DMVPN working with static IPSEC GRE simultaneously

nicblais1
Level 1

I have a DMVPN working between multiple spokes and a hub. All routers are using IOS 15+. The hub has a static IP while the spokes have DHCP IPs on the internet. The DMVPN works well, but in order to send multicast traffic between spokes, I wanted to set up a static GRE tunnel on the side to the same hub between the spokes. Unfortunately, I am unable to get my 2nd tunnel to work. I'm guessing it's in the IPsec profiles that I'm doing something wrong.

Here's the hub:

crypto isakmp policy 10
 encr aes 256
 hash sha512
 authentication pre-share
 group 2
crypto isakmp key testpassword address 0.0.0.0 0.0.0.0
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set MyTransformSet esp-aes esp-sha512-hmac
 mode transport
crypto ipsec transform-set BackupSet esp-aes esp-sha512-hmac
 mode transport
!
crypto ipsec profile BackupProfile
 set transform-set BackupSet
!
crypto ipsec profile MyProfile
 set transform-set MyTransformSet
!
interface Tunnel0
 bandwidth 10000
 ip address 10.1.1.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp redirect
 ip tcp adjust-mss 1360
 ip ospf network broadcast
 ip ospf priority 2
 load-interval 30
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 12345
 tunnel protection ipsec profile MyProfile
!
interface Tunnel10
 bandwidth 2000
 ip address 192.168.200.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip pim sparse-mode
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 67890
 tunnel protection ipsec profile BackupProfile

and a sample spoke:

crypto isakmp policy 10
 encr aes 256
 hash sha512
 authentication pre-share
 group 2
crypto isakmp key testpassword address 0.0.0.0 0.0.0.0
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set MyTransformSet esp-aes esp-sha512-hmac
 mode transport
crypto ipsec transform-set BackupSet esp-aes esp-sha512-hmac
 mode transport
!
crypto ipsec profile BackupProfile
 set transform-set BackupSet
!
crypto ipsec profile MyProfile
 set transform-set MyTransformSet
!
interface Tunnel0
 bandwidth 10000
 ip address 10.1.1.3 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp map multicast <PUBLIC HUB IP>
 ip nhrp map 10.1.1.1 <PUBLIC HUB IP>
 ip nhrp network-id 1
 ip nhrp nhs 10.1.1.1
 ip nhrp shortcut
 ip tcp adjust-mss 1360
 ip ospf network broadcast
 ip ospf priority 0
 load-interval 30
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 12345
 tunnel protection ipsec profile MyProfile
!
interface Tunnel10
 bandwidth 2000
 ip address 192.168.200.3 255.255.255.0
 ip mtu 1400
 ip pim sparse-mode
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0/0
 tunnel destination <PUBLIC HUB IP>
 tunnel key 67890
 tunnel protection ipsec profile BackupProfile

I have tried sharing the IPsec profile from the DMVPN profile and that didn't work either. I am not able to ping at all between hub and spoke on the static GRE tunnel.

Any ideas appreciated!

7 Replies

Hi,

Why would you create a separate GRE/IPsec tunnel for the SPOKE to SPOKE communication?

Check this out:

Configuration Guide: single hub single cloud spoke-to-spoke DMVPN

HTH.

Portu.

Andrew Phirsov
Level 7

As I can see from the output you provided, multicast between all the spokes should already work without static GRE tunnels.

According to this: http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/DMVPN_1.html and all the other docs I have found online, as well as from experience, spoke-to-spoke multicast is not supported.

"No IP multicast traffic can be exchanged between spokes."

The DMVPN tunnel I have works #1 in unicast. The full mesh comes up successfully. It also works for getting multicast between spoke and hub, but I'm trying to get spoke-to-spoke multicast, hence the 2nd tunnel. Why I want to do this is not really important. My issue is that I can't get the 2nd static tunnel to work, and if you can help me with that one part, I would appreciate it.

Thanks!

I think you should enable NHRP on the Tunnel10 interfaces on the hub and spokes as long as you're using the GRE multipoint type of tunnel; otherwise the hub won't have a chance of knowing the spoke's NBMA address. Or just use a regular GRE tunnel on the hub.

Thanks Andrew,

On the hub, I can't use a regular GRE tunnel as I don't know the destination IP (the spokes are on the internet, with IPs that change). I'll try enabling NHRP on Tunnel10 and get back to you.

Alright, enabling NHRP on Tunnel10 didn't work. Any other suggestions?
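The thread ends without a resolution. As an added example (editor's code, not the poster's configuration or any Cisco tool), here is a small Python linter run over a cut-down, constructed copy of the hub config posted above. It reports the two crypto points a reviewer would raise on that config as written (the wildcard pre-shared key `address 0.0.0.0 0.0.0.0`, which lets any Internet host that learns the key complete IKE phase 1 with the hub, and DH group 2), plus the two tunnel-level conditions that matter when a second GRE tunnel is added: an mGRE interface with no `ip nhrp` commands (Andrew's point), and IPsec tunnel protection on two tunnel interfaces that use the same `tunnel source`, which IOS only supports with the `shared` keyword on `tunnel protection ipsec profile` (both tunnels then ride one IPsec SA to the peer and are told apart by their distinct `tunnel key` values). That `shared` requirement is documented IOS behaviour; whether it is what broke the poster's Tunnel10 is not established in the thread. The "fixed" sample applies DH group 14, `shared` and NHRP to the hub only (spokes would need matching NHRP on their Tunnel10, as in their Tunnel0); the wildcard PSK is left in place because the spokes have dynamic addresses, so the linter still reports it.

```python
"""Linter for the IOS hub/spoke configs in this thread (added example, not the
poster's or Cisco's code): flags wildcard pre-shared keys, small DH groups, mGRE
without NHRP, and IPsec tunnel protection on a shared tunnel source without 'shared'."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Tunnel:
    name: str
    source: str | None = None
    multipoint: bool = False
    key: str | None = None
    protected: bool = False  # has a 'tunnel protection ipsec profile' line
    shared: bool = False     # ... ending in the 'shared' keyword
    nhrp: bool = False       # any 'ip nhrp ...' command present


def parse_ios(config: str) -> dict:
    """Collect wildcard-PSK lines, ISAKMP DH groups and Tunnel interfaces.  Blocks
    are delimited by 'crypto'/'interface'/'!' lines (the forum stripped indentation)."""
    found = {"wildcard_psk": [], "dh_groups": [], "tunnels": {}}
    tunnel, in_policy = None, False
    for line in (raw.strip() for raw in config.splitlines()):
        if line == "!" or line.startswith(("crypto ", "interface ")):
            tunnel, in_policy = None, line.startswith("crypto isakmp policy ")
            if m := re.fullmatch(r"interface (Tunnel\d+)", line):
                tunnel = found["tunnels"][m.group(1)] = Tunnel(m.group(1))
            elif re.fullmatch(r"crypto isakmp key .+ address 0\.0\.0\.0 0\.0\.0\.0", line):
                found["wildcard_psk"].append(line)  # key itself is never echoed
        elif in_policy and line.startswith("group "):
            found["dh_groups"].append(int(line.split()[1]))
        elif tunnel is None:
            continue
        elif line.startswith("tunnel source "):
            tunnel.source = line.split()[2]
        elif line == "tunnel mode gre multipoint":
            tunnel.multipoint = True
        elif line.startswith("tunnel key "):
            tunnel.key = line.split()[2]
        elif line.startswith("tunnel protection ipsec profile "):
            tunnel.protected, tunnel.shared = True, line.split()[-1] == "shared"
        elif line.startswith("ip nhrp "):
            tunnel.nhrp = True
    return found


def lint(config: str) -> list[str]:
    """Return findings as strings; an empty list means nothing was flagged."""
    f, out = parse_ios(config), []
    out += ["wildcard PSK (address 0.0.0.0 0.0.0.0): any peer that learns the key can "
            "complete IKE; prefer per-peer keys or certificates" for _ in f["wildcard_psk"]]
    out += [f"isakmp policy uses DH group {g} (1024-bit or smaller); use 14 or higher"
            for g in f["dh_groups"] if g < 14]
    by_source = defaultdict(list)  # tunnel source -> protected tunnels using it
    for t in f["tunnels"].values():
        if t.multipoint and not t.nhrp:
            out.append(f"{t.name}: mGRE without 'ip nhrp', hub cannot learn spoke NBMA addresses")
        if t.protected and t.source:
            by_source[t.source].append(t)
    for src, group in by_source.items():
        keys = [t.key for t in group]
        for t in (group if len(group) > 1 else []):
            if not t.shared:
                out.append(f"{t.name}: IPsec protection on shared source {src} without 'shared'")
            if t.key is None or keys.count(t.key) > 1:
                out.append(f"{t.name}: tunnels on a shared source need distinct 'tunnel key'")
    return out


# Constructed sample: the thread's hub config reduced to the lines the linter reads.
HUB_AS_POSTED = """\
crypto isakmp policy 10
 group 2
crypto isakmp key testpassword address 0.0.0.0 0.0.0.0
!
interface Tunnel0
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 12345
 tunnel protection ipsec profile MyProfile
!
interface Tunnel10
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 67890
 tunnel protection ipsec profile BackupProfile
"""

# Same hub with DH group 14, 'shared' on both tunnels and NHRP on Tunnel10 (own network-id).
HUB_FIXED = (HUB_AS_POSTED.replace(" group 2\n", " group 14\n")
             .replace("Profile\n", "Profile shared\n")
             .replace(" tunnel key 67890\n", " ip nhrp map multicast dynamic\n"
                      " ip nhrp network-id 10\n tunnel key 67890\n"))

if __name__ == "__main__":
    for label, cfg in (("as posted", HUB_AS_POSTED), ("fixed", HUB_FIXED)):
        print(f"hub {label}:", *lint(cfg), sep="\n  ")
```

Run it as-is and the posted hub yields five findings (wildcard PSK, DH group 2, Tunnel10 without NHRP, and the missing `shared` on both Tunnel0 and Tunnel10); the fixed hub yields only the wildcard-PSK finding. The block delimiter logic is keyed to the flat text the forum produced, but it reads an indented `show running-config` the same way, so it can be pointed at the real hub and spoke output.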