DMVPN SPOKE BEHIND ISP ROUTER PERFORMING STATIC NAT


Hi Guys,

 

I am in a scenario wherein one of my DMVPN spokes is behind the ISP router, which is performing NAT; the NAT is static and only performed once, on the ISP router. The point-to-point connection from my spoke router to the ISP router is defined by an RFC 1918 address. I have enabled "crypto ipsec nat-transparency udp-encapsulation" on both the spoke and hub side, which enables NAT traversal. The DMVPN tunnel source on my router is sourced to the private IP, which is a point-to-point connection to the ISP router. I have allowed UDP,

 

isakmp         Internet Security Association and Key Management Protocol (500)

non500-isakmp  Internet Security Association and Key Management Protocol (4500)

 

on both ends. I believe my DMVPN configuration is correct and NHRP inherently supports NAT-T. But I am still not able to bring this tunnel up. Any suggestions? Request you guys to let me know if I am missing something.

3 Replies

Hi nabinshrestha21,

You also need to allow ESP protocol as well.

How many tunnel interfaces in total are you creating on each side?

Can you post or attach the config related to tunnel and crypto?

Spooster IT Services Team

> You also need to allow ESP protocol as well.

ESP doesn't need to be allowed. In a NAT/PAT environment there is no native ESP-traffic, it's all encapsulated in UDP.

Your above-mentioned command is not needed as NAT-T is enabled by default in IOS.

Do a "debug crypto isakmp" to see how far the session gets.
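Added example, not written by any poster in this thread: a Python model of the RFC 3947 NAT-D check that IKE peers run to decide whether ESP stays native (IP protocol 50) or is encapsulated in UDP 4500, which is the behaviour the last reply relies on. The addresses, cookies and function names are constructed for illustration and are not taken from the poster's network.

```python
import hashlib
import ipaddress

def nat_d(cky_i, cky_r, ip, port, hash_name="sha1"):
    """RFC 3947 NAT-D payload body: HASH(CKY-I | CKY-R | IP | Port)."""
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + port.to_bytes(2, "big")
    return hashlib.new(hash_name, data).digest()

def send_nat_d(cky_i, cky_r, src, dst):
    """Sender hashes the addresses as it sees them: remote end first, then local end."""
    return nat_d(cky_i, cky_r, *dst), nat_d(cky_i, cky_r, *src)

def detect_nat(cky_i, cky_r, payloads, seen_src, seen_dst):
    """Receiver recomputes both hashes from the IP/UDP header that actually arrived."""
    d_remote, d_local = payloads
    return {
        "receiver_behind_nat": d_remote != nat_d(cky_i, cky_r, *seen_dst),
        "sender_behind_nat": d_local != nat_d(cky_i, cky_r, *seen_src),
    }

def esp_transport(result):
    """Any detected NAT moves IKE to UDP 4500 and wraps ESP in UDP."""
    return "udp/4500" if any(result.values()) else "ip-proto-50"

# Constructed sample values (documentation and RFC 1918 ranges), not from the thread.
CKY_I = bytes.fromhex("0102030405060708")
CKY_R = bytes.fromhex("1112131415161718")
SPOKE_PRIVATE = ("10.0.0.2", 500)      # tunnel source on the spoke
SPOKE_PUBLIC = ("203.0.113.10", 500)   # what the ISP router's static NAT presents
HUB = ("198.51.100.1", 500)

def simulate(spoke_seen_as):
    """Spoke sends NAT-D from its private view; hub checks against what it received."""
    payloads = send_nat_d(CKY_I, CKY_R, SPOKE_PRIVATE, HUB)
    result = detect_nat(CKY_I, CKY_R, payloads, spoke_seen_as, HUB)
    return result, esp_transport(result)

if __name__ == "__main__":
    print("through static NAT:", simulate(SPOKE_PUBLIC))
    print("no NAT in path:   ", simulate(SPOKE_PRIVATE))
```

With the static NAT in the path the hub's recomputed source hash differs from the spoke's, so everything after detection runs over UDP 4500 and a filter between the peers never sees IP protocol 50.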