Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
12418
Views
160
Helpful
67
Replies

DMVPN and Point-to-Point (IPSec)

Go to solution
UCrypto
Level 1
Level 1

‎09-11-2018 05:44 PM - edited ‎03-08-2019 04:08 PM

Dear All,

PLease help me:

  1. I would like to know DMVPN and Point to Point (IPSec) can run in one router ? I mean two type of VPN can run together ?
  2. If i will use GBP for DMVPN ,how many RAM will need in minimum ?
  3. For BGP in DMVPN, my remote as is ISP AS number and PE router IP(gateway IP)?
  4. For my DMVPN,can I use AS number are (100,200,300 etc) ?
Labels:
0 Helpful
67 Replies 67

Go to solution
UCrypto
Level 1
Level 1
In response to Georg Pauwen

‎11-08-2018 01:20 AM - edited ‎11-08-2018 01:49 PM

Hi,

I know this thread is too long but

i don't want to duplicate question and open many threads so i ask some questions under this thread.Should i open other thread ?

Now i tried integrate those two scenario .But when i setup IPSec to DC1 in lab before setup in production ,i got the problem.Please see the below configuration for 1 tunnel only without DMVPN . I followed below links.

I cannot ping host PC1 to PC2. I can ping router to router.

 

https://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/118977-config-ebgp-00.pdf

and 

https://networklessons.com/cisco/ccie-routing-switching-written/ipsec-vti-virtual-tunnel-interface/

 

R1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
192.168.12.1 192.168.12.2 QM_IDLE 1001 ACTIVE

IPv6 Crypto ISAKMP SA

R1#sh cryp
R1#sh crypto ips
R1#sh crypto ipsec sa

interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 192.168.12.1

protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 192.168.12.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 192.168.12.1, remote crypto endpt.: 192.168.12.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x54FBB914(1425783060)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0x2075CF19(544591641)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: 1, sibling_flags 80000040, crypto map: Tunnel0-head -0
sa timing: remaining key lifetime (k/sec): (4177644/1957)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x54FBB914(1425783060)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: 2, sibling_flags 80000040, crypto map: Tunnel0-head -0
sa timing: remaining key lifetime (k/sec): (4177645/1957)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:
R1#

 

 

Preview file
49 KB
Preview file
1 KB
Preview file
1 KB
0 Helpful

Go to solution
UCrypto
Level 1
Level 1
In response to UCrypto

‎11-08-2018 01:48 PM - edited ‎11-08-2018 01:48 PM

Hi  Francesco Molino,

For my Design,i am using VTI for IPSec because if i use crypto map,i need to bind ipsec profile to physical interface .So i use VTI to bind ipsec profile to tunnel interface to sperate IPSec tunnel and DMVPN tunnel.

But VTI section,i cannot to reach host to host. I can reach host gateway ip of router to router.

let me know my config is wrong ?

 

0 Helpful

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni
In response to UCrypto

‎11-10-2018 09:01 AM

Hi

Your config is ok. And I also tried it just to make sure, everything works.
Don't know which router model are you using in GNS3 but maybe you can change the static route by adding the next hop tunnel IP after tunnel0 like:

ip route 192.168.1.0 255.255.255.0 tunnel 0 12.12.12.1

Try this and let me know.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Go to solution
a.alekseev
Level 7
Level 7
In response to UCrypto

‎11-10-2018 09:47 AM

check default gw on the hosts

Go to solution
UCrypto
Level 1
Level 1
In response to Francesco Molino

‎11-13-2018 06:28 AM

Hi all,

I can solved now.

i would like to ask in my scenario.you all suggest to run bgp in this design.

i would like to know gbg peering.

May i know is it enough if i peer with ISP router in all sites for all IPSec with VTI and DMVPN scenario?

Do i still need to peer with virtual IP ?

 

for example : neigbour 12.12.12.2 remote-as 65201

In lab,i always peer with virtual IP.I just want to clear.

 

0 Helpful

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni
In response to UCrypto

‎11-14-2018 10:30 AM

Not sure I understand your question. Virtual IP meaning Loopback IPs?
And how do you want to peer?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

Go to solution
UCrypto
Level 1
Level 1
In response to Francesco Molino

‎11-14-2018 03:52 PM

Hi,
I mean tunnel IP . I Don't know how to peer.
0 Helpful

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni
In response to UCrypto

‎11-14-2018 07:37 PM

The tunnel is your overlay and your isp doesn't have a clue of this subnet which means you will not peer with your isp using this interface. You'll need to have peering using your directly connected interface with your isp and this will be your underlay. Then you'll use your tunnel to peer with other spokes and this will be your overlay. Underlay roofing will be used by your tunnels to come up and build their peering afterwards.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card