DMVPN Cloud

Rayval Rodman
Level 1

Hi,

I created a DMVPN cloud with 1 hub and 5 spokes; the main purpose of the VPN is a centralised voice deployment. Now all the spokes are up and connecting fine, I can see all the phones in the different sites and even browse to the phone webpages.

The problem I am having is that at two of the sites the phones registered with CUCM, but at the other sites, even though I can see the phones, they won't register to CUCM. See a copy of my config below; I use static routes as the routing protocol.

++++++++++++
HUB
++++++++++++

crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10 3 periodic
crypto isakmp xauth timeout 20
!
crypto ipsec security-association lifetime seconds 7200
!
crypto ipsec transform-set DMVPN_SPOKE esp-aes 
 mode transport
!
crypto ipsec profile DMVPNspoke
 set security-association lifetime seconds 86400
 set security-association idle-time 86400
 set transform-set DMVPN_SPOKE 
!
interface Tunnel0
 description <<< TUNNEL >>>
 bandwidth 1000
 ip address 192.168.222.1 255.255.255.0
 no ip redirects
 ip mtu 1452
 ip nhrp authentication client
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp holdtime 300
 ip nhrp shortcut
 ip nhrp redirect
 ip virtual-reassembly max-fragments 64
 ip tcp adjust-mss 1360
 delay 30
 tunnel source dialer 1
 tunnel mode gre multipoint
 tunnel key 131
 tunnel protection ipsec profile DMVPNspoke shared

crypto isakmp key cisco address 77.95.xxx.xxx

 

+++++++++++
SPOKE
+++++++++++

crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10 3 periodic
crypto isakmp xauth timeout 20
!
crypto ipsec security-association lifetime seconds 7200
!
crypto ipsec transform-set DMVPN_SPOKE esp-aes 
 mode transport
!
crypto ipsec profile DMVPNspoke
 set security-association lifetime seconds 86400
 set security-association idle-time 86400
 set transform-set DMVPN_SPOKE 
!
interface Tunnel0
 description <<< TUNNEL >>>
 bandwidth 1000
 ip address 192.168.222.11 255.255.255.0
 no ip redirects
 ip mtu 1452
 ip nhrp authentication client
 ip nhrp map multicast 212.20.xxx.xxx
 ip nhrp map 192.168.222.1 xxx.xxx.xxx.xxx
 ip nhrp network-id 1
 ip nhrp holdtime 300
 ip nhrp nhs 192.168.222.1
 ip nhrp shortcut
 ip nhrp redirect
 ip virtual-reassembly max-fragments 64
 ip tcp adjust-mss 1360
 delay 30
 tunnel source dialer 1
 tunnel mode gre multipoint
 tunnel key 131
 tunnel protection ipsec profile DMVPNspoke shared

crypto isakmp key cisco address xxx.xxx.xxx.xxx
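
An added example, not part of the original post or of any Cisco tool: a small Python check that scans an IOS configuration like the one above for the IKE/IPsec settings a reviewer would look at first (wildcard or short pre-shared key, small Diffie-Hellman group, ESP encryption with no integrity transform). The function name, rule labels and the 16-character key threshold are assumptions made for this example; the sample text is the hub's crypto lines copied from the post.

```python
import re

# Constructed sample: the crypto lines from the hub section of the post above.
SAMPLE = """\
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set DMVPN_SPOKE esp-aes
 mode transport
"""

WEAK_DH_GROUPS = {"1", "2", "5"}  # 768-, 1024- and 1536-bit MODP groups
MIN_PSK_LEN = 16                  # assumed threshold for this example

def audit_ios_crypto(config):
    """Return (line_number, rule, text) findings; rule labels are hypothetical."""
    findings, in_policy = [], False
    for n, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue  # stray blank lines do not end a sub-mode in pasted configs
        if not raw.startswith(" "):  # any top-level line ends the policy sub-mode
            in_policy = line.startswith("crypto isakmp policy")
        m = re.match(r"group (\d+)$", line)
        if in_policy and m and m.group(1) in WEAK_DH_GROUPS:
            findings.append((n, "weak-dh-group", line))
        m = re.match(r"crypto isakmp key (?:\d )?(\S+) address (\S+)(?: (\S+))?$", line)
        if m:
            key, addr, mask = m.groups()
            if addr == "0.0.0.0" and mask in (None, "0.0.0.0"):
                findings.append((n, "wildcard-psk", line))  # key accepted from any peer
            if len(key) < MIN_PSK_LEN:
                findings.append((n, "short-psk", line))
        m = re.match(r"crypto ipsec transform-set \S+ (.+)$", line)
        if m:
            transforms = m.group(1).split()
            encrypts = any(t.startswith("esp-") and "hmac" not in t for t in transforms)
            integrity = any(t.endswith("-hmac") or "gcm" in t for t in transforms)
            if encrypts and not integrity:
                findings.append((n, "esp-without-integrity", line))
    return findings

if __name__ == "__main__":
    for n, rule, text in audit_ios_crypto(SAMPLE):
        print(f"line {n}: {rule}: {text}")
```
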

Accepted Solutions

nkarthikeyan
Level 7

Hi Ray,

Do you get any error for failing to register to CUCM? Do you have the proper rules at both ends allowing the voice traffic through the tunnel, i.e. have QoS / inspect statements already been configured? Have you checked the reachability of the CUCM server from those spoke sites?

Regards

Karthik

Hi nkarthikeyan,

I haven't applied any QoS or inspect statements; the only devices traversing the VPN is the voice traffic. I can reach the CUCM from every spoke and I can reach the spokes from the HUB.
