DMVPN Transform-set mode tunnel coexist with Transform-set mode transport

Alfredo
Frequent Visitor

Hi,

My problem:

- I have a HUB configured with a transform-set in mode tunnel.

- A spoke behind a NAT device.

How could I integrate the spoke into the DMVPN without changing the HUB configuration?

Capture.PNG

4 Replies

Santhosha Shetty
Cisco Employee

Hi,

It depends on how the HUB is configured and how it verifies the spoke's identity. Can you share the hub configuration?

Regards,

Santhosh

Alfredo
Frequent Visitor

Thanks Santhosha Shetty

SPOKE behind NAT config:

crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 5
crypto isakmp key ****** address 0.0.0.0 0.0.0.0
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 30 periodic
!
crypto ipsec security-association replay window-size 1024
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
 mode tunnel
!
crypto ipsec profile IPSEC-DMVPN
 set transform-set ESP-AES-SHA
!
interface Tunnel1
 bandwidth 10000
 ip address 10.0.0.155 255.255.255.0
 ip tcp adjust-mss 1360
 load-interval 30
 delay 10
 ! posted as "tunnel gi1"; the source keyword is required
 tunnel source gi1
 tunnel mode gre multipoint
 tunnel key 10
 ip nhrp authentication PASSWORD
 ip nhrp map multicast x.x.x.x
 ip nhrp map 10.0.0.1 x.x.x.x
 ip nhrp network-id 10
 ip nhrp holdtime 600
 ip nhrp nhs 10.0.0.1
 ip nhrp shortcut
 if-state nhrp
 tunnel protection ipsec profile IPSEC-DMVPN shared

HUB config:

crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 5
crypto isakmp key ****** address 0.0.0.0 0.0.0.0
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 30 periodic
!
crypto ipsec security-association replay window-size 1024
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
 mode tunnel
!
crypto ipsec profile IPSEC-DMVPN
 set transform-set ESP-AES-SHA
!
interface Tunnel1
 bandwidth 10000
 ip address 10.0.0.1 255.255.255.0
 ip tcp adjust-mss 1360
 load-interval 30
 delay 10
 ! posted as "tunnel gi1"; the source keyword is required
 tunnel source gi1
 tunnel mode gre multipoint
 tunnel key 10
 ip nhrp authentication PASSWORD
 ip nhrp network-id 10
 ip nhrp holdtime 600
 ip nhrp nhs 10.0.0.1
 ip nhrp shortcut
 if-state nhrp
 tunnel protection ipsec profile IPSEC-DMVPN shared

Santhosha Shetty
Cisco Employee

Hi,

As the identity match is pretty open, the config should work just fine. You just need to make sure UDP-4500 (NAT-T) connectivity is complete between the peers.

Regards,

Santhosh

Alfredo
Frequent Visitor

Thanks

The connectivity is OK, but the problem is that my HUB registers the private address (and not the spoke's public IP) in the NHRP mapping entries.

I think the problem is in the transform-set mode:

https://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_dmvpn/configuration/15-2mt/sec-conn-dmvpn-dmvpn.html#GUID-D8F6839F-D735-4C8E-A199-602CDD8F7DD0
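The two points raised in this thread, the wildcard pre-shared key that makes the identity match "pretty open" and the transform-set mode that decides which spoke address the hub learns, can both be read off the configs without logging in to a router. The following checker is an added example written for this page; it is not code from the thread or from Cisco. It parses condensed copies of the hub and spoke configs posted above (embedded inline, key redacted as in the post) and reports those settings. It assumes the IOS behaviour that a transform set with no `mode` line defaults to tunnel mode, and that `mode transport require` refuses the fallback to tunnel mode that plain `mode transport` allows; the finding codes and messages are this example's own.

```python
"""Checker for the DMVPN/IPsec settings discussed in the thread (added example,
not code from the thread or from Cisco). Assumptions: IOS defaults a transform
set to tunnel mode when no 'mode' line is present, and 'mode transport require'
refuses tunnel-mode fallback while plain 'mode transport' allows it."""
import re

# Condensed copies of the hub and spoke configs posted in the thread (constructed sample input).
HUB_CONFIG = """\
crypto isakmp key ****** address 0.0.0.0 0.0.0.0
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec profile IPSEC-DMVPN
 set transform-set ESP-AES-SHA
interface Tunnel1
 ip address 10.0.0.1 255.255.255.0
 tunnel mode gre multipoint
 tunnel protection ipsec profile IPSEC-DMVPN shared
"""
# The posted spoke config differs only in its tunnel address (10.0.0.155).
SPOKE_CONFIG = HUB_CONFIG.replace("10.0.0.1 255", "10.0.0.155 255")


def _sections(cfg):
    """Yield (top-level line, [sub-commands]); IOS indents sub-commands with a space."""
    header, body = None, []
    for line in cfg.splitlines():
        if line.startswith(" "):
            body.append(line.strip())
            continue
        if header is not None:
            yield header, body
        header, body = line.strip(), []
    if header is not None:
        yield header, body


def transform_set_modes(cfg):
    """Map transform-set name -> (mode, require_flag). Default mode is tunnel."""
    modes = {}
    for header, body in _sections(cfg):
        m = re.match(r"crypto ipsec transform-set (\S+)", header)
        if not m:
            continue
        mode, require = "tunnel", False
        for sub in body:
            mm = re.match(r"mode (tunnel|transport)( require)?$", sub)
            if mm:
                mode, require = mm.group(1), mm.group(2) is not None
        modes[m.group(1)] = (mode, require)
    return modes


def profile_transform_sets(cfg):
    """Map IPsec profile name -> list of transform-set names it proposes."""
    profiles = {}
    for header, body in _sections(cfg):
        m = re.match(r"crypto ipsec profile (\S+)", header)
        if m:
            profiles[m.group(1)] = [n for sub in body
                                    if sub.startswith("set transform-set ")
                                    for n in sub.split()[2:]]
    return profiles


def has_wildcard_psk(cfg):
    """True if a pre-shared key is bound to 0.0.0.0 0.0.0.0, i.e. accepted from any peer address."""
    return re.search(r"^crypto isakmp key \S+ address 0\.0\.0\.0 0\.0\.0\.0", cfg, re.M) is not None


def modes_in_use(cfg):
    """Set of (mode, require) the router can offer via profiles bound with 'tunnel protection'."""
    ts, profiles, used = transform_set_modes(cfg), profile_transform_sets(cfg), set()
    for header, body in _sections(cfg):
        if not header.startswith("interface "):
            continue
        for sub in body:
            mm = re.match(r"tunnel protection ipsec profile (\S+)", sub)
            if mm:
                used.update(ts[n] for n in profiles.get(mm.group(1), []) if n in ts)
    return used


def check(hub_cfg, spoke_cfg, spoke_behind_nat=True):
    """Return [(code, message)] findings for a hub/spoke pair (codes are this example's own)."""
    hub_modes = {m for m, _ in modes_in_use(hub_cfg)}
    spoke = modes_in_use(spoke_cfg)
    findings = []
    if has_wildcard_psk(hub_cfg):
        findings.append(("WILDCARD_PSK", "hub accepts its pre-shared key from any peer "
                         "address (0.0.0.0 0.0.0.0): peer identity is not pinned"))
    if spoke_behind_nat and "transport" not in hub_modes:
        findings.append(("TUNNEL_MODE_WITH_NAT", "hub offers only tunnel mode; NAT-transparent "
                         "DMVPN needs transport mode so NHRP sees the spoke's post-NAT address"))
    if "transport" not in hub_modes and any(m == "transport" for m, _ in spoke):
        if any(m == "transport" and req for m, req in spoke):
            findings.append(("MODE_MISMATCH", "spoke requires transport mode but the hub "
                             "offers only tunnel mode: the IPsec SA will not be negotiated"))
        else:
            findings.append(("TRANSPORT_FALLBACK", "spoke 'mode transport' without 'require' "
                             "falls back to the hub's tunnel mode, so the NAT issue remains"))
    return findings


if __name__ == "__main__":
    for code, msg in check(HUB_CONFIG, SPOKE_CONFIG):
        print(f"{code}: {msg}")
```

Run against the configs as posted, the checker reports the open identity match and the tunnel-only hub. It also answers the question in the thread title: switching the spoke alone to `mode transport` does not change what the hub negotiates, and `mode transport require` on the spoke stops the SA from coming up at all against a tunnel-only hub, which is why the hub's transform-set mode, not the spoke's, is what has to change for the NAT-transparency behaviour described in the linked Cisco guide.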