08-16-2013 12:20 AM - edited 02-21-2020 07:05 PM
Hi All,
I'm trying to configure DMVPN. I believe the tunnel is established OK, as the VPN lights are on at both routers and I am able to ping from the router the tunnel address of the other router; however, I am not able to ping the LAN address of the adjacent router.
I understand it may be to do with the routing protocol (I'm using RIP), but I have enabled it on both routers and set the other router as a neighbour using the tunnel IP address.
         Router 1             Router 2
LAN      192.168.0.254 /24    10.9.9.254 /24
Tunnel0  10.8.8.254           10.8.8.1
Any help would be greatly appreciated.
Thanks
08-16-2013 04:45 AM
Hi Darren,
Is that site to site, or you have hub and spokes? Can you post the config on both ends?
HTH,
Lei Tian
08-16-2013 07:02 AM
Hi Lei, thanks for responding.
It's a hub and spoke, configs below
HUB
Building configuration...
Current configuration : 4626 bytes
!
! Last configuration change at 07:21:03 UTC Fri Aug 16 2013
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname BH-S
!
boot-start-marker
boot-end-marker
!
!
no logging console
enable secret 5 *******************
enable password ***************
!
no aaa new-model
no process cpu extended history
no process cpu autoprofile hog
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-*************
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-**********
revocation-check none
rsakeypair TP-self-signed-*************
!
!
crypto pki certificate chain TP-self-signed-*******************
certificate self-signed 01
***********************************
quit
!
!
!
!
!
!
ip cef
no ipv6 cef
!
!
vpdn enable
!
vpdn-group pppoe
!
license udi pid *******************
!
!
!
!
!
!
!
controller VDSL 0
!
csdb tcp synwait-time 30
csdb tcp idle-time 3600
csdb tcp finwait-time 5
csdb tcp reassembly max-memory 1024
csdb tcp reassembly max-queue-length 16
csdb udp idle-time 30
csdb icmp idle-time 10
csdb session max-session 65535
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key ********** address 0.0.0.0
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
mode tunnel
!
crypto ipsec profile SP
!
crypto ipsec profile SaferPlaces
set security-association lifetime seconds 900
set transform-set strong
!
!
!
!
!
!
!
interface Tunnel0
ip address 10.8.8.254 255.255.255.0
no ip redirects
ip mtu 1440
ip nhrp authentication SP1
ip nhrp map multicast dynamic
ip nhrp network-id 1
no ip split-horizon
tunnel source Dialer0
tunnel mode gre multipoint
tunnel key 0
tunnel protection ipsec profile SP
!
interface Ethernet0
no ip address
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Ethernet0.101
encapsulation dot1Q 101
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface ATM0
no ip address
no atm ilmi-keepalive
!
interface FastEthernet0
no ip address
shutdown
no cdp enable
!
interface FastEthernet1
no ip address
shutdown
no cdp enable
!
interface FastEthernet2
no ip address
shutdown
no cdp enable
!
interface FastEthernet3
no ip address
no cdp enable
!
interface Vlan1
ip address 192.168.0.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Dialer0
mtu 1492
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname ***************
ppp chap password 0 ****************
ppp pap sent-username *************** password 0 **************
ppp ipcp dns request
ppp ipcp route default
!
router rip
network 192.168.0.0
neighbor 10.8.8.1
!
ip forward-protocol nd
ip http server
ip http secure-server
!
ip nat inside source list 2 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 10.9.9.0 255.255.255.0 10.8.8.1
ip route 10.9.9.0 255.255.255.0 Tunnel0
!
access-list 2 permit 192.168.0.0 0.0.0.255
!
snmp-server community public RO
!
!
line con 0
exec-timeout 0 0
no modem enable
line aux 0
line vty 0 4
password ***************
login
transport input all
!
!
end
SPOKE
Building configuration...
Current configuration : 4117 bytes
!
! Last configuration change at 07:44:57 UTC Fri Aug 16 2013
version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname BH-A
!
boot-start-marker
boot-end-marker
!
!
no logging buffered
enable secret 5 ****************
enable password *********
!
no aaa new-model
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-*************
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-*******
revocation-check none
rsakeypair TP-self-signed-*********
!
!
crypto pki certificate chain TP-self-signed-**********
certificate self-signed 01
*********************
quit
!
!
!
!
!
!
ip cef
no ipv6 cef
!
!
vpdn enable
!
vpdn-group pppoe
!
license udi pid *****************
!
!
!
!
!
!
!
controller VDSL 0
!
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key ***************** address 0.0.0.0
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
mode tunnel
!
crypto ipsec profile SP
set security-association lifetime seconds 900
set transform-set strong
!
!
!
!
!
!
!
interface Tunnel0
ip address 10.8.8.1 255.255.255.0
no ip redirects
ip mtu 1440
ip nhrp authentication SP1
ip nhrp map multicast dynamic
ip nhrp map 10.8.8.254 82.69.75.27
ip nhrp map multicast 82.69.75.27
ip nhrp network-id 1
ip nhrp nhs 10.8.8.254
no ip split-horizon
tunnel source Dialer0
tunnel mode gre multipoint
tunnel key 0
tunnel protection ipsec profile SaferPlaces
!
interface Ethernet0
no ip address
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Ethernet0.101
encapsulation dot1Q 101
pppoe enable
pppoe-client dial-pool-number 1
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
!
interface FastEthernet0
no ip address
shutdown
!
interface FastEthernet1
no ip address
shutdown
!
interface FastEthernet2
no ip address
shutdown
!
interface FastEthernet3
no ip address
!
interface Vlan1
ip address 10.9.9.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Dialer0
mtu 1470
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname ***************
ppp chap password 0 **********
ppp ipcp dns request
ppp ipcp route default
!
router rip
network 10.0.0.0
neighbor 10.8.8.254
!
ip forward-protocol nd
ip http server
ip http secure-server
!
ip nat inside source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.0.0 255.255.255.0 Tunnel0
!
!
snmp-server community public RO
access-list 1 permit 10.9.9.0 0.0.0.255
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
password *******************
login
transport input all
!
!
end
08-16-2013 10:32 AM
If you're using RIP between sites, why do you need these static routes?
Spoke:
ip route 192.168.0.0 255.255.255.0 Tunnel0
HUB:
ip route 10.9.9.0 255.255.255.0 10.8.8.1
ip route 10.9.9.0 255.255.255.0 Tunnel0
Delete those routes and add network statements for the tunnel subnet in RIP.
08-16-2013 11:39 AM
Hey, RIP wasn't working so I added the static routes instead whilst troubleshooting. Can you give me an example of the network statement for RIP? Thanks
08-22-2013 01:10 AM
I've made some progress with this but it's still not complete. I have RIP working at least in one direction. It seems the spoke doesn't have the local VLAN subnet (10.9.9.0/24) in its routing table? But it now has a RIP entry for the VLAN subnet of the hub, which pings OK.
S* 0.0.0.0/0 [1/0] via 62.3.83.27
is directly connected, Dialer0
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.8.8.0/24 is directly connected, Tunnel0
L 10.8.8.1/32 is directly connected, Tunnel0
ISP IP is subnetted, 1 subnets
C ISP IP is directly connected, Dialer0
public subnet is subnetted, 1 subnets
C public IP is directly connected, Dialer0
R 192.168.0.0/24 [120/1] via 10.8.8.254, 00:00:15, Tunnel0
Any advice is greatly appreciated.
Latest running configs
HUB
Building configuration...
Current configuration : 4525 bytes
!
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname BH-SiteLink
!
boot-start-marker
boot-end-marker
!
!
no logging console
enable secret 5 *************
enable password *****
!
no aaa new-model
no process cpu extended history
no process cpu autoprofile hog
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-***********
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-**********
revocation-check none
rsakeypair TP-self-signed-*********
!
!
crypto pki certificate chain TP-self-signed-*****
certificate self-signed 01
***
quit
!
!
!
!
!
!
ip cef
no ipv6 cef
!
!
vpdn enable
!
vpdn-group pppoe
!
license udi pid **********
!
!
!
!
!
!
!
controller VDSL 0
!
csdb tcp synwait-time 30
csdb tcp idle-time 3600
csdb tcp finwait-time 5
csdb tcp reassembly max-memory 1024
csdb tcp reassembly max-queue-length 16
csdb udp idle-time 30
csdb icmp idle-time 10
csdb session max-session 65535
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key ************* address 0.0.0.0
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
mode tunnel
!
crypto ipsec profile SP
!
crypto ipsec profile ************
set security-association lifetime seconds 900
set transform-set strong
!
!
!
!
!
!
!
interface Tunnel0
ip address 10.8.8.254 255.255.255.0
no ip redirects
ip mtu 1440
ip nhrp authentication SP1
ip nhrp map multicast dynamic
ip nhrp network-id 1
no ip split-horizon
tunnel source Dialer0
tunnel mode gre multipoint
tunnel key 0
tunnel protection ipsec profile SaferPlaces
!
interface Ethernet0
no ip address
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Ethernet0.101
encapsulation dot1Q 101
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface ATM0
no ip address
no atm ilmi-keepalive
!
interface FastEthernet0
no ip address
shutdown
no cdp enable
!
interface FastEthernet1
no ip address
shutdown
no cdp enable
!
interface FastEthernet2
no ip address
shutdown
no cdp enable
!
interface FastEthernet3
no ip address
no cdp enable
!
interface Vlan1
ip address 192.168.0.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Dialer0
mtu 1470
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname *************
ppp chap password 0 ****************
ppp pap sent-username ************ password 0 **************
ppp ipcp dns request
ppp ipcp route default
!
router rip
network 10.0.0.0
network 192.168.0.0
!
ip forward-protocol nd
ip http server
ip http secure-server
!
ip nat inside source list 2 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.0.0 255.255.255.0 Vlan1
!
access-list 1 remark CCP_ACL Category=16
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 2 remark CCP_ACL Category=2
access-list 2 permit 192.168.0.0 0.0.0.255
!
snmp-server community public RO
!
!
line con 0
exec-timeout 0 0
no modem enable
line aux 0
line vty 0 4
password ****************
login
transport input all
!
!
end
SPOKE
Building configuration...
Current configuration : 4104 bytes
!
! Last configuration change at 07:25:19 UTC Thu Aug 22 2013
version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname BH-ArrayLinks
!
boot-start-marker
boot-end-marker
!
!
no logging buffered
enable secret 5 ***********
enable password *************
!
no aaa new-model
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-*************
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-*****************
revocation-check none
rsakeypair TP-self-signed-3608216806
!
!
crypto pki certificate chain TP-self-signed-*****************
certificate self-signed 01
************************
quit
!
!
!
!
!
!
ip cef
no ipv6 cef
!
!
vpdn enable
!
vpdn-group pppoe
!
license udi pid***************
!
!
!
!
!
!
!
controller VDSL 0
!
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key **************** address 0.0.0.0
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
mode tunnel
!
crypto ipsec profile **************
set security-association lifetime seconds 900
set transform-set strong
!
!
!
!
!
!
!
interface Tunnel0
ip address 10.8.8.1 255.255.255.0
no ip redirects
ip mtu 1440
ip nhrp authentication SP1
ip nhrp map multicast dynamic
ip nhrp map 10.8.8.254 HUB IP
ip nhrp map multicast HUB IP
ip nhrp network-id 1
ip nhrp nhs 10.8.8.254
no ip split-horizon
tunnel source Dialer0
tunnel mode gre multipoint
tunnel key 0
tunnel protection ipsec profile SaferPlaces
!
interface Ethernet0
no ip address
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Ethernet0.101
encapsulation dot1Q 101
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
!
interface FastEthernet0
no ip address
shutdown
!
interface FastEthernet1
no ip address
shutdown
!
interface FastEthernet2
no ip address
shutdown
!
interface FastEthernet3
no ip address
!
interface Vlan1
ip address 10.9.9.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Dialer0
mtu 1470
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname ****************
ppp chap password 0 ***************
ppp ipcp dns request
ppp ipcp route default
!
router rip
network 10.0.0.0
!
ip forward-protocol nd
ip http server
ip http secure-server
!
ip nat inside source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 10.9.9.0 255.255.255.0 Vlan1
!
!
snmp-server community public RO
access-list 1 permit 10.9.9.0 0.0.0.255
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
password ************
login
transport input all
!
!
end
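For the network-statement question raised in the thread, an added example (not code from any poster): RIP `network` statements are classful, so this Python script reports which interface addresses they cover and which non-default static routes would take precedence over RIP-learned prefixes. The sample lines are constructed from the first hub config posted above, and the function names are illustrative.

```python
import ipaddress
import re

def classful(addr):
    """Classful network (A /8, B /16, C /24) that RIP's `network` statement works on."""
    first = int(addr.split(".")[0])
    return ipaddress.ip_network(f"{addr}/{8 if first < 128 else 16 if first < 192 else 24}", strict=False)

def parse(config):
    """Return (interface addresses, RIP networks, static prefixes) from IOS config text."""
    ifaces, rip, statics, section = {}, [], [], ""
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith(("interface ", "router ")) or line == "!":
            section = line
        elif section.startswith("interface ") and (m := re.match(r"ip address (\S+) (\d\S+)$", line)):
            ifaces[section.split()[1]] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
        elif section == "router rip" and line.startswith("network "):
            rip.append(classful(line.split()[1]))
        elif m := re.match(r"ip route (\S+) (\S+) ", line):
            statics.append(ipaddress.ip_network(f"{m[1]}/{m[2]}"))
    return ifaces, rip, statics

def rip_enabled(config):
    """Interfaces whose address falls inside a RIP network statement."""
    ifaces, rip, _ = parse(config)
    return sorted(name for name, a in ifaces.items() if any(a.ip in net for net in rip))

def statics_over_rip(config):
    """Non-default static prefixes; distance 1 wins over RIP's 120 for the same prefix."""
    return [str(p) for p in parse(config)[2] if p.prefixlen > 0]

# Constructed sample: routing-relevant lines of the hub config first posted in the thread.
HUB_BEFORE = """\
interface Tunnel0
 ip address 10.8.8.254 255.255.255.0
interface Vlan1
 ip address 192.168.0.254 255.255.255.0
router rip
 network 192.168.0.0
 neighbor 10.8.8.1
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 10.9.9.0 255.255.255.0 Tunnel0
"""
# Same lines after the change suggested in the reply: tunnel subnet in RIP, static removed.
HUB_AFTER = HUB_BEFORE.replace(" network 192", " network 10.0.0.0\n network 192")
HUB_AFTER = HUB_AFTER.replace("ip route 10.9.9.0 255.255.255.0 Tunnel0\n", "")

if __name__ == "__main__":
    print(rip_enabled(HUB_BEFORE), statics_over_rip(HUB_BEFORE), rip_enabled(HUB_AFTER))
```

With only `network 192.168.0.0`, the tunnel address 10.8.8.254 is outside every RIP network; `network 10.0.0.0` covers both the 10.8.8.0/24 tunnel subnet and a 10.9.9.0/24 LAN.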