Multiple DMVPN tunnels on one router

Unanswered Question
Jun 16th, 2009

We have a 7200 router with the VAM2+ card, and one functional GRE/IPSec DMVPN tunnel. We are trying to create another one since these are in an MPLS environment and can't be shared between customers.


I believe I may have the answer to my problem, but I need verification before proceeding. The new tunnel created appears to be accepting phase 1 & 2, tunnel comes up, and I see inbound packets, no returns. When I do a show crypto ipsec sa peer for the tunnel in question, the crypto map is the other tunnel.


crypto map: Tunnel199-head-0


I should be seeing this


interface: Tunnel300

Crypto map tag: Tunnel300-head-0,



First, can there be multiple DMVPN tunnels on one core router, and second, if so, does each one require a separate IP address to work?

auraza Tue, 06/16/2009 - 12:28
User Badges:
  • Cisco Employee,

You can have multiple tunnels, but I am not sure I understand what you mean by does "one require a separate IP address to work?"


Can you explain that in a little more detail?

tahequivoice Tue, 06/16/2009 - 12:36

Tunnel 199 is reached via 192.168.100.1

tunnel 300 is reached via 192.168.100.1


Current setup, both tunnels use the same public IP. I did find a Cisco Doc Re: DMVPN, and from what I get from it each mGRE tunnel needs its own IP address, and I believe this is where my setup is failing. I will know later tonight when I can add the additional IPs to OSPF. If the remote comes up and routes, then problem solved.

tahequivoice Tue, 06/16/2009 - 13:01

I believe I found my answer in this sample config from the DMVPN design guide


interface Tunnel0
 description Tunnel0
 bandwidth 100000
 ip address 10.56.0.1 255.255.252.0
 tunnel source 192.168.161.1
 tunnel mode gre multipoint
!
interface Tunnel1
 description Tunnel1
 bandwidth 100000
 ip address 10.56.16.1 255.255.252.0
 tunnel source 192.168.181.1


Tunnel source addresses use a unique IP.

auraza Wed, 06/17/2009 - 07:31
User Badges:
  • Cisco Employee,

Ah, so you were talking about the tunnel source.


The tunnel source can be the same, however, if you're using crypto, and using the same tunnel source on an mGRE interface, you need to use the shared keyword at the end of the tunnel protection command on the tunnel interface. Also, you need to specify the interface, and not the IP address.


Let me know if that works.


Here is a document that talks about it:

http://www.cisco.com/en/US/docs/ios/security/configuration/guide/share_ipsec_w_tun_protect.html
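
A configuration check for the two conditions in the reply above, as an added example that is not part of the original thread: it flags protected tunnels that reuse one tunnel source without the `shared` keyword or that give the source as an IP address. The sample config is constructed and the profile name `DMVPN-PROF` is hypothetical.

```python
import re
from collections import defaultdict

# Constructed running-config excerpt (not from the thread). The tunnel numbers
# and source address echo the thread; the profile name is hypothetical.
SAMPLE_CONFIG = """\
interface Tunnel199
 tunnel source 192.168.100.1
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-PROF
!
interface Tunnel300
 tunnel source 192.168.100.1
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-PROF
!
"""

def parse_tunnels(config):
    """Map each Tunnel interface to its source and tunnel-protection settings."""
    tunnels, current = {}, None
    for line in config.splitlines():
        header = re.match(r"interface (Tunnel\d+)\s*$", line, re.IGNORECASE)
        if header:
            current = tunnels.setdefault(
                header.group(1), {"source": None, "protected": False, "shared": False})
        elif not line.startswith(" "):
            current = None  # left the interface block
        elif current is not None:
            words = line.split()
            if words[:2] == ["tunnel", "source"] and len(words) > 2:
                current["source"] = words[2]
            elif words[:3] == ["tunnel", "protection", "ipsec"]:
                current["protected"] = True
                current["shared"] = words[-1] == "shared"
    return tunnels

def audit_shared_sources(config):
    """Flag protected tunnels that reuse a tunnel source without the settings the reply names."""
    tunnels = parse_tunnels(config)
    by_source = defaultdict(list)
    for name, t in tunnels.items():
        if t["source"] and t["protected"]:
            by_source[t["source"]].append(name)
    findings = []
    for source, names in by_source.items():
        if len(names) < 2:
            continue  # a unique tunnel source needs no shared keyword
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", source):
            findings.append(f"{', '.join(names)}: tunnel source {source} is an IP address, not an interface")
        findings += [f"{n}: tunnel protection lacks 'shared'" for n in names if not tunnels[n]["shared"]]
    return findings

if __name__ == "__main__":
    print("\n".join(audit_shared_sources(SAMPLE_CONFIG)))
```

Tunnels with distinct sources, the layout in the design-guide sample, produce no findings.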

tahequivoice Wed, 06/17/2009 - 07:35

I got it working last night with a new IP as the tunnel source. It's working as designed now.
