Cisco Support Community
Community Member

DMVPN - Nat traversal - tunnel source BVI

I have a DMVPN network with 2 hub routers (different locations, ISPs) and over 300 spoke routers.

At some spokes I want to use backup internet connections to reestablish the (same) DMVPN tunnels (to the same hubs) when the primary internet connection is down.

A problem is: on the tunnel interfaces you have to specify the tunnel source interface (typically the internet interface). There is no possibility to specify "a backup tunnel source interface".

A workaround with 2 routers at one spoke site works fine:

* Cisco877 handles the (primary & backup) internet connections & NAT (ADSL & PSTN modem via con0)

* Cisco837 (connected via ethernet0 to the 877) has the DMVPN tunnels (tunnel source ethernet0). The tunnels establish correctly (NAT traversal - udp 4500, non500-isakmp)!

Then I power off the 837 and configure the tunnels in the 877:

If "tunnel source Dialer0" (Internet interface) the tunnels are established.

If "tunnel source BVI0" (Bridge: vlan & wireless) the tunnels don't establish.

A "show ip nat translations" doesn't show an entry for udp port 4500 (if using the second router there is a NAT entry!).

Do I need policy routing and/or policy NAT? Is this a bug or undocumented feature?

The 877 runs: c870-advipservicesk9-mz.124-9.T1.bin


Re: DMVPN - Nat traversal - tunnel source BVI

Yes, you need policy routing and to apply policy NAT.
