941 Views · 30 Helpful · 21 Replies
RJI (VIP Advisor)

Re: DMVPN, EIGRP And IPsec with CA

In the IKEv2 profile, specify the local identity using "identity local dn" on all routers.

You aren't using FVRF, so you don't need to specifically configure anything. You'd use VRFs if you wanted a different routing table for the outside interface and another unique routing table for the inside network. Useful when the inside network needs to tunnel all traffic over the VPN.
Participant

Re: DMVPN, EIGRP And IPsec with CA

Hi RJI,

Now DMVPN is working properly as you advised, but now I have a new problem. In the DMVPN router I created a new point-to-point tunnel and added another new IPsec profile.

So I have one point-to-point tunnel and one DMVPN tunnel, and then two IPsec profiles, one for each tunnel.

Let me know if I can use different IPsec profiles (one for point-to-point, one for DMVPN)? Because now the DMVPN tunnels are up and working properly, but the point-to-point tunnel doesn't come up. Sorry, I don't know how to attach a file in the message box.

This is the point-to-point IPsec profile:

crypto ikev2 proposal aes-cbc-256-proposal1
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 policy policy
 match address local 10.1.14.70
 proposal aes-cbc-256-proposal1
!
crypto ikev2 profile profile
 description IKEv2 profile
 match identity remote address 10.1.14.80 255.255.255.255
 identity local address 10.1.14.70
 authentication local rsa-sig
 authentication remote rsa-sig
 pki trustpoint my-ca
!
This is the DMVPN IPsec profile:

crypto pki certificate map CERT-MAP-DMVPN-IKEv2 10
 subject-name co crypto.local
!
crypto ikev2 proposal IKEv2-PROPOSAL
 encryption aes-cbc-256 aes-cbc-192 3des
 integrity sha512 sha256 md5
 group 14 5 2
!
crypto ikev2 policy IKEv2-POLICY
 proposal IKEv2-PROPOSAL
!
crypto ikev2 profile DMVPN-ISAKMP-IKEv2
 match certificate CERT-MAP-DMVPN-IKEv2
 identity local dn
 authentication local rsa-sig
 authentication remote rsa-sig
 pki trustpoint my-ca
!
Participant

Re: DMVPN, EIGRP And IPsec with CA

Hi,

Thanks for your help. Now I am confused. I want DMVPN failover, but I can only find dual hub single ISP or dual ISP. I didn't see single hub dual ISP. I don't want to use VRF either.

So I would like to know, for my design:

1. Do I need a separate NHRP ID?

2. Do I need to run two EIGRP processes on a single router?

3. How do I make traffic go over the active link? (I already configured the 150.150.150.1 link as the secondary link in BGP.)

4. How does the spoke know which hub tunnel is primary?

Please help

RJI (VIP Advisor)

Re: DMVPN, EIGRP And IPsec with CA

Hi,
So on the spoke you can have 1 tunnel, same NHRP ID, same EIGRP AS; on the tunnel interface you would specify both hubs. You can either use an EIGRP delay on the tunnel interface to prefer 1 tunnel over the other, or alternatively use the priority command in conjunction with "max-connections 1" so that only 1 tunnel will be up; if that fails, the other tunnel will come up.

interface Tunnel0
 ip nhrp map multicast 1.1.1.1
 ip nhrp map 10.5.0.1 1.1.1.1
 ip nhrp map multicast 2.2.2.1
 ip nhrp map 10.5.0.2 2.2.2.1
 ip nhrp nhs 10.5.0.1 priority 1 cluster 1
 ip nhrp nhs 10.5.0.2 priority 2 cluster 1
 ip nhrp nhs cluster 1 max-connections 1

This post shows an example of the failover I've described and will help you determine which tunnel is active/primary.

HTH

Participant

Re: DMVPN, EIGRP And IPsec with CA

Hi,

I am using a single router now.

I have two ISPs on one (single) router.

I don't know how to configure tunnel 2 in the hub without using VRF.

Can I run one EIGRP AS in the hub?

Should tunnel 2 be an NHRP client of tunnel 1 (primary)?

RJI (VIP Advisor)

Re: DMVPN, EIGRP And IPsec with CA

I assume you have 2 ISPs on the hub only?
Any reason why you don't wish to use FVRF? When you have 2 ISPs you would have a default route conflict; using FVRF resolves this issue. In this scenario, FVRF is the recommended solution and the most elegant. The FVRF is only used for the ISP interfaces; the inside interface is within the global routing table.

Alternatively you could use IP SLA to track the ISP-1 interface and/or internet reachability via ISP-1; if that goes down, then tracking will fail over to ISP-2.

The spoke routers would be configured as in my previous suggestion above, with 1 active hub and, if connectivity is lost, failover to the other.

HTH
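The FVRF design described in the reply above, written out as an added hub-side configuration example. It is not configuration posted by RJI or by the original poster; it reuses the IKEv2 profile, certificate map and trustpoint names from the thread, and everything else (the VRF names ISP1/ISP2, the interface names, the WAN addresses 1.1.1.1/24 and 2.2.2.1/24 with gateways 1.1.1.254 and 2.2.2.254, the tunnel subnets 10.5.0.0/24 and 10.6.0.0/24, the LAN 192.168.10.0/24, the transform-set and IPsec profile names, and EIGRP AS 100) is an assumption constructed for the example. Each ISP gets its own VRF with its own default route, so the two defaults no longer compete in the global table, while the LAN, the tunnel interfaces and EIGRP stay in the global table.

```cisco
! Front-door VRFs: one routing table per ISP, each with its own default route.
vrf definition ISP1
 address-family ipv4
 exit-address-family
!
vrf definition ISP2
 address-family ipv4
 exit-address-family
!
ip route vrf ISP1 0.0.0.0 0.0.0.0 1.1.1.254
ip route vrf ISP2 0.0.0.0 0.0.0.0 2.2.2.254
!
! Only the ISP-facing interfaces are placed in the FVRFs (assumed names/addresses).
interface GigabitEthernet0/0
 description ISP1
 vrf forwarding ISP1
 ip address 1.1.1.1 255.255.255.0
!
interface GigabitEthernet0/1
 description ISP2
 vrf forwarding ISP2
 ip address 2.2.2.1 255.255.255.0
!
! Inside interface stays in the global routing table.
interface GigabitEthernet0/2
 description LAN
 ip address 192.168.10.1 255.255.255.0
!
! IKEv2 policy and profile must accept IKE packets that arrive inside an FVRF;
! without "match fvrf any" they only match the global table.
crypto ikev2 policy IKEv2-POLICY
 match fvrf any
 proposal IKEv2-PROPOSAL
!
crypto ikev2 profile DMVPN-ISAKMP-IKEv2
 match fvrf any
 match certificate CERT-MAP-DMVPN-IKEv2
 identity local dn
 authentication local rsa-sig
 authentication remote rsa-sig
 pki trustpoint my-ca
!
crypto ipsec transform-set AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile DMVPN-IPSEC
 set transform-set AES256-SHA256
 set ikev2-profile DMVPN-ISAKMP-IKEv2
!
! One mGRE tunnel per ISP. The tunnel address lives in the global table;
! "tunnel vrf" makes GRE/IPsec resolve the tunnel destination in the FVRF.
! Each tunnel is its own DMVPN cloud (own subnet, own network-id).
interface Tunnel0
 description DMVPN cloud via ISP1
 ip address 10.5.0.1 255.255.255.0
 no ip redirects
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 no ip split-horizon eigrp 100
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel vrf ISP1
 tunnel protection ipsec profile DMVPN-IPSEC
!
interface Tunnel1
 description DMVPN cloud via ISP2
 ip address 10.6.0.1 255.255.255.0
 no ip redirects
 ip nhrp map multicast dynamic
 ip nhrp network-id 2
 no ip split-horizon eigrp 100
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel vrf ISP2
 tunnel protection ipsec profile DMVPN-IPSEC
!
! A single EIGRP process covers both tunnel subnets and the LAN.
router eigrp 100
 network 10.5.0.0 0.0.0.255
 network 10.6.0.0 0.0.0.255
 network 192.168.10.0 0.0.0.255
```

Because the two hub tunnels sit in different subnets, a spoke that should reach the hub over both ISPs needs one tunnel interface per cloud (Tunnel0 registering to 10.5.0.1 via 1.1.1.1, Tunnel1 to 10.6.0.1 via 2.2.2.1); the single-tunnel spoke with two NHS entries shown earlier in the thread applies when both hub addresses are in the same tunnel subnet. `show crypto ikev2 sa` and `show dmvpn` on the hub confirm that the IKEv2 sessions are bound to the expected FVRF and that spokes registered on each tunnel.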

Participant

Re: DMVPN, EIGRP And IPsec with CA

Dear All,

I still have a problem. My spoke runs one DMVPN tunnel to DC1 and one point-to-point (IPsec) tunnel to DC2. In the spoke router, both tunnels (DMVPN and PtP) are working, and the IPsec SA and IKEv2 are up. In my DC1, I run a DMVPN tunnel and a point-to-point tunnel to DC2. Now I have the problem in DC1. In my DC1, all DMVPN tunnels are up and working, but my point-to-point tunnel to DC1 didn't come up and is not working. I use a different IPsec policy and a different profile, but it is the same as my spoke site, so I don't know why my DC site has the problem. In my DC I am running local preference and prepend. Will it affect my tunnel?
