09-25-2013 02:09 AM - edited 03-04-2019 09:08 PM
Hi,
I am building a new DMVPN tunnel. Previously we were getting the service from one of the service providers, but now I wanted to test my luck, and I am facing some issues.
Our head office network is 192.168.12.0 and the remote spoke routers' network is 192.168.75.0.
The tunnel IP at the head office is 172.20.20.1 and on each spoke side 172.20.20.2, 3, 4...
The hub configuration is:
--------------------------------------------------------------------------------------------------------------------------------------------------
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 3600
crypto isakmp key asicovpn address 0.0.0.0 0.0.0.0
!
!
!
!
!
!
interface Tunnel0
ip address 172.20.20.1 255.255.255.0
no ip redirects
ip mtu 1440
ip nhrp authentication asicovpn
ip nhrp map multicast dynamic
ip nhrp map multicast 172.20.20.1
ip nhrp network-id 254
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key 199
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address 78.93.37.134 255.255.255.240
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 192.168.12.124 255.255.255.0
duplex auto
speed auto
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
!
router ospf 10
redistribute rip metric 22222 subnets
network 192.168.12.0 0.0.0.255 area 0
!
router rip
version 2
redistribute ospf 10 metric 1
network 172.20.0.0
no auto-summary
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 78.93.37.129
!
--------------------------------------------------------------------------------------------------------------------------------
The configuration for the spoke routers is:
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 3600
crypto isakmp key asicovpn address 78.93.37.134
!
!
interface Tunnel0
bandwidth 1000
ip address 172.20.20.2 255.255.255.0
no ip redirects
ip mtu 1440
ip nhrp authentication asicovpn
ip nhrp map multicast dynamic
ip nhrp map multicast 78.93.37.134
ip nhrp map 172.20.20.1 78.93.37.134
ip nhrp network-id 254
ip nhrp nhs 172.20.20.1
tunnel source FastEthernet4
tunnel destination 78.93.37.134
tunnel key 199
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
ip address dhcp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 192.168.75.1 255.255.255.248
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
router rip
version 2
network 172.20.0.0
network 192.168.75.0
no auto-summary
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 2000 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 Tunnel0
ip route 78.93.37.134 255.255.255.255 192.168.1.1
!
access-list 2000 deny ip any 192.168.12.0 0.0.0.255
access-list 2000 deny ip any 192.168.13.0 0.0.0.255
access-list 2000 deny ip any 192.168.118.0 0.0.0.255
access-list 2000 deny ip any 192.168.114.0 0.0.0.255
access-list 2000 deny ip any 192.168.115.0 0.0.0.255
access-list 2000 deny ip any 192.168.116.0 0.0.0.255
access-list 2000 deny ip any 192.168.117.0 0.0.0.255
access-list 2000 deny ip any 192.168.21.0 0.0.0.255
access-list 2000 deny ip any 192.168.33.0 0.0.0.255
access-list 2000 deny ip any 192.168.41.0 0.0.0.255
access-list 2000 permit ip any any
no cdp run
----------------------------------------------------------------------------------------------------------------------
I can ping from the spoke router to my head office network, but cannot ping from the head office network to the spoke network 192.168.75.0.
The NATting is for internet traffic to exit via the DSL router; it should not go over the tunnel.
Can anyone please help me with this?
Many, many thanks in advance.
09-26-2013 07:39 AM
There are some things to mention:
1. There is no "crypto ipsec transform-set", no "crypto ipsec profile" and no "tunnel protection" configured. If you want to have an encrypted tunnel, you need to configure it.
2. Why are you routing the Hub WAN IP (78.93.37.134) to 192.168.1.1 on the spoke? If you receive your public IP and gateway on Fa4, you need to route something like "ip route 78.93.37.134 255.255.255.255 Fa4 dhcp".
3. De-configure that on the Hub tunnel: "ip nhrp map multicast 172.20.20.1". It doesn't make sense to do a static multicast mapping on your own IP address.
4. De-configure that on the Spoke tunnel: "ip nhrp map multicast dynamic". It is only needed on hubs.
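As an added example (not the poster's or the replier's configuration), the hub and spoke changes that follow from the four points above, in IOS CLI form. The transform-set and profile names DMVPN-TS and DMVPN-PROF are placeholders I chose, and AES-256/SHA-256 is my choice for the IPsec transform rather than the 3DES used in the posted ISAKMP policy.

```ios
! Added example, not from the original post. DMVPN-TS and DMVPN-PROF are
! placeholder names; the posted "crypto isakmp policy 1" and pre-shared
! key lines are left as they are.
!
! --- Hub and spoke (identical on both): point 1, the missing IPsec pieces.
! Transport mode is the usual DMVPN choice, since GRE already encapsulates.
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
! --- Hub: point 3 (drop the multicast map to its own address) and bind the profile.
interface Tunnel0
 no ip nhrp map multicast 172.20.20.1
 tunnel protection ipsec profile DMVPN-PROF
!
! --- Spoke: point 4 (multicast dynamic is hub-only) and bind the profile.
interface Tunnel0
 no ip nhrp map multicast dynamic
 tunnel protection ipsec profile DMVPN-PROF
!
! --- Spoke: point 2, reach the hub's WAN address via the gateway learned
!     by DHCP on Fa4 instead of the hard-coded 192.168.1.1 next hop.
no ip route 78.93.37.134 255.255.255.255 192.168.1.1
ip route 78.93.37.134 255.255.255.255 FastEthernet4 dhcp
```

After applying this on both sides, "show crypto isakmp sa" and "show dmvpn" on the hub should list the spoke's public address as an active peer with an NHRP registration; if the ISAKMP SA never leaves MM_NO_STATE, the pre-shared key or phase 1 policy still differs between hub and spoke.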