03-17-2013 10:19 AM - edited 02-21-2020 06:46 PM
I have a DMVPN working between multiple spokes and a hub. All routers are using IOS 15+. The hub is behind a static IP while the spokes are on DHCP IPs on the internet. The DMVPN works well, but in order to send multicast traffic between spokes, I wanted to set up a static GRE tunnel on the side to the same hub between the spokes. Unfortunately, I am unable to get my 2nd tunnel to work. I'm guessing it's in the IPsec profiles that I'm doing something wrong.
Here's the hub:
crypto isakmp policy 10
encr aes 256
hash sha512
authentication pre-share
group 2
crypto isakmp key testpassword address 0.0.0.0 0.0.0.0
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set MyTransformSet esp-aes esp-sha512-hmac
mode transport
crypto ipsec transform-set BackupSet esp-aes esp-sha512-hmac
mode transport
!
crypto ipsec profile BackupProfile
set transform-set BackupSet
!
crypto ipsec profile MyProfile
set transform-set MyTransformSet
!
interface Tunnel0
bandwidth 10000
ip address 10.1.1.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip nhrp redirect
ip tcp adjust-mss 1360
ip ospf network broadcast
ip ospf priority 2
load-interval 30
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key 12345
tunnel protection ipsec profile MyProfile
!
interface Tunnel10
bandwidth 2000
ip address 192.168.200.1 255.255.255.0
no ip redirects
ip mtu 1400
ip pim sparse-mode
ip tcp adjust-mss 1360
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key 67890
tunnel protection ipsec profile BackupProfile
and a sample spoke:
crypto isakmp policy 10
encr aes 256
hash sha512
authentication pre-share
group 2
crypto isakmp key testpassword address 0.0.0.0 0.0.0.0
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set MyTransformSet esp-aes esp-sha512-hmac
mode transport
crypto ipsec transform-set BackupSet esp-aes esp-sha512-hmac
mode transport
!
crypto ipsec profile BackupProfile
set transform-set BackupSet
!
crypto ipsec profile MyProfile
set transform-set MyTransformSet
!
interface Tunnel0
bandwidth 10000
ip address 10.1.1.3 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp map multicast <PUBLIC HUB IP>
ip nhrp map 10.1.1.1 <PUBLIC HUB IP>
ip nhrp network-id 1
ip nhrp nhs 10.1.1.1
ip nhrp shortcut
ip tcp adjust-mss 1360
ip ospf network broadcast
ip ospf priority 0
load-interval 30
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 12345
tunnel protection ipsec profile MyProfile
!
interface Tunnel10
bandwidth 2000
ip address 192.168.200.3 255.255.255.0
ip mtu 1400
ip pim sparse-mode
ip tcp adjust-mss 1360
tunnel source FastEthernet0/0
tunnel destination <PUBLIC HUB IP>
tunnel key 67890
tunnel protection ipsec profile BackupProfile
I have tried sharing the ipsec profile from the DMVPN profile and that didn't work either. I am not able at all to ping between hub-spoke on the static GRE tunnel.
Any ideas appreciated!
03-17-2013 11:29 AM
Hi,
Why would you create a separate GRE/IPsec tunnel for the SPOKE to SPOKE communication?
Check this out:
Configuration Guide: single hub single cloud spoke-to-spoke DMVPN
HTH.
Portu.
03-17-2013 11:35 AM
As I can see from the output you provided, multicast between all the spokes should already work without static GRE tunnels.
03-17-2013 12:03 PM
According to this: http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/DMVPN_1.html and all the other docs I have found online, as well as by experience, spoke-to-spoke multicast is not supported.
"•No IP multicast traffic can be exchanged between spokes."
The DMVPN tunnel I have works #1 in unicast. The full mesh comes up successfully. It also does work in getting multicast between spoke and hub, but I'm trying to get spoke-to-spoke multicast, hence the 2nd tunnel. Why I want to do this is not really important. My issue is that I can't get the 2nd static tunnel to work, and if you can help me with that one part, I would appreciate it.
Thanks!
03-17-2013 12:33 PM
I think you should enable NHRP on the Tunnel10 interfaces on the hub and spokes as long as you're using the GRE multipoint type of tunnel - otherwise the hub won't have a chance of knowing the spoke's NBMA address. Or just use a regular GRE tunnel on the hub.
03-17-2013 12:47 PM
Thanks Andrew,
On the hub, I can't use a regular GRE tunnel as I don't know the destination IP (the spokes are on the internet, with IPs that change). I'll try enabling NHRP on Tunnel10 and get back to you.
03-17-2013 01:01 PM
Alright, enabling NHRP on Tunnel10 didn't work. Any other suggestions?
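As an added example that is not part of the thread or any poster's reply: a small Python audit of the hub tunnel configuration posted above. It flags the two things most likely to keep the second tunnel down: a multipoint GRE tunnel with no NHRP at all (Andrew's point, since the hub has no way to learn spoke NBMA addresses), and two `tunnel protection` tunnels bound to the same `tunnel source` without the IOS `shared` keyword on `tunnel protection ipsec profile`, which IOS requires when several tunnel interfaces share one source and IPsec protection (a documented IOS requirement the thread does not mention). The `HUB_CONFIG_FIXED` block, and the assumption that these two changes are enough to bring Tunnel10 up, are mine; the thread does not confirm a fix.

```python
import re
from collections import defaultdict

# Hub tunnel interfaces exactly as posted in the thread, embedded here as sample input.
HUB_CONFIG = """\
interface Tunnel0
 ip address 10.1.1.1 255.255.255.0
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp redirect
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 12345
 tunnel protection ipsec profile MyProfile
!
interface Tunnel10
 ip address 192.168.200.1 255.255.255.0
 ip pim sparse-mode
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 67890
 tunnel protection ipsec profile BackupProfile
!
"""

# Assumed corrected form (not from the thread): NHRP enabled on Tunnel10 with its own
# network-id so the hub learns spoke NBMA addresses, and 'shared' on both tunnel
# protection lines because both tunnels use GigabitEthernet0/0 as their source.
HUB_CONFIG_FIXED = (
    HUB_CONFIG
    .replace("profile MyProfile", "profile MyProfile shared")
    .replace("profile BackupProfile", "profile BackupProfile shared")
    .replace(" ip pim sparse-mode",
             " ip pim sparse-mode\n ip nhrp map multicast dynamic\n ip nhrp network-id 10")
)


def parse_tunnels(config: str) -> dict:
    """Return {interface name: [config lines]} for every Tunnel interface block."""
    tunnels, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            name = line.split(None, 1)[1]
            current = name if name.startswith("Tunnel") else None
            if current:
                tunnels[current] = []
        elif line == "!" or not line:
            current = None          # '!' terminates the interface block
        elif current:
            tunnels[current].append(line)
    return tunnels


def tunnel_attrs(lines: list) -> dict:
    """Extract the settings the audit cares about from one tunnel block."""
    attrs = {"nhrp": False, "multipoint": False, "source": None,
             "key": None, "protection": None, "shared": False}
    for line in lines:
        if line.startswith("ip nhrp "):
            attrs["nhrp"] = True
        elif line == "tunnel mode gre multipoint":
            attrs["multipoint"] = True
        elif line.startswith("tunnel source "):
            attrs["source"] = line.split()[2]
        elif line.startswith("tunnel key "):
            attrs["key"] = line.split()[2]
        elif line.startswith("tunnel protection ipsec profile "):
            parts = line.split()
            attrs["protection"] = parts[4]
            attrs["shared"] = "shared" in parts[5:]
    return attrs


def audit_tunnels(config: str) -> list:
    """Return a list of human-readable findings; an empty list means no issue found."""
    tunnels = {n: tunnel_attrs(ls) for n, ls in parse_tunnels(config).items()}
    findings = []
    for name, a in tunnels.items():
        if a["multipoint"] and not a["nhrp"]:
            findings.append(f"{name}: mGRE without NHRP; the hub cannot learn peer NBMA addresses")
    # Group IPsec-protected tunnels by their tunnel source.
    by_source = defaultdict(list)
    for name, a in tunnels.items():
        if a["source"] and a["protection"]:
            by_source[a["source"]].append(name)
    for source, names in by_source.items():
        if len(names) < 2:
            continue
        for name in names:
            if not tunnels[name]["shared"]:
                others = ", ".join(n for n in names if n != name)
                findings.append(f"{name}: tunnel protection without 'shared' while {source} "
                                f"is also the source of {others}")
        keys = [tunnels[n]["key"] for n in names]
        if None in keys or len(set(keys)) != len(keys):
            findings.append(f"{source}: tunnels {', '.join(names)} need distinct tunnel keys")
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", HUB_CONFIG), ("fixed", HUB_CONFIG_FIXED)):
        print(f"== hub config {label} ==")
        for f in audit_tunnels(cfg) or ["no findings"]:
            print(" ", f)
```

The audit is deliberately narrow: it only reads the tunnel blocks and does not check the ISAKMP or transform-set lines, which are identical on both tunnels in the posted configs. The same two rules apply to the spoke's Tunnel10 as well, where the tunnel is point-to-point (`tunnel destination`) and so does not need NHRP, but still shares FastEthernet0/0 with Tunnel0 and so needs `shared`.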