Solved: DMVPN and CGN (or NAT in general)

schwarzenbachcyb · ‎08-22-2022

Hi DMVPN Pros

Maybe a DMVPN hero can help me out. I have a DMVPN setup with multiple spokes that are behind the same CGN (mobile 4G network). So there is a possibility that 2 CPEs may have the same public IP address after processing the CGN.

Is this a problem for the DMVPN Hub? Because I can read here: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_dmvpn/configuration/xe-17/sec-conn-dmvpn-xe-17-cat8000-book/sec-conn-dmvpn-dmvpn.html#GUID-284B12C0-9F18-42EE-9A77-29D368883C45

"For these NAT-Transparency Aware enhancements to work, you must use IPsec transport mode on the transform set. Also, even though NAT-Transparency (IKE and IPsec) can support two peers (IKE and IPsec) being translated to the same IP address (using the UDP ports to differentiate them), this functionality is not supported for DMVPN. All DMVPN spokes must have a unique IP address after they have been NAT translated. They can have the same IP address before they are NAT translated."

"If there is more than one DMVPN spoke behind the same NAT box, the NAT box must translate the DMVPN spokes to different outside NAT IP addresses."

If I have the same public IP address for more than one DMVPN Spoke, is it then a general problem that the connection between this spokes and the hub is broken? Or are just some features or some special scenarios broken?

MHM Cisco World · ‎08-23-2022

https://www.trueneutral.eu/2017/dmvpn-mobile-blues.html

check this solution.
if you have any Q you free to ask any thing

View solution in original post

Georg Pauwen · ‎08-22-2022

Hello,

there is no way you can have identical public IP addresses. Carrier Grade NAT is implemented by the ISP. Where did you get the information that there is a chance for duplicate public IP addresses ?

schwarzenbachcyb · ‎08-22-2022

The more routers I have, the greater the probability that two will get translated to the same Public IP from the ISP, when he is doing CGN.

Georg Pauwen · ‎08-22-2022

Hello,

can you post the source of that ? Did your ISP tell you that ?

Wizard4777 · ‎06-04-2023

from experience

Wizard4777 · ‎10-15-2023

i fixed this issue by using two different apns

Wizard4777 · ‎06-04-2023

What do you make of this? Two spokes sharing same IP behind CGN

MHM Cisco World · ‎08-22-2022

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_dmvpn/configuration/xe-16-9/sec-conn-dmvpn-xe-16-9-book/sec-conn-dmvpn-dt-spokes-b-nat.pdf
check this doc. for the DMVPN with NAT

schwarzenbachcyb · ‎08-23-2022

Thank you for the document. The document describes the

Spoke-to-Spoke

Tunnels. What I like to know is, if the

Spoke-to-Hub

tunnels will also have problems, if two Spokes are translated to the same public IP address.

MHM Cisco World · ‎08-23-2022

I will make review send solution.

MHM Cisco World · ‎08-23-2022

https://www.trueneutral.eu/2017/dmvpn-mobile-blues.html

check this solution.
if you have any Q you free to ask any thing

Wizard4777 · ‎04-13-2024

If two or more spokes get the same IP, only one tunnel will kept and others dropped. Reboot the devices so they get different IP for all spokes to be connected.