DMVPN Tunnel over a GRE tunnel

Unanswered Question
May 30th, 2009

Hi all,

Can I build a tunnel over a tunnel without any known limitation? Let's say Tunnel 100 is a DMVPN tunnel and Tunnel 1000 is a GRE tunnel between my site and the service provider. Will there be any limitation to running Tunnel 100 sourced out of Tunnel 1000?

I am doing so because a DMVPN tunnel terminated with IPsec does not support keepalives, so I want to run a GRE tunnel between me and the service provider to get the benefit of the keepalive. If anything goes wrong between me and the service provider, the GRE tunnel will go down and hence the DMVPN tunnel will be forced to go down as well.

Below are more illustrations:

interface Tunnel100
 ip address x.x.x.x 255.255.252.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication x.x.x.x
 ip nhrp map multicast dynamic
 ip nhrp map multicast x.x.x.x
 ip nhrp map x.x.x.x x.x.x.x
 ip nhrp network-id 100
 ip nhrp holdtime 300
 ip nhrp nhs x.x.x.x
 ip tcp adjust-mss 1360
 ip ospf message-digest-key 1 md5 7 x.x.x.x
 ip ospf network broadcast
 ip ospf cost 10
 ip ospf mtu-ignore
 tunnel source Tunnel1000
 tunnel mode gre multipoint
 tunnel key xxx
 tunnel protection ipsec profile xxxx
end

ROUTER#show run interface Tunnel1000
Building configuration...

Current configuration : 130 bytes
!
interface Tunnel1000
 ip unnumbered Ethernet0/0
 keepalive 10 3
 tunnel source Ethernet0/0
 tunnel destination x.x.x.x

Thanks

Ismail

Giuseppe Larosa Sat, 05/30/2009 - 13:22

Hello Ismail,

>> I am doing so because a DMVPN tunnel terminated with IPsec does not support keepalives.

DMVPN supports routing protocols on the virtual flat subnet provided by mGRE + NHRP.

I would suggest you use your favorite IGP, EIGRP or OSPF.

I don't think it is possible to have an mGRE tunnel be transported inside a point-to-point GRE tunnel over the same router.

for DMVPN solution design see:

http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/DMVPDG.html

Hope to help

Giuseppe

conceptzone Sun, 05/31/2009 - 00:14

Hi Giuseppe,

Thanks for your reply. Actually I am only sourcing the traffic out of the GRE tunnel, nothing more... I have tried it on Dynamips and it works! Remember Tunnel 1000 is only established between me and the service provider, not between me and the remote end (the branch).

So the mGRE DMVPN tunnel is Tunnel 100, and instead of being sourced out of the physical interface, it will be sourced out of an interface that is again established between me and the service provider.

Again, GRE tunnel keepalives are not supported in conjunction with the tunnel protection IPsec profile, so there will be no way to know what is going on unless I build the DMVPN tunnel over a GRE tunnel that supports keepalives.

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_tech_note09186a008048cffc.shtml

Ismail

Giuseppe Larosa Sun, 05/31/2009 - 02:17

Hello Ismail,

This is interesting.

However, I prefer to use a routing protocol inside the DMVPN to know if there are problems end to end.

I mean that if there are problems on the local link with the provider, the routing protocol adjacency also goes down.

This can give you some more info in case of failure.

If I understand correctly you want to be able to detect failures on the local link to the provider.

We use GRE keepalives on point-to-point end-to-end GRE tunnels inside IPsec, and this allows us to automatically switch traffic to a secondary GRE tunnel (because a floating static route uses it as the outgoing interface).

Hope to help

Giuseppe

rakesh.hegde Sun, 05/31/2009 - 09:41

Hi Ismail,

You will essentially be doing IPsec (DMVPN mGRE as the payload) over GRE. IPsec tunnel protection in a DMVPN setup uses the NHRP NBMA IP address as the tunnel endpoint. Depending on your topology, you may want to verify that the IPsec source and destination endpoints are actually using the point-to-point GRE IP addresses; otherwise you may end up routing IPsec packets natively.

I would still use an IGP to detect end-to-end reachability for DMVPN mGRE. You may also want to take a look at crypto isakmp keepalives.

-Rakesh
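The stacking Rakesh describes (mGRE with a tunnel key, then ESP from tunnel protection, then the outer point-to-point GRE of Tunnel1000) adds a second set of delivery headers that the `ip mtu 1400` / `ip tcp adjust-mss 1360` values in the original Tunnel100 config were not sized for. The calculator below is an added example written for this thread, not code from the original posts or from Cisco; it assumes IPv4 throughout, ESP with AES-CBC (16-byte IV) and HMAC-SHA1-96 (12-byte ICV), no NAT-T UDP header and no GRE checksum or sequence options, since the thread does not show the IPsec profile. The constants are the place to change if your transform set differs.

```python
"""Worked MTU check for a DMVPN (mGRE + IPsec) tunnel sourced from a
point-to-point GRE tunnel, as in the Tunnel100 / Tunnel1000 configs above.

Encapsulation order, innermost to outermost, for a packet sent out Tunnel100:
  1. GRE delivery header from Tunnel100 (20-byte IPv4 + GRE; 'tunnel key' adds 4 bytes)
  2. ESP from 'tunnel protection' (transport or tunnel mode)
  3. GRE delivery header from Tunnel1000 (20-byte IPv4 + 4-byte GRE, no key)
The result then leaves Ethernet0/0 towards the provider.

Assumptions (not stated in the thread): IPv4 everywhere, ESP with AES-CBC
(16-byte IV, 16-byte block) and HMAC-SHA1-96 (12-byte ICV), no NAT-T UDP
header, no GRE checksum/sequence options. Adjust the constants for other suites.
"""

IPV4_HDR = 20
GRE_BASE = 4          # flags/version + protocol type
GRE_KEY = 4           # present only when 'tunnel key' is configured
ESP_HDR = 8           # SPI + sequence number
ESP_IV = 16           # AES-CBC IV (assumed suite)
ESP_BLOCK = 16        # AES block size, padding granularity
ESP_TRAILER = 2       # pad length + next header
ESP_ICV = 12          # HMAC-SHA1-96 (assumed suite)


def _esp_size(plaintext_len: int) -> int:
    """Size of an ESP packet body: header, IV, padded payload, trailer, ICV."""
    padded = -(-(plaintext_len + ESP_TRAILER) // ESP_BLOCK) * ESP_BLOCK
    return ESP_HDR + ESP_IV + padded + ESP_ICV


def encapsulated_size(inner_len: int, nested: bool, mode: str = "transport") -> int:
    """Bytes on the wire for an inner IP packet of inner_len bytes.

    nested=False: Tunnel100 sourced from a physical interface (plain DMVPN).
    nested=True : Tunnel100 sourced from Tunnel1000, adding a second GRE layer.
    mode        : IPsec 'transport' (usual for DMVPN designs) or 'tunnel'.
    """
    if mode not in ("transport", "tunnel"):
        raise ValueError("mode must be 'transport' or 'tunnel'")
    gre_payload = GRE_BASE + GRE_KEY + inner_len          # Tunnel100 has 'tunnel key'
    if mode == "transport":
        # ESP protects GRE+inner; the Tunnel100 delivery IP header is reused.
        size = IPV4_HDR + _esp_size(gre_payload)
    else:
        # ESP protects the whole GRE/IP packet and prepends a new IP header.
        size = IPV4_HDR + _esp_size(IPV4_HDR + gre_payload)
    if nested:
        size += IPV4_HDR + GRE_BASE                      # Tunnel1000 has no 'tunnel key'
    return size


def max_inner_mtu(path_mtu: int, nested: bool, mode: str = "transport") -> int:
    """Largest 'ip mtu' for Tunnel100 that avoids fragmentation at path_mtu."""
    return max(n for n in range(path_mtu + 1)
               if encapsulated_size(n, nested, mode) <= path_mtu)


def tcp_adjust_mss(ip_mtu: int) -> int:
    """Matching 'ip tcp adjust-mss': IP MTU minus 20-byte IP and 20-byte TCP headers."""
    return ip_mtu - 2 * IPV4_HDR


if __name__ == "__main__":
    for nested in (False, True):
        label = "mGRE sourced from Tunnel1000" if nested else "mGRE sourced from Ethernet0/0"
        wire = encapsulated_size(1400, nested)
        verdict = "fits" if wire <= 1500 else "fragments"
        best = max_inner_mtu(1500, nested)
        print(f"{label}: ip mtu 1400 -> {wire} bytes on the wire ({verdict}); "
              f"largest safe ip mtu {best}, adjust-mss {tcp_adjust_mss(best)}")
```

Under these assumptions the original `ip mtu 1400` fits a 1500-byte provider link when Tunnel100 is sourced from the physical interface, but once the extra 24-byte Tunnel1000 header is added the same packet comes out four bytes too long and gets fragmented before it reaches the provider; lowering `ip mtu` on Tunnel100 (and `ip tcp adjust-mss` with it) is the usual fix. Re-run with `mode="tunnel"` if the profile does not set transport mode, since that costs a further 20 bytes.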
