Cisco Support Community
cco
Community Member

DMVPN and GRE IPSec VPN

Why is it not possible to configure tunnel protection on a Router configured to do both DMVPN and GRE VPN using a WAN Interface as Tunnel Source for both DMVPN and GRE VPN Tunnels?

15 REPLIES

Re: DMVPN and GRE IPSec VPN

Who told you it's not possible?

Regards

Farrukh

cco
Community Member

Re: DMVPN and GRE IPSec VPN

Hello Farrukh,

I'm glad that you said it's possible!

I would appreciate if you could please provide me a configuration template for the scenario, thanks!

joe
Bronze

Re: DMVPN and GRE IPSec VPN

I believe you want the "shared" keyword on the tunnel protect statement. This allows IKE socket sharing so that the same public ip interface can source two tunnels...

See the attached config; it's for 2 tunnel interfaces off one public interface for DMVPN, but it should get you going...

In your topology the "shared" keyword goes on the tunnel, and a plain old regular crypto map would go on the public interface for the static vpn.

-Joe

cco
Community Member

Re: DMVPN and GRE IPSec VPN

Hello Joe, thanks for your input, but your configuration is for two DMVPN Tunnels and that's not our goal.

Our goal is to have One DMVPN Tunnel and One GRE VPN Peer to Peer Tunnel using same Physical Interface as Tunnel source for both Tunnels.

Re: DMVPN and GRE IPSec VPN

Could you explain the problem?

cco
Community Member

Re: DMVPN and GRE IPSec VPN

If the "tunnel protection .... shared" command is enabled on the DMVPN Tunnel interface with tunnel source interface fa0/0 and the "CRYPTO MAP ...." command is configured on the physical interface fa0/0 for the GRE Static (IPSec) VPN.

Outcome: the Static IPSec Tunnel works fine but a connection cannot be established over the DMVPN Tunnel.

Re: DMVPN and GRE IPSec VPN

Use tunnel protection on both tunnels "GRE" and "DMVPN".

cco
Community Member

Re: DMVPN and GRE IPSec VPN

Please send me a configuration template, thanks!

cco
Community Member

Re: DMVPN and GRE IPSec VPN

Also, how can the DMVPN Tunnel be monitored (it's always UP)?

Re: DMVPN and GRE IPSec VPN

An easy way is to ping the spoke sites. Also usually you run a routing protocol over the tunnel (hence 'dynamic' in DMVPN). If the DMVPN would go down, the routing protocol adjacencies would go down. The latest IOS has also added a MIB for NHRP.

Regards

Farrukh

Re: DMVPN and GRE IPSec VPN

Have you seen this document? It's a little different than your scenario but should give you some useful hints.

http://www.cisco.com/application/pdf/paws/47541/dmvpn-ezvpn-isakmp.pdf

Regards

Farrukh

cco
Community Member

Re: DMVPN and GRE IPSec VPN

Farrukh,

I would appreciate if you could review the config below and share you view if it could be implement on both config on same Router.

Thanks!

############################################# Part 1 #########################################

crypto isakmp policy 1
 encr 3des
 authentication pre-share
crypto isakmp key loRG!o82nanRvi3nt-ot address 0.0.0.0 0.0.0.0 no-xauth
!
crypto ipsec transform-set custcpe esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile vpncust
 set transform-set custcpe
!
interface Loopback99
 ip address 10.200.36.3 255.255.255.255
!
interface Tunnel0
 description klhdeleir9_klh_0_mpgre
 bandwidth 10240
 ip address 10.210.37.1 255.255.255.0
 ip mtu 1400
 no ip next-hop-self eigrp 1
 ip nhrp authentication vpncust
 ip nhrp map multicast dynamic
 ip nhrp network-id 100037
 ip nhrp holdtime 600
 ip tcp adjust-mss 1360
 no ip split-horizon eigrp 1
 no ip split-horizon eigrp 51
 delay 500
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100037
 tunnel protection ipsec profile vpncust shared

##################### Part 2 ################################################

crypto isakmp key wft5e4444wre45 address yy.yyy.yyy.yyy no-xauth
crypto isakmp keepalive 10
!
crypto ipsec transform-set cm-set esp-3des esp-sha-hmac
 mode transport
crypto map AHLMAP 1 ipsec-isakmp
 description ahldeherr1_ahlatmadr1
 set peer yy.yyy.yyy.yyy
 set transform-set cm-set
 set pfs group2
 match address 101
interface Tunnel1
 description ahldeherr1_ahlatmadr1
 bandwidth 128
 ip address 192.168.254.1 255.255.255.252
 ip mtu 1400
 no ip route-cache
 ip tcp adjust-mss 1360
 no ip mroute-cache
 keepalive 10 3
 tunnel source xx.xxx.xxx.xxx
 tunnel destination yy.yyy.yyy.yyy
interface GigabitEthernet0/0
 description ahldeherr1_wan
 bandwidth 10240
 ip address xx.xxx.xxx.xxx
 no ip route-cache
 no ip mroute-cache
 duplex auto
 speed auto
 no cdp enable
 crypto map AHLMAP
access-list 101 permit gre host xx.xxx.xxx.xxx host yy.yyy.yyy.yyy

Re: DMVPN and GRE IPSec VPN

Use "tunnel key" for P2P tunnel (on both sides).

cco
Community Member

Re: DMVPN and GRE IPSec VPN

Farrukh, sorry for the typo error in my last statement; what I mean is I would appreciate if you could review the proposed config and share your view if it could be possible to implement both configs on the same Router, thanks!

Re: DMVPN and GRE IPSec VPN

Hi, kindly find the following link for creating DMVPN using a GRE tunnel.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008014bcd7.shtml

Please rate if you find it useful.

Sachin Garg
