DMVPN spokes: "ipsec profile my-profile shared" & "mode"...

Hello.

GIVEN: 3 DMVPN spokes each connect to 2 hubs at different physical locations. Each spoke is configured with "ipsec profile my-profile shared"

QUESTION: Must a spoke connecting to 2 hubs with a shared profile be configured mutually exclusively with "mode tunnel" or "mode transport" for both tunnel connections?

If the above answer is yes, is it possible for the hub to accept some spokes that use "mode tunnel" and other spokes that use "mode transport"?

Thank you.


Accepted Solution

tvotna

Shared tunnel protection implies that there is only one IPSec profile applied to a few tunnel interfaces which share the same tunnel source. This basically means that you can set only one mode, either tunnel mode or transport mode, in the corresponding transform-set.

If you don't share the tunnel source between two tunnel interfaces, you don't need shared tunnel protection and hence can use two different IPSec profiles and two different transform-sets, e.g. one in transport mode and the other one in tunnel mode.

If one spoke is configured in transport mode and the other one is configured in tunnel mode, they should be able to connect to the same hub if the hub is configured with "mode transport". The full syntax is "mode {transport [require] | tunnel}", which means that the router is able to accept both tunnel and transport connections unless "require" is given. NB: I tested this long ago and probably it wasn't DMVPN. On the other hand, I don't see why DMVPN should be different.

HTH



I need to know: do both hubs use the same NBMA or not?
i.e. is the hub tunnel IP in the same subnet or not?

MHM

Tunnel 1 and tunnel 2 use different subnets.

If that is the case, then you must use the shared keyword for the ipsec profile that protects both tunnels.
For mode, don't configure it on the hub; the router will accept both transport and tunnel mode.

For the spoke, transport is mandatory if you use the spoke behind NAT.
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_dmvpn/configuration/xe-16-10/sec-conn-dmvpn-xe-16-10-book/sec-conn-dmvpn-dt-spokes-b-nat.pdf

MHM