Beginner

Re: DMVPN and Point-to-Point (IPSec)

Hi,

I know this thread is too long, but

I don't want to duplicate questions and open many threads, so I am asking some questions under this thread. Should I open another thread?

Now I tried to integrate those two scenarios. But when I set up IPsec to DC1 in the lab, before setting it up in production, I got a problem. Please see the configuration below for 1 tunnel only, without DMVPN. I followed the links below.

I cannot ping from host PC1 to PC2. I can ping router to router.

https://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/118977-config-ebgp-00.pdf

and 

https://networklessons.com/cisco/ccie-routing-switching-written/ipsec-vti-virtual-tunnel-interface/

 

R1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
192.168.12.1 192.168.12.2 QM_IDLE 1001 ACTIVE

IPv6 Crypto ISAKMP SA

R1#sh cryp
R1#sh crypto ips
R1#sh crypto ipsec sa

interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 192.168.12.1

protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 192.168.12.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 192.168.12.1, remote crypto endpt.: 192.168.12.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x54FBB914(1425783060)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0x2075CF19(544591641)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: 1, sibling_flags 80000040, crypto map: Tunnel0-head -0
sa timing: remaining key lifetime (k/sec): (4177644/1957)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x54FBB914(1425783060)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: 2, sibling_flags 80000040, crypto map: Tunnel0-head -0
sa timing: remaining key lifetime (k/sec): (4177645/1957)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:
R1#

 

 

Beginner

Re: DMVPN and Point-to-Point (IPSec)

Hi Francesco Molino,

For my design, I am using VTI for IPsec because if I use a crypto map, I need to bind the IPsec profile to the physical interface. So I use VTI to bind the IPsec profile to the tunnel interface, to separate the IPsec tunnel and the DMVPN tunnel.

But in the VTI section, I cannot reach host to host. I can reach the host gateway IP of the router, router to router.

Let me know if my config is wrong.

 

VIP Advisor

Re: DMVPN and Point-to-Point (IPSec)

Hi

Your config is OK. I also tried it just to make sure, and everything works.
I don't know which router model you are using in GNS3, but maybe you can change the static route by adding the next-hop tunnel IP after tunnel0, like:

ip route 192.168.1.0 255.255.255.0 tunnel 0 12.12.12.1

Try this and let me know.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
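A complete one-side configuration of the VTI tunnel this thread is debugging, added here as an example (it is not the original poster's or Francesco's configuration). The underlay addresses 192.168.12.1/.2, the tunnel subnet 12.12.12.0/24, the LAN 192.168.1.0/24 and the esp-aes/esp-sha-hmac transform come from the outputs and the route quoted in the thread; the LAN interface name, R2's LAN prefix 192.168.2.0/24, the pre-shared key placeholder, the IKE policy values and the PFS setting are assumptions, and IOS 15.x syntax is assumed.

```cisco
! R1 side of a static VTI IPsec tunnel (added example, not the thread's own
! configuration). Assumed: IOS 15.x, LAN on FastEthernet0/1, remote LAN
! 192.168.2.0/24 behind R2, placeholder pre-shared key.
!
! Phase 1 (IKEv1) policy: AES-256, SHA-256, DH group 14, pre-shared key.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! Placeholder key: replace with a long random secret, and use a different
! key per peer so that one compromised spoke cannot impersonate another.
crypto isakmp key CHANGE-ME-PSK address 192.168.12.2
!
! Phase 2 transform, the same esp-aes / esp-sha-hmac pair shown in the
! "show crypto ipsec sa" output earlier in the thread.
crypto ipsec transform-set TS esp-aes esp-sha-hmac
 mode tunnel
!
! The profile is bound to the tunnel interface, not to the physical
! interface, which is what keeps this IPsec tunnel separate from a DMVPN
! tunnel on the same router.
crypto ipsec profile VTI-PROFILE
 set transform-set TS
! The thread's output shows "PFS (Y/N): N"; enabling PFS is an added
! hardening so that a recovered IKE key does not expose old IPsec keys.
 set pfs group14
!
interface FastEthernet0/0
 description Underlay link toward R2
 ip address 192.168.12.1 255.255.255.0
!
interface FastEthernet0/1
 description LAN toward PC1 (assumed interface)
 ip address 192.168.1.1 255.255.255.0
! PC1 must use 192.168.1.1 as its default gateway: router-to-router pings
! succeed without it, host-to-host pings do not.
!
! "tunnel mode ipsec ipv4" makes this a VTI: the SA protects everything
! routed into Tunnel0, hence the 0.0.0.0/0 local/remote idents in the
! output earlier in the thread.
interface Tunnel0
 ip address 12.12.12.1 255.255.255.0
 tunnel source FastEthernet0/0
 tunnel destination 192.168.12.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE
!
! Route the remote LAN into the tunnel, naming both the interface and the
! next hop, the form Francesco suggests above.
ip route 192.168.2.0 255.255.255.0 Tunnel0 12.12.12.2
```

R2 mirrors this with the addresses swapped (192.168.12.2 underlay, 12.12.12.2 tunnel, 192.168.2.0/24 LAN, route to 192.168.1.0/24 via Tunnel0 12.12.12.1). After both sides are up, the encaps/decaps counters in "show crypto ipsec sa" should increase for host-to-host traffic, not just for router-to-router pings; if only router-sourced traffic is counted, the hosts' default gateway or the LAN routes are the place to look.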
Rising star

Re: DMVPN and Point-to-Point (IPSec)

Check the default gateway on the hosts.

Beginner

Re: DMVPN and Point-to-Point (IPSec)

Hi all,

I have solved it now.

I would like to ask about my scenario. You all suggest running BGP in this design.

I would like to know about BGP peering.

May I know if it is enough to peer with the ISP router at all sites, for both the IPsec with VTI and the DMVPN scenarios?

Do I still need to peer with the virtual IP?

For example: neighbor 12.12.12.2 remote-as 65201

In the lab, I always peer with the virtual IP. I just want to be clear.

 

VIP Advisor

Re: DMVPN and Point-to-Point (IPSec)

Not sure I understand your question. Virtual IP meaning Loopback IPs?
And how do you want to peer?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
Beginner

Re: DMVPN and Point-to-Point (IPSec)

Hi,
I mean the tunnel IP. I don't know how to peer.
VIP Advisor

Re: DMVPN and Point-to-Point (IPSec)

The tunnel is your overlay and your ISP doesn't have a clue about this subnet, which means you will not peer with your ISP using this interface. You'll need to peer using your directly connected interface with your ISP, and this will be your underlay. Then you'll use your tunnel to peer with the other spokes, and this will be your overlay. Underlay routing will be used by your tunnels to come up and build their peering afterwards.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
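A spoke-side BGP configuration that follows the split Francesco describes above, added here as an example (it is not his or the original poster's configuration): one eBGP session to the ISP over the physical interface (underlay) and one iBGP session to the hub over the tunnel (overlay). The tunnel addresses 12.12.12.1/.2 and AS 65201 come from the thread; the ISP link 203.0.113.0/30, ISP AS 64500, the hub's underlay address 198.51.100.1, the spoke LAN 192.168.2.0/24 and the password placeholder are constructed values, and the IPsec profile VTI-PROFILE is assumed to be defined elsewhere.

```cisco
! Spoke router (added example, not from the thread). Constructed values:
! ISP link 203.0.113.0/30 (ISP = .1, spoke = .2), ISP AS 64500,
! hub underlay address 198.51.100.1, spoke LAN 192.168.2.0/24.
!
interface GigabitEthernet0/0
 description Underlay: directly connected link to the ISP
 ip address 203.0.113.2 255.255.255.252
!
interface GigabitEthernet0/1
 description Spoke LAN
 ip address 192.168.2.1 255.255.255.0
!
! Overlay: the tunnel rides on top of the underlay. The ISP never learns
! 12.12.12.0/24, so no session with the ISP can use these addresses.
! The tunnel destination is resolved through the routes learned on the
! underlay session below; that is what lets the tunnel come up first.
interface Tunnel0
 ip address 12.12.12.2 255.255.255.0
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE
!
! Underlay session: accept routes from the ISP (a default is enough for the
! tunnel to come up) but announce nothing; this spoke owns no public prefix.
ip prefix-list UNDERLAY-OUT seq 5 deny 0.0.0.0/0 le 32
!
! Overlay session: never accept the hub's underlay address through the
! tunnel, otherwise the tunnel destination recurses into the tunnel itself
! and the VTI flaps.
ip prefix-list OVERLAY-IN seq 5 deny 198.51.100.0/24 le 32
ip prefix-list OVERLAY-IN seq 10 permit 0.0.0.0/0 le 32
!
router bgp 65201
 bgp log-neighbor-changes
! Underlay: eBGP to the ISP on the physical interface, with TCP MD5
! authentication (placeholder password) so a spoofed session cannot inject
! routes toward the tunnel endpoint.
 neighbor 203.0.113.1 remote-as 64500
 neighbor 203.0.113.1 password CHANGE-ME-BGP-PASSWORD
! Overlay: iBGP to the hub, sourced from Tunnel0 so the session and the
! LAN prefixes it carries stay inside IPsec.
 neighbor 12.12.12.1 remote-as 65201
 neighbor 12.12.12.1 update-source Tunnel0
 !
 address-family ipv4
  neighbor 203.0.113.1 activate
  neighbor 203.0.113.1 prefix-list UNDERLAY-OUT out
  neighbor 203.0.113.1 maximum-prefix 1000
  neighbor 12.12.12.1 activate
  neighbor 12.12.12.1 prefix-list OVERLAY-IN in
! Only the private LAN is announced, and only over the overlay; the ISP
! session's outbound filter keeps it off the underlay.
  network 192.168.2.0 mask 255.255.255.0
 exit-address-family
```

The same two-session pattern applies to a DMVPN spoke: the underlay session stays on the physical interface toward the ISP, and the overlay session is simply sourced from the mGRE tunnel instead of the VTI. "show ip bgp summary" should list the ISP neighbor with the underlay address and the hub with its tunnel address; if the hub's underlay prefix ever shows up in "show ip route" with Tunnel0 as the outgoing interface, the inbound overlay filter is missing.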