09-18-2013 08:51 AM - edited 02-21-2020 07:09 PM
Hello All,
I am trying to build a DMVPN solution for two sites each with secondary ISPs.
The solution works "sort of", but doesn't seem very robust (sometimes a router reload is required if the VPN doesn't come up after ISP failover).
I was wondering if anyone had any suggestions for my config below?
Thanks!
!!!!HUB!!!!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
no logging console
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
!
crypto isakmp policy 3
hash md5
authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
!
crypto ipsec profile dmvpn
set security-association lifetime seconds 1800
set transform-set aes256
set pfs group5
!
crypto ipsec profile dmvpn2
set security-association lifetime seconds 1800
set transform-set aes256
set pfs group5
!
!
interface Tunnel0
ip address 10.255.255.1 255.255.255.0
no ip redirects
ip mtu 1400
no ip next-hop-self eigrp 53
no ip split-horizon eigrp 53
ip nhrp authentication secret1
ip nhrp map multicast dynamic
ip nhrp network-id 6
ip nhrp holdtime 300
ip tcp adjust-mss 1360
delay 1000
tunnel source GigabitEthernet0/1
tunnel mode gre multipoint
tunnel key 545
tunnel protection ipsec profile dmvpn shared
!
interface Tunnel1
ip address 10.255.254.1 255.255.255.0
no ip redirects
ip mtu 1400
no ip next-hop-self eigrp 53
no ip split-horizon eigrp 53
ip nhrp authentication secret1
ip nhrp map multicast dynamic
ip nhrp network-id 7
ip nhrp holdtime 300
ip tcp adjust-mss 1360
delay 1000
tunnel source FastEthernet0/0/0
tunnel mode gre multipoint
tunnel key 546
tunnel protection ipsec profile dmvpn2 shared
!
interface Tunnel2
ip address 10.255.253.1 255.255.255.0
no ip redirects
ip mtu 1400
no ip next-hop-self eigrp 53
no ip split-horizon eigrp 53
ip nhrp authentication secret1
ip nhrp map multicast dynamic
ip nhrp network-id 8
ip nhrp holdtime 300
ip tcp adjust-mss 1360
delay 1000
tunnel source GigabitEthernet0/1
tunnel mode gre multipoint
tunnel key 547
tunnel protection ipsec profile dmvpn shared
!
interface Tunnel3
ip address 10.255.252.1 255.255.255.0
no ip redirects
ip mtu 1400
no ip next-hop-self eigrp 53
no ip split-horizon eigrp 53
ip nhrp authentication secret1
ip nhrp map multicast dynamic
ip nhrp network-id 9
ip nhrp holdtime 300
ip tcp adjust-mss 1360
delay 1000
tunnel source FastEthernet0/0/0
tunnel mode gre multipoint
tunnel key 548
tunnel protection ipsec profile dmvpn2 shared
!
interface FastEthernet0/0/0
description Secondary ISP
ip address 199.1.1.1 255.255.255.0
duplex auto
speed auto
!
interface VLAN1
description LAN
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/1
description Primary ISP
ip address 200.1.1.1 255.255.255.0
duplex auto
speed auto
!
router eigrp 53
network 10.255.252.0 0.0.0.255
network 10.255.253.0 0.0.0.255
network 10.255.254.0 0.0.0.255
network 10.255.255.0 0.0.0.255
network 192.168.1.0
eigrp stub connected
no auto-summary
!
!
ip route 0.0.0.0 0.0.0.0 199.1.1.2 5
ip route 0.0.0.0 0.0.0.0 200.1.1.2
!
!
control-plane
!
line con 0
line aux 0
line vty 0 4
login
!
!
end
!!!SPOKE!!!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
no logging console
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
!
crypto isakmp policy 3
hash md5
authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
!
crypto ipsec profile dmvpn
set security-association lifetime seconds 1800
set transform-set aes256
set pfs group5
!
crypto ipsec profile dmvpn2
set security-association lifetime seconds 1800
set transform-set aes256
set pfs group5
!
!
!
interface VLAN1
ip address 192.168.0.1 255.255.255.0
no ip redirects
!
interface Tunnel0
ip address 10.255.255.5 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication secret1
ip nhrp map 10.255.255.1 200.1.1.1
ip nhrp map multicast 200.1.1.1
ip nhrp network-id 6
ip nhrp holdtime 300
ip nhrp nhs 10.255.255.1
ip nhrp registration timeout 30
delay 1000
tunnel source GigabitEthernet0/1
tunnel mode gre multipoint
tunnel key 545
tunnel protection ipsec profile dmvpn shared
!
interface Tunnel1
ip address 10.255.254.5 255.255.255.0
no ip redirects
ip mtu 1440
ip nhrp authentication secret1
ip nhrp map 10.255.254.1 199.1.1.1
ip nhrp map multicast 199.1.1.1
ip nhrp network-id 7
ip nhrp holdtime 300
ip nhrp nhs 10.255.254.1
delay 1500
tunnel source GigabitEthernet0/1
tunnel mode gre multipoint
tunnel key 546
tunnel protection ipsec profile dmvpn shared
!
interface Tunnel2
ip address 10.255.253.5 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication secret1
ip nhrp map multicast 200.1.1.1
ip nhrp map 10.255.253.1 200.1.1.1
ip nhrp network-id 8
ip nhrp holdtime 300
ip nhrp nhs 10.255.253.1
ip nhrp registration timeout 30
delay 1000
tunnel source FastEthernet0/0/0
tunnel mode gre multipoint
tunnel key 547
tunnel protection ipsec profile dmvpn2 shared
!
interface Tunnel3
ip address 10.255.252.5 255.255.255.0
no ip redirects
ip mtu 1440
ip nhrp authentication secret1
ip nhrp map multicast 199.1.1.1
ip nhrp map 10.255.252.1 199.1.1.1
ip nhrp network-id 9
ip nhrp holdtime 300
ip nhrp nhs 10.255.252.1
delay 1500
tunnel source FastEthernet0/0/0
tunnel mode gre multipoint
tunnel key 548
tunnel protection ipsec profile dmvpn2 shared
!
interface FastEthernet0/0/0
description Secondary Internet
ip address 201.1.1.1 255.255.255.0
duplex auto
speed auto
!
interface GigabitEthernet0/1
description Primary Internet
ip address 201.2.2.1 255.255.255.0
duplex auto
speed auto
!
router eigrp 53
distribute-list 1 out
network 10.255.252.0 0.0.0.255
network 10.255.253.0 0.0.0.255
network 10.255.254.0 0.0.0.255
network 10.255.255.0 0.0.0.255
network 192.168.0.0
offset-list 1 out 12800 Tunnel1
eigrp stub connected
no auto-summary
!
!
ip route 0.0.0.0 0.0.0.0 201.2.2.2
ip route 0.0.0.0 0.0.0.0 201.1.1.2 5
!
!
access-list 1 permit 192.168.0.0
access-list 1 permit 10.255.255.0 0.0.0.255
access-list 1 permit 10.255.254.0 0.0.0.255
access-list 1 permit 10.255.253.0 0.0.0.255
access-list 1 permit 10.255.252.0 0.0.0.255
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
login
!
!
end
09-24-2013 06:14 AM
These tunnels work, but EIGRP will sometimes not update the route. Does anyone have any insight into EIGRP in a setup like this?
09-25-2013 12:43 AM
William,
1) Missing DPDs. That will explain "sometimes a reload is required"
invalid-SPI-recovery will not help much, but you can keep it configured.
2) Stub on hub side? That's a bit odd, isn't it? It's in fact not a stub. My suggestion is to go the phase 3 design way and advertise summaries from the hub. But that's up to you.
M.
09-25-2013 05:41 AM
Hello,
Thanks for the response!
I left the stub on the hub while troubleshooting, it has since been removed.
By DPD, do you mean "crypto isakmp keepalive 10 periodic"?
I've since added that (spoke and hub) and while the tunnels work great (they fail over, I can ping 10.255.25x.x) the routes do not update, which led me to believe it's an EIGRP problem. Is there something else I should do for DPD?
Thanks again
Will
Can't edit the original post, so:
!Hub
crypto isakmp keepalive 10 periodic
router eigrp 53
network 10.255.252.0 0.0.0.255
network 10.255.253.0 0.0.0.255
network 10.255.254.0 0.0.0.255
network 10.255.255.0 0.0.0.255
network 192.168.1.0
no auto-summary
!Spoke
crypto isakmp keepalive 10 periodic
router eigrp 53
network 10.255.252.0 0.0.0.255
network 10.255.253.0 0.0.0.255
network 10.255.254.0 0.0.0.255
network 10.255.255.0 0.0.0.255
network 192.168.0.0
eigrp stub connected
no auto-summary
09-25-2013 05:49 AM
10 seconds periodic might be too steep if you want to scale.
Non-periodic 30/5 works OK for DMVPN :-)
Yes, the problem with prefixes is not a core DMVPN problem, most likely the RP doing something odd (hence my suggestion to check the stubbiness).
Try with BGP? :-)
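The points raised in the replies (no DPD, stub on the hub) and one more thing visible in the first post (both IPsec profiles reference a transform-set named aes256, but the only transform-set defined is "strong") can be checked mechanically. The script below is an added example, not code from this thread or from Cisco. It parses a trimmed copy of the posted hub config (constructed inline; the forum paste is flat, so sections are recognised by keyword rather than indentation) and reports each inconsistency, including the rule that tunnels sharing one tunnel source with a shared profile need distinct tunnel keys. The config-line patterns it looks for are the ones in the post; nothing else is assumed about the IOS image.

```python
"""Consistency checks for a flat IOS DMVPN config paste (added example)."""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed, trimmed copy of the hub config from the first post.
HUB_CONFIG = """\
crypto isakmp policy 3
 hash md5
 authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto ipsec transform-set strong esp-3des esp-md5-hmac
crypto ipsec profile dmvpn
 set transform-set aes256
crypto ipsec profile dmvpn2
 set transform-set aes256
interface Tunnel0
 ip nhrp map multicast dynamic
 tunnel source GigabitEthernet0/1
 tunnel key 545
 tunnel protection ipsec profile dmvpn shared
interface Tunnel1
 ip nhrp map multicast dynamic
 tunnel source FastEthernet0/0/0
 tunnel key 546
 tunnel protection ipsec profile dmvpn2 shared
interface Tunnel2
 ip nhrp map multicast dynamic
 tunnel source GigabitEthernet0/1
 tunnel key 547
 tunnel protection ipsec profile dmvpn shared
router eigrp 53
 eigrp stub connected
"""

SECTION_RE = re.compile(r"^(interface|router|crypto ipsec profile|crypto isakmp policy)\s+\S.*$")
GLOBAL_PREFIXES = ("crypto isakmp key", "crypto isakmp keepalive",
                   "crypto ipsec transform-set", "ip route", "access-list")


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a config into global lines and named sections. Lines need not be
    indented: a section runs until the next header, a known global command,
    or a '!' separator, which is how the flat forum paste is laid out."""
    globals_: List[str] = []
    sections: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            current = None
            continue
        if SECTION_RE.match(line):
            current = line
            sections[current] = []
        elif line.startswith(GLOBAL_PREFIXES):
            current = None
            globals_.append(line)
        elif current is not None:
            sections[current].append(line)
        else:
            globals_.append(line)
    return globals_, sections


def _value(body: List[str], prefix: str) -> Optional[str]:
    """Return the remainder of the first body line starting with prefix."""
    for line in body:
        if line.startswith(prefix):
            return line[len(prefix):].strip()
    return None


def lint_dmvpn(text: str) -> List[str]:
    """Return human-readable findings for the DMVPN-related parts of a config."""
    g, s = parse_config(text)
    findings: List[str] = []
    # 1. Every transform-set a profile references must actually be defined.
    defined_ts = {l.split()[3] for l in g if l.startswith("crypto ipsec transform-set ")}
    profiles = {n.split()[-1]: b for n, b in s.items() if n.startswith("crypto ipsec profile ")}
    for pname, body in profiles.items():
        ts_line = _value(body, "set transform-set ")
        for ts in (ts_line or "").split():
            if ts not in defined_ts:
                findings.append(f"profile {pname}: transform-set '{ts}' is referenced but not defined")
    # 2. Without DPD a dead peer is only noticed when the SA expires.
    if not any(l.startswith("crypto isakmp keepalive") for l in g):
        findings.append("no 'crypto isakmp keepalive' (DPD): dead peers are noticed only at SA expiry")
    # 3. A router accepting dynamic NHRP registrations is a hub, not an EIGRP stub.
    tunnels = {n.split()[1]: b for n, b in s.items() if n.startswith("interface Tunnel")}
    is_hub = any("ip nhrp map multicast dynamic" in b for b in tunnels.values())
    for name, body in s.items():
        if name.startswith("router eigrp") and is_hub and any(l.startswith("eigrp stub") for l in body):
            findings.append(f"{name}: 'eigrp stub' on a router acting as NHRP hub")
    # 4. Tunnels sharing a source need a 'shared' profile and distinct tunnel keys.
    by_source = defaultdict(list)
    for tname, body in tunnels.items():
        prot = _value(body, "tunnel protection ipsec profile ")
        if prot and prot.split()[0] not in profiles:
            findings.append(f"{tname}: ipsec profile '{prot.split()[0]}' not defined")
        by_source[_value(body, "tunnel source ")].append((tname, _value(body, "tunnel key "), prot))
    for src, members in by_source.items():
        if len(members) < 2:
            continue
        keys = [k for _, k, _ in members]
        if len(set(keys)) != len(keys):
            findings.append(f"tunnels on {src} must carry distinct 'tunnel key' values: {keys}")
        for tname, _, prot in members:
            if prot and "shared" not in prot.split():
                findings.append(f"{tname}: shares {src} with another tunnel but profile is not 'shared'")
    return findings


if __name__ == "__main__":
    for finding in lint_dmvpn(HUB_CONFIG):
        print("-", finding)
```

Run against the constructed hub sample it reports four findings: the undefined aes256 transform-set in both profiles, the missing keepalive, and the stub under router eigrp 53; the tunnel-key and shared-profile checks pass because the posted tunnels already use distinct keys on each source. Pointing both profiles at the defined transform-set (or defining aes256), adding the on-demand "crypto isakmp keepalive 30 5" suggested above, and removing "eigrp stub connected" from the hub brings the list to empty. The same parser works on the spoke paste, where the stub check stays quiet because the spoke has no "ip nhrp map multicast dynamic".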