Config required for DMVPN with HSRP in PLACE

Unanswered Question
Nov 24th, 2007

Dear All,

I am now working in a setup below

Central Site
------------

2-7206VXR routers for redundancy. Connectivity is as follows:

2-7206 each have redundancy to 2-6506 switch and these two switches have redundancy to 2 WAN routers. Simply, the setup is as follows.

7206 \/ 6506 \/ Wan ROUTer----ISP
7206 /\ 6506 /\ Wan Router----ISP

Spoke site
----------

More than 500 sites; through MPLS it is connecting to the hub (1841 routers).

All spoke location routers are IPsec-enabled IOS.

My requirement
---------------

I am in need of configuring DMVPN in the central site so that there is no need for me to add any configuration in the central site if any new spoke locations come up. I have gone through many documents on the Cisco site for the same and I have configured the same.

But to my surprise nothing is working (i.e. the packets are not getting encrypted and so on...) and how to sync the HSRP and IPsec.

I am not confident which ip must

Sample IP configuration
-----------------------

HSRP IP for 7206VXR is 172.21.30.5

WAN router IP 192.168.1.2 (as of now one WAN router is active)

I need configuration for both central site and the branches (i.e. it is tested in the live environment and it is working fine). I am not sure what must be the IP address to give in the ISAKMP key exchange (i.e. whether WAN or 7206 router's) in spoke locations.

I am running short of time, help me if you can

Regards,

Arun

tstanik Thu, 11/29/2007 - 14:24

DMVPN and HSRP are not designed to work together. When using pure IPsec with two hubs where you need redundancy, you have to combine this with a mechanism like HSRP. This is because we cannot run a dynamic routing protocol through the pure IPsec tunnels to help out with forwarding traffic. So the Stateful IPsec feature was added to specifically have IPsec work with HSRP and keep the IPsec and ISAKMP SA databases synchronized between the two HSRP routers. Therefore HSRP can switch the encrypted traffic between the two HSRP routers as necessary without too much loss of traffic.

DMVPN uses an active/active redundancy model where we build at least two spoke-hub tunnels, one to each DMVPN hub, from the DMVPN spoke. These tunnels come up immediately and stay up all of the time. With the DMVPN active/active redundancy model we didn't need Stateful IPsec nor a protocol to transfer NHRP mapping information between hub routers, since the hub routers would have their own independent IPsec and NHRP database information. Because of this, DMVPN is not designed to work with HSRP.

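The active/active model described in the reply above, written out as Cisco IOS configuration. This is an added example, not configuration from the original thread or from Cisco documentation. All addresses, interface names, the key string and the EIGRP process number are constructed placeholders, and the single mGRE interface with two next-hop servers is one assumed way to build the two spoke-hub tunnels.

```cisco
! Constructed placeholders: hub tunnel source (NBMA) addresses 192.0.2.1 and
! 192.0.2.2, tunnel subnet 10.255.0.0/24, key EXAMPLE-PSK, EIGRP AS 100.
!
! ---- Common to hubs and spokes ----
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 14
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
! ---- Each hub (hub 1 shown; hub 2 uses 10.255.0.2), no HSRP address ----
! Wildcard key: any peer holding it can authenticate, so a new spoke needs
! no hub change. Certificate authentication avoids the shared secret.
crypto isakmp key EXAMPLE-PSK address 0.0.0.0 0.0.0.0
interface Tunnel0
 ip address 10.255.0.1 255.255.255.0
 ip nhrp network-id 100
 ip nhrp map multicast dynamic
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN-PROF
!
! ---- Each spoke ----
! One key entry per hub, against that hub's own tunnel source address.
crypto isakmp key EXAMPLE-PSK address 192.0.2.1
crypto isakmp key EXAMPLE-PSK address 192.0.2.2
interface Tunnel0
 ip address 10.255.0.11 255.255.255.0
 ip nhrp network-id 100
 ! Static NHRP mapping and registration to hub 1 ...
 ip nhrp map 10.255.0.1 192.0.2.1
 ip nhrp map multicast 192.0.2.1
 ip nhrp nhs 10.255.0.1
 ! ... and independently to hub 2; both tunnels stay up at the same time.
 ip nhrp map 10.255.0.2 192.0.2.2
 ip nhrp map multicast 192.0.2.2
 ip nhrp nhs 10.255.0.2
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN-PROF
!
! Routing protocol over the tunnels picks the surviving hub on failure.
router eigrp 100
 network 10.255.0.0 0.0.0.255
```

After the tunnels are up, `show crypto isakmp sa` and `show ip nhrp` on a spoke should list one entry per hub.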