Cisco Support Community

New Member

Dynamic tunnels will not create –DMVPN

I have configured a Hub with 5 Spokes; tunnels between Spoke and Hub are up and remain active. Traffic between the spokes' LAN segments does not create a tunnel and is not encrypted. If I ping router to router using the Tunnel interface as the source, the tunnels are created; if I ping router to router using any other interface as the source, the tunnels are not created. Any ideas?

Here are the configs of Hub and 2 Spokes (all spokes are configured the same).

HUB

crypto isakmp policy 1
 authentication pre-share
crypto isakmp key xxx address 0.0.x.x.x.0.0
!
crypto ipsec transform-set dmvpn esp-3des esp-sha-hmac
!
crypto ipsec profile vpnprofile
 set security-association lifetime seconds 28800
 set transform-set dmvpn
!
interface Tunnel0
 description Multi-Point GRE
 ip address 10.200.200.1 255.255.255.0
 no ip redirects
 ip mtu 1440
 no ip next-hop-self eigrp 100
 ip nhrp authentication r3mot3
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 no ip split-horizon eigrp 100
 tunnel source Multilink1
 tunnel mode gre multipoint
 tunnel key 0
 tunnel protection ipsec profile vpnprofile
!
interface Loopback0
 ip address 10.1.10.1 255.255.255.0
!
interface Multilink1
 description Bonded T1 physical link to Sprint MPLS cloud
 ip address 172.21.11.10 255.255.255.252
 no ip next-hop-self eigrp 100
 no ip split-horizon eigrp 100
 no cdp enable
 ppp multilink
 ppp multilink group 1

Spoke 1

crypto isakmp policy 1
 authentication pre-share
crypto isakmp key xxx address 0.0.x.x.0.0.0
!
crypto ipsec transform-set dmvpn esp-3des esp-sha-hmac
!
crypto ipsec profile vpnprofile
 set security-association lifetime seconds 28800
 set transform-set dmvpn
!
interface Tunnel0
 description Multi-Point GRE
 ip address 10.200.200.5 255.255.255.0
 no ip redirects
 ip mtu 1440
 no ip next-hop-self eigrp 100
 ip nhrp authentication r3mot3
 ip nhrp map 10.200.200.1 172.21.11.10
 ip nhrp map multicast 172.21.11.10
 ip nhrp map multicast 172.20.244.238
 ip nhrp map multicast 172.20.244.234
 ip nhrp map multicast 172.20.188.126
 ip nhrp map multicast 172.21.11.2
 ip nhrp network-id 100
 ip nhrp nhs 10.200.200.1
 no ip split-horizon eigrp 100
 tunnel source Serial0/1/0
 tunnel mode gre multipoint
 tunnel key 0
 tunnel protection ipsec profile vpnprofile
!
interface Serial0/1/0
 description Physical link from DeerB <---> MPLS Network
 ip address 172.20.245.42 255.255.255.252
 encapsulation ppp
 no fair-queue
 service-module t1 clock source internal
 service-module t1 timeslots 1-24

Spoke 2

crypto isakmp policy 1
 authentication pre-share
crypto isakmp key xxx address 0.0.x.x.0.0.0
!
crypto ipsec transform-set dmvpn esp-3des esp-sha-hmac
!
crypto ipsec profile vpnprofile
 set security-association lifetime seconds 28800
 set transform-set dmvpn
!
interface Tunnel0
 description Multi-Point GRE
 ip address 10.200.200.4 255.255.255.0
 no ip redirects
 ip mtu 1440
 no ip next-hop-self eigrp 100
 ip nhrp authentication r3mot3
 ip nhrp map 10.200.200.1 172.21.11.10
 ip nhrp map multicast 172.21.11.10
 ip nhrp map multicast 172.20.244.234
 ip nhrp map multicast 172.20.188.126
 ip nhrp map multicast 172.20.245.42
 ip nhrp map multicast 172.21.11.2
 ip nhrp network-id 100
 ip nhrp nhs 10.200.200.1
 no ip split-horizon eigrp 100
 tunnel source Multilink1
 tunnel mode gre multipoint
 tunnel key 0
 tunnel protection ipsec profile vpnprofile
!
interface Loopback0
 ip address 10.1.10.4 255.255.255.0
!
interface Multilink1
 description Bonded T1 physical link to Sprint MPLS cloud$FW_INSIDE$
 ip address 172.20.244.238 255.255.255.252
 no cdp enable
 ppp multilink
 ppp multilink fragment disable
 ppp multilink group 1

11 REPLIES
Hall of Fame Super Silver

Re: Dynamic tunnels will not create –DMVPN

The information that you posted is helpful but not enough to fully identify the problem. It is not clear from what you posted what directs traffic to go over the tunnel. Perhaps you can also post the part of the configs that has the routing logic. In particular I would like to see what directs traffic that is spoke to hub and traffic that is spoke to spoke.

HTH

Rick

New Member

Re: Dynamic tunnels will not create –DMVPN

Rick,

I'm not sure what you mean, are you looking for ACLs?

There are no ACLs in use. I guess I was working under the assumption that all traffic would trigger the tunnels.

Andy

Re: Dynamic tunnels will not create –DMVPN

By looking at your configs, there is only one instruction I can't see on the tunnel interface of the hub:

ip summary-address eigrp 100 X.X.X.X 255.255.0.0

This might explain the reason why you can't establish spoke-to-spoke tunnels.

I hope it helps. Please rate if it does!

Hall of Fame Super Silver

Re: Dynamic tunnels will not create –DMVPN

Andy

I am not talking about ACLs (though they are an important part of getting traffic through the tunnel). I am talking about something in the routing table that will send traffic out through the tunnel rather than sending it directly out the outbound physical interface. If the routing table is not large it might be helpful if you would post the output of show ip route. If the table is large (or for some reason you do not want to post the complete table) then post the output of show ip route

HTH

Rick

New Member

Re: Dynamic tunnels will not create –DMVPN

Rick,

After I actually thought about your comments, I think I understand where you're headed. Here are the show ip route outputs from the spokes. I show just about everything connected via the serial interfaces. So the question is how best to send traffic via the tunnel instead. My gut reaction is with routing statements, but I don't think that is the best way.

Spoke 1

D EX 204.181.190.186 [170/3393536] via 172.20.244.237, 2d15h, Multilink1
     172.21.0.0/30 is subnetted, 3 subnets
D EX    172.21.9.248 [170/3393536] via 172.20.244.237, 2d15h, Multilink1
D       172.21.11.0 [90/4738560] via 172.20.244.237, 2d15h, Multilink1
D       172.21.11.8 [90/5953280] via 172.20.244.237, 2d15h, Multilink1
     172.20.0.0/16 is variably subnetted, 7 subnets, 2 masks
D       172.20.245.40/30 [90/4738560] via 172.20.244.237, 2d15h, Multilink1
D       172.20.245.42/32 [90/4738560] via 172.20.244.237, 2d15h, Multilink1
D       172.20.188.124/30 [90/5953280] via 172.20.244.237, 2d15h, Multilink1
D       172.20.188.125/32 [90/312604416] via 10.200.200.2, 1w0d, Tunnel0
C       172.20.244.236/30 is directly connected, Multilink1
C       172.20.244.237/32 is directly connected, Multilink1
D       172.20.244.232/30 [90/4738560] via 172.20.244.237, 2d15h, Multilink1
     10.0.0.0/24 is subnetted, 6 subnets
C       10.1.10.0 is directly connected, Loopback0
D       10.130.142.0 [90/4741120] via 172.20.244.237, 2d15h, Multilink1
C       10.200.200.0 is directly connected, Tunnel0
D EX    10.105.105.0 [170/3393536] via 172.20.244.237, 2d15h, Multilink1
D       10.131.49.0 [90/4741120] via 172.20.244.237, 2d15h, Multilink1
C       10.131.50.0 is directly connected, GigabitEthernet0/0
D    192.168.103.0/24 [90/5955840] via 172.20.244.237, 2d15h, Multilink1
D    192.168.100.0/24 [90/5955840] via 172.20.244.237, 2d15h, Multilink1
D    192.168.3.0/24 [90/4741120] via 172.20.244.237, 2d15h, Multilink1
     204.212.60.0/30 is subnetted, 1 subnets
D EX    204.212.60.104 [170/3393536] via 172.20.244.237, 2d15h, Multilink1
S*   0.0.0.0/0 [1/0] via 10.131.50.2

Spoke 2

D EX 204.181.190.186 [170/2178816] via 172.20.245.41, 3d22h, Serial0/1/0
     172.21.0.0/30 is subnetted, 3 subnets
D EX    172.21.9.248 [170/2178816] via 172.20.245.41, 3d22h, Serial0/1/0
D       172.21.11.0 [90/2690560] via 172.20.245.41, 4d06h, Serial0/1/0
D       172.21.11.8 [90/4738560] via 172.20.245.41, 2d15h, Serial0/1/0
     172.20.0.0/16 is variably subnetted, 6 subnets, 2 masks
C       172.20.245.41/32 is directly connected, Serial0/1/0
C       172.20.245.40/30 is directly connected, Serial0/1/0
D       172.20.188.124/30 [90/4738560] via 172.20.245.41, 4d06h, Serial0/1/0
D       172.20.188.125/32 [90/315676416] via 172.20.245.41, 4d06h, Serial0/1/0
D       172.20.244.236/30 [90/4738560] via 172.20.245.41, 4d06h, Serial0/1/0
D       172.20.244.232/30 [90/2690560] via 172.20.245.41, 4d06h, Serial0/1/0
     10.0.0.0/24 is subnetted, 6 subnets
D       10.1.10.0 [90/4866560] via 172.20.245.41, 4d06h, Serial0/1/0
D       10.130.142.0 [90/2693120] via 172.20.245.41, 4d06h, Serial0/1/0
C       10.200.200.0 is directly connected, Tunnel0
D EX    10.105.105.0 [170/2178816] via 172.20.245.41, 3d22h, Serial0/1/0
C       10.131.49.0 is directly connected, FastEthernet0/0
D       10.131.50.0 [90/4741120] via 172.20.245.41, 4d06h, Serial0/1/0
D    192.168.103.0/24 [90/4741120] via 172.20.245.41, 4d06h, Serial0/1/0
D    192.168.100.0/24 [90/4741120] via 172.20.245.41, 2d15h, Serial0/1/0
D    192.168.3.0/24 [90/2693120] via 172.20.245.41, 4d06h, Serial0/1/0
     204.212.60.0/30 is subnetted, 1 subnets
D EX    204.212.60.104 [170/2178816] via 172.20.245.41, 3d22h, Serial0/1/0
D*EX 0.0.0.0/0 [170/4741120] via 172.20.245.41, 4d06h, Serial0/1/0

Hall of Fame Super Silver

Re: Dynamic tunnels will not create –DMVPN

Andy

Thanks for posting the show ip route output. I believe it does support my theory that there is not anything directing traffic through the tunnel. There are multiple alternatives for how you could direct traffic through the tunnel. These alternatives include static routing, dynamic routing protocol, and you could even do this with Policy Based Routing.

Knowing which alternative would be best needs more understanding of your particular environment and your requirements than we currently have. In particular I gather from what you have posted that there is an MPLS network connecting your sites and that you are configuring IPSec using DMVPN over the MPLS. Understanding what you are trying to accomplish will be important in selecting the best alternative. In particular the key question is how much/what kind of traffic do you want to go over MPLS (without IPSec) and how much/what kind of traffic do you want to go through IPSec? Once you can describe how you want to differentiate traffic we can consider which alternative would be best.

In general I would tend to prefer a solution using a dynamic routing protocol. It might be possible to just include the tunnel interfaces into your dynamic routing protocol (which seems to be EIGRP). But running the same dynamic routing protocol announcing the tunnel source and destination addresses and running over the tunnel frequently produces problems with recursive routing. It might be an alternative to run the existing EIGRP which I assume provides connectivity through the MPLS and which announces the tunnel source and destination addresses and to run a different instance of EIGRP (a different EIGRP with a different AS number) through the tunnels. The question then would be which of the networks at each site to include in the new EIGRP.

If it is confusing to think of two different EIGRPs then perhaps you can think of running the existing EIGRP for MPLS connectivity and running something like OSPF through the tunnels to advertise the destinations that you want traffic to be protected by IPSec going through the tunnel.

I hope this makes sense to you.

HTH

Rick

New Member

Re: Dynamic tunnels will not create –DMVPN

Rick,

Early on in our setup we had a recursive routing issue; at that time we did have the tunnel interfaces in EIGRP.

If we use another eigrp (as) it would look like this

EIGRP 100

WAN segment

LAN segment

EIGRP 200

Tunnel segment

Sound right?

Thanks,

Andy

Hall of Fame Super Silver

Re: Dynamic tunnels will not create –DMVPN

Andy

You have the general approach. I wonder where you want the LAN segment advertised? Do you want to route it through the MPLS/WAN or do you want to route it through the tunnel (or do you want some to go one way and some the other)? Knowing the answer to this question will guide you toward the best implementation.

HTH

Rick

New Member

Re: Dynamic tunnels will not create –DMVPN

Rick,

Thanks, I think I'll play around with it a bit, but I for sure see where it went wrong and have a fair understanding now of what I need to do to fix it.

I want LAN to LAN traffic encrypted so it appears it should be advertised across the tunnels EIGRP (as).
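Rick's two-instance design from his earlier reply, and the EIGRP 100 / EIGRP 200 split Andy sketched with the LAN advertised through the tunnel, written out as IOS configuration. This is an added example and not configuration from the thread: the router eigrp stanzas were never posted, so the network statements are reconstructed from the interfaces shown. The spoke is the one with tunnel address 10.200.200.4 and Multilink1 172.20.244.238; its LAN 10.131.50.0/24 is taken from the posted routing table that shows Multilink1 and GigabitEthernet0/0, which appears to be the same router despite the "Spoke 1"/"Spoke 2" labels. The hub LAN is not in the thread and appears only as a comment.

```ios
! ===== HUB (Tunnel0 10.200.200.1, tunnel source Multilink1 172.21.11.10) =====
!
router eigrp 100
 ! WAN/MPLS instance: carries only the tunnel endpoint (NBMA) addresses.
 ! No prefix that should be reached through the tunnel may appear here. The same
 ! prefix learned via the MPLS path has a far lower metric than via Tunnel0
 ! (compare 4741120 with 312604416 in the posted tables) and wins, which is the
 ! unencrypted path the thread describes.
 network 172.21.11.8 0.0.0.3
 no auto-summary
!
router eigrp 200
 ! Tunnel-only instance: LAN prefixes live here, so a spoke resolves another
 ! spoke's LAN via Tunnel0 and the first LAN-to-LAN packet triggers NHRP.
 network 10.200.200.0 0.0.0.255
 ! network <hub LAN> <wildcard>    hub LAN is not in the posted config
 passive-interface default
 no passive-interface Tunnel0
 no auto-summary
!
interface Tunnel0
 ! Split-horizon and next-hop-self are per-AS. The "eigrp 100" versions in the
 ! posted config do nothing once AS 200 runs on the tunnel; replace them.
 no ip split-horizon eigrp 200
 no ip next-hop-self eigrp 200
!
! ===== SPOKE (Tunnel0 10.200.200.4, Multilink1 172.20.244.238, LAN 10.131.50.0/24) =====
!
router eigrp 100
 ! WAN only, so the tunnel source stays reachable through MPLS and never
 ! through the tunnel itself (the recursive-routing problem seen earlier).
 network 172.20.244.236 0.0.0.3
 no auto-summary
!
router eigrp 200
 network 10.200.200.0 0.0.0.255
 network 10.131.50.0 0.0.0.255
 ! The LAN prefix is advertised, but no EIGRP hellos are sent onto the LAN.
 passive-interface GigabitEthernet0/0
 no auto-summary
!
interface Tunnel0
 ! Remove the per-AS lines that reference AS 100; a Phase 2 spoke needs neither.
 no ip split-horizon eigrp 100
 no ip next-hop-self eigrp 100
!
! Verification on this spoke after the change:
!  show ip route 10.131.49.0   -> must show "via 10.200.200.x, Tunnel0", never Multilink1
!  show ip route 172.21.11.10  -> must show Multilink1, never Tunnel0
!                                 (a tunnel endpoint reachable via the tunnel is recursive routing)
!  show ip nhrp                -> a dynamic entry for the other spoke's NBMA address
!                                 appears after the first LAN-to-LAN packet
!  show crypto ipsec sa        -> a spoke-to-spoke SA with non-zero encaps/decaps counters
```

The rule that makes this work is that a prefix belongs to exactly one instance: anything whose traffic must be encrypted is advertised only in AS 200, anything needed to reach the tunnel endpoints only in AS 100. A prefix present in both would be installed via the MPLS path on metric alone.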

New Member

Re: Dynamic tunnels will not create –DMVPN

I added static routes to the Spokes, but not the Hub, and the tunnels were created, but my Novell servers no longer sync (they use IP). IP traffic appears to work correctly; we can ping and RDP between sites, but the servers no longer communicate. Any ideas?

The main server is at the Hub site

Hall of Fame Super Silver

Re: Dynamic tunnels will not create –DMVPN

Andy

I am not sure what the problem is but have a couple of suggestions of things to try. Since the original problem was difficulty with routing logic, I would probably start with this aspect. Can you verify that the spoke server has IP connectivity to the hub server? The easy test is to ping between servers but it might also be helpful to do a tracert and verify whether the traffic is flowing through the tunnel or not. Be careful about the possibility that traffic may flow through the tunnel in one direction but not in the other direction. So I would test from spoke to hub and also test from hub to spoke.

If you are sure that there is proper IP connectivity then I would look into the possibility that some kind of packet (some port number) is not being permitted to go through. I believe that one of your posts said there are no access lists. If that is the case then packets not being permitted is probably not the issue, but check.

Another possibility is a problem with fragmentation. With the extra headers that GRE and IPSec add to the packet, sometimes the headers make the packet too large and require fragmentation. This is an issue when applications set the DF bit in the header. To investigate this possibility I would suggest that you configure the command: ip tcp adjust-mss 1300 on the LAN interfaces where the servers are connected.

Try these suggestions and let us know what you find.

HTH

Rick
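Rick's fragmentation suggestion worked through against the posted crypto and tunnel settings, as an added example rather than configuration from the thread. The byte counts assume a 1500-byte MTU on the WAN links; the 1400/1360 values are the usual DMVPN recommendation, not something stated in the thread.

```ios
! Transform set as posted, plus transport mode. The GRE delivery header already
! carries the endpoint addresses; under "tunnel protection" IOS defaults to
! tunnel mode, which adds a second, redundant 20-byte IP header.
crypto ipsec transform-set dmvpn esp-3des esp-sha-hmac
 mode transport
!
interface Tunnel0
 ! Overhead added to an inner IP packet with esp-3des esp-sha-hmac:
 !   GRE header 4 + "tunnel key" 4        =  8
 !   ESP header (SPI, seq) 8 + 3DES IV 8  = 16
 !   padding 0-7 + pad-len/next-hdr 2     = 2..9  (payload rounded to a multiple of 8)
 !   SHA-1 HMAC ICV                       = 12
 !   IP header(s)                         = 20 (transport) or 40 (tunnel mode)
 ! Posted value ip mtu 1440: 1440+8 = 1448, padded to 1456, +16+12+20 = 1504 bytes
 !   in transport mode, 1520 in tunnel mode. Both exceed 1500, so a full-size
 !   inner packet passes the tunnel's MTU check and is then fragmented on the
 !   WAN and reassembled by the far-end router before decryption.
 ! With 1400: 1400+8 = 1408, padded to 1416, +16+12+20 = 1464 (1480 tunnel mode). Fits.
 ip mtu 1400
 ! Rewrite the MSS in TCP SYNs crossing the tunnel so TCP segments never need
 ! fragmentation at all: 1400 - 20 (IP) - 20 (TCP) = 1360.
 ip tcp adjust-mss 1360
```

Apply the same two interface commands on the hub and every spoke. Note that adjust-mss acts only on TCP, so it covers RDP and any TCP-based replication but does nothing for UDP; a UDP application sending full-size datagrams with DF set still depends on the ICMP "fragmentation needed" message reaching it, which is why the tunnel MTU has to be right independently of the MSS clamp.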

305 Views, 5 Helpful, 11 Replies