03-18-2023 02:03 PM
Dear team,
I hope you are all doing fine. I am really counting on your experience and hoping that somebody has faced a similar case.
We have an infrastructure with DMVPN implemented, practically one hub and some spokes. The configuration is pretty straightforward; we do not use dynamic protocols such as EIGRP etc. The config on the spokes is like the below:
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
!
crypto ipsec profile cisco
 set security-association lifetime seconds 120
 set transform-set strong
interface Tunnel0
description DMVPN to PVD_RTR1
ip address 172.16.0.200 255.255.255.0
ip nhrp map multicast dynamic
ip nhrp map 172.16.0.1 X.X.X.X
ip nhrp map multicast X.X.X.X
ip nhrp network-id 1
ip nhrp nhs 172.16.0.1
tunnel source FastEthernet 4
tunnel mode gre multipoint
tunnel protection ipsec profile cisco
end
int fast 4
ip nat outside
ip address dhcp
int vlan 1
ip add 192.168.200.1 255.255.255.0
ip nat inside
ip route 192.168.0.0 255.255.0.0 172.168.0.1
And on the Hub is :
interface Tunnel100
description DMVPN Hub Tunnel
ip address 172.16.0.1 255.255.255.0
ip nhrp map multicast dynamic
ip nhrp network-id 1
tunnel source FastEthernet0/0
tunnel mode gre multipoint
Practically, on one of the sites we have a TP-Link 4G router acting as the WAN. The Cisco router gets the IP 10.10.0.10 from the DHCP service of the TP-Link. When I issue "show crypto isakmp sa" I get that the connection is active both on the Hub and on the Spoke site. But I cannot ping the tunnel IPs. Also I see that I get packets only on the encaps of the spoke and the decaps of the Hub. I know the 4G router is behind a NAT, but if I am not mistaken this should cause no issues since it is the initiator of the traffic. I also thought of changing the MTU of the tunnels, but the MTU should only cause issues for TCP sessions and not ICMP. Has anybody come across such a case and has any ideas on this?
03-18-2023 03:17 PM
ip route 192.168.0.0 255.255.0.0 172.168.0.1
must change to
ip route 192.168.0.0 255.255.0.0 tunnel x <<- this must be changed from a next-hop to tunnel x
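As an added example (not part of the thread, and not a Cisco tool), the following Python linter applies the checks raised in this thread to a spoke configuration before it is pushed: a static route whose next-hop is not on any connected subnet (the 172.168.0.1 typo), an NHRP NHS address outside the tunnel subnet, and, from a defender's view of the posted crypto lines, 3DES/MD5 and a pre-shared key accepted from 0.0.0.0 0.0.0.0. The sample configuration is constructed from the lines posted above; the script assumes canonical IOS interface names (Tunnel0, Vlan1) and only the command forms shown in the thread.

```python
import ipaddress
import re

# Constructed sample input: the spoke configuration from the thread, reduced to
# the lines the checks below look at. Public addresses stay as X.X.X.X.
SPOKE_CONFIG = """\
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto ipsec transform-set strong esp-3des esp-md5-hmac
interface Tunnel0
 ip address 172.16.0.200 255.255.255.0
 ip nhrp map 172.16.0.1 X.X.X.X
 ip nhrp nhs 172.16.0.1
 tunnel mode gre multipoint
 tunnel protection ipsec profile cisco
interface Vlan1
 ip address 192.168.200.1 255.255.255.0
ip route 192.168.0.0 255.255.0.0 172.168.0.1
"""

# The corrected form from the accepted answer: the route points at the tunnel interface.
FIXED_CONFIG = SPOKE_CONFIG.replace("172.168.0.1", "Tunnel0")

# Algorithm keywords a reviewer would flag in an ISAKMP policy or transform set.
WEAK_TOKENS = {"md5", "esp-md5-hmac", "esp-3des", "esp-des", "3des", "des"}


def parse_config(config):
    """Return (interfaces, nhs, routes):
    interfaces: {name: IPv4Interface} from 'ip address A M' lines,
    nhs:        {name: IPv4Address}   from 'ip nhrp nhs' lines,
    routes:     [(IPv4Network, next_hop_string)] from 'ip route' lines."""
    interfaces, nhs, routes = {}, {}, []
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"interface (\S+)$", line):
            current = m.group(1)
        elif (m := re.match(r"ip address (\S+) (\S+)$", line)) and current:
            interfaces[current] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
        elif (m := re.match(r"ip nhrp nhs (\S+)$", line)) and current:
            nhs[current] = ipaddress.IPv4Address(m.group(1))
        elif m := re.match(r"ip route (\S+) (\S+) (\S+)$", line):
            routes.append((ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}"), m.group(3)))
    return interfaces, nhs, routes


def lint(config):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    findings = []
    interfaces, nhs, routes = parse_config(config)

    # 1. Static routes: a next-hop address must sit on a connected subnet, otherwise
    #    the router cannot resolve it and the route never becomes usable.
    for dest, next_hop in routes:
        try:
            nh = ipaddress.IPv4Address(next_hop)
        except ValueError:
            # Not an address: an interface-style route such as "ip route ... Tunnel0".
            if next_hop not in interfaces:
                findings.append(f"route {dest} via {next_hop}: no such interface")
            continue
        if not any(nh in i.network for i in interfaces.values()):
            findings.append(f"route {dest} via {next_hop}: next-hop is not on any connected subnet")

    # 2. NHRP: the NHS address must be inside the tunnel's own subnet.
    for name, server in nhs.items():
        if name in interfaces and server not in interfaces[name].network:
            findings.append(f"{name}: NHS {server} is outside tunnel subnet {interfaces[name].network}")

    # 3. Crypto hygiene: weak algorithms and a pre-shared key valid for any peer address.
    for raw in config.splitlines():
        line = raw.strip()
        weak = WEAK_TOKENS & set(line.lower().split())
        if weak:
            findings.append(f"weak algorithm(s) {sorted(weak)} in: {line}")
        if re.match(r"crypto isakmp key \S+ address 0\.0\.0\.0 0\.0\.0\.0$", line):
            findings.append(f"pre-shared key accepted from any peer: {line}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", SPOKE_CONFIG), ("with the fixed route", FIXED_CONFIG)):
        print(f"--- {label} ---")
        for finding in lint(cfg):
            print(finding)
```

Run against the posted config the first finding is the unreachable next-hop for 192.168.0.0/16; with the route pointed at Tunnel0 that finding disappears and only the three crypto findings remain. The check is deliberately narrow: it does not model recursive routing or the NHRP resolution itself, only the on-link condition the accepted answer relies on.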
03-18-2023 02:40 PM
@Yannis94 why NAT over the VPN? Either remove the NAT configuration on the tunnel and VLAN 1 interface or ensure you are excluding the relevant networks from being translated.
03-18-2023 03:01 PM
Hello Rob, thank you for your reply. Maybe the way that I posted it is confusing. I am not NATting inside the tunnel. Interface fast 4 is the WAN interface and that is why I have ip nat outside there; the vlan 1 interface is the one that the local users use, and that is why I have ip nat inside there. But I have a deny in the NAT list in order to not NAT the communication between the two LANs.
03-18-2023 03:12 PM
ip route 192.168.0.0 255.255.0.0 172.168.0.1
This next-hop IP address is incorrect.
When you ping the tunnel ip, what is the source IP address? Did you specify the tunnel IP as the source?
03-18-2023 03:19 PM
You are correct. This is a typo. The correct next hop is 172.16.0.1.
Yes I do, and I get a timeout again; that is when I see only encaps packets from the spoke side and only decaps packets from the hub side.
03-18-2023 02:44 PM
How does the hub or spoke know what LAN is behind the tunnel?
I see a static route but I don't get what it is used for: is it used for the tunnel, or for the LAN passing through the tunnel?
ip route 192.168.0.0 255.255.0.0 172.168.0.1
03-18-2023 03:09 PM
Hi,
Sorry for not posting all the information. The spoke has the subnet 192.168.200.0/24 and the hub has 192.168.1-2-3-50-60.0/24. From the hub site, the route for this specific remote site is:
ip route 192.168.200.0 255.255.255.0 172.16.0.200