Cisco DMVPN Configuration Question
Don't usually poke NANOG for a second pair of eyes, but got hit with an urgent need to get connectivity up on a small budget.

I've run into a situation where I require multiple DMVPN spokes to be behind a single NAT IP (picture of things to come with CGN?)

The DMVPN endpoint works fine behind NAT until a 2nd is added behind the same IP address. At that point the hub gets confused and I start seeing packet loss to the endpoints in a round-robin fashion.

As far as I can see Cisco documentation says pretty clearly that each DMVPN spoke requires a unique IP address. Is there any way around this, or do I need to be looking at an alternative VPN solution?

Hub config:

----8<----
 description DMVPN
 bandwidth 100000
 ip address 10.231.254.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication ! removed
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp redirect
 ip tcp adjust-mss 1360
 tunnel source ! removed
 tunnel mode gre multipoint
 tunnel key 0
 tunnel protection ipsec profile DMVPN
----8<----

Spoke:

----8<----
interface Tunnel2
 description DMVPN
 bandwidth 100000
 ip vrf forwarding DMVPN
 ip address 10.231.254.10 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication ! removed
 ip nhrp map multicast ! removed
 ip nhrp map 10.231.254.1 ! removed
 ip nhrp network-id 1
 ip nhrp nhs 10.231.254.1
 ip nhrp shortcut
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 0
 tunnel protection ipsec profile DMVPN
end
----8<----

--
Ray Patrick Soucy
Network Engineer
University of Maine System

T: 207-561-3526
F: 207-561-3531

MaineREN, Maine's Research and Education Network
www.maineren.net

No way around this with DMVPN.

Sent from my iPhone

On Aug 16, 2013, at 9:05, Ray Soucy <rps@maine.edu> wrote:

> Don't usually poke NANOG for a second pair of eyes, but got hit with an urgent need to get connectivity up on a small budget.
>
> I've run into a situation where I require multiple DMVPN spokes to be behind a single NAT IP (picture of things to come with CGN?)
>
> The DMVPN endpoint works fine behind NAT until a 2nd is added behind the same IP address. At that point the hub gets confused and I start seeing packet loss to the endpoints in a round-robin fashion.
>
> As far as I can see Cisco documentation says pretty clearly that each DMVPN spoke requires a unique IP address. Is there any way around this, or do I need to be looking at an alternative VPN solution?
>
> Hub config:
>
> ----8<----
>  description DMVPN
>  bandwidth 100000
>  ip address 10.231.254.1 255.255.255.0
>  no ip redirects
>  ip mtu 1400
>  ip nhrp authentication ! removed
>  ip nhrp map multicast dynamic
>  ip nhrp network-id 1
>  ip nhrp redirect
>  ip tcp adjust-mss 1360
>  tunnel source ! removed
>  tunnel mode gre multipoint
>  tunnel key 0
>  tunnel protection ipsec profile DMVPN
> ----8<----
>
> Spoke:
>
> ----8<----
> interface Tunnel2
>  description DMVPN
>  bandwidth 100000
>  ip vrf forwarding DMVPN
>  ip address 10.231.254.10 255.255.255.0
>  no ip redirects
>  ip mtu 1400
>  ip nhrp authentication ! removed
>  ip nhrp map multicast ! removed
>  ip nhrp map 10.231.254.1 ! removed
>  ip nhrp network-id 1
>  ip nhrp nhs 10.231.254.1
>  ip nhrp shortcut
>  ip tcp adjust-mss 1360
>  tunnel source FastEthernet0/0
>  tunnel mode gre multipoint
>  tunnel key 0
>  tunnel protection ipsec profile DMVPN
> end
> ----8<----
>
> --
> Ray Patrick Soucy
> Network Engineer
> University of Maine System
>
> T: 207-561-3526
> F: 207-561-3531
>
> MaineREN, Maine's Research and Education Network
> www.maineren.net
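
The condition this thread describes (two or more spokes registering from the same NAT address) can be spotted on the hub before it shows up as packet loss. The script below is an added example, not code from either poster or from Cisco; it assumes the usual text layout of `show ip nhrp` output, and the sample cache (interface name, NBMA and claimed addresses) is constructed.

```python
import re
from collections import defaultdict

# Constructed sample laid out like `show ip nhrp` on a hub. Only the
# 10.231.254.0/24 tunnel subnet comes from the thread; the interface name,
# NBMA and claimed addresses are made up (documentation/private ranges).
SAMPLE = """\
10.231.254.10/32 via 10.231.254.10
   Tunnel0 created 00:12:41, expire 01:47:18
   Type: dynamic, Flags: unique registered used nhop
   NBMA address: 203.0.113.7
    (Claimed NBMA address: 192.168.1.10)
10.231.254.11/32 via 10.231.254.11
   Tunnel0 created 00:03:05, expire 01:56:54
   Type: dynamic, Flags: unique registered used nhop
   NBMA address: 203.0.113.7
    (Claimed NBMA address: 192.168.1.11)
10.231.254.12/32 via 10.231.254.12
   Tunnel0 created 01:20:00, expire 00:40:00
   Type: dynamic, Flags: unique registered used nhop
   NBMA address: 198.51.100.20
"""

ENTRY = re.compile(r"^(\d+\.\d+\.\d+\.\d+)/\d+ via ", re.M)
NBMA = re.compile(r"^[ \t]*NBMA address: (\S+)", re.M)
CLAIMED = re.compile(r"\(Claimed NBMA address: ([^)\s]+)\)")

def parse_nhrp(text):
    """Return one (tunnel_ip, nbma, claimed_or_None) tuple per cache entry."""
    starts = [m.start() for m in ENTRY.finditer(text)] + [len(text)]
    entries = []
    for begin, end in zip(starts, starts[1:]):
        block = text[begin:end]
        nbma = NBMA.search(block)
        if nbma is None:  # incomplete entry, nothing to compare
            continue
        claimed = CLAIMED.search(block)
        entries.append((ENTRY.match(block).group(1), nbma.group(1),
                        claimed.group(1) if claimed else None))
    return entries

def shared_nbma(entries):
    """Map each post-NAT NBMA address to the spokes registered from it,
    keeping only addresses used by more than one spoke."""
    by_nbma = defaultdict(list)
    for tunnel_ip, nbma, _claimed in entries:
        by_nbma[nbma].append(tunnel_ip)
    return {ip: spokes for ip, spokes in by_nbma.items() if len(spokes) > 1}

if __name__ == "__main__":
    for ip, spokes in shared_nbma(parse_nhrp(SAMPLE)).items():
        print(f"{ip}: {len(spokes)} spokes behind one address: {', '.join(spokes)}")
```
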

participants (2)
- Garrett Skjelstad
- Ray Soucy