Cisco Support Community
Community Member

Issue with DMVPN deployment

Hi Guys

I am trying to deploy DMVPN with one router placed at our head office as a Hub and our Branch as a spoke, but I actually want some sort of redundancy as I have two WAN links on my Hub router. Although I have one WAN link on the branch, what I did is create two tunnel interfaces on the branch, each pointing towards its respective ISP, so if one link goes down at the Hub, branches can stay connected through the other one.

Following is some more detail :

Hub two wan links

Hub two tunnel interfaces associated with each physical link accordingly

Branch One Wan link

Branch two tunnel interfaces associated with only physical link.

Problem:

As far as mGRE is concerned, everything is okay: my branch can connect two tunnels (using one physical link) to the Hub, which has two tunnel interfaces associated with the two different ISP interfaces, so if one goes down another is still available. But the problem occurs when I add crypto to my mGRE tunnel: out of the two tunnels from the branch, only one (the first one shown in the diagram) is coming up, but the second is not even creating a GRE tunnel with HO when using crypto; that's why there is no EIGRP neighbor relationship and no NHRP request over this tunnel.

My question is why I am not able to create an EIGRP neighborship when using crypto over GRE, whereas when I delete protection under the tunnel interface it works fine: the branch can form an EIGRP neighbor relationship, the NHRP entries are there, and the routes are populated in between. But why not when using crypto? Hope to hear from you guys soon.

For your reference, I am attaching the diagram of the topology; the following is the complete configuration of my scenario.

HUB

-----------------------------------------------------------XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX---------------------------------------------------------

crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto isakmp invalid-spi-recovery
!
!

crypto ipsec transform-set B1 esp-3des esp-md5-hmac
mode transport
crypto ipsec transform-set B2 esp-3des esp-md5-hmac
mode transport
!
crypto ipsec profile B1
set security-association lifetime seconds 120
set transform-set B1
!
crypto ipsec profile B2
set security-association lifetime seconds 120
set transform-set B2
!

!
!
!
interface Loopback1
no ip address
!
interface Tunnel1
ip address 10.10.10.1 255.255.255.0
no ip redirects
ip nhrp map multicast 178.135.52.94
ip nhrp map 10.10.10.2 178.135.52.94
ip nhrp network-id 1
no ip split-horizon eigrp 100
no ip split-horizon eigrp 101
delay 2000
keepalive 10 5
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 1
tunnel protection ipsec profile B1
!
interface Tunnel2
ip address 172.16.2.1 255.255.255.0
no ip redirects
no ip next-hop-self eigrp 100
no ip next-hop-self eigrp 101
ip nhrp map multicast 178.135.52.94
ip nhrp map 172.16.2.2 178.135.52.94
ip nhrp network-id 2
no ip split-horizon eigrp 100
no ip split-horizon eigrp 101
delay 2000
keepalive 10 5
tunnel source FastEthernet1/0
tunnel mode gre multipoint
tunnel key 2
tunnel protection ipsec profile B2


interface FastEthernet0/0
description Primary interface on Hub for Branches to connect
ip address 62.149.74.66 255.255.255.240
duplex auto
speed auto
!
interface FastEthernet1/0
description Secondary interface on Hub for Branches to connect
ip address 62.149.75.1 255.255.255.252
no ip route-cache cef
duplex auto
speed auto
!
interface FastEthernet2/0
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
!
router eigrp 100
network 10.10.10.0 0.0.0.255
network 192.168.1.0
no auto-summary
!
router eigrp 101
network 172.16.2.0 0.0.0.255
network 192.168.1.0
no auto-summary
!

!
no ip http server
no ip http secure-server
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 62.149.74.67 track 1
ip route 0.0.0.0 0.0.0.0 62.149.75.2 track 2
!
!

SPOKE

-----------------------------------------------------------XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX---------------------------------------------------------

Crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set aXX esp-3des esp-md5-hmac
mode transport
crypto ipsec transform-set B1 esp-3des esp-md5-hmac
mode transport
!
crypto ipsec profile B1
set security-association lifetime seconds 120
set transform-set B1
!
crypto ipsec profile aXX
set security-association lifetime seconds 120
set transform-set aXX
!
!
!
!
!
interface Loopback0
ip address 192.168.124.14 255.255.255.0
!
interface Tunnel1
ip address 10.10.10.2 255.255.255.0
no ip redirects
ip nhrp map multicast 62.149.74.66
ip nhrp map 10.10.10.1 62.149.74.66
ip nhrp network-id 1
ip nhrp nhs 10.10.10.1
delay 1000
keepalive 10 5
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 1
tunnel protection ipsec profile B1
!
interface Tunnel2
ip address 172.16.2.2 255.255.255.0
no ip redirects
no ip next-hop-self eigrp 100
no ip next-hop-self eigrp 101
ip nhrp map multicast 62.149.75.1
ip nhrp map 172.16.2.1 62.149.75.1
ip nhrp network-id 2
ip nhrp holdtime 300
ip nhrp nhs 172.16.2.1
no ip split-horizon eigrp 100
no ip split-horizon eigrp 101
delay 2000
keepalive 10 5
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 2
tunnel protection ipsec profile axx
!
interface FastEthernet0/0
description Only interface used to connect with both tunnel destinations of Hub
ip address 178.135.52.94 255.255.255.252
duplex auto
speed auto
!
router eigrp 100
network 10.10.10.0 0.0.0.255
network 192.168.124.0
no auto-summary
!
router eigrp 101
network 172.16.2.0 0.0.0.255
network 192.168.124.0
no auto-summary
!
no ip http server
no ip http secure-server
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 178.135.52.93
!

Also check the attached network diagram.

Do let me know if you guys still have any issue, but please let me know the solution as soon as possible.

Regards

Salman Jamshed
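
An added example, not part of the original post: on IOS, tunnel interfaces that share one tunnel source and use tunnel protection are expected to reference a single IPsec profile with the `shared` keyword, and the spoke above has two protected tunnels on FastEthernet0/0 with different profiles and no `shared`. The sketch below checks a configuration for that condition; the function names are hypothetical and the sample is constructed from the spoke's Tunnel1/Tunnel2 lines.

```python
import re
from collections import defaultdict

# Constructed sample: the spoke's two tunnel interfaces, reduced to the relevant lines.
SPOKE_CONFIG = """\
interface Tunnel1
 tunnel source FastEthernet0/0
 tunnel protection ipsec profile B1
!
interface Tunnel2
 tunnel source FastEthernet0/0
 tunnel protection ipsec profile axx
!
"""

def parse_tunnels(config):
    """Return {tunnel_name: {"source": str, "profile": str, "shared": bool}}."""
    tunnels, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"interface (Tunnel\d+)$", line)
        if m:
            current = tunnels.setdefault(m.group(1), {"source": None, "profile": None, "shared": False})
        elif line.startswith("interface ") or line == "!":
            current = None  # left the tunnel block
        elif current is not None:
            if line.startswith("tunnel source "):
                current["source"] = line.split()[2]
            m = re.match(r"tunnel protection ipsec profile (\S+)( shared)?$", line)
            if m:
                current["profile"], current["shared"] = m.group(1), bool(m.group(2))
    return tunnels

def shared_source_findings(config):
    """Flag protected tunnels that share a source without one profile plus 'shared'."""
    by_source = defaultdict(list)
    for name, t in parse_tunnels(config).items():
        if t["source"] and t["profile"]:
            by_source[t["source"]].append((name, t))
    findings = []
    for source, group in by_source.items():
        if len(group) < 2:
            continue  # a single protected tunnel per source needs no sharing
        names = sorted(n for n, _ in group)
        if len({t["profile"] for _, t in group}) > 1:
            findings.append(f"{source}: {names} use different IPsec profiles")
        if not all(t["shared"] for _, t in group):
            findings.append(f"{source}: {names} lack the 'shared' keyword")
    return findings
```

The hub's tunnels use different source interfaces (FastEthernet0/0 and FastEthernet1/0), so the same check reports nothing for that side.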
