DMVPN and Point-to-Point (IPSec)

UCrypto
Level 1

Dear All,

Please help me:

  1. I would like to know whether DMVPN and point-to-point (IPsec) can run on one router? I mean, can two types of VPN run together?
  2. If I use BGP for DMVPN, how much RAM is needed at minimum?
  3. For BGP in DMVPN, is my remote AS the ISP AS number and the PE router IP (gateway IP)?
  4. For my DMVPN, can I use AS numbers like 100, 200, 300, etc.?

Hi,

I know this thread is too long, but

I don't want to duplicate questions and open many threads, so I am asking some questions under this thread. Should I open another thread?

Now I tried to integrate those two scenarios. But when I set up IPsec to DC1 in the lab before setting it up in production, I got a problem. Please see the configuration below for one tunnel only, without DMVPN. I followed the links below.

I cannot ping from host PC1 to PC2. I can ping router to router.

 

https://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/118977-config-ebgp-00.pdf

and 

https://networklessons.com/cisco/ccie-routing-switching-written/ipsec-vti-virtual-tunnel-interface/

 

R1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
192.168.12.1 192.168.12.2 QM_IDLE 1001 ACTIVE

IPv6 Crypto ISAKMP SA

R1#sh crypto ipsec sa

interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 192.168.12.1

protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 192.168.12.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 192.168.12.1, remote crypto endpt.: 192.168.12.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x54FBB914(1425783060)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0x2075CF19(544591641)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: 1, sibling_flags 80000040, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4177644/1957)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x54FBB914(1425783060)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: 2, sibling_flags 80000040, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4177645/1957)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:
R1#

 

 

Hi Francesco Molino,

For my design, I am using VTI for IPsec because if I use a crypto map, I need to bind the IPsec profile to the physical interface. So I use VTI to bind the IPsec profile to a tunnel interface, to separate the IPsec tunnel and the DMVPN tunnel.

But in the VTI setup, I cannot reach host to host. I can reach the host gateway IP from router to router.

Let me know if my config is wrong?

 

Hi

Your config is OK. I also tried it just to make sure, and everything works.
I don't know which router model you are using in GNS3, but maybe you can change the static route by adding the next-hop tunnel IP after tunnel0, like:

ip route 192.168.1.0 255.255.255.0 tunnel 0 12.12.12.1

Try this and let me know.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

check default gw on the hosts

Hi all,

I have solved it now.

I would like to ask about my scenario. You all suggested running BGP in this design.

I would like to know about BGP peering.

May I know if it is enough to peer with the ISP router at all sites, for both the IPsec with VTI and the DMVPN scenarios?

Do I still need to peer with the virtual IP?

 

For example: neighbor 12.12.12.2 remote-as 65201

In the lab, I always peer with the virtual IP. I just want to be clear.

 

Not sure I understand your question. Virtual IP meaning Loopback IPs?
And how do you want to peer?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi,
I mean the tunnel IP. I don't know how to peer.

The tunnel is your overlay, and your ISP doesn't have a clue about this subnet, which means you will not peer with your ISP using this interface. You'll need to peer with your ISP using your directly connected interface, and this will be your underlay. Then you'll use your tunnel to peer with the other spokes, and this will be your overlay. Underlay routing will be used by your tunnels to come up and build their peering afterwards.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
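Pulling the thread's pieces together, here is an added configuration example (written for this page, not taken from any of the posts) for a single spoke router that runs a point-to-point IPsec VTI to DC1 and a DMVPN spoke tunnel side by side, each bound to its own IPsec profile, with BGP peered on the underlay (the directly connected ISP link) and separately on the overlay (the tunnel IPs), as the last reply describes. Every address and number in it is assumed for illustration: the ISP PE 192.168.12.2 in AS 65201, the site's transport loopback 198.51.100.2, DC1's VTI endpoint 198.51.100.1 with VTI subnet 12.12.12.0/30, the DMVPN hub at 203.0.113.1 (tunnel IP 10.0.0.1), the site LAN 192.168.2.0/24, the DC1 LAN 192.168.1.0/24 from the static route quoted earlier, and the enterprise ASN 65101 (chosen from the 64512-65534 private range so it cannot collide with a registered ASN). The pre-shared keys are placeholders.

```cisco
! Added example; all addresses, ASNs and keys are assumptions, not values from the thread.
! IKEv1 policy shared by both tunnels (matches the ISAKMP/ESP setup in the lab output above).
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 28800
! One PSK per peer; a wildcard key (address 0.0.0.0) is only needed for DMVPN spoke-to-spoke,
! and PKI is the better choice there.
crypto isakmp key REPLACE-DC1-PSK address 198.51.100.1
crypto isakmp key REPLACE-HUB-PSK address 203.0.113.1
!
! Separate transform sets and IPsec profiles, so each tunnel carries its own SA policy.
crypto ipsec transform-set TS-VTI esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec transform-set TS-DMVPN esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile IPSEC-VTI
 set transform-set TS-VTI
 set pfs group14
crypto ipsec profile IPSEC-DMVPN
 set transform-set TS-DMVPN
 set pfs group14
!
! Underlay: physical link to the ISP PE plus a transport loopback that is the tunnel source.
interface GigabitEthernet0/0
 description Underlay link to ISP PE 192.168.12.2
 ip address 192.168.12.1 255.255.255.0
interface Loopback0
 description Transport address advertised to the ISP; source of both tunnels
 ip address 198.51.100.2 255.255.255.255
!
! Tunnel0: point-to-point IPsec VTI to DC1 (no crypto map on the physical interface).
interface Tunnel0
 description IPsec VTI to DC1
 ip address 12.12.12.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source Loopback0
 tunnel destination 198.51.100.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-VTI
!
! Tunnel1: DMVPN spoke (mGRE + NHRP) to the hub, protected by the second profile.
interface Tunnel1
 description DMVPN spoke tunnel to hub 203.0.113.1
 ip address 10.0.0.2 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp network-id 1
 ip nhrp holdtime 600
 ip nhrp map 10.0.0.1 203.0.113.1
 ip nhrp map multicast 203.0.113.1
 ip nhrp nhs 10.0.0.1
 ip nhrp shortcut
 tunnel source Loopback0
 tunnel mode gre multipoint
 tunnel protection ipsec profile IPSEC-DMVPN
!
! DC1's LAN is reached through the VTI; the next hop is the far end's tunnel IP.
ip route 192.168.1.0 255.255.255.0 Tunnel0 12.12.12.1
!
! Only the transport loopback goes to the ISP; only the site LAN goes into the overlay.
ip prefix-list TRANSPORT-ONLY seq 10 permit 198.51.100.2/32
ip prefix-list LAN-ONLY seq 10 permit 192.168.2.0/24
!
router bgp 65101
 bgp log-neighbor-changes
 neighbor 192.168.12.2 remote-as 65201
 neighbor 192.168.12.2 description Underlay eBGP to ISP PE on the connected link
 neighbor 10.0.0.1 remote-as 65101
 neighbor 10.0.0.1 description Overlay iBGP to DMVPN hub over the tunnel IPs
 neighbor 10.0.0.1 update-source Tunnel1
 address-family ipv4
  network 198.51.100.2 mask 255.255.255.255
  network 192.168.2.0 mask 255.255.255.0
  neighbor 192.168.12.2 activate
  neighbor 192.168.12.2 prefix-list TRANSPORT-ONLY out
  neighbor 10.0.0.1 activate
  neighbor 10.0.0.1 prefix-list LAN-ONLY out
 exit-address-family
```

The two `tunnel protection` lines each create their own crypto map head on the shared source, which is what the `Tunnel0-head-0` tag in the lab output refers to, so the VTI and the DMVPN tunnel keep independent SAs. The underlay peering learns the other sites' transport addresses (198.51.100.1 and 203.0.113.1 in this example) from the ISP, which is all the tunnels need to come up; the overlay peering then carries the LAN prefixes. The outbound prefix-lists are the security check worth keeping: without them the internal LAN routes are offered to the provider, and the transport loopback ends up in the overlay. `show crypto session`, `show dmvpn` and `show ip bgp summary` confirm each layer in turn.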