cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Cisco Community Designated VIP Class of 2020

1070
Views
15
Helpful
5
Replies
Contributor

Unable to ping other side of DMVPN Tunnel

I am doing a lab and the Tunnel is UP/UP, however I can't ping the other end of the tunnel. Here are my configs.

 

Hub Rt:

crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto ipsec transform-set strong esp-3des esp-md5-hmac
!
crypto ipsec profile cisco
set security-association lifetime seconds 120
set transform-set strong


interface Tunnel0
ip address 192.168.1.1 255.255.255.0
no ip redirects
ip mtu 1440
ip nhrp authentication cisco123
ip nhrp map multicast dynamic
ip nhrp network-id 1
no ip split-horizon eigrp 90
no ip next-hop-self eigrp 90
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 0
tunnel protection ipsec profile cisco

------------------------------------

Spoke Rt.

crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto ipsec transform-set strong esp-3des esp-md5-hmac
!
crypto ipsec profile cisco
set security-association lifetime seconds 120
set transform-set strong


interface Tunnel0
ip address 192.168.1.2 255.255.255.0
no ip redirects
ip mtu 1440
ip nhrp authentication cisco123
ip nhrp map multicast dynamic
ip nhrp map 192.168.1.1 209.168.202.225
ip nhrp map multicast 209.168.202.225
ip nhrp network-id 1
ip nhrp nhs 192.168.1.1
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 0
tunnel protection ipsec profile cisco

 

 

 

 

 

 

 

5 REPLIES 5
VIP Mentor

Re: Unable to ping other side of DMVPN Tunnel

Hello,

 

the partial configs look ok. Do you have static routes in place, and EIGRP advertising the tunnels and any possible local networks ?

 

Hub Rt:

crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto ipsec transform-set strong esp-3des esp-md5-hmac
!
crypto ipsec profile cisco
set security-association lifetime seconds 120
set transform-set strong


interface Tunnel0
ip address 192.168.1.1 255.255.255.0
no ip redirects
ip mtu 1440
ip nhrp authentication cisco123
ip nhrp map multicast dynamic
ip nhrp network-id 1
no ip split-horizon eigrp 90
no ip next-hop-self eigrp 90
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 0
tunnel protection ipsec profile cisco

!

interface FastEthernet0/0
ip address 209.168.202.225 255.255.255.0

!

interface FastEthernet0/1
ip address 1.1.1.1 255.255.255.0

!

router eigrp 90
network 1.1.1.0 0.0.0.255
network 192.168.1.0
no auto-summary

!

ip route 0.0.0.0 0.0.0.0 209.168.202.226

------------------------------------

Spoke Rt.

crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto ipsec transform-set strong esp-3des esp-md5-hmac
!
crypto ipsec profile cisco
set security-association lifetime seconds 120
set transform-set strong


interface Tunnel0
ip address 192.168.1.2 255.255.255.0
no ip redirects
ip mtu 1440
ip nhrp authentication cisco123
ip nhrp map multicast dynamic
ip nhrp map 192.168.1.1 209.168.202.225
ip nhrp map multicast 209.168.202.225
ip nhrp network-id 1
ip nhrp nhs 192.168.1.1
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 0
tunnel protection ipsec profile cisco

!

interface FastEthernet0/0
ip address 209.168.202.226 255.255.255.0

!

interface FastEthernet0/1
ip address 2.2.2.1 255.255.255.0

!

router eigrp 90
network 2.2.2.0 0.0.0.255
network 192.168.1.0
no auto-summary

!

ip route 0.0.0.0 0.0.0.0 209.168.202.225

Contributor

Re: Unable to ping other side of DMVPN Tunnel

I re-did everything over pretty much exactly the same but I believe I was pointing to the wrong physically interface at first so everything works now. Yes I am using EIGRP.
On another related note, I am seeing very different configurations for configuring other spoke routers to be added to a DMVPN network. If I want to add another spoke router to this hub DMVPN router, do I create an additional tunnel the same as I did on this hub and spoke routers? Any information would be helpful.
VIP Mentor

Re: Unable to ping other side of DMVPN Tunnel

Hello,

 

yes, basically any new spoke would have a similar config except for (obviously) the IP addresses. Keep in mind there are three different DMVPN phases, that might explain why you see different configurations...

 

Beginner

Re: Unable to ping other side of DMVPN Tunnel

Hello!

Without IPSEC profile on Tunnel interface, ping succesful? 

 

Highlighted
Contributor

Re: Unable to ping other side of DMVPN Tunnel

no I still can't. What else do you think I should check?
CreatePlease to create content
Content for Community-Ad