Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
416
Views
0
Helpful
6
Replies

DMVPN problem

averheaghe
Level 1
Level 1

‎03-23-2006 08:52 AM - edited ‎03-09-2019 02:22 PM

I am having a problem with Dynamic Multipoint VPN on a group of 2800 series routers.

The tunnels between the spokes and hub work fine, but the dynamic tunnels between the spokes do not come up with normal traffic. I can cause the tunnels to be created if I ping the tunnel interface from one spoke to the other.

Your help is appreaciated.

Andy

Hub

crypto isakmp policy 1

authentication pre-share

crypto isakmp key vpnr3mot3 address 0.0.0.0 0.0.0.0

!

!

crypto ipsec transform-set dmvpn esp-3des esp-sha-hmac

!

crypto ipsec profile vpnprofile

set security-association lifetime seconds 28800

set transform-set dmvpn

!

interface Tunnel0

description Multi-Point GRE

ip address 10.200.200.1 255.255.255.0

no ip redirects

ip mtu 1440

ip nhrp authentication r3mot3

ip nhrp map multicast dynamic

ip nhrp network-id 100

ip ospf network broadcast

tunnel source Multilink1

tunnel mode gre multipoint

tunnel key 0

tunnel protection ipsec profile vpnprofile

router eigrp 100

redistribute connected

redistribute static

network 172.21.0.0

network 192.168.100.0

network 0.0.0.0

no auto-summary

router ospf 1

log-adjacency-changes

network 10.200.200.0 0.0.0.255 area 0

network 192.168.100.0 0.0.0.255 area 1

Spoke 1

crypto isakmp policy 1

authentication pre-share

crypto isakmp key xxx address 0.x.x.x.0.0.0

!

crypto ipsec transform-set dmvpn esp-3des esp-sha-hmac

!

crypto ipsec profile vpnprofile

set security-association lifetime seconds 120

set transform-set dmvpn

!

interface Tunnel0

description Multi-Point GRE

ip address 10.200.200.4 255.255.255.0

no ip redirects

ip mtu 1440

ip nhrp authentication r3mot3

ip nhrp map multicast dynamic

ip nhrp map 10.200.200.1 172.21.11.10

ip nhrp map multicast 172.21.11.10

ip nhrp network-id 100

ip nhrp nhs 10.200.200.1

ip ospf network broadcast

ip ospf priority 0

tunnel source Multilink1

tunnel mode gre multipoint

tunnel key 0

tunnel protection ipsec profile vpnprofile

router eigrp 100

redistribute static

network 10.131.50.0 0.0.0.255

network 172.20.0.0

no auto-summary

!

router ospf 1

log-adjacency-changes

network 10.131.50.0 0.0.0.255 area 0

network 10.200.200.0 0.0.0.255 area 0

network 10.204.204.0 0.0.0.255 area 0

Spoke 2

crypto isakmp policy 1

authentication pre-share

crypto isakmp key vpnr3mot3 address 0.0.0.0 0.0.0.0

!

crypto ipsec transform-set dmvpn esp-3des esp-sha-hmac

!

crypto ipsec profile vpnprofile

set security-association lifetime seconds 120

set transform-set dmvpn

!

interface Tunnel0

description Multi-Point GRE

ip address 10.200.200.2 255.255.255.0

no ip redirects

ip mtu 1440

ip nhrp authentication r3mot3

ip nhrp map multicast dynamic

ip nhrp map 10.200.200.1 172.21.11.10

ip nhrp map multicast 172.21.11.10

ip nhrp network-id 100

ip nhrp nhs 10.200.200.1

ip ospf network broadcast

ip ospf priority 0

tunnel source Multilink1

tunnel mode gre multipoint

tunnel key 0

tunnel protection ipsec profile vpnprofile

!

router eigrp 100

network 172.20.0.0

network 192.168.103.0

no auto-summary

!

router ospf 1

log-adjacency-changes

network 10.200.200.0 0.0.0.255 area 0

network 192.168.103.0 0.0.0.255 area 0

Labels:
0 Helpful
6 Replies 6

j-block
Level 4
Level 4

‎03-29-2006 07:16 AM

This wizard will help you configure your router as a DMVPN hub. The hub should be configured before the spokes so that you can provide the spoke administrators with the information they need to configure their spoke routers.

http://www.cisco.com/en/US/products/sw/secursw/ps5318/products_user_guide_chapter09186a0080511c22.html

0 Helpful

attrgautam
Level 5
Level 5

‎03-29-2006 07:31 AM

At the spoke see if the foll changes helps

no ip nhrp map multicast dynamic

ip nhrp map 10.200.200.1 172.21.11.10

ip nhrp map multicast 172.21.11.10

ip nhrp map multicast

0 Helpful

averheaghe
Level 1
Level 1
In response to attrgautam

‎04-07-2006 08:05 AM

So basicly we add IP nhrp map multicast for each spoke?

I thought the hub was supposed to handle this dynamicly

0 Helpful

attrgautam
Level 5
Level 5
In response to averheaghe

‎04-08-2006 07:54 AM

Well the hub actually resolves the next hop not multicast nexthop if iam correct. I ran into the same problem and had to do this as a workaround

0 Helpful

dhirtz
Level 1
Level 1

‎04-07-2006 11:22 AM

Andy,

If spoke-to-spoke tunnels are required, the no ip next-hop-self eigrp command,

introduced in Cisco IOS Software Releases 12.3(2) and 12.2(13)T, must be configured on the hub mGRE

tunnel interface to tell EIGRP to use the original IP next hop when advertising these routes.

This should fix your problem with the spoke to spoke tunnels.

David

0 Helpful

dhirtz
Level 1
Level 1
In response to dhirtz

‎04-07-2006 11:26 AM

Sorry my bad! I see your using OSPF and have broadcast configured.

0 Helpful
Customers Also Viewed These Support Documents