Cisco Support Community

New Member

Site to Site VPN and DMVPN on same router ?

Does anyone have a configuration example with a DMVPN and a site-to-site VPN (not Easy VPN) on the same router?

If this is possible, what impact would the configuration have on the current DMVPN router? I have read that when adding an Easy VPN to a DMVPN router, mGRE stops functioning. Any help would be appreciated.

14 REPLIES
New Member

Re: Site to Site VPN and DMVPN on same router ?

Anyone have any ideas? I'll email any helper an iPint!

Sent from Cisco Technical Support iPhone App

Hall of Fame Super Silver

Site to Site VPN and DMVPN on same router ?

Yes, I've done that successfully.

Do you want an example with the DMVPN bit as a hub or as a spoke?

New Member


Hi Marvin

Can you share the example with the DMVPN hub and IPsec L2L on the same router with me, please?

Thank you very much in advance.

Best regards.

Hall of Fame Super Silver


I used CCP to build my configurations in this case as I had a lot going on (DMVPN, site-site VPN, remote access VPN, ZBFW, QoS, BGP and EIGRP!) and wanted it to all work together. You might try that for your case as well.

Here are the relevant bits for DMVPN + IPsec L2L. I've removed some of the ZBFW and QoS bits; you will have to adapt a bit for your environment:

! Inside LAN. The posted line read 192.168.0.0/24, which is the network
! address and cannot be assigned to an interface; .1 is assumed here.
interface GigabitEthernet0/0
 ip address 192.168.0.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/1
 description WAN$FW_OUTSIDE$
 bandwidth 1000000
 ip address x.x.x.x 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly in
 ip verify unicast reverse-path
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
 ! The static crypto map for the L2L tunnel sits on the same interface that
 ! Tunnel0 uses as its source. The two coexist because the L2L selectors
 ! (ACL XYZ) are LAN-to-LAN only and never match the DMVPN GRE/ESP packets.
 crypto map Crypto_Map
!
! L2L peer: bound to its own ISAKMP profile (and so its own keyring)
crypto map Crypto_Map 71 ipsec-isakmp
 description Tunnel to xxxxx
 set peer x.x.x.x
 set transform-set ESP-3DES-SHA
 set isakmp-profile L2LPRF
 match address XYZ
!
! Wildcard PSK for the DMVPN spokes: any peer address, one shared key
crypto keyring ccp-dmvpn-keyring
 pre-shared-key address 0.0.0.0 0.0.0.0 key xxxxx
!
! Dedicated key for the single L2L peer
crypto keyring L2LKEY
 pre-shared-key address x.x.x.x key xxxxx
!
crypto isakmp profile ccp-dmvpn-isakmprofile
 keyring ccp-dmvpn-keyring
 match identity address 0.0.0.0
! The L2L profile matches its peer on a /32, so that peer is authenticated
! with L2LKEY rather than the DMVPN wildcard key
crypto isakmp profile L2LPRF
 keyring L2LKEY
 match identity address x.x.x.x 255.255.255.255
!
crypto ipsec security-association replay window-size 1024
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode tunnel
crypto ipsec transform-set ESP-AES-SHA1 esp-aes 256 esp-sha-hmac
 mode tunnel
!
! CiscoCP_Profile1 references ISAKMP profile ciscocp-ike-profile-1, which
! belongs to the remote-access part of the config that was left out;
! Tunnel0 below uses CiscoCP_Profile2.
crypto ipsec profile CiscoCP_Profile1
 set transform-set ESP-3DES-SHA
 set isakmp-profile ciscocp-ike-profile-1
!
crypto ipsec profile CiscoCP_Profile2
 set transform-set ESP-AES-SHA1
 set isakmp-profile ccp-dmvpn-isakmprofile
!
interface Tunnel0
 description DMVPN Primary
 bandwidth 1000
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1400
 ! hub: re-advertise spoke routes to other spokes with the spoke as next hop
 no ip next-hop-self eigrp 192
 no ip split-horizon eigrp 192
 ip flow ingress
 ip flow egress
 ip nhrp authentication DMVPN_NW
 ip nhrp group Tu0
 ip nhrp map multicast dynamic
 ! CCP-QoS-Policy-2 is part of the QoS config that was removed from the post
 ip nhrp map group Tu0 service-policy output CCP-QoS-Policy-2
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 zone-member security dmvpn-zone
 ip tcp adjust-mss 1360
 ip summary-address eigrp 192 192.168.0.0 255.255.255.0
 delay 1000
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile CiscoCP_Profile2 shared
!
! Crypto ACL for the L2L map entry: LAN-to-LAN only, no GRE, no "any any"
ip access-list extended XYZ
 remark Traffic via VPN to XYZ Networks
 remark CCP_ACL Category=4
 permit ip 192.168.0.0 0.0.0.255 <XYZ net 1> 0.0.0.255
 permit ip 192.168.0.0 0.0.0.255 <XYZ net 2> 0.0.255.255
 permit ip 192.168.0.0 0.0.0.255 <XYZ net 3> 0.0.255.255
 permit ip 192.168.0.0 0.0.0.255 <XYZ net 4> 0.0.1.255
!
ip nat inside source list NAT interface GigabitEthernet0/1 overload
!
! NAT is applied before the crypto map classifies the packet, so the DMVPN
! overlay and the private networks reached over the VPNs are exempted here.
! An ACL made only of deny entries translates nothing; the closing permit
! was not in the post and is assumed.
ip access-list extended NAT
 deny ip 192.168.0.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny ip 192.168.0.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny ip 192.168.0.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 192.168.0.0 0.0.0.255 any
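How to confirm that the two crypto stacks in a config like the one above really are kept apart, as an added check that is not part of Marvin's post. These are standard IOS show/debug commands; 192.0.2.1 is a stand-in for the redacted L2L peer address, and the profile and ACL names are the ones from the posted config.

```ios
! Added check (not from the thread): verify that the L2L peer and the DMVPN
! peers land on different ISAKMP profiles/keyrings and different IPsec SAs,
! and that crypto map and tunnel protection are both active on Gi0/1.
! 192.0.2.1 is a placeholder for the L2L peer.
!
! 1. Which interfaces carry Crypto_Map, and which ACL/peer/profile entry 71 uses
show crypto map
!
! 2. One block per IKE session. Expect:
!      Peer: 192.0.2.1 ... Profile: L2LPRF   (Interface: GigabitEthernet0/1)
!      Peer: <spoke>  ... Profile: ccp-dmvpn-isakmprofile (Interface: Tunnel0)
show crypto session detail
!
! 3. IKE SAs in QM_IDLE / ACTIVE for both kinds of peer
show crypto isakmp sa detail
!
! 4. IPsec SAs. The L2L SA's local/remote ident must be the LAN pairs from
!    ACL XYZ with protocol 0; the DMVPN SAs are host-to-host selectors with
!    protocol 47 (GRE) only. A DMVPN peer showing a LAN selector, or the
!    L2L peer showing protocol 47, means the crypto ACL overlaps the tunnel.
show crypto ipsec sa peer 192.0.2.1
show crypto ipsec sa interface Tunnel0
!
! 5. NHRP/DMVPN state: every spoke UP with its NBMA address registered
show dmvpn detail
show ip nhrp
!
! 6. If a peer never gets past MM_NO_STATE, watch which profile and keyring
!    IKE chose for it (debug output names the matched profile)
debug crypto isakmp
```

If the L2L peer shows up under the DMVPN profile in step 2, IKE authenticated it with the wildcard keyring and the L2L pre-shared key was never used; that is the thing to fix before touching the crypto ACL.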
New Member


Thanks Marvin!

New Member


Another lost soul benefited by this thread... you rock, Marvin, thanks!

New Member


Hi,

I am having trouble, but my situation is a bit different. My interesting traffic is a GRE tunnel.

The tunnel destination is only reachable from a spoke.

For example:

! 10.0.0.2 is a valid spoke which can reach e.f.g.h
ip route e.f.g.h 255.255.255.255 10.0.0.2

My problem is that Tunnel100 does not invoke the ACL for interesting traffic, hence I cannot see any Phase 1 kick off.

Can anyone help me?

interface Loopback100
 ip address a.b.c.d 255.255.255.255
!
! point-to-point GRE tunnel; its own packets are the interesting traffic
interface Tunnel100
 ip address 100.0.0.1 255.255.255.252
 tunnel source a.b.c.d
 tunnel destination e.f.g.h
!
ip access-list extended XYZ
 permit gre host a.b.c.d host e.f.g.h
 deny ip any any
New Member

Re: Site to Site VPN and DMVPN on same router ?

That would be great if you could. I am looking for an example of a DMVPN spoke with an IPsec L2L configuration; the L2L should have a static crypto map, I would imagine...

Sent from Cisco Technical Support iPhone App

Hall of Fame Super Silver

Re: Site to Site VPN and DMVPN on same router ?

Yes, a crypto map selects the traffic presented to the outside interface for encapsulation into the site-to-site VPN. The DMVPN traffic is put into the tunnel based on EIGRP learning the routes to the other DMVPN sites via that interface.

Below are the pertinent bits from a working config. My example actually has two DMVPN hubs (primary and backup site) with preference given to the primary via a lower EIGRP delay.

! Spoke-side config. Pre-shared keys, the L2L peer address, the hubs' NBMA
! addresses, the outside interface address and the crypto ACL name were
! removed by the poster and are left blank below.
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
!
! Policy 71 pairs with crypto map entry 71 (the L2L peer); 3DES and MD5
! are weak by current standards.
crypto isakmp policy 71
 encr 3des
 hash md5
 authentication pre-share
 group 2
! Peer-specific key for the L2L peer and a wildcard key for the DMVPN
! peers; this spoke uses global keys rather than keyrings/ISAKMP profiles
crypto isakmp key address
crypto isakmp key address 0.0.0.0
!
crypto ipsec security-association replay window-size 1024
!
crypto ipsec transform-set Transform esp-aes 256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-SHA esp-aes 256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
 set transform-set ESP-AES-SHA
!
crypto map Crypto_Map 71 ipsec-isakmp
 description Tunnel
 set peer
 set transform-set ESP-3DES-SHA
 match address
!
! Two DMVPN clouds, both sourced from Gi0/1. "shared" on the tunnel
! protection is what allows two protected tunnels on one source, and each
! tunnel carries its own "tunnel key" and NHRP network-id to tell them apart.
interface Tunnel0
 description DMVPN Primary
 bandwidth 1000
 ip address 10.0.0.5 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1400
 ip flow ingress
 ip nhrp authentication DMVPN_NW
 ip nhrp map multicast
 ip nhrp map 10.0.0.1
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip nhrp nhs 10.0.0.1
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile CiscoCP_Profile1 shared
!
interface Tunnel1
 description DMVPN Secondary
 bandwidth 1000
 ip address 10.0.1.5 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1400
 ip flow ingress
 ip nhrp authentication DMVPN_NW
 ip nhrp map multicast
 ip nhrp map 10.0.1.4
 ip nhrp network-id 110000
 ip nhrp holdtime 360
 ip nhrp nhs 10.0.1.4
 ip tcp adjust-mss 1360
 ! higher delay than Tunnel0, so EIGRP prefers the primary hub
 delay 2000
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel key 110000
 tunnel protection ipsec profile CiscoCP_Profile1 shared
!
interface Null0
 no ip unreachables
!
interface GigabitEthernet0/0
 description inside
 ip address 192.168.5.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
 no ip route-cache cef
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/1
 description outside
 ip address 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly in
 ip verify unicast reverse-path
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
 crypto map Crypto_Map
!
router eigrp 192
 network 10.0.0.0 0.0.0.255
 network 10.0.1.0 0.0.0.255
 network 192.168.5.0
 distance eigrp 15 16
!
ip forward-protocol nd
!
! Crypto ACL for map entry 71 (name removed): local LAN to the L2L networks
ip access-list extended
 remark Traffic via VPN
 permit ip 192.168.5.0 0.0.0.255 192.168.100.0 0.0.0.255
 permit ip 192.168.5.0 0.0.0.255 192.168.65.0 0.0.0.255
 permit ip 192.168.5.0 0.0.0.255 172.30.0.0 0.0.255.255
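A complete, self-consistent spoke that combines the two posts above, as an added example that is not Marvin's config or Cisco's: it uses keyrings and ISAKMP profiles (as the hub config earlier in the thread does) instead of global crypto isakmp key entries, and it spells out the two places where the L2L crypto map and the DMVPN tunnel can collide, the crypto ACL and the NAT ACL. Every address, key and name in it is assumed, and only one DMVPN cloud is shown.

```ios
! Added example, not from the thread. DMVPN spoke plus a static site-to-site
! IPsec tunnel on the same outside interface. All values are assumed:
!   203.0.113.10   this spoke, Gi0/1          198.51.100.1  hub NBMA address
!   10.0.0.1/.5    hub/spoke inside the cloud 192.0.2.1     L2L peer
!   192.168.5.0/24 local LAN                  172.30.0.0/16 L2L peer's LAN
!
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
!
crypto keyring DMVPN-KEYRING
 ! any DMVPN peer (hub or another spoke) may present this key
 pre-shared-key address 0.0.0.0 0.0.0.0 key DMVPN-PSK-PLACEHOLDER
crypto keyring L2L-KEYRING
 pre-shared-key address 192.0.2.1 key L2L-PSK-PLACEHOLDER
!
! One ISAKMP profile per peer type. The L2L profile matches its peer on a
! /32, the DMVPN profile is the wildcard; confirm with
! "show crypto session detail" that 192.0.2.1 reports Profile: L2L-IKE.
crypto isakmp profile L2L-IKE
 keyring L2L-KEYRING
 match identity address 192.0.2.1 255.255.255.255
crypto isakmp profile DMVPN-IKE
 keyring DMVPN-KEYRING
 match identity address 0.0.0.0
!
! GRE is already host-to-host, so the DMVPN set runs in transport mode;
! the LAN-to-LAN L2L traffic needs tunnel mode.
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec transform-set L2L-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile DMVPN-IPSEC
 set transform-set DMVPN-TS
 set isakmp-profile DMVPN-IKE
!
! Crypto ACL for the L2L map: LAN-to-LAN only. A broad entry such as
! "permit ip any any" would also match the spoke's own GRE/ESP packets
! leaving Gi0/1 and hand the DMVPN traffic to this map.
ip access-list extended L2L-ACL
 permit ip 192.168.5.0 0.0.0.255 172.30.0.0 0.0.255.255
!
crypto map L2L-MAP 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set L2L-TS
 set isakmp-profile L2L-IKE
 match address L2L-ACL
!
interface Tunnel0
 description DMVPN to hub
 ip address 10.0.0.5 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication DMVPN_NW
 ip nhrp map 10.0.0.1 198.51.100.1
 ip nhrp map multicast 198.51.100.1
 ip nhrp network-id 100000
 ip nhrp nhs 10.0.0.1
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel key 100000
 ! add "shared" here (and a distinct "tunnel key" on each tunnel) only when
 ! a second protected tunnel uses Gi0/1 as its source, as in the posted
 ! two-hub config
 tunnel protection ipsec profile DMVPN-IPSEC
!
interface GigabitEthernet0/1
 description outside
 ip address 203.0.113.10 255.255.255.248
 ip nat outside
 crypto map L2L-MAP
!
interface GigabitEthernet0/0
 description inside
 ip address 192.168.5.1 255.255.255.0
 ip nat inside
!
! NAT is applied before the crypto map sees the packet, so traffic for the
! DMVPN overlay, the remote DMVPN LANs and the L2L peer's LAN is exempted;
! otherwise it leaves as 203.0.113.10 and never matches L2L-ACL.
ip access-list extended NAT-ACL
 deny   ip 192.168.5.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 192.168.5.0 0.0.0.255 172.30.0.0 0.0.255.255
 deny   ip 192.168.5.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 192.168.5.0 0.0.0.255 any
ip nat inside source list NAT-ACL interface GigabitEthernet0/1 overload
!
router eigrp 192
 network 10.0.0.0 0.0.0.255
 network 192.168.5.0
```

The L2L peer's ISAKMP policy has to match policy 10 here; if the far end only offers 3DES/MD5, as policy 71 in the posted config suggests, add that as a separate, lower-preference policy rather than weakening the one the DMVPN peers use.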

New Member

Site to Site VPN and DMVPN on same router ?

Sorry to steal someone's thread (I did post my own thread also), but I have a very similar issue and, since this is a very recent thread, I wanted to ask: did you have any issues with this setup? I have the same setup, a DMVPN spoke and an IPsec site-to-site tunnel, and as soon as I enable the crypto map on the outside interface, the DMVPN drops. If I remove the crypto map, the DMVPN comes right back up. The config was already very similar to the one listed above, and I then went in and added any configuration that was missing in mine, but the problem persists. Did you experience this at all? Any thoughts?

Thanks

New Member

Re: Site to Site VPN and DMVPN on same router ?

Thanks

Sent from Cisco Technical Support iPhone App

New Member

Re: Site to Site VPN and DMVPN on same router ?

Do you know if there is an example of DMVPN on a ZBFW?

Sent from Cisco Technical Support iPhone App

Hall of Fame Super Silver

Re: Site to Site VPN and DMVPN on same router ?

Yes, actually my sites are using ZBFW also. I removed those bits as not relevant to the original question.

The tunnel interfaces have "zone-member security dmvpn-zone".

The firewall bits are:

! CCP-generated ZBFW config. ACLs 101, 102 and 103 are referenced but were
! not included in the post; the zone-member lines for Gi0/0 (in-zone) and
! Gi0/1 (out-zone) were also left out.
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
 match access-group 103
class-map type inspect match-any SDM_AH
 match access-group name SDM_AH
class-map type inspect match-any ccp-skinny-inspect
 match protocol skinny
class-map type inspect match-any SDM_IP
 match access-group name SDM_IP
class-map type inspect match-all all-private
 match access-group name ZBF
class-map type inspect match-any ccp-h323nxg-inspect
 match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
 match protocol h225ras
class-map type inspect match-any SDM_ESP
 match access-group name SDM_ESP
class-map type inspect match-any ccp-h323annexe-inspect
 match protocol h323-annexe
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol dns
 match protocol ftp
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-any SDM_GRE
 match access-group name SDM_GRE
class-map type inspect match-any ccp-h323-inspect
 match protocol h323
class-map type inspect match-all ccp-invalid-src
 match access-group 101
class-map type inspect match-any ccp-sip-inspect
 match protocol sip
class-map type inspect match-all ccp-protocol-http
 match protocol http
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
! IKE, ESP, AH and GRE: the control and data plane of both VPNs
class-map type inspect match-any SDM_DMVPN_TRAFFIC
 match protocol isakmp
 match protocol ipsec-msft
 match class-map SDM_AH
 match class-map SDM_GRE
 match class-map SDM_ESP
class-map type inspect match-any SDM_VPN_TRAFFIC
 match protocol isakmp
 match protocol ipsec-msft
 match class-map SDM_AH
 match class-map SDM_ESP
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
! match-all: VPN traffic AND sourced from the peers listed in ACL 102
class-map type inspect match-all SDM_DMVPN_PT
 match access-group 102
 match class-map SDM_DMVPN_TRAFFIC
!
policy-map type inspect sdm-permit-gre
 class type inspect SDM_GRE
  pass
 class class-default
  drop log
! Priv_Pub_pmap (and ACL ZBF) are not attached to any zone-pair below
policy-map type inspect Priv_Pub_pmap
 class type inspect all-private
  inspect
 class class-default
  drop
policy-map type inspect sdm-pol-VPNOutsideToInside-1
 class type inspect sdm-cls-VPNOutsideToInside-1
  inspect
 class class-default
  drop
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect
 class type inspect ccp-insp-traffic
  inspect
 class type inspect ccp-sip-inspect
  inspect
 class type inspect ccp-h323-inspect
  inspect
 class type inspect ccp-h323annexe-inspect
  inspect
 class type inspect ccp-h225ras-inspect
  inspect
 class type inspect ccp-h323nxg-inspect
  inspect
 class type inspect ccp-skinny-inspect
  inspect
 class class-default
  drop
policy-map type inspect ccp-permit
 class type inspect SDM_DMVPN_PT
  pass
 class class-default
  drop
policy-map type inspect sdm-permit-ip
 class type inspect SDM_IP
  pass
 class class-default
  drop log
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
!
zone security dmvpn-zone
zone security in-zone
zone security out-zone
! in-zone <-> dmvpn-zone: everything passes uninspected (SDM_IP = permit ip any any)
zone-pair security sdm-zp-in-gre1 source in-zone destination dmvpn-zone
 service-policy type inspect sdm-permit-ip
! out-zone -> self: only the VPN control/data traffic from ACL 102 peers
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security sdm-zp-gre-in1 source dmvpn-zone destination in-zone
 service-policy type inspect sdm-permit-ip
zone-pair security ccp-zp-out-gre source out-zone destination dmvpn-zone
 service-policy type inspect sdm-permit-gre
zone-pair security ccp-zp-gre-out source dmvpn-zone destination out-zone
 service-policy type inspect sdm-permit-gre
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
! decrypted L2L traffic enters on Gi0/1 (out-zone) and is filtered by ACL 103
zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-VPNOutsideToInside-1
!
ip access-list extended SDM_AH
 remark CCP_ACL Category=1
 permit ahp any any
ip access-list extended SDM_ESP
 remark CCP_ACL Category=1
 permit esp any any
ip access-list extended SDM_GRE
 remark CCP_ACL Category=1
 permit gre any any
ip access-list extended SDM_IP
 remark CCP_ACL Category=0
 permit ip any any
ip access-list extended ZBF
 permit ip any any
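The checks a practitioner would run against the zone layout above to see which zone-pair is handling (or dropping) each VPN's traffic, as an added example that is not part of Marvin's post. The zone-pair and class names are the ones from the posted config; nothing else is assumed.

```ios
! Added check, not from the thread: trace both VPNs through the ZBFW above.
!
! 1. Every interface must belong to a zone: Gi0/0 in in-zone, Gi0/1 in
!    out-zone, Tunnel0/1 in dmvpn-zone. An interface in no zone cannot
!    talk to any interface that is in one.
show zone security
show zone-pair security
!
! 2. IKE, ESP and GRE from the DMVPN peers are addressed to the router
!    itself, so they are governed by out-zone -> self (policy ccp-permit,
!    class SDM_DMVPN_PT = ACL 102 AND isakmp/ipsec-msft/AH/ESP/GRE).
!    The L2L peer's IKE/ESP also terminates on self, so ACL 102 (not
!    shown in the post) has to cover that peer too, or its IKE is dropped
!    by class-default before the crypto map ever sees it.
show policy-map type inspect zone-pair ccp-zp-out-self
show policy-map type inspect zone-pair ccp-zp-out-self sessions
!
! 3. Decrypted L2L traffic enters on Gi0/1 (out-zone) bound for in-zone
!    and is filtered by ACL 103 (also not shown); decrypted DMVPN traffic
!    enters on the tunnel interfaces and takes the dmvpn-zone pairs,
!    which pass everything, so the DMVPN cloud is fully trusted here.
show policy-map type inspect zone-pair sdm-zp-VPNOutsideToInside-1 sessions
show policy-map type inspect zone-pair sdm-zp-gre-in1 sessions
!
! 4. Per-class packet and drop counters for any pair that is suspected of
!    eating traffic: a rising class-default count is the usual culprit
show policy-map type inspect zone-pair ccp-zp-in-out
```

The per-zone-pair counters are the quickest way to tell a ZBFW drop from a crypto problem: if the out-zone to self pair shows drops while the crypto map or tunnel is being brought up, the firewall is in the way and no amount of IKE debugging will show it.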


New Member

Re: Site to Site VPN and DMVPN on same router ?

That's brilliant thanks a lot - much appreciated

Sent from Cisco Technical Support iPhone App
