DMVPN : Configuring tunnel Default gateway on cisco ios routing issue

CSCO11181152, Level 1

Dear All,

Please, I would appreciate your help to resolve the following issue.

All the desired legitimate traffic between the remote site and the Data Center is operational without any issue using the firewall, because the DMVPN router forwards legitimate traffic to the firewall.

However, if we want to allow internet traffic from the spoke1 machine via the Data Center firewall (192.168.10.1), somehow we are unable to route it.

The following are the IP address and default gateway which are used at the remote site.

IP address: 192.168.61.91

DG: 192.168.61.1

DNS: 213.42.20.20 (Etisalat DNS for direct internet access via firewall 192.168.10.1)

The following is the latest configuration; the diagram is attached for your information:

DMVPN_HUB router configuration:

!
boot-start-marker
boot-end-marker
!
aaa new-model
!
aaa session-id common
!
dot11 syslog
ip source-route
!
ip cef
!
ip domain name 213.42.20.20
!
multilink bundle-name authenticated
!
archive
 log config
  hidekeys
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key xxxx address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set trans2 esp-des esp-md5-hmac
!
crypto ipsec profile vpnprof
 set transform-set trans2
!
! mGRE hub interface: spokes register here via NHRP; PBR applies to traffic arriving from them
interface Tunnel0
 bandwidth 16384
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication 1p2@3s4s
 ip nhrp map multicast dynamic
 ip nhrp network-id 100000
 ip nhrp holdtime 600
 ip policy route-map VPN-INTERNET
 delay 1000
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile vpnprof
!
interface GigabitEthernet0/0
 description Connected to AGI_DC_CS2 port gi2/42
 ip address x.x.x.26 255.255.255.248
 duplex full
 speed auto
!
interface GigabitEthernet0/1
 ip address 192.168.10.3 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/1/0
 no ip address
 shutdown
 no fair-queue
 clock rate 2000000
!
router eigrp 1
 redistribute static
 network 10.0.0.0 0.0.0.255
 network 192.168.10.3 0.0.0.0
 network 192.168.0.0 0.0.255.255
 no auto-summary
!
ip forward-protocol nd
no ip route static inter-vrf
ip route 0.0.0.0 0.0.0.0 83.111.201.25
ip route 172.17.0.0 255.255.0.0 192.168.10.1
ip route 172.31.0.0 255.255.0.0 192.168.10.1
ip route 192.168.2.0 255.255.255.0 192.168.10.1
ip route 192.168.5.0 255.255.255.0 192.168.10.1
ip route 192.168.32.0 255.255.255.0 192.168.10.1
ip route 192.168.33.0 255.255.255.0 192.168.10.1
ip http server
no ip http secure-server
!
ip flow-export version 5
ip flow-export destination 172.31.0.110 2048
!
ip dns server
!
access-list 10 permit 192.168.33.91
access-list 10 permit 192.168.33.90
access-list 100 permit ip 192.168.0.0 0.0.255.255 any
!
! Policy routing on Tunnel0: packets sourced from 192.168.0.0/16 (ACL 100) are sent to the
! firewall at 192.168.10.1 instead of following the normal routing table lookup
route-map VPN-INTERNET permit 10
 match ip address 100
 set ip next-hop 192.168.10.1
!
snmp-server group readonly v3 auth match exact read readview
snmp-server view readview iso included
!
control-plane
!


SPOKE1 router configuration:

!
boot-start-marker
boot-end-marker
!
aaa new-model
!
aaa session-id common
ip cef
!
multilink bundle-name authenticated
crypto pki token default removal timeout 0
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key xxxx address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set trans2 esp-des esp-md5-hmac
!
crypto ipsec profile vpnprof
 set transform-set trans2
!
archive
 log config
  hidekeys
!
ip ssh time-out 60
!
! Spoke tunnel: static NHRP mapping to the hub (x.x.x.26 is the hub's public address)
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 ip mtu 1400
 ip nhrp authentication 1p2@3s4s
 ip nhrp map 10.0.0.1 x.x.x.26
 ip nhrp network-id 100000
 ip nhrp holdtime 300
 ip nhrp nhs 10.0.0.1
 ip nhrp redirect
 delay 1000
 tunnel source FastEthernet0/0
 tunnel destination x.x.x.26
 tunnel key 100000
 tunnel protection ipsec profile vpnprof
!
interface FastEthernet0/0
 ip address 192.168.1.201 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.61.1 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0/0
 no ip address
 shutdown
 clock rate 2000000
!
router eigrp 1
 redistribute static
 network 10.0.0.0 0.0.0.255
 network 192.168.61.0
 auto-summary
!
! Only a host route towards the hub's public address; there is no default route on this spoke
ip route 83.111.201.26 255.255.255.255 192.168.1.1
!
no ip http server
no ip http secure-server
!
control-plane
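Before chasing the routing itself it is worth checking the two posted configs mechanically. The script below is an added example, not code from the thread or from Cisco: it parses abridged, re-indented copies of the hub and spoke configs above (the pre-shared key stays masked as xxxx and the hub's public address as x.x.x.26), verifies the tunnel parameters that must agree between hub and spoke, flags the wildcard pre-shared key and the DES/MD5 transform set, reports which side lacks a static default route, and tests whether the hub's VPN-INTERNET policy map would catch traffic sourced from the spoke LAN 192.168.61.0/24. The finding texts and the suggested replacement transform set are mine; the checker says nothing about where the poster's routing actually breaks.

```python
"""DMVPN hub/spoke config consistency check: added example, not code from the thread or Cisco.
The configs below are abridged copies of the ones posted above, re-indented the way IOS prints
them (sub-commands indented by one space); the PSK and the hub's public address stay masked."""
import ipaddress
import re

HUB_CFG = """\
crypto isakmp key xxxx address 0.0.0.0 0.0.0.0
crypto ipsec transform-set trans2 esp-des esp-md5-hmac
interface Tunnel0
 ip mtu 1400
 ip nhrp authentication 1p2@3s4s
 ip nhrp network-id 100000
 ip policy route-map VPN-INTERNET
 tunnel key 100000
ip route 0.0.0.0 0.0.0.0 83.111.201.25
access-list 100 permit ip 192.168.0.0 0.0.255.255 any
route-map VPN-INTERNET permit 10
 match ip address 100
 set ip next-hop 192.168.10.1
"""

SPOKE_CFG = """\
crypto isakmp key xxxx address 0.0.0.0 0.0.0.0
crypto ipsec transform-set trans2 esp-des esp-md5-hmac
interface Tunnel0
 ip mtu 1400
 ip nhrp authentication 1p2@3s4s
 ip nhrp network-id 100000
 tunnel source FastEthernet0/0
 tunnel key 100000
interface FastEthernet0/0
 ip address 192.168.1.201 255.255.255.0
interface FastEthernet0/1
 ip address 192.168.61.1 255.255.255.0
ip route 83.111.201.26 255.255.255.255 192.168.1.1
"""

WEAK = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}
MUST_MATCH = ("tunnel key", "ip nhrp network-id", "ip nhrp authentication", "ip mtu")

def parse_ios(text):
    """Return {top-level line: [sub-commands]}; blank lines and '!' separators are skipped."""
    blocks, cur = {}, None
    for raw in (l for l in text.splitlines() if l.strip() and not l.lstrip().startswith("!")):
        if raw.startswith(" "):
            blocks[cur].append(raw.strip())
        else:
            cur = raw.strip()
            blocks.setdefault(cur, [])
    return blocks

def first(lines, prefix):
    """Argument of the first line that starts with prefix, or None."""
    return next((l[len(prefix):].strip() for l in lines if l.startswith(prefix + " ")), None)

def tunnel(blocks):
    return next(v for k, v in blocks.items() if k.startswith("interface Tunnel"))

def wildcard_to_network(addr, wild):
    """An IOS wildcard mask (0.0.255.255) is the bitwise inverse of the netmask."""
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild)))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def lan_networks(blocks):
    """Subnets behind the router: every addressed interface except the tunnel and its transport."""
    skip = ("interface Tunnel", f"interface {first(tunnel(blocks), 'tunnel source')}")
    return [ipaddress.ip_interface(first(lines, "ip address").replace(" ", "/")).network
            for key, lines in blocks.items()
            if key.startswith("interface ") and not key.startswith(skip) and first(lines, "ip address")]

def pbr_coverage(hub, lan_nets):
    """Would the policy map on the hub's tunnel catch traffic sourced from each spoke LAN?"""
    rm = first(tunnel(hub), "ip policy route-map")
    if rm is None:
        return ["INFO hub: no policy route-map on the tunnel interface"]
    rm_lines = next(v for k, v in hub.items() if k.startswith(f"route-map {rm} "))
    acl, nh = first(rm_lines, "match ip address"), first(rm_lines, "set ip next-hop")
    acl_nets = [wildcard_to_network(*m.groups()) for k in hub
                if (m := re.match(rf"access-list {acl} permit ip (\S+) (\S+) any$", k))]
    out = []
    for lan in lan_nets:
        hit = [n for n in acl_nets if lan.subnet_of(n)]
        out.append(f"OK hub: {lan} matches ACL {acl} entry {hit[0]}, policy-routed to {nh}" if hit
                   else f"GAP hub: {lan} is not matched by ACL {acl}; it follows the normal RIB lookup")
    return out

def check_dmvpn(hub_text, spoke_text):
    hub, spoke = parse_ios(hub_text), parse_ios(spoke_text)
    out = []
    for p in MUST_MATCH:  # GRE/NHRP between hub and spoke will not come up if these differ
        h, s = first(tunnel(hub), p), first(tunnel(spoke), p)
        if h != s:
            out.append(f"MISMATCH {p}: hub={h!r} spoke={s!r}")
    for name, blocks in (("hub", hub), ("spoke", spoke)):
        for key in blocks:
            if key.startswith("crypto ipsec transform-set") and WEAK & set(key.split()):
                out.append(f"WEAK {name}: '{key}' (use esp-aes 256 esp-sha256-hmac instead of DES/MD5)")
            elif key.startswith("crypto isakmp key") and key.endswith(" address 0.0.0.0 0.0.0.0"):
                out.append(f"RISK {name}: wildcard pre-shared key, any address that knows it can negotiate")
        if not any(k.startswith("ip route 0.0.0.0 0.0.0.0") for k in blocks):
            out.append(f"INFO {name}: no static default route; internet-bound traffic needs a learned one")
    out.extend(pbr_coverage(hub, lan_networks(spoke)))
    return out

if __name__ == "__main__":
    print("\n".join(check_dmvpn(HUB_CFG, SPOKE_CFG)))
```

Run against the two configs as posted, the checker reports no tunnel mismatches, the wildcard PSK and DES/MD5 transform set on both routers, the missing static default route on the spoke, and that 192.168.61.0/24 is inside ACL 100's 192.168.0.0/16 and so would be handed to 192.168.10.1 once it reaches the hub's Tunnel0. To reuse it on real devices, paste "show running-config" output in place of the embedded strings; the parser relies on the one-space indentation IOS prints, which the forum stripped from the configs above.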

3 Replies

walter baziuk, Level 5

Hello:

I am having the same issue. I am speaking with my Cisco SE.

If I get a response before you do, I will post it.

Here is what he suggests first:

First, disable split-horizon for EIGRP ("no ip split-horizon eigrp 90")
- If this doesn't magically solve the problem, take a look at the following document:
 http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008014bcd7.shtml
- If it still doesn't work, send us the output of the following debug commands:
   - debug crypto ipsec
   - debug crypto engine
   - debug crypto isakmp

This is my current situation:

From work I can connect to the hub and the spoke. The only addresses I can connect to the spoke with are its tunnel address, the local subnet and the loopback, and no others. There are connected devices, but they are not accessible from the HUB or the spoke.

If I try to traceroute or ping a connected device from the SPOKE (src = subnet or LB) it fails. However, a user connected to the spoke site can ping and traceroute the local subnet i/f or the spoke LB address. One-way connectivity? Is traffic not leaving, or is there no known return path?

I need to run EIGRP so that the spokes can see the HUB devices and potentially talk spoke to spoke.

The GRE tunnels are up.

EIGRP is passing updates; the routing tables look fine.

I was testing to see if the spoke can get to Google.

Its IP address is used as I have no DNS enabled.

Google can be reached from the HUB, but not the spoke.

All spoke traffic must use the tunnel and NOT the local WAN interface, i.e. I do not want any Internet-destined traffic to connect to the Internet directly. It needs to go to the HUB first.

The HUB will forward all traffic it has not learned about from EIGRP directly to the WAN interface (which goes to the Internet). All learned traffic is either local or at one of the spokes.

Cheers

Here are configs that work for me:

HUB

interface Tunnel0
 description $FW_OUTSIDE$
 bandwidth 20000
 ip address a.b.2.100 255.255.255.0
 no ip redirects
 no ip unreachables
 ip mtu 1400
 ip pim sparse-mode
 no ip split-horizon eigrp 100
 ip flow ingress
 ip nhrp authentication PROJECT-N
 ip nhrp map multicast dynamic
 ip nhrp map group PROJECT-pol service-policy output PROJECT-pol-parent
 ip nhrp network-id 9911
 ip nhrp holdtime 900
 ip nhrp registration timeout 120
 ip tcp adjust-mss 1360
 load-interval 30
 delay 100
 tunnel source GigabitEthernet0/2/0
 tunnel mode gre multipoint
 tunnel key 1357248
 tunnel protection ipsec profile xxx_Profile
!
router eigrp 100
 ! the tunnel
 network a.b.2.0 0.0.0.255
 ! the lan side
 network x.y.100.16 0.0.0.15
!
ip route 0.0.0.0 0.0.0.0
! absorb all non-used subnets from being advertised
ip route x.y.0.0 255.0.0.0 Null0

=======================

Spoke

interface Tunnel0
 bandwidth 20000
 ip address a.b.2.111 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip pim sparse-mode
 ! may need to remove this line
 no ip split-horizon eigrp 100
 ip nhrp authentication PROJECT-N
 ip nhrp map a.b.2.100
 ip nhrp map multicast
 ip nhrp map group PROJECT-pol service-policy output PROJECT-pol-parent
 ip nhrp network-id 9911
 ip nhrp holdtime 900
 ip nhrp nhs a.b.2.100
 ip nhrp registration no-unique
 ip nhrp registration timeout 120
 ip tcp adjust-mss 1360
 load-interval 30
 delay 100
 if-state nhrp
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1357248
 tunnel protection ipsec profile xxx_Profile
!
router eigrp 100
 network a.b.2.0 0.0.0.255
 network x.y.111.16 0.0.0.15
 eigrp stub connected summary
 no eigrp log-neighbor-changes
!
ip route 0.0.0.0 0.0.0.0
! absorb all non-used subnets from being advertised
ip route x.y.0.0 255.0.0.0 Null0
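A toy model of why the SE's first suggestion matters on a DMVPN hub. This is an added example, not code from the reply or from Cisco: it simulates the hub's EIGRP advertisement out its single multipoint Tunnel0 with split horizon on (the IOS default) and off, and also shows the next-hop-self effect, which the reply does not discuss. The hub LAN 192.168.10.0/24, spoke1 LAN 192.168.61.0/24 and the tunnel addresses 10.0.0.1/10.0.0.2 are taken from the original post; spoke2 and its addresses are constructed. It models route propagation only, not EIGRP metrics, the stub setting or NHRP registration.

```python
"""EIGRP split horizon on a multipoint DMVPN tunnel, as a toy distance-vector model.
Added example, not from the thread or Cisco. The hub LAN, spoke1 LAN and the tunnel
addresses 10.0.0.1/10.0.0.2 come from the original post; spoke2 is constructed."""

HUB_TUNNEL_IP = "10.0.0.1"
HUB_LAN = "192.168.10.0/24"
SPOKES = {"spoke1": ("10.0.0.2", "192.168.61.0/24"),   # from the post
          "spoke2": ("10.0.0.3", "192.168.62.0/24")}   # constructed second spoke


def hub_rib(spokes):
    """Hub routing table as {prefix: (next_hop, learned_on)}.
    The hub LAN is connected; every spoke LAN arrives over the same Tunnel0 interface."""
    rib = {HUB_LAN: (None, "GigabitEthernet0/1")}
    for tunnel_ip, lan in spokes.values():
        rib[lan] = (tunnel_ip, "Tunnel0")
    return rib


def hub_update(rib, out_iface, split_horizon=True, next_hop_self=True):
    """Routes the hub advertises out out_iface, as {prefix: next_hop}.

    split_horizon (the IOS default) suppresses every route learned on out_iface itself;
    on a multipoint tunnel that is every other spoke's LAN, so spokes never hear about
    each other. next_hop_self (also the default) rewrites the next hop to the hub's own
    tunnel address, so spoke-to-spoke traffic hairpins through the hub unless
    'no ip next-hop-self eigrp <as>' is configured (the DMVPN phase 2 pattern)."""
    update = {}
    for prefix, (next_hop, learned_on) in rib.items():
        if split_horizon and learned_on == out_iface:
            continue
        update[prefix] = HUB_TUNNEL_IP if next_hop_self or next_hop is None else next_hop
    return update


def spoke_table(name, spokes=SPOKES, **flags):
    """What a spoke ends up with: its connected LAN plus whatever the hub sent it.
    A reflected copy of its own LAN loses to the connected route, so it is ignored."""
    update = hub_update(hub_rib(spokes), "Tunnel0", **flags)
    _, lan = spokes[name]
    table = {lan: "connected"}
    table.update((p, nh) for p, nh in update.items() if p != lan)
    return table


def can_reach(src, prefix, **flags):
    """Next hop src uses for prefix, or None when it has no route (the packet is dropped)."""
    return spoke_table(src, **flags).get(prefix)


if __name__ == "__main__":
    for flags in ({}, {"split_horizon": False}, {"split_horizon": False, "next_hop_self": False}):
        print(flags or "IOS defaults", "->", spoke_table("spoke2", **flags))
```

With the defaults, spoke2 learns only the hub LAN and has no route at all to spoke1's 192.168.61.0/24; with split horizon off it learns that prefix with the hub as next hop, and only with next-hop-self also off does the advertised next hop become spoke1's own tunnel address. Which of the latter two you want depends on the DMVPN phase: phase 3 (the "ip nhrp redirect" on the original spoke, plus "ip nhrp shortcut") keeps the hub as next hop and lets NHRP install the spoke-to-spoke shortcut instead.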
