
Vpn to Meraki Z1 Site to Site from Cisco 3900 Router

anand kumar
Level 1

Hi All,

We have DMVPN configured to multiple nodes from our office:

interface Tunnel2
description MULTI-POINT GRE TUNNEL for BRANCHES
ip address 172.26.3.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication dmvpn
ip nhrp map multicast dynamic
ip nhrp network-id 2
ip nhrp holdtime 600
ip ospf network broadcast
ip ospf cost 130
delay 1000
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint

and we have a crypto map applied on the source interface:
interface GigabitEthernet0/0
ip address x.128.4.94 255.255.255.192
no ip redirects
load-interval 30
duplex full
speed 1000
crypto map ITC<<

But we are not using this crypto map anywhere:
ITC-COLO-VPN-02#sh crypto map tag ITC | i peer
(missing peer or access-list definitions)
Current peer: x.70.241.91
(missing peer or access-list definitions)
Current peer: y.241.165.66
(missing peer or access-list definitions)
Current peer: z.241.165.78
(missing peer or access-list definitions)
Current peer: w.41.155.150
(missing peer or access-list definitions)
Current peer: v.241.165.74

ITC-COLO-VPN-02#sh crypto session
Crypto session current status

Interface: Tunnel2
Session status: UP-ACTIVE
Peer: x.203.170.98 port 7479
Session ID: 0
IKEv1 SA: local x.128.4.94/4500 remote x.203.170.98/7479 Active
IPSEC FLOW: permit 47 host x.128.4.94 host x.203.170.98
Active SAs: 2, origin: crypto map

Can we remove that crypto map ITC from gig0/0, which isn't useful?

1 Reply

Philip D'Ath
VIP Alumni

With DMVPN you would normally have a line like this on your Tunnel interface:

 tunnel protection ipsec profile ...profile-name...

In your case this line is missing, and it looks like it is being done by the crypto map instead.
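
The dependency described in the reply can be checked before the crypto map is touched. The following Python check is an added example, not code from the thread or from Cisco: it reports tunnels that have no `tunnel protection` line while their source interface carries a crypto map, and lists GRE (IP protocol 47) flows whose active SAs originate from a crypto map. The function names are hypothetical, the sample input is constructed from the excerpts quoted in the question, and the parser assumes interface blocks end at a `!` or blank line.

```python
import re

# Constructed sample input, trimmed from the configuration and output quoted in the thread.
RUNNING_CONFIG = """\
interface Tunnel2
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
!
interface GigabitEthernet0/0
 ip address x.128.4.94 255.255.255.192
 crypto map ITC
!
"""
CRYPTO_SESSION = """\
Interface: Tunnel2
Peer: x.203.170.98 port 7479
  IPSEC FLOW: permit 47 host x.128.4.94 host x.203.170.98
        Active SAs: 2, origin: crypto map
"""

def parse_interfaces(config):
    """Map each interface name to its sub-commands; '!' or a blank line ends a block."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = interfaces.setdefault(line.split()[1], [])
        elif line in ("", "!"):
            current = None
        elif current is not None:
            current.append(line)
    return interfaces

def tunnels_relying_on_crypto_map(config):
    """Tunnels lacking 'tunnel protection' whose source interface carries a crypto map."""
    ifs, found = parse_interfaces(config), {}
    for name, cmds in ifs.items():
        src = next((c.split()[-1] for c in cmds if c.startswith("tunnel source ")), None)
        if src and not any(c.startswith("tunnel protection ") for c in cmds):
            maps = [c.split()[-1] for c in ifs.get(src, []) if c.startswith("crypto map ")]
            if maps:
                found[name] = (src, maps[0])
    return found

def gre_flows_from_crypto_map(session):
    """IPSEC FLOW lines for IP protocol 47 (GRE) with active SAs that originate from a crypto map."""
    lines = [l.strip() for l in session.splitlines()]
    return [flow for flow, sa in zip(lines, lines[1:])
            if re.match(r"IPSEC FLOW: permit 47\b", flow)
            and re.match(r"Active SAs: [1-9]\d*, origin: crypto map", sa)]
```

A non-empty result from either function means the tunnel's encryption currently depends on the crypto map, which is the situation the reply describes.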