09-25-2012 08:18 PM - edited 02-21-2020 06:21 PM
Hi, we've got a classic DMVPN scheme with a central router and spokes, all IOS routers.
One of the remote sites has a bad ISP, which filters GRE and ESP (I believe they filter everything except TCP, UDP and ICMP).
Is there any way to force the spoke to use UDP/4500 instead of ESP?
Any other suggestions? The spoke's IP is dynamic, and changes over time.
09-25-2012 08:23 PM
The router should already have NAT-T enabled by default, but if it is disabled, then you can configure the following:
crypto ipsec nat-transparency udp-encapsulation
09-25-2012 09:00 PM
There is NO NAT in fact. So they do not negotiate NAT-T, and use ESP.
"Correct answer" clicked unintentionally.
09-25-2012 09:15 PM
Ahh, if there is NO NAT in the path then it would not negotiate NAT-T.
Unfortunately you can't force encapsulation of ESP when there is no NAT device in the path.
Is there any way you can place your DMVPN router behind a router that performs NAT?
09-25-2012 09:25 PM
There is no other router at site and that would be bad solution anyway.
12-01-2016 08:51 AM
Just in case anyone else runs into this issue: the only way I have found to force NAT-T for DMVPN is to set up a loopback, set it up for NAT, and use this as the source for the tunnel.
This way you don't need another router; you are doing the NAT and DMVPN inside the one router.
I would still like to know if there is any way to not use ESP but UDP encapsulation directly, as this would be useful for strange locations like cloud VM providers and some parts of the world (China), rather than forcing a spoke to be behind NAT when really the issue is that ESP is blocked.
Cheers
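The loopback-behind-local-NAT arrangement described in the reply above, written out as an added spoke configuration (this is not configuration posted anywhere in the thread, and it has not been taken from a production device). The idea is that the tunnel and crypto endpoint is a private loopback that the same router translates to its own WAN address on the way out; IKE then sees a mismatch between the address it hashed into its NAT-D payloads and the address the hub sees, detects "NAT", and moves IKE and ESP to UDP/4500, which the ISP does not filter. Interface names, the loopback address 10.255.0.1, the hub NBMA address 203.0.113.1, the tunnel subnet 10.0.0.0/24, the NHRP key and the pre-shared key are all assumed placeholders. The hub needs no special change beyond having NAT-T enabled, which IOS does by default.

```cisco
! Spoke router: force NAT-T by NATing the tunnel source inside the same box.
! All names and addresses below are assumptions for the example.
!
! NAT-T is on by default; stated explicitly so a "no" form left in the
! config cannot silently defeat the whole arrangement.
crypto ipsec nat-transparency udp-encapsulation
!
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key SPOKE-PSK address 203.0.113.1
!
crypto ipsec transform-set TS-DMVPN esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile IPSEC-DMVPN
 set transform-set TS-DMVPN
!
! Private loopback that becomes the tunnel source / crypto endpoint.
! It is on the NAT "inside" so packets the router sources from it get translated.
interface Loopback10
 ip address 10.255.0.1 255.255.255.255
 ip nat inside
!
! Dynamic ISP-facing interface on the NAT "outside".
interface GigabitEthernet0/0
 ip address dhcp
 ip nat outside
 no shutdown
!
! PAT the loopback to whatever address the WAN interface currently holds,
! so the ISP changing the lease does not require touching this config.
ip access-list extended NAT-TUNNEL-SRC
 permit ip host 10.255.0.1 any
ip nat inside source list NAT-TUNNEL-SRC interface GigabitEthernet0/0 overload
!
! mGRE tunnel sourced from the loopback, not from the WAN interface.
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication DMVPNKEY
 ip nhrp network-id 1
 ip nhrp map 10.0.0.1 203.0.113.1
 ip nhrp map multicast 203.0.113.1
 ip nhrp nhs 10.0.0.1
 tunnel source Loopback10
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile IPSEC-DMVPN
```

To confirm the trick actually took effect rather than just bringing the tunnel up over plain ESP, check three things on the spoke: `show ip nat translations` should list UDP entries for 10.255.0.1:500 and 10.255.0.1:4500 mapped to the WAN address; `show crypto isakmp sa detail` should show the `N` (NAT-traversal) capability flag on the SA to 203.0.113.1; and `show crypto ipsec sa` should report the peer on port 4500 with `UDP-Encaps` in the in-use settings. If the peer still shows port 500 and no `N` flag, IKE did not see a NAT, which usually means the loopback is not being translated (missing `ip nat inside`, or the ACL does not match it). Two caveats worth knowing before relying on this: the hub learns this spoke's NBMA address as the post-NAT WAN address while the spoke registers its loopback, which DMVPN handles through NHRP's NAT support, and direct spoke-to-spoke tunnels toward this spoke depend on the hub and the other spokes reaching that translated address on UDP/4500 through the same ISP filter.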