Legacy VPN (with 'crypto map') vs DMVPN on the same outside interface

SuperVitya
Level 1

Dear Colleagues,

I have a router where IPsec connections to several other points have been configured. Now I need to configure a DMVPN structure where this router should be a spoke. Its external interface address is x.x.x.x. The address of one of the existing VPN peers is y.y.y.y. The address of the new DMVPN hub is q.q.q.q.

I have configured the following.

--------------------------------------
crypto map MYMAP 1 ipsec-isakmp
  set peer y.y.y.y
  set security-association idle-time 800
  set transform-set ESP-3DES-SHA
  match address 101
interface Tunnel3
  bandwidth 2000
  ip address 10.1.0.2 255.255.255.0
  ip mtu 1400
  ip nhrp authentication passw
  ip nhrp map 10.1.0.1 q.q.q.q
  ip nhrp map multicast q.q.q.q
  ip nhrp network-id 3
  ip nhrp holdtime 450
  ip nhrp nhs 10.1.0.1
  ip tcp adjust-mss 1360
  ip ospf network broadcast
  shutdown
  tunnel source FastEthernet0/0
  tunnel destination q.q.q.q
  tunnel protection ipsec profile DEFAULT_IPSEC_PROFILE
interface FastEthernet0/0
  ip address x.x.x.x 255.255.255.252
  ip nat outside
  ip virtual-reassembly
  duplex auto
  speed auto
  crypto map MYMAP
access-list 101 permit ip 192.168.74.128 0.0.0.127 192.168.72.0 0.0.1.255
-----------------------------------------------

After I did "no shutdown" on Tunnel3, the DMVPN connection with q.q.q.q was established successfully, but the old IPsec connections, including the one with y.y.y.y, broke down.

----------------------------------------------
CiscoNSK(config-if)#no shutdown
*Jun  3 13:54:48.241: ISAKMP (1059): received packet from y.y.y.y dport 500 sport 500 Global (R) QM_IDLE
*Jun  3 13:54:48.241: ISAKMP: set new node 680641784 to QM_IDLE
*Jun  3 13:54:48.241: ISAKMP:(1059): processing HASH payload. message ID = 680641784
*Jun  3 13:54:48.241: ISAKMP:(1059): processing NOTIFY DPD/R_U_THERE protocol 1
                spi 0, message ID = 680641784, sa = 65FB08A0
*Jun  3 13:54:48.241: ISAKMP:(1059):deleting node 680641784 error FALSE reason "Informational (in) state 1"
*Jun  3 13:54:48.241: ISAKMP:(1059):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Jun  3 13:54:48.241: ISAKMP:(1059):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
*Jun  3 13:54:48.245: ISAKMP:(1059):DPD/R_U_THERE received from peer y.y.y.y, sequence 0xA21FE2
*Jun  3 13:54:48.245: ISAKMP: set new node 416677855 to QM_IDLE
*Jun  3 13:54:48.245: ISAKMP:(1059):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
                spi 1702230736, message ID = 416677855
*Jun  3 13:54:48.245: ISAKMP:(1059): seq. no 0xA21FE2
*Jun  3 13:54:48.245: ISAKMP:(1059): sending packet to 195.98.68.177 my_port 500 peer_port 500 (R) QM_IDLE
*Jun  3 13:54:48.245: ISAKMP:(1059):Sending an IKE IPv4 Packet.
*Jun  3 13:54:48.245: ISAKMP:(1059):purging node 416677855
*Jun  3 13:54:48.245: ISAKMP:(1059):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
------------------------------------------------

When I shut down Tunnel3, the connection with y.y.y.y is immediately restored.

Is there any chance of making the ordinary VPN with a 'crypto map' and the VPN with an IPsec-protected GRE tunnel live together?

Thanks.

1 Reply

Rozsa Illes
Cisco Employee

Hello Viktor,

Not sure if you tried this, but if I used a different source address for the tunnel, I could bring up both the regular crypto map and the DMVPN tunnel (I used a loopback as the tunnel source in my case):

interface Tunnel0
 ip address 1.1.1.2 255.255.255.0
 ip mtu 1400
 ip nhrp authentication passwd
 ip nhrp map 1.1.1.1 10.0.2.2
 ip nhrp network-id 1000
 ip nhrp holdtime 600
 ip nhrp nhs 1.1.1.1
 tunnel source Loopback10
 tunnel destination 10.0.2.2
 tunnel protection ipsec profile fsmipsecprofile

I could not find another way.

Warm Regards,

Rose
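The pattern behind this thread, a 'crypto map' bound to a physical interface and a 'tunnel protection' tunnel sourced from that same interface, is easy to catch before a change window with a small configuration lint. The script below is an added example written for this page; it is not code from either poster or from Cisco. It uses a hand-written parser of IOS interface stanzas, two constructed configs built from the thread's placeholder addresses (the Loopback10 address 10.0.2.1 is an assumption, since the reply does not show it), and it also resolves a tunnel source given as an IP address back to the interface that owns it. It checks only the configuration pattern the thread describes, not IOS behaviour.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample reproducing the questioner's layout: crypto map MYMAP is
# on FastEthernet0/0 and Tunnel3 is sourced from that same interface.
CONFLICTING_CONFIG = """\
crypto map MYMAP 1 ipsec-isakmp
 set peer y.y.y.y
 set transform-set ESP-3DES-SHA
 match address 101
interface Tunnel3
 ip address 10.1.0.2 255.255.255.0
 ip nhrp nhs 10.1.0.1
 tunnel source FastEthernet0/0
 tunnel destination q.q.q.q
 tunnel protection ipsec profile DEFAULT_IPSEC_PROFILE
interface FastEthernet0/0
 ip address x.x.x.x 255.255.255.252
 crypto map MYMAP
"""

# Constructed sample of the reply's workaround: the tunnel is sourced from a
# loopback (address assumed), so crypto map and tunnel protection no longer
# share an interface.
LOOPBACK_CONFIG = """\
interface Loopback10
 ip address 10.0.2.1 255.255.255.255
interface Tunnel0
 ip address 1.1.1.2 255.255.255.0
 tunnel source Loopback10
 tunnel destination 10.0.2.2
 tunnel protection ipsec profile fsmipsecprofile
interface FastEthernet0/0
 ip address x.x.x.x 255.255.255.252
 crypto map MYMAP
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Group the indented sub-commands under each 'interface <name>' stanza.
    Top-level lines that are not 'interface' (e.g. 'crypto map ...') end the
    current stanza and are otherwise ignored."""
    interfaces: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not line.startswith(" "):
            m = re.match(r"interface\s+(\S+)", line)
            current = m.group(1) if m else None
            if current is not None:
                interfaces.setdefault(current, [])
            continue
        if current is not None:
            interfaces[current].append(line.strip())
    return interfaces


def _resolve_source(source: str, interfaces: Dict[str, List[str]]) -> Optional[str]:
    """Map a 'tunnel source' argument (interface name or IP address) to an
    interface name; None if it matches nothing in the config."""
    if source in interfaces:
        return source
    for name, lines in interfaces.items():
        for l in lines:
            m = re.match(r"ip address\s+(\S+)", l)
            if m and m.group(1) == source:
                return name
    return None


def find_crypto_map_tunnel_conflicts(config: str) -> List[Tuple[str, str]]:
    """Return (tunnel, source_interface) pairs where a tunnel carrying
    'tunnel protection ipsec profile' is sourced from an interface that also
    has a 'crypto map' applied."""
    interfaces = parse_interfaces(config)
    crypto_map_ifaces = {name for name, lines in interfaces.items()
                         if any(l.startswith("crypto map ") for l in lines)}
    conflicts: List[Tuple[str, str]] = []
    for name, lines in interfaces.items():
        protected = any(l.startswith("tunnel protection ipsec profile") for l in lines)
        source = None
        for l in lines:
            m = re.match(r"tunnel source\s+(\S+)", l)
            if m:
                source = _resolve_source(m.group(1), interfaces)
        if protected and source in crypto_map_ifaces:
            conflicts.append((name, source))
    return conflicts


if __name__ == "__main__":
    for label, cfg in (("questioner", CONFLICTING_CONFIG), ("loopback", LOOPBACK_CONFIG)):
        print(label, find_crypto_map_tunnel_conflicts(cfg))
```

Run against the questioner's layout it reports Tunnel3 on FastEthernet0/0; run against the loopback-sourced variant it reports nothing, which is the change the reply describes.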