12-12-2015 11:02 PM - edited 02-21-2020 08:35 PM
Dear Friends,
Platform Cisco 800Series
Router#Sh version
Sample Output
Cisco IOS Software, C880 Software (C880DATA-UNIVERSALK9-M), Version 15.2(4)M4, RELEASE SOFTWARE (fc2)
ROM: System Bootstrap, Version 12.4(22r)YB5, RELEASE SOFTWARE (fc1)
5 FastEthernet interfaces
1 Virtual Private Network (VPN) Module
256K bytes of non-volatile configuration memory.
125496K bytes of ATA CompactFlash (Read/Write)
The above-mentioned details are some information about my router and IOS.
I'm using DMVPN over a GRE tunnel and it's working fine.
We have one new requirement with another partner; they are shared and are requesting to configure an IPsec VPN for the interconnection.
Questions:
1. What is the basic difference between DMVPN and IPsec VPN?
2. Can my router do this?
3. If yes, how can I disable NAT-T? The partner is requesting to disable it.
4. How can I statically configure NAT translation for inside and outside traffic in an IPsec VPN?
If I configure the IPsec VPN, will there be any problem that affects my existing DMVPN?
Can anybody please help me?
12-13-2015 03:24 AM
> 1. What is the basic difference between DMVPN and IPsec VPN?
DMVPN is also using IPsec for the traffic protection. But DMVPN also adds multipoint GRE and NHRP for additional functionality.
> 2. Can my router do this?
Well, you are using it ... ;-)
> 3. If yes, how can I disable NAT-T? The partner is requesting to disable it.
First ask them why they want to disable it. NAT-T is part of the IPsec standard and only adds an additional UDP-Header if there is a NAT. If there is no NAT between the peers, NAT-T won't change the encapsulation. If the partner needs it to be turned off, then they are probably using a crappy implementation/platform.
If you still want to disable it:
no crypto ipsec nat-transparency udp-encapsulation
> 4. How can I statically configure NAT translation for inside and outside traffic in an IPsec VPN?
NAT is done before encryption. Just configure your NAT rules to translate your traffic. The translated traffic is then matched against the crypto-ACLs.
> If I configure the IPsec VPN, will there be any problem that affects my existing DMVPN?
Both can coexist. But for sure, when configuring something incorrectly, you can cause problems for your existing config.
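Added example, not part of the original post or of Cisco's documentation: a static NAT rule and a crypto ACL written against the translated addresses, following the "NAT is done before encryption" order described in the answer above. All addresses, the interface roles (Vlan1 inside, FastEthernet4 outside), the PARTNER-* names and the key placeholder are assumptions; the ISAKMP policy is assumed to exist already for the DMVPN.

```cisco
! Constructed values (assumptions, not from the thread):
!   real LAN 192.168.10.0/24, presented to the partner as 10.99.10.0/24
!   partner LAN 172.16.50.0/24, partner peer 203.0.113.2
!   Vlan1 = inside, FastEthernet4 = outside; names PARTNER-* are hypothetical
!
interface Vlan1
 ip nat inside
!
interface FastEthernet4
 ip nat outside
!
! Static network NAT, one-to-one: 192.168.10.x <-> 10.99.10.x.
! As written it translates all LAN traffic routed out FastEthernet4,
! so narrow it if that interface also carries non-partner traffic.
ip nat inside source static network 192.168.10.0 10.99.10.0 /24
!
! Crypto ACL: NAT has already run, so the source is the translated range.
! An entry written with 192.168.10.0 as source would never match.
ip access-list extended PARTNER-CRYPTO
 permit ip 10.99.10.0 0.0.0.255 172.16.50.0 0.0.0.255
!
! Phase 1 key and phase 2 transform set; values must match the partner.
crypto isakmp key <pre-shared-key> address 203.0.113.2
crypto ipsec transform-set PARTNER-TS esp-aes 256 esp-sha-hmac
!
crypto map PARTNER-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set PARTNER-TS
 match address PARTNER-CRYPTO
!
interface FastEthernet4
 crypto map PARTNER-MAP
!
! Checks after sending test traffic from the LAN to 172.16.50.0/24:
!   show ip nat translations   -> inside local 192.168.10.x, inside global 10.99.10.x
!   show crypto ipsec sa       -> local ident 10.99.10.0/255.255.255.0
```

The partner's crypto ACL has to be the mirror image (172.16.50.0/24 to 10.99.10.0/24), otherwise phase 2 will not come up.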
12-13-2015 04:23 AM
Hello Karsten Iwen,
Thanks for your kind attention. Tell me more about crappy implementation/platform.
If I apply this command, is there any problem with my existing DMVPN?
no crypto ipsec nat-transparency udp-encapsulation
Can you please explain how to match translated traffic against crypto ACLs?
12-13-2015 05:05 AM
> Tell me more about crappy implementation/platform.
IPsec is quite a mature technology. In general it works quite well between different vendors. If your partner wants to have a specific component disabled, it could be an indication that his product is not that compatible with other vendors.
> If I apply this command, is there any problem with my existing DMVPN?
> no crypto ipsec nat-transparency udp-encapsulation
Can you make sure that you will never have a spoke (or your hub) behind a NAT? Then you should not disable it.
> Can you please explain how to match translated traffic against crypto ACLs?
Learning IPsec is probably not possible through a discussion forum (you could spend a week-long training on the basics of IPsec on IOS). But with some Google searching you will find some how-tos on basic configuration.
12-13-2015 11:25 PM
Well, thanks for your comment.
I have some idea about IPsec and I spent a lot of my time learning it a few months ago, but the fact is I don't have real-time experience.
Anyway, your comment was very useful.
Hope you are doing well.
Thank you