01-20-2014 07:35 AM - edited 03-04-2019 10:07 PM
Hi all,
I have a DMVPN cloud that encompasses about 8 remote sites connect to Head Office.
It is dsl connection from one telco (Telco 1 ).
For redundancy I am looking to engage another telco (Telco 2l) to connect my 8 remote sites to head office
What I would like to do is add another DSL interface to all of my 8 remote site routers and enable a secondary (backup) cloud in case my first telco (gtt) link fails. Is this possible?
Regards
Jomo
01-20-2014 09:59 AM
Jomo,
Would the backup tunnel be terminating to the same destination address? If so, I wouldn't think you'd need to do anything special with the dmvpn configuration other than have a floating static default route on the router for the new isp. If they're going to different destination addresses, you can have a tunnel be a backup of the other where the second tunnel is down until needed, or you can keep both tunnels up and then manipulate routing protocols where all traffic goes over the preferred tunnel.
Actually, now that I think about it, you did say that you were going to add another interface...I'll lab this up and let you know. I think you'll be ok having two tunnels though.
HTH,
John
*** Please rate all useful posts ***
01-20-2014 10:28 AM
Hello John,
The destination address will different and I would like to keep both tunnels up.
The issue is I am unsure how to configure the second dmvpn cloud with different ipsec profile since
I do not want to use the same ipsec profile with the shared key word on both tunnels.
Could any one assist with a configuration template.
Regards
01-20-2014 02:21 PM
Jomo,
Could you create two different profiles and apply each one to a different tunnel?
I have 3 routers - R2, R3, and R4. R4 connects to R2 and R3 via dmvpn and ipsec tunnels. I've never played with the shared keyword before, but you should be able to create two different profiles. My R4 configuration is below:
crypto isakmp policy 10
encr 3des
authentication pre-share
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set Hub esp-aes esp-md5-hmac
!
crypto ipsec profile Hub
set transform-set Hub
!
crypto ipsec profile Hub2
set transform-set Hub
interface Tunnel1
ip address 192.168.234.4 255.255.255.0
ip mtu 1400
ip nhrp map 192.168.234.2 10.24.0.2
ip nhrp map multicast 10.24.0.2
ip nhrp network-id 234
ip nhrp nhs 192.168.234.2
tunnel source FastEthernet0/0
tunnel destination 10.24.0.2
tunnel protection ipsec profile Hub
!
interface Tunnel2
ip address 192.168.34.4 255.255.255.0
ip mtu 1400
ip nhrp map 192.168.34.3 10.34.0.3
ip nhrp map multicast 10.34.0.3
ip nhrp network-id 234
ip nhrp nhs 192.168.34.3
tunnel source FastEthernet0/1
tunnel destination 10.34.0.3
tunnel protection ipsec profile Hub2
!
R4(config)#do sh crypto session
Crypto session current status
Interface: Tunnel1
Session status: UP-ACTIVE
Peer: 10.24.0.2 port 500
IKE SA: local 10.24.0.4/500 remote 10.24.0.2/500 Active
IPSEC FLOW: permit 47 host 10.24.0.4 host 10.24.0.2
Active SAs: 2, origin: crypto map
Interface: Tunnel2
Session status: UP-ACTIVE
Peer: 10.34.0.3 port 500
IKE SA: local 10.34.0.4/500 remote 10.34.0.3/500 Active
IPSEC FLOW: permit 47 host 10.34.0.4 host 10.34.0.3
Active SAs: 2, origin: crypto map
R4(config)#do sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incompletea
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
Tunnel1, Type:Spoke, NHRP Peers:1,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 10.24.0.2 192.168.234.2 UP 00:12:56 S
Tunnel2, Type:Spoke, NHRP Peers:1,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 10.34.0.3 192.168.34.3 UP 01:15:40 S
The results show that I'm encrypting traffic to both destinations. You could run a routing protocol over the tunnel and play with metrics to get the desired result.
HTH,
John
*** Please rate all useful posts ***
01-21-2014 04:22 AM
Hello John,
I look thru your reponse, but I notice your two tunnels are coming from two different tunnel source.
The problem with this is , all my clients at the remote location I will have to use two seperate gateway.
The ideal situation would be one tunnel source but two different ipsec profile, with this config I will not have two
different gateway at the respective remote location.
I also notice the ip nhrp network-id is the same for both tunnels , how is the two dmvpn cloud indentified ?
interface Tunnel1
ip address 192.168.234.4 255.255.255.0
ip mtu 1400
ip nhrp map 192.168.234.2 10.24.0.2
ip nhrp map multicast 10.24.0.2
ip nhrp network-id 234
ip nhrp nhs 192.168.234.2
tunnel source FastEthernet0/0 ------------------------------------------------------- Lan interface 1
tunnel destination 10.24.0.2
tunnel protection ipsec profile Hub
!
interface Tunnel2
ip address 192.168.34.4 255.255.255.0
ip mtu 1400
ip nhrp map 192.168.34.3 10.34.0.3
ip nhrp map multicast 10.34.0.3
ip nhrp network-id 234
ip nhrp nhs 192.168.34.3
tunnel source FastEthernet0/1 --------------------------------------------------- Lan interface 2
tunnel destination 10.34.0.3
tunnel protection ipsec profile Hub2
Regards
01-20-2014 03:17 PM
If you already a DMVPN network working with the first set of internet connections and you are looking to implement a second set of internet connections I'd look into a dual cloud DMVPN solution.
Sent from Cisco Technical Support iPad App
01-21-2014 04:38 AM
Hello SOcchiogrosso
I am interested in your suggestion, do you have a working template or example.
I would like two dmvpn cloud same tunnel source and if possibe two ipsec profile .
Is the above requirements possible?
Regards
01-21-2014 06:21 PM
A few good links for DMVPN
http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/DMVPN_1.html
http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/DMVPN_2_Phase2.pdf
https://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/VPNLoad/ch8_Dual.pdf
This is a quick sample I've used:
! - Key Rings for PSK's
crypto keyring Key-Primary
pre-shared-key address 0.0.0.0 0.0.0.0 key ####
crypto keyring Key-Secondary
pre-shared-key address 0.0.0.0 0.0.0.0 key ####
! -ISAKMP Policies, generic IPSec VPN
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp invalid-spi-recovery
crypto isakmp profile IKE-Primary
keyring Key-Primary
match identity address <####>
crypto isakmp profile IKE-Secondary
keyring Key-Secondary
match identity address <####>
! - Typical Transform-set for VPN
crypto ipsec transform-set DMVPN-TSET esp-aes esp-sha-hmac
! - IPSec Profiles for the tunnel interfaces
crypto ipsec profile IPSec-Primary
set transform-set DMVPN-TSET
set isakmp-profile IKE-Primary
!
crypto ipsec profile IPSec-Secondary
set transform-set DMVPN-TSET
set isakmp-profile IKE-Secondary
! -Tunnel Interfaces
! - Tunnel1 is a hub for Cloud1.
! - Tunnel2 is a spoke for Cloud2
! - Cloud2's hub exists on another router so both clouds do not depend a single router.
interface Tunnel1
description DMVPN Cloud 1
bandwidth 1000
ip address
no ip redirects
ip mtu 1400
ip nhrp authentication ####
ip nhrp map multicast dynamic
ip nhrp network-id ####
ip nhrp holdtime 300
ip virtual-reassembly
ip tcp adjust-mss 1360
tunnel source
tunnel mode gre multipoint
tunnel key ####
tunnel protection ipsec profile IPSec-Primary
!
interface Tunnel2
description DMVPN Cloud 2
ip address
no ip redirects
ip mtu 1400
ip nhrp authentication ####
ip nhrp map
ip nhrp map multicast
ip nhrp network-id ####
ip nhrp holdtime 300
ip nhrp nhs
ip tcp adjust-mss 1360
tunnel source
tunnel mode gre multipoint
tunnel key ####
tunnel protection ipsec profile IPSec-Secondary
--
CCNP, CCIP, CCDP, CCNA: Security/Wireless
Blog: http://ccie-or-null.net/
01-22-2014 08:59 AM
Hello.
The primary problem with 2 clouds bound to 2 interfaces is routing.
Unless you have all the statics that lead to all the peers via correct interface, you will experience problems. This won't be a problem for spokes if they communicate only to hub, but for hubs...
The easiest way to fix routing is to create new VRF for backup DSL.
New DMVPN cloud would use this VRF as a transport.
Implementing VRF on spokes as well would solve your issue: "The problem with this is , all my clients at the remote location I will have to use two seperate gateway".
Please let me know if you need sample configuration for DMVPN using VRF WAN.
PS: I would not use equal nhrp network-id on both interfaces.
PS2: all the examples earlier would work only if you configure routing over propper interfaces; command "tunnel source ..." does not define outgoing interface, but only source IP-address for tunnel traffic (udp4500 or esp). That is why they work fine on GNS.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide