07-31-2008 05:51 AM - edited 02-21-2020 03:52 PM
Why is it not possible to configure tunnel protection on a Router configured to do both DMVPN and GRE VPN using a WAN Interface as Tunnel Source for both DMVPN and GRE VPN Tunnels?
07-31-2008 06:44 PM
Who told you it's not possible?
Regards
Farrukh
07-31-2008 10:00 PM
Hello Farrukh,
I'm glad that you said it's possible!
I would appreciate if you could please provide me a configuration template for the scenario, thanks!
07-31-2008 11:11 PM
I believe you want the "shared" keyword on the tunnel protection statement. This allows IKE socket sharing so that the same public IP interface can source two tunnels...
See the attached config; it's for 2 tunnel interfaces off one public interface for DMVPN, but it should get you going...
In your topology the "shared" keyword goes on the tunnel, and a plain old regular crypto map would go on the public interface for the static VPN.
-Joe
08-01-2008 01:37 AM
Hello Joe, thanks for your input, but your configuration is for two DMVPN Tunnels and that's not our goal.
Our goal is to have One DMVPN Tunnel and One GRE VPN Peer to Peer Tunnel using same Physical Interface as Tunnel source for both Tunnels.
08-01-2008 04:32 AM
Could you explain the problem?
08-01-2008 05:07 AM
The "tunnel protection .... shared" command is enabled on the DMVPN Tunnel interface with tunnel source interface fa0/0, and the "CRYPTO MAP ...." command is configured on the physical interface fa0/0 for the GRE Static (IPSec) VPN.
Outcome: the Static IPSec Tunnel works fine, but a connection cannot be established over the DMVPN Tunnel.
08-01-2008 05:16 AM
use tunnel protection on both tunnels "GRE" and "DMVPN".
08-01-2008 05:22 AM
Please send me a configuration template, thanks!
08-01-2008 06:10 AM
Also, how can the DMVPN Tunnel be monitored (it's always UP)?
08-01-2008 06:19 AM
An easy way is to ping the spoke sites. Also usually you run a routing protocol over the tunnel (hence 'dynamic' in DMVPN). If the DMVPN would go down, the routing protocol adjacencies would go down. The latest IOS has also added a MIB for NHRP.
Regards
Farrukh
08-01-2008 05:19 AM
Have you seen this document? It's a little different than your scenario but should give you some useful hints.
http://www.cisco.com/application/pdf/paws/47541/dmvpn-ezvpn-isakmp.pdf
Regards
Farrukh
08-04-2008 09:45 AM
Farrukh,
I would appreciate if you could review the config below and share your view on whether both configs could be implemented on the same Router.
Thanks!
############################################# Part 1 #########################################
crypto isakmp policy 1
encr 3des
authentication pre-share
crypto isakmp key loRG!o82nanRvi3nt-ot address 0.0.0.0 0.0.0.0 no-xauth
!
!
crypto ipsec transform-set custcpe esp-3des esp-sha-hmac
mode transport
!
crypto ipsec profile vpncust
set transform-set custcpe
!
!
!
!
interface Loopback99
ip address 10.200.36.3 255.255.255.255
!
interface Tunnel0
description klhdeleir9_klh_0_mpgre
bandwidth 10240
ip address 10.210.37.1 255.255.255.0
ip mtu 1400
no ip next-hop-self eigrp 1
ip nhrp authentication vpncust
ip nhrp map multicast dynamic
ip nhrp network-id 100037
ip nhrp holdtime 600
ip tcp adjust-mss 1360
no ip split-horizon eigrp 1
no ip split-horizon eigrp 51
delay 500
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key 100037
tunnel protection ipsec profile vpncust shared
##################### Part 2 ################################################
crypto isakmp key wft5e4444wre45 address yy.yyy.yyy.yyy no-xauth
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set cm-set esp-3des esp-sha-hmac
mode transport
crypto map AHLMAP 1 ipsec-isakmp
description ahldeherr1_ahlatmadr1
set peer yy.yyy.yyy.yyy
set transform-set cm-set
set pfs group2
match address 101
interface Tunnel1
description ahldeherr1_ahlatmadr1
bandwidth 128
ip address 192.168.254.1 255.255.255.252
ip mtu 1400
no ip route-cache
ip tcp adjust-mss 1360
no ip mroute-cache
keepalive 10 3
tunnel source xx.xxx.xxx.xxx
tunnel destination yy.yyy.yyy.yyy
interface GigabitEthernet0/0
description ahldeherr1_wan
bandwidth 10240
ip address xx.xxx.xxx.xxx
no ip route-cache
no ip mroute-cache
duplex auto
speed auto
no cdp enable
crypto map AHLMAP
access-list 101 permit gre host xx.xxx.xxx.xxx host yy.yyy.yyy.yyy
08-04-2008 11:12 AM
use "tunnel key" for P2P tunnel (on both sides)
08-04-2008 09:53 AM
Farrukh, sorry for the typo in my last statement; what I mean is I would appreciate if you could review the proposed config and share your view on whether it is possible to implement both configs on the same Router. Thanks!
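The two fixes Farrukh suggests in this thread (tunnel protection with "shared" on both tunnels instead of a crypto map on the source interface, and a "tunnel key" on the P2P tunnel) can be checked mechanically. The script below is an added example, not code from the thread or from Cisco: a small IOS config linter run over a condensed copy of the posted Part 1/Part 2 config (placeholder addresses kept as the poster wrote them), reporting each tunnel that shares a source interface but lacks either setting, and any crypto map left on that shared source.

```python
from collections import defaultdict
# Constructed sample condensed from the two config parts posted above (placeholders kept).
SAMPLE = """
interface Tunnel0
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100037
 tunnel protection ipsec profile vpncust shared
interface Tunnel1
 tunnel source xx.xxx.xxx.xxx
interface GigabitEthernet0/0
 ip address xx.xxx.xxx.xxx
 crypto map AHLMAP
"""
def parse_interfaces(cfg):
    # Group sub-commands under their 'interface <name>' header.
    blocks, cur = {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = line.split(None, 1)[1]
            blocks[cur] = []
        elif cur and line and not line.startswith("!"):
            blocks[cur].append(line)
    return blocks
def resolve_source(src, blocks):
    # Map a 'tunnel source <ip>' (as on Tunnel1) to the interface that owns that address.
    for name, lines in blocks.items():
        if any(l.startswith("ip address ") and l.split()[2] == src for l in lines):
            return name
    return src  # already an interface name
def lint(cfg):
    """Flag tunnels sharing one source that still rely on a crypto map or lack a key."""
    blocks = parse_interfaces(cfg)
    by_src = defaultdict(list)
    for name, lines in blocks.items():
        src = [l.split()[2] for l in lines if l.startswith("tunnel source ")]
        if name.startswith("Tunnel") and src:
            by_src[resolve_source(src[0], blocks)].append(name)
    findings = []
    for src, tunnels in by_src.items():
        if len(tunnels) < 2:
            continue  # a lone tunnel can keep a crypto map on its source without conflict
        for t in tunnels:
            if not any(l.startswith("tunnel protection") and l.endswith(" shared") for l in blocks[t]):
                findings.append(f"{t}: shares {src} but lacks 'tunnel protection ... shared'")
            if not any(l.startswith("tunnel key") for l in blocks[t]):
                findings.append(f"{t}: shares {src} but has no 'tunnel key'")
        if any(l.startswith("crypto map") for l in blocks.get(src, [])):
            findings.append(f"{src}: 'crypto map' on the shared source competes with tunnel protection")
    return findings
```

On the posted config this reports three findings, all against Tunnel1 and GigabitEthernet0/0; once Tunnel1 gets its own "tunnel key" and "tunnel protection ipsec profile ... shared" and the crypto map is removed from the WAN interface, the list is empty.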