Re: backup dmvpn cloud

jomo frank · ‎01-20-2014

Hi all,

I have a DMVPN cloud that encompasses about 8 remote sites connect to Head Office.

It is dsl connection from one telco (Telco 1 ).

For redundancy I am looking to engage another telco (Telco 2l) to connect my 8 remote sites to head office

What I would like to do is add another DSL interface to all of my 8 remote site routers and enable a secondary (backup) cloud in case my first telco (gtt) link fails. Is this possible?

Regards

Jomo

John Blakley · ‎01-20-2014

Jomo,

Would the backup tunnel be terminating to the same destination address? If so, I wouldn't think you'd need to do anything special with the dmvpn configuration other than have a floating static default route on the router for the new isp. If they're going to different destination addresses, you can have a tunnel be a backup of the other where the second tunnel is down until needed, or you can keep both tunnels up and then manipulate routing protocols where all traffic goes over the preferred tunnel.

Actually, now that I think about it, you did say that you were going to add another interface...I'll lab this up and let you know. I think you'll be ok having two tunnels though.

HTH,
John

*** Please rate all useful posts ***

HTH, John *** Please rate all useful posts ***

jomo frank · ‎01-20-2014

Hello John,

The destination address will different and I would like to keep both tunnels up.

The issue is I am unsure how to configure the second dmvpn cloud with different ipsec profile since

I do not want to use the same ipsec profile with the shared key word on both tunnels.

Could any one assist with a configuration template.

Regards

John Blakley · ‎01-20-2014

Jomo,

Could you create two different profiles and apply each one to a different tunnel?

I have 3 routers - R2, R3, and R4. R4 connects to R2 and R3 via dmvpn and ipsec tunnels. I've never played with the shared keyword before, but you should be able to create two different profiles. My R4 configuration is below:

crypto isakmp policy 10

encr 3des

authentication pre-share

crypto isakmp key cisco address 0.0.0.0 0.0.0.0

!

crypto ipsec transform-set Hub esp-aes esp-md5-hmac

!

crypto ipsec profile Hub

set transform-set Hub

!

crypto ipsec profile Hub2

set transform-set Hub

interface Tunnel1

ip address 192.168.234.4 255.255.255.0

ip mtu 1400

ip nhrp map 192.168.234.2 10.24.0.2

ip nhrp map multicast 10.24.0.2

ip nhrp network-id 234

ip nhrp nhs 192.168.234.2

tunnel source FastEthernet0/0

tunnel destination 10.24.0.2

tunnel protection ipsec profile Hub

!

interface Tunnel2

ip address 192.168.34.4 255.255.255.0

ip mtu 1400

ip nhrp map 192.168.34.3 10.34.0.3

ip nhrp map multicast 10.34.0.3

ip nhrp network-id 234

ip nhrp nhs 192.168.34.3

tunnel source FastEthernet0/1

tunnel destination 10.34.0.3

tunnel protection ipsec profile Hub2

!

R4(config)#do sh crypto session

Crypto session current status

Interface: Tunnel1

Session status: UP-ACTIVE

Peer: 10.24.0.2 port 500

IKE SA: local 10.24.0.4/500 remote 10.24.0.2/500 Active

IPSEC FLOW: permit 47 host 10.24.0.4 host 10.24.0.2

Active SAs: 2, origin: crypto map

Interface: Tunnel2

Session status: UP-ACTIVE

Peer: 10.34.0.3 port 500

IKE SA: local 10.34.0.4/500 remote 10.34.0.3/500 Active

IPSEC FLOW: permit 47 host 10.34.0.4 host 10.34.0.3

Active SAs: 2, origin: crypto map

R4(config)#do sh dmvpn

Legend: Attrb --> S - Static, D - Dynamic, I - Incompletea

N - NATed, L - Local, X - No Socket

# Ent --> Number of NHRP entries with same NBMA peer

Tunnel1, Type:Spoke, NHRP Peers:1,

# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb

----- --------------- --------------- ----- -------- -----

1 10.24.0.2 192.168.234.2 UP 00:12:56 S

Tunnel2, Type:Spoke, NHRP Peers:1,

# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb

----- --------------- --------------- ----- -------- -----

1 10.34.0.3 192.168.34.3 UP 01:15:40 S

The results show that I'm encrypting traffic to both destinations. You could run a routing protocol over the tunnel and play with metrics to get the desired result.

HTH,
John

*** Please rate all useful posts ***

HTH, John *** Please rate all useful posts ***

jomo frank · ‎01-21-2014

Hello John,

I look thru your reponse, but I notice your two tunnels are coming from two different tunnel source.

The problem with this is , all my clients at the remote location I will have to use two seperate gateway.

The ideal situation would be one tunnel source but two different ipsec profile, with this config I will not have two

different gateway at the respective remote location.

I also notice the ip nhrp network-id is the same for both tunnels , how is the two dmvpn cloud indentified ?

interface Tunnel1

ip address 192.168.234.4 255.255.255.0

ip mtu 1400

ip nhrp map 192.168.234.2 10.24.0.2

ip nhrp map multicast 10.24.0.2

ip nhrp network-id 234

ip nhrp nhs 192.168.234.2

tunnel source FastEthernet0/0 ------------------------------------------------------- Lan interface 1

tunnel destination 10.24.0.2

tunnel protection ipsec profile Hub

!

interface Tunnel2

ip address 192.168.34.4 255.255.255.0

ip mtu 1400

ip nhrp map 192.168.34.3 10.34.0.3

ip nhrp map multicast 10.34.0.3

ip nhrp network-id 234

ip nhrp nhs 192.168.34.3

tunnel source FastEthernet0/1 --------------------------------------------------- Lan interface 2

tunnel destination 10.34.0.3

tunnel protection ipsec profile Hub2

Regards

SOcchiogrosso · ‎01-20-2014

If you already a DMVPN network working with the first set of internet connections and you are looking to implement a second set of internet connections I'd look into a dual cloud DMVPN solution.

Sent from Cisco Technical Support iPad App

-- CCNP, CCIP, CCDP, CCNA: Security/Wireless Blog: http://ccie-or-null.net/

jomo frank · ‎01-21-2014

Hello SOcchiogrosso

I am interested in your suggestion, do you have a working template or example.

I would like two dmvpn cloud same tunnel source and if possibe two ipsec profile .

Is the above requirements possible?

Regards

SOcchiogrosso · ‎01-21-2014

A few good links for DMVPN

http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/DMVPN_1.html

http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/DMVPN_2_Phase2.pdf

https://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/VPNLoad/ch8_Dual.pdf

This is a quick sample I've used:

! - Key Rings for PSK's

crypto keyring Key-Primary

pre-shared-key address 0.0.0.0 0.0.0.0 key ####

crypto keyring Key-Secondary

pre-shared-key address 0.0.0.0 0.0.0.0 key ####

! -ISAKMP Policies, generic IPSec VPN

crypto isakmp policy 10

encr aes

authentication pre-share

group 2

crypto isakmp invalid-spi-recovery

crypto isakmp profile IKE-Primary

keyring Key-Primary

match identity address <####>

crypto isakmp profile IKE-Secondary

keyring Key-Secondary

match identity address <####>

! - Typical Transform-set for VPN

crypto ipsec transform-set DMVPN-TSET esp-aes esp-sha-hmac

! - IPSec Profiles for the tunnel interfaces

crypto ipsec profile IPSec-Primary

set transform-set DMVPN-TSET

set isakmp-profile IKE-Primary

!

crypto ipsec profile IPSec-Secondary

set transform-set DMVPN-TSET

set isakmp-profile IKE-Secondary

! -Tunnel Interfaces

! - Tunnel1 is a hub for Cloud1.

! - Tunnel2 is a spoke for Cloud2

! - Cloud2's hub exists on another router so both clouds do not depend a single router.

interface Tunnel1

description DMVPN Cloud 1

bandwidth 1000

ip address

no ip redirects

ip mtu 1400

ip nhrp authentication ####

ip nhrp map multicast dynamic

ip nhrp network-id ####

ip nhrp holdtime 300

ip virtual-reassembly

ip tcp adjust-mss 1360

tunnel source

tunnel mode gre multipoint

tunnel key ####

tunnel protection ipsec profile IPSec-Primary

!

interface Tunnel2

description DMVPN Cloud 2

ip address

no ip redirects

ip mtu 1400

ip nhrp authentication ####

ip nhrp map

ip nhrp map multicast

ip nhrp network-id ####

ip nhrp holdtime 300

ip nhrp nhs

ip tcp adjust-mss 1360

tunnel source

tunnel mode gre multipoint

tunnel key ####

tunnel protection ipsec profile IPSec-Secondary

--
CCNP, CCIP, CCDP, CCNA: Security/Wireless
Blog: http://ccie-or-null.net/

-- CCNP, CCIP, CCDP, CCNA: Security/Wireless Blog: http://ccie-or-null.net/

Vasilii Mikhailovskii · ‎01-22-2014

Hello.

The primary problem with 2 clouds bound to 2 interfaces is routing.

Unless you have all the statics that lead to all the peers via correct interface, you will experience problems. This won't be a problem for spokes if they communicate only to hub, but for hubs...

The easiest way to fix routing is to create new VRF for backup DSL.

New DMVPN cloud would use this VRF as a transport.

Implementing VRF on spokes as well would solve your issue: "The problem with this is , all my clients at the remote location I will have to use two seperate gateway".

Please let me know if you need sample configuration for DMVPN using VRF WAN.

PS: I would not use equal nhrp network-id on both interfaces.

PS2: all the examples earlier would work only if you configure routing over propper interfaces; command "tunnel source ..." does not define outgoing interface, but only source IP-address for tunnel traffic (udp4500 or esp). That is why they work fine on GNS.