Classic DMVPN over IPSec. Force UDP/4500 instead of ESP?

Hi, we've got classic DMVPN scheme with central router and spokes, all IOS routers.

One of the remote sites has a bad ISP, which filters GRE and ESP (I believe they filter everything except TCP, UDP and ICMP).

Is there any way to force the spoke to use UDP/4500 instead of ESP?

Any other suggestions? The spoke's IP is dynamic and changes over time.


Jennifer Halim
Cisco Employee

The router should already have NAT-T enabled by default, but if it is disabled, then you can configure the following:

crypto ipsec nat-transparency

There is NO NAT in fact. So they do not negotiate NAT-T, and use ESP.

"Correct answer" clicked unintentionally.

Ahh, if there is NO NAT in the path then it would not negotiate NAT-T.

Unfortunately you can't force encapsulation of ESP when there is no NAT device in the path.

Is there any way you can place your DMVPN router behind a router that performs NAT?

There is no other router at site and that would be bad solution anyway.

Just in case anyone else runs into this issue, the only way I have found to force NAT-T for DMVPN is to set up a loopback, set it up for NAT, and use this as the source for the tunnel.

This way you don't need another router; you are doing the NAT and DMVPN inside the one router.

I would still like to know if there is any way to not use ESP but UDP encapsulation directly, as this would be useful for strange locations like cloud VM providers and some parts of the world (China), rather than forcing a spoke to be behind NAT when really the issue is that ESP is blocked.

Cheers
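The loopback-behind-NAT workaround from the reply above, written out as an added spoke configuration; it is not from the thread or from Cisco documentation, and every address, interface name, profile name and key is a constructed placeholder. Note that this does not remove ESP: it only makes both routers detect NAT so that ESP is carried inside UDP/4500, which is what gets past a filter that only passes TCP, UDP and ICMP.

```ios
! Added example, not from the thread: the spoke forces NAT-T by sourcing the
! DMVPN tunnel from a loopback that the same router NATs to its WAN address.
! Addresses, interface names, profile names and the PSK are placeholders.
!
crypto ipsec nat-transparency udp-encapsulation
!
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key PLACEHOLDER-PSK address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
! Private tunnel source: IKE and ESP leave from this address and are PAT'd on
! Gi0/0, so the hub's NAT-D hashes no longer match and both ends move to
! UDP/4500. The hub must be reachable; no change is needed on the hub side.
interface Loopback0
 ip address 10.255.255.1 255.255.255.255
 ip nat inside
!
interface GigabitEthernet0/0
 description ISP uplink, dynamic public address
 ip address dhcp
 ip nat outside
!
access-list 10 permit host 10.255.255.1
ip nat inside source list 10 interface GigabitEthernet0/0 overload
!
interface Tunnel0
 ip address 172.16.0.11 255.255.255.0
 ip nhrp authentication NHRP-KEY
 ip nhrp map 172.16.0.1 203.0.113.1
 ip nhrp map multicast 203.0.113.1
 ip nhrp nhs 172.16.0.1
 ip nhrp network-id 1
 tunnel source Loopback0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-PROF
!
! Verify: "show crypto isakmp sa detail" should flag NAT-T on the SA and
! "show crypto ipsec sa" should show UDP-Encaps in the in-use settings.
```

Because the spoke's public address is dynamic, the overload rule is bound to the interface rather than to a fixed address; spoke-to-spoke tunnels will behave as they do for any spoke behind NAT (NHRP carries the NATed NBMA address).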