05-30-2009 12:30 PM - edited 03-04-2019 04:56 AM
Hi all,
Can I build a tunnel over a tunnel without any known limitation? Let's say Tunnel 100 is a DMVPN tunnel and Tunnel 1000 is a GRE tunnel between my site and the service provider. Will there be any limitation to running Tunnel 100 sourced out of Tunnel 1000?
I am doing so because a DMVPN tunnel terminated with IPSEC does not support keepalive, so I want to run a GRE tunnel between me and the service provider to get the benefit of the keepalive. If anything goes wrong between me and the service provider, the GRE tunnel will go down and hence the DMVPN tunnel will be forced to go down as well.
Below are more illustrations:
interface Tunnel100
 ip address x.x.x.x 255.255.252.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication x.x.x.x
 ip nhrp map multicast dynamic
 ip nhrp map multicast x.x.x.x
 ip nhrp map x.x.x.x x.x.x.x
 ip nhrp network-id 100
 ip nhrp holdtime 300
 ip nhrp nhs x.x.x.x
 ip tcp adjust-mss 1360
 ip ospf message-digest-key 1 md5 7 x.x.x.x
 ip ospf network broadcast
 ip ospf cost 10
 ip ospf mtu-ignore
 tunnel source Tunnel1000
 tunnel mode gre multipoint
 tunnel key xxx
 tunnel protection ipsec profile xxxx
end
ROUTER#show run inter tunn 1000
Building configuration...
Current configuration : 130 bytes
!
interface Tunnel1000
 ip unnumbered Ethernet0/0
 keepalive 10 3
 tunnel source Ethernet0/0
 tunnel destination x.x.x.x
Thanks
Ismail
05-30-2009 01:22 PM
Hello Ismail,
>> I am doing so because DMVPN tunnel terminated with IPSEC does not support keepalive.
DMVPN supports routing protocols on the virtual flat subnet provided by mGRE + NHRP.
I would suggest you use your favorite IGP, EIGRP or OSPF.
I don't think it is possible to have an mGRE tunnel be transported inside a point-to-point GRE tunnel over the same router.
For DMVPN solution design see:
http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/DMVPDG.html
Hope to help
Giuseppe
05-31-2009 12:14 AM
Hi Giuseppe,
Thanks for your reply. Actually I am only sourcing the traffic out of the GRE tunnel, nothing more... I have tried it on dynamips and it works! Remember, tunnel 1000 is only established between me and the service provider, not between me and the remote end (the branch).
So the mGRE DMVPN tunnel is tunnel 100, and instead of getting sourced out of the physical interface, it will be sourced out of an interface that is again established between me and the service provider.
Again, the GRE tunnel keepalives are not supported in conjunction with the tunnel protection ipsec profile, so there will be no way to know what is going on unless I build the DMVPN tunnel over a GRE tunnel that supports keepalive.
http://www.cisco.com/en/US/tech/tk827/tk369/technologies_tech_note09186a008048cffc.shtml
Ismail
05-31-2009 02:17 AM
Hello Ismail,
This is interesting.
However, I prefer to use a routing protocol inside the DMVPN to know if there are problems end to end.
I mean, if there are problems on the local link with the provider, the routing protocol adjacency also goes down.
This can give you some more info in case of failure.
If I understand correctly, you want to be able to detect failures on the local link to the provider.
We use GRE keepalives on point-to-point end-to-end GRE tunnels inside IPSec and this allows us to automatically switch traffic to a secondary GRE tunnel (because a floating static route uses it as outgoing interface).
Hope to help
Giuseppe
05-31-2009 09:41 AM
Hi Ismail,
You will essentially be doing IPSEC (DMVPN mGRE as the payload) over GRE. IPSEC tunnel protection in a DMVPN setup uses the NHRP NBMA IP address as the tunnel endpoint. Depending on your topology, you may want to verify that the IPSEC source and destination endpoints are actually using the point-to-point GRE IP addresses; otherwise you may end up routing IPSEC packets natively.
I would still use an IGP to detect end-to-end reachability for DMVPN mGRE. You may also want to take a look at crypto isakmp keepalives.
-Rakesh
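Added example, not part of any post in this thread: a Python check in the spirit of Rakesh's advice that works out, for each tunnel in an IOS configuration, the chain of tunnel source interfaces and which interface lends the source IP address (following ip unnumbered one level), and flags a stanza that combines keepalive with tunnel protection. The sample configuration is constructed from the two stanzas Ismail posted; the function names and report keys are hypothetical.

```python
import re

# Constructed sample: the thread's two tunnel stanzas, values masked as posted.
SAMPLE_CONFIG = """\
interface Tunnel100
 tunnel source Tunnel1000
 tunnel mode gre multipoint
 tunnel protection ipsec profile xxxx
!
interface Tunnel1000
 ip unnumbered Ethernet0/0
 keepalive 10 3
 tunnel source Ethernet0/0
 tunnel destination x.x.x.x
"""

def parse_interfaces(config):
    """Return {interface name: [sub-commands]} from IOS-style text."""
    interfaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = interfaces.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or any other top-level line ends the stanza
    return interfaces

def option(cmds, prefix):
    """Text following `prefix` in a stanza, or None if the command is absent."""
    return next((c[len(prefix):].strip() for c in cmds if c.startswith(prefix)), None)

def audit(config):
    """Per tunnel: tunnel-source chain, interface lending the source IP, keepalive clash."""
    ifs, report = parse_interfaces(config), {}
    for name, cmds in ifs.items():
        if option(cmds, "tunnel source") is None:
            continue
        chain = [name]
        while (src := option(ifs.get(chain[-1], []), "tunnel source")) and src not in chain:
            chain.append(src)
        # The source address comes from chain[1]; ip unnumbered borrows another interface's IP.
        owner = option(ifs.get(chain[1], []), "ip unnumbered") or chain[1]
        clash = (option(cmds, "keepalive") is not None
                 and option(cmds, "tunnel protection") is not None)
        report[name] = {"chain": chain, "source_ip_from": owner, "keepalive_with_ipsec": clash}
    return report

if __name__ == "__main__":
    for tunnel, facts in audit(SAMPLE_CONFIG).items():
        print(tunnel, facts)
```

For the thread's configuration the report shows Tunnel100 drawing its source address from Ethernet0/0 through Tunnel1000's ip unnumbered, which is the address to compare against the endpoints in show crypto ipsec sa on the router.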