03-01-2009 04:32 PM - edited 03-04-2019 03:45 AM
Hi
I am trying to configure DMVPN, but my tunnel IPs can't ping each other. I have connected two routers, more like a hub-and-spoke network, but I only have one connected at this stage for testing purposes.
Please check why my routers can't ping my device; below are my configs:
1st problem
I can't configure the tunnel destination on the hub.
HUB
DUT(config-if)#tunnel destination 172.16.0.1
The tunnel destination can not be configured under the existing mode
crypto isakmp policy 10
 encr aes 256
 hash md5
 authentication pre-share
crypto isakmp key 6 cisco123 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set dirkstrong esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile DMVPN
 set transform-set ESP-AES256-SHA
!
crypto ipsec profile strongdirk
 set security-association lifetime seconds 120
 set transform-set dirkstrong
!
crypto ipsec profile test
!
interface Tunnel0
 bandwidth 1000
 ip address 172.16.0.2 255.255.0.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication cisco
 ip nhrp map multicast dynamic
 ip nhrp map 172.16.0.4 10.0.44.1
 ip nhrp network-id 1000
 ip nhrp holdtime 360
 ip nhrp nhs 172.16.0.4
 ip tcp adjust-mss 1360
 tunnel source 1.1.1.1
 tunnel mode gre multipoint
 tunnel key 12345
 tunnel protection ipsec profile DMVPN
Spoke
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile DMVPN
 set transform-set ESP-AES256-SHA
!
interface Tunnel0
 bandwidth 1000
 ip address 172.16.0.4 255.255.0.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication cisco
 ip nhrp map multicast dynamic
 ip nhrp network-id 1000
 ip nhrp holdtime 360
 ip tcp adjust-mss 1360
 tunnel source Loopback0
 tunnel mode gre multipoint
 tunnel key 12345
 tunnel protection ipsec profile DMVPN shared
!
03-01-2009 04:47 PM
What is your IOS version and feature set?
03-01-2009 07:09 PM
What is DMVPN?
03-01-2009 08:41 PM
Dynamic Multipoint VPN (DMVPN) feature allows users to better scale large and small IPSec VPNs by combining generic routing encapsulation (GRE) tunnels, IPSec encryption, and Next Hop Resolution Protocol (NHRP) to provide users with easy configuration through crypto profiles, which override the requirement for defining static crypto maps, and dynamic discovery of tunnel endpoints.
Configuring Dynamic Multipoint VPN (DMVPN) using GRE over IPSec between Multiple Routers
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008014bcd7.shtml
03-02-2009 12:12 AM
Version 12.4(21), SP service
03-02-2009 03:21 AM
Hello Lawrence,
DUT(config-if)#tunnel destination 172.16.0.1
The tunnel destination can not be configured under the existing mode
The tunnel destination command applies only to normal point-to-point GRE tunnels; here you are using a point-to-multipoint GRE tunnel (mGRE).
Second note:
The hub should also be the NHRP server; your HUB configuration points to the spoke, unless what you call spoke is your hub.
Hope to help
Giuseppe
06-26-2011 04:56 PM
Hi
For DMVPN, there is no need to configure a tunnel destination on the hub site. That's because the hub is using an mGRE tunnel, which is a multipoint tunnel.
The hub must be an mGRE tunnel, and spokes can be mGRE or GRE tunnels.
And also remember, your hub site should be configured as the NHRP server. The NHRP configuration should be (for example):
HUB:
interface tunnel 0
 ip nhrp authentication ***
 ip nhrp map multicast dynamic
 ip nhrp network-id 100000
 ip nhrp holdtime 360
SPOKE:
interface tunnel 0
 ip nhrp authentication ***
 ip nhrp map [hub tunnel ip] [hub physical ip]
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip nhrp nhs [hub tunnel ip]
For more information, you can go:
or you could refer to the configuration guide above.
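Added example, not part of any reply in this thread: a small Python check that applies the two replies above (no tunnel destination on mGRE; the hub is the NHRP server and the spoke maps and registers to it) to the Tunnel0 stanzas from the question. The function names are hypothetical, the sample stanzas are abridged from the posted configs, and a single-hub topology is assumed.

```python
import re

# Tunnel0 stanzas abridged from the configs posted in the question.
HUB_AS_POSTED = """\
interface Tunnel0
 ip nhrp map multicast dynamic
 ip nhrp map 172.16.0.4 10.0.44.1
 ip nhrp nhs 172.16.0.4
 tunnel mode gre multipoint
"""
SPOKE_AS_POSTED = """\
interface Tunnel0
 ip nhrp map multicast dynamic
 tunnel mode gre multipoint
"""

def tunnel_cmds(config):
    """Commands under the first 'interface Tunnel' stanza (ends at '!' or next interface)."""
    cmds, inside = [], False
    for line in (raw.strip() for raw in config.splitlines()):
        if line.lower().startswith("interface tunnel") and not inside:
            inside = True
        elif inside and (line == "!" or line.lower().startswith("interface ")):
            break
        elif inside and line:
            cmds.append(line)
    return cmds

def check_dmvpn(config, role):
    """Hypothetical checker: role is 'hub' or 'spoke' (single hub assumed)."""
    cmds = tunnel_cmds(config)
    mgre = "tunnel mode gre multipoint" in cmds
    nhs = [c.split()[-1] for c in cmds if c.startswith("ip nhrp nhs ")]
    maps = [m.group(1) for c in cmds
            if (m := re.fullmatch(r"ip nhrp map (\d+(?:\.\d+){3}) \S+", c))]
    out = []
    if mgre and any(c.startswith("tunnel destination ") for c in cmds):
        out.append("tunnel destination does not apply to an mGRE tunnel")
    if role == "hub":
        if nhs or maps:
            out.append("hub has static NHRP map/nhs entries; the hub is the NHRP server")
        if "ip nhrp map multicast dynamic" not in cmds:
            out.append("hub lacks 'ip nhrp map multicast dynamic'")
    else:
        if not nhs:
            out.append("spoke lacks 'ip nhrp nhs <hub tunnel ip>'")
        out += [f"NHS {n} has no 'ip nhrp map {n} <hub physical ip>'"
                for n in nhs if n not in maps]
    return out
```

Run against the posted stanzas, the hub is flagged for pointing at the spoke as its NHS and the spoke for having no NHS at all, which matches the diagnosis in the replies.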
09-19-2013 08:35 AM
Hi,
I have a customer who wants to deploy Metro-E among all sites. But when I looked at what he wants, I saw he wants to deploy DMVPN over that Metro-E as well. My question is: is this OK? I mean, isn't Metro-E already secured? What should he deploy DMVPN on that metro connection for?
I have read a lot of papers and I saw that DMVPN is good to deploy to secure connections over the internet, as backup, or over an MPLS VPN (also GETVPN), so I'm confused by this.
Regards
09-19-2013 11:07 AM
Suggest you post as an independent question.
09-19-2013 06:38 PM
Hi,
I've replied to your other post. Kindly avoid duplicate posts, or create your own thread next time.
03-26-2016 02:57 AM