Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1064
Views
5
Helpful
4
Replies

DMVPN and IPSEC using same interface

Mark Mattix
Level 2
Level 2

‎12-02-2014 11:26 AM - edited ‎02-21-2020 07:57 PM

Hello,

I'm using a DMVPN configuration to connect various remote sites. I would like to add a new Pepwave device that requires a point to point IPSec configuration. My question is, would I run into any problems by configuring a crypto map on the interface that my virtual tunnel for the DMVPN is sourcing from? I appreciate any help!  -Mark

 

interface Tunnel0 (DMVPN)
 ip address 192.168.1.1 255.255.255.0
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
!
interface GigabitEthernet0/0
 description DMVPN Outside
 ip address 192.168.2.2 255.255.255.0
crypto map cisco (Will this hurt to add?)
 duplex auto
 speed auto

Labels:
0 Helpful
4 Replies 4

Mark Mattix
Level 2
Level 2

‎12-02-2014 11:28 AM

BTW, I've set this up in a lab and all seemed to work well but just wanted opinions if this configuration is ok and if I could expect any issues in production from it. 

0 Helpful

SOcchiogrosso
Level 4
Level 4
In response to Mark Mattix

‎12-02-2014 01:18 PM

Just be careful with your encryption domain for the P2P Tunnel.

Remember P2P IPSec tunnels don't allow dynamic routing, so your scalability is limited.

 

Also there is an order of operations with packets moving through interfaces.

http://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/6209-5.html

 

-- CCNP, CCIP, CCDP, CCNA: Security/Wireless Blog: http://ccie-or-null.net/

Mark Mattix
Level 2
Level 2
In response to SOcchiogrosso

‎12-02-2014 01:54 PM

So as long as my encryption domain (the specific network I need to traverse the P2P tunnel), you think this configuration should be stable? I was just concerned because the tunnel0 is sourced from the gi0/0 interface. If my encryption domain instructs traffic to use the P2P will it bypass using the tunnel0? Only traffic the needs to traverse the tunnel 0 will use tunnel 0, right? Seeing the command, "tunnel source GigabitEthernet0/0" makes me think that any traffic leaving gi0/0 will try to use the tunnel, but is that incorrect to think? Thanks!!

0 Helpful

SOcchiogrosso
Level 4
Level 4
In response to Mark Mattix

‎12-02-2014 07:45 PM

Only traffic that is contained within the encryption domain will get encrypted.

 

The GRE tunnel will be from the Tunnel Source to the Tunnel Destination. Just keep that out of the encryption domain.

 

You could always try an use sub-interface to keep the traffic separate.

Or start creating loopbacks and sourcing the traffic from the loopback.

-- CCNP, CCIP, CCDP, CCNA: Security/Wireless Blog: http://ccie-or-null.net/
0 Helpful
Customers Also Viewed These Support Documents