DMVPN, Spokes behind NAT problem

Alfredo
Level 1

Hi,

 

I have a problem with my DMVPN architecture:

 

- The hubs are configured with transform-set mode tunnel.

- Spokes are behind a NAT device.


How can I fix this problem without changing the hub configuration? Thanks!

 


Hi, you don't need to run transport mode, but it's recommended to.
What exactly is the problem you are facing? Please provide configs and output of debugs.

The problem is that my hubs are configured with transform-set mode tunnel and I have a spoke behind a NAT.

 

Spoke config:

crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 5
crypto isakmp key xxxxxxxxxxx address 0.0.0.0
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 30 periodic
!
crypto ipsec security-association replay window-size 1024
!
! Transform set in tunnel mode; the NAT-Transparency Aware enhancement requires transport mode (see the Cisco doc quote below)
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
 mode tunnel
!
crypto ipsec profile IPSEC-DMVPN
 set transform-set ESP-AES-SHA
!
! mGRE spoke tunnel, NHS 10.18.0.1 mapped to the hub's public address x.x.x.x
interface Tunnel10
 bandwidth 10000
 ip address 10.18.0.155 255.255.255.0
 no ip redirects
 ip nhrp authentication password
 ip nhrp map multicast x.x.x.x
 ip nhrp map 10.18.0.1 x.x.x.x
 ip nhrp network-id 10
 ip nhrp nhs 10.18.0.1
 ip tcp adjust-mss 1360
 load-interval 30
 delay 10
 if-state nhrp
 tunnel source GigabitEthernet1
 tunnel mode gre multipoint
 tunnel key 10
 tunnel protection ipsec profile IPSEC-DMVPN shared
!

 

 

 

Hub config:

crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 5
crypto isakmp key xxxxxxxxxxx address 0.0.0.0
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 30 periodic
!
crypto ipsec security-association replay window-size 1024
!
! Same transform set as the spoke, also in tunnel mode
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
 mode tunnel
!
crypto ipsec profile IPSEC-DMVPN
 set transform-set ESP-AES-SHA
!
! mGRE hub tunnel; spokes register dynamically via NHRP
interface Tunnel10
 bandwidth 10000
 ip address 10.18.0.1 255.255.255.0
 no ip redirects
 ip nhrp authentication password
 ip nhrp redirect
 ip nhrp network-id 10
 ip tcp adjust-mss 1360
 load-interval 30
 tunnel source GigabitEthernet1
 tunnel mode gre multipoint
 tunnel key 10
 tunnel protection ipsec profile IPSEC-DMVPN shared
!

The official Cisco doc says:

Prerequisites for Dynamic Multipoint VPN (DMVPN)

Before a multipoint GRE (mGRE) and IPsec tunnel can be established, you must define an Internet Key Exchange (IKE) policy by using the crypto isakmp policy command.

For the NAT-Transparency Aware enhancement to work, you must use IPsec transport mode on the transform set. Also, even though NAT-Transparency can support two peers (IKE and IPsec) being translated to the same IP address (using the User Datagram Protocol [UDP] ports to differentiate them [that is, Peer Address Translation (PAT)]), this functionality is not supported for DMVPN. All DMVPN spokes must have a unique IP address after they have been NAT translated. They can have the same IP address before they are NAT translated.

 

 

So, how can I bypass this problem?

 

Thanks !

NHRP could only "see" and use the private IP address of the spoke for its mapping entries. Effective with the NAT-Transparency Aware DMVPN enhancement, NHRP can now learn and use the NAT public address for its mappings as long as IPsec transport mode is used (which is the recommended IPsec mode for DMVPN networks).
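The transport-mode requirement that the Cisco doc quote and this reply describe can be turned into a pre-deployment check. The following is an added example, not code from the thread: it walks an IOS config, follows each Tunnel interface's `tunnel protection ipsec profile` to its transform set, and flags any set that is not `mode transport`. The sample config is a constructed reduction of the spoke config posted above.

```python
import re
# Constructed sample: the thread's spoke config, reduced to the lines the audit needs.
SPOKE_CFG = """\
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
 mode tunnel
!
crypto ipsec profile IPSEC-DMVPN
 set transform-set ESP-AES-SHA
!
interface Tunnel10
 tunnel mode gre multipoint
 tunnel protection ipsec profile IPSEC-DMVPN shared
!
"""

def parse_ios(config):
    """Map transform-set -> mode, profile -> transform-set, Tunnel -> profile.
    Sub-commands belong to the most recent header line, so indentation does not matter."""
    ts_mode, profile_ts, tunnel_profile = {}, {}, {}
    kind = section = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        header = re.match(r"(?:crypto ipsec (transform-set|profile)|(interface)) (\S+)", line)
        if header:
            kind, section = header.group(1) or header.group(2), header.group(3)
            if kind == "transform-set":
                ts_mode[section] = "tunnel"  # IOS default when no 'mode' line is present
            continue
        words = line.split()
        if kind == "transform-set" and words[0] == "mode":
            ts_mode[section] = words[1]
        elif kind == "profile" and words[:2] == ["set", "transform-set"]:
            profile_ts[section] = words[2]
        elif kind == "interface" and words[:4] == ["tunnel", "protection", "ipsec", "profile"]:
            tunnel_profile[section] = words[4]
    return ts_mode, profile_ts, tunnel_profile

def audit_dmvpn(config):
    """One finding per protected tunnel whose transform set is not 'mode transport'."""
    ts_mode, profile_ts, tunnel_profile = parse_ios(config)
    findings = []
    for tun, prof in sorted(tunnel_profile.items()):
        ts = profile_ts.get(prof)
        mode = ts_mode.get(ts, "tunnel") if ts else "tunnel"
        if mode != "transport":
            findings.append(f"{tun}: profile {prof} -> transform-set {ts} is 'mode {mode}'; "
                            "NAT-Transparency Aware DMVPN needs 'mode transport'")
    return findings
```

`audit_dmvpn(SPOKE_CFG)` returns one finding for Tunnel10; after changing the transform set to `mode transport` it returns an empty list, and a transform set with no `mode` line is treated as tunnel mode, which is the IOS default.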