Cisco Support Community
DMVPN problem with NAT

Hi All,

We are running a DMVPN EIGRP topology in our network. The DMVPN hub aggregates all the spoke router networks via the tunnel. Also, the spoke routers allow internet traffic by using NAT, and only private traffic flows through the DMVPN tunnel. IPSec is up and running fine and EIGRP works well.

Brief configs on Hub and Spoke are as below:

Spoke router:
------------
interface Tunnel0
 description VPN tunnel
 bandwidth 400
 ip address 172.28.1.159 255.255.252.0
 ip nhrp authentication xxx
 ip nhrp map 172.28.1.1 6x.xx.x.x
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip nhrp nhs 172.28.1.1
 ip summary-address eigrp 100 10.159.0.0 255.255.0.0 5
 delay 40000
 qos pre-classify
 tunnel source Serial0/0/1:0
 tunnel destination 6x.xx.x.x
 tunnel key xxxx
 tunnel protection ipsec profile pppp

Hub router:
----------
interface Tunnel0
 bandwidth 100000
 ip address 172.28.1.1 255.255.252.0
 no ip redirects
 ip nhrp authentication xxx
 ip nhrp map multicast dynamic
 ip nhrp network-id 100002
 ip nhrp holdtime 360
 no ip split-horizon eigrp 100
 load-interval 30
 delay 40000
 qos pre-classify
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel key xxxx
 tunnel protection ipsec profile pppp

Rt#sh ip nat trans | i :500
udp 20x.y.y.y:500 10.159.99.251:500 6.x.x.x:500 6.x.x.x:500
udp 20x.y.y.y:500 10.159.99.251:500 6.x.x.x:500 6.x.x.x:500
udp 20x.y.y.y:500 10.159.99.251:500 6.x.x.x:500 6.x.x.x:500
udp 20x.y.y.y:500 10.159.99.251:500 6.x.x.x:500 6.x.x.x:500
udp 20x.y.y.y:500 10.159.99.251:500 6.x.x.x:500 6.x.x.x:500
udp 20x.y.y.y:500 10.159.99.251:500 6.x.x.x:500 6.x.x.x:500
udp 20x.y.y.y:500 10.159.99.251:500 6.x.x.x:500 6.x.x.x:500
udp 20x.y.y.y:500 10.159.99.251:500 6.x.x.x:500 6.x.x.x:500
udp 20x.y.y.y:500 10.159.99.251:500 6.x.x.x:500 6.x.x.x:500
udp 20x.y.y.y:500 10.159.99.251:500 6.x.x.x:500 6.x.x.x:500

The problem is that when I get these entries in the NAT table of the spoke router, crypto breaks, EIGRP goes down on the spoke router, and the DMVPN tunnel is completely down.

10.159.99.251 is the gig0/0.99 private IP of the spoke router. I am not sure why we have so many entries for this UDP 500 ISAKMP connection instead of just one.

This happens even if any PC behind the spoke router tries to establish an IPSec connection with the hub router (which is not at all necessary).

Thanks,

Praful

1 REPLY
Anonymous

Re: DMVPN problem with NAT

For the NAT-Transparency Aware enhancement to work, you must use IPSec transport mode on the transform set. Also, even though NAT-Transparency (IKE and IPSec) can support two peers (IKE and IPSec) being translated to the same IP address (using the User Datagram Protocol [UDP] ports to differentiate them [this would be Peer Address Translation]), this functionality is not supported for DMVPN. All DMVPN spokes must have a unique IP address after they have been NAT translated. They can have the same IP address before they are NAT translated.

http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080110ba1.html

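The reply's two checks (each spoke must keep a unique address after NAT toward the hub, and IKE on UDP/500 and UDP/4500 must not be port-remapped or shared by several inside hosts) can be verified from `show ip nat translations` output. The script below is an added example, not code from the original thread or from Cisco; it parses the five-column format shown in the post and reports the conditions the reply says DMVPN does not tolerate. The sample table, the hub address 203.0.113.10 and the spoke addresses are constructed for the example and do not come from the post.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of `show ip nat translations` output, modelled on the column
# layout in the post: proto, inside global, inside local, outside local, outside global.
# Addresses are documentation ranges, not the poster's. The spoke's own interface
# (10.159.99.251) and a PC behind it (10.159.99.25) both reach the hub (203.0.113.10).
SAMPLE_NAT_TABLE = """\
Pro Inside global         Inside local          Outside local         Outside global
udp 198.51.100.5:500     10.159.99.251:500     203.0.113.10:500      203.0.113.10:500
udp 198.51.100.5:500     10.159.99.251:500     203.0.113.10:500      203.0.113.10:500
udp 198.51.100.5:1024    10.159.99.25:500      203.0.113.10:500      203.0.113.10:500
udp 198.51.100.5:4500    10.159.99.251:4500    203.0.113.10:4500     203.0.113.10:4500
tcp 198.51.100.5:40012   10.159.99.25:40012    192.0.2.80:443        192.0.2.80:443
"""

IKE_PORTS = {500, 4500}  # ISAKMP/IKE and NAT-T UDP encapsulation

ENTRY_RE = re.compile(
    r"^(?P<proto>udp|tcp)\s+"
    r"(?P<ig_ip>[\d.]+):(?P<ig_port>\d+)\s+"
    r"(?P<il_ip>[\d.]+):(?P<il_port>\d+)\s+"
    r"(?P<ol_ip>[\d.]+):(?P<ol_port>\d+)\s+"
    r"(?P<og_ip>[\d.]+):(?P<og_port>\d+)\s*$"
)


def parse_nat_table(text):
    """Parse translation lines into dicts; header and unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        for k in ("ig_port", "il_port", "ol_port", "og_port"):
            d[k] = int(d[k])
        entries.append(d)
    return entries


def ike_translations(entries):
    """Keep only UDP translations whose outside-global port is IKE (500) or NAT-T (4500)."""
    return [e for e in entries if e["proto"] == "udp" and e["og_port"] in IKE_PORTS]


def find_dmvpn_nat_conflicts(text, hub_ip):
    """Return findings about IKE/NAT-T translations toward hub_ip.

    Finding kinds:
      port-remapped   - PAT rewrote the inside UDP/500 or 4500 port to something else.
      duplicate-entry - the same inside/global pair appears more than once (what the
                        poster saw: many entries for one ISAKMP session).
      shared-address  - more than one inside host is translated to the same inside-global
                        address toward the hub; the reply states DMVPN does not support this.
    """
    ike = [e for e in ike_translations(parse_nat_table(text)) if e["og_ip"] == hub_ip]
    findings = []
    by_global = defaultdict(set)
    pairs = Counter()
    for e in ike:
        by_global[e["ig_ip"]].add(e["il_ip"])
        pairs[(e["il_ip"], e["il_port"], e["ig_ip"], e["ig_port"])] += 1
        if e["ig_port"] != e["il_port"]:
            findings.append(("port-remapped", e["il_ip"], e["ig_ip"], e["ig_port"]))
    for key, n in pairs.items():
        if n > 1:
            findings.append(("duplicate-entry", key, n))
    for ig_ip, inside_hosts in by_global.items():
        if len(inside_hosts) > 1:
            findings.append(("shared-address", ig_ip, tuple(sorted(inside_hosts))))
    return findings


if __name__ == "__main__":
    for f in find_dmvpn_nat_conflicts(SAMPLE_NAT_TABLE, "203.0.113.10"):
        print(f)
```

Run it against a pasted `show ip nat translations` capture and the hub's public address. A `shared-address` finding means a PC behind the spoke is competing with the spoke's own tunnel source for the same translated address, which is the case the reply says is unsupported; the usual fix is to keep the spoke's own IKE/ESP traffic out of the NAT rule (or give the tunnel source a public address) rather than rely on peer address translation.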