Cisco Support Community

New Member

DMVPN behind NAT

We are currently setting up a DMVPN cloud as the backup to our MPLS and have chosen to use ASAs in front of the routers for a number of reasons.

Currently our setup looks like:

Spoke/Branch MPLS/VPN Router <------> ASA <------> INTERWEBS <------> ASA <------> Hub DMVPN Router

I am currently testing in lab and so far we have been able to setup NAT on the ASAs, link up the tunnel running GRE and NHRP, and build an eBGP session over the tunnel, but the moment we attempt to encrypt the tunnel on the routers the link drops and fails to establish.

For the lab, both ASAs are setup with simple 1 to 1 static NAT statements and an ANY/ANY statement for traffic coming into the 2 routers.

We are getting P1 completion, QM_IDLE, on both sides, but it seems to be failing on P2. My best guess at this point is that because we are NATting the traffic the src/dst (local/remote) pairs for the tunnel don't match, but I have exhausted my resources on how to resolve it. Any help would be greatly appreciated.

For the lab, we are using 172. for WAN/Local addresses and 192.168 addresses to simulate the internet. 

Hub ASA is translating f0/0 on the hub router to 192.168.1.3

Spoke ASA is translating F0/1 on the spoke router to 192.168.2.3

Relevant router configurations are as follows:

HUB:

!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto isakmp nat keepalive 30
!
crypto ipsec transform-set esp-3des-sha esp-3des esp-sha-hmac
 mode transport
no crypto ipsec nat-transparency udp-encaps
!
crypto ipsec profile vpn-dmvpn
 set transform-set esp-3des-sha
!
interface Loopback0
 ip address 172.21.10.3 255.255.255.255
!
interface Tunnel0
 description DMVPN Tunnel
 bandwidth 10000
 ip address 172.20.10.1 255.255.255.0
 no ip redirects
 ip mtu 1440
 ip nhrp authentication cisco
 ip nhrp map multicast dynamic
 ip nhrp network-id 105600
 ip nhrp holdtime 300
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 105600
 tunnel protection ipsec profile vpn-dmvpn
!
interface FastEthernet0/0
 ip address 172.21.10.30 255.255.255.252
 speed 100
 full-duplex
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
router eigrp 65010
 network 172.21.10.3 0.0.0.0
 network 172.21.10.28 0.0.0.3
 no auto-summary
!
router bgp 65010
 no synchronization
 bgp log-neighbor-changes
 timers bgp 5 20
 neighbor 172.20.10.90 remote-as 65090
 neighbor 172.21.10.1 remote-as 65010
 neighbor 172.21.10.1 update-source Loopback0
 neighbor 172.21.10.1 next-hop-self
 no auto-summary
!

SPOKE:

!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 192.168.1.3
crypto isakmp nat keepalive 30
!
crypto ipsec transform-set esp-3des-sha esp-3des esp-sha-hmac
 mode transport
no crypto ipsec nat-transparency udp-encaps
!
crypto ipsec profile vpn-dmvpn
 set transform-set esp-3des-sha
!
interface Loopback0
 ip address 10.90.1.1 255.255.0.0
!
interface Tunnel0
 description DMVPN Tunnel
 bandwidth 10000
 ip address 172.20.10.90 255.255.255.0
 ip mtu 1440
 ip nhrp authentication cisco
 ip nhrp map 172.20.10.1 192.168.1.3
 ip nhrp map multicast 192.168.1.3
 ip nhrp network-id 105600
 ip nhrp holdtime 300
 ip nhrp nhs 172.20.10.1
 tunnel source FastEthernet0/1
 tunnel destination 192.168.1.3
 tunnel key 105600
 tunnel protection ipsec profile vpn-dmvpn
!
interface FastEthernet0/0
 ip address 172.21.90.6 255.255.255.252
 speed 100
 full-duplex
!
interface FastEthernet0/1
 ip address 172.21.90.29 255.255.255.252
 duplex auto
 speed auto
!
router bgp 65090
 no synchronization
 bgp log-neighbor-changes
 network 10.90.0.0 mask 255.255.0.0
 neighbor 172.20.10.1 remote-as 65010
 neighbor 172.21.90.5 remote-as 1
 no auto-summary
!

5 REPLIES
Cisco Employee

Re: DMVPN behind NAT

Hi,

NAT-T disabled on both ends? Did you try it with NAT-T enabled?

HTH,
Lei Tian

Sent from Cisco Technical Support iPhone App

New Member

Re: DMVPN behind NAT

We've tried it both with crypto ipsec nat-transparency udp-encapsulation turned on and off with no difference.

One error message of note: we are receiving these messages on both ends.

Mar  1 15:55:27.191: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=172.21.90.29, prot=50, spi=0xFF0209EE(4278323694), srcaddr=192.168.1.3

Mar  1 15:49:28.355: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=172.21.10.30, prot=50, spi=0xFF150A1E(4279568926), srcaddr=192.168.2.3

So I'm not sure if NAT-T is completely working.

Thanks

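The two things a reviewer would check against the configs in the original post and the syslog lines in the reply above can both be automated. The following Python script is an added example (not code from the poster or from Cisco): it lints an IOS crypto config for the NAT-related settings the thread turns on, and it parses %CRYPTO-4-RECVD_PKT_INV_SPI lines so the address pairs can be compared with the static translations the poster described. The config text, the log lines and the NAT map are constructed from the thread; the rule that a DMVPN peer behind NAT needs transport mode plus NAT-T (UDP 4500) follows Cisco's published DMVPN-over-NAT guidance, and the finding wording is my own.

```python
import re

# Constructed sample: the hub-side crypto and tunnel lines from the post above,
# re-indented the way IOS prints them. Interface and profile names are the poster's.
HUB_CRYPTO_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto isakmp nat keepalive 30
!
crypto ipsec transform-set esp-3des-sha esp-3des esp-sha-hmac
 mode transport
no crypto ipsec nat-transparency udp-encaps
!
crypto ipsec profile vpn-dmvpn
 set transform-set esp-3des-sha
!
interface Tunnel0
 ip address 172.20.10.1 255.255.255.0
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile vpn-dmvpn
!
interface FastEthernet0/0
 ip address 172.21.10.30 255.255.255.252
"""

# Constructed sample: the two syslog lines quoted in the reply above (one per router).
SAMPLE_LOGS = [
    "Mar  1 15:55:27.191: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has "
    "invalid spi for destaddr=172.21.90.29, prot=50, spi=0xFF0209EE(4278323694), srcaddr=192.168.1.3",
    "Mar  1 15:49:28.355: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has "
    "invalid spi for destaddr=172.21.10.30, prot=50, spi=0xFF150A1E(4279568926), srcaddr=192.168.2.3",
]

# Static 1:1 translations from the post: router WAN address -> address seen on the "internet".
NAT_MAP = {"172.21.10.30": "192.168.1.3", "172.21.90.29": "192.168.2.3"}

INV_SPI_RE = re.compile(
    r"%CRYPTO-4-RECVD_PKT_INV_SPI:.*?destaddr=(?P<dst>[\d.]+), prot=(?P<prot>\d+), "
    r"spi=0x(?P<spi>[0-9A-Fa-f]+)\(\d+\), srcaddr=(?P<src>[\d.]+)"
)


def parse_blocks(config):
    """Group IOS config lines into (header, [children]) pairs by leading indentation."""
    blocks = []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            continue
        if line.startswith(" "):
            if blocks:
                blocks[-1][1].append(line.strip())
        else:
            blocks.append((line, []))
    return blocks


def lint_dmvpn_nat(config, peer_behind_nat=True):
    """Return findings for IPsec-protected tunnels when a DMVPN peer sits behind NAT."""
    blocks = parse_blocks(config)
    headers = [h for h, _ in blocks]
    natt_disabled = "no crypto ipsec nat-transparency udp-encaps" in headers
    keepalive = any(h.startswith("crypto isakmp nat keepalive") for h in headers)
    profiles = {h.split()[-1]: kids for h, kids in blocks if h.startswith("crypto ipsec profile ")}
    tsets = {}  # transform-set name -> encapsulation mode (IOS default is tunnel mode)
    for h, kids in blocks:
        if h.startswith("crypto ipsec transform-set "):
            mode = next((k.split()[1] for k in kids if k.startswith("mode ")), "tunnel")
            tsets[h.split()[3]] = mode
    findings = []
    for h, kids in blocks:
        if not h.startswith("interface Tunnel"):
            continue
        prot = next((k for k in kids if k.startswith("tunnel protection ipsec profile ")), None)
        if prot is None:
            findings.append(f"{h}: GRE tunnel has no IPsec protection (cleartext over the WAN)")
            continue
        tset = next((k.split()[-1] for k in profiles.get(prot.split()[-1], [])
                     if k.startswith("set transform-set ")), None)
        if peer_behind_nat and tsets.get(tset, "tunnel") != "transport":
            findings.append(f"{h}: transform-set {tset} uses tunnel mode; DMVPN through NAT "
                            "needs mode transport")
        if peer_behind_nat and natt_disabled:
            findings.append(f"{h}: NAT-T disabled (no crypto ipsec nat-transparency udp-encaps) "
                            "while a peer is behind NAT; IKE will not run NAT detection and ESP "
                            "(IP protocol 50) is sent untranslated-aware; re-enable UDP 4500 encapsulation")
    if keepalive and natt_disabled:
        findings.append("crypto isakmp nat keepalive is configured but NAT keepalives are a "
                        "NAT-T feature (UDP 4500); the line has no effect with NAT-T disabled")
    return findings


def parse_inv_spi(line):
    """Extract the address pair, protocol and SPI from a RECVD_PKT_INV_SPI syslog line."""
    m = INV_SPI_RE.search(line)
    if not m:
        return None
    return {"dst": m["dst"], "src": m["src"], "proto": int(m["prot"]), "spi": int(m["spi"], 16)}


def explain_inv_spi(event, nat_map):
    """Classify an invalid-SPI event against the known static translations."""
    if event is None:
        return "not an invalid-SPI event"
    if event["proto"] != 50:
        return f"protocol {event['proto']} is not ESP; unrelated to the NAT-T question"
    if event["dst"] in nat_map and event["src"] in nat_map.values():
        return (f"ESP reached {event['dst']} through static NAT from translated peer "
                f"{event['src']} with SPI 0x{event['spi']:08X} absent from the local inbound "
                "SADB: the peer encrypts on an SA this side does not hold (stale SA after a "
                "rekey, or Quick Mode completed with mismatched address pairs); with NAT-T "
                "disabled neither side learned that the other is translated")
    return "ESP from an untranslated peer; check for a stale SA or a rekey race instead"


if __name__ == "__main__":
    for f in lint_dmvpn_nat(HUB_CRYPTO_CONFIG):
        print("FINDING:", f)
    for line in SAMPLE_LOGS:
        print(explain_inv_spi(parse_inv_spi(line), NAT_MAP))
```

Run against the hub config as posted, the linter reports the disabled NAT-T and the keepalive that can never fire; removing the `no crypto ipsec nat-transparency udp-encaps` line clears both findings. The log parser shows that each router rejects ESP arriving at its own pre-NAT address from the peer's translated address, which is the symptom the reply describes.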

Cisco Employee

Re: DMVPN behind NAT

Hi,

Is UDP 4500 permitted on the ASA?

HTH,

Lei Tian

New Member

Re: DMVPN behind NAT

yup, ASAs are set to any-any for testing.

We were able to resolve this by switching from PSK to RSA-SIG and making sure tunnel mode was enabled correctly on both ends. Apparently DMVPN doesn't work with NAT and PSK but it works fine with RSA-SIG.


Thanks

Cisco Employee

Re: DMVPN behind NAT

Hmm, that doesn't sound right, but thanks for the update!


Sent from Cisco Technical Support iPhone App
