Multiple DMVPN tunnels on one router

tahequivoice
Level 2

We have a 7200 router with the VAM2+ card, and one functional GRE/IPsec DMVPN tunnel. We are trying to create another one since these are in an MPLS environment and can't be shared between customers.

I believe I may have the answer to my problem, but I need verification before proceeding. The new tunnel created appears to be accepting phase 1 & 2, the tunnel comes up, and I see inbound packets, but no returns. When I do a show crypto ipsec sa peer for the tunnel in question, the crypto map is the other tunnel's:

crypto map: Tunnel199-head-0

I should be seeing this:

interface: Tunnel300

Crypto map tag: Tunnel300-head-0,

First, can there be multiple DMVPN tunnels on one core router, and second, if so, does each one require a separate IP address to work?

7 Replies

auraza
Cisco Employee

You can have multiple tunnels, but I am not sure I understand what you mean by "does one require a separate IP address to work?"

Can you explain that in a little more detail?

Tunnel 199 is reached via 192.168.100.1

Tunnel 300 is reached via 192.168.100.1

Current setup: both tunnels use the same public IP. I did find a Cisco doc re: DMVPN, and from what I get from it each mGRE tunnel needs its own IP address, and I believe this is where my setup is failing. I will know later tonight when I can add the additional IPs to OSPF. If the remote comes up and routes, then problem solved.

I believe I found my answer in this sample config from the DMVPN design guide:

interface Tunnel0
 description Tunnel0
 bandwidth 100000
 ip address 10.56.0.1 255.255.252.0
 tunnel source 192.168.161.1
 tunnel mode gre multipoint
!
interface Tunnel1
 description Tunnel1
 bandwidth 100000
 ip address 10.56.16.1 255.255.252.0
 tunnel source 192.168.181.1

Tunnel source addresses use a unique IP.

Ah, so you were talking about the tunnel source.

The tunnel source can be the same; however, if you're using crypto and using the same tunnel source on an mGRE interface, you need to use the shared keyword at the end of the tunnel protection command on the tunnel interface. Also, you need to specify the interface, and not the IP address.

Let me know if that works.

Here is a document that talks about it:

http://www.cisco.com/en/US/docs/ios/security/configuration/guide/share_ipsec_w_tun_protect.html

I got it working last night with a new IP as the tunnel source. It's working as designed now.

Thanks for the tip! Replacing the tunnel source IP with the source interface made it work. So that others save time: I was setting up 2 DMVPN tunnels on the same router, one with IPsec, and 2 other DMVPN tunnels on another router with the same requirement. On the spoke routers, the shared keyword for the IPsec profile is not necessary, as they are connecting to 2 different routers.

There is one caveat to watch for:

On the 2900 spokes, the important part of the configuration is:

 ip nhrp authentication 111111
 ip nhrp map multicast 192.168.12.12
 ip nhrp network-id 111111
 ip nhrp holdtime 300
 ip nhrp nhs 10.11.9.12

while on the 1900s it needs:

 ip nhrp map 10.11.9.12 192.168.12.12
 ip nhrp map multicast 192.168.12.12
 ip nhrp network-id 222222
 ip nhrp holdtime 300
 ip nhrp nhs 10.11.9.12

P.S.: Do not put the same keys for an IPsec tunnel and a non-IPsec tunnel, as it will cause at least the IPsec tunnel to disconnect.

My2Cents:

One more factor that is required if we are using the same tunnel source is the tunnel key, to make the GRE packets unique; more details about that are mentioned here:

--

The tunnel source, tunnel destination, and tunnel key (triplet) must be unique for all tunnel interfaces on a router. For a multipoint GRE (mGRE) interface where the tunnel destination is not configured, the pair (tunnel source and tunnel key) must be unique. Incoming GRE packets are also matched to P2P GRE tunnels first; if there is no match, then they are matched to mGRE tunnels.

Source: https://goo.gl/mxq3VB

--
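The two rules the thread converges on (a unique source/destination/key triplet per tunnel, and the shared keyword on IPsec-protected mGRE tunnels that share a source) can be checked mechanically against a router config. This is an added example, not code from the thread or from Cisco; the interface names, profile names and the sample stanzas are constructed for it.

```python
# Added example, not from the thread: flag the two tunnel collisions discussed above in an
# IOS config. Rule 1: (tunnel source, destination, key) must be unique per router (for mGRE
# with no destination, the (source, key) pair). Rule 2: IPsec-protected mGRE tunnels sharing
# a source need 'shared' on 'tunnel protection'. SAMPLE_CONFIG is constructed for this check.
from collections import defaultdict

SAMPLE_CONFIG = """interface Tunnel199
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-A
!
interface Tunnel300
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-B
!
"""

def parse_tunnels(config):
    # Returns {name: {source, destination, key, mgre, protected, shared}} per Tunnel stanza.
    tunnels, cur = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface Tunnel"):
            cur = tunnels[raw.split()[1]] = dict(source=None, destination=None, key=None,
                                                 mgre=False, protected=False, shared=False)
        elif cur is not None and raw.startswith(" tunnel "):
            w = raw.split()
            if w[1] in ("source", "destination", "key"):
                cur[w[1]] = w[2]
            elif w[1:] == ["mode", "gre", "multipoint"]:
                cur["mgre"] = True
            elif w[1:4] == ["protection", "ipsec", "profile"]:
                cur["protected"], cur["shared"] = True, w[-1] == "shared"
        elif not raw.startswith(" "):
            cur = None  # '!' or any non-interface line ends the stanza
    return tunnels

def find_conflicts(tunnels):
    # Returns sorted finding strings; empty when both rules hold.
    findings, by_triplet, by_source = [], defaultdict(list), defaultdict(list)
    for name, t in tunnels.items():
        by_triplet[(t["source"], t["destination"], t["key"])].append(name)
        if t["mgre"] and t["protected"]:
            by_source[t["source"]].append(name)
    for triplet, names in by_triplet.items():
        if len(names) > 1:
            findings.append(f"duplicate (source, destination, key) {triplet}: {sorted(names)}")
    for src, names in by_source.items():
        for n in names:
            if len(names) > 1 and not tunnels[n]["shared"]:
                findings.append(f"{n}: IPsec mGRE on shared source {src} lacks 'shared'")
    return sorted(findings)
```

Adding `shared` alone clears only the second rule; a distinct `tunnel key` on each interface is still needed to make the (source, key) pair unique.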