Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

DMVPN HUB router behind NAT

we are getting new sip trunks put in and in order for the provider to put them in the Providor put in a router to control all web traffic so they can QOS the voice that means our VPN routers will go behind the nat barrier. but when i switched the routers interface to the natted address the DMVPN tunnels would not build. there is a nat translation to the routers so the external(route-able) IP did not change. the IPsec tunnels did come up just fine. just the few DMVPN connected tunnels did not.

if issue a "sh DMVPN" the Peer NBMA Addr shows up as 0.0.0.0 while the Peer Tunnel addr is what it should be, also the attrb is  "X"

Tunnel source i have set to the interface, and the key is set to "crypto isakmp key "my key" address 0.0.0.0 0.0.0.0 no-xauth"

i am at a loss on why this was not working. keep in mind this is the HUB router and not the Spoke.

4 REPLIES
Community Member

Here is some additional infor

Here is some additional infor to help

hub config:

interface Tunnel0
 bandwidth 512
 ip address "hubtunnelIP" 255.255.255.0
 no ip redirects
 ip nhrp authentication "XXX"
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel protection ipsec profile net1

crypto isakmp key "My Key" address 0.0.0.0 0.0.0.0 no-xauth

crypto ipsec transform-set "mytransfromset" esp-des esp-md5-hmac
 mode transport

crypto ipsec profile net1
 set transform-set "mytransformset"

Spoke config:

crypto isakmp key "My Key" address "Remote IP" "remote SM" no-xauth

crypto ipsec transform-set "mytransformset" esp-des esp-md5-hmac
 mode tunnel
crypto ipsec nat-transparency spi-matching

crypto ipsec profile net1
 set transform-set "mytransformset"

interface Tunnel0
 bandwidth 512
 ip address "spoketunnelIP" 255.255.255.0
 no ip redirects
 ip nhrp authentication "XXX"
 ip nhrp map multicast "Remote IP"
 ip nhrp map "hubtunnelIP" "Remote IP"
 ip nhrp network-id 1
 ip nhrp nhs "hubtunnelIP"
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel protection ipsec profile net1 shared

Community Member

Hi Mike,I am experiencing

Hi Mike,

I am experiencing trouble when config DMVPN Hub behind the NAT. Have you found any solution yet?

Thanks.

Community Member

yes I had to work with TAC

yes I had to work with TAC after i was able to convince manager to get smartnet on the routers

this is what we did:

removed from hub

"crypto isakmp key  "My Key" address 0.0.0.0 0.0.0.0 no-xauth"

added:

crypto keyring dmvpn-tun0  
  pre-shared-key address 0.0.0.0 0.0.0.0 key "My Key"

crypto isakmp profile dmvpn-tun0
   keyring dmvpn-tun0
   match identity address 0.0.0.0
   local-address GigabitEthernet0/1

cry ipsec nat-transparency udp-encapsulation   -this is hidden command in the running config, also have to make sure the mode is transport

crypto ipsec profile net1
 set transform-set trans
 set isakmp-profile dmvpn-tun0

 

 and then on the spoke had to add:

cry ipsec nat-transparency udp-encapsulation  -again hidden in running config and making sure mode is transport

 

then it connected, of course if you have any ipsec tunnels they will either have to convert to a DMVPN tunnel or add Keyrings for each ipsec tunnel, this is because the keyrings take precedence over the crypto isakmp keys

Community Member

Thank you very much Mike, I

Thank you very much Mike, I finally could bring up my tunnel with your support.

1562
Views
5
Helpful
4
Replies
CreatePlease to create content