Site to Site VPN and DMVPN on same router ?

paultribe
Level 1

Does anyone have a configuration example with a DMVPN and a site-to-site VPN (not Easy VPN) on the same router?

If this is possible, what impact would the configuration have on the current DMVPN router? I have read that when adding an Easy VPN to a DMVPN router, mGRE stops functioning. Any help would be appreciated.

17 Replies

paultribe
Level 1

Anyone have any ideas... I'll email any helper an iPint!

Sent from Cisco Technical Support iPhone App

Yes, I've done that successfully.

Do you want an example with the DMVPN bit as a hub or as a spoke?

Hi Marvin

Can you share with me the example with the DMVPN hub and IPsec L2L in the same router, please?

Thank you very much in advance.

Best regards.

I used CCP to build my configurations in this case as I had a lot going on (DMVPN, site-site VPN, remote access VPN, ZBFW, QoS, BGP and EIGRP!) and wanted it to all work together. You might try that for your case as well.

Here're the relevant bits for DMVPN + IPsec L2L - I've removed some of the ZBFW and QoS bits. You will have to adapt a bit for your environment:

interface GigabitEthernet0/0
ip address 192.168.0.0 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/1
description WAN$FW_OUTSIDE$
bandwidth 1000000
ip address x.x.x.x 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly in
ip verify unicast reverse-path
duplex auto
speed auto
no cdp enable
no mop enabled
crypto map Crypto_Map
!
crypto map Crypto_Map 71 ipsec-isakmp
description Tunnel to xxxxx
set peer x.x.x.x
set transform-set ESP-3DES-SHA
set isakmp-profile L2LPRF
match address XYZ
!
crypto keyring ccp-dmvpn-keyring
pre-shared-key address 0.0.0.0 0.0.0.0 key xxxxx
!
crypto keyring L2LKEY
pre-shared-key address x.x.x.x key xxxxx
!
crypto isakmp profile ccp-dmvpn-isakmprofile
keyring ccp-dmvpn-keyring
match identity address 0.0.0.0
crypto isakmp profile L2LPRF
keyring L2LKEY
match identity address x.x.x.x 255.255.255.255
!
crypto ipsec security-association replay window-size 1024
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode tunnel
crypto ipsec transform-set ESP-AES-SHA1 esp-aes 256 esp-sha-hmac
mode tunnel
!
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
!
crypto ipsec profile CiscoCP_Profile2
set transform-set ESP-AES-SHA1
set isakmp-profile ccp-dmvpn-isakmprofile
!
interface Tunnel0
description DMVPN Primary
bandwidth 1000
ip address 10.0.0.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1400
no ip next-hop-self eigrp 192
no ip split-horizon eigrp 192
ip flow ingress
ip flow egress
ip nhrp authentication DMVPN_NW
ip nhrp group Tu0
ip nhrp map multicast dynamic
ip nhrp map group Tu0 service-policy output CCP-QoS-Policy-2
ip nhrp network-id 100000
ip nhrp holdtime 360
zone-member security dmvpn-zone
ip tcp adjust-mss 1360
ip summary-address eigrp 192 192.168.0.0 255.255.255.0
delay 1000
tunnel source GigabitEthernet0/1
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile CiscoCP_Profile2 shared
!
ip access-list extended XYZ
remark Traffic via VPN to XYZ Networks
remark CCP_ACL Category=4
permit ip 192.168.0.0 0.0.0.255 <XYZ net 1> 0.0.0.255
permit ip 192.168.0.0 0.0.0.255 <XYZ net 2> 0.0.255.255
permit ip 192.168.0.0 0.0.0.255 <XYZ net 3> 0.0.255.255
permit ip 192.168.0.0 0.0.0.255 <XYZ net 4> 0.0.1.255
!
ip nat inside source list NAT interface GigabitEthernet0/1 overload
!
ip access-list extended NAT
deny ip 192.168.0.0 0.0.0.255 10.0.0.0 0.255.255.255
deny ip 192.168.0.0 0.0.0.255 172.16.0.0 0.15.255.255
deny ip 192.168.0.0 0.0.0.255 192.168.0.0 0.0.255.255

Thanks Marvin!

Another lost soul benefited from this thread... you rock, Marvin, thanks!

Hi,

I am having trouble but my situation is a bit different. My interesting traffic is a GRE tunnel.

The tunnel destination is only reachable from a spoke.

For example

ip route e.f.g.h 255.255.255.255 10.0.0.2 !a valid spoke which can reach e.f.g.h

My problem is that Tunnel100 does not invoke the ACL for interesting traffic, hence I cannot see any Phase 1 kick off.

Can anyone help me?

interface Loopback100
ip address a.b.c.d 255.255.255.255

interface Tunnel100
ip address 100.0.0.1 255.255.255.252
tunnel source a.b.c.d
tunnel destination e.f.g.h

ip access-list extended XYZ
permit gre host a.b.c.d host e.f.g.h
deny ip any any

Hi Marvin

Your configuration doesn't work after a reboot of the router, i.e. when the config is applied both tunnels pass traffic, but after a reboot or tunnel reset the DMVPN drops and stays in UNKNOWN state. Applying the crypto map to the source interface of the tunnel causes the DMVPN hub to lose connection with its spokes.

I used your provided sample config and modified it as below. Logged a TAC case for help.

Reply from Cisco TAC as follows:

"

Here is the restriction for IPsec when using crypto map and DMVPN:

A crypto map on a physical interface is not supported, if the physical interface is the source interface of a tunnel protection interface.

Here is the link to the document:
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_vpnips/configuration/xe-3s/sec-sec-for-vpns-w-ipsec-xe-3s-book/sec-cfg-vpn-ipsec.html#GUID-318AA5E9-036B-4CE8-A53E-3E15065F2F01

So, what you are seeing is an expected behaviour as it is not supported.

"

crypto keyring ccp-dmvpn-keyring
pre-shared-key address 0.0.0.0 0.0.0.0 key plixer
crypto keyring L2LKEY
pre-shared-key address 203.126.145.170 key Albert
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp profile ccp-dmvpn-isakmprofile
keyring ccp-dmvpn-keyring
match identity address 0.0.0.0
crypto isakmp profile L2LPRF
keyring L2LKEY
match identity address 203.126.145.170 255.255.255.255
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
mode tunnel
!
!
crypto ipsec profile protect-gre
set security-association lifetime seconds 86400
set transform-set TS
set isakmp-profile ccp-dmvpn-isakmprofile
!
!
crypto map Crypto_Map 71 ipsec-isakmp
description Tunnel to 203.126.145.170
set peer 203.126.145.170
set transform-set TS
set isakmp-profile L2LPRF
match address VPN-TRAFFIC
!
interface Tunnel1
description mGRE - DMVPN Tunnel
ip address 10.164.0.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1400
ip nhrp authentication firewall
ip nhrp network-id 1
ip nhrp holdtime 360
ip tcp adjust-mss 1360
tunnel source GigabitEthernet1
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile protect-gre shared
!
interface GigabitEthernet1
ip address 211.24.127.72 255.255.255.0
ip nat outside
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet2
ip address 10.67.1.1 255.255.255.0
ip nat inside
negotiation auto
no mop enabled
no mop sysid
!
ip nat inside source list 101 interface GigabitEthernet1 overload
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip route 0.0.0.0 0.0.0.0 211.24.127.1
ip route 10.67.0.0 255.255.0.0 10.67.1.245
ip route 172.16.0.0 255.255.255.0 10.164.0.254
!
!
!
ip access-list extended VPN-TRAFFIC
permit ip 10.67.1.0 0.0.0.255 10.0.0.0 0.255.255.255
!

@Marvin Rhoads wrote:

I used CCP to build my configurations in this case as I had a lot going on (DMVPN, site-site VPN, remote access VPN, ZBFW, QoS, BGP and EIGRP!) and wanted it to all work together. You might try that for your case as well.

Here're the relevant bits for DMVPN + IPsec L2L - I've removed some of the ZBFW and QoS bits. You will have to adapt a bit for your environment:

If anyone has any success with this please email me on initiaz.ali@gmail.com
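As an added example (not posted by anyone in this thread), the following Python audit reads an IOS-style config and flags exactly the combination the TAC reply calls unsupported: a crypto map on a physical interface that is also the `tunnel source` of an interface with `tunnel protection`. The config text, interface names and addresses in it are constructed for the example.

```python
# Constructed sample modelled on the configs posted above; names and
# addresses are made up, not taken from any real device.
SAMPLE_CONFIG = """\
interface Tunnel1
 tunnel source GigabitEthernet1
 tunnel protection ipsec profile protect-gre shared
!
interface Tunnel100
 tunnel source 203.0.113.10
 tunnel destination 198.51.100.9
!
interface GigabitEthernet1
 ip address 203.0.113.10 255.255.255.0
 crypto map Crypto_Map
!
"""


def parse_interfaces(config):
    """Map each 'interface X' stanza to its list of stripped sub-commands."""
    stanzas, current = {}, None
    for line in (ln.strip() for ln in config.splitlines()):
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line == "!":
            current = None
        elif current is not None and line:
            stanzas[current].append(line)
    return stanzas


def find_crypto_map_conflicts(config):
    """Return (physical_interface, tunnel) pairs violating the restriction.
    'tunnel source' may be an interface name or an IP address owned by one."""
    stanzas = parse_interfaces(config)
    addr_to_intf = {c.split()[2]: name for name, cmds in stanzas.items()
                    for c in cmds if c.startswith("ip address ")}
    mapped = {name for name, cmds in stanzas.items()
              if any(c.startswith("crypto map ") for c in cmds)}
    conflicts = []
    for name, cmds in stanzas.items():
        # Plain GRE tunnels (e.g. L2L interesting traffic) are not affected.
        if any(c.startswith("tunnel protection ipsec") for c in cmds):
            for src in (c.split()[2] for c in cmds if c.startswith("tunnel source ")):
                src = addr_to_intf.get(src, src)  # resolve address -> interface
                if src in mapped:
                    conflicts.append((src, name))
    return conflicts
```

Run against a `show running-config` dump before applying a crypto map; an empty result means the DMVPN tunnel source is not also carrying a crypto map.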

paultribe
Level 1

That would be great if you could... I am looking for an example of a DMVPN spoke with an IPsec L2L configuration; the L2L should have a static crypto map, I would imagine...

Sent from Cisco Technical Support iPhone App

Yes, a crypto map selects the traffic presented to the outside interface for encapsulation into the site-to-site VPN. The DMVPN traffic is put into the tunnel based on EIGRP learning the routes to the other DMVPN sites via that interface.

Below are the pertinent bits from a working config. My example actually has two DMVPN hubs (primary and backup site) with preference given to the primary via a lower EIGRP delay.

!
crypto isakmp policy 1
encr aes 256
authentication pre-share
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
!
crypto isakmp policy 71
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key address
crypto isakmp key address 0.0.0.0
!
crypto ipsec security-association replay window-size 1024
!
crypto ipsec transform-set Transform esp-aes 256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-SHA esp-aes 256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-AES-SHA
!
!
!
crypto map Crypto_Map 71 ipsec-isakmp
description Tunnel
set peer
set transform-set ESP-3DES-SHA
match address
!
!
!
!
!
interface Tunnel0
description DMVPN Primary
bandwidth 1000
ip address 10.0.0.5 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1400
ip flow ingress
ip nhrp authentication DMVPN_NW
ip nhrp map multicast
ip nhrp map 10.0.0.1
ip nhrp network-id 100000
ip nhrp holdtime 360
ip nhrp nhs 10.0.0.1
ip tcp adjust-mss 1360
delay 1000
tunnel source GigabitEthernet0/1
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile CiscoCP_Profile1 shared
!
interface Tunnel1
description DMVPN Secondary
bandwidth 1000
ip address 10.0.1.5 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1400
ip flow ingress
ip nhrp authentication DMVPN_NW
ip nhrp map multicast
ip nhrp map 10.0.1.4
ip nhrp network-id 110000
ip nhrp holdtime 360
ip nhrp nhs 10.0.1.4
ip tcp adjust-mss 1360
delay 2000
tunnel source GigabitEthernet0/1
tunnel mode gre multipoint
tunnel key 110000
tunnel protection ipsec profile CiscoCP_Profile1 shared
!
interface Null0
no ip unreachables
!
!
interface GigabitEthernet0/0
description inside
ip address 192.168.5.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
no ip route-cache cef
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1
description outside
ip address 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly in
ip verify unicast reverse-path
duplex auto
speed auto
no cdp enable
no mop enabled
crypto map Crypto_Map
!
router eigrp 192
network 10.0.0.0 0.0.0.255
network 10.0.1.0 0.0.0.255
network 192.168.5.0
distance eigrp 15 16
!
!
ip forward-protocol nd
!
ip access-list extended
remark Traffic via VPN
permit ip 192.168.5.0 0.0.0.255 192.168.100.0 0.0.0.255
permit ip 192.168.5.0 0.0.0.255 192.168.65.0 0.0.0.255
permit ip 192.168.5.0 0.0.0.255 172.30.0.0 0.0.255.255

Sorry to steal someone's thread (I did post my own thread also), but I have a very similar issue and see that this was a very recent thread, so I wanted to ask: did you have any issues with this setup? I have the same setup, a DMVPN spoke and an IPsec site-to-site tunnel, and as soon as I enable the crypto map on the outside interface, the DMVPN drops. If I remove the crypto map, the DMVPN comes right back up. The config was already very similar to the one listed above, and I then went in and added any configuration that was missing in mine, but the problem persists. Did you experience this at all? Any thoughts?

Thanks

Dear Chris,

Did you find a solution for the "Site to Site VPN and DMVPN on same router and same interface" problem? I have the same issue: as soon as the crypto map xxx was configured on the outside interface, we lost connectivity to the router.

Because of a reload there are also no logs etc.

It was reachable through DMVPN.

So if you got it working, can you please post your config?

ISR4k platform

Thanks!

Gabor

This is not possible according to Cisco Documentation/TAC:

"

Here is the restriction for IPsec when using crypto map and DMVPN:

A crypto map on a physical interface is not supported, if the physical interface is the source interface of a tunnel protection interface.

Here is the link to the document:
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_vpnips/configuration/xe-3s/sec-sec-for-vpns-w-ipsec-xe-3s-book/sec-cfg-vpn-ipsec.html#GUID-318AA5E9-036B-4CE8-A53E-3E15065F2F01

So, what you are seeing is an expected behaviour as it is not supported.

"

paultribe
Level 1

Thanks

Sent from Cisco Technical Support iPhone App