DMVPN

Answered Question
Mar 1st, 2009

Hi


I am trying to configure DMVPN but my tunnel IPs can't ping each other. I have connected two routers, more like a hub and spoke network, but I only have one connected at this stage for testing purposes.

Please check why my routers can't ping my device. Below are my configs:

1st problem

I can't configure the tunnel destination on the hub.


HUB


DUT(config-if)#tunnel destination 172.16.0.1
The tunnel destination can not be configured under the existing mode

crypto isakmp policy 10
 encr aes 256
 hash md5
 authentication pre-share
crypto isakmp key 6 cisco123 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set dirkstrong esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile DMVPN
 set transform-set ESP-AES256-SHA
!
crypto ipsec profile strongdirk
 set security-association lifetime seconds 120
 set transform-set dirkstrong
!
crypto ipsec profile test
!
interface Tunnel0
 bandwidth 1000
 ip address 172.16.0.2 255.255.0.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication cisco
 ip nhrp map multicast dynamic
 ip nhrp map 172.16.0.4 10.0.44.1
 ip nhrp network-id 1000
 ip nhrp holdtime 360
 ip nhrp nhs 172.16.0.4
 ip tcp adjust-mss 1360
 tunnel source 1.1.1.1
 tunnel mode gre multipoint
 tunnel key 12345
 tunnel protection ipsec profile DMVPN


Spoke


crypto isakmp policy 10
 encr aes 256
 authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile DMVPN
 set transform-set ESP-AES256-SHA
!
interface Tunnel0
 bandwidth 1000
 ip address 172.16.0.4 255.255.0.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication cisco
 ip nhrp map multicast dynamic
 ip nhrp network-id 1000
 ip nhrp holdtime 360
 ip tcp adjust-mss 1360
 tunnel source Loopback0
 tunnel mode gre multipoint
 tunnel key 12345
 tunnel protection ipsec profile DMVPN shared
!

Leo Laohoo Sun, 03/01/2009 - 16:47

What is your IOS version and feature set?

Correct Answer
Leo Laohoo Sun, 03/01/2009 - 20:41

Dynamic Multipoint VPN (DMVPN) feature allows users to better scale large and small IPSec VPNs by combining generic routing encapsulation (GRE) tunnels, IPSec encryption, and Next Hop Resolution Protocol (NHRP) to provide users with easy configuration through crypto profiles, which override the requirement for defining static crypto maps, and dynamic discovery of tunnel endpoints.


Configuring Dynamic Multipoint VPN (DMVPN) using GRE over IPSec between Multiple Routers

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008014bcd7.shtml

Giuseppe Larosa Mon, 03/02/2009 - 03:21

Hello Lawrence,


DUT(config-if)#tunnel destination 172.16.0.1
The tunnel destination can not be configured under the existing mode

The tunnel destination command applies only to normal point-to-point GRE tunnels; here you are using a point-to-multipoint GRE tunnel (mGRE).

Second note:

The hub should also be the NHRP server; your HUB configuration points to the spoke, unless what you call spoke is your hub.


Hope to help

Giuseppe


jazou Sun, 06/26/2011 - 16:56

Hi

For DMVPN, there is no need to configure a tunnel destination on the hub site. That's because the hub is using an mGRE tunnel, which is a multipoint tunnel.

The hub must be an mGRE tunnel, and spokes can be mGRE or GRE tunnels.

And also remember, your hub site should be configured as the NHRP server. The NHRP configuration should be (for example):

HUB:

interface tunnel 0
 ip nhrp authentication ***
 ip nhrp map multicast dynamic
 ip nhrp network-id 100000
 ip nhrp holdtime 360

SPOKE:

interface tunnel 0
 ip nhrp authentication ***
 ip nhrp map [hub tunnel ip] [hub physical ip]
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip nhrp nhs [hub tunnel ip]

For more information, you can go to:

www.cisco.com/go/dmvpn

or you could refer to the configuration guide above.
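
Added example (not part of any post in this thread, and not Cisco code): a small Python check that applies the two points made in the replies above, that tunnel destination does not belong on an mGRE tunnel and that the hub is the NHRP server while each spoke carries a static map and an NHS entry for the hub. The function name audit_tunnel and its role argument are assumptions of this example; the sample stanzas are the NHRP and tunnel lines copied from the question's configs.

```python
import re

# Constructed sample input: the NHRP/tunnel lines of the two Tunnel0 stanzas posted in the question.
HUB = """interface Tunnel0
 ip nhrp map multicast dynamic
 ip nhrp map 172.16.0.4 10.0.44.1
 ip nhrp network-id 1000
 ip nhrp nhs 172.16.0.4
 tunnel source 1.1.1.1
 tunnel mode gre multipoint
"""
SPOKE = """interface Tunnel0
 ip nhrp map multicast dynamic
 ip nhrp network-id 1000
 tunnel source Loopback0
 tunnel mode gre multipoint
"""

def audit_tunnel(config, role):
    """Return findings for one tunnel stanza; role ('hub' or 'spoke') is supplied by the caller."""
    lines = [ln.strip() for ln in config.splitlines()]
    nhs = [ln.split()[3] for ln in lines if ln.startswith("ip nhrp nhs ")]
    # Static mappings only: "ip nhrp map <tunnel ip> <physical ip>" (not "map multicast ...").
    maps = dict(m.groups() for ln in lines
                if (m := re.fullmatch(r"ip nhrp map (\d\S*) (\S+)", ln)))
    mgre = "tunnel mode gre multipoint" in lines
    findings = []
    if mgre and any(ln.startswith("tunnel destination ") for ln in lines):
        findings.append("tunnel destination cannot be set on an mGRE tunnel")
    if role == "hub":
        if not mgre:
            findings.append("hub tunnel must be mGRE")
        if nhs:
            findings.append(f"hub points at NHS {nhs[0]}; the hub should be the NHRP server")
    else:
        if not nhs:
            findings.append("spoke has no 'ip nhrp nhs [hub tunnel ip]'")
        if not maps:
            findings.append("spoke has no 'ip nhrp map [hub tunnel ip] [hub physical ip]'")
        findings += [f"NHS {ip} has no static ip nhrp map entry" for ip in nhs if ip not in maps]
    return findings

if __name__ == "__main__":
    for role, cfg in (("hub", HUB), ("spoke", SPOKE)):
        for finding in audit_tunnel(cfg, role):
            print(f"{role}: {finding}")
```

Run against the question's configs, it reports the hub's NHS entry and the spoke's missing map and NHS lines.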

josem_155 Thu, 09/19/2013 - 08:35

Hi,

I have a customer who wants to deploy Metro-E among all sites. But when I looked at what he wants, I saw he wants to deploy DMVPN over that Metro-E as well. My question is: is this OK? I mean, Metro-E is not secured already? What should he deploy DMVPN on that metro connection for?

I have read a lot of papers and I saw that DMVPN is good to deploy to secure connections over the internet, as backup, or over an MPLS VPN (also GETVPN), so I'm confused by this.


Regards

Joseph W. Doherty Thu, 09/19/2013 - 11:07

Suggest you post as an independent question.

johnlloyd_13 Thu, 09/19/2013 - 18:38

Hi,

I've replied to your other post. Kindly avoid duplicate posts or create your own thread next time.
