05-29-2019 09:14 AM
Hello, currently I deployed a DMVPN setup behind NAT with one Hub and one Spoke, my architecture looks like this
Hub - > Home router -> Internet <- Home router <- Spoke
My goal is to route home router networks between hub and spoke sides. So for example Hub side home router has 192.168.100.0/24 subnet and Spoke side router has 192.168.200.0/24 subnet, I want to route those subnets between Hub and Spoke, but didn't actually find a way to accomplish this task. Maybe someone had a similar task and might share some thoughts? Thanks!
05-29-2019 09:33 AM
Hello ,
If DMVPN is up (you can check with show dmvpn), you can use a dynamic routing protocol like EIGRP:
router eigrp 100
network 192.168.100.0 0.0.0.255 ! internal LAN to advertise over DMVPN
network 172.16.20.0 0.0.0.255 ! here I suppose this is the logical IP subnet used in DMVPN
no auto-summary
!
on spoke
router eigrp 100
network 192.168.200.0 0.0.0.255 ! internal LAN to advertise over DMVPN
network 172.16.20.0 0.0.0.255 ! here I suppose this is the logical IP subnet used in DMVPN
no auto-summary
!
Hope to help
Giuseppe
05-29-2019 09:52 AM
Unfortunately, I tried this, but it doesn't work. I can only ping the assigned address: if my Hub has 192.168.100.101 I can only ping this address from the Spoke, and if I ping the gateway, which is 192.168.100.1, it doesn't reply, and vice versa. So maybe there is an ACL issue and I need to set up access rules?
05-29-2019 09:55 AM
Hello,
post the full configs of hub and spoke...
05-29-2019 10:02 AM
### HUB (Cisco 871) ###
interface l1
ip add 192.168.101.1 255.255.255.0
int f4
no shut
ip add 10.10.10.204 255.255.0.0
ip route 0.0.0.0 0.0.0.0 10.10.0.1
crypto isakmp policy 10
authentication pre-share
encryption aes 256
hash sha
group 2
lifetime 1800
crypto isakmp key cisco123 add 0.0.0.0
crypto ipsec transform-set DMVPN_TRANS_AES esp-aes 256 esp-sha-hmac
mode transport
crypto ipsec profile test
set transform-set DMVPN_TRANS_AES
router eigrp 100
no auto-summary
net 172.16.32.200 0.0.0.7
net 192.168.101.0
net 10.10.0.0 0.0.255.255
int t0
bandwidth 1000
ip add 172.16.32.201 255.255.255.248
ip mtu 1400
ip tcp adjust-mss 1360
tunnel source f4
tunnel mode gre multipoint
tunnel key 9009
ip nhrp map multicast dynamic
ip nhrp authentication cisco123
ip nhrp network-id 101
ip nhrp holdtime 300
tunnel protection ipsec profile test
no ip next-hop-self eigrp 100
no ip split-horizon eigrp 100
### SPOKE (Cisco 2811) ###
interface l1
ip add 192.168.102.1 255.255.255.0
int f0/0
no shut
ip add 192.168.249.101 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.249.1
crypto isakmp policy 10
authentication pre-share
encryption aes 256
hash sha
group 2
lifetime 1800
crypto isakmp key cisco123 add 0.0.0.0
crypto ipsec transform-set DMVPN_TRANS_AES esp-aes 256 esp-sha-hmac
mode transport
crypto ipsec profile test
set transform-set DMVPN_TRANS_AES
router eigrp 100
no auto-summary
net 172.16.32.200 0.0.0.7
net 192.168.102.0
net 192.168.249.0 0.0.0.255
int t0
bandwidth 1000
ip add 172.16.32.202 255.255.255.248
ip mtu 1400
ip tcp adjust-mss 1360
tunnel source f0/0
tunnel mode gre multipoint
tunnel key 9009
ip nhrp map 172.16.32.201 1.1.1.1
ip nhrp map multicast 1.1.1.1
ip nhrp authentication cisco123
ip nhrp network-id 101
ip nhrp holdtime 300
tunnel protection ipsec profile test
ip nhrp nhs 172.16.32.201
05-29-2019 11:25 AM
Hello R3Natas,
what kind of interface is the following?
>>
interface l1 ip add 192.168.101.1 255.255.255.0
If this is a loopback interface it is only a logical interface and even if it has a /24 prefix the only host that can answer is the loopback itself.
The same is valid for the spoke interface
interface l1 ip add 192.168.102.1 255.255.255.0
Use other LAN interfaces and connect them via a switch to PCs.
Hope to help
Giuseppe
05-29-2019 11:28 AM
Hello,
as far as I can see, the mapping on your spoke is incorrect. On your hub, the tunnel source is FastEthernet4 (IP 10.10.10.204), that is what you need to map your spoke to:
### HUB (Cisco 871) ###
interface l1
ip add 192.168.101.1 255.255.255.0
int f4
no shut
ip add 10.10.10.204 255.255.0.0
ip route 0.0.0.0 0.0.0.0 10.10.0.1
crypto isakmp policy 10
authentication pre-share
encryption aes 256
hash sha
group 2
lifetime 1800
crypto isakmp key cisco123 add 0.0.0.0
crypto ipsec transform-set DMVPN_TRANS_AES esp-aes 256 esp-sha-hmac
mode transport
crypto ipsec profile test
set transform-set DMVPN_TRANS_AES
router eigrp 100
no auto-summary
net 172.16.32.200 0.0.0.7
net 192.168.101.0
net 10.10.0.0 0.0.255.255
int t0
bandwidth 1000
ip add 172.16.32.201 255.255.255.248
ip mtu 1400
ip tcp adjust-mss 1360
tunnel source f4
tunnel mode gre multipoint
tunnel key 9009
ip nhrp map multicast dynamic
ip nhrp authentication cisco123
ip nhrp network-id 101
ip nhrp holdtime 300
tunnel protection ipsec profile test
no ip next-hop-self eigrp 100
no ip split-horizon eigrp 100
### SPOKE (Cisco 2811) ###
interface l1
ip add 192.168.102.1 255.255.255.0
int f0/0
no shut
ip add 192.168.249.101 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.249.1
crypto isakmp policy 10
authentication pre-share
encryption aes 256
hash sha
group 2
lifetime 1800
crypto isakmp key cisco123 add 0.0.0.0
crypto ipsec transform-set DMVPN_TRANS_AES esp-aes 256 esp-sha-hmac
mode transport
crypto ipsec profile test
set transform-set DMVPN_TRANS_AES
router eigrp 100
no auto-summary
net 172.16.32.200 0.0.0.7
net 192.168.102.0
net 192.168.249.0 0.0.0.255
int t0
bandwidth 1000
ip add 172.16.32.202 255.255.255.248
ip mtu 1400
ip tcp adjust-mss 1360
tunnel source f0/0
tunnel mode gre multipoint
tunnel key 9009
ip nhrp map 172.16.32.201 10.10.10.204
ip nhrp map multicast 10.10.10.204
ip nhrp authentication cisco123
ip nhrp network-id 101
ip nhrp holdtime 300
tunnel protection ipsec profile test
ip nhrp nhs 172.16.32.201
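The comparison made in the reply above, written as a small offline check (an added example, not code from any poster in this thread): it parses flat IOS text like the configs posted here and lists the spoke's `ip nhrp` lines that disagree with the hub's tunnel address or with the address on the hub's tunnel source interface. It assumes the spoke reaches the hub at that interface address with no address translation in between; the function names and the trimmed sample configs are constructed for illustration.

```python
GLOBAL = ("crypto", "router", "ip route", "#", "!")  # lines that end an interface block

def interfaces(config):
    """Map interface name -> tokenised commands (flat, unindented IOS text)."""
    sections, current = {}, None
    for line in map(str.strip, config.splitlines()):
        words = line.split()
        if len(words) > 1 and words[0] in ("int", "interface"):
            current = sections.setdefault(words[1], [])
        elif line.startswith(GLOBAL):
            current = None
        elif words and current is not None:
            current.append(words)
    return sections

def address(cmds):
    """First 'ip add[ress] A.B.C.D mask' of an interface block, or None."""
    return next((w[2] for w in cmds if w[:2] in (["ip", "add"], ["ip", "address"])), None)

def tunnel(sections):
    """Return (commands, source) of the interface that carries 'tunnel source'."""
    for cmds in sections.values():
        for w in cmds:
            if w[:2] == ["tunnel", "source"]:
                return cmds, w[2]
    raise ValueError("no tunnel interface found")

def check_spoke(hub_cfg, spoke_cfg):
    """List spoke NHRP lines that do not match the hub's tunnel/NBMA addresses."""
    hub = interfaces(hub_cfg)
    hub_tun, src = tunnel(hub)
    hub_tunnel_ip = address(hub_tun)
    hub_nbma = address(hub[src]) if src in hub else src  # source may be a name or an IP
    spoke_tun, _ = tunnel(interfaces(spoke_cfg))
    def ok(w):
        if w[:3] == ["ip", "nhrp", "map"]:   # last token is the NBMA (underlay) address
            return w[-1] == hub_nbma and w[3] in ("multicast", hub_tunnel_ip)
        if w[:3] == ["ip", "nhrp", "nhs"]:   # NHS must be the hub's tunnel address
            return w[3] == hub_tunnel_ip
        return True
    return [" ".join(w) for w in spoke_tun if not ok(w)]

# Constructed samples, trimmed from the configs posted in this thread.
HUB = ("int f4\nip add 10.10.10.204 255.255.0.0\nip route 0.0.0.0 0.0.0.0 10.10.0.1\n"
       "int t0\nip add 172.16.32.201 255.255.255.248\ntunnel source f4\n")
SPOKE = ("int t0\nip add 172.16.32.202 255.255.255.248\ntunnel source f0/0\n"
         "ip nhrp map 172.16.32.201 {nbma}\nip nhrp map multicast {nbma}\n"
         "ip nhrp nhs 172.16.32.201\n")
```

Calling `check_spoke(HUB, SPOKE.format(nbma="1.1.1.1"))` returns the two `ip nhrp map` lines from the originally posted spoke config; with `nbma="10.10.10.204"` the list is empty.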
05-29-2019 11:37 AM
Never mind, found a solution: I just needed to add static routes to the home routers in order for it to start working.