DMVPN

mailaglady2
Level 1

Hi

I am trying to configure DMVPN but my tunnel IPs can't ping each other. I have connected two routers, more like a hub-and-spoke network, but I only have one connected at this stage for testing purposes.

Please check why my routers can't ping my device; below are my configs:

1st problem

I can't configure the tunnel destination on the hub.

HUB

DUT(config-if)#tunnel destination 172.16.0.1

The tunnel destination can not be configured under the existing mode

crypto isakmp policy 10

encr aes 256

hash md5

authentication pre-share

crypto isakmp key 6 cisco123 address 0.0.0.0 0.0.0.0

!

!

crypto ipsec transform-set dirkstrong esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac

mode transport

!

crypto ipsec profile DMVPN

set transform-set ESP-AES256-SHA

!

crypto ipsec profile strongdirk

set security-association lifetime seconds 120

set transform-set dirkstrong

!

crypto ipsec profile test

!

interface Tunnel0

bandwidth 1000

ip address 172.16.0.2 255.255.0.0

no ip redirects

ip mtu 1400

ip nhrp authentication cisco

ip nhrp map multicast dynamic

ip nhrp map 172.16.0.4 10.0.44.1

ip nhrp network-id 1000

ip nhrp holdtime 360

ip nhrp nhs 172.16.0.4

ip tcp adjust-mss 1360

tunnel source 1.1.1.1

tunnel mode gre multipoint

tunnel key 12345

tunnel protection ipsec profile DMVPN

Spoke

crypto isakmp policy 10

encr aes 256

authentication pre-share

crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0

!

!

crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac

mode transport

!

crypto ipsec profile DMVPN

set transform-set ESP-AES256-SHA

!

interface Tunnel0

bandwidth 1000

ip address 172.16.0.4 255.255.0.0

no ip redirects

ip mtu 1400

ip nhrp authentication cisco

ip nhrp map multicast dynamic

ip nhrp network-id 1000

ip nhrp holdtime 360

ip tcp adjust-mss 1360

tunnel source Loopback0

tunnel mode gre multipoint

tunnel key 12345

tunnel protection ipsec profile DMVPN shared

!

Accepted Solutions

Dynamic Multipoint VPN (DMVPN) feature allows users to better scale large and small IPSec VPNs by combining generic routing encapsulation (GRE) tunnels, IPSec encryption, and Next Hop Resolution Protocol (NHRP) to provide users with easy configuration through crypto profiles, which override the requirement for defining static crypto maps, and dynamic discovery of tunnel endpoints.

Configuring Dynamic Multipoint VPN (DMVPN) using GRE over IPSec between Multiple Routers

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008014bcd7.shtml

Leo Laohoo
Hall of Fame

What is your IOS version and feature set?

What is DMVPN?

Dynamic Multipoint VPN (DMVPN) feature allows users to better scale large and small IPSec VPNs by combining generic routing encapsulation (GRE) tunnels, IPSec encryption, and Next Hop Resolution Protocol (NHRP) to provide users with easy configuration through crypto profiles, which override the requirement for defining static crypto maps, and dynamic discovery of tunnel endpoints.

Configuring Dynamic Multipoint VPN (DMVPN) using GRE over IPSec between Multiple Routers

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008014bcd7.shtml

Version 12.4(21), SP service

Giuseppe Larosa
Hall of Fame

Hello Lawrence,

DUT(config-if)#tunnel destination 172.16.0.1

The tunnel destination can not be configured under the existing mode

The tunnel destination command applies only to normal point-to-point GRE tunnels; here you are using a point-to-multipoint GRE tunnel (mGRE).

Second note:

The hub should also be the NHRP server; your HUB configuration points to the spoke, unless what you call the spoke is your hub.

Hope to help

Giuseppe

jazou
Level 1

Hi

For DMVPN, there is no need to configure a tunnel destination on the hub site. That's because the hub is using an mGRE tunnel, which is a multipoint tunnel.

The hub must be an mGRE tunnel, and spokes can be mGRE or GRE tunnels.

And also remember, your hub site should be configured as the NHRP server; the NHRP configuration should be (for example):

HUB:

interface tunnel 0

ip nhrp authentication ***

ip nhrp map multicast dynamic

ip nhrp network-id 100000

ip nhrp holdtime 360

SPOKE:

interface tunnel 0

ip nhrp authentication ***

ip nhrp map [hub tunnel ip] [hub physical ip]

ip nhrp network-id 100000

ip nhrp holdtime 360

ip nhrp nhs [hub tunnel ip]

For more information, you can go to:

www.cisco.com/go/dmvpn

or you could refer to the configuration guide above.
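
The role checks described in the two replies above, as an added example that is not part of the original thread: a Python script that reads the Tunnel0 lines from the question and reports where the hub and spoke NHRP roles are reversed. The function names and finding codes are hypothetical, and the configs are a constructed excerpt of the posted ones.

```python
# Constructed sample: the Tunnel0 stanzas from the question, trimmed to the
# lines the replies discuss (addressing, NHRP role, tunnel mode).
HUB_CFG = """interface Tunnel0
 ip address 172.16.0.2 255.255.0.0
 ip nhrp map multicast dynamic
 ip nhrp map 172.16.0.4 10.0.44.1
 ip nhrp nhs 172.16.0.4
 tunnel mode gre multipoint
"""
SPOKE_CFG = """interface Tunnel0
 ip address 172.16.0.4 255.255.0.0
 ip nhrp map multicast dynamic
 tunnel mode gre multipoint
"""

def parse_tunnel(cfg):
    """Collect tunnel IP, NHS list, static NHRP maps, mGRE flag, destination."""
    t = {"ip": None, "nhs": [], "maps": {}, "mgre": False, "dest": None}
    for line in cfg.splitlines():
        w = line.split()
        if w[:2] == ["ip", "address"] and len(w) > 2:
            t["ip"] = w[2]
        elif w[:3] == ["ip", "nhrp", "nhs"] and len(w) > 3:
            t["nhs"].append(w[3])
        elif w[:3] == ["ip", "nhrp", "map"] and len(w) == 5 and w[3] != "multicast":
            t["maps"][w[3]] = w[4]          # tunnel IP -> physical (NBMA) IP
        elif w == ["tunnel", "mode", "gre", "multipoint"]:
            t["mgre"] = True
        elif w[:2] == ["tunnel", "destination"] and len(w) > 2:
            t["dest"] = w[2]
    return t

def check_roles(hub, spoke):
    """Return finding codes (hypothetical names) for the issues the replies raise."""
    findings = []
    if not hub["mgre"]:
        findings.append("HUB_NOT_MGRE")               # hub must be mGRE
    elif hub["dest"]:
        findings.append("HUB_MGRE_WITH_DESTINATION")  # rejected in mGRE mode
    if hub["nhs"]:                                    # hub is the NHRP server,
        findings.append("HUB_POINTS_TO_NHS")          # it should not name an NHS
    if hub["ip"] not in spoke["nhs"]:
        findings.append("SPOKE_NHS_NOT_HUB")          # spoke needs nhs = hub tunnel IP
    if hub["ip"] not in spoke["maps"]:
        findings.append("SPOKE_NO_MAP_FOR_HUB")       # spoke needs static map to hub
    return findings

if __name__ == "__main__":
    print(check_roles(parse_tunnel(HUB_CFG), parse_tunnel(SPOKE_CFG)))
```
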

josem_155
Level 1

Hi,

I have a customer who wants to deploy a Metro-E among all sites. But when I saw what he wants, I saw he wants to deploy DMVPN over that Metro-E as well. My question is: is this OK? I mean, is Metro-E not secured already? What should he deploy DMVPN on that Metro connection for?

I have read a lot of papers and I saw that DMVPN is good to deploy to secure connections over the Internet, as backup, or over an MPLS VPN (also GETVPN), so I'm confused by this.

Regards

Suggest you post as an independent question.

Hi,

I've replied to your other post. Kindly avoid duplicate posts, or create your own thread next time.

rajaabir525
Level 1

Problem has been solved; please check the DOC file attached with this.
