Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
597
Views
0
Helpful
1
Replies

DMVPN Spoke to Spoke Issue

Euan McGregor
Level 4
Level 4

‎12-10-2014 08:40 AM - edited ‎02-21-2020 07:58 PM

Hello,

I have been seaching the community for a while but I cannot see an answer.

I have a DMVPN network in deployment two of the spoke are behind NAT. They are connecting perfectly and OSPF is forming adjacenies.

The odd thing I noticed was when I try to ping to network behind a spoke it looks like the connection is formed via the hub. When I do a show dmvpn from the hub I get the LAN addresses behind NAT showing:

 

Interface: Tunnel0, IPv4 NHRP Details 
Type:Hub, NHRP Peers:2, 

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 192.168.10.250     192.168.99.2    UP    5d09h     D
     1 172.16.0.217       192.168.99.4    UP 05:56:55     D

When a spoke pings a network behind another spoke the spoke DMVPN command shows this:

 

Interface: Tunnel0, IPv4 NHRP Details 
Type:Spoke, NHRP Peers:1, 

 # Ent  Peer NBMA Addr Peer Tunnel Add    State    UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     2 [PUBLIC IP ADDRESS]     192.168.99.1    UP    1d11h     S
                                                   192.168.99.4    UP 00:00:03     D

To me this does not look correct. How can I force the spokes to create a tunnel with each other rather than via the spoke?

Any help appreciated tunnel interface configs are below:

Hub

interface Tunnel0
 ip address 192.168.99.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp holdtime 600
 ip ospf network broadcast
 ip ospf hello-interval 30
 ip ospf priority 255
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile LF-DMVPN
end

Spoke 1

interface Tunnel0
 ip address 192.168.99.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp map multicast {hub public ip}
 ip nhrp map 192.168.99.1 {hub public ip}
 ip nhrp network-id 1
 ip nhrp holdtime 600
 ip nhrp nhs 192.168.99.1
 ip ospf network non-broadcast
 ip ospf priority 0
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile LF-DMVPN
end

Spoke 2

interface Tunnel0
 ip address 192.168.99.4 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp map multicast {hub public ip}
 ip nhrp map 192.168.99.1 {hub public ip}
 ip nhrp network-id 1
 ip nhrp holdtime 600
 ip nhrp nhs 192.168.99.1
 ip ospf network non-broadcast
 ip ospf priority 0
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile LF-DMVPN
end
Labels:
0 Helpful
1 Reply 1

Euan McGregor
Level 4
Level 4

‎12-11-2014 05:09 AM

In case anybody has the same issue. I manged to fix this.

 

First the transformation set needs to be mode transport

crypto ipsec transform-set DMVPN esp-aes esp-sha-hmac 
 mode transport

After that the connection was still going via the hub but I noticed that the ISAKMP phase one did not have a key for the other spoke.

Hope this helps someone with the same problem.

 

 

0 Helpful
Customers Also Viewed These Support Documents