
DMVPN with spoke router on 3G Connection

ddolbel
Level 1

Hi,

I'm having issues with one of my spoke routers connecting to the DMVPN. The 3G connection appears to be OK, it's not dropping, however the tunnel keeps dropping and OSPF has to keep learning again and again. This is my first site with a 3G connection; all the others are either on fibre or ADSL and they just work. Here are the configs below, any assistance would be greatly appreciated.

Thank you for your time and effort in advance.

---------------------------------------------------------------------------------------------

Hub

---------------------------------------------------------------------------------------------

crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
!
crypto isakmp policy 2
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key <removed> address <removed>
crypto isakmp keepalive 60 periodic
crypto isakmp nat keepalive 60
!
crypto ipsec transform-set ESP-SHA-HMAC-AES-256-VPN esp-aes 256 esp-sha-hmac
crypto ipsec transform-set ESP-SHA-HMAC-AES-256-DMVPN esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile dmvpn
 description Dynamic Multi-Point VPN IPSEC Policy
 set transform-set ESP-SHA-HMAC-AES-256-DMVPN
 set pfs group5
!
interface Tunnel0
 description --- Tunnel Int -- DMVPN Entry ---$FW_INSIDE$
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1492
 ip flow ingress
 ip flow egress
 ip nhrp authentication dmvpn
 ip nhrp map multicast dynamic
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip virtual-reassembly in
 ip virtual-reassembly out
 no ip route-cache cef
 ip tcp adjust-mss 1360
 ip ospf network point-to-multipoint
 delay 1000
 mpls ip
 cdp enable
 tunnel source Dialer0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile dmvpn
!
interface Loopback0
 description --- Loopback ---
 ip address 10.100.0.1 255.255.255.255
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
!
router ospf 1
 router-id 10.100.0.1
 log-adjacency-changes detail
 network 10.0.0.0 0.0.0.255 area 1
 network 10.0.1.1 0.0.0.0 area 1
 network 10.0.1.0 0.0.0.3 area 1
 network 10.0.2.2 0.0.0.0 area 1
 network 10.0.2.0 0.0.0.3 area 1
 network 10.0.99.0 0.0.0.15 area 1
 network 10.100.0.1 0.0.0.0 area 1
!
access-list 101 remark Route-map Internet Access List
access-list 101 remark Denying Tunnel Traffic
access-list 101 deny   ip 10.100.0.0 0.0.0.255 10.60.0.0 0.0.0.255
access-list 101 deny   ip 10.100.0.0 0.0.0.255 10.70.0.0 0.0.0.255
access-list 101 deny   ip 10.100.0.0 0.0.0.255 10.80.0.0 0.0.0.255
access-list 101 remark Permitting Local Subnet Traffic
access-list 101 permit ip 10.0.1.0 0.0.0.3 any
!
route-map nonat permit 10
 description NAT Route-Map
 match ip address 101
!

---------------------------------------------------------------------------------------------------------

3G Spoke

---------------------------------------------------------------------------------------------------------

!
chat-script connect "" "ATDT*98*1#" TIMEOUT 30 CONNECT
!
!
!
controller Cellular 0/0
!
ip tcp synwait-time 10
ip ssh source-interface Loopback0
ip ssh logging events
ip ssh version 2
!
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
!
crypto isakmp policy 2
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key <removed> address <removed>
crypto isakmp keepalive 60 periodic
crypto isakmp nat keepalive 60
!
crypto ipsec transform-set ESP-SHA-HMAC-AES-256-VPN esp-aes 256 esp-sha-hmac
crypto ipsec transform-set ESP-SHA-HMAC-AES-256-DMVPN esp-aes 256 esp-sha-hmac
 mode transport
!
!
crypto ipsec profile dmvpn
 description Dynamic Multi-Point VPN IPSEC Policy
 set transform-set ESP-SHA-HMAC-AES-256-DMVPN
 set pfs group5
!
!
interface Loopback0
 description --- Loopback ---
 ip address 10.70.0.1 255.255.255.255
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
!
interface Tunnel0
 description --- Tunnel to DD-CR-GLENORIE ---$FW_INSIDE$
 ip address 10.0.0.4 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1492
 ip flow ingress
 ip flow egress
 ip nhrp authentication dmvpn
 ip nhrp map 10.0.0.1 <removed>
 ip nhrp map multicast <removed>
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip nhrp nhs 10.0.0.1
 ip virtual-reassembly in
 no ip route-cache cef
 ip tcp adjust-mss 1360
 ip ospf network point-to-multipoint
 ip ospf cost 10000
 ip ospf 1 area 1
 mpls ip
 cdp enable
 tunnel source Dialer0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile dmvpn
!
interface Cellular0/0/0
 bandwidth 5760
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 no ip route-cache cef
 dialer in-band
 dialer pool-member 1
 dialer-group 1
 async mode interactive
!
interface Cellular0/0/1
 no ip address
 encapsulation ppp
!
interface Dialer0
 bandwidth 5760
 ip address negotiated
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip inspect FireWall out
 ip virtual-reassembly in
 encapsulation ppp
 no ip route-cache cef
 dialer pool 1
 dialer idle-timeout 0
 dialer string connect
 dialer persistent
 dialer-group 1
 keepalive 10 3
 ppp authentication chap pap callin
 ppp chap hostname dummy
 ppp chap password 7 050F13022C55
 no cdp enable
!
router ospf 1
 router-id 10.70.0.1
 log-adjacency-changes detail
 network 10.0.0.0 0.0.0.255 area 1
 network 10.0.70.1 0.0.0.0 area 1
 network 10.0.70.0 0.0.0.3 area 1
 network 10.0.77.0 0.0.0.15 area 1
 network 10.70.0.1 0.0.0.0 area 1
!
ip forward-protocol nd
ip http server
ip http access-class 1
no ip http secure-server
!
!
ip nat inside source route-map nonat interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
ip tacacs source-interface Loopback0
!
access-list 100 remark Original External Ports Access List
access-list 100 permit udp host <removed> any eq non500-isakmp
access-list 100 permit udp host <removed> any eq isakmp
access-list 100 permit esp host <removed> any
access-list 100 permit ahp host <removed> any
access-list 100 permit gre host <removed> any
access-list 100 permit icmp host <removed> any
access-list 100 permit ospf host <removed> any
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 deny   ip 10.0.0.0 0.255.255.255 any
access-list 100 deny   ip 172.16.0.0 0.15.255.255 any
access-list 100 deny   ip 192.168.0.0 0.0.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip host 0.0.0.0 any
access-list 100 deny   ip any any log
access-list 101 remark Route-map Internet Access List
access-list 101 remark Denying Tunnel Traffic
access-list 101 deny   ip 10.70.0.0 0.0.0.255 10.60.0.0 0.0.0.255
access-list 101 deny   ip 10.70.0.0 0.0.0.255 10.80.0.0 0.0.0.255
access-list 101 deny   ip 10.70.0.0 0.0.0.255 10.100.0.0 0.0.0.255
access-list 101 remark Permitting Local Subnet Traffic
access-list 101 permit ip 10.0.70.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
route-map nonat permit 1
 description Net Traffic Route-Map
 match ip address 101

2 Replies

paolo bevilacqua
Hall of Fame

Try a continuous ping to see if there are connectivity blankouts.

Yes, there are.

Also, whenever I try to do anything intensive, like copying a file to the server at that location, it times out completely and the tunnel drops. It does come back, OSPF has to relearn the routes again, and then we are back to square one.

It's strange.
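
The continuous ping suggested in the first reply can be turned into a list of blackout windows; the script below is an added example, not part of the thread. It assumes Linux `ping -D` output (timestamped replies) from a host behind the spoke pinging the hub tunnel address 10.0.0.1; the sample lines are constructed and `find_blackouts` is a hypothetical helper name.

```python
import re

# Constructed sample (not captured data): `ping -D -i 1 10.0.0.1` run from a
# Linux host behind the spoke; 10.0.0.1 is the hub Tunnel0 address in the post.
SAMPLE = """\
[1700000000.10] 64 bytes from 10.0.0.1: icmp_seq=1 ttl=254 time=182 ms
[1700000001.10] 64 bytes from 10.0.0.1: icmp_seq=2 ttl=254 time=175 ms
[1700000002.10] 64 bytes from 10.0.0.1: icmp_seq=3 ttl=254 time=410 ms
[1700000015.30] 64 bytes from 10.0.0.1: icmp_seq=16 ttl=254 time=198 ms
[1700000016.30] 64 bytes from 10.0.0.1: icmp_seq=17 ttl=254 time=190 ms
[1700000018.30] 64 bytes from 10.0.0.1: icmp_seq=19 ttl=254 time=201 ms
[1700000019.30] 64 bytes from 10.0.0.1: icmp_seq=20 ttl=254 time=187 ms
"""

REPLY = re.compile(r"^\[(\d+\.\d+)\] \d+ bytes from .*?icmp_seq=(\d+) ")
SEQ_MOD = 65536  # icmp_seq is a 16-bit counter and wraps on long runs


def find_blackouts(text, min_lost=2):
    """Return [(first_lost_seq, lost_count, seconds_between_replies), ...]."""
    blackouts = []
    last = None  # (seq, timestamp) of the newest in-order reply
    for line in text.splitlines():
        m = REPLY.match(line)
        if not m:
            continue  # header, "Destination unreachable", summary lines
        ts, seq = float(m.group(1)), int(m.group(2))
        if last is not None:
            step = (seq - last[0]) % SEQ_MOD
            if step == 0 or step > SEQ_MOD // 2:
                continue  # duplicate or late (reordered) reply, not a gap
            if step - 1 >= min_lost:
                first_lost = (last[0] + 1) % SEQ_MOD
                blackouts.append((first_lost, step - 1, round(ts - last[1], 2)))
        last = (seq, ts)
    return blackouts


if __name__ == "__main__":
    for first, lost, secs in find_blackouts(SAMPLE):
        print(f"blackout: {lost} probes lost from icmp_seq={first}, "
              f"{secs}s without a reply")
```

The reported timestamps can be lined up with the messages produced by `log-adjacency-changes detail` on the routers to see whether each OSPF reset follows a blackout.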
