12-02-2014 11:26 AM - edited 02-21-2020 07:57 PM
Hello,
I'm using a DMVPN configuration to connect various remote sites. I would like to add a new Pepwave device that requires a point to point IPSec configuration. My question is, would I run into any problems by configuring a crypto map on the interface that my virtual tunnel for the DMVPN is sourcing from? I appreciate any help! -Mark
! DMVPN
interface Tunnel0
 ip address 192.168.1.1 255.255.255.0
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
!
interface GigabitEthernet0/0
 description DMVPN Outside
 ip address 192.168.2.2 255.255.255.0
 ! Will this hurt to add?
 crypto map cisco
 duplex auto
 speed auto
12-02-2014 11:28 AM
BTW, I've set this up in a lab and all seemed to work well but just wanted opinions if this configuration is ok and if I could expect any issues in production from it.
12-02-2014 01:18 PM
Just be careful with your encryption domain for the P2P Tunnel.
Remember P2P IPSec tunnels don't allow dynamic routing, so your scalability is limited.
Also there is an order of operations with packets moving through interfaces.
http://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/6209-5.html
12-02-2014 01:54 PM
So as long as my encryption domain (the specific network I need to traverse the P2P tunnel), you think this configuration should be stable? I was just concerned because the tunnel0 is sourced from the gi0/0 interface. If my encryption domain instructs traffic to use the P2P will it bypass using the tunnel0? Only traffic that needs to traverse the tunnel 0 will use tunnel 0, right? Seeing the command, "tunnel source GigabitEthernet0/0" makes me think that any traffic leaving gi0/0 will try to use the tunnel, but is that incorrect to think? Thanks!!
12-02-2014 07:45 PM
Only traffic that is contained within the encryption domain will get encrypted.
The GRE tunnel will be from the Tunnel Source to the Tunnel Destination. Just keep that out of the encryption domain.
You could always try and use a sub-interface to keep the traffic separate.
Or start creating loopbacks and sourcing the traffic from the loopback.
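The advice above to keep the GRE tunnel out of the encryption domain can be checked before deployment. The following is an added example, not part of the original thread: it evaluates crypto-map ACL entries with first-match semantics against GRE packets from the tunnel source (192.168.2.2, from the config above) to spoke NBMA addresses. The spoke addresses and ACL entries are constructed, and contiguous wildcard masks are assumed.

```python
import ipaddress

def _net(addr, wildcard):
    # An IOS wildcard mask is the inverse of a netmask (contiguous masks assumed).
    mask = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    base = int(ipaddress.IPv4Address(addr)) & mask
    return ipaddress.ip_network((base, bin(mask).count("1")))

def _take(tokens):
    # Consume one address spec: 'any', 'host A' or 'A WILDCARD'.
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return _net(tokens[0], tokens[1]), tokens[2:]

def parse_ace(line):
    # 'permit|deny <proto> <source spec> <destination spec>'
    action, proto, *rest = line.split()
    src, rest = _take(rest)
    dst, _ = _take(rest)
    return action, proto, src, dst

def gre_hits(acl_lines, tunnel_source, nbma_peers):
    """Return (peer, ace) pairs where the first matching ACE permits GRE."""
    aces = [(parse_ace(l), l.strip()) for l in acl_lines if l.strip()]
    src = ipaddress.ip_address(tunnel_source)
    hits = []
    for peer in nbma_peers:
        dst = ipaddress.ip_address(peer)
        for (action, proto, s, d), text in aces:
            # 'ip' covers every IP protocol, including GRE (protocol 47).
            if proto in ("ip", "gre") and src in s and dst in d:
                if action == "permit":
                    hits.append((peer, text))
                break  # first match wins, as in an IOS ACL
    return hits

TUNNEL_SOURCE = "192.168.2.2"                  # Gi0/0 address from the thread
SPOKES = ["198.51.100.7", "203.0.113.20"]      # constructed spoke NBMA addresses
SCOPED = ["permit ip 10.10.0.0 0.0.0.255 10.50.0.0 0.0.0.255"]   # constructed
TOO_BROAD = ["permit ip any 10.50.0.0 0.0.0.255",
             "permit ip 192.168.2.0 0.0.0.255 any"]              # constructed

if __name__ == "__main__":
    for name, acl in (("SCOPED", SCOPED), ("TOO_BROAD", TOO_BROAD)):
        print(name, gre_hits(acl, TUNNEL_SOURCE, SPOKES))
```

An empty result means no entry in the P2P encryption domain would select the DMVPN GRE packets.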