Static NAT & DMVPN Hub

Uhlig.Tim, Level 1

Hey folks,

In my company we're using DMVPN to connect a lot of branches to our headquarter.

It usually works as expected, but there are some branches connected to a provider router which is using a private network to connect us. So NAT is in place.

If I take a look on a branch router, having some side-to-side tunnels up with "show dmvpn detail", I get the following:

 # Ent  Peer NBMA Addr   Peer Tunnel Add  State  UpDn Tm   Attrb  Target Network
 ----- --------------- --------------- ----- -------- ----- -----------------
     2 194.59.23.100    10.4.1.1         UP     4d19h    S      10.4.1.1/32
       194.59.23.100    10.4.1.6         UP     00:00:26 I2     10.4.1.6/32
     1 185.16.113.13    10.4.1.2         UP     00:00:30 D      10.4.1.2/32
     1 213.253.192.18   10.4.1.4         UP     00:00:09 DN     10.4.1.4/32
       Claimed Addr. 10.42.76.96
     1 172.17.5.5       10.4.1.5         UP     00:00:25 DLX    10.4.1.5/32
     1 62.233.220.198   10.4.1.7         UP     00:00:33 D      10.4.1.7/32
     1 80.254.162.21    10.4.1.100       UP     00:00:15 DN     10.4.1.100/32
       Claimed Addr. 192.168.178.2
     1 188.203.248.203  10.4.1.101       UP     00:00:16 D      10.4.1.101/32
     1 82.163.237.3     10.4.1.210       UP     4d19h    DN     10.4.1.210/32
       Claimed Addr. 10.100.100.254

All branches which are behind a NAT show up with these "claimed addresses".

Is that an issue? Or is that just a hint that it is a NAT'ed IP? Tunnel IP 10.4... is using 192.168... to build the IPsec tunnel and it is a registration in NBMA? 192.168. in this example is the physical address assigned to us via DHCP from the provider.

One spoke-to-spoke connection is facing an issue every day.

If I do "show dmvpn" on the side which is not NAT'ed, I get the following:

 # Ent  Peer NBMA Addr   Peer Tunnel Add  State  UpDn Tm   Attrb
 ----- --------------- --------------- ----- -------- -----
     1 194.59.23.100    10.4.1.1         UP     3d19h    S
     1 185.16.113.13    10.4.1.2         UP     3d19h    D
     1 213.253.192.18   10.4.1.4         UP     2d00h    DNX

If anyone in this office tries to reach a server/service behind 213.253.192.18 it is not possible.

X marks "socket closed"

"show dmvpn detail" shows me a claimed address, like in all NAT'ed branches:

     1 213.253.192.18   10.4.1.4         UP     2d00h    DNX    10.4.1.4/32
       Claimed Addr. 10.42.76.96

If I clear the dmvpn session to this branch and ping the internal address (10.4.1.4) to bring up the tunnel again, the tunnel is built as expected without any issues.

show dmvpn:

     1 213.253.192.18   10.4.1.4         UP     00:00:03 DN

Later in the day I'll face the same issue again and I need to clear and bring it up again to fix it.

So I think there could be an issue with our configuration on NAT'ed branch routers.

Could you guys help me figure it out?

I read something that others use a loopback address with a private IP as the tunnel source to fix that, instead of the outside interface connected to the ISP NAT router, but I'm not sure if I understand it correctly.

Config of the branch I talked about (just the relevant stuff):

The router is an 881 and the version is 15.3(3)M9.

!
crypto keyring dmvpn
  pre-shared-key address 0.0.0.0 0.0.0.0 key "Key"
!
crypto isakmp policy 1
 encr aes 192
 authentication pre-share
 group 16
!
crypto isakmp policy 2
 encr aes 192
 authentication pre-share
 group 15
!
crypto isakmp policy 3
 encr aes 192
 authentication pre-share
 group 14
!
crypto isakmp policy 4
 encr aes 192
 authentication pre-share
 group 5
!
crypto isakmp policy 5
 encr 3des
 hash md5
 authentication pre-share
 group 5
!
crypto isakmp policy 6
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp invalid-spi-recovery
crypto isakmp profile dmvpn
   keyring dmvpn
   match identity address 0.0.0.0
!
!
crypto ipsec transform-set dmvpn_trans_3des esp-3des esp-md5-hmac
 mode transport
crypto ipsec transform-set dmvpn_trans_3des_comp esp-3des esp-md5-hmac comp-lzs
 mode transport
crypto ipsec transform-set dmvpn_trans_aes esp-aes 192 esp-sha-hmac
 mode transport
crypto ipsec transform-set dmvpn_trans_aes_comp esp-aes 192 esp-sha-hmac comp-lzs
 mode transport
!
!
crypto ipsec profile dmvpn
 set security-association lifetime seconds 900
 set transform-set dmvpn_trans_aes_comp dmvpn_trans_aes dmvpn_trans_3des_comp dmvpn_trans_3des
 set isakmp-profile dmvpn
!
!
!
!
!
!
!
interface Tunnel1
 description VPN Spoke 1
 ip address 10.5.1.4 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication "auth-key"
 ip nhrp map 10.5.1.1 194.59.23.101
 ip nhrp map multicast 194.59.23.101
 ip nhrp network-id 16135
 ip nhrp holdtime 120
 ip nhrp nhs 10.5.1.1
 ip tcp adjust-mss 1382
 load-interval 60
 tunnel source FastEthernet4
 tunnel mode gre multipoint
 tunnel key "key"
 tunnel protection ipsec profile dmvpn shared
!
interface Tunnel2
 description VPN Spoke1
 ip address 10.4.1.4 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication "auth key"
 ip nhrp map multicast 194.59.23.100
 ip nhrp map 10.4.1.1 194.59.23.100
 ip nhrp network-id 16124
 ip nhrp holdtime 120
 ip nhrp nhs 10.4.1.1
 no ip split-horizon
 ip tcp adjust-mss 1382
 load-interval 60
 delay 10
 tunnel source FastEthernet4
 tunnel mode gre multipoint
 tunnel key "key"
 tunnel protection ipsec profile dmvpn shared
!
!
interface FastEthernet4
 description --- Cable Internet ---
 ip address dhcp
 ip access-group outside_out out
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly in max-fragments 8 max-reassemblies 1024
 no ip route-cache cef
 duplex auto
 speed auto
 no cdp enable
!
interface Vlan1
 description --- LAN ---
 ip address 192.168.4.1 255.255.255.0
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly in max-fragments 64 max-reassemblies 1024
 ip tcp adjust-mss 1452
 load-interval 60
!
!
router eigrp 10
 no default-information in
 network 10.4.1.0 0.0.0.255
 network 10.5.1.0 0.0.0.255
 network 192.168.4.0
 network 192.168.44.0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip flow-export source Tunnel2
ip flow-export version 9
ip flow-export destination 10.101.1.29 10514
!
ip dns server
ip nat inside source list NAT interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 192.168.223.1
ip ssh version 2
!
!
ip access-list extended NAT
 permit ip 192.168.4.0 0.0.0.255 any
ip access-list extended outside_out
 permit icmp any any
 permit esp any any
 permit gre any any
 permit tcp any any eq www
 permit tcp any any eq 443
 permit tcp any any eq ftp-data
 permit tcp any any eq ftp
 permit tcp any any eq smtp
 permit tcp any any eq domain
 permit tcp any any eq pop3
 permit tcp any any eq 1701
 permit tcp any any eq 1723
 permit udp any any eq domain
 permit udp any any eq ntp
 permit udp any any eq isakmp
 permit udp any any eq 1701
 permit udp any any eq 1723
 permit udp any any eq non500-isakmp
 permit udp any eq domain any
 permit udp any eq ntp any
 permit udp any eq isakmp any
 permit udp any eq 1701 any
 permit udp any eq 1723 any
 permit udp any eq non500-isakmp any
 permit tcp any host 195.56.199.7
 permit udp any host 10.101.1.29
 deny ip any any
!
......
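The two observations in the post (NAT'ed spokes carrying a "Claimed Addr." line, and an entry that stays UP in NHRP while its socket is closed, flag X) are easy to miss when eyeballing "show dmvpn detail" every day. The parser below is an added example, not code from the post or from Cisco; the sample text is constructed from the output quoted above, and the Peer field names and the two report functions are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, modelled on the "show dmvpn detail" output quoted in the post:
# a static hub entry, a NAT'ed spoke whose socket has closed, and a plain dynamic spoke.
SAMPLE = """\
 # Ent  Peer NBMA Addr   Peer Tunnel Add  State  UpDn Tm   Attrb  Target Network
 ----- --------------- --------------- ----- -------- ----- -----------------
     2 194.59.23.100    10.4.1.1         UP     4d19h    S      10.4.1.1/32
       194.59.23.100    10.4.1.6         UP     00:00:26 I2     10.4.1.6/32
     1 213.253.192.18   10.4.1.4         UP     2d00h    DNX    10.4.1.4/32
       Claimed Addr. 10.42.76.96
     1 185.16.113.13    10.4.1.2         UP     00:00:30 D      10.4.1.2/32
"""

@dataclass
class Peer:                        # field names are this example's own, not IOS terms
    nbma: str                      # post-NAT NBMA address the peer registered with
    tunnel: str                    # tunnel (overlay) address
    state: str
    uptime: str
    attrb: str                     # NHRP attribute flags such as D, N, X
    claimed: Optional[str] = None  # inner address a NAT'ed spoke reports as Claimed Addr.

# Optional leading entry count, then NBMA, tunnel, state, up/down timer, attributes.
ENTRY = re.compile(r"^\s*(?:\d+\s+)?(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})\s+(\S+)\s+(\S+)\s+(\S+)")
CLAIMED = re.compile(r"Claimed Addr\.\s+(\d+(?:\.\d+){3})")

def parse_dmvpn_detail(text: str) -> List[Peer]:
    peers: List[Peer] = []
    for line in text.splitlines():
        c = CLAIMED.search(line)
        if c:
            if peers:              # the line belongs to the entry printed just above it
                peers[-1].claimed = c.group(1)
            continue
        m = ENTRY.match(line)
        if m:
            peers.append(Peer(*m.groups()))
    return peers

def nated_peers(peers: List[Peer]) -> List[Peer]:
    """Spokes behind NAT: flagged N and/or carrying a Claimed Addr. line."""
    return [p for p in peers if "N" in p.attrb or p.claimed is not None]

def stale_peers(peers: List[Peer]) -> List[Peer]:
    """Entries still UP in NHRP although the crypto socket is closed (X), the daily failure."""
    return [p for p in peers if p.state == "UP" and "X" in p.attrb]

if __name__ == "__main__":
    for p in stale_peers(parse_dmvpn_detail(SAMPLE)):
        print(f"stale: {p.tunnel} via {p.nbma} attrb={p.attrb} claimed={p.claimed}")
```

Feed it the real output of the command (for example from a scheduled SSH collection) and alert on a non-empty stale list instead of waiting for users to report the unreachable branch.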

Accepted Solution

Uhlig.Tim, Level 1
It was a firmware bug.
The router was delivered with a newer and not recommended firmware (forgot which one).
After a downgrade, the issue has been solved.
Now the router uses the recommended firmware.
