DMVPN HUB router behind NAT

Mike Buyarski
Level 3

We are getting new SIP trunks put in, and in order for the provider to put them in, the provider put in a router to control all web traffic so they can QoS the voice. That means our VPN routers will go behind the NAT barrier. But when I switched the router's interface to the NATed address, the DMVPN tunnels would not build. There is a NAT translation to the routers, so the external (routable) IP did not change. The IPsec tunnels did come up just fine; just the few DMVPN-connected tunnels did not.

If I issue a "sh dmvpn", the Peer NBMA Addr shows up as 0.0.0.0 while the Peer Tunnel Addr is what it should be; also the Attrb is "X".

The tunnel source I have set to the interface, and the key is set to "crypto isakmp key "my key" address 0.0.0.0 0.0.0.0 no-xauth".

I am at a loss as to why this was not working. Keep in mind this is the HUB router and not the spoke.

4 Replies

Mike Buyarski
Level 3

Here is some additional info to help.

Hub config:

interface Tunnel0
 bandwidth 512
 ip address "hubtunnelIP" 255.255.255.0
 no ip redirects
 ip nhrp authentication "XXX"
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel protection ipsec profile net1

crypto isakmp key "My Key" address 0.0.0.0 0.0.0.0 no-xauth

crypto ipsec transform-set "mytransformset" esp-des esp-md5-hmac
 mode transport

crypto ipsec profile net1
 set transform-set "mytransformset"

Spoke config:

crypto isakmp key "My Key" address "Remote IP" "remote SM" no-xauth

crypto ipsec transform-set "mytransformset" esp-des esp-md5-hmac
 mode tunnel
crypto ipsec nat-transparency spi-matching

crypto ipsec profile net1
 set transform-set "mytransformset"

interface Tunnel0
 bandwidth 512
 ip address "spoketunnelIP" 255.255.255.0
 no ip redirects
 ip nhrp authentication "XXX"
 ip nhrp map multicast "Remote IP"
 ip nhrp map "hubtunnelIP" "Remote IP"
 ip nhrp network-id 1
 ip nhrp nhs "hubtunnelIP"
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel protection ipsec profile net1 shared

Hi Mike,

I am experiencing trouble when configuring a DMVPN hub behind NAT. Have you found any solution yet?

Thanks.

Yes, I had to work with TAC after I was able to convince my manager to get SmartNet on the routers.

This is what we did:

Removed from the hub:

"crypto isakmp key  "My Key" address 0.0.0.0 0.0.0.0 no-xauth"

Added:

crypto keyring dmvpn-tun0
 pre-shared-key address 0.0.0.0 0.0.0.0 key "My Key"

crypto isakmp profile dmvpn-tun0
 keyring dmvpn-tun0
 match identity address 0.0.0.0
 local-address GigabitEthernet0/1

crypto ipsec nat-transparency udp-encapsulation

(This is a hidden command in the running config; you also have to make sure the mode is transport.)

crypto ipsec profile net1
 set transform-set trans
 set isakmp-profile dmvpn-tun0


And then on the spoke I had to add:

crypto ipsec nat-transparency udp-encapsulation

(Again, hidden in the running config, and make sure the mode is transport.)


Then it connected. Of course, if you have any IPsec tunnels, they will either have to be converted to a DMVPN tunnel or you have to add keyrings for each IPsec tunnel; this is because the keyrings take precedence over the crypto isakmp keys.
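
The hub's working configuration is split across the two posts above (the Tunnel0 and transform-set lines in the first, the keyring, ISAKMP profile and NAT-T lines in the fix), and the fix post references a transform set named "trans" that is not shown. The following is an added example, not from the thread and not Cisco's own documentation, that puts both sides together as one hub-behind-static-NAT DMVPN configuration following what the TAC fix changed. Assumptions: quoted names ("hubtunnelIP", "spoketunnelIP", "Remote IP", "remote SM", "XXX", "My Key") are placeholders exactly as in the thread and must be replaced with real values without the quotes; the NAT device in front of the hub is a static 1:1 translation to the hub's GigabitEthernet0/1 address, as the question describes; the transform set is named TS-DMVPN here and uses esp-aes 256 / esp-sha256-hmac instead of the thread's esp-des / esp-md5-hmac, because DES and MD5 are deprecated for IPsec; the spoke's "crypto ipsec nat-transparency spi-matching" line is left out because the fix post does not rely on it. Note the wildcard pre-shared key (address 0.0.0.0 0.0.0.0): any peer that knows the key can complete IKE with the hub, so the key must be long and random, and certificates are the better choice once the spoke count grows.

```ios
! ---------------- HUB ----------------
! Gi0/1 carries the private address; the NAT device maps the public "Remote IP" to it 1:1.
crypto keyring dmvpn-tun0
 pre-shared-key address 0.0.0.0 0.0.0.0 key "My Key"
!
crypto isakmp profile dmvpn-tun0
 keyring dmvpn-tun0
 match identity address 0.0.0.0
 local-address GigabitEthernet0/1
!
! NAT-T. This is the default and is therefore not displayed in the running config;
! entering it explicitly makes sure it has not been turned off.
crypto ipsec nat-transparency udp-encapsulation
!
! Transport mode: GRE already supplies the outer header, and the fix post requires
! transport on both ends. Cipher suite changed from the thread's esp-des esp-md5-hmac.
crypto ipsec transform-set TS-DMVPN esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile net1
 set transform-set TS-DMVPN
 set isakmp-profile dmvpn-tun0
!
interface Tunnel0
 bandwidth 512
 ip address "hubtunnelIP" 255.255.255.0
 no ip redirects
 ip nhrp authentication "XXX"
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel protection ipsec profile net1
!
! ---------------- SPOKE ----------------
! The spoke still points at the hub's public (NATed) address, which did not change.
crypto isakmp key "My Key" address "Remote IP" "remote SM" no-xauth
!
crypto ipsec nat-transparency udp-encapsulation
!
crypto ipsec transform-set TS-DMVPN esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile net1
 set transform-set TS-DMVPN
!
interface Tunnel0
 bandwidth 512
 ip address "spoketunnelIP" 255.255.255.0
 no ip redirects
 ip nhrp authentication "XXX"
 ip nhrp map "hubtunnelIP" "Remote IP"
 ip nhrp map multicast "Remote IP"
 ip nhrp network-id 1
 ip nhrp nhs "hubtunnelIP"
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel protection ipsec profile net1 shared
```

Two checks after applying it. The NAT device only has to pass UDP/500 and UDP/4500 to the hub: with NAT-T negotiated, ESP rides inside UDP/4500, so IP protocol 50 does not need its own forwarding rule. On either router, "show crypto ipsec sa" should then report the SA with "in use settings ={Transport UDP-Encaps, }", and "show dmvpn" on the hub should list each spoke with its real NBMA address and Attrb "D" (dynamic). In the "show dmvpn" legend, the "X" the question reports means "No Socket", i.e. NHRP learned the peer but no IPsec SA was ever bound to it, which is exactly what a failed IKE/IPsec negotiation behind NAT looks like.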

Thank you very much, Mike. I was finally able to bring up my tunnel with your support.