07-30-2006 10:18 PM - edited 03-03-2019 01:30 PM
Hi All,
It's stupid to ask, but I want to clear it out.
As the title says, we are configuring it between one remote location and HO, no problem in it, but if I want to do it with all remote offices, would it be creating new tunnels between these new remote offices and HO, or can the one I created initially between the 1st remote location and HO be used to establish the tunnels between the rest of the remote locations?
07-30-2006 11:09 PM
As I know, you have to create individual tunnels between HO and the remote offices, like a hub and spoke design.
Sample here :
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009438e.shtml
Hope this helps.
08-01-2006 03:00 AM
Thanks for the links, the configuration works perfectly and I can ping the tunnel interfaces and the external interface ends of R1 and R2 from one another. But I have a problem: I cannot ping the local interface of R1 from R2 or vice versa.
08-01-2006 04:57 AM
Hi,
DMVPN is there for exactly such scenarios. You'll configure multipoint GRE (mGRE) at hub site and either point-to-point (if you don't want spokes to communicate directly) or multipoint GRE (if you'd like direct communication between spokes dynamically exchanged) at spoke sites.
There are several good documents on DMVPN at CCO (check http://www.cisco.com/application/pdf/en/us/guest/netsol/ns130/c649/ccmigration_09186a0080685cc2.pdf and then http://www.cisco.com/go/srnd/).
I've tested it recently and it really saves a lot of work for connecting new sites.
08-01-2006 12:33 PM
Hi,
thanks, I got what you are saying, but I would like to add something here: if I remove the GRE and IPsec from both R1 and R2, I can ping the local interface of R2 from router R1's external or tunnel interface. So I think it has something to do with either the access-list or routing. Please advise.
08-01-2006 12:39 PM
It's very likely a tunnel config problem. Did you configure GRE and IPsec as p2p on both sides, or have you gone the DMVPN way? In the latter case make sure that NHRP is correctly configured. Could you post your configs somewhere (only the relevant parts, but from both sides)?
08-01-2006 08:41 PM
08-02-2006 03:18 AM
The destination address of the tunnel should be the address used on the source interface (ethernet) of the opposite side, but you've specified the address assigned to the remote tunnel interface itself. Changing the destination should fix the problem.
Besides, the configuration can be simpler if you use IPsec tunnel protection instead of crypto maps on the ethernet interface. Here is an example:
! this part is the same as you have
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key bitesandbytes address 0.0.0.0
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
 mode transport
!
! use a profile instead of a crypto map
crypto ipsec profile vpn-profile
 set security-association lifetime seconds 120
 set transform-set strong
!
! apply the profile to the tunnel
interface Tunnel0
 bandwidth 100000
 ip address 1.1.1.1 255.255.255.0
 tunnel source GigabitEthernet0/1
 ! destination is the peer's ethernet (tunnel source) address, not its tunnel address
 tunnel destination
 tunnel protection ipsec profile vpn-profile
!
So you don't have to worry about an ACL for selecting the traffic to put through IPsec. The 'bandwidth' command is desirable if you're running a routing protocol over the tunnel - it will result in a more accurate metric.
Once you have this running, with only a few more changes you can transform it to DMVPN and provision only the remote offices, with no extra changes at the hub site.
Hope this helps.
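A small config-consistency check for the mistake diagnosed above, added here as an illustration and not part of the thread or any Cisco tool: it parses two IOS-style configs, looks up the address of the peer's tunnel source interface, and reports when a router's tunnel destination is not that address (flagging the case where it points at the peer's tunnel address instead), and when a referenced IPsec profile is not defined. The sample configs and addresses are constructed for the example.

```python
import re
# Constructed sample configs (not the thread's own); R1_BAD has the reply's mistake: its destination is R2's Tunnel0 address.
R1_BAD = """
crypto ipsec profile vpn-profile
interface GigabitEthernet0/1
 ip address 203.0.113.1 255.255.255.252
interface Tunnel0
 ip address 1.1.1.1 255.255.255.0
 tunnel source GigabitEthernet0/1
 tunnel destination 1.1.1.2
 tunnel protection ipsec profile vpn-profile
"""
R1_GOOD = R1_BAD.replace("tunnel destination 1.1.1.2", "tunnel destination 203.0.113.2")
R2 = """
crypto ipsec profile vpn-profile
interface GigabitEthernet0/1
 ip address 203.0.113.2 255.255.255.252
interface Tunnel0
 ip address 1.1.1.2 255.255.255.0
 tunnel source GigabitEthernet0/1
 tunnel destination 203.0.113.1
 tunnel protection ipsec profile vpn-profile
"""
FIELDS = (("ip", r"ip address (\S+) \S+"), ("src", r"tunnel source (\S+)"),
          ("dst", r"tunnel destination (\S+)"), ("profile", r"tunnel protection ipsec profile (\S+)"))
def parse(cfg: str) -> dict:
    """Collect interface addresses, tunnel source/destination and defined IPsec profiles."""
    ifaces, profiles, cur = {}, set(), None
    for line in (raw.strip() for raw in cfg.splitlines()):
        if m := re.match(r"interface (\S+)$", line):
            cur = ifaces.setdefault(m.group(1), {})
        elif m := re.match(r"crypto ipsec profile (\S+)", line):
            profiles.add(m.group(1)); cur = None
        elif cur is not None:
            for key, pat in FIELDS:
                if m := re.match(pat, line):
                    cur[key] = m.group(1)
    return {"ifaces": ifaces, "profiles": profiles}

def check_pair(local_cfg: str, peer_cfg: str, tun: str = "Tunnel0") -> list:
    """Findings for local's tunnel against the peer's config; [] means consistent."""
    local, peer = parse(local_cfg), parse(peer_cfg)
    lt, pt = local["ifaces"].get(tun, {}), peer["ifaces"].get(tun, {})
    peer_phys_ip = peer["ifaces"].get(pt.get("src", ""), {}).get("ip")  # peer's ethernet address
    problems = []
    if lt.get("dst") != peer_phys_ip:
        hint = " (that is the peer's tunnel address)" if lt.get("dst") == pt.get("ip") else ""
        problems.append(f"{tun}: destination {lt.get('dst')} should be {pt.get('src')} address {peer_phys_ip}{hint}")
    if lt.get("profile") and lt["profile"] not in local["profiles"]:
        problems.append(f"{tun}: ipsec profile {lt['profile']} referenced but not defined")
    return problems
```

Run it with `check_pair(R1_BAD, R2)` to see the finding, and `check_pair(R1_GOOD, R2)` for a clean pair.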