02-01-2019 05:27 AM - edited 02-01-2019 08:19 AM
Hi,
I'm in the process of designing a spoke to spoke DMVPN solution with iBGP routing.
The spoke-to-hub communication works fine (PC1 & PC2 can successfully ping 10.10.1.1) but not the spoke-to-spoke communication (PC1 & PC2 can't ping each other).
Any idea why?
Hardware:
Spokes: Cellular routers connecting through SIMs.
Hub: Cisco 2900 Series connecting through ADSL.
Diagram:
GRE addressing:
Hub: 192.168.1.1
Spoke1: 192.168.1.2
Spoke2: 192.168.1.3
Hub's running conf:
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
lifetime 3600
crypto isakmp key xxxx address 0.0.0.0
crypto isakmp invalid-spi-recovery
!
!
crypto ipsec transform-set DMVPN esp-3des esp-md5-hmac
mode transport
!
crypto ipsec profile DMVPN
set security-association lifetime seconds 86400
set transform-set DMVPN
!
!
!
!
!
!
!
interface Loopback0
ip address 10.10.1.1 255.255.255.0
!
interface Tunnel0
ip address 192.168.1.1 255.255.255.0
no ip redirects
ip nhrp authentication xxxx
ip nhrp map multicast dynamic
ip nhrp network-id 1
no ip nhrp record
no ip nhrp cache non-authoritative
keepalive 20 3
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key 0
tunnel protection ipsec profile DMVPN
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address 86.x.x.x 255.255.255.240
duplex auto
speed auto
!
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
router ospf 1
!
router bgp 65500
bgp router-id 192.168.1.1
bgp log-neighbor-changes
bgp listen range 192.168.1.0/24 peer-group DMVPN
bgp listen limit 500
neighbor DMVPN peer-group
neighbor DMVPN remote-as 65500
neighbor DMVPN timers 30 180
!
address-family ipv4
network 10.10.1.0 mask 255.255.255.0
network 192.168.1.0
neighbor DMVPN activate
neighbor DMVPN next-hop-self
exit-address-family
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 86.x.x.x
Hub's routing table:
Gateway of last resort is 86.x.x.x to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 86.x.x.x
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.10.1.0/24 is directly connected, Loopback0
L 10.10.1.1/32 is directly connected, Loopback0
86.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 86.x.x.x/28 is directly connected, GigabitEthernet0/0
L 86.x.x.x/32 is directly connected, GigabitEthernet0/0
B 192.168.0.0/24 [200/0] via 192.168.1.2, 01:51:54
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.1.0/24 is directly connected, Tunnel0
L 192.168.1.1/32 is directly connected, Tunnel0
B 192.168.2.0/24 [200/0] via 192.168.1.3, 00:00:43
I thought it could be because the spokes don't know where to send the traffic toward one another so I added the following IP range to the Hub’s iBGP routing address-family so it advertises it to the spokes:
Network 192.168.0.0 mask 255.255.0.0
But it didn’t work… The spokes won't take it for some reason.
Whereas they do take:
Network 10.10.1.0 mask 255.255.255.0
Which is also advertised by the Hub…
KR
Mike
02-05-2019 04:18 AM - edited 02-05-2019 04:19 AM
I've managed to add static routes to the spokes towards one another but they still can't ping each other.
Spoke1:
192.168.2.0/24 through 192.168.1.1
Spoke2:
192.168.0.0/24 through 192.168.1.1
02-05-2019 09:47 AM
Adding static routes to each spoke would do nothing.
You haven't confirmed if your cellular routers are Cisco or a different vendor.
Does your traffic have to traverse a firewall? If so, have you checked to see if there are any hits on the firewall?
Could you do the following:
1. Remove crypto profile on the tunnel interfaces for both Hub and Spokes and test
2. Replace DMVPN config on Cisco Hub router with GRE only to each spoke with no crypto. If it works, then that confirms that your cellular routers have an issue integrating DMVPN with Cisco.
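As an added example (not posted by anyone in this thread), here is a small Python lint that reads a hub config in the form shown above and reports two things a reviewer would check before the GRE-only test: the weak ISAKMP/IPsec settings in the posted policy, and whether iBGP next-hop-self is paired with ip nhrp redirect on the tunnel (without it, spokes keep sending spoke-to-spoke traffic through the hub rather than building direct tunnels). The config excerpt is constructed from the posted hub config; the spoke configs were not posted, so only hub-side checks are made.

```python
import re

# Constructed excerpt of the hub config posted in the thread.
HUB_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto ipsec transform-set DMVPN esp-3des esp-md5-hmac
 mode transport
interface Tunnel0
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 ip nhrp authentication xxxx
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN
router bgp 65500
 neighbor DMVPN peer-group
 neighbor DMVPN remote-as 65500
 address-family ipv4
  neighbor DMVPN next-hop-self
"""

# Patterns are anchored at line start so "peer-group DMVPN" is not mistaken for a DH group.
WEAK = {
    r"^\s*encr 3des\b": "ISAKMP policy uses 3DES; prefer AES",
    r"^\s*hash md5\b": "ISAKMP policy uses MD5; prefer SHA-256",
    r"^\s*group [125]\b": "ISAKMP DH group 1/2/5 is weak; prefer group 14 or higher",
    r"\besp-3des\b": "transform set uses 3DES; prefer esp-aes",
    r"\besp-md5-hmac\b": "transform set uses HMAC-MD5; prefer esp-sha256-hmac",
}

def lint_hub_config(text):
    """Return a list of findings for a DMVPN hub config (IOS-style text)."""
    findings = [msg for pat, msg in WEAK.items() if re.search(pat, text, re.M)]
    has_nhs = re.search(r"^\s*neighbor \S+ next-hop-self\b", text, re.M) is not None
    has_redirect = re.search(r"^\s*ip nhrp redirect\b", text, re.M) is not None
    if has_nhs and not has_redirect:
        findings.append("next-hop-self without 'ip nhrp redirect' on the tunnel: spokes see "
                        "the hub as next hop, so spoke-to-spoke traffic hairpins via the hub "
                        "(phase 3 needs hub 'ip nhrp redirect' and spoke 'ip nhrp shortcut')")
    return findings

if __name__ == "__main__":
    for f in lint_hub_config(HUB_CONFIG):
        print("-", f)
```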