
DMVPN and L2TP (IPSec)

MrBeginner

Dear all,

I am trying to integrate DMVPN and L2TP because I have devices from different vendors. I have two DCs. DC1 (Spoke4) is using non-Cisco. DC2 is using Cisco. My spoke sites need to connect to DC1 and DC2, so I mix DMVPN and L2TP (IPsec). Please see the diagram below.

I am using the delay value to choose the tunnel priority. But if I integrate L2TP with DMVPN, it is down. Please see the error log.

How can I solve this problem? The DC1 L2TP is already running IPsec in production. Now I need to do DMVPN only, but I worry they will conflict with each other. Please advise how to avoid this.

 

 

31 Replies

Hi,
Sorry for my carelessness. I found my fault now. I forgot to create the certificate map on spoke 1. Now my DMVPN is up and I am trying to integrate it with the VTI tunnel.

Hi,

After configuring the two CAs and two trustpoints, my DMVPN connection is working fine. But my VTI tunnel doesn't come up. I configured it as in the attachments below and debugged as below. I got an authentication error on the VTI tunnel. If I apply the shared keyword on the tunnel, all tunnels go down. So I didn't put the shared keyword.

 

Hi,
In your certificate map on Spoke2 you have spelt the subject-name incorrectly, that's probably why it doesn't match it.

 

crypto pki certificate map MAP_IPSEC 10
subject-name co cryto.local

 

It should be crypto based on the subject-name defined within your trustpoint called ipsec-sa

 

Is Spoke2 the VTI router? That shouldn't need any dmvpn configuration (certificate, ikev2 profile etc) assuming it only requires the VTI. Only the Hub would require the DMVPN and VTI configuration

 

HTH

Hi,

All spokes and DC1 have two tunnels (DMVPN and VTI).

Now I can run one DMVPN tunnel and one VTI on all routers with different key pairs and trustpoints.

But my existing network is already running VTI tunnels without rsakeypairs.

So I am trying to configure the VTI tunnels without rsakeypairs, and the DMVPN tunnel with a keypair.

Let me know if it can work?

When I generate a keypair without using keypair or label, it is stored under the name hostname+domain (e.g. cbtme-hub.crypto.local.server). So I thought we could set up another tunnel with a keypair, but it still doesn't work.

I also need to run redundancy in DMVPN. I have one router now; later I will add another router in the DC. So can I run dual-homed on one router temporarily?

Which scenario should I use without interrupting the existing network?

 

Hi,

In the trustpoint configuration in your last configuration file you have defined subject-name cn=dmvpn; the subject name also needs to contain the routername + dmvpn. If you look at my previous post, e.g.:

 

DMVPN

crypto pki trustpoint DC1_TP
 subject-name CN=R2.DMVPN
 rsakeypair DC1_CA

 

Replace R2 on each router with the hostname or unique ID for each router.

 

Each identity on all routers needs to be unique, but for the dmvpn certificate map in use it needs to include "dmvpn" in order to correctly match the correct ikev2 profile.

 

You need 2 unique keypairs; ideally you'd name them both to give a clear indication of their usage. Obviously the keypair would then need to be referenced under the trustpoint.

 

HTH
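The two certificate-map problems discussed above (a mistyped `subject-name co` string, and identities that must be unique per router) can be caught offline before a change window. This is an added example, not part of the thread or of any Cisco tooling. It assumes `co` is a case-insensitive substring test and that each router presents its trustpoint `subject-name` to its peers; the sample configs are constructed.

```python
import re

# Constructed sample configs (placeholders, not the thread's attachments).
CONFIGS = {
    "HUB": """
crypto pki trustpoint DC1_TP
 subject-name CN=HUB.DMVPN
crypto pki trustpoint ipsec-sa
 subject-name CN=HUB.crypto.local
crypto pki certificate map MAP_DMVPN 10
 subject-name co dmvpn
crypto pki certificate map MAP_IPSEC 10
 subject-name co cryto.local
""",
    "R2": "crypto pki trustpoint DC1_TP\n subject-name CN=R2.DMVPN\n",
    "R3": "crypto pki trustpoint DC1_TP\n subject-name CN=R2.DMVPN\n",
}

def parse(config):
    """Return (trustpoint subjects, certificate-map 'co' strings) for one config."""
    subjects, patterns, section = [], [], (None, None)
    for line in config.splitlines():
        head = re.match(r"crypto pki (trustpoint|certificate map) (\S+)", line)
        body = re.match(r"\s*subject-name (co )?(.+)", line)
        if head:
            section = head.groups()
        elif body and section[0] == "trustpoint" and not body.group(1):
            subjects.append((section[1], body.group(2).strip()))
        elif body and section[0] == "certificate map" and body.group(1):
            patterns.append((section[1], body.group(2).strip()))
    return subjects, patterns

def lint(configs):
    """Flag duplicate identities and map strings that match no subject-name."""
    parsed = {host: parse(cfg) for host, cfg in configs.items()}
    findings, seen = [], {}
    for host, (subjects, _) in parsed.items():
        for tp, subj in subjects:
            if subj.lower() in seen:
                findings.append(f"{host}/{tp}: '{subj}' duplicates {seen[subj.lower()]}")
            seen.setdefault(subj.lower(), f"{host}/{tp}")
    for host, (_, patterns) in parsed.items():
        for name, pat in patterns:
            # Assumption: 'co' is a case-insensitive substring test.
            if not any(pat.lower() in subj for subj in seen):
                findings.append(f"{host}/{name}: 'co {pat}' matches no subject-name")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(CONFIGS)))
```

On the constructed input it reports the reused `CN=R2.DMVPN` identity on R3 and the `cryto.local` map string on the hub.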

 

Hi,
I am still testing your advice. Let me know, can I use NTP over VPN? I want to sync all branch routers to the DC2 NTP server behind the DC2 router. Let me know, should the VTI tunnel also be transport mode?
Do I need to adjust the MTU size on the VTI also? Should I run QoS for DMVPN traffic?

I got another problem: the main problem is my switch and router cannot ping my server behind the DC's router, but my server can ping the switch and router local IP. The PC firewall is already off. I didn't use NAT. I use static routes and a trunk.

Do I need to put a default gateway IP on the switch and router?

 

 

Hi,
The problem is, as you are using certificates the routers' time needs to be accurate before establishing a VPN tunnel; if the time is inaccurate it may fail. So you may have to sync the routers via an NTP server that isn't via the VPN tunnel.

Use tunnel mode

What is the mtu size of the VTI? As the other end is PA firewall, check to see what that is configured as and make sure they are configured the same.

What type of traffic is the DMVPN used for? It depends if you need to prioritise traffic (voice, video) whether you need QoS?

Yes the switch would need a default gateway, it would not know how to route the traffic.

HTH

Hi,

All traffic from the branches to the DC passes through the VPN.

If I cannot sync through the VPN tunnel, how should I sync to the DC1 or DC2 time server from the branches?

For the default gateway of the switches: the switch has 4 VLANs and carries traffic over a trunk to the router, and the router has 4 VLAN interfaces. (I didn't use router-on-a-stick. My router is a C892, so the router has an 8-port switch, and I use one of the switch ports as a trunk port and connect it to the LAN switch.)

Let me know which IP I need to set as ip default-gateway? The management VLAN interface IP?

My RADIUS server is in the DC. I want to use 802.1x authentication for the branch LAN network PCs and devices.

Can I carry 802.1x traffic over the VPN tunnel?

Router config:

interface Vlan20
ip address 1.1.8.1 255.255.255.0
!
interface Vlan21
ip address 1.1.7.1 255.255.255.0
!
interface Vlan22
ip address 1.1.6.1 255.255.255.0
!
interface Vlan23
ip address 1.1.5.1 255.255.255.0

 

interface GigabitEthernet7
description LAN LINK to Switch
switchport trunk native vlan 77
switchport trunk allowed vlan 1,2,20-24,1001-1005
switchport mode trunk

 

Switch Config:

interface Vlan20
description MGMT VLAN
ip address 1.1.8.100 255.255.255.0

 

interface range Gi 0/1
description UPLink to Router
switchport mode trunk
switchport trunk allowed vlan 20,21,22,23,24,1,1002,1005

 

Hi,

if i cannot sync from VPN tunnel how should i sync DC1 or DC2 time server from branches ?

Chicken and egg scenario. You need the routers' time synchronised to ensure the certificates authenticate properly before the tunnel can be established. You can either sync to a public NTP server or define the hub router(s) as the NTP server and permit the spokes to authenticate to it. I would use an ACL and secure NTP.

 

let me know which IP should i need to set as ip default-gateway? Management VLAN interface IP ?

If the switch trunks the vlans to the router and the router is the default gateway for the clients on those vlans and assuming you have a default route on the router you shouldn't need another route.


Can i carry 802.1x traffic from VPN tunnel ?

Yes of course, as long as the tunnel is up and can communicate with the RADIUS server and providing the switch supports 802.1x.

 

HTH

Hi,

Thanks,

Regarding considering the DC hub as an NTP master: my network doesn't have internet access.

Can I set my hub router as an NTP server without internet or without connecting to an NTP server?

Or, in my DC I am using an MS server as the NTP server for other devices.

Should I connect my hub router to the time server in the DC without a tunnel, and have the other branch routers connect to my hub router as the NTP server?

 

For my switch management IP:

Let's say I use 10.1.8.0/27 for VLAN 200, 10.1.8.64/27 for VLAN 201, 10.1.8.94/27 for VLAN 202 (mgmt network). If I use VLAN 200 as the mgmt network and use 10.1.8.1 as the gateway on the switch, I can reach the switch and the switch can ping anywhere. But if I use another VLAN as the mgmt network and use 8.65 or 8.97 as the gateway on the switch, the switch cannot reach anywhere. Let me know the reason. My knowledge is too poor to know.

Hi,
Ok so a private WAN circuit? In that case you need to be able to route the NTP whatever device it is, as mentioned previously I'd still configure an ACL and restrict access to NTP.

Yes, you can sync the Hub router from DC and then the spoke routers can sync from the Hub.

Can you send me the full output of the router and switch (you can send privately if you don't want to upload publicly). I'll have a look to better understand your requirement

HTH

Hi,

Please see the router and switch config. I cannot ping from the switch to the router VLAN interface and the router cannot ping the switch. If I cannot ping the switch I cannot implement 802.1x.

Let me know why I cannot ping the switch?

I want to do 802.1x with certificates using MS NPS, and I would like to know whether I can implement 802.1x without typing the username and password again and again. I want one time to be enough.

If my PC or device is restarted, we need to type the username again, right? So I want to store the username and password permanently.

Can it be done? Which method should I use? I use NPS for authentication only. I didn't use the dynamic VLAN assignment function.

Hi,
On the switch, you could either define a default static route via 10.10.202.129 or define "ip default-gateway 10.10.202.129" - this command is only used if "ip routing" has not been defined on the switch.

If you are doing 802.1x you have a couple of options, EAP-TLS (certificates) or PEAP/MSCHAPv2 (username/passwords). PEAP is the easiest to implement. If you configure Windows GPO this will transparently send the computer/users' AD credentials when they login to the computer, so there will not be another requirement to authenticate to the network.

Certificate authentication is usually considered more complex (depending on experience of course), this can be configured to transparently authenticate the computer/user.

HTH

Hi,

The requirement is 802.1x with CA authentication. So I am trying to figure it out.

Let me know, if some machine isn't joined to the domain, which authentication method can I use?

For example, our IPsec uses certificates for authentication and our router didn't need to join the domain. I installed the root cert and client cert on the router.

So I would like to know, can I use the same way as the IPsec VPN certificates in 802.1x authentication?

(That means I want to use a cert for authentication without using a username and password.)

And let me know, if my certificate expires, how can I auto-enroll all our branch routers automatically?

 

Hi,
If the computer is not joined to the domain you can still use either method; however, PEAP (username and password) would not be transparent, you'd be prompted to log in every time. If you wanted to use certificates then you could; you would need to create a CSR on the computer and get this manually signed and imported to the computer.

Being a member of the domain means the certificate can be provisioned automatically via GPO to the computers. When you installed the certificate to the router you had to manually initiate the certificate request.

You can use SCEP on the router to request the initial certificate and a Windows server would need to run the NDES role for that to work. When the certificate is nearing expiration you can use the rollover command, which should then automatically connect via SCEP to the NDES server to renew its certificate. A lot of people however just issue certificates that last 5+ years, longer than the solution will be in place. It all depends on how secure you think it needs to be.

HTH