bi-rule is required when build DMVPN?

syjeon · ‎12-16-2016

Hi

our DMVPN hub router is behind of internet firewall. and need to communicate with spoke router to establish IPSEC tunnel.

my question is do we need to open bi-directinoal rule on internet firewall? I think DMVPN and SPOKE will initiate each other so, I think we need bi-rule on internet firewall. normally, rule only from Spoke to Hub, it would be not working?

Please, advise.

Karsten Iwen · ‎12-16-2016

As always: It depends (assuming the firewall is an ASA) ...

If there is NAT between the routers (probably there is if the router behind the firewall has a public IP): Then all traffic from the spokes to the hub is UDP which can be inspected by the firewall and return traffic (which is also encapsulated VPN-traffic from the hub to the spoke) is allowed.
If there is no NAT: Now the firewall sees also ESP-traffic which is by default not inspected. Based on your firewall config it could be allowed if you have a permissive approach but also could be denied if you have an restrictive approach.

As 1) is a very often used setup, I would assume that you only need incoming rules on your firewall.

syjeon · ‎12-16-2016

Hi Iwen,

our case is .2, which means, we don't have any NAT. the router is already having the public IP will communicate with spoke router's public IP address. but, as of now, only our ASA is having only incoming rule from spoke to hub. if so, according from you, we have to also open the rule from Hub to spoke, is it?

Karsten Iwen · ‎12-16-2016

If there is no ESP-inspection then the firewall should have a rule allowing outbound ESP-traffic.