DMVPN - spoke to spoke comm not working

mikepro
Level 1

Hi,

 

I'm in the process of designing a spoke to spoke DMVPN solution with iBGP routing.

The spoke to hub communication works fine (PC1 & PC2 can successfully ping 10.10.1.1) but not the spoke to spoke's (PC1 & PC2 can't ping each other).

Any idea why?

 

Hardware:

Spokes: Cellular routers connecting through SIMs.

Hub: Cisco 2900 Series connecting through ADSL.

 

Diagram:

dmvpn diagram.JPG

 

GRE addressing:

Hub: 192.168.1.1

Spoke1: 192.168.1.2

Spoke2: 192.168.1.3

 

Hub's running conf:

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key xxxx address 0.0.0.0
crypto isakmp invalid-spi-recovery
!
crypto ipsec transform-set DMVPN esp-3des esp-md5-hmac
 mode transport
!
crypto ipsec profile DMVPN
 set security-association lifetime seconds 86400
 set transform-set DMVPN
!
interface Loopback0
 ip address 10.10.1.1 255.255.255.0
!
interface Tunnel0
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 ip nhrp authentication xxxx
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 no ip nhrp record
 no ip nhrp cache non-authoritative
 keepalive 20 3
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 0
 tunnel protection ipsec profile DMVPN
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 ip address 86.x.x.x 255.255.255.240
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
router ospf 1
!
router bgp 65500
 bgp router-id 192.168.1.1
 bgp log-neighbor-changes
 bgp listen range 192.168.1.0/24 peer-group DMVPN
 bgp listen limit 500
 neighbor DMVPN peer-group
 neighbor DMVPN remote-as 65500
 neighbor DMVPN timers 30 180
 !
 address-family ipv4
  network 10.10.1.0 mask 255.255.255.0
  network 192.168.1.0
  neighbor DMVPN activate
  neighbor DMVPN next-hop-self
 exit-address-family
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 86.x.x.x

 

Hub's routing table:

Gateway of last resort is 86.x.x.x to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 86.x.x.x
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.10.1.0/24 is directly connected, Loopback0
L 10.10.1.1/32 is directly connected, Loopback0
86.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 86.x.x.x/28 is directly connected, GigabitEthernet0/0
L 86.x.x.x/32 is directly connected, GigabitEthernet0/0
B 192.168.0.0/24 [200/0] via 192.168.1.2, 01:51:54
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.1.0/24 is directly connected, Tunnel0
L 192.168.1.1/32 is directly connected, Tunnel0
B 192.168.2.0/24 [200/0] via 192.168.1.3, 00:00:43

 

I thought it could be because the spokes don't know where to send the traffic toward one another, so I added the following IP range to the Hub's iBGP routing address-family so it advertises it to the spokes:

network 192.168.0.0 mask 255.255.0.0

But it didn't work… The spokes won't take it for some reason.

Whereas they do take:

network 10.10.1.0 mask 255.255.255.0

Which is also advertised by the Hub…

 

KR

Mike
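As a diagnosis and an added configuration example (not the poster's config, and assuming Cisco IOS spokes): the hub peers with the spokes over iBGP but is not a route reflector, so by iBGP split horizon it never re-advertises spoke1's 192.168.0.0/24 to spoke2 or spoke2's 192.168.2.0/24 to spoke1, and the `network 192.168.0.0 mask 255.255.0.0` statement is ignored because the hub has no exact 192.168.0.0/16 in its routing table, whereas 10.10.1.0/24 exists on Loopback0. `route-reflector-client` fixes the route propagation; `ip nhrp redirect` on the hub plus `ip nhrp shortcut` on the spokes (DMVPN Phase 3) then lets spoke-to-spoke traffic build a direct tunnel even with `next-hop-self` on the hub. The spoke tunnel source name `Cellular0` is an assumption, and the spoke's crypto configuration is assumed to mirror the hub's.

```cisco
! Hub (Cisco 2900): only the lines added to the posted config are shown.
router bgp 65500
 address-family ipv4
  ! iBGP split horizon: without this the hub never re-advertises a prefix
  ! learned from one spoke to the other spokes. (The posted
  ! 'network 192.168.0.0 mask 255.255.0.0' is ignored because no exact
  ! 192.168.0.0/16 route exists in the hub's RIB, unlike 10.10.1.0/24.)
  neighbor DMVPN route-reflector-client
 exit-address-family
!
interface Tunnel0
 ! Phase 3: tell a spoke whose traffic transited the hub to resolve a
 ! direct path, so next-hop-self on the hub no longer pins traffic there.
 ip nhrp redirect
!
! Spoke1 (Cisco IOS assumed; 'Cellular0' is an assumed interface name and
! 86.x.x.x is the hub's public address as masked in the post).
! Spoke2 is identical with 192.168.1.3 and network 192.168.2.0/24.
interface Tunnel0
 ip address 192.168.1.2 255.255.255.0
 no ip redirects
 ip nhrp authentication xxxx
 ip nhrp map 192.168.1.1 86.x.x.x
 ip nhrp map multicast 86.x.x.x
 ip nhrp network-id 1
 ip nhrp nhs 192.168.1.1
 ip nhrp shortcut
 tunnel source Cellular0
 tunnel mode gre multipoint
 tunnel key 0
 tunnel protection ipsec profile DMVPN
!
router bgp 65500
 bgp router-id 192.168.1.2
 neighbor 192.168.1.1 remote-as 65500
 address-family ipv4
  network 192.168.0.0 mask 255.255.255.0
  neighbor 192.168.1.1 activate
 exit-address-family
!
! Checks, in order:
!  hub:    show ip bgp neighbors 192.168.1.3 advertised-routes  (expect 192.168.0.0/24)
!  spoke1: show ip route 192.168.2.0                            (expect via 192.168.1.1)
!  spoke1: ping a PC2 address, then show dmvpn                  (expect a dynamic entry for 192.168.1.3)
```

If the BGP routes propagate but pings still fail with traffic relayed through the hub, the problem is below the routing layer and the GRE-without-crypto test suggested later in the thread is the right next isolation step.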

16 Replies

I've managed to add static routes to the spokes towards one another but they still can't ping each other.

 

Spoke1: 

192.168.2.0/24 through 192.168.1.1

 

Spoke2:

192.168.0.0/24 through 192.168.1.1

Adding static routes to each spoke would do nothing. 

 

You haven't confirmed if your cellular routers are Cisco or a different vendor. 

 

Does your traffic have to traverse a firewall? If so, have you checked to see if there are any hits on the firewall?

 

Could you do the following:

1. Remove crypto profile on the tunnel interfaces for both Hub and Spokes and test

2. Replace DMVPN config on Cisco Hub router with GRE only to each spoke with no crypto. If it works, then that confirms that your cellular routers have an issue integrating DMVPN with Cisco.
