10-28-2024 02:28 AM
I have a main head office and some branches connected with each other over an MPLS connection provided by a third-party vendor.
I want to enable encryption or some security over my MPLS interface so that my data should not be compromised. I have:
Branch end: Cisco router 1921
Hub (main): Cisco 3750 switch and Cisco router 1111
Due to the huge amount of traffic, I have used a switch as it has gigabit ports for traffic movement.
I am finding it difficult to implement security over my MPLS traffic.
10-28-2024 02:32 AM
@lakhwaraa GETVPN would be a solution to encrypt traffic over the MPLS; Cisco routers support GETVPN. The 3750 switch would not support any encryption, so I would recommend replacing it with another Cisco router.
10-28-2024 02:49 AM
Hi,
Do your branches communicate directly through the MPLS cloud, or is inter-branch traffic routed via the hub? The question is: is your traffic flow hub-and-spoke or full mesh?
Ultimately, you have two options that scale, based on the device models you have (an IOS upgrade may be necessary though): GETVPN or DMVPN Phase 3 with IPsec. Have you ever worked with any of these technologies before? Do you have multicast traffic or only unicast traffic?
Best,
Cristian.
10-28-2024 02:55 AM
I am using 2 interfaces on my router (one interface has MPLS and the other interface has the ISP). I have established DMVPN with IPsec to be used over the tunnel connection when MPLS is down. My traffic is encrypted when going through the tunnel but not encrypted through MPLS, as all routes are provided by the vendor from hub to spoke.
10-28-2024 03:37 AM
Hi,
In this case, the easiest solution is to add another DMVPN cloud/topology over MPLS (use Phase 3 and obviously add IPsec on top of it); you would additionally need to change routing over MPLS: you will only advertise your DMVPN tunnel endpoints to the MPLS cloud via BGP and add your own overlay routing over DMVPN.
Best,
Cristian.
10-28-2024 03:40 AM
Could you provide me with some guide for this solution? I have never worked with MPLS.
10-28-2024 04:12 AM
Hi,
From your perspective, whether the WAN transport is Internet or MPLS (both are MPLS in the backend) doesn't matter; routers that are under your management do not run MPLS, so you'll end up performing a similar DMVPN config to the one presented, on the routers under your management.
Best,
Cristian.
10-28-2024 03:52 AM
I have done the following configuration, just as I did for my DMVPN:
Hub
interface Tunnel0
ip address 10.0.0.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication your-auth-key
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip nhrp shortcut
tunnel source GigabitEthernet0/1
tunnel mode gre multipoint
tunnel key 1234
router bgp 65001
! Spoke IP
neighbor 10.0.0.2 remote-as 65002
network 10.0.0.0 mask 255.255.255.0
crypto isakmp policy 10
encryption aes
hash sha
authentication pre-share
group 2
!
crypto isakmp key your-secret-key address 192.0.2.2
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
mode transport
!
crypto map dmvpn 10 ipsec-isakmp
set peer 192.0.2.2
set transform-set ESP-AES-SHA
match address 100
!
interface GigabitEthernet0/1
crypto map dmvpn
Spoke
interface Tunnel0
ip address 10.0.0.2 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication your-auth-key
! 192.0.2.1 is the public IP of the hub
ip nhrp map 10.0.0.1 192.0.2.1
ip nhrp map multicast 192.0.2.1
ip nhrp network-id 1
tunnel source GigabitEthernet0/1
tunnel mode gre multipoint
tunnel key 1234
router bgp 65002
! Hub IP
neighbor 10.0.0.1 remote-as 65001
network 10.0.0.0 mask 255.255.255.0
crypto isakmp policy 10
encryption aes
hash sha
authentication pre-share
group 2
!
crypto isakmp key your-secret-key address 192.0.2.1
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
mode transport
!
crypto map dmvpn 10 ipsec-isakmp
set peer 192.0.2.1
set transform-set ESP-AES-SHA
match address 100
!
interface GigabitEthernet0/1
crypto map dmvpn
But I am still unable to understand how this hub-and-spoke model works on routers. I have a Cisco switch which is advertising routes to my router at the hub. How do I deal with this?
10-28-2024 12:45 PM
Sorry, I don't get it.
You use DMVPN over MPLS?
If yes, why do you use the public IP of the hub?
The IP is private in the underlying MPLS, not public.
MHM
10-28-2024 01:18 PM
Hi,
Even though on the hub side the switch is in front of the router/DMVPN hub, it's not a problem; you would need to ensure that the hub's IP used to terminate the DMVPN tunnel is routable over MPLS (the switch makes routing happen between the hub router and distant sites via MPLS).
Assuming one spoke IP facing MPLS is 192.168.20.6 and the hub's IP facing the switch/MPLS is 192.168.10.6, and you want to run BGP over DMVPN, here's your config (move away from crypto maps and use tunnel protection; NHRP authentication is removed as it's pointless when using IPsec; the GRE tunnel key is only required if you source two GRE multipoint tunnels off the same source interface, so it was removed):
Hub
interface Tunnel0
ip address 10.0.0.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip nhrp redirect
tunnel source GigabitEthernet0/1
tunnel mode gre multipoint
tunnel protection ipsec profile DMVPN
!
router bgp 65001
neighbor 10.0.0.2 remote-as 65002
network 10.0.0.0 mask 255.255.255.0
!
crypto isakmp policy 10
encryption aes
hash sha
authentication pre-share
group 2
!
crypto isakmp key your-secret-key address 192.168.20.6
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
mode transport
!
crypto ipsec profile DMVPN
set transform-set ESP-AES-SHA
Spoke
interface Tunnel0
ip address 10.0.0.2 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp nhs 10.0.0.1 nbma 192.168.10.6 multicast
ip nhrp network-id 1
ip nhrp shortcut
tunnel source GigabitEthernet0/1
tunnel mode gre multipoint
tunnel protection ipsec profile DMVPN
!
router bgp 65002
! Hub IP
neighbor 10.0.0.1 remote-as 65001
network 10.0.0.0 mask 255.255.255.0
!
crypto isakmp policy 10
encryption aes
hash sha
authentication pre-share
group 2
!
crypto isakmp key your-secret-key address 192.168.10.6
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
mode transport
!
crypto ipsec profile DMVPN
set transform-set ESP-AES-SHA
Best,
Cristian.
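The design Cristian lays out above (IPsec bound to the tunnel with tunnel protection rather than a crypto map on the WAN port, NHRP redirect on the hub and shortcut on the spoke, and a pre-shared key on the spoke for the hub's NBMA address) checked mechanically, as an added example that is not code from the thread or from Cisco. parse_blocks and check_dmvpn are hypothetical helper names; the sample configs are constructed from the addresses used in the thread.

```python
def parse_blocks(cfg):
    """Group indented IOS lines under their parent (top-level) command."""
    blocks, current = {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw.startswith(" "):   # top-level command starts a new block
            current = line
            blocks.setdefault(current, [])
        elif current is not None:    # child line of the previous command
            blocks[current].append(line)
    return blocks

def check_dmvpn(cfg, role):
    """Return findings for a 'hub' or 'spoke' config; an empty list means OK."""
    b, out = parse_blocks(cfg), []
    tun = b.get("interface Tunnel0", [])
    prof = next((l.split()[-1] for l in tun
                 if l.startswith("tunnel protection ipsec profile")), None)
    if prof is None:
        out.append("Tunnel0: no 'tunnel protection ipsec profile'")
    elif f"crypto ipsec profile {prof}" not in b:
        out.append(f"ipsec profile {prof} referenced but never defined")
    for name, lines in b.items():  # crypto map bound to a physical port
        if name.startswith("interface") and any(l.startswith("crypto map") for l in lines):
            out.append(f"{name}: crypto map applied; use tunnel protection")
    if role == "hub" and "ip nhrp redirect" not in tun:
        out.append("hub: Tunnel0 lacks 'ip nhrp redirect' (Phase 3)")
    if role == "spoke":
        if "ip nhrp shortcut" not in tun:
            out.append("spoke: Tunnel0 lacks 'ip nhrp shortcut' (Phase 3)")
        toks = [l.split() for l in tun if l.startswith("ip nhrp nhs")]
        nbma = next((t[t.index("nbma") + 1] for t in toks if "nbma" in t), None)
        keys = [k.split()[-1] for k in b if k.startswith("crypto isakmp key")]
        if nbma is None:
            out.append("spoke: no 'ip nhrp nhs ... nbma <hub>' mapping")
        elif nbma not in keys:  # the key line in this form ends with the peer address
            out.append(f"spoke: no 'crypto isakmp key ... address {nbma}'")
    return out

# Constructed samples: Cristian's spoke shape, then the crypto-map hub from the first post.
SPOKE_OK = """interface Tunnel0
 ip nhrp nhs 10.0.0.1 nbma 192.168.10.6 multicast
 ip nhrp shortcut
 tunnel protection ipsec profile DMVPN
crypto isakmp key your-secret-key address 192.168.10.6
crypto ipsec profile DMVPN
 set transform-set ESP-AES-SHA
"""
HUB_BAD = "interface Tunnel0\n ip nhrp shortcut\ninterface GigabitEthernet0/1\n crypto map dmvpn\n"
```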