW
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
ip cef
!
no ip domain lookup
!
multilink bundle-name authenticated
!
archive
 log config
  hidekeys
!
interface FastEthernet0/0
 ip address 10.1.0.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 200.0.1.2 255.255.255.240
 ip nat outside
 ip virtual-reassembly
 speed 100
 full-duplex
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 200.0.1.1
ip route 192.168.1.0 255.255.255.0 10.1.0.1
!
no ip http server
no ip http secure-server
ip nat inside source list ACL_NATOVERLOAD interface FastEthernet0/1 overload
!
ip access-list standard ACL_NATOVERLOAD
 permit 10.1.0.0 0.0.0.255
 permit 192.168.1.0 0.0.0.255
 permit 172.14.1.0 0.0.0.255
!
control-plane
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
!
end
Desmon,
If ping works, I can bet you that it's a problem with how the ICMP unreachable sent in response to the UDP probe with expired TTL gets through NAT (PAT in fact).
Can you do a static NAT on HUB1_INTGW for the test IP? You should see a difference... BTW, debug ip packet is your friend, try it :-) on INTGW and INT_RTR.
Marcin
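As an added example (not part of Marcin's reply or the original post), the following Python models the mechanism his answer points at: traceroute depends on ICMP Time Exceeded replies, and a PAT (NAT overload) device can only deliver such a reply to the inside host by reading the quoted UDP header inside the ICMP error and undoing its own translation there. The inside host 192.168.1.10, the port mapping, and the hop addresses are constructed assumptions modelled on the topology in the thread; the packet builders are minimal (no IP options, UDP checksum left at zero) and not Cisco's NAT implementation.

```python
"""Added example (not from the original post): a model of what a PAT /
NAT-overload device must do with the ICMP Time Exceeded replies that
traceroute relies on. Addresses, ports and the port mapping are
constructed; the inside host 192.168.1.10 and the outside address
200.0.1.2 are assumptions modelled on the thread's topology."""
import struct


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_bytes(dotted: str) -> bytes:
    return bytes(int(x) for x in dotted.split("."))


def addr(raw: bytes) -> str:
    return ".".join(str(x) for x in raw)


def ip4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal IPv4 header (no options) + payload, header checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      ttl, proto, 0, ip_bytes(src), ip_bytes(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload


def udp(sport: int, dport: int, data: bytes) -> bytes:
    # UDP checksum left at 0 (permitted for IPv4) to keep the example short.
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def icmp_time_exceeded(hop: str, offending: bytes) -> bytes:
    """ICMP type 11 / code 0 from `hop` to the offending packet's source,
    quoting that packet's IP header plus the first 8 bytes of its payload."""
    body = struct.pack("!BBHI", 11, 0, 0, 0) + offending[:28]
    body = body[:2] + struct.pack("!H", checksum(body)) + body[4:]
    return ip4(hop, addr(offending[12:16]), 1, body)


class Pat:
    """Port address translation: (inside ip, inside port) <-> outside port."""

    def __init__(self, outside_ip: str):
        self.outside_ip = outside_ip
        self.next_port = 1024
        self.back = {}  # outside port -> (inside ip, inside port)
        self.fwd = {}   # (inside ip, inside port) -> outside port

    def translate_out(self, pkt: bytes) -> bytes:
        """Inside->outside UDP: rewrite the source address and port."""
        src, dst = addr(pkt[12:16]), addr(pkt[16:20])
        sport, dport = struct.unpack("!HH", pkt[20:24])
        key = (src, sport)
        if key not in self.fwd:
            self.fwd[key] = self.next_port
            self.back[self.next_port] = key
            self.next_port += 1
        return ip4(self.outside_ip, dst, 17, udp(self.fwd[key], dport, pkt[28:]), ttl=pkt[8])

    def translate_icmp_error_in(self, pkt: bytes, inspect_quoted: bool = True):
        """Outside->inside ICMP error: returns the packet delivered to the
        inside host, or None if the PAT drops it. The outer destination is
        the PAT's own address and ICMP type 11 carries no port, so the only
        way to find the inside host is the quoted (embedded) UDP header.
        A PAT that does not inspect it (inspect_quoted=False) drops the reply,
        which is what '* * *' in traceroute looks like while ping still works."""
        if pkt[9] != 1 or pkt[20] != 11:
            return None
        quoted = pkt[28:]
        if not inspect_quoted or len(quoted) < 28:
            return None
        q_sport = struct.unpack("!H", quoted[20:22])[0]
        if addr(quoted[12:16]) != self.outside_ip or q_sport not in self.back:
            return None
        in_ip, in_port = self.back[q_sport]
        fixed = bytearray(quoted)  # undo the translation inside the quote
        fixed[12:16] = ip_bytes(in_ip)
        fixed[20:22] = struct.pack("!H", in_port)
        fixed[10:12] = b"\x00\x00"
        fixed[10:12] = struct.pack("!H", checksum(bytes(fixed[:20])))
        body = struct.pack("!BBHI", 11, 0, 0, 0) + bytes(fixed)
        body = body[:2] + struct.pack("!H", checksum(body)) + body[4:]
        return ip4(addr(pkt[12:16]), in_ip, 1, body)


def traceroute_probe_roundtrip(inspect_quoted: bool = True):
    """Constructed scenario: 192.168.1.10 sends a UDP traceroute probe, the PAT
    at 200.0.1.2 translates it, the next hop 200.0.1.1 expires its TTL and
    replies. Returns (delivered-to, quoted src ip, quoted src port) or None."""
    pat = Pat("200.0.1.2")
    probe = ip4("192.168.1.10", "202.0.0.2", 17, udp(49152, 33434, b"\x00" * 12), ttl=1)
    on_wire = pat.translate_out(probe)
    reply = icmp_time_exceeded("200.0.1.1", on_wire)
    delivered = pat.translate_icmp_error_in(reply, inspect_quoted)
    if delivered is None:
        return None
    return addr(delivered[16:20]), addr(delivered[40:44]), struct.unpack("!H", delivered[48:50])[0]


if __name__ == "__main__":
    print("PAT inspecting quoted header :", traceroute_probe_roundtrip(True))
    print("PAT ignoring quoted header   :", traceroute_probe_roundtrip(False))
```

The practical check this suggests is to watch the ICMP type 11 packets on both sides of HUB1_INTGW (for example with debug ip packet as Marcin suggests, or a capture on Fa0/1 and Fa0/0): if they arrive on the outside interface addressed to 200.0.1.2 but never appear on the inside with the quoted header rewritten to the spoke host, the translation of the embedded header is where the probes are lost, and a static NAT for the test host removes the port-lookup dependency entirely.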
Tags: Cisco Security
Similar Questions
-
IPsec S2S ASA to ASR with VRF using a Loopback ADDRESS
So, I have a solution and then a question about this solution:
First the solution and the config, for anyone in the future who might need it:
To configure the ASA VPN to the ASR:
crypto keyring KEY-SITE-B-DC
  local-address [asr-ip-address]
  pre-shared-key address [ASA-ip-address] key test123
!
crypto isakmp profile ISAKMP-SITE-B-DC
   vrf VPN
   keyring KEY-SITE-B-DC
   match identity address [ASA-ip-address] 255.255.255.255
!
crypto isakmp policy 9
 encr aes
 authentication pre-share
 group 2
 lifetime 28800
!
crypto map S2S-VPN local-address Loopback11
crypto map S2S-VPN 10 ipsec-isakmp
 description # VPN S2S SITE-B-DC ASA #
 set peer [ASA-ip-address]
 set transform-set TRANS_SET-SITE-B-DC
 set pfs group2
 set isakmp-profile ISAKMP-SITE-B-DC
 match address IPSEC-VPN-ACL_SITE-B-DC
!
crypto ipsec transform-set TRANS_SET-SITE-B-DC esp-aes esp-sha-hmac
 mode tunnel
!
interface [EXIT/ENTRY interface]
 description # BECAUSE WE RUN A DYNAMIC ROUTING PROTOCOL (BGP in my case), ANY INTERFACE COULD BE THE INPUT/OUTPUT IF, SO THESE IFs MUST ALSO HAVE THE CRYPTO MAP #
 crypto map S2S-VPN
!
interface Loopback11
 description # IPSEC TEST #
 ip address [asr-ip-address] 255.255.255.255
!
!
ip access-list extended IPSEC-VPN-ACL_SITE-B-DC
 permit ip host [ASR-LAN-addresses] [ASA-LAN-addresses]
!
ip route vrf VPN [ASA-LAN-addresses] 255.255.255.x 8.8.8.8 global name GENERIC-IPSEC-CRYPTO-ROUTE
(ANYCAST) * the route here is for the traffic to be encrypted; the next hop MUST be a non-recursive route *
!
So now for my question:
Does it REALLY have to be a route with a match in the routing table other than the default route?
(Because it does not work with a route that resolves via the default route, even when the recursive path points to the same interface as the specific route does.)
Is there any other way to do this? Because pointing the route at 8.8.8.8 means my tunnels' availability depends on the availability of a route to 8.0.0.0 in the RIB.
Any help would be appreciated here, guys!
Why not let the router hide the administrative complexity by using IPP?
The example is not perfect because of the point-to-point connection between the two routers, but you can understand which IP address to use as the gateway.
I also suggest moving away from crypto map entries; with the newer software, logical interfaces with tunnel protection are the way to go. The problem does not appear there.
-
DMVPN with digital certificates and Hub acting as a CA server
Hello guys,
Is there any way to configure DMVPN with digital certificates and have the Hub router act as a CA server?
Thank you
Yes, you can do it. Go ahead and set up your Hub router with the normal DMVPN configuration so that it becomes the hub. After doing that, follow the link below to add the PKI (certificate server) feature:
http://www.Cisco.com/en/us/docs/iOS/12_3t/12_3t4/feature/guide/gt_ioscs.html
And to enroll the spokes with the hub, use this link:
http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a0080210cdc.shtml
Remember that even though the Hub router is the CA, it must enroll with itself to allow IKE PKI authentication.
-
Does anyone have an example of using several DMVPN networks and VRF (no MPLS) interfaces?
I have a requirement to use a common link to carry three isolated spoke networks to the Hub as encrypted data. It could be VTI, that doesn't bother me, but I can't use MPLS.
Thank you
Hello
"Back in the day", I made this config:
http://isamology.blogspot.com/2010/01/IPSec-and-vrfs-so-who-faire-vrf.html
But normally, I guess you've seen this:
http://www.Cisco.com/en/us/prod/collateral/iosswrel/ps6537/ps6586/ps6660/prod_white_paper0900aecd8034be03_ps6658_Products_White_Paper.html
The same principles apply to VRF-lite regardless of DMVPN/VTI/GRE-over-IPsec configuration.
tunnel vrf = front-door VRF
ip vrf forwarding = inside VRF
Now, if you add Nico's cheat sheet (for isakmp profiles), especially if necessary, you should be all set.
https://supportforums.Cisco.com/docs/doc-13524
Marcin
-
DMVPN with dynamic HSRP/IPsec failover
"DMVPN with dynamic HSRP/IPsec failover."
Hi all. Is this possible? When you use a direct IPsec LAN-to-LAN, you have a crypto map, and when you apply the crypto map at the tunnel source interface, you configure "crypto map ...
redundancy ... stateful". DMVPN does not use a crypto map; it uses an IPsec profile with tunnel protection. How do you configure stateful IPsec with HSRP in this situation?
We're heading for a dual-cloud DMVPN topology with 2 geographically separate DMVPN head-ends. I want each head-end to have HSRP redundancy, which can be done fairly easily. But I also want the IPsec state to be replicated so that the IPsec security associations do not drop in the case of a failover. Is it possible in this scenario, and how?
Thanks a lot as always.
Hello again ;-)
There is currently no plan at the moment (that I know of) to mix stateful redundancy with anything using tunnel protection.
Frankly, it is best to create redundancy by terminating DMVPN on both head-ends and relying on routing protocols, which I am sure you are aware of, so I won't bore you with details.
That said, my personal observation is: if you want stateful failover go to ASA; when you have routers, you have all these wonderful tools like VTI/GRE over IPsec that mix well with routing protocols, and MUCH MUCH more. It is very often enough to change some routing protocol timers for a routing-driven "failover" to happen very quickly.
Marcin
-
Sign the document with 'Draw my signature' and send it via HTTP POST
Hello
I have a PDF document with a signature field. When I open it with Acrobat Reader XI, I can Sign / Place Signature / Draw my signature. I can then 'Save a copy'. It works pretty well.
Now, I place a button in the PDF document to send it via HTTP POST to a given address. When I now open this PDF in Acrobat Reader XI and try to sign, I can only do Sign / Place Signature / Use a certificate. There is no way to "Draw my signature".
Did I miss an option to do this? Please tell me if there is a chance to sign the document with 'Draw my signature' and send it via HTTP POST.
Or is this part of the concept? When I was looking for a solution, I found the EchoSign electronic signature.
What is available depends on how the form is set up. If you include a button with a 'Submit form' action and/or Reader-enable the form, then e-signing (drawing a signature) will not be available in Reader. If the document is Reader-enabled, then digital signing will be. So for what you want, do not Reader-enable the document, and you can use the submitForm JavaScript method to submit. The site that has the JavaScript documentation was not available at the time I wrote this, but post again if you need help with that.
-
Default route through an IPsec tunnel on PIX version 6.3
We have a PIX 501 running version 6.3.1.
There are currently 3 active IPsec tunnels as described below.
What we would like is to have all default traffic (0.0.0.0 0.0.0.0) go out through the middle tunnel so that the traffic can be protected by a firewall on the other side of the tunnel. Since ICF is a Sonicwall, what would need to be changed in the configuration on the PIX to get there?
Thank you
PIX Version 6.3(1)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 86AZXXmRLxfv/oUQ encrypted
passwd 86AZXXmRLxfv/oUQ encrypted
hostname SiteA
domain-name default.int
clock timezone STD -7
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 75.75.75.2 CovadHub
name 75.48.25.12 Sonicwall
access-list 101 permit ip 10.10.5.0 255.255.255.0 10.10.1.0 255.255.255.0
access-list 101 permit ip 10.10.5.0 255.255.255.0 10.10.2.0 255.255.255.0
access-list 101 permit ip 10.10.5.0 255.255.255.0 10.10.3.0 255.255.255.0
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any echo
access-list 102 permit ip 10.10.5.0 255.255.255.0 10.10.2.0 255.255.255.0
access-list 103 permit ip 10.10.5.0 255.255.255.0 10.10.1.0 255.255.255.0
access-list 104 permit ip 10.10.5.0 255.255.255.0 10.10.3.0 255.255.255.0
pager lines 24
logging on
logging monitor debugging
logging buffered warnings
icmp permit 10.10.5.0 255.255.255.0 inside
mtu outside 1500
mtu inside 1500
ip address outside 75.25.14.2 255.255.255.0
ip address inside 10.10.5.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.10.5.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 75.25.14.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
ntp server 132.163.4.102 source outside
ntp server 129.7.1.66 source outside
http server enable
http 10.10.1.0 255.255.255.0 inside
http 10.10.5.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set pix11 esp-des esp-md5-hmac
crypto map peer11 10 ipsec-isakmp
crypto map peer11 10 match address 102
crypto map peer11 10 set peer 75.95.21.41
crypto map peer11 10 set transform-set pix11
crypto map peer11 11 ipsec-isakmp
crypto map peer11 11 match address 103
crypto map peer11 11 set peer Sonicwall
crypto map peer11 11 set transform-set pix11
crypto map peer11 12 ipsec-isakmp
crypto map peer11 12 match address 104
crypto map peer11 12 set peer 75.62.58.28
crypto map peer11 12 set transform-set pix11
crypto map peer11 interface outside
isakmp enable outside
isakmp key ******** address 75.62.58.28 netmask 255.255.255.240
isakmp key ******** address Sonicwall netmask 255.255.255.224
isakmp key ******** address 75.95.21.41 netmask 255.255.255.252
isakmp identity address
isakmp keepalive 10
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 11 authentication pre-share
isakmp policy 11 encryption des
isakmp policy 11 hash md5
isakmp policy 11 group 2
isakmp policy 11 lifetime 28800
isakmp policy 12 authentication pre-share
isakmp policy 12 encryption des
isakmp policy 12 hash md5
isakmp policy 12 group 2
isakmp policy 12 lifetime 36000
telnet 10.10.5.0 255.255.255.0 inside
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
console timeout 0
dhcpd address 10.10.5.70-10.10.5.101 inside
dhcpd dns 10.10.1.214
dhcpd lease 43200
dhcpd ping_timeout 750
dhcpd domain default.int
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:36d2c26afa803957d3659868d9219f82
: end
Hello
You don't really configure any type of default route for the L2L VPN. Rather, you match traffic with 'any' as destination in the L2L VPN configuration. Basically you would configure the L2L VPN crypto map ACL with 'any' as the destination.
I guess in your case it would be the ACL named "103".
access-list 103 permit ip 10.10.5.0 255.255.255.0 any
no access-list 103 permit ip 10.10.5.0 255.255.255.0 10.10.1.0 255.255.255.0
Naturally, your NAT0 ACL configuration should also reflect this change. I guess the remote Sonicwall end would then NAT the private addresses to public for Internet access. I guess in that case the NAT0 ACL might even be just this one ACL rule:
access-list 101 permit ip 10.10.5.0 255.255.255.0 any
BUT what I was wondering about for now is mainly the fact that it has a priority of '11' in the 'crypto map', which sits between the 2 other L2L VPN connections.
crypto map peer11 10 ipsec-isakmp
crypto map peer11 10 match address 102
crypto map peer11 10 set peer 75.95.21.41
crypto map peer11 10 set transform-set pix11
crypto map peer11 11 ipsec-isakmp
crypto map peer11 11 match address 103
crypto map peer11 11 set peer Sonicwall
crypto map peer11 11 set transform-set pix11
crypto map peer11 12 ipsec-isakmp
crypto map peer11 12 match address 104
crypto map peer11 12 set peer 75.62.58.28
crypto map peer11 12 set transform-set pix11
If you changed the destination address of the '103' L2L VPN crypto ACL to 'any', I guess that would probably cause the last L2L VPN connection with priority '12' to stop working, since the previous entry already matches 'any' destination for your 'inside' network.
The solution might be to delete the current configuration of priority '11' and add it back with '13', for example, so that the other 2 L2L VPN connections could continue to work and all the rest of the traffic would be passed to the L2L VPN connection with Sonicwall as the remote peer.
no crypto map peer11 11 ipsec-isakmp
no crypto map peer11 11 match address 103
no crypto map peer11 11 set peer Sonicwall
no crypto map peer11 11 set transform-set pix11
crypto map peer11 13 ipsec-isakmp
crypto map peer11 13 match address 103
crypto map peer11 13 set peer Sonicwall
crypto map peer11 13 set transform-set pix11
I have to say that this is how I expect it should work. I have worked with L2L VPNs that have been configured this way, but it's quite rare.
If you want to try something like that, of course be ready to revert to the old configuration with the admins of the remote peer if things do not work. I guess the more difficult configuration changes must be made on the remote end, while the configuration on your end should be fairly simple.
Hope this helps
- Jouni
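As an added example (not part of Jouni's answer or the original post), the Python below models the first-match evaluation of a crypto map that his answer relies on, so you can check which sequence entry a given flow would select and which entries an 'any'-destination ACL shadows before touching the PIX. The entries are constructed from the crypto map in the thread (seq 10/11/12 with ACL 103 already changed to 'any') and from the proposed seq 13; peer names are taken from the posted config. The shadow check is conservative: it flags an entry only when every one of its ACL lines is fully covered by earlier lines.

```python
"""Added example (not the page's own code): first-match evaluation of a
PIX crypto map, to check which entry a flow hits and which entries an
'any'-destination ACL shadows. The entries are constructed from the
crypto map in the thread (seq 10/11/12) and Jouni's proposed seq 13."""
from ipaddress import ip_network

ANY = ip_network("0.0.0.0/0")


def pix_net(subnet: str, mask: str = ""):
    """PIX-style 'subnet mask' (or 'any') to an ip_network."""
    return ANY if subnet == "any" else ip_network(f"{subnet}/{mask}")


def crypto_map_lookup(entries, src: str, dst: str):
    """(seq, peer) of the first entry whose crypto ACL matches src -> dst;
    the crypto map is walked in ascending sequence order, first match wins."""
    s, d = ip_network(f"{src}/32"), ip_network(f"{dst}/32")
    for seq, peer, acl in sorted(entries, key=lambda e: e[0]):
        if any(s.subnet_of(a) and d.subnet_of(b) for a, b in acl):
            return seq, peer
    return None


def shadowed_entries(entries):
    """Sequence numbers of entries that can never be selected, because every
    flow their ACL describes is already matched by an earlier entry."""
    ordered = sorted(entries, key=lambda e: e[0])
    shadowed = []
    for i, (seq, _peer, acl) in enumerate(ordered):
        earlier = [line for _, _, prev in ordered[:i] for line in prev]
        covered = all(any(a.subnet_of(pa) and b.subnet_of(pb) for pa, pb in earlier)
                      for a, b in acl)
        if acl and covered:
            shadowed.append(seq)
    return shadowed


LAN = pix_net("10.10.5.0", "255.255.255.0")

# The crypto map as it would look after changing ACL 103 to 'any' in place.
BEFORE = [
    (10, "75.95.21.41", [(LAN, pix_net("10.10.2.0", "255.255.255.0"))]),
    (11, "Sonicwall",   [(LAN, pix_net("any"))]),
    (12, "75.62.58.28", [(LAN, pix_net("10.10.3.0", "255.255.255.0"))]),
]

# The proposed fix: same ACL, moved behind the specific entries as seq 13.
AFTER = [e for e in BEFORE if e[0] != 11] + [(13, "Sonicwall", [(LAN, pix_net("any"))])]

if __name__ == "__main__":
    for name, cm in (("before", BEFORE), ("after", AFTER)):
        print(name, "shadowed:", shadowed_entries(cm),
              "10.10.5.7->10.10.3.9 hits:", crypto_map_lookup(cm, "10.10.5.7", "10.10.3.9"))
```

With the catch-all at seq 11, traffic for 10.10.3.0/24 is sent to the Sonicwall peer and seq 12 is reported as shadowed; with the catch-all moved to seq 13, the two specific tunnels keep their traffic and only the remaining flows fall through to the Sonicwall. The same first-match rule applies to the NAT0 ACL (101), so the check is worth repeating there after the change Jouni describes.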
-
Default route for remote access VPN sessions
ASA version 8.2.2
How do you assign remote access VPN sessions a different default route, other than the default route assigned to the ASA? For example, my VPN ASA (which handles the VPN sessions) defaults to the Internet. I would like the remote access VPN sessions to default to the internal network first, then follow the default route to the Internet on another firewall.
The ASA's outside interface IP address is public. Inside is a private 10.x.x.x. VPN clients receive 172.17.x.x.
Thank you
After the 'route' command, add the keyword "tunneled".
tunneled
Specifies the route as the default tunnel gateway for VPN traffic.
http://www.Cisco.com/en/us/docs/security/ASA/asa80/command/reference/QR.html#wp1767323
-
(1) If I understand correctly, Phase 1 DMVPN is a hub-and-spoke (star) technology. Is it possible to use two hubs in the network?
(2) Is it possible to use an 1841 router as a Phase 1 DMVPN hub?
(3) Imagine this network topology:
* PIX * -(static VPN tunnel)-> 1841 router (hub) -(dynamic VPN tunnel)-> spokes.
Will I have problems with routing in the VPN between the PIX and the spokes through the 1841?
See the diagram in the attachment.
Thanks in advance!
Hello
It should be possible. The tunnel between the PIX and Hub 2 is going to be a regular IPsec tunnel, with the PIX configured with all the spoke networks as destination in the crypto ACL and vice versa on the hub. Hub 2 will have a static route for the PIX's private subnet, and this route will be redistributed into the routing process so that it is announced to the spokes. Please keep in mind that the tunnel protection profile you are configuring should have the 'shared' keyword configured.
HTH,
Please rate if this helps.
Kind regards
Kamal
-
DMVPN with invalid SPI recovery / DPD
Dear Experts,
I'm evaluating a DMVPN Phase 2 design for a medium-sized company network, trying to optimize the recovery time after failure and restoration of a DMVPN peer.
1. I just went through a PDF from a Cisco Live 2011 workshop named "Advanced Concepts of DMVPN - BRK 4052".
It says (without further explanation) that the invalid SPI recovery feature is not useful with DMVPN.
Can anyone explain why?
2. DMVPN involves the use of Tunnel Protection (TP). I have read reviews that say that you cannot use Dead Peer Detection (DPD) together with TP.
Contrary to these reviews, the Cisco DMVPN V1.1 design guide recommends a configuration containing:
crypto isakmp keepalive 10
Does that mean I have to use DPD, but without "periodic" keepalive? If so, could you explain?
Thank you very much!
Dear Sebastian,
1. SPI recovery essentially means that the responding VPN router must answer the initiating VPN router if the SPI is invalid; the responder's reply would be an 'invalid SPI' error to the initiator.
Why is it not recommended for DMVPN?
Well, according to the previous description of SPI recovery, imagine if someone floods your router with rogue requests! With invalid SPI recovery enabled, your router would need to respond to all the messages it receives with the "Invalid SPI" message, which basically means --> attack (Denial of Service attack) --> high CPU processing on your router.
http://www.Cisco.com/en/us/docs/iOS/12_3t/12_3t2/feature/guide/gt_ispir.html#wp1045200
How does this relate to DMVPN?
Well! DMVPN is mainly deployed with a large number of spokes! And even if nobody attacks you, your spokes can attack you.
2. I don't think having periodic keepalive is what is meant in those comments; on-demand or periodic keepalive does not really affect DMVPN.
I don't know which comments you've read, but I think you can use DPD! There have been some incompatibilities filed for tunnel keepalive, but as far as I know, nothing major was filed against ISAKMP keepalive.
HTH!
AMatahen
-
Migrating to DMVPN phase 3 with a central hub
I'm looking at migrating my DMVPN network from phase 2 to phase 3. The current system contains 3 regional hubs each serving about 100 spokes. The end goal is to be able to build spoke-to-spoke tunnels between sites that are hosted on hubs in different regions. I understand from reading the document "Migrating from Dynamic Multipoint VPN Phase 2 to Phase 3" that phase 3 regional hubs can be linked in a hierarchy through a central hub, but there are no details in the doc and I was not able to find a white paper that addresses this specifically. Does anyone have experience with this topology, or material regarding the deployment and configuration of the central hub?
Kind regards,
Mike
Mike,
DMVPN phase 3 is still a valid design choice, even if we are heading for the FlexVPN/IKEv2 combo (eventually terminated on ASRs).
That being said, the deployment is quite easy:
- NHRP shortcut (+ NHRP redirect, really unnecessary during stable operation) on the spokes
- NHRP redirect on the hubs.
Generally, on the regional hubs you would have one tunnel interface towards the spokes and another (spoke-like) tunnel towards the global hubs; remember that they must belong to the same NHRP network (i.e. the same NHRP network-id).
Now, depending on your routing protocol choice (BGP will scale better, obviously), it's just a matter of the right summarization/advertisement and tuning of delays and costs.
The best material I know of, if you want to read: google "BRKSEC DMVPN" and you will find several items from past Cisco Live/Networkers events - my resource of choice.
M.