Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
491
Views
0
Helpful
4
Replies

Can DMVPN NHS act as hub for two different networks?

jpecek
Level 1
Level 1

‎03-17-2008 08:46 AM - edited ‎03-09-2019 08:19 PM

I have an NHS in the US and another NHS in Europe (both using the same network ID, unfortunatley). Different DSL sites connect to different hubs depending on their location. Most of these sites are using the DMVPN as a backup, but there are a handfull of sites that are using the DMVPN over DSL as there primary. For these sites, which are all connected to the NHS in the US, I would like to configure a second tunnel to the hub in Europe for redundancy. Since the NHS in Europe uses the same network-id as the the DMVPN in the US, I need to create a second VPN. Is it possible to use the same router as the hub for both DMVPN networks? it seems I am able to get Phase 1 to come up, but I am not able to get Phase 2 and IPSec to come up. Are there any other caveats to this solution that you can think of?

Labels:
0 Helpful
4 Replies 4

cleidh_mor
Level 1
Level 1

‎03-18-2008 05:40 AM

I can't think of any specific caveats for a solution like this. I assume you're using different subnets and tunnel interfaces? The main thing to look out for is going to be routing issues.

What's the ipsec debug output saying? That might give a pointer as to why phase 2 is failing.

HTH

0 Helpful

jpecek
Level 1
Level 1
In response to cleidh_mor

‎03-18-2008 07:48 AM

Attached are the outputs of 'debug cry isa' and debug cry ipsec' on both the Hub and Spoke

Preview file
8 KB
0 Helpful

cleidh_mor
Level 1
Level 1
In response to jpecek

‎03-18-2008 08:31 AM

Mar 18 15:36:57.299 CET: ISAKMP:(0:670:HW:2): IPSec policy invalidated proposal

Mar 18 15:36:57.299 CET: ISAKMP:(0:670:HW:2): phase 2 SA policy not acceptable! (local 194.151.75.195 remote 206.186.69.250)

This indicates that there is some mis-match in the settings at either end. Check that all your settings match.

0 Helpful

jpecek
Level 1
Level 1
In response to cleidh_mor

‎03-18-2008 10:10 AM

That's what it seems like, but from what I can see everything should match. That's what led me to question whether or not both VPNs could use the same transform sets and isakmp poicies. I added a second transform set and policy just in case, but that didn't seem to help much. I attached a scrubbed copy of the configs so you can see what I'm talking about. The keys have been changed to protect the innocent...

Preview file
4 KB
0 Helpful
Customers Also Viewed These Support Documents