06-06-2011 12:33 AM - edited 02-21-2020 05:23 PM
Dear Colleagues,
I have a router where ipsec connections to several other points have been configured. Now I need to configure a DMVPN structure where this router should be a spoke. Its external interface address is x.x.x.x. The address of one of the actual VPN peers is y.y.y.y. The address of the new DMVPN hub is q.q.q.q.
I have configured the following.
--------------------------------------
crypto map MYMAP 1 ipsec-isakmp
 set peer y.y.y.y
 set security-association idle-time 800
 set transform-set ESP-3DES-SHA
 match address 101
!
interface Tunnel3
 bandwidth 2000
 ip address 10.1.0.2 255.255.255.0
 ip mtu 1400
 ip nhrp authentication passw
 ip nhrp map 10.1.0.1 q.q.q.q
 ip nhrp map multicast q.q.q.q
 ip nhrp network-id 3
 ip nhrp holdtime 450
 ip nhrp nhs 10.1.0.1
 ip tcp adjust-mss 1360
 ip ospf network broadcast
 shutdown
 tunnel source FastEthernet0/0
 tunnel destination q.q.q.q
 tunnel protection ipsec profile DEFAULT_IPSEC_PROFILE
!
interface FastEthernet0/0
 ip address x.x.x.x 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map MYMAP
!
access-list 101 permit ip 192.168.74.128 0.0.0.127 192.168.72.0 0.0.1.255
-----------------------------------------------
After I did "no shutdown" on Tunnel3, the DMVPN connection with q.q.q.q was successfully established. But the old IPsec connections, including the one with y.y.y.y, broke down.
----------------------------------------------
CiscoNSK(config-if)#no shutdown
*Jun 3 13:54:48.241: ISAKMP (1059): received packet from y.y.y.y dport 500 sport 500 Global (R) QM_IDLE
*Jun 3 13:54:48.241: ISAKMP: set new node 680641784 to QM_IDLE
*Jun 3 13:54:48.241: ISAKMP:(1059): processing HASH payload. message ID = 680641784
*Jun 3 13:54:48.241: ISAKMP:(1059): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = 680641784, sa = 65FB08A0
*Jun 3 13:54:48.241: ISAKMP:(1059):deleting node 680641784 error FALSE reason "Informational (in) state 1"
*Jun 3 13:54:48.241: ISAKMP:(1059):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Jun 3 13:54:48.241: ISAKMP:(1059):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Jun 3 13:54:48.245: ISAKMP:(1059):DPD/R_U_THERE received from peer y.y.y.y, sequence 0xA21FE2
*Jun 3 13:54:48.245: ISAKMP: set new node 416677855 to QM_IDLE
*Jun 3 13:54:48.245: ISAKMP:(1059):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 1702230736, message ID = 416677855
*Jun 3 13:54:48.245: ISAKMP:(1059): seq. no 0xA21FE2
*Jun 3 13:54:48.245: ISAKMP:(1059): sending packet to 195.98.68.177 my_port 500 peer_port 500 (R) QM_IDLE
*Jun 3 13:54:48.245: ISAKMP:(1059):Sending an IKE IPv4 Packet.
*Jun 3 13:54:48.245: ISAKMP:(1059):purging node 416677855
*Jun 3 13:54:48.245: ISAKMP:(1059):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
------------------------------------------------
When I shut down Tunnel3, the connection with y.y.y.y is immediately restored.
Is there any way to make the ordinary VPN with a 'crypto map' and the VPN over an IPsec-protected GRE tunnel live together?
Thanks.
06-17-2011 06:32 AM
Hello Viktor,
Not sure if you tried this, but if I used a different source address for the tunnel, I could bring up both the regular crypto map and the DMVPN tunnel (I used a loopback as the tunnel source in my case):
interface Tunnel0
 ip address 1.1.1.2 255.255.255.0
 ip mtu 1400
 ip nhrp authentication passwd
 ip nhrp map 1.1.1.1 10.0.2.2
 ip nhrp network-id 1000
 ip nhrp holdtime 600
 ip nhrp nhs 1.1.1.1
 tunnel source Loopback10
 tunnel destination 10.0.2.2
 tunnel protection ipsec profile fsmipsecprofile
I could not find another way.
Warm Regards,
Rose
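Added example, not part of either post above: a small configuration check that flags the situation Viktor hit (a crypto map applied on the same interface that a `tunnel protection`-protected GRE tunnel uses as its source) and passes Rose's variant, where the tunnel is sourced from a loopback instead. The two sample configs are constructed from the snippets in this thread, trimmed to the relevant lines; the address on Loopback10 (10.0.1.2) is an assumption, since Rose's post does not show it, and the function names are mine.

```python
import re

# Constructed sample 1: Viktor's spoke. Tunnel3 is sourced from FastEthernet0/0,
# which also carries the crypto map MYMAP (placeholders kept as in the thread).
SPOKE_SAME_SOURCE = """\
crypto map MYMAP 1 ipsec-isakmp
 set peer y.y.y.y
 set transform-set ESP-3DES-SHA
 match address 101
interface Tunnel3
 ip address 10.1.0.2 255.255.255.0
 tunnel source FastEthernet0/0
 tunnel destination q.q.q.q
 tunnel protection ipsec profile DEFAULT_IPSEC_PROFILE
interface FastEthernet0/0
 ip address x.x.x.x 255.255.255.252
 crypto map MYMAP
"""

# Constructed sample 2: Rose's workaround. The tunnel is sourced from a loopback,
# so the crypto map on the physical interface is not in the same path.
# The loopback address is an assumption (not shown in the original post).
SPOKE_LOOPBACK_SOURCE = """\
interface Loopback10
 ip address 10.0.1.2 255.255.255.255
interface Tunnel0
 ip address 1.1.1.2 255.255.255.0
 tunnel source Loopback10
 tunnel destination 10.0.2.2
 tunnel protection ipsec profile fsmipsecprofile
interface FastEthernet0/0
 ip address x.x.x.x 255.255.255.252
 crypto map MYMAP
"""


def parse_interfaces(config):
    """Return {interface name: [sub-commands]} from IOS running-config text.

    Sub-commands are the lines indented by one space under an 'interface' line;
    other top-level stanzas (crypto map, access-list, ...) are skipped.
    """
    interfaces = {}
    current = None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if not line.startswith(" "):
            m = re.match(r"interface\s+(\S+)", line)
            current = m.group(1) if m else None
            if current:
                interfaces[current] = []
            continue
        if current:
            interfaces[current].append(line.strip())
    return interfaces


def find_crypto_conflicts(config):
    """Return (tunnel, source interface, crypto map name) for every tunnel that uses
    'tunnel protection ipsec' and is sourced from an interface carrying a crypto map.

    'tunnel source' may name an interface or an address; addresses are resolved to
    the interface that owns them.
    """
    interfaces = parse_interfaces(config)
    crypto_maps = {}   # interface -> crypto map name
    addr_to_if = {}    # primary address -> interface name
    for name, cmds in interfaces.items():
        for cmd in cmds:
            m = re.match(r"crypto map\s+(\S+)", cmd)
            if m:
                crypto_maps[name] = m.group(1)
            m = re.match(r"ip address\s+(\S+)\s+\S+", cmd)
            if m:
                addr_to_if.setdefault(m.group(1), name)

    conflicts = []
    for name, cmds in interfaces.items():
        if not name.startswith("Tunnel"):
            continue
        protected = any(c.startswith("tunnel protection ipsec") for c in cmds)
        source = None
        for cmd in cmds:
            m = re.match(r"tunnel source\s+(\S+)", cmd)
            if m:
                source = addr_to_if.get(m.group(1), m.group(1))
        if protected and source in crypto_maps:
            conflicts.append((name, source, crypto_maps[source]))
    return conflicts


if __name__ == "__main__":
    for label, cfg in (("same source", SPOKE_SAME_SOURCE),
                       ("loopback source", SPOKE_LOOPBACK_SOURCE)):
        print(label, find_crypto_conflicts(cfg))
```

Run against the first sample it reports Tunnel3 sourced from FastEthernet0/0 under crypto map MYMAP; against the second it reports nothing. One caveat before copying Rose's workaround onto an Internet-facing spoke like Viktor's: the loopback address has to be reachable from the hub, which is easy in a lab with private addressing but needs checking when the spoke's only public address is the /30 on FastEthernet0/0.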