1349 Views, 10 Helpful, 4 Replies

S2S VPN on a DMVPN hub

Murray Bown
Level 1

Hi Guys,

Is it possible to co-host an S2S VPN and a DMVPN to terminate on the same device?

Cheers,

Murray

Accepted Solution

The only example I have uses a VTI rather than a crypto map (as per your config) and IKEv2 rather than IKEv1 (as per your example). Observe the "identity local" and "match identity remote" commands on the different devices; this is what distinguishes the DMVPN and VTI connections.

HUB

DMVPN:

crypto ikev2 profile IKEV2_PROF
authentication local pre-share
authentication remote pre-share
identity local fqdn HUB.dmvpn.net
match identity remote fqdn domain dmvpn.net
keyring local KEYRING
!
! keyring KEYRING (pre-shared keys per peer) is referenced above but not shown in the post
!
! transform-set and IPsec profile are defined before the tunnel so the profile exists
! when "tunnel protection" is applied
crypto ipsec transform-set TSET esp-aes esp-sha256-hmac
!
crypto ipsec profile IPSEC_PROF
set ikev2-profile IKEV2_PROF
set transform-set TSET
!
! "ip nhrp network-id" is what enables NHRP on the interface; it was missing in the original post
interface tunnel 1
ip address 10.5.0.1 255.255.255.0
ip mtu 1400
ip tcp adjust-mss 1360
ip nhrp authentication DMVPN
ip nhrp network-id 1
ip nhrp holdtime 300
ip nhrp map multicast dynamic
tunnel source gig0/0
tunnel mode gre multipoint
tunnel protection ipsec profile IPSEC_PROF

VTI:

crypto ikev2 profile IKEV2_PROF2
authentication local pre-share
authentication remote pre-share
identity local fqdn HUB.vti.only
match identity remote fqdn domain vti.only
keyring local KEYRING
!
crypto ipsec profile IPSEC_PROF2
set ikev2-profile IKEV2_PROF2
set transform-set TSET
!
! "tunnel mode ipsec ipv4" makes this a true VTI; the original post omitted it, and without
! it the interface defaults to point-to-point GRE over IPsec (which also works, but is not a VTI)
interface tunnel2
ip unnumbered Loopback0
tunnel source GigabitEthernet0/0
tunnel destination 3.3.3.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSEC_PROF2

-----------------------------------------
BRANCH1

DMVPN:

crypto ikev2 profile IKEV2_PROF
authentication local pre-share
authentication remote pre-share
identity local fqdn BRANCH1.dmvpn.net
match identity remote fqdn domain dmvpn.net
keyring local KEYRING
!
! transform-set and IPsec profile as on the hub (not repeated in the original post)
crypto ipsec transform-set TSET esp-aes esp-sha256-hmac
!
crypto ipsec profile IPSEC_PROF
set ikev2-profile IKEV2_PROF
set transform-set TSET
!
interface tunnel 1
ip address 10.5.0.10 255.255.255.0
ip mtu 1400
ip tcp adjust-mss 1360
ip nhrp authentication DMVPN
ip nhrp network-id 1
ip nhrp holdtime 300
! keyword is "nbma" ("nmba" in the original post); 1.1.1.1 is the hub's public (NBMA) address
ip nhrp nhs 10.5.0.1 nbma 1.1.1.1 multicast
tunnel source gig0/0
tunnel mode gre multipoint
tunnel protection ipsec profile IPSEC_PROF

--------------------------------------
BRANCH2

VTI:

crypto ikev2 profile IKEV2_PROF2
authentication local pre-share
authentication remote pre-share
identity local fqdn BRANCH2.vti.only
match identity remote fqdn domain vti.only
keyring local KEYRING
!
crypto ipsec transform-set TSET esp-aes esp-sha256-hmac
!
crypto ipsec profile IPSEC_PROF2
set ikev2-profile IKEV2_PROF2
set transform-set TSET
!
! "tunnel mode ipsec ipv4" added so that this is a VTI, matching the hub side
interface tunnel2
ip unnumbered Loopback0
tunnel source GigabitEthernet0/0
tunnel destination 1.1.1.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSEC_PROF2

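As an added example, not part of the thread or of any Cisco tooling, here is a small Python lint for the two things the accepted solution relies on: every IKEv2 profile must be selectable by a remote identity that no other profile also matches, and tunnels sharing one tunnel source must use separate IPsec (and therefore IKEv2) profiles. The two sample configs are constructed for the example (HUB_OK is modelled on the hub config above, HUB_BAD is a broken variant); the parser understands only the commands that appear in this thread.

```python
# Constructed sample modelled on the hub config from the accepted solution: two IKEv2
# profiles told apart by remote identity, an mGRE DMVPN tunnel and a VTI on one source.
HUB_OK = """\
crypto ikev2 profile IKEV2_PROF
 match identity remote fqdn domain dmvpn.net
!
crypto ikev2 profile IKEV2_PROF2
 match identity remote fqdn domain vti.only
!
crypto ipsec profile IPSEC_PROF
 set ikev2-profile IKEV2_PROF
crypto ipsec profile IPSEC_PROF2
 set ikev2-profile IKEV2_PROF2
!
interface Tunnel1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile IPSEC_PROF
!
interface Tunnel2
 tunnel source GigabitEthernet0/0
 tunnel destination 3.3.3.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC_PROF2
"""

# Constructed "what not to do": the VTI profile matches any peer and the VTI reuses
# the DMVPN IPsec profile, so nothing tells the two VPNs apart any more.
HUB_BAD = HUB_OK.replace(
    "match identity remote fqdn domain vti.only", "match identity remote any"
).replace("tunnel protection ipsec profile IPSEC_PROF2", "tunnel protection ipsec profile IPSEC_PROF")


def parse_blocks(config):
    """Split running-config text into (header, body lines) using IOS indentation."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def selectors_overlap(a, b):
    """True if two 'match identity remote' selectors can claim the same peer identity."""
    if "any" in (a, b) or a == b:
        return True
    pa, pb = a.lower().split(), b.lower().split()
    for dom, other in ((pa, pb), (pb, pa)):
        if dom[:2] == ["fqdn", "domain"] and other[0] == "fqdn":
            name = other[2] if other[1] == "domain" else other[1]
            if name.endswith("." + dom[2]):  # a domain covers its hosts and sub-domains
                return True
    return False


def lint(config):
    """Return findings for the co-hosting pitfalls; an empty list means the config is clean."""
    ikev2, ipsec, tunnels = {}, {}, {}
    for header, body in parse_blocks(config):
        w = header.split()
        if w[:3] == ["crypto", "ikev2", "profile"]:
            ikev2[w[3]] = [l[len("match identity remote "):] for l in body
                           if l.startswith("match identity remote ")]
        elif w[:3] == ["crypto", "ipsec", "profile"]:
            ipsec[w[3]] = next((l.split()[2] for l in body
                                if l.startswith("set ikev2-profile ")), None)
        elif w[0] == "interface" and w[1].lower().startswith("tunnel"):
            src = next((l.split()[2] for l in body if l.startswith("tunnel source ")), None)
            prof = next((l.split()[4] for l in body
                         if l.startswith("tunnel protection ipsec profile ")), None)
            tunnels[w[1]] = (src, prof)
    out = []
    names = list(ikev2)
    for n in names:
        if not ikev2[n]:
            out.append(f"ikev2 profile {n}: no 'match identity remote', it can never be selected")
    # IOS picks the IKEv2 profile from the peer's asserted identity, so selectors must not overlap
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            for sa in ikev2[a]:
                for sb in ikev2[b]:
                    if selectors_overlap(sa, sb):
                        out.append(f"ikev2 profiles {a} and {b} both match '{sa}' / '{sb}'")
    for p, ref in ipsec.items():
        if ref not in ikev2:
            out.append(f"ipsec profile {p}: 'set ikev2-profile' missing or names undefined profile {ref}")
    seen = {}  # (tunnel source, ipsec profile) -> tunnel name
    for name, (src, prof) in tunnels.items():
        if prof not in ipsec:
            out.append(f"{name}: no tunnel protection or undefined ipsec profile {prof}")
        elif (src, prof) in seen:
            out.append(f"{name} and {seen[src, prof]} share source {src} and profile {prof}; "
                       "use separate IPsec (and IKEv2) profiles")
        seen[src, prof] = name
    return out
```

Run `lint(HUB_OK)` on a saved `show running-config` to get an empty list, or the findings; on HUB_BAD it reports the overlapping identity match and the two tunnels sharing one source and one IPsec profile. The overlap rule treats "fqdn domain X" as covering every host and sub-domain under X, which is why a spoke naming itself BRANCH1.dmvpn.net lands in IKEV2_PROF and not in the VTI profile.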

4 Replies

Hi,
Yes, this is possible; I've previously tried this. Use separate IKEv2 and IPsec profiles to distinguish between the DMVPN tunnel and the sVTI.

HTH

RJI,

Do you have an example of the configuration you used?

This is what I have so far, but without having a lab I don't want to apply it to a production environment.

! policy 1 has no "encr" or "hash" line, so it takes the IOS defaults (DES and SHA-1 on
! classic IOS); as the lowest-numbered policy it is also the highest priority
crypto isakmp policy 1
authentication pre-share
group 2
lifetime 43200
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
lifetime 3600
! the 0.0.0.0 entry is a wildcard PSK for dynamically addressed peers: every spoke shares
! it, so any one spoke (or a leaked key) can authenticate as any other; aggressive mode
! is disabled, which is the right setting for PSK authentication
crypto isakmp key xxxxxx address xxx.xxx.xxx.xxx
crypto isakmp key xxxxxx address 0.0.0.0
crypto isakmp aggressive-mode disable
!
! transport mode for the mGRE DMVPN tunnel, tunnel mode for the crypto-map S2S
crypto ipsec transform-set TS_Strong esp-aes esp-sha256-hmac
mode transport
crypto ipsec transform-set TS_Strong_S2S esp-aes esp-sha256-hmac
mode tunnel
!
crypto ipsec profile protect-DMVPN-gre
set security-association lifetime seconds 43200
set transform-set TS_Strong
!
! crypto map for the S2S peer; ACL 116 matches GRE, so the S2S itself is GRE over IPsec
! (its point-to-point tunnel interface is not shown here)
crypto map S2S_VPN local-address GigabitEthernet0/1
crypto map S2S_VPN 10 ipsec-isakmp
description tunnel from EHQ to Cat
set peer xxx.xxx.xxx.xxx
set transform-set TS_Strong_S2S
match address 116
!
interface Tunnel0
description mGRE-DMVPN TUNNEL
bandwidth 100000
ip address 172.19.255.1 255.255.255.0
no ip redirects
ip mtu 1400
no ip next-hop-self eigrp 2000
no ip split-horizon eigrp 2000
ip nhrp authentication xxxxxx
ip nhrp network-id 1
ip tcp adjust-mss 1360
tunnel source xxx.xxx.xxx.xxx
tunnel mode gre multipoint
tunnel key 1
tunnel protection ipsec profile protect-DMVPN-gre
!
interface GigabitEthernet0/1
ip address xxx.xxx.xxx.xxx 255.255.255.192
ip access-group INTERNET-IN in
duplex auto
speed auto
crypto map S2S_VPN
!
ip access-list extended INTERNET-IN
permit ip host xxx.xxx.xxx.xxx host xxx.xxx.xxx.xxx
permit ip host xxx.xxx.xxx.xxx host xxx.xxx.xxx.xxx
!
access-list 116 permit gre host xxx.xxx.xxx.xxx host xxx.xxx.xxx.xxx

Muhammad Awais Khan
Cisco Employee

Just realized a confirmation was already posted by our VIP advisor :). I cannot delete my post, so I am removing my comments :), but I agree with @Rob Ingram that it is possible to use it on the same device, and it can be done on the same interface with some considerations, like excluding the DMVPN tunnel traffic from the split-tunnel list of the IPsec.