
DMVPN infrastructure behind a 4G router


Dear team,

I hope you are all doing fine. I am really counting on your experience and maybe the chance that somebody has faced a similar case.
We have an infrastructure with DMVPN implemented, practically one hub and some spokes. The configuration is pretty straightforward; we do not use dynamic protocols such as EIGRP etc. The config on the spokes is like the below:

crypto isakmp policy 10
 hash md5
 authentication pre-share

crypto isakmp key cisco123 address

crypto ipsec transform-set strong esp-3des esp-md5-hmac
crypto ipsec profile cisco
 set security-association lifetime seconds 120
 set transform-set strong

interface Tunnel0
 description DMVPN to PVD_RTR1
 ip address
 ip nhrp map multicast dynamic
 ip nhrp map X.X.X.X
 ip nhrp map multicast X.X.X.X
 ip nhrp network-id 1
 ip nhrp nhs
 tunnel source FastEthernet 4
 tunnel mode gre multipoint
 tunnel protection ipsec profile cisco

int fast 4
 ip nat outside
 ip address dhcp

int vlan 1
 ip add
 ip nat inside

ip route

And on the hub it is:

interface Tunnel100
 description DMVPN Hub Tunnel
 ip address
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint

Practically, on one of the sites we have a TP-Link 4G router acting as the WAN. The Cisco router gets the IP from the DHCP service of the TP-Link. When I issue "show crypto isakmp sa" I get that the connection is active both on the hub and on the spoke site. But I cannot ping the tunnel IPs. Also, I see that I get packets only on the encaps of the spoke and the decaps of the hub. I know the 4G router is behind a NAT, but if I am not mistaken this should cause no issues since it is the initiator of the traffic. I also thought of changing the MTU of the tunnels, but the MTU should only cause issues to TCP sessions and not ICMP. Has anybody come across such a case and has any ideas about this?

1 Accepted Solution


ip route
must change to 
ip route tunnel x <<- this must be changed from next-hop to tunnel x


Rob Ingram
VIP Master

@Yannis94 why NAT over the VPN? Either remove the NAT configuration on the tunnel and vlan 1 interface or ensure you are excluding relevant networks from being translated.

Hello Rob, thank you for your reply. Maybe the way that I posted it is confusing. I am not NATting inside the tunnel. Interface fast 4 is the WAN interface, and that is why I have ip nat outside there; the vlan 1 interface is the one that the local users use, which is why I have ip nat inside there. But I have a deny in the NAT list in order to not NAT the communication between the two LANs.

ip route

this next hop ip address is incorrect.

When you ping the tunnel ip, what is the source IP address? Did you specify the tunnel IP as the source?

You are correct. This is a typo. The correct next hop is 


Yes, I do, and I get a timeout again; that is when I see only encaps packets from the spoke side and only decaps packets from the hub side.

MHM Cisco World
VIP Mentor

How does the hub or spoke know what LAN is behind the tunnel?
I see a static route, but I don't get what it is used for: is it used for the tunnel or for LAN traffic passing through the tunnel?
ip route


Sorry for not posting the whole information. The spoke has the subnet and the hub has 192.168.1-2-3-50-60.0/24. From the hub site, the route for this specific remote site is:

ip route


