DMVPN and IPSEC using same interface

Mark Mattix
Level 2

Hello,

I'm using a DMVPN configuration to connect various remote sites. I would like to add a new Pepwave device that requires a point-to-point IPSec configuration. My question is, would I run into any problems by configuring a crypto map on the interface that my virtual tunnel for the DMVPN is sourcing from? I appreciate any help! -Mark


interface Tunnel0 (DMVPN)
 ip address 192.168.1.1 255.255.255.0
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
!
interface GigabitEthernet0/0
 description DMVPN Outside
 ip address 192.168.2.2 255.255.255.0
 crypto map cisco (Will this hurt to add?)
 duplex auto
 speed auto

4 Replies

Mark Mattix
Level 2

BTW, I've set this up in a lab and all seemed to work well but just wanted opinions if this configuration is ok and if I could expect any issues in production from it. 

Just be careful with your encryption domain for the P2P Tunnel.

Remember P2P IPSec tunnels don't allow dynamic routing, so your scalability is limited.


Also there is an order of operations with packets moving through interfaces.

http://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/6209-5.html


-- CCNP, CCIP, CCDP, CCNA: Security/Wireless Blog: http://ccie-or-null.net/

So as long as my encryption domain (the specific network I need to traverse the P2P tunnel) is set, you think this configuration should be stable? I was just concerned because the tunnel0 is sourced from the gi0/0 interface. If my encryption domain instructs traffic to use the P2P, will it bypass using the tunnel0? Only traffic that needs to traverse the tunnel 0 will use tunnel 0, right? Seeing the command "tunnel source GigabitEthernet0/0" makes me think that any traffic leaving gi0/0 will try to use the tunnel, but is that incorrect to think? Thanks!

Only traffic that is contained within the encryption domain will get encrypted.


The GRE tunnel will be from the Tunnel Source to the Tunnel Destination. Just keep that out of the encryption domain.


You could always try and use a sub-interface to keep the traffic separate.

Or start creating loopbacks and sourcing the traffic from the loopback.

-- CCNP, CCIP, CCDP, CCNA: Security/Wireless Blog: http://ccie-or-null.net/
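The advice above (keep the GRE tunnel traffic out of the crypto map's encryption domain) as an added example configuration, not the original poster's or the replier's config. It reuses the thread's addresses (Tunnel0 192.168.1.1/24, Gi0/0 192.168.2.2/24, crypto map "cisco"); the DMVPN hub 198.51.100.1, the Pepwave peer 203.0.113.10, the LANs 10.10.0.0/24 and 10.20.0.0/24, and the profile/ACL names are constructed, and IKE policy and keys are assumed to be configured separately.

```cisco
! Constructed addresses: hub 198.51.100.1, Pepwave peer 203.0.113.10,
! local LAN 10.10.0.0/24, Pepwave LAN 10.20.0.0/24.
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
!
! 1. DMVPN protects its own GRE with tunnel protection, not the crypto map.
crypto ipsec profile DMVPN-PROF
 set transform-set TS
!
interface Tunnel0
 ip address 192.168.1.1 255.255.255.0
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-PROF
!
! 2. Encryption domain for the point-to-point tunnel. The deny line keeps
!    GRE between the tunnel source and the DMVPN hub out of the crypto map
!    (explicitly, even though the permit below would not match it anyway);
!    only LAN-to-LAN traffic for the Pepwave site is selected.
ip access-list extended PEPWAVE-DOMAIN
 deny   gre host 192.168.2.2 host 198.51.100.1
 permit ip 10.10.0.0 0.0.0.255 10.20.0.0 0.0.0.255
!
crypto map cisco 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set TS
 match address PEPWAVE-DOMAIN
!
! 3. The crypto map on the DMVPN source interface only acts on packets
!    matching PEPWAVE-DOMAIN; everything else, including the GRE packets
!    Tunnel0 emits, leaves Gi0/0 untouched by this map.
interface GigabitEthernet0/0
 description DMVPN Outside
 ip address 192.168.2.2 255.255.255.0
 crypto map cisco
!
! Check: the DMVPN peers must show up under the tunnel protection SAs,
! and only 10.10.0.0/24 <-> 10.20.0.0/24 under the crypto-map SA.
! show crypto ipsec sa
! show crypto map
```

If the DMVPN spokes' public addresses are also reachable through Gi0/0, extend the deny entries (or keep the permit narrow) so no spoke-to-spoke GRE flow can match the point-to-point encryption domain.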