11-11-2014 06:44 PM - edited 02-21-2020 07:55 PM
We are getting new SIP trunks put in, and in order to put them in the provider installed a router to control all web traffic so they can QoS the voice. That means our VPN routers will go behind the NAT barrier. But when I switched the router's interface to the NATted address, the DMVPN tunnels would not build. There is a NAT translation to the routers, so the external (routable) IP did not change. The IPsec tunnels did come up just fine; just the few DMVPN-connected tunnels did not.
If I issue a "sh DMVPN", the Peer NBMA Addr shows up as 0.0.0.0 while the Peer Tunnel Addr is what it should be; also the Attrb is "X".
Tunnel source I have set to the interface, and the key is set to "crypto isakmp key "my key" address 0.0.0.0 0.0.0.0 no-xauth".
I am at a loss as to why this is not working. Keep in mind this is the HUB router and not the spoke.
11-12-2014 07:04 AM
Here is some additional info to help.
Hub config:
interface Tunnel0
 bandwidth 512
 ip address "hubtunnelIP" 255.255.255.0
 no ip redirects
 ip nhrp authentication "XXX"
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel protection ipsec profile net1
crypto isakmp key "My Key" address 0.0.0.0 0.0.0.0 no-xauth
crypto ipsec transform-set "mytransformset" esp-des esp-md5-hmac
 mode transport
crypto ipsec profile net1
 set transform-set "mytransformset"
Spoke config:
crypto isakmp key "My Key" address "Remote IP" "remote SM" no-xauth
crypto ipsec transform-set "mytransformset" esp-des esp-md5-hmac
 mode tunnel
crypto ipsec nat-transparency spi-matching
crypto ipsec profile net1
 set transform-set "mytransformset"
interface Tunnel0
 bandwidth 512
 ip address "spoketunnelIP" 255.255.255.0
 no ip redirects
 ip nhrp authentication "XXX"
 ip nhrp map multicast "Remote IP"
 ip nhrp map "hubtunnelIP" "Remote IP"
 ip nhrp network-id 1
 ip nhrp nhs "hubtunnelIP"
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel protection ipsec profile net1 shared
01-07-2015 02:23 AM
Hi Mike,
I am experiencing trouble when configuring a DMVPN hub behind NAT. Have you found any solution yet?
Thanks.
01-07-2015 08:01 AM
Yes, I had to work with TAC after I was able to convince my manager to get SmartNet on the routers.
This is what we did:
Removed from the hub:
crypto isakmp key "My Key" address 0.0.0.0 0.0.0.0 no-xauth
Added:
crypto keyring dmvpn-tun0
 pre-shared-key address 0.0.0.0 0.0.0.0 key "My Key"
crypto isakmp profile dmvpn-tun0
 keyring dmvpn-tun0
 match identity address 0.0.0.0
 local-address GigabitEthernet0/1
cry ipsec nat-transparency udp-encapsulation
(This is a hidden command in the running config; also have to make sure the mode is transport.)
crypto ipsec profile net1
 set transform-set trans
 set isakmp-profile dmvpn-tun0
And then on the spoke I had to add:
cry ipsec nat-transparency udp-encapsulation
(Again hidden in the running config, and making sure the mode is transport.)
Then it connected. Of course, if you have any IPsec tunnels they will either have to be converted to DMVPN tunnels or you add keyrings for each IPsec tunnel; this is because the keyrings take precedence over the crypto isakmp keys.
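The fix above amounts to a checklist (transport mode on the transform-set, NAT-T written explicitly, an ISAKMP profile with a keyring bound to the IPsec profile, and no stray global isakmp key once keyrings exist). As an added example that is not part of this thread, the Python below parses an IOS-style config and reports which of those items are missing; the two sample configs are constructed and trimmed to just the lines the audit looks at, and the audit treats an unwritten NAT-T line as a finding because, as noted above, the default is hidden in the running config.

```python
# Constructed sample configs (not from the thread): the hub roughly as first posted, then after the fix.
BROKEN_HUB = """
crypto ipsec transform-set mytransfromset esp-aes 256 esp-sha-hmac
crypto ipsec profile net1
 set transform-set mytransformset
"""
FIXED_HUB = """
crypto keyring dmvpn-tun0
 pre-shared-key address 0.0.0.0 0.0.0.0 key MyKey
crypto isakmp profile dmvpn-tun0
 keyring dmvpn-tun0
 match identity address 0.0.0.0
crypto ipsec nat-transparency udp-encapsulation
crypto ipsec transform-set trans esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile net1
 set transform-set trans
 set isakmp-profile dmvpn-tun0
"""
def parse_ios(cfg):  # group an IOS config into {top-level command: [indented sub-commands]}
    blocks, current = {}, None
    for line in (l.rstrip() for l in cfg.splitlines() if l.strip() and l.strip() != "!"):
        if line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = line.strip()
            blocks.setdefault(current, [])
    return blocks
def named(blocks, prefix):  # name -> sub-commands for every block that starts with prefix
    return {c[len(prefix):].split()[0]: s for c, s in blocks.items() if c.startswith(prefix)}
def arg(subs, prefix):  # last word of the first sub-command starting with prefix, else None
    return next((s.split()[-1] for s in subs if s.startswith(prefix)), None)
def audit_dmvpn_nat(cfg):  # findings against the thread's hub-behind-NAT checklist; [] means clean
    b = parse_ios(cfg)
    tsets, keyrings = named(b, "crypto ipsec transform-set "), named(b, "crypto keyring ")
    ike, profiles = named(b, "crypto isakmp profile "), named(b, "crypto ipsec profile ")
    out = [f"transform-set {n}: needs 'mode transport'" for n, s in tsets.items() if "mode transport" not in s]
    if "crypto ipsec nat-transparency udp-encapsulation" not in b:  # hidden when default, so require it written
        out.append("add 'crypto ipsec nat-transparency udp-encapsulation' on hub and spoke")
    for n, s in profiles.items():
        if arg(s, "set transform-set ") not in tsets:
            out.append(f"ipsec profile {n}: 'set transform-set' names an undefined transform-set")
        p = arg(s, "set isakmp-profile ")
        if p not in ike:
            out.append(f"ipsec profile {n}: no 'set isakmp-profile' pointing at a defined isakmp profile")
        elif arg(ike[p], "keyring ") not in keyrings:
            out.append(f"isakmp profile {p}: keyring missing or undefined")
    if keyrings and any(c.startswith("crypto isakmp key ") for c in b):
        out.append("global 'crypto isakmp key' still present; keyrings take precedence over it")
    return out
```

Run `audit_dmvpn_nat(open("show-run.txt").read())` on a saved `show running-config` to get the list of findings; the misspelled transform-set name in the sample is caught as an undefined reference.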
01-08-2015 05:33 PM
Thank you very much, Mike. I finally could bring up my tunnel with your support.