12-10-2014 08:40 AM - edited 02-21-2020 07:58 PM
Hello,
I have been seaching the community for a while but I cannot see an answer.
I have a DMVPN network in deployment two of the spoke are behind NAT. They are connecting perfectly and OSPF is forming adjacenies.
The odd thing I noticed was when I try to ping to network behind a spoke it looks like the connection is formed via the hub. When I do a show dmvpn from the hub I get the LAN addresses behind NAT showing:
Interface: Tunnel0, IPv4 NHRP Details
Type:Hub, NHRP Peers:2,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 192.168.10.250 192.168.99.2 UP 5d09h D
1 172.16.0.217 192.168.99.4 UP 05:56:55 D
When a spoke pings a network behind another spoke the spoke DMVPN command shows this:
Interface: Tunnel0, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
2 [PUBLIC IP ADDRESS] 192.168.99.1 UP 1d11h S
192.168.99.4 UP 00:00:03 D
To me this does not look correct. How can I force the spokes to create a tunnel with each other rather than via the spoke?
Any help appreciated tunnel interface configs are below:
Hub
interface Tunnel0 ip address 192.168.99.1 255.255.255.0 no ip redirects ip mtu 1400 ip nhrp map multicast dynamic ip nhrp network-id 1 ip nhrp holdtime 600 ip ospf network broadcast ip ospf hello-interval 30 ip ospf priority 255 tunnel source GigabitEthernet0/0 tunnel mode gre multipoint tunnel protection ipsec profile LF-DMVPN end
Spoke 1
interface Tunnel0 ip address 192.168.99.2 255.255.255.0 no ip redirects ip mtu 1400 ip nhrp map multicast {hub public ip} ip nhrp map 192.168.99.1 {hub public ip} ip nhrp network-id 1 ip nhrp holdtime 600 ip nhrp nhs 192.168.99.1 ip ospf network non-broadcast ip ospf priority 0 tunnel source GigabitEthernet0/0 tunnel mode gre multipoint tunnel protection ipsec profile LF-DMVPN end
Spoke 2
interface Tunnel0 ip address 192.168.99.4 255.255.255.0 no ip redirects ip mtu 1400 ip nhrp map multicast {hub public ip} ip nhrp map 192.168.99.1 {hub public ip} ip nhrp network-id 1 ip nhrp holdtime 600 ip nhrp nhs 192.168.99.1 ip ospf network non-broadcast ip ospf priority 0 tunnel source GigabitEthernet0/0 tunnel mode gre multipoint tunnel protection ipsec profile LF-DMVPN end
12-11-2014 05:09 AM
In case anybody has the same issue. I manged to fix this.
First the transformation set needs to be mode transport
crypto ipsec transform-set DMVPN esp-aes esp-sha-hmac
mode transport
After that the connection was still going via the hub but I noticed that the ISAKMP phase one did not have a key for the other spoke.
Hope this helps someone with the same problem.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide