Cisco 1941 DMVPN and IPsec

Chris Coho
Level 1

Hello,

We are starting to replace all of our ISA servers with Cisco routers with DMVPN. So far we are happy with everything, but I ran into an issue. I just set up one of our branches, and the DMVPN works fine, but this location also needs a VPN tunnel to another branch that we haven't replaced with Cisco hardware yet. The problem I have is that as soon as I associate an IPsec site-to-site VPN on this router, the DMVPN drops.

I create the IPsec VPN:

crypto map VPN_Crypto 1 ipsec-isakmp
 set transform-set ESP-3DES-SHA
 set peer aa.aa.aa.aa
 match address 103 (where address is allow local IP subnet to remote IP subnet)

and all works fine. As soon as I do the following:

interface GigabitEthernet0/1
 crypto map VPN_Crypto

The DMVPN drops. If I then connect in and run:

interface GigabitEthernet0/1
 no crypto map

The DMVPN comes right back up.

What could I be doing wrong? Below is the config for the Tunnel0 DMVPN tunnel:

interface Tunnel0
 bandwidth 1000
 ip address 192.168.10.31 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication DMVPN_NW
 ip nhrp map multicast xx.xx.xx.xx
 ip nhrp map 192.168.10.10 xx.xx.xx.xx
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip nhrp nhs 192.168.10.10
 zone-member security dmvpn-zone
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile CiscoCP_Profile1

If you need anything else from the config to assist, let me know. On our main site router I have had no problem with it being the DMVPN hub and also having a handful of IPsec VPNs set up on it as well. I really appreciate any help; I really need to get both of these tunnels running simultaneously ASAP.


Chris Coho
Level 1

I should also mention, if I monitor the tunnels in CCP, when I enable the crypto map, the DMVPN tunnel disappears from "DMVPN Tunnels" in CCP Monitoring, but it remains in "Ipsec Tunnels" as up (but I can't route over it). And while this is going on, the site-to-site IPsec tunnel works fine; I can route traffic over it with no problem.

Please share your complete config (as an attachment).

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Ok, it is attached. I replaced anything private like preshared keys, certificate, etc. And I changed public IP addresses as follows:

DMVPN Hub IP to 100.100.100.100
Router WAN IP to 200.200.200.200
Router WAN Gateway to 200.200.200.201
Public IP of Other Branch I need to create an IPsec VPN to 250.250.250.250

If changing those is a problem let me know.

As the configuration is included here, if you run:

interface GigabitEthernet0/1
 crypto map VPN_Crypto

the DMVPN will drop and the IPsec VPN comes up (but not both)... then doing a "no crypto" will bring the DMVPN back up (but bring down the IPsec VPN).

Which is your Hub-network (IP) that you learn by EIGRP through DMVPN?


100.100.100.100 is the public wan IP address of the Hub of the DMVPN.

Also, the internal subnet of the hub location is 10.10.0.0 /16

Also, in testing, I've found it doesn't even matter if the IPsec VPN connects. I tried setting up the IPsec VPN with one of my unused IP addresses at the branch site, so I would know the tunnel never formed, and still as soon as I added the crypto map to GigabitEthernet0/1 the DMVPN dropped.

Chris Coho
Level 1

Did you get a chance to look at my config? Did that give you any ideas on why it's not working?

Yes, but I didn't see anything that was looking strange (well, configs generated by CCP always look strange ... ).

Perhaps you are running into a bug. Have you tried a different IOS? Personally I wouldn't use 15.2 if I don't have to. You could try 15.0(1)M8 and see if that works.


Thank you for the recommendation.  I will try loading up the suggested IOS version (is there any issue with configs and rolling back to an older version I should be aware of?).

If that doesn't work, since I just purchased, I will add smartnet and call Cisco support to assist.

That was it!  I rolled back to the 15.0(1)M8 version you suggested and the issue is solved.

Thank you for your help!
