problem in dmvpn

Hello

I'm trying to configure the DMVPN with the following topology:

I configured just NHRP and EIGRP. The permanent (spoke-to-hub) tunnels are there, but there aren't any spoke-to-spoke tunnels, and the spokes' routing tables show that each spoke does not know the subnets of the other spokes.

Normally the hub should propagate this information to the spokes; I don't know why it is not doing so.

This is the routing table for each device.

HUBS:

ISP:

Spoke1:

I tried a traceroute on Spoke1 to reach Spoke2 subnet and I got this:

Here are the configs:

HUB:

~~~
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname HUB
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
ip subnet-zero
!
ip cef
no ip domain lookup
ip domain name lab.local
!
interface Tunnel0
 bandwidth 1000
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication ENIMISTE
 ip nhrp map multicast dynamic
 ip nhrp network-id 123
 ip nhrp holdtime 300
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source 212.67.1.2
 tunnel mode gre multipoint
 tunnel key 6
!
interface Loopback0
 ip address 172.16.4.1 255.255.255.0
!
interface Serial0/0
 ip address 212.67.1.2 255.255.255.0
 serial restart-delay 0
!
interface Serial0/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial0/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial0/3
 no ip address
 shutdown
 serial restart-delay 0
!
router eigrp 123
 network 10.0.0.0 0.0.0.255
 network 172.16.4.0 0.0.0.255
 no auto-summary
!
no ip http server
no ip http secure-server
!
ip classless
ip route 0.0.0.0 0.0.0.0 212.67.1.1
!
control-plane
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
~~~

ISP:

~~~
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ISP
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
ip subnet-zero
!
ip cef
no ip domain lookup
ip domain name lab.local
no ip dhcp use vrf connected
ip dhcp excluded-address 212.67.0.1 212.67.0.2
!
ip dhcp pool URN
   network 212.67.0.0 255.255.255.0
   default-router 212.67.0.1
!
interface Serial0/0
 ip address 212.67.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 serial restart-delay 0
!
interface Serial0/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial0/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial0/3
 no ip address
 shutdown
 serial restart-delay 0
!
interface FastEthernet1/0
!
interface FastEthernet1/1
!
interface FastEthernet1/2
!
interface FastEthernet1/3
!
interface FastEthernet1/4
!
interface FastEthernet1/5
!
interface FastEthernet1/6
!
interface FastEthernet1/7
!
interface FastEthernet1/8
!
interface FastEthernet1/9
!
interface FastEthernet1/10
!
interface FastEthernet1/11
!
interface FastEthernet1/12
!
interface FastEthernet1/13
 switchport access vlan 10
!
interface FastEthernet1/14
 switchport access vlan 10
!
interface FastEthernet1/15
 switchport access vlan 10
!
interface FastEthernet2/0
 ip address 192.168.137.2 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
!
interface Vlan10
 ip address 212.67.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
router eigrp 123
 network 212.67.0.0
 network 212.67.1.0
 no auto-summary
!
no ip http server
no ip http secure-server
!
ip classless
!
ip nat inside source list 1 interface FastEthernet2/0 overload
ip nat inside source list 2 interface FastEthernet2/0 overload
!
access-list 1 permit 212.67.0.0 0.0.0.255
access-list 2 permit 212.67.1.0 0.0.0.255
!
control-plane
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
end
~~~

SPOKE1:

~~~
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SPOKE1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
ip subnet-zero
!
ip cef
no ip domain lookup
ip domain name lab.local
!
interface Tunnel0
 bandwidth 1000
 ip address 10.0.0.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication ENIMISTE
 ip nhrp map 10.0.0.1 212.67.1.2
 ip nhrp map multicast 212.67.1.2
 ip nhrp network-id 123
 ip nhrp holdtime 300
 ip nhrp nhs 10.0.0.1
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 6
!
interface Loopback0
 ip address 172.16.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address dhcp
 duplex auto
 speed auto
!
router eigrp 123
 network 10.0.0.0 0.0.0.255
 network 172.16.1.0 0.0.0.255
 no auto-summary
!
no ip http server
no ip http secure-server
!
ip classless
!
control-plane
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
end
~~~

Sorry for posting so many pictures.

Thanks in advance

Abdelilah

Try adding the 'no ip split-horizon eigrp <number>' and 'no ip next-hop-self eigrp <number>' commands on the hub. Split horizon prevents the spokes from getting the updates learned from the other spokes, and the second command ensures that the hub does not replace the next-hop IP address with its own IP address.
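The answer above is the kind of thing that is easy to check mechanically before a hub goes into service. The following is an added example, not code from the original post or from Cisco: a small Python audit that walks an IOS running-config, finds each multipoint GRE tunnel that carries NHRP, works out which EIGRP process covers the tunnel address, and reports whether the two hub-side commands from the answer are present. It also reports whether the tunnel has 'tunnel protection ipsec profile', since a bare mGRE/NHRP tunnel like the one in the post carries its routing updates and NHRP registrations unencrypted. HUB_CONFIG is a constructed, trimmed copy of the hub config posted above; the parsing itself is generic and the classful handling of a bare 'network A.B.C.D' statement is an assumption about how IOS interprets it.

```python
"""Added example (not from the original post): audit a Cisco IOS running-config
for the DMVPN hub issue discussed in the thread.

For each `tunnel mode gre multipoint` interface that has an `ip nhrp network-id`,
find the EIGRP process whose `network` statement covers the tunnel address and
report which of these hub-side commands are missing:

    no ip split-horizon eigrp <asn>
    no ip next-hop-self eigrp <asn>

Also report whether the tunnel is protected by an IPsec profile.
"""
import ipaddress
import re

# Constructed sample: a trimmed copy of the hub config from the post.
HUB_CONFIG = """\
hostname HUB
!
interface Tunnel0
 bandwidth 1000
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication ENIMISTE
 ip nhrp map multicast dynamic
 ip nhrp network-id 123
 ip nhrp holdtime 300
 tunnel source 212.67.1.2
 tunnel mode gre multipoint
 tunnel key 6
!
interface Loopback0
 ip address 172.16.4.1 255.255.255.0
!
router eigrp 123
 network 10.0.0.0 0.0.0.255
 network 172.16.4.0 0.0.0.255
 no auto-summary
!
"""


def parse_blocks(config):
    """Split an IOS config into (top-level line, [indented sub-lines]) pairs."""
    blocks, header, body = [], None, []
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw[0] in " \t":
            body.append(raw.strip())
        else:
            if header is not None:
                blocks.append((header, body))
            header, body = raw.strip(), []
    if header is not None:
        blocks.append((header, body))
    return blocks


def classful_prefix(network):
    """Prefix length assumed for a bare `network A.B.C.D` (no wildcard) statement."""
    first_octet = int(network.split(".")[0])
    return 8 if first_octet < 128 else 16 if first_octet < 192 else 24


def eigrp_covers(ip, network, wildcard):
    """True if `ip` (an IPv4Address) matches `network <addr> [<wildcard>]`."""
    if wildcard is None:
        net = ipaddress.ip_network(f"{network}/{classful_prefix(network)}", strict=False)
        return ip in net
    mask = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))
    return int(ip) & mask == int(ipaddress.ip_address(network)) & mask


def eigrp_processes(blocks):
    """Map EIGRP ASN -> list of (network, wildcard-or-None) statements."""
    procs = {}
    for header, body in blocks:
        m = re.fullmatch(r"router eigrp (\d+)", header)
        if not m:
            continue
        nets = []
        for line in body:
            parts = line.split()
            if parts and parts[0] == "network":
                nets.append((parts[1], parts[2] if len(parts) > 2 else None))
        procs[m.group(1)] = nets
    return procs


def audit_hub_tunnels(config):
    """Return {tunnel: {"eigrp_asn", "missing", "ipsec_protected"}} for mGRE+NHRP tunnels."""
    blocks = parse_blocks(config)
    procs = eigrp_processes(blocks)
    findings = {}
    for header, body in blocks:
        if not header.startswith("interface Tunnel"):
            continue
        if "tunnel mode gre multipoint" not in body:
            continue
        if not any(l.startswith("ip nhrp network-id ") for l in body):
            continue
        addr = next((l.split()[2] for l in body if l.startswith("ip address ")), None)
        if addr is None:
            continue
        ip = ipaddress.ip_address(addr)
        asn = next((a for a, nets in procs.items()
                    if any(eigrp_covers(ip, n, w) for n, w in nets)), None)
        missing = []
        if asn is not None:
            for cmd in (f"no ip split-horizon eigrp {asn}", f"no ip next-hop-self eigrp {asn}"):
                if cmd not in body:
                    missing.append(cmd)
        findings[header.split()[1]] = {
            "eigrp_asn": asn,
            "missing": missing,
            "ipsec_protected": any(l.startswith("tunnel protection ipsec profile ") for l in body),
        }
    return findings


if __name__ == "__main__":
    for tunnel, result in audit_hub_tunnels(HUB_CONFIG).items():
        print(tunnel, result)
```

Run against the posted hub config it reports both commands missing on Tunnel0 and no IPsec protection; add the two lines from the answer (and a tunnel protection profile) to the tunnel block and the "missing" list comes back empty.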

Tags: Cisco Security

Similar Questions

  • DMVPN Dual-Cloud source address problem

    Greetings,

    I run a single-hub, dual-cloud DMVPN operating in phase 2 (spoke-to-spoke enabled). I am very surprised that this question does not come up more often.

    Here is my configuration:

    Each cloud has its own ISP.

    Each remote site has a single router connected to 2 ISPs (interface1 and interface2).

    Each hub's public IP is routed statically (/32) through a single interface.

    The default route is a floating default based on an IP SLA tracking mechanism.

    See the following image (showing the static host routes and the default routes).

    With both default routes pointing out the interface carrying DMVPN-X, spoke-to-spoke on DMVPN-X works fine. But what about spoke-to-spoke on DMVPN-Y? It breaks in the following way:

    At Site A, my TunnelY interface is sourced from 10.2.0.2. After it learns Site B's public IP (10.4.0.2) via NHRP, it tries to form a spoke-to-spoke tunnel. But how does it get to 10.4.0.2? It uses its default route out the 10.1.0.2 interface with source address 10.2.0.2. A few things can happen:

    (1) The ISP blocks the wrong sources completely, either explicitly or through uRPF.

    (2) The spoke-to-spoke tunnel comes up, but asymmetric routing results (this is rare).

    (3) The ISP NATs all sources to itself (Comcast SMC gateways do this); in the example above, you see crypto packets from 10.1.0.1 arriving at 10.4.0.2! Imagine the confusion caused.

    In most cases, ISAKMP is hosed. Even if the tunnel comes up, I don't want asymmetric traffic with all the bandwidth on a single interface; I like to actively use both ISP connections.

    So... how to handle this? I anticipated it, but I thought the NHRP/DMVPN mechanism would deal with this situation: that is, if I hear a spoke via TunnelY and TunnelY is sourced on interface2, it would naturally send packets out interface2. Alas, this isn't the case.

    Here are some ways I thought of solving it:

    (1) Because my endpoints are not dynamic, I could statically host-route all the Y spokes out all the interface2s, and all the X ones out the interface1s. (With 30 sites, that's so ugly I hesitate to even include it.)

    (2) A route-map on each external interface matching the source address. If interface1 sees a source belonging to interface2, set next-hop to interface2's gateway. Same thing on interface2: if it sees a source matching interface1's IP address, set next-hop to interface1's gateway. It is repeatable, but looks a bit ugly as well.

    (3) Post on the Cisco forums and see what the consensus is.

    Thanks much in advance. Here are my spoke-side configs if you need them:

    Site A spoke example from above:

    (using PKI for ISAKMP)

    interface TunnelX
     bandwidth 10000
     ip address 192.168.X.13 255.255.255.0
     no ip redirects
     ip mtu 1400
     ip nhrp authentication [redact]
     ip nhrp map multicast 1.1.1.1
     ip nhrp map 192.168.X.1 1.1.1.1
     ip nhrp network-id X
     ip nhrp holdtime 240
     ip nhrp nhs 192.168.X.1
     ip tcp adjust-mss 1360
     tunnel source GigabitEthernet0/1
     tunnel mode gre multipoint
     tunnel key X
     tunnel protection ipsec profile DMVPN_IPSEC
    !

    interface TunnelY
     bandwidth 10000
     ip address 192.168.Y.13 255.255.255.0
     no ip redirects
     ip mtu 1400
     ip nhrp authentication [redact]
     ip nhrp map multicast 2.2.2.2
     ip nhrp map 192.168.Y.1 2.2.2.2
     ip nhrp network-id Y
     ip nhrp holdtime 240
     ip nhrp nhs 192.168.Y.1
     ip tcp adjust-mss 1360
     tunnel source GigabitEthernet0/2
     tunnel mode gre multipoint
     tunnel key Y
     tunnel protection ipsec profile DMVPN_IPSEC
    !

    ip route 1.1.1.1 255.255.255.255 10.1.0.1
    ip route 2.2.2.2 255.255.255.255 10.2.0.1
    ip route 0.0.0.0 0.0.0.0 10.1.0.1 track 1
    ip route 0.0.0.0 0.0.0.0 10.2.0.1 250   (for failover if track 1 goes down)

    This is usually resolved by separating the ISPs into front-door VRFs (keeping the global VRF inside if you choose to), allowing both to be tracked.

    It's late (almost 1:00) but I think that 'tunnel route-via' could potentially work too.

  • Problem applying IPsec to DMVPN

    Hi, I have a few problems with DMVPN.

    I have configured NHRP between a HUB and a SPOKE:

          HUB
        tu0  tu1
         |    |
          ISP
           |
        tu0, tu1
         SPOKE

    The HUB has two physical interfaces and two logical interfaces.

    The SPOKE has one physical interface and two logical interfaces.

    With NHRP configured correctly, the tunnels come up on the HUB and the SPOKES.

    When I add the IPsec profile on the tunnel interfaces I lose Tunnel1.

    SPOKE1#sh ip nhrp
    10.1.1.4/32 via 10.1.1.4, Tunnel0 created 02:22:01, never expire
      Type: static, Flags: authoritative used
      NBMA address: 190.1.1.1
    10.2.2.4/32 via 10.2.2.4, Tunnel1 created 02:18:21, never expire
      Type: static, Flags: authoritative used
      NBMA address: 190.1.2.1

    SPOKE1#debug ip nhrp

    Tunnel0

    *Mar  1 03:50:09.399: NHRP: Attempting to send packet via DEST 10.1.1.4
    *Mar  1 03:50:09.399: NHRP: Encapsulation succeeded.  Tunnel IP addr 190.1.1.1
    *Mar  1 03:50:09.399: NHRP: Send Registration Request via Tunnel0 vrf 0, packet size: 82
    *Mar  1 03:50:09.403:  src: 10.1.1.1, dst: 10.1.1.4
    *Mar  1 03:50:09.403: NHRP: 82 bytes out Tunnel0
    *Mar  1 03:50:09.519: NHRP: Receive Registration Reply via Tunnel0 vrf 0, packet size: 102
    *Mar  1 03:50:09.519: NHRP: netid_in = 0, to_us = 1

    Tunnel1

    *Mar  1 03:50:30.575: NHRP: Attempting to send packet via DEST 10.2.2.4
    *Mar  1 03:50:30.575: NHRP: Encapsulation succeeded.  Tunnel IP addr 190.1.2.1
    *Mar  1 03:50:30.575: NHRP: Send Registration Request via Tunnel1 vrf 0, packet size: 82
    *Mar  1 03:50:30.579:  src: 10.2.2.1, dst: 10.2.2.4
    *Mar  1 03:50:30.579: NHRP: 82 bytes out Tunnel1
    *Mar  1 03:50:30.579: NHRP: Resetting retransmit due to hold-timer for 10.2.2.4

    No response from the HUB.

    HUB#sh ip nhrp
    10.1.1.1/32 via 10.1.1.1, Tunnel0 created 00:05:05, expire 00:08:29
      Type: dynamic, Flags: unique registered
      NBMA address: 191.1.1.11

    Only Tunnel0 is there!

    I also have this on the HUB:

    *Mar  1 03:58:54.519: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 191.1.1.11 (physical address of SPOKE1)

    Configs:

    HUB:

    !
    crypto isakmp policy 10
     encr aes
     hash md5
     authentication pre-share
     group 2
    crypto isakmp key techservices address 0.0.0.0 0.0.0.0
    !
    !
    crypto ipsec transform-set AES_MD5 esp-aes esp-md5-hmac
    !
    crypto ipsec profile DMVPN
     set transform-set AES_MD5
    !
    !
    interface Tunnel0
     bandwidth 10000
     ip address 10.1.1.4 255.255.255.0
     no ip redirects
     ip mtu 1400
     no ip next-hop-self eigrp 123
     ip nhrp authentication dmvpn1
     ip nhrp map multicast dynamic
     ip nhrp network-id 123
     no ip split-horizon eigrp 123
     tunnel source FastEthernet0/0
     tunnel mode gre multipoint
     tunnel key 123
     tunnel protection ipsec profile DMVPN
    !
    interface Tunnel1
     bandwidth 10000
     ip address 10.2.2.4 255.255.255.0
     no ip redirects
     ip mtu 1400
     no ip next-hop-self eigrp 124
     ip nhrp authentication dmvpn2
     ip nhrp map multicast dynamic
     ip nhrp network-id 124
     no ip split-horizon eigrp 124
     tunnel source FastEthernet1/0
     tunnel mode gre multipoint
     tunnel key 124
     tunnel protection ipsec profile DMVPN
    !
    !
    router eigrp 123
     network 10.1.1.0 0.0.0.255
     network 172.16.4.0 0.0.0.255
     no auto-summary
    !
    router eigrp 124
     network 10.2.2.0 0.0.0.255
     network 172.16.4.0 0.0.0.255
     no auto-summary
    !

    SPOKE1:

    !
    crypto isakmp policy 10
     encr aes
     hash md5
     authentication pre-share
     group 2
    crypto isakmp key techservices address 0.0.0.0 0.0.0.0
    !
    !
    crypto ipsec transform-set AES_MD5 esp-aes esp-md5-hmac
    !
    crypto ipsec profile DMVPN
     set transform-set AES_MD5
    !
    !
    interface Tunnel0
     bandwidth 10000
     ip address 10.1.1.1 255.255.255.0
     ip mtu 1400
     ip nhrp authentication dmvpn1
     ip nhrp map multicast 190.1.1.1
     ip nhrp map 10.1.1.4 190.1.1.1
     ip nhrp network-id 123
     ip nhrp holdtime 600
     ip nhrp nhs 10.1.1.4
     ip nhrp registration timeout 300
     tunnel source FastEthernet0/0
     tunnel mode gre multipoint
     tunnel key 123
     tunnel protection ipsec profile DMVPN
    !
    interface Tunnel1
     bandwidth 10000
     ip address 10.2.2.1 255.255.255.0
     ip mtu 1400
     ip nhrp authentication dmvpn2
     ip nhrp map multicast 190.1.2.1
     ip nhrp map 10.2.2.4 190.1.2.1
     ip nhrp network-id 124
     ip nhrp holdtime 600
     ip nhrp nhs 10.2.2.4
     ip nhrp registration timeout 300
     tunnel source FastEthernet0/0
     tunnel mode gre multipoint
     tunnel key 124
     tunnel protection ipsec profile DMVPN
    !
    !
    router eigrp 123
     network 10.1.1.0 0.0.0.255
     network 172.16.1.0 0.0.0.255
     no auto-summary
    !
    router eigrp 124
     network 10.2.2.0 0.0.0.255
     network 172.16.1.0 0.0.0.255
     no auto-summary
    !

    Regards

    Good to hear. Looks like it could be a timing problem. In recent releases, logic to restart the registration timer during certain delays caused by the configuration sequence has been added. Since you're using old code, that could be the reason why it worked after reconfiguring the tunnel interface.

    P.S. Make sure you mark this thread as answered so it can help others.

  • DMVPN problem with 2 hubs

    Hello

    I have DMVPN phase 1 with 2 hubs, 20 spokes and EIGRP; HUB1 is primary and HUB2 is backup. If HUB1 goes down, all traffic from the spokes goes to HUB2 immediately, within a few seconds, but when HUB1 comes back, traffic from the spokes only returns to HUB1 automatically after 20-30 minutes, and that is too long; that's the problem.

    The 'show dmvpn' command on the spokes shows the tunnels to HUB1 in NHRP state, and if I use the 'clear crypto session' command manually on any spoke, that spoke's traffic goes back to HUB1 immediately.

    A month ago I tested it and it worked fine, but when I last tested 2 days ago, this problem occurred.

    What could be the reason and how do I fix it?

    Sorry for my English, I'm new to DMVPN :)

    Thanks in advance.

    Hi George,

    I see two possible events which would explain the behavior you are experiencing:

    (a) DMVPN state change.

    (b) Routing table change.

    You can troubleshoot each of the points above to identify which one is the origin of the problem and then isolate it. To begin, you must make sure that the DMVPN stays in a stable 'up' state.

    You mention "spokes display tunnels to HUB1 in NHRP state"; this confirms the DMVPN is 'stuck' and not fully operational.

    I suggest consulting a few useful troubleshooting details here:

    http://www.Cisco.com/c/en/us/support/docs/security/dynamic-multipoint-VP...

    Take a look at these details:

    ~~~

    Interface: Tunnel100, IPv4 NHRP Details
    Type:Spoke, NHRP Peers:2,

     # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
     ----- --------------- --------------- ----- -------- -----
         1 192.168.1.1        172.28.1.1    UP    1d21h     S
         1 192.168.1.2        172.28.1.2    UP    1d21h     S

    ~~~

    You will get similar output in your setup; keep an eye on the "UpDn" time, as it will tell you how long the DMVPN has been up.

    If the DMVPN remains stable while you experience the problem, then focus your troubleshooting on the routing protocol you use over the DMVPN tunnel.

    If the DMVPN is unstable, check that the connectivity between the spokes' and the hub's NBMA addresses remains stable. You can use 'debug dmvpn error crypto' and 'debug dmvpn error nhrp' to help identify the problem, if it is associated with DMVPN.

    There is a lot of guesswork in my suggestions, because you have not posted the configuration :).

    But it would be useful if you post the config. Good luck with your efforts.

    Thank you

    re775
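The reply above suggests watching the State and "UpDn Tm" columns of 'show dmvpn' by eye. The following is an added example, not code from the original thread or from Cisco: a Python parser for that table that converts the IOS UpDn time format ('1d21h', '00:03:10', '2w3d', 'never') to seconds and flags peers that are not UP (for instance stuck in NHRP state, as the poster describes) or whose uptime is shorter than a threshold, which is what a flapping tunnel looks like in a polled output. SHOW_DMVPN is a constructed sample in the layout quoted in the reply; its addresses and states are made up for the demonstration, and the set of UpDn formats handled is an assumption based on common IOS uptime strings.

```python
"""Added example (not from the original thread): parse `show dmvpn` output and
flag peers that are down, stuck in a non-UP state, or only recently came up."""
import re

# Constructed sample in the layout of the output quoted in the reply above.
SHOW_DMVPN = """\
Interface: Tunnel0, IPv4 NHRP Details
Type:Spoke, NHRP Peers:3,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 192.168.1.100        10.1.1.1    UP    1d21h     S
     1 192.168.2.100        10.1.1.2  NHRP 00:00:42     S
     1 192.168.4.2          10.1.1.4    UP 00:03:10     D
"""

UNIT_SECONDS = {"y": 365 * 86400, "w": 7 * 86400, "d": 86400, "h": 3600, "m": 60, "s": 1}


def updn_to_seconds(text):
    """Convert an IOS UpDn time ('1d21h', '00:03:10', '2w3d', 'never') to seconds.

    Returns None for 'never'. Raises ValueError on an unrecognised format so a
    parsing slip does not silently become a 0-second uptime.
    """
    if text == "never":
        return None
    m = re.fullmatch(r"(\d+):(\d\d):(\d\d)", text)
    if m:
        h, mi, s = (int(x) for x in m.groups())
        return h * 3600 + mi * 60 + s
    if not re.fullmatch(r"(\d+[ywdhms])+", text):
        raise ValueError(f"unrecognised UpDn time: {text!r}")
    return sum(int(n) * UNIT_SECONDS[u] for n, u in re.findall(r"(\d+)([ywdhms])", text))


# One table row: "# Ent", NBMA address, tunnel address, state, UpDn time, attributes.
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_show_dmvpn(output):
    """Return a list of peer dicts from `show dmvpn` output (one or more interfaces)."""
    peers, interface, in_table = [], None, False
    for line in output.splitlines():
        m = re.match(r"Interface:\s*(\S+),", line)
        if m:
            interface, in_table = m.group(1), False
            continue
        if line.strip().startswith("-----"):
            in_table = True  # the dashed separator precedes the peer rows
            continue
        if not in_table:
            continue
        m = ROW.match(line)
        if not m:
            in_table = False  # blank line or other text ends this interface's table
            continue
        ent, nbma, tunnel, state, updn, attrb = m.groups()
        peers.append({"interface": interface, "entries": int(ent), "nbma": nbma,
                      "tunnel": tunnel, "state": state, "updn": updn, "attrb": attrb})
    return peers


def check_dmvpn_peers(output, min_uptime=300):
    """Return (interface, nbma, reason) for peers that are not UP or came up recently."""
    issues = []
    for p in parse_show_dmvpn(output):
        if p["state"] != "UP":
            issues.append((p["interface"], p["nbma"], f"state {p['state']} for {p['updn']}"))
            continue
        secs = updn_to_seconds(p["updn"])
        if secs is not None and secs < min_uptime:
            issues.append((p["interface"], p["nbma"], f"up only {secs}s (recent flap?)"))
    return issues


if __name__ == "__main__":
    for issue in check_dmvpn_peers(SHOW_DMVPN):
        print(*issue)
```

Polling this every few minutes and diffing the UpDn values is enough to tell a DMVPN state change (the reply's case (a)) from a routing-table change (case (b)): if the peers stay UP with a monotonically growing UpDn while traffic still moves between hubs, the tunnel layer is not the culprit.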

  • DMVPN neighbor relationship heartbeat problem

    Hi all

    I am trying to build a DMVPN lab, but I'm having a hard time making it work properly.

    And I was wondering if someone would like to help me out.

    I really don't have any idea how to solve this problem.

    Thanks in advance.

    The error looks like this:

    I had the following topology:

    And my setup looks like this:

    ISP:

    =====================

    interface f1/0
     ip address 192.168.1.1 255.255.255.0
     duplex full
     no shutdown

    interface f1/1
     ip address 192.168.2.1 255.255.255.0
     duplex full
     no shutdown

    interface f2/0
     ip address 192.168.3.1 255.255.255.0
     duplex full
     no shutdown

    interface f2/1
     ip address 192.168.4.1 255.255.255.0
     duplex full
     no shutdown

    =====================

    Hub 1:

    ====================

    interface f1/0
     ip address 192.168.1.100 255.255.255.0
     duplex full
     no shutdown

    ip route 192.168.2.0 255.255.255.0 192.168.1.1
    ip route 192.168.3.0 255.255.255.0 192.168.1.1
    ip route 192.168.4.0 255.255.255.0 192.168.1.1

    interface tunnel0
     ip address 10.1.1.1 255.255.255.0
     ip nhrp map multicast dynamic
     ip nhrp network-id 1
     tunnel source 192.168.1.100
     tunnel mode gre multipoint
     ip mtu 1416

    interface tunnel0
     no ip next-hop-self eigrp 1
     no ip split-horizon eigrp 1

    router eigrp 1
     network 192.168.0.0
     network 172.16.0.0
     network 10.0.0.0
     no auto-summary

    ====================

    Hub 2:

    ====================

    interface f1/0
     ip address 192.168.2.100 255.255.255.0
     duplex full
     no shutdown

    ip route 192.168.1.0 255.255.255.0 192.168.1.1
    ip route 192.168.3.0 255.255.255.0 192.168.1.1
    ip route 192.168.4.0 255.255.255.0 192.168.1.1

    interface tunnel0
     ip address 10.1.1.2 255.255.255.0
     ip nhrp map multicast dynamic
     ip nhrp network-id 1
     tunnel source 192.168.2.100
     tunnel mode gre multipoint
     ip mtu 1416

    interface tunnel0
     no ip next-hop-self eigrp 1
     no ip split-horizon eigrp 1

    router eigrp 1
     network 192.168.0.0
     network 172.16.0.0
     network 10.0.0.0
     no auto-summary

    ====================

    Spoke 1:

    ====================

    interface f1/0
     ip address 192.168.3.2 255.255.255.0
     duplex full
     no shutdown

    interface lo0
     ip address 172.16.3.1 255.255.255.0
     no shutdown

    ip route 192.168.1.100 255.255.255.255 192.168.3.1
    ip route 192.168.2.100 255.255.255.255 192.168.3.1

    interface tunnel0
     ip address 10.1.1.3 255.255.255.0
     ip nhrp map 10.1.1.1 192.168.1.100
     ip nhrp map multicast 192.168.1.100
     ip nhrp network-id 1
     ip nhrp nhs 10.1.1.1
     ip nhrp map 10.1.1.2 192.168.2.100
     ip nhrp map multicast 192.168.2.100
     ip nhrp nhs 10.1.1.2
     tunnel source 192.168.3.2
     tunnel mode gre multipoint
     ip mtu 1416

    interface tunnel0
     no ip next-hop-self eigrp 1
     no ip split-horizon eigrp 1

    router eigrp 1
     network 192.168.0.0
     network 172.16.0.0
     network 10.0.0.0
     no auto-summary

    ==================

    Spoke 2:

    ====================

    interface f1/0
     ip address 192.168.4.2 255.255.255.0
     duplex full
     no shutdown

    interface lo0
     ip address 172.16.4.1 255.255.255.0
     no shutdown

    ip route 192.168.1.100 255.255.255.255 192.168.4.1
    ip route 192.168.2.100 255.255.255.255 192.168.4.1

    interface tunnel0
     ip address 10.1.1.4 255.255.255.0
     ip nhrp map 10.1.1.1 192.168.1.100
     ip nhrp map multicast 192.168.1.100
     ip nhrp network-id 1
     ip nhrp nhs 10.1.1.1
     ip nhrp map 10.1.1.2 192.168.2.100
     ip nhrp map multicast 192.168.2.100
     ip nhrp nhs 10.1.1.2
     tunnel source 192.168.4.2
     tunnel mode gre multipoint
     ip mtu 1416

    interface tunnel0
     no ip next-hop-self eigrp 1
     no ip split-horizon eigrp 1

    router eigrp 1
     network 192.168.0.0
     network 172.16.0.0
     network 10.0.0.0
     no auto-summary

    Hello Dwayne,

    Here are the routes on Hub2:

    ip route 192.168.1.0 255.255.255.0 192.168.1.1
    ip route 192.168.3.0 255.255.255.0 192.168.1.1
    ip route 192.168.4.0 255.255.255.0 192.168.1.1

    Shouldn't the gateway be 192.168.2.1?... Is it a real typo or a config error?

    Harish

  • Feature SR520 DMVPN problem

    Hello people,

    I have a serious problem with the SR 520 and the Cisco router features, compared to what is written on paper!

    On the Cisco site, I found that the SR 520 supports DMVPN; I ordered the router and it came with IOS

    (SR520-ADVIPSERVICESK9-M), Version 12.4(20)T6. Later, I found that it does not support

    the NHRP protocol, which is the basis for the DMVPN feature and spoke-to-spoke VPN tunnels.

    I guess the problem is in the IOS version that comes with the router.

    Please tell me, if you know, whether that is the problem and which IOS version I should choose.

    Should I take a later one (12.4(24)T6) or some special release?

    Thanks in advance,

    Vladimir

    Hi Vladimir

    DMVPN support on the SR520 was indeed only added in 12.4(24)T, so I suggest you go for the latest, which is 12.4(24)T6.

    HTH

    Herbert

  • DMVPN problem

    Hello all,

    I have a DMVPN with a dual-hub and OSPF configuration.

    I had one spoke and have now added another spoke, but I don't want the two spokes to open a tunnel between them; I want all traffic to pass through the hub.

    With "tunnel mode gre ip" on a spoke, the spoke does nothing: I no longer see the 2 hubs as OSPF neighbors. The hubs are configured as follows:

    interface Tunnel0
     bandwidth 100000
     ip address 172.16.5.1 255.255.255.0
     no ip redirects
     ip mtu 1400
     ip nhrp authentication test
     ip nhrp map multicast dynamic
     ip nhrp network-id 100000
     ip nhrp holdtime 600
     ip ospf network broadcast
     ip ospf priority 2
     delay 1000
     tunnel source GigabitEthernet0/0
     tunnel mode gre multipoint
     tunnel key 100000
     tunnel protection ipsec profile profile
    end

    and the spokes:

    interface Tunnel0
     description VPN
     bandwidth 1000
     ip address 172.16.5.13 255.255.255.0
     no ip redirects
     ip mtu 1400
     ip nat outside
     ip nhrp authentication test
     ip nhrp map multicast XXX1          <- public IPs of the hubs
     ip nhrp map 172.16.5.1 XXX1
     ip nhrp map multicast x.x.x.2
     ip nhrp map 172.16.5.2 x.x.x.2
     ip nhrp network-id 100000
     ip nhrp holdtime 300
     ip nhrp nhs 172.16.5.1
     ip nhrp nhs 172.16.5.2
     ip virtual-reassembly in
     ip ospf network broadcast
     ip ospf priority 0
     ip ospf cost 5000
     delay 1000
     tunnel source Dialer1
     tunnel mode gre multipoint
     tunnel key 100000
     tunnel protection ipsec profile profile

    I saw routes from one spoke to the other spoke, so I made a route-map filtering those routes out of the routing table; it takes the default route to the hub and not the spoke, but they always try to open a tunnel between them, which is blocked by the incoming ACL, so traffic flows as it should, but I don't want the spokes always trying to open a tunnel; they shouldn't be. I just want DMVPN phase 1.

    Please try 'ip ospf network point-to-multipoint' on all routers of the star topology.

    In addition, it would be useful if you could post the IPsec part of the config (minus any security info).

    Good luck with your configuration.

  • DMVPN Tunnel and EIGRP routing problem

    I have redundant paths to a remote 2811 router on my network. The first link is a T1 frame relay connection that has been in place for years, and the new link is a 54 Mbps fixed wireless link that was recently built.

    I'm running EIGRP as my routing protocol, process 100, for both links.

    I set up a DMVPN tunnel between the remote 2811 and a 2851 router at my host site. The tunnel interface shows up/up on both sides and I can ping the remote tunnel IP from my host-side networks.

    However my EIGRP routes are not propagating over this new tunnel link, and if I run show ip eigrp neighbor on each router I see only the neighbor for the frame relay link and not the new wireless link.

    What am I missing here?

    A show interface tunnel0 shows the following:

    Tunnel0 is up, line protocol is up
      Hardware is Tunnel
      Internet address is 10.x.x.x/24
      MTU 1514 bytes, BW 54000 Kbit, DLY 10000 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation TUNNEL, loopback not set
      Keepalive not set
      Tunnel source 172.x.x.x (FastEthernet0/1), destination 10.x.x.x
      Tunnel protocol/transport GRE/IP
        Key 0x186A0, sequencing disabled
        Checksumming of packets disabled
      Tunnel TTL 255
      Fast tunneling enabled
      Tunnel transmit bandwidth 8000 (kbps)
      Tunnel receive bandwidth 8000 (kbps)
      Tunnel protection via IPSec (profile "CiscoCP_Profile1")
      Last input 00:00:01, output never, output hang never
      Last clearing of "show interface" counters never
      Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 947
      Queueing strategy: fifo
      Output queue: 0/0 (size/max)
      5 minute input rate 0 bits/sec, 0 packets/sec
      5 minute output rate 0 bits/sec, 0 packets/sec
         880 packets input, 63000 bytes, 0 no buffer
         Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
         910 packets output, 81315 bytes, 0 underruns
         0 output errors, 0 collisions, 0 interface resets
         0 unknown protocol drops
         0 output buffer failures, 0 output buffers swapped out

    Please go ahead and add a static route on the hub so that it goes through the wireless link, and let me know if everything works correctly.

    Federico.

  • DMVPN (NAT?) solution with spokes on the same subnets

    Hi all

    I have a large number of remote networks spread all over the world. Currently, they are all individual islands with no connectivity to anywhere else.

    What I would like to do is connect them all back to Headquarters over the internet so I can access them remotely. The internet service I get at the sites will be different and unknown, for example some directly on the internet, some behind NAT.

    So I think the solution to this is DMVPN.

    But my problem is that all the remote locations have the same internal subnet. So how can I make sure that they are all connected and the remote devices are all reachable at the same time?

    I wonder if I can configure NAT on the spoke router so that each device has a static NAT where the NATted IP is unique. I labbed this in GNS3 and it seems to work. However the problem is that there are hundreds of devices on each site, which means a large number of NAT entries.

    I was wondering if it is possible to do a full 1:1 NAT specifying a network to a network. For example, something like NAT 192.168.20.0/24 to 10.0.1.0/24, so that trying to access 192.168.20.5 in fact connects to 10.0.1.5.

    Has anyone ever got something like this working?

    Is there a good solution?

    Thank you, Simon

    It is possible, but (assuming they already use NAT for Internet access) you'll need to define things very carefully to avoid interfering with what they have.

    Doing a complete subnet translation is easy and is a one-liner:

    ip nat inside source static network 10.0.0.0 192.168.0.0 /24

    The problem is that this will replace all existing NAT for this subnet, depending on the existing NAT configuration.

    Can you provide an example of how the current NAT is set up for one of these sites?

  • DMVPN BGP and EIGRP

    I am in the initial phase of researching DMVPN. We currently have an MPLS network running BGP. Each site has Internet as well, and a site-to-site VPN built on the router talks to an ASA when the MPLS fails.

    I want to implement DMVPN to do away with the site-to-site VPN and the ASA. I'm going to run EIGRP on the routers to connect the DMVPN. Are there any good whitepapers on BGP as the main path and EIGRP over the DMVPN as a backup? Or any pointers on a general config?

    Thank you

    That's really the main issue.

    With your configuration, DMVPN routes will be internal EIGRP with an administrative distance of 90, so by default your DC will prefer DMVPN over MPLS, which is exactly what you don't want.

    There are several ways around this, such as summarizing over the DMVPN, redistributing connected at the branch sites into EIGRP so the DMVPN routes are external as well, and then changing metrics, etc.

    The other alternative, which I have never done myself, so it's just for your information, is that Cisco has what is called the IWAN solution, where DMVPN is run everywhere, that is, even over the MPLS network.

    That would solve your problem of internal vs. external EIGRP routes, but IWAN is much more than just that, even if you don't necessarily need to implement the entire solution at once.

    I just thought it should be mentioned, and if you want more information on this I can point you to the design guide.

    Jon

  • DMVPN - PSK to RSA-Sig auth move

    Hi all

    I'm moving a lab DMVPN config from PSK to the use of certificates.

    Installed root CA + certificates without problem.

    I imagined it would be just a case of creating a different ISAKMP policy on the hub and spokes and gradually introducing spokes, but I am receiving an error on the hub: "IKE message from x.x.x.x failed its sanity check or is malformed".

    The problem disappears if I remove the ISAKMP policy on the hub; it returns to the original PSK policy. I checked that the policies match a million times and the certificates are installed properly.

    I have included some of the config below. Policy 10 works very well.

    Any help appreciated. Thank you

    -Hub-
    crypto isakmp policy 5
     encr aes
     hash md5
    !
    crypto isakmp policy 10
     hash md5
     authentication pre-share
    crypto isakmp key xxxxxxxxxxxxxxxxxx address 0.0.0.0
    !
    crypto ipsec transform-set main esp-3des esp-md5-hmac
     mode tunnel
    !
    crypto ipsec profile ProfileName
     set security-association lifetime seconds 900
     set transform-set main
    !
    interface Tunnel0
     bandwidth 20480
     ip address x.x.x.x 255.255.255.0
     no ip redirects
     ip mtu 1400
     ip nbar protocol-discovery
     ip flow ingress
     ip nat inside
     ip nhrp authentication Auth
     ip nhrp map multicast dynamic
     ip nhrp network-id ID
     ip virtual-reassembly in
     no ip split-horizon
     ip tcp adjust-mss 1300
     cdp enable
     tunnel source Dialer
     tunnel mode gre multipoint
     tunnel key X
     tunnel protection ipsec profile ProfileName

    -Spoke-
    crypto isakmp policy 5
     encr aes
     hash md5
    !
    crypto isakmp policy 10
     hash md5
     authentication pre-share
    crypto isakmp key xxxxxxxxxxx address 0.0.0.0
    !
    crypto ipsec transform-set main esp-3des esp-md5-hmac
     mode tunnel
    !
    crypto ipsec profile IProfile
     set security-association lifetime seconds 900
     set transform-set main
    !
    interface Tunnel0
     ip address x.x.x.x 255.255.255.0
     no ip redirects
     ip mtu 1400
     ip nat inside
     ip nhrp authentication Auth
     ip nhrp map multicast dynamic
     ip nhrp map x.x.x.x x.x.x.x
     ip nhrp map multicast x.x.x.x
     ip nhrp network-id X
     ip nhrp nhs x.x.x.x
     ip virtual-reassembly in
     no ip split-horizon
     ip tcp adjust-mss 1300
     tunnel source Dialer
     tunnel mode gre multipoint
     tunnel key X
     tunnel protection ipsec profile IProfile

    Your certificates seem to be fine. Time is very important. Along with service timestamps log datetime, is your clock NTP synced?

    When everything is set up correctly in your view, I would be very interested to get all the debugs.

    This issue you have is based on the key or certificate not authenticating together; it could be MTU, it could be something else.

    Would you mind providing all the debugs and perhaps a Wireshark trace to see what is happening? Debug isakmp, ipsec and certificates as well.

    Thank you

  • DMVPN PPPoE MTU

    Hello

    I have a problem with all the PPPoE spokes on my DMVPN network. The problem is the stability of the DMVPN tunnel. With all the PPPoE spokes, I have a problem.

    When I do a ping from the spoke to the hub like this:

    ping [hub dest IP] source [local tunnel IP], I have only 50% success.

    In the spoke log I have this message:

    %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor X.X.X.X (Tunnel2) is down: Peer Termination received

    I'm sure it has to do with the MTU setting. I tried to play with ip mtu and ip tcp adjust-mss only on int Tunnel2 on the spoke. Without success.

    But is it normal that if on int Dialer1 I set the MTU to 1492, when I do a sh int Dialer1 the MTU is 1500?

    I don't know what the right recipe is in this case, when I have several PPPoE spokes but not all of them with the hub. Do I have to create another DMVPN just for the PPPoE spokes? If yes, what parameters do I need for PPPoE with DMVPN? Do I have to adjust the MTU on the tunnel port? On both sides, hub and spoke? Etc...

    Because if I use GRE with VPN over a link where PPPoE is installed, I no longer have a problem. For code and maintenance simplicity, I prefer to use DMVPN for sure. So, if it is possible to set it up, it will be nice.

    Thank you

    MTU must be set on the tunnel interface for the hubs and spokes.

    If you want to save bytes, you can even use transport mode instead of tunnel mode.

    Thank you

    PS: Please do not forget to rate and mark as correct answer if this solves your problem

  • DMVPN basics

    Hello

    I was wondering if someone could shed some light as to where I might have a problem with my DMVPN config.

    I have a very basic setup with no NAT configuration in a lab environment and can't seem to get the VPN tunnels up. R1 is the hub and R2 is the spoke.

    Find attached a copy of the configs of the two routers as well as a debug crypto isakmp.

    Any guidance would be appreciated

    Thanks in advance

    Hello

    You have bound your tunnel interface to FastEthernet0/1, while it seems to me that it is FastEthernet0/0 which must be used as the VPN network head-end.

    You must also remove your route to the 10.0.0.0/24 network via Fas0/1.

    Did this help? If so, please rate it.

  • Problem with the IOS certificate server not updating the CRL

    Hi all

    The background is that I'm putting together a DMVPN solution with IPsec tunnels between the spokes, built using certificates.

    I use a Cisco 877 (running 12.4(6)T5) as the CA server to provide certificates for the spoke routers. This part works very well - spokes can request a certificate and get one fine.

    The problem is on the CA: the CRL lifetime is set to 24 hours, but the CA is not updating the CRL, so when the spokes check the CRL (as defined in their trustpoint) they hit an error that the CRL is out of date and do not connect.

    If I do a 'sh crypto pki server' it lists a 'CRL NextUpdate timer'. It has a timestamp that is 24 hours after the last certificate was revoked. The only way I can get the CRL to be rebuilt is to revoke a certificate.

    So, my question is, am I missing something here? I thought that it would automatically generate a new CRL file every 24 hours.

    Can anyone help?

    Thank you.

    Hey Marc (?)

    This seems to correspond to this bug:

    CSCsy95838    IOS CA: CRL not updated, update timer not started

    However, it does not mention if 12.4(6)T5 is affected, only that it was found in 12.4(15)T3 and resolved in 12.4(15)T10 and other more recent versions.

    I suggest trying the latest 12.4(15)Tx, 15.0(1)Mx or 15.1(4)Mx version if you can.

    I assume that you are aware of it, but just in case: as a workaround, you can disable CRL checking on all DMVPN routers; of course they will then still allow connections from routers with a revoked certificate.

    As a (temporary?) substitute for a revocation list, you can use a 'certificate ACL' with which you can create a kind of 'manual local CRL':

      crypto pki certificate map certACL 10
       serial-number ne
       serial-number ne
       etc.

      crypto pki trustpoint myTP
       match certificate certACL

    (note the "ne" stands for "not equal", so you are permitting any certificate whose serial number is not listed)

    Of course, you would have to configure (and maintain!) this on each participating router in the DMVPN, so it's heavy, but I guess, depending on how often you revoke certs, it might be an option.

    HTH

    Herbert

    --

    If this post answered your question, please click the "Correct Answer" button.
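    As an added illustration (not code from the thread or from Cisco), a small evaluator for the 'manual local CRL' workaround in the reply above: it parses the crypto pki certificate map block with its serial-number rules and applies them, alongside the NextUpdate freshness check that was failing on the spokes. The serial numbers and timestamps are constructed sample values, and only serial-number rules are modelled.

```python
# Added example (not from the thread): a small evaluator for the "local CRL"
# workaround, parsing 'crypto pki certificate map' blocks with serial-number
# rules, plus the NextUpdate freshness check that was failing on the spokes.
# Serial numbers and timestamps are constructed sample values.
from datetime import datetime, timezone

def parse_certificate_maps(config_text):
    """Return {map_name: [(field, operator, value), ...]} from IOS-style text.
    Only 'serial-number <eq|ne> <value>' rules are understood here."""
    maps, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("crypto pki certificate map "):
            name = line.split()[4]
            current = maps.setdefault(name, [])
        elif current is not None and line.startswith("serial-number "):
            _, op, value = line.split(maxsplit=2)
            current.append(("serial-number", op, value.lower()))
        elif not line or line == "!" or line.startswith("crypto "):
            current = None  # any other top-level line ends the map block
    return maps

def map_permits(rules, serial):
    """Every rule must hold; 'ne' rejects a listed serial, 'eq' requires it."""
    serial = serial.lower()
    for _field, op, value in rules:
        if (op == "ne" and serial == value) or (op == "eq" and serial != value):
            return False
    return True

def crl_is_usable(next_update, now):
    """A CRL whose NextUpdate has passed is stale; IOS will not accept it,
    which is why the spokes in the thread refused to connect."""
    return now < next_update

# Constructed sample config in the shape of the reply's certificate ACL.
SAMPLE_CONFIG = """
crypto pki certificate map certACL 10
 serial-number ne 1A2B3C
 serial-number ne 4D5E6F
!
crypto pki trustpoint myTP
 match certificate certACL
"""

if __name__ == "__main__":
    rules = parse_certificate_maps(SAMPLE_CONFIG)["certACL"]
    print(map_permits(rules, "0A0B0C"), map_permits(rules, "1a2b3c"))  # True False
```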

  • DMVPN + isakmp profile + CA

    I'm trying to use an "isakmp profile" with a DMVPN configuration so that we can have RADIUS accounting (which I think has to be done with an isakmp profile). I can get it working using pre-shared keys, but I can't make it work using certificates, which I need.

    The spoke seems to be fine (it goes to IKE_P1_COMPLETE and I see no problem in the debugs). It is only at the hub, where the isakmp profile is set up, that we get "%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 5.0.0.20".

    Both devices are definitely authenticated and enrolled with the certificate authority.

    I have attached what, in my view, are the relevant configs of the hub and spoke and the debugs from the hub (edited to remove identifying information).

    Any help appreciated,

    Ray

    Looks like your router is unable to find an ISAKMP profile matching the peer. You could try to create a certificate map which refers to the OU of the cert to indicate to the router which IKE profile to use. You can do this in one of the following ways:

    1. Create a certificate map using the command "crypto pki certificate map". In this command, specify a matching criterion (such as "subject-name co OU = mgmt"). Then, under your IKE profile, use "match certificate".

    2. Under your IKE profile, simply change the command "match identity address 0.0.0.0" to "match identity group Mgmt".

    Either way, I think that will solve your problem. In addition, it is not in your config file, but you can also change your trustpoint config to specify that the keys are for IKE use only ("usage ike") and which key pair to use ("rsakeypair").

    HTH,

    Aaron
