Cisco Support Community
Issue with DMVPN

Hi,

I am building a new DMVPN tunnel. Previously we were getting the service from one of the service providers, but now I wanted to test my luck, and I am facing some issues.

[image: dmvpn.jpg]

Our head office network is 192.168.12.0 and the remote spoke routers' network is 192.168.75.0.

The tunnel IP at the head office is 172.20.20.1, and on each spoke side it is 172.20.20.2, 3, 4, ...

The hub configuration is as follows:

--------------------------------------------------------------------

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key asicovpn address 0.0.0.0 0.0.0.0
!
interface Tunnel0
 ip address 172.20.20.1 255.255.255.0
 no ip redirects
 ip mtu 1440
 ip nhrp authentication asicovpn
 ip nhrp map multicast dynamic
 ip nhrp map multicast 172.20.20.1
 ip nhrp network-id 254
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 199
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 ip address 78.93.37.134 255.255.255.240
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address 192.168.12.124 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 no ip address
 shutdown
 duplex auto
 speed auto
!
router ospf 10
 redistribute rip metric 22222 subnets
 network 192.168.12.0 0.0.0.255 area 0
!
router rip
 version 2
 redistribute ospf 10 metric 1
 network 172.20.0.0
 no auto-summary
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 78.93.37.129
!

--------------------------------------------------------------------

The configuration for the spoke routers is:

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key asicovpn address 78.93.37.134
!
interface Tunnel0
 bandwidth 1000
 ip address 172.20.20.2 255.255.255.0
 no ip redirects
 ip mtu 1440
 ip nhrp authentication asicovpn
 ip nhrp map multicast dynamic
 ip nhrp map multicast 78.93.37.134
 ip nhrp map 172.20.20.1 78.93.37.134
 ip nhrp network-id 254
 ip nhrp nhs 172.20.20.1
 tunnel source FastEthernet4
 tunnel destination 78.93.37.134
 tunnel key 199
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 192.168.75.1 255.255.255.248
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
router rip
 version 2
 network 172.20.0.0
 network 192.168.75.0
 no auto-summary
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 2000 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 Tunnel0
ip route 78.93.37.134 255.255.255.255 192.168.1.1
!
access-list 2000 deny   ip any 192.168.12.0 0.0.0.255
access-list 2000 deny   ip any 192.168.13.0 0.0.0.255
access-list 2000 deny   ip any 192.168.118.0 0.0.0.255
access-list 2000 deny   ip any 192.168.114.0 0.0.0.255
access-list 2000 deny   ip any 192.168.115.0 0.0.0.255
access-list 2000 deny   ip any 192.168.116.0 0.0.0.255
access-list 2000 deny   ip any 192.168.117.0 0.0.0.255
access-list 2000 deny   ip any 192.168.21.0 0.0.0.255
access-list 2000 deny   ip any 192.168.33.0 0.0.0.255
access-list 2000 deny   ip any 192.168.41.0 0.0.0.255
access-list 2000 permit ip any any
no cdp run

--------------------------------------------------------------------

I can ping from the spoke router to my head office network, but I cannot ping from the head office network to the spoke network 192.168.75.0.

The NAT is for internet traffic to exit via the DSL router; that traffic should not go over the tunnel.

Can anyone please help me with this?

Many, many thanks in advance.

Reply: Issue with DMVPN

There are some things to mention:

1. There is no "crypto ipsec transform-set", no "crypto ipsec profile" and no "tunnel protection" configured. If you want to have an encrypted tunnel, you need to configure them.

2. Why are you routing the Hub WAN IP (78.93.37.134) to 192.168.1.1 on the spoke? If you receive your public IP and gateway on Fa4, you need to route something like "ip route 78.93.37.134 255.255.255.255 Fa4 dhcp".

3. De-configure this on the Hub tunnel: "ip nhrp map multicast 172.20.20.1". It doesn't make sense to do a static multicast mapping to your own IP address.

4. De-configure this on the Spoke tunnel: "ip nhrp map multicast dynamic". It is only needed on hubs.

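As an added example (not from either post), here are the hub and spoke changes that the four points above describe, written as IOS config fragments against the configs posted in the question. The transform-set and profile names, the AES-256/SHA choice, and the use of transport mode are my assumptions; everything else comes from the thread.

```cisco
! ===== Hub: add IPsec and remove the self-referencing multicast map =====
! Assumed names: DMVPN-TS / DMVPN-PROF. AES-256 + SHA are stronger than the
! 3DES in the posted isakmp policy; transport mode avoids a second IP header.
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
interface Tunnel0
 ! point 3: a static multicast map to the hub's own tunnel IP is meaningless
 no ip nhrp map multicast 172.20.20.1
 ! point 1: without this line the GRE tunnel carries cleartext
 tunnel protection ipsec profile DMVPN-PROF
!
! ===== Spoke: add IPsec, drop the hub-only NHRP line, fix the hub route =====
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
interface Tunnel0
 ! point 4: "map multicast dynamic" is for hubs; the spoke keeps its static
 ! "ip nhrp map multicast 78.93.37.134" toward the hub
 no ip nhrp map multicast dynamic
 tunnel protection ipsec profile DMVPN-PROF
!
! point 2: the hub's public IP must be reached via the DHCP-learned gateway
! on Fa4, not via 192.168.1.1 (which the posted config never defines)
no ip route 78.93.37.134 255.255.255.255 192.168.1.1
ip route 78.93.37.134 255.255.255.255 FastEthernet4 dhcp
```

After applying this on both sides, "show crypto isakmp sa", "show crypto ipsec sa" and "show ip nhrp" on the spoke should show an active SA pair and a registered NHS entry for 172.20.20.1; if the IKE SA never leaves MM_NO_STATE, the new host route (point 2) is the first thing to re-check.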