623 Views | 1 Helpful | 7 Replies

DMVPN infrastructure behind a 4G router

Yannis94
Level 1

Dear team,

I hope you are all doing fine. I am really counting on your experience and hoping that somebody has faced a similar case.
We have an infrastructure with DMVPN implemented, practically one hub and some spokes. The configuration is pretty straightforward; we do not use dynamic protocols such as EIGRP etc. The config on the spokes is like the below:

crypto isakmp policy 10
 hash md5
 authentication pre-share
!
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
!
crypto ipsec profile cisco
 set security-association lifetime seconds 120
 set transform-set strong
!
interface Tunnel0
 description DMVPN to PVD_RTR1
 ip address 172.16.0.200 255.255.255.0
 ip nhrp map multicast dynamic
 ip nhrp map 172.16.0.1 X.X.X.X
 ip nhrp map multicast X.X.X.X
 ip nhrp network-id 1
 ip nhrp nhs 172.16.0.1
 tunnel source FastEthernet4
 tunnel mode gre multipoint
 tunnel protection ipsec profile cisco
!
interface FastEthernet4
 ip nat outside
 ip address dhcp
!
interface Vlan1
 ip address 192.168.200.1 255.255.255.0
 ip nat inside
!
ip route 192.168.0.0 255.255.0.0 172.168.0.1

And on the hub it is:

interface Tunnel100
 description DMVPN Hub Tunnel
 ip address 172.16.0.1 255.255.255.0
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint

Practically, on one of the sites we have a TP-Link 4G router acting as the WAN. The Cisco router gets the IP 10.10.0.10 from the DHCP service of the TP-Link. When I issue "show crypto isakmp sa" I get that the connection is active both on the hub and on the spoke site. But I cannot ping the tunnel IPs. Also I see that I get packets only on the encaps of the spoke and the decaps of the hub. I know the 4G router is behind a NAT, but if I am not mistaken this should cause no issues since it is the initiator of the traffic. I also thought of changing the MTU of the tunnels, but the MTU should only cause issues to TCP sessions and not ICMP. Has anybody come across such a case and has any ideas on this?


7 Replies

@Yannis94 why NAT over the VPN? Either remove the NAT configuration on the tunnel and VLAN 1 interface or ensure you are excluding the relevant networks from being translated.

Hello Rob, thank you for your reply. Maybe the way I posted it is confusing. I am not NATing inside the tunnel. Interface fast 4 is the WAN interface, and that is why I have ip nat outside there; the VLAN 1 interface is the one that the local users use, and that is why I have ip nat inside there. But I have a deny in the NAT list in order not to NAT the communication between the two LANs.

ip route 192.168.0.0 255.255.0.0 172.168.0.1

this next hop ip address is incorrect.

When you ping the tunnel ip, what is the source IP address? Did you specify the tunnel IP as the source?

You are correct. This is a typo. The correct next hop is 172.16.0.1. 

 

Yes I do, and I get a timeout again; that is when I see only encaps packets from the spoke side and only decaps packets from the hub side.

How does the hub or spoke know what LAN is behind the tunnel?
I see a static route, but I don't get what it is used for: is it used for the tunnel, or for the LAN passing through the tunnel?
ip route 192.168.0.0 255.255.0.0 172.168.0.1

Hi, 

Sorry for not posting the whole information. The spoke has the subnet 192.168.200.0/24 and the hub has 192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24, 192.168.50.0/24 and 192.168.60.0/24. From the hub site, the route for this specific remote site is:

ip route 192.168.200.0 255.255.255.0 172.16.0.200

 

ip route 192.168.0.0 255.255.0.0 172.168.0.1
must change to 
ip route 192.168.0.0 255.255.0.0 tunnel x <<- this must be changed from next-hop to tunnel x
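A configuration check for the class of mistake the accepted solution fixes, added here as an example; it is not code from the thread or from Cisco. It parses the spoke and hub configs quoted above (constructed inline, including the mistyped next hop 172.168.0.1) with Python's standard ipaddress module and reports any static route whose next hop lies outside every connected subnet and names no exit interface. IOS resolves such a next hop recursively through another route, here the DHCP default route toward the 4G router, so traffic for the remote LANs leaves the WAN interface in the clear instead of entering the protected tunnel. Interfaces addressed by DHCP have no subnet known at config time, so a route pointing at the WAN gateway would also be reported; that is a limitation of a static check, not of the configuration.

```python
import ipaddress
import re

# Constructed sample: the spoke configuration quoted in the thread, including
# the mistyped next hop (the tunnel subnet is 172.16.0.0/24, not 172.168.0.0/24).
SPOKE_CONFIG = """\
interface Tunnel0
 ip address 172.16.0.200 255.255.255.0
 ip nhrp nhs 172.16.0.1
 tunnel mode gre multipoint
interface FastEthernet4
 ip address dhcp
 ip nat outside
interface Vlan1
 ip address 192.168.200.1 255.255.255.0
 ip nat inside
ip route 192.168.0.0 255.255.0.0 172.168.0.1
"""

# Constructed sample: the hub side, whose route next hop is on the tunnel subnet.
HUB_CONFIG = """\
interface Tunnel100
 ip address 172.16.0.1 255.255.255.0
 tunnel mode gre multipoint
ip route 192.168.200.0 255.255.255.0 172.16.0.200
"""

IPV4 = r"(\d+\.\d+\.\d+\.\d+)"


def parse_interfaces(config):
    """Map interface name -> IPv4Interface, or None when addressed by DHCP
    (its subnet is unknown until the lease arrives)."""
    interfaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface\s+(\S+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = None
            continue
        if current is None:
            continue
        m = re.match(r"\s+ip address " + IPV4 + " " + IPV4, line)
        if m:
            interfaces[current] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
    return interfaces


def parse_static_routes(config):
    """Return (prefix, gateway_or_interface, optional_next_hop) per 'ip route' line."""
    routes = []
    pattern = r"ip route " + IPV4 + " " + IPV4 + r" (\S+)(?: " + IPV4 + ")?"
    for line in config.splitlines():
        m = re.match(pattern, line)
        if m:
            prefix = ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}")
            routes.append((prefix, m.group(3), m.group(4)))
    return routes


def is_ipv4(text):
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False


def check_static_routes(config):
    """List findings for static routes that cannot point into the tunnel directly:
    a next-hop address on no connected subnet (recursively resolved via another
    route, e.g. the DHCP default route) or an exit interface that does not exist."""
    interfaces = parse_interfaces(config)
    connected = [i.network for i in interfaces.values() if i is not None]
    known_names = {name.lower() for name in interfaces}
    findings = []
    for prefix, gateway, _next_hop in parse_static_routes(config):
        if not is_ipv4(gateway):
            # Interface-style route ("ip route ... Tunnel0"): no recursion possible,
            # but the interface must exist.
            if gateway.lower() not in known_names:
                findings.append(f"{prefix}: exit interface {gateway} is not configured")
            continue
        hop = ipaddress.IPv4Address(gateway)
        if not any(hop in net for net in connected):
            findings.append(
                f"{prefix}: next hop {hop} is not on any connected subnet "
                f"({', '.join(map(str, connected))}); it will be resolved via another route"
            )
    return findings


if __name__ == "__main__":
    for label, cfg in (("spoke", SPOKE_CONFIG), ("hub", HUB_CONFIG)):
        print(label, check_static_routes(cfg) or ["no static-route findings"])
```

Running it reports the spoke's 192.168.0.0/16 route because 172.168.0.1 is on neither 172.16.0.0/24 nor 192.168.200.0/24, and reports nothing for the hub; rewriting the spoke route with either the correct next hop 172.16.0.1 or the Tunnel0 exit interface clears the finding.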
