DMVPN with IPsec In Tunnel Mode

ene777ene
Level 1

Most trainings and tutorials have DMVPN running with IPsec in transport mode. However, multiple spokes may be behind the same CG-NAT server... therefore the spokes may end up with the same public-facing IP. I know this will break DMVPN.

Can I just enable tunnel mode on the IPsec portion? If so, I would expect to have three IP headers then; would the GRE IP header, which would then be encrypted, and the added IPsec tunnel IP header then have the same source and destination?

2 Replies

ulineosan
Level 1

For DMVPN over carrier-grade NAT you will want to use tunnel mode instead of transport mode. Tunnel mode will fix the duplicate IP issue you can sometimes see, since it encrypts the entire GRE packet. If the IPsec headers for two different spokes have the same IP on the CG-NAT side, they will have different ports. I suppose there would be three headers; you have the IPsec tunnel header, the GRE header, then the original packet header.
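To make the layering in this reply concrete, here is an added Python model of one GRE-over-IPsec packet in ESP transport mode versus ESP tunnel mode; it is not code from the thread or from Cisco. The header sizes (AES-CBC ESP with a 16-byte ICV, a basic 4-byte GRE header, NAT-T UDP encapsulation) and the addresses are assumptions chosen for the example. It shows the extra, encrypted IP header that tunnel mode adds, that its source and destination match the outer header, and the per-packet overhead to budget for when setting the tunnel MTU.

```python
from dataclasses import dataclass

# Assumed header sizes (chosen for this example, not taken from the thread).
IPV4_HDR, GRE_HDR, UDP_HDR = 20, 4, 8       # basic GRE; a tunnel key adds 4
ESP_SPI_SEQ, ESP_IV, ESP_BLOCK = 8, 16, 16  # AES-CBC: 16-byte IV and block
ESP_TRAILER, ESP_ICV = 2, 16                # pad-len + next-header, 128-bit ICV

@dataclass
class Layer:
    name: str
    size: int
    src: str = ""
    dst: str = ""
    encrypted: bool = False

def esp_padding(plaintext_len: int) -> int:
    """Padding so plaintext + trailer fills whole cipher blocks."""
    return (ESP_BLOCK - (plaintext_len + ESP_TRAILER) % ESP_BLOCK) % ESP_BLOCK

def dmvpn_stack(mode, tun_src, tun_dst, in_src, in_dst, in_len, nat_t=False):
    """Ordered layers (outermost first) of one GRE-over-IPsec packet."""
    protected = [Layer("GRE", GRE_HDR, encrypted=True),
                 Layer("inner IPv4 + data", in_len, in_src, in_dst, True)]
    if mode == "tunnel":
        # Tunnel mode encrypts the whole GRE/IP packet: the GRE delivery header
        # ends up inside ESP and a new outer IP header is prepended.
        protected.insert(0, Layer("GRE delivery IPv4", IPV4_HDR, tun_src, tun_dst, True))
    elif mode != "transport":
        raise ValueError(f"unknown mode {mode!r}")
    pad = esp_padding(sum(l.size for l in protected))
    esp = [Layer("ESP SPI/seq", ESP_SPI_SEQ), Layer("ESP IV", ESP_IV), *protected,
           Layer("ESP pad+trailer", pad + ESP_TRAILER, encrypted=True),
           Layer("ESP ICV", ESP_ICV)]
    outer = [Layer("outer IPv4", IPV4_HDR, tun_src, tun_dst)]
    if nat_t:  # behind NAT, ESP rides in UDP/4500; the UDP port tells spokes apart
        outer.append(Layer("UDP/4500 (NAT-T)", UDP_HDR))
    return outer + esp

def total_len(stack):
    return sum(l.size for l in stack)

def ip_headers(stack):
    """(name, src, dst, encrypted) of every IP header, outermost first."""
    return [(l.name, l.src, l.dst, l.encrypted) for l in stack if "IPv4" in l.name]

if __name__ == "__main__":
    args = ("203.0.113.10", "198.51.100.1", "10.0.0.2", "10.0.0.1", 100)  # constructed
    for mode in ("transport", "tunnel"):
        s = dmvpn_stack(mode, *args, nat_t=True)
        print(f"{mode:9}: {total_len(s)} bytes, IP headers: {ip_headers(s)}")
```

Note that the difference between the two modes is not always exactly the 20-byte IP header, because ESP padding depends on the plaintext length.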

OK, so I could configure everything as normal for DMVPN with IPsec, but omit the setting of transport mode, therefore leaving it in tunnel mode, and it will just work?

In this case, do you believe the two added IP headers (the IPsec and GRE added headers) would contain the same source and destination IPs? Basically double-tunneled to the same source and destination public IP addresses?


I was having real issues finding DMVPN setups with IPsec in tunnel mode but actually think I may have found it in this setup: https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/29240-dcmvpn.html

Does that look correct? It appears to be what I want, with the exception of the spokes being set up for phases 2 and 3 of DMVPN, whereas I only need them to operate at phase 1 - easy fix there.

Thanks!