cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Join Customer Connection to register!
297
Views
0
Helpful
1
Replies
Julzorensen
Beginner

DMVPN issue - non-local traffic not getting IPSEC encap'd

Hi,

 

I'am quite new to DMVPN but I'am used to the underlying technologies in use (GRE, IPSEC, etc...).

I'am trying to deploy it for the first time but I'am running into an issue and I couldn't find the solution.

 

The topology is as followed (simplified)

 

Server - Router (Cat6k) - Router (Cat9500 - HUB) -------------WAN----------- Router (ISR1111 LTE - SPOKE)

 

The ISR1111 is reaching the Hub through LTE connectivity. It gets private IP from the provider which gets NAT'd after at the provider level (don't really know if it's important or not).

 

So far, here is the situation : IPSEC is up and running, GRE over IPSEC also.

OSPF is running between the 3 routers and looks absolutely good.

 

From the Hub, I can ping any local IP of the Spoke from any of the Hub local IP.

From the Spoke, I can ping any local IP of the Hub from any of the Spoke local IP.

 

So the connectivity and the tunnels looks good.

 

The issue is that as soon as the Spoke try to contact something farther than the Hub (for example "Server"), it doesn't work.

Packet capture on the server shows that the packet are actually received, the reply is sent but never reaches back the Spoke.

MTR from Server to Spoke shows the Hub as last hop.

 

We did some other packet captures and here is what we discovered :

For trafic from local IP (Hub or Spoke) to local IP (Hub or Spoke), everything is encapsulated (GRE then ESP/UDP) correctly and sent trough the tunnel. It works.

For trafic from the Spoke to the Server, the trafic in the Spoke->Server direction is correctly encapsulated and reches the Server.

But for the trafic from the Server to the Spoke, it only gets GRE encapsulated, and we never see any ESP/UDP over that, thus it fails to reach the destination.

 

The only thing that I can almost confirm is that it's not a routing issue.

 

Any idea what's happening and/or what do verify?

 

HUB CONFIG :

!
crypto isakmp policy 999
hash sha256
authentication pre-share
crypto isakmp key XXXXXXX address 0.0.0.0
!
crypto ipsec transform-set dmvpn esp-aes 256
mode transport
!
crypto ipsec profile dmvpn-ipsec
set security-association lifetime seconds 86400
set transform-set dmvpn
!

!
interface Tunnel10
description DMVPN
ip address 172.24.255.1 255.255.255.0
ip mtu 1360
ip nhrp authentication XXX
ip nhrp network-id 1
ip nhrp redirect
ip tcp adjust-mss 1320
ip ospf network broadcast
ip ospf 1 area 0
tunnel source Loopback2
tunnel mode gre multipoint
tunnel key XXXX
tunnel path-mtu-discovery
tunnel protection ipsec profile dmvpn-ipsec

 

SPOKE CONFIG :

!
crypto isakmp policy 999
hash sha256
authentication pre-share
crypto isakmp key XXX address 0.0.0.0
crypto isakmp fragmentation
crypto isakmp keepalive 10
!
crypto ipsec transform-set dmvpn esp-aes 256
mode transport
!
crypto ipsec profile dmvpn-ipsec
set security-association lifetime seconds 86400
set transform-set dmvpn

!

!
interface Tunnel10
ip address 172.24.255.10 255.255.255.0
ip mtu 1360
ip nhrp authentication XXXX
ip nhrp map 172.24.255.1 PublicIPHub
ip nhrp map multicast PublicIPHub
ip nhrp network-id 1
ip nhrp nhs 172.24.255.1
ip tcp adjust-mss 1320
ip ospf network broadcast
ip ospf 1 area 0
tunnel source Cellular0/2/0
tunnel mode gre multipoint
tunnel key XXXX
tunnel path-mtu-discovery
tunnel protection ipsec profile dmvpn-ipsec
!

1 REPLY 1
Georg Pauwen
VIP Expert

Hello,

 

how is the 'remote' server connected to the hub ? There are a few things that don't look standard for a DMVPN Phase 3 configuration (marked in bold), you might want to try and change these. Also, post the full configs of the hub and the spoke, we might be able to spot something...

 

HUB CONFIG :

!
crypto isakmp policy 999
--> encryption aes256
hash sha256
authentication pre-share
crypto isakmp key XXXXXXX address 0.0.0.0
!
crypto ipsec transform-set dmvpn esp-aes 256
mode transport
!
crypto ipsec profile dmvpn-ipsec
set security-association lifetime seconds 86400
set transform-set dmvpn
!
interface Tunnel10
description DMVPN
ip address 172.24.255.1 255.255.255.0
--> ip mtu 1400
ip nhrp authentication XXX
ip nhrp network-id 1
ip nhrp redirect
--> ip tcp adjust-mss 1360
ip ospf network broadcast
ip ospf 1 area 0
tunnel source Loopback2
tunnel mode gre multipoint
tunnel key XXXX
tunnel path-mtu-discovery
tunnel protection ipsec profile dmvpn-ipsec

 

SPOKE CONFIG :
!
crypto isakmp policy 999
--> encryption aes256
hash sha256
authentication pre-share
!
crypto isakmp key XXX address 0.0.0.0
crypto isakmp fragmentation
crypto isakmp keepalive 10
!
crypto ipsec transform-set dmvpn esp-aes 256
mode transport
!
crypto ipsec profile dmvpn-ipsec
set security-association lifetime seconds 86400
set transform-set dmvpn
!
interface Tunnel10
ip address 172.24.255.10 255.255.255.0
--> ip mtu 1400
ip nhrp authentication XXXX
ip nhrp map 172.24.255.1 PublicIPHub
ip nhrp map multicast PublicIPHub
ip nhrp network-id 1
ip nhrp nhs 172.24.255.1
--> ip nhrp shortcut
--> ip tcp adjust-mss 1360
ip ospf network broadcast
ip ospf 1 area 0
tunnel source Cellular0/2/0
tunnel mode gre multipoint
tunnel key XXXX
tunnel path-mtu-discovery
tunnel protection ipsec profile dmvpn-ipsec

Content for Community-Ad