problem with mgre nhrp

Answered Question
Sep 15th, 2009
User Badges:

I'm trying to set up a gre tunnel between a spoke router with dynamic ip, and a hub router with fixed ip. And it doesn't work.I am using a loopback interface of de hub router as the destination tunnel ip in the spoke router. May be the problem that no use an ip of phisical interface?

Thanks.

Correct Answer by paolo bevilacqua about 7 years 8 months ago

IPsec supports dynamic peers, it's all in the documentation.


We also used EzVPN, that works better in presence of NAT.

Correct Answer by paolo bevilacqua about 7 years 8 months ago

As mentioned, I have DMVPN without tunnel protection, works fine.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (2 ratings)
Loading.
paolo bevilacqua Tue, 09/15/2009 - 12:10
User Badges:
  • Super Gold, 25000 points or more
  • Hall of Fame,

    Founding Member

For that to work, you need to configure IPsec first, in practice it's a DMVPN setup.

MARCELO MATURO Wed, 09/16/2009 - 04:32
User Badges:

I did this. The configurations are:

hub:

interface Tunnel100

description Tunel a router 3G

ip address 77.6.248.30 255.255.255.252

no ip redirects

ip nhrp authentication test

ip nhrp map multicast dynamic

ip nhrp network-id 100000

ip nhrp holdtime 600

ip tcp adjust-mss 1260

tunnel source loopback10

tunnel mode gre multipoint

tunnel key 10000

tunnel protection ipsec profile 3G

spoke:

interface Tunnel100

ip address 77.6.248.29 255.255.255.252

ip nhrp authentication test

ip nhrp map 77.6.248.30 192.168.35.113

ip nhrp map multicast 192.168.35.113

ip nhrp network-id 100000

ip nhrp holdtime 300

ip nhrp nhs 77.6.248.30

ip tcp adjust-mss 1260

tunnel source Cellular0/2/0

tunnel destination 192.168.35.113

tunnel key 10000


The ipsec is up. There is an isamkp SA established.


Thanks.


paolo bevilacqua Wed, 09/16/2009 - 11:21
User Badges:
  • Super Gold, 25000 points or more
  • Hall of Fame,

    Founding Member

Check that you can ping between the tunnel source and destination.


Then, a /30 mask seem from for multipoint tunnel.


Also, I would not use tunnel protection, configure ipsec independently.

MARCELO MATURO Wed, 09/16/2009 - 12:36
User Badges:

The ping is ok in both sides. I modified de mask in the hub, but it doesn't work.

Thanks.


Correct Answer
paolo bevilacqua Wed, 09/16/2009 - 12:37
User Badges:
  • Super Gold, 25000 points or more
  • Hall of Fame,

    Founding Member

As mentioned, I have DMVPN without tunnel protection, works fine.

MARCELO MATURO Thu, 09/17/2009 - 05:09
User Badges:

I do this. It works ok without encription, only mgre+nhrp. I found a new problem. How to create the crypto maps unknowing the remote address (the spoke is a dynamic ip).

Thanks

Marcelo

Correct Answer
paolo bevilacqua Thu, 09/17/2009 - 05:12
User Badges:
  • Super Gold, 25000 points or more
  • Hall of Fame,

    Founding Member

IPsec supports dynamic peers, it's all in the documentation.


We also used EzVPN, that works better in presence of NAT.

paolo bevilacqua Thu, 09/17/2009 - 12:23
User Badges:
  • Super Gold, 25000 points or more
  • Hall of Fame,

    Founding Member

Very good, thanks for the nice rating and good luck!

Actions

This Discussion