FlexVPN Spoke-to-Spoke Routing Override Loop
I have a spoke router. This router has a route to the inside network 192.168.1.0 255.255.255.0 with next hop 10.1.1.1 (10.1.1.0/29 is the transfer network):
ip route 192.168.1.0 255.255.255.0 10.1.1.1
After activating FlexVPN I get the route override; then the route in the spoke router is 192.168.1.0 255.255.255.0 Tunnel0. I lost the right route, and I get a loop from the center to 192.168.1.0.
How can I make the spoke router ignore the route for its own network that it receives from the center?
One way would be to increase the distance of routes received from the hub.
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/m1/sec-m1-cr-book/sec-cr-r2.html#wp1846954161
Similar Messages
-
Config:
Hub:
interface Virtual-Template1 type tunnel
description FlexVPN hub-to-spokes
ip unnumbered Loopback100
ip mtu 1400
ip nhrp network-id 1
ip nhrp redirect
ip tcp adjust-mss 1360
tunnel path-mtu-discovery
tunnel protection ipsec profile default
Spokes:
interface Tunnel0
description FlexVPN tunnel
ip address negotiated
ip mtu 1400
ip nhrp network-id 1
ip nhrp shortcut virtual-template 1
ip nhrp redirect
ip tcp adjust-mss 1360
delay 1000
tunnel source Vlan1
tunnel destination x.x.x.x
tunnel path-mtu-discovery
tunnel protection ipsec profile default
interface Virtual-Template1 type tunnel
description FlexVPN spoke-to-spoke
ip unnumbered Loopback101
ip nhrp network-id 1
ip nhrp shortcut virtual-template 1
ip nhrp redirect
tunnel protection ipsec profile default
Hub-Spoke works perfectly.
When pinging from a spoke to another spoke's LAN IP, the router misses one ping, returns 1 or two, then misses all other pings until the next reload (clear crypto session does not reset fully). The spoke used to ping will bring up a Virtual-Access interface, then immediately bring up a second Virtual-Access interface, and then an invalid SPI error is shown (authentication is identical).
Unfortunately, the issue is not always consistent. Sometimes, after a reload on all routers, one router will retain the ability to ping; other times no routers can ping. Here is an example:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.3.1, timeout is 2 seconds:
Dec 21 19:38:20.793: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=x.x.x.x,
prot=50, spi=0xE4981ED6(3835174614), srcaddr=x.x.x.x, input interface=Dialer0...
Success rate is 40 percent (2/5), round-trip min/avg/max = 96/100/104 ms
Thanks for any help
John,
The error means that no matching SPI was found for inbound encrypted traffic on that ingress interface.
Is that your interface towards the ISP? If so, and the SPI actually exists in your SADB but somehow is not associated properly.
When/if opening a case please attach:
- show crypto ipsec sa
- show crypto map
(taken ideally before and after trying to bring up the spoke-to-spoke tunnel)
I found reference to a similar problem in our archive, but the customer became unresponsive after a while and no resolution was provided.
One thing you CAN try is to go to 15.2.4M-latest and see if the problem persists.
M. -
Is it possible to have 2 DMVPN tunnels on a spoke router having 2 ISPs to the same hub?
I have a router R1 acting as a hub for DMVPN. I have a spoke router R2 which has 2 ISPs. Can I establish a DMVPN tunnel via each ISPs to R1 from R2?
the other posters are correct, all you need is osx lion. i have tried it out and it works.
the bottom line and most important thing to remember about multiple users using the same mac is:
each user needs their separate account. for example, if bob is on the screen, and tim logs on using vnc
then tim gets his own desktop and kbd and mouse. but if bob is on the screen and bob logs on using vnc
then they share the same desktop
so if u want say 2 or 5 users or whatever the limit is, and i don't know, you are going to need 2 or 5 or whatever
separate users
on the host mac you go into system preferences, sharing, screen sharing, and turn it on
and on the remote mac you run finder, click on connect to server and type vnc:// and the address of the computer
like vnc://192.168.1.4 and it should work great over the local network
there's no other hardware or software you need, you just need to be running osx lion
there are also vnc clients available you can download that might be better than the vnc client in finder -
DM-VPN with Static NAT for Spoke Router. Require Expert Help
Dear All,
This is my first time writing something.
I have configured DM-VPN, and it's working fine; now I want to configure static NAT.
Some people will think: why do you need static NAT if it's working fine?
Let me tell you why I need it, and what my plan is.
I have a HUB with 3 spokes. Sometimes I go outside of my office and am not able to access my spoke computer by Terminal Services, because it's on a dynamic IP address. So what I think is that I'll put one static NAT on my HUB router, so that if anyone (or I) hits the real/public IP address of my HUB WAN interface from any other remote location, it redirects this query to my Terminal Services computer, which is located in the spoke network.
Well, I tried that but failed.
Well, again the suggestion will come: why not use Easy VPN? Well, sounds great, but then I have to keep my notebook with me.
I'll also do that, but now I need to know how to do static NAT, like I do for a normal router which is not part of the VPN:
ip nat inside source static tcp 192.168.1.10 3389 interface Dialer1 3389
But this time this command is not working, because the IP address I mention is related to the HUB network, not the spoke.
Suppose the spoke network is 192.168.2.0/24
and I want on the HUB router:
ip nat inside source static tcp 192.168.2.10 3389 interface Dialer1 3389
I am using Cisco 887 and 877 ADSL routers.
But it's not working. Need expert help. Please write your comments, which are very important for me. Waiting for your comments.
For more details please see the diagram.
To contact me: [email protected]
Hi rvarelac, thank you for the reply:
I already did that; I put deny statements in the NAT access-list excluding the VPN traffic, but the problem is still there!
crypto isakmp policy 10
encr aes
authentication pre-share
crypto isakmp key 12344321 address 1.1.1.1
crypto ipsec transform-set Remote-Site esp-aes esp-sha-hmac
mode tunnel
crypto map s2s 100 ipsec-isakmp
set peer 1.1.1.1
set transform-set Remote-Site
match address vpnacl
interface GigabitEthernet0/0
crypto map s2s
Extended IP access list lantointernet
30 deny icmp 172.17.0.0 0.0.1.255 192.168.1.0 0.0.0.255
40 deny igmp 172.17.0.0 0.0.1.255 192.168.1.0 0.0.0.255
50 deny ip 172.17.0.0 0.0.1.255 192.168.1.0 0.0.0.255
80 permit ip any any
-
L2L traffic multiple spokes routing
I have an issue that I'm hoping you can shed some light on. I have 3 sites all connected with VPN/IPsec IKEv2 tunnels using ASA 5505 and 5510 with 8.4+ code. Please see the image below for more details on my setup. All VPN tunnels are up and sending traffic across from the immediate neighbor; the issue is that I cannot ping or access ASA3's subnet from ASA2's, or ASA2's subnet from ASA3's. What am I missing from my configuration? Please see below, and thank you in advance for any assistance you can provide with this.
ASA 3 VPN Config:
protocol esp integrity sha-1
crypto ipsec security-association pmtu-aging infinite
crypto map crypto_map 1 match address AS3_ACL
crypto map crypto_map 1 set peer 1.1.1.1
crypto map crypto_map 1 set ikev2 ipsec-proposal aes_256
crypto map crypto_map interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha256
group 2
prf sha256
lifetime seconds 86400
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 general-attributes
default-group-policy ipsec_group_policy
tunnel-group 1.1.1.1 ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
vpn-idle-timeout 6000
vpn-session-timeout none
vpn-tunnel-protocol ikev2
nat (inside,outside) source static all_inside_networks all_inside_networks destination static all_outside_networks all_outside_networks no-proxy-arp route-lookup
object-group network all_inside_networks
network-object 10.0.1.0 255.255.255.0
object-group network all_outside_networks
network-object 10.0.0.0 255.255.255.0
network-object 10.0.18.0 255.255.255.0
access-list ASA3_ACL extended permit ip object-group all_inside_networks object-group all_outside_networks
ASA1 VPN config:
crypto map crypto_map 1 match address ASA3_ACL
crypto map crypto_map 1 set peer 3.3.3.3
crypto map crypto_map 1 set ikev2 ipsec-proposal aes_256
crypto map crypto_map 2 match address ASA2_ACL
crypto map crypto_map 2 set peer 2.2.2.2
crypto map crypto_map 2 set ikev2 ipsec-proposal aes_256
crypto map crypto_map interface outside
tunnel-group 3.3.3.3 type ipsec-l2l
tunnel-group 3.3.3.3 general-attributes
default-group-policy ipsec_group_policy
tunnel-group 3.3.3.3 ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 general-attributes
default-group-policy ipsec_group_policy
tunnel-group 2.2.2.2 ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
access-list ASA3_ACL extended permit ip object-group all_inside_networks object-group ASA3
access-list ASA2_ACL extended permit ip object-group all_inside_networks object-group ASA2
nat (inside,outside) source static all_inside_networks all_inside_networks destination static all_outside_networks all_outside_networks no-proxy-arp route-lookup
object-group network all_outside_networks
network-object 10.0.1.0 255.255.255.0
network-object 10.0.18.0 255.255.255.0
object-group network ASA2
network-object 10.0.18.0 255.255.255.0
object-group network ASA3
network-object 10.0.1.0 255.255.255.0
object-group network all_inside_networks
network-object 10.0.0.0 255.255.255.0
tunnel-group 3.3.3.3 type ipsec-l2l
tunnel-group 3.3.3.3 general-attributes
default-group-policy ipsec_group_policy
tunnel-group 3.3.3.3 ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 general-attributes
default-group-policy ipsec_group_policy
tunnel-group 2.2.2.2 ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
group-policy ipsec_group_policy internal
group-policy ipsec_group_policy attributes
vpn-idle-timeout 6000
vpn-session-timeout none
vpn-tunnel-protocol ikev2
-
FlexVPN Cannot Ping From Spoke LAN only
Topology:
Hub:
(hub lan: 10.0.1.0/24) > (lan int [ip nat inside], g0/0: 10.0.1.1) > (flex interface, loopback100: 172.31.100.1) > (flex virtual interface, Virtual-Template1: ip unnumbered loopback100) > (wan int [ip nat outside], dialer0 - g0/1) > ISP
Spoke:
(hub lan: 10.0.3.0/24) > (lan int [ip nat inside], vlan1: 10.0.3.1) > (flex interface, Tunnel0 ip address negotiated, tunnel source vlan 1) > (wan int, dialer0 [ip nat inside] - f0/4) > ISP
I have full reachability from both routers.
Hub router can ping 172.31.100.x, 10.0.3.1 and hosts on 10.0.3.0/24 via standard ping, or extended and sourced from 10.0.1.1 or g0/0
Spoke router can ping 172.31.100.1, 10.0.1.1 and hosts on 10.0.1.0/24 via standard ping, or extended and sourced from 10.0.3.1 or vlan1
Partial reachability from lan hosts
Hub hosts can ping 172.31.100.x and 10.0.3.1, but not hosts on 10.0.3.0/24 (Possibly because host cannot reply to echo request?)
Spoke hosts cannot ping 172.31.100.1, 10.0.1.1 or hosts on 10.0.1.0/24
Any help would be appreciated
We've been working with these configs for a while, so they aren't as clean as they could be, but here they are
---HUB---
version 15.2
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname HUB
boot-start-marker
boot system flash:c1900-universalk9-mz.SPA.152-4.M5.bin
boot-end-marker
security authentication failure rate 3 log
security passwords min-length 6
enable secret xxxxx
aaa new-model
aaa group server radius FLEXVPN_AUTH-C_SERVER_GROUP
server-private 10.0.1.15 key xxxxx
aaa authentication login default local
aaa authentication login xxxxxVPN_VPN_XAUTH local
aaa authentication login FLEXVPN_AUTH-C_LIST group FLEXVPN_AUTH-C_SERVER_GROUP
aaa authorization exec default local
aaa authorization network default local
aaa authorization network xxxxxVPN_VPN_GROUP local
aaa authorization network FLEXVPN_AUTH-Z_LIST local
aaa session-id common
clock timezone CST -6 0
clock summer-time CDT recurring
clock calendar-valid
no ip source-route
no ip gratuitous-arps
ip cef
no ip bootp server
ip domain name xxxxx.net
ip name-server 166.102.165.13
ip name-server 166.102.165.11
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip name-server 4.2.2.1
no ipv6 cef
multilink bundle-name authenticated
vpdn enable
vpdn-group VPN_GROUP
key chain EIGRP_KEY_CHAIN
key 1
key-string xxxxx
crypto pki trustpoint FLEXVPN_RA_TP
enrollment terminal
serial-number none
fqdn vpn.xxxxx.net
ip-address none
subject-name cn=vpn.xxxxx.net
revocation-check crl
eckeypair FLEXVPN_RA_TP-Key
crypto pki certificate chain FLEXVPN_RA_TP
certificate 460000.. nvram:xxxxx#2.cer
certificate ca 59A43A15.. nvram:xxxxx#BC60CA.cer
license udi pid CISCO1921/K9 sn xxxxx
archive
path ftp://xxxxx
write-memory
username xxxxx privilege 15 password xxxxx
redundancy
crypto ikev2 authorization policy default
pool FLEX_SPOKES_POOL
route set interface
crypto ikev2 authorization policy FLEXVPN_RA_LOCAL_POLICY
pool FLEXVPN_RA_POOL
dns 10.0.1.15
netmask 255.255.255.0
def-domain xxxxx.net
route set access-list FLEXVPN_RA_ACL
crypto ikev2 proposal SHA1-only
encryption aes-cbc-256
integrity sha1
group 5
crypto ikev2 policy SHA1-only
match fvrf any
proposal SHA1-only
crypto ikev2 keyring FLEX_KEY
peer ALL
address 0.0.0.0 0.0.0.0
pre-shared-key local xxxxx
pre-shared-key remote xxxxx
crypto ikev2 profile FLEX_IKEv2
match identity remote address 0.0.0.0
authentication remote pre-share
authentication local pre-share
keyring local FLEX_KEY
aaa authorization group psk list default default
virtual-template 1
crypto ikev2 profile FLEXVPN_RA_IKEv2_PROFILE
match identity remote key-id xxxxx.net
identity local dn
authentication remote eap query-identity
authentication local rsa-sig
pki trustpoint FLEXVPN_RA_TP
dpd 60 2 on-demand
aaa authentication eap FLEXVPN_AUTH-C_LIST
aaa authorization group eap list FLEXVPN_AUTH-Z_LIST FLEXVPN_RA_LOCAL_POLICY
virtual-template 10
crypto ikev2 dpd 30 5 on-demand
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
crypto logging session
crypto isakmp client configuration group xxxxxVPN
key xxxxx
pool xxxxxVPN_POOL
acl xxxxxVPN_ACL
netmask 255.255.255.0
crypto isakmp profile xxxxxVPN_IKE_PROFILE
match identity group xxxxxVPN
client authentication list xxxxxVPN_VPN_XAUTH
isakmp authorization list xxxxxVPN_VPN_GROUP
client configuration address respond
virtual-template 100
crypto ipsec transform-set xxxxxVPN_SET esp-3des esp-sha-hmac
mode tunnel
crypto ipsec transform-set IKEv2 esp-gcm
mode transport
crypto ipsec profile xxxxxVPN_IPSEC_PROFILE
set transform-set xxxxxVPN_SET
set isakmp-profile xxxxxVPN_IKE_PROFILE
crypto ipsec profile FLEXVPN_RA_IPSEC_PROFILE
set ikev2-profile FLEXVPN_RA_IKEv2_PROFILE
crypto ipsec profile default
set transform-set IKEv2
set ikev2-profile FLEX_IKEv2
interface Loopback100
ip address 172.31.100.1 255.255.255.255
interface Embedded-Service-Engine0/0
no ip address
shutdown
interface GigabitEthernet0/0
ip address 10.0.1.1 255.255.255.0
no ip unreachables
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
interface Virtual-Template1 type tunnel
description FlexVPN hub-to-spokes
ip unnumbered Loopback100
ip mtu 1400
ip nhrp network-id 1
ip nhrp redirect
ip tcp adjust-mss 1360
tunnel path-mtu-discovery
tunnel protection ipsec profile default
interface Virtual-Template10 type tunnel
ip unnumbered GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile FLEXVPN_RA_IPSEC_PROFILE
interface Dialer0
mtu 1492
ip address negotiated
no ip unreachables
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1450
dialer pool 1
dialer idle-timeout 0
dialer persistent
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname [email protected]
ppp chap password xxxxx
ppp pap sent-username [email protected] password xxxxx
no cdp enable
router eigrp 1
distribute-list EIGRP_SUMMARY_PFLIST out Virtual-Template1
network 10.0.1.0 0.0.0.255
network 172.30.200.0 0.0.0.255
network 172.31.100.1 0.0.0.0
passive-interface GigabitEthernet0/0
ip local pool xxxxxVPN_POOL 172.30.255.1 172.30.255.254
ip local pool FLEX_SPOKES_POOL 172.31.100.10 172.31.100.254
ip local pool FLEXVPN_RA_POOL 172.30.200.1 172.30.200.254
ip forward-protocol nd
no ip http server
no ip http secure-server
ip dns server
ip nat inside source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 172.30.200.0 255.255.255.0 Null0
ip access-list standard FLEXVPN_RA_ACL
permit 10.0.1.0 0.0.0.255
permit 10.0.2.0 0.0.0.255
permit 10.0.3.0 0.0.0.255
permit 10.0.4.0 0.0.0.255
ip access-list standard MGMT_ACL
permit 172.30.200.0 0.0.0.255
permit 172.31.254.0 0.0.0.255
permit 10.0.1.0 0.0.0.255
ip access-list extended xxxxxVPN_ACL
permit ip 172.30.255.0 0.0.0.255 any
permit ip 10.0.1.0 0.0.0.255 any
permit ip 172.31.254.0 0.0.0.255 any
ip prefix-list EIGRP_SUMMARY_PFLIST seq 10 permit 10.0.1.0/24
ip prefix-list EIGRP_SUMMARY_PFLIST seq 20 permit 172.30.200.0/24
ip prefix-list EIGRP_SUMMARY_PFLIST seq 30 permit 172.31.100.1/32
access-list 1 permit 10.0.1.0 0.0.0.255
route-map EIGRP_SUMMARY_RMAP permit 10
match ip address prefix-list EIGRP_SUMMARY_PFLIST
control-plane
banner motd Cxxxxx
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class MGMT_ACL in
privilege level 15
transport input telnet ssh
line vty 5 15
transport input all
scheduler allocate 20000 1000
ntp update-calendar
ntp server 1.pool.ntp.org
ntp server 0.pool.ntp.org prefer
end
---SPOKE---
version 15.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname SPOKE
boot-start-marker
boot system flash:c880data-universalk9-mz.152-4.M5.bin
boot-end-marker
security authentication failure rate 3 log
security passwords min-length 6
enable secret xxxxx
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa authorization network default local
aaa session-id common
memory-size iomem 10
clock timezone CST -6 0
clock summer-time CDT recurring
clock calendar-valid
no ip source-route
no ip gratuitous-arps
no ip bootp server
ip domain name xxxxx.net
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip name-server 4.2.2.1
ip cef
no ipv6 cef
multilink bundle-name authenticated
key chain EIGRP_KEY_CHAIN
key 1
key-string xxxxx
license udi pid CISCO881-SEC-K9 sn FTX1740854N
archive
path ftp://xxxxx
write-memory
username xxxxx privilege 15 password xxxxx
crypto ikev2 authorization policy default
route set interface
crypto ikev2 keyring FLEX_KEY
peer ALL
address 0.0.0.0 0.0.0.0
pre-shared-key local xxxxx
pre-shared-key remote xxxxx
crypto ikev2 profile FLEX_IKEv2
match identity remote address 0.0.0.0
authentication remote pre-share
authentication local pre-share
keyring local FLEX_KEY
aaa authorization group psk list default default
virtual-template 1
crypto ikev2 dpd 30 5 on-demand
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
crypto ipsec transform-set IKEv2 esp-gcm
mode transport
crypto ipsec profile default
set transform-set IKEv2
set ikev2-profile FLEX_IKEv2
interface Loopback101
ip address 172.31.101.3 255.255.255.255
interface Tunnel0
description FlexVPN tunnel
ip address negotiated
ip mtu 1400
ip nhrp network-id 1
ip nhrp shortcut virtual-template 1
ip nhrp redirect
ip tcp adjust-mss 1360
delay 1000
tunnel source Vlan1
tunnel destination x.x.x.x
tunnel path-mtu-discovery
tunnel protection ipsec profile default
interface FastEthernet0
no ip address
interface FastEthernet1
no ip address
interface FastEthernet2
no ip address
interface FastEthernet3
no ip address
interface FastEthernet4
ip address dhcp
no ip unreachables
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
interface Virtual-Template1 type tunnel
description FlexVPN spoke-to-spoke
ip unnumbered Loopback101
ip nhrp network-id 1
ip nhrp shortcut virtual-template 1
ip nhrp redirect
tunnel protection ipsec profile default
interface Vlan1
ip address 10.0.3.1 255.255.255.0
ip helper-address 10.0.1.15
no ip unreachables
ip nat inside
ip virtual-reassembly in
ip forward-protocol nd
no ip http server
no ip http secure-server
ip dns server
ip nat inside source list INTERNET_BOUND_ACL interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 dhcp
ip access-list standard INTERNET_BOUND_ACL
permit 10.0.3.0 0.0.0.255
ip access-list standard MGMT_ACL
permit 172.30.255.0 0.0.0.255
permit 172.31.100.0 0.0.0.255
permit 10.0.1.0 0.0.0.255
permit 10.0.3.0 0.0.0.255
permit 172.30.200.0 0.0.0.255
access-list 99 permit 10.0.3.0
control-plane
banner motd xxxxx
line con 0
no modem enable
line aux 0
line vty 0 4
access-class MGMT_ACL in
privilege level 15
transport input telnet ssh
ntp update-calendar
ntp server 0.pool.ntp.org prefer
ntp server 1.pool.ntp.org
end
-
DMVPN split tunneling issue, not able to bypass HTTP traffic at the spoke end.
Dear all,
I would appreciate it if you could please help me resolve the following issue.
I have been using a DMVPN setup (routing protocol EIGRP) for 20 sites with no issue at all, and everything is working perfectly.
Now I received a request that I need to split corporate legitimate traffic and internet traffic at the spoke end, so all internet traffic has to be forwarded via the local ADSL connection. I tried to resolve it, but the spoke router is continuously forwarding all traffic into the tunnel.
Moreover, I found on the internet that DMVPN has the limitation that split tunneling is not possible.
Please can you suggest how I can forward internet traffic (HTTP) via the local ADSL connection?
Thanks and regards,
I agree with Marcin.
At the spoke you would need to add a static default route for the internet traffic. You are also, most likely, injecting a default route into the EIGRP process at the hub, but the static route at the spokes will override this as it has a lower metric. Depending on your setup, if the ADSL line is on a different interface than that of the DMVPN, you could leave the EIGRP default route and use it as a backup in case the ADSL goes down. But if they are both located off the same interface, then there is no point in keeping the injected default route.
Please remember to rate and select a correct answer
-
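Both the FlexVPN thread at the top of this page (a hub-pushed route to 192.168.1.0/24 displacing the spoke's own static route, fixed by raising the distance of routes received from the hub) and the split-tunneling reply above (a local static default beating the EIGRP-injected default) come down to the same route-selection rule: longest prefix match first, then lowest administrative distance. The following is an added example, not code from either thread or from Cisco; it is a toy RIB model. Cisco's well-known defaults (static 1, EIGRP internal 90, EIGRP external 170) are used for the known sources, while the distance of the FlexVPN-installed hub route is passed in as a parameter and is an assumption, as are the hub default being an external EIGRP route, the 10.10.0.0/16 corporate prefix and the interface names.

```python
"""Toy RIB: longest prefix match, then lowest administrative distance (AD).
Constructed example, not IOS code. Static/EIGRP ADs are Cisco's well-known
defaults; the AD of the route FlexVPN installs from the hub is an assumption
passed in by the caller."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List

AD_STATIC = 1
AD_EIGRP_INTERNAL = 90
AD_EIGRP_EXTERNAL = 170


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    next_hop: str      # next-hop address or egress interface, as a label
    source: str        # "static", "flexvpn", "eigrp"
    distance: int      # administrative distance


class Rib:
    def __init__(self) -> None:
        self.candidates: List[Route] = []

    def install(self, route: Route) -> None:
        self.candidates.append(route)

    def best_for_prefix(self, prefix: IPv4Network) -> List[Route]:
        """Candidates for exactly this prefix that share the lowest AD.
        More than one result means both paths stay usable (equal AD)."""
        same = [r for r in self.candidates if r.prefix == prefix]
        if not same:
            return []
        lowest = min(r.distance for r in same)
        return [r for r in same if r.distance == lowest]

    def lookup(self, dst: str) -> List[Route]:
        """Longest prefix wins regardless of AD; AD only decides between
        routes to the same prefix."""
        addr = IPv4Address(dst)
        matching = [r for r in self.candidates if addr in r.prefix]
        if not matching:
            return []
        longest = max(matching, key=lambda r: r.prefix.prefixlen).prefix
        return self.best_for_prefix(longest)


def flexvpn_spoke(hub_route_distance: int) -> List[str]:
    """First thread: the spoke's own static route to 192.168.1.0/24 via
    10.1.1.1, plus the same prefix received from the hub via Tunnel0."""
    rib = Rib()
    rib.install(Route(IPv4Network("192.168.1.0/24"), "10.1.1.1", "static", AD_STATIC))
    rib.install(Route(IPv4Network("192.168.1.0/24"), "Tunnel0", "flexvpn", hub_route_distance))
    return sorted(r.next_hop for r in rib.lookup("192.168.1.10"))


def dmvpn_split_tunnel(local_default: bool) -> List[str]:
    """Split-tunneling thread: EIGRP-learned default via the DMVPN tunnel
    (assumed redistributed, hence external AD; internal AD 90 would give the
    same outcome), a constructed corporate prefix via the tunnel, and
    optionally a local static default via the ADSL dialer."""
    rib = Rib()
    rib.install(Route(IPv4Network("0.0.0.0/0"), "Tunnel0", "eigrp", AD_EIGRP_EXTERNAL))
    rib.install(Route(IPv4Network("10.10.0.0/16"), "Tunnel0", "eigrp", AD_EIGRP_INTERNAL))
    if local_default:
        rib.install(Route(IPv4Network("0.0.0.0/0"), "Dialer0", "static", AD_STATIC))
    internet = rib.lookup("203.0.113.5")[0].next_hop    # internet host (TEST-NET-3, constructed)
    corporate = rib.lookup("10.10.5.5")[0].next_hop     # corporate host (constructed)
    return [internet, corporate]


if __name__ == "__main__":
    print("FlexVPN, hub route AD 1  :", flexvpn_spoke(1))
    print("FlexVPN, hub route AD 250:", flexvpn_spoke(250))
    print("DMVPN, EIGRP default only:", dmvpn_split_tunnel(False))
    print("DMVPN, plus local static :", dmvpn_split_tunnel(True))
```

With the hub route at the same AD as the local static, Tunnel0 remains a usable path to 192.168.1.0/24 on the spoke, which is the loop back towards the center; raising the hub route's distance leaves only the local next hop. In the DMVPN case the static default wins over the EIGRP default by AD, while the more specific corporate prefix keeps pointing into the tunnel, which is exactly the split-tunnel behaviour the reply describes.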
Internet access via hairpinning for Spoke to Hub IPSec VPN
I have a hub and spoke configuration with a number of site-to-site IPsec VPNs from 857's terminating on an 1811 at the hub. Also in the mix is a client-to-site (EZVPN) which also terminates at the hub.
I need to ensure all traffic destined for the internet goes out through the hub 1811. I've looked at trying to use a form of hairpinning so that "interesting traffic" from remote sites gets NATted at the hub router to the internet.
I have seen a number of configurations (in these forums) where internet-directed traffic from EZVPN clients is forced via a hairpin out via the hub router. I am trying to emulate that feature with the site-to-site IPSec VPNs - where internet directed traffic from spokes must go through the hub router, and not be permitted to go directly to the internet from the spoke routers.
Attached are configs for the hub router and one of the spoke routers, and a pdf diagram.
I can get traffic to the internet (in my test lab) from the loopback connector (1.1.1.1) by extended pings, and I have connectivity from the spoke1 LAN to the hub LAN (pings again), but not from the spoke1 LAN to the internet via the hub router.
Thanks in advance for any help
Phil
Thanks, guys. Yes, those two access lists did need some attention.
I've changed the access list on the spoke router from
access-list 120 permit ip 192.168.8.0 0.0.0.255 192.168.0.0 0.0.255.255
to
access-list 120 permit ip 192.168.8.0 0.0.0.255 any
which allows traffic from the spoke lan out to the internet via the hub router. I've also taken NAT off the spoke router.
But I also need to change the matching access list on the hub router. I changed the old access list from
access-list 121 permit ip 192.168.0.0 0.0.255.255 192.168.8.0 0.0.0.255
to
access-list 121 permit ip any 192.168.8.0 0.0.0.255
but I couldn't pass any traffic over the VPN. If I remove access-list 121 completely, then traffic does pass, but the crypto map on the hub router becomes "incomplete".
When the tunnel is up, and passing traffic, I can ping an internet address (in my lab), but not all traffic is getting through. Every second ping times out, often there are 3 or 4 pings that time out.
Any suggestions as to what to do with the access list (121) on the hub router, and what can I do to get more reliable results (i.e. get every ping to work)?
TIA
Phil -
DMVPN Hub and Spoke behind NAT device
Hi All,
I have seen many documents about DMVPN hub behind NAT or DMVPN spoke behind NAT.
But my case involves both situations.
1) HUB has a load balancer (2 WAN links), ISP A & B
2) Spoke has a load balancer (2 WAN links), ISP A & B
Now the requirement is: Spoke ISP A tunnel to HUB ISP A, Spoke ISP B tunnel to HUB ISP B.
So a total of two DMVPN tunnels from spoke to hub, and I will use EIGRP and PBR to select the path.
As I know, at the HUB site the LB must do static NAT for the HUB router IP, so the spoke will point to it as the tunnel destination address. At the spoke LB, I will do policy routing to reach the HUB ISP A IP via the Spoke ISP A link and the HUB ISP B IP via the Spoke ISP B link.
HUB and spoke have to create 2 tunnels with two different network IDs but using the same source interface.
The tunnel destination IP at the spoke router does not directly belong to the HUB router. It is held by the HUB LB and forwarded to the HUB router by static NAT.
Will I face any problems with this setup? Any guide?
Sample config at HUB.
interface Tunnel0
bandwidth 1000
ip address 172.16.1.1 255.255.255.0
ip mtu 1440
ip nhrp authentication cisco123
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip nhrp holdtime 600
delay 1000
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 0
tunnel protection ipsec profile cisco
interface Tunnel1
bandwidth 1000
ip address 172.17.1.1 255.255.255.0
ip mtu 1440
ip nhrp authentication cisco123
ip nhrp map multicast dynamic
ip nhrp network-id 2
ip nhrp holdtime 600
delay 1000
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 1
tunnel protection ipsec profile cisco
Spoke Config
interface Tunnel0
bandwidth 1000
ip address 172.16.1.2 255.255.255.0
ip mtu 1440
ip nhrp authentication cisco123
ip nhrp map 172.16.1.1 199.1.1.1
ip nhrp network-id 1
ip nhrp holdtime 300
ip nhrp nhs 172.16.1.1
delay 1000
tunnel source FastEthernet0/0
tunnel destination 199.1.1.1
tunnel key 0
tunnel protection ipsec profile cisco
interface Tunnel1
bandwidth 1000
ip address 172.17.1.2 255.255.255.0
ip mtu 1440
ip nhrp authentication cisco123
ip nhrp map 172.17.1.1 200.1.1.1
ip nhrp network-id 2
ip nhrp holdtime 300
ip nhrp nhs 172.17.1.1
delay 1500
tunnel source FastEthernet0/0
tunnel destination 200.1.1.1
tunnel key 1
tunnel protection ipsec profile cisco
Hi Marcin,
Thanks for your reply. The NAT was set up that way just to simulate the spoke being behind a NAT device.
About AH and ESP, you are correct there... this was actually my issue. I should have used pure ESP. In the end, TAC actually assisted me with this. Before I called TAC, I noticed the following. ISAKMP traffic was NATed to 3.3.3.3, as expected. Anything after that did not work, and it has to do with NAT and AH. Traffic was no longer NATed, so the hub saw the traffic come from 2.2.2.2 rather than 3.3.3.3; you can also see that in the error message you pointed out. I also saw it in my packet captures. That caught my eye and I started troubleshooting it. I did not understand that AH can't be NATed. Below is TAC's explanation. All is good now. Thanks.
"Essentially, it comes down to the fact that AH will encapsulate the entire IP packet (hence why it is the outermost header) with the exception of a few mutable fields, including the DSCP/ToS, ECN, flags, fragment offset, TTL, and the header checksum. Since the source/destination IP addresses & port numbers are actually protected by the AH integrity checking, this means that a device performing a NAT operation on the packet will alter these IP header fields and effectively cause the hub router to drop the packet due to AH failure.
Conversely, ESP traffic is able to properly traverse NAT because it doesn't include the IP header addresses & ports in its integrity check. In addition, ESP doesn't need to be the outermost header of the packet in order to work, which is why devices will attach an outer UDP/4500 header on the traffic going over NAT."
-
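The TAC explanation quoted in the thread above can be made concrete with a small model of what each protocol's integrity check value (ICV) actually covers. The following is an added example, not code from the thread, from TAC or from any IPsec implementation: it builds a bare IPv4 header, computes an AH-style ICV over the header with the mutable fields (ToS/ECN, flags and fragment offset, TTL, checksum) zeroed as RFC 4302 requires, and an ESP-style ICV over the ESP bytes only, then passes the packet through a simulated NAT that rewrites the source address. The HMAC key, the payloads, the address roles (spoke 2.2.2.2, NAT 3.3.3.3, hub 1.1.1.1 follow the thread) and the use of HMAC-SHA-256 truncated to 96 bits are all constructed assumptions for the demonstration.

```python
"""Toy model of the integrity check AH and ESP perform, showing why AH fails
behind NAT while ESP passes. Constructed example, not real IPsec code."""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address
from typing import Callable

KEY = b"constructed-demo-key"   # constructed; stands in for the SA's auth key
PROTO_ESP, PROTO_AH = 50, 51


def ipv4_header(src: str, dst: str, proto: int, ttl: int = 64, tos: int = 0) -> bytes:
    """20-byte IPv4 header: ver/IHL, ToS, total length, id, flags/frag, TTL,
    protocol, checksum (left 0 in this toy), source, destination."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 60, 0x1234, 0x4000, ttl,
                       proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)


def ah_immutable_view(hdr: bytes) -> bytes:
    """AH (RFC 4302) zeroes the mutable fields before computing its ICV:
    ToS/ECN, flags + fragment offset, TTL and header checksum. The source and
    destination addresses are immutable and therefore remain covered."""
    b = bytearray(hdr)
    b[1] = 0                  # ToS / DSCP / ECN
    b[6:8] = b"\x00\x00"      # flags + fragment offset
    b[8] = 0                  # TTL
    b[10:12] = b"\x00\x00"    # header checksum
    return bytes(b)


def ah_icv(hdr: bytes, payload: bytes) -> bytes:
    return hmac.new(KEY, ah_immutable_view(hdr) + payload, hashlib.sha256).digest()[:12]


def esp_icv(esp_bytes: bytes) -> bytes:
    """ESP's ICV covers the ESP header and payload only, never the outer IP
    header, so a rewritten outer address cannot invalidate it."""
    return hmac.new(KEY, esp_bytes, hashlib.sha256).digest()[:12]


def nat_src_rewrite(hdr: bytes, new_src: str) -> bytes:
    """A NAT device on the path: rewrite the source address and decrement TTL."""
    b = bytearray(hdr)
    b[12:16] = IPv4Address(new_src).packed
    b[8] -= 1
    return bytes(b)


def plain_hop(hdr: bytes) -> bytes:
    """An ordinary router on the path: decrement TTL and remark ToS, no NAT."""
    b = bytearray(hdr)
    b[8] -= 1
    b[1] = 0x28
    return bytes(b)


def ah_verifies(spoke: str, hub: str, path: Callable[[bytes], bytes]) -> bool:
    """Does the hub's AH check pass after the outer header crossed `path`?"""
    payload = b"GRE keepalive (constructed payload)"
    sent_hdr = ipv4_header(spoke, hub, PROTO_AH)
    icv = ah_icv(sent_hdr, payload)              # computed by the spoke
    recv_hdr = path(sent_hdr)                    # header as the hub sees it
    return hmac.compare_digest(icv, ah_icv(recv_hdr, payload))


def esp_verifies(spoke: str, hub: str, path: Callable[[bytes], bytes]) -> bool:
    """Same path, but the ICV is bound only to the ESP bytes."""
    esp_bytes = b"\x00\x00\x10\x01" + b"\x00\x00\x00\x01" + b"ciphertext (constructed)"
    sent_hdr = ipv4_header(spoke, hub, PROTO_ESP)
    icv = esp_icv(esp_bytes)
    recv_hdr = path(sent_hdr)                    # outer header changed, ESP bytes untouched
    assert recv_hdr[9] == PROTO_ESP
    return hmac.compare_digest(icv, esp_icv(esp_bytes))


if __name__ == "__main__":
    nat = lambda h: nat_src_rewrite(h, "3.3.3.3")
    print("AH, plain router on path :", ah_verifies("2.2.2.2", "1.1.1.1", plain_hop))
    print("AH, NAT on path          :", ah_verifies("2.2.2.2", "1.1.1.1", nat))
    print("ESP, NAT on path         :", esp_verifies("2.2.2.2", "1.1.1.1", nat))
```

The first case shows that ordinary hop-by-hop changes (TTL, ToS) do not break AH, because those fields are excluded from the ICV; the second shows that a source-address rewrite does, since the addresses are covered; the third shows that the same rewrite leaves ESP's ICV intact, which is why ESP (with NAT-T's UDP/4500 encapsulation) is the workable choice for a spoke behind NAT.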
[rspan in 'hub+spoke' topology]
Hi,
I have the topology depicted in the attached drawing.
What we want to achieve is to enable rspan to replicate monitored traffic from access switches (3550 spokes) to a core switch (6500 hub).
The configuration in general is working and looks like this:
HUB:
monitor session 1 destination interface Gix/y
monitor session 1 source remote vlan z
SPOKES:
monitor session 1 source interface Gix/y
monitor session 1 destination remote vlan z
As stated previously, the environment is working, but... we're having one problem. The uplinks from the spokes to the hub are almost full. After doing some troubleshooting, we found that SPAN traffic is being replicated by the hub to the spokes. The reason I say this is that when I remove the RSPAN VLAN (on the core switch) from the uplink to the hubs, the output traffic from core to access (or input on the access switches) goes down by the same amount being received by the network analyzer. When I add the VLAN on the uplink trunk again, the traffic going out of the core to the access switches goes up by the same amount being sent to the network analyzer.
Like I said, the RSPAN part seems to be working fine, but the uplinks to the access switches are getting full because the hub switch is copying the SPAN traffic to all uplinks, which is not what we want.
Two questions here:
1.- Is this the way rspan is supposed to work in this environment?
2.- if not, is there a way to turn off this behavior or does it sound like a bug to you?
Thanks in advance!
c.
Hello,
in Hub and Spoke - as in any other L3VPN - traffic will flow in the opposite direction of IP routing updates. In a Hub and Spoke setup the spoke sites should get routing updates from the hub site. Thus one faces a split horizon problem: updates learned at the hub CE from a neighbor (PE) will not be sent back over the same interface to that neighbor. Hence the simple solution is: one VRF and interface to announce spoke routes from the PE to the hub CE and another interface terminating in a second VRF to announce the routes from the hub CE back into the MPLS VPN environment.
Just as a side note: this results in an unusual load pattern on the two hub CE interfaces. Both interfaces will have nearly only load in one direction.
Hope this helps! Please rate all posts.
Regards, Martin -
DMVPN Spoke with 2 internet link
Hi All,
I am stuck in a situation where we have 2 hubs, one in HQ and one in the DR site. Both hubs are configured to have different DMVPN clouds. We have some branches with two internet links, one ADSL and another 3G.
I want to set up DMVPN in such a way that if ADSL goes down, the DMVPN tunnel should come up via 3G.
What I know is I would require different tunnels on the spoke for achieving this. Currently on each spoke I have two tunnels, one terminates on HQ and another terminates on DR, and both are live. I am managing routes via EIGRP.
My question is, do I need to create another DMVPN cloud for this to work, as I cannot use the same subnet IP on the new tunnels which will have 3G as source? Or shall I create a new subnet for the tunnels which will work over 3G?
If I create a new tunnel for the 3G network, then what will be the configuration on HQ & DR, as we have only one internet link on DR & HQ?
Can anybody help me on this?
Just need an idea how to achieve it. My full DMVPN is working over the internet, no private MPLS.
Hi Jain,
You can have HQ and DR in the same DMVPN cloud. In HQ, do a static NHRP map to DR and vice versa.
On the spoke routers, create two static NHRP maps and two NHS entries:
interface Tunnel0
 description Spoke
 ip nhrp map multicast HQ-WAN-IP
 ip nhrp map HQ-Tunnel-IP HQ-WAN-IP
 ip nhrp map multicast DR-WAN-IP
 ip nhrp map DR-Tunnel-IP DR-WAN-IP
 ip nhrp network-id 123
 ip nhrp holdtime 60
 ip nhrp nhs HQ-Tunnel-IP
 ip nhrp nhs DR-Tunnel-IP
This will allow you to use one DMVPN cloud for two hubs.
Secondly, for spoke failover to 3G, you would need to create another DMVPN tunnel at the hub and spoke router.
At the hub, use a different tunnel IP, but the tunnel source will be the same. In order for this to work, I suggest you use DMVPN over IPsec. Use a different tunnel key and ip nhrp network-id for each tunnel interface. Use the "shared" keyword when applying the IPsec profile on the tunnel interface.
Sample config at the hub (I only show the difference in the tunnel config):
interface Tunnel0
 description ***Primary Tunnel***
 ip address x.x.x.x
 ip nhrp network-id 1
 tunnel key 1
 tunnel protection ipsec profile TN-DMVPN shared
interface Tunnel1
 description ***Primary Tunnel***
 ip address y.y.y.y
 ip nhrp network-id 2
 tunnel key 2
 tunnel protection ipsec profile TN-DMVPN shared
At the spoke, you configure the same as the primary tunnel, but make sure to change the network-id and tunnel key. Here, you may not need to use the "shared" keyword when applying the IPsec profile.
Hope this helps.
Regards,
Nagis -
DMVPN Configuration with ASA 5510 In Front of Cisco 877-K9 HUB Router
Hi Guys,
I'm in a mess, I have Cisco 877-K9 router which sits behind an ASA 5510 FW.
The Design :
Cisco 877-K9 DSL router (DSL with Static IP) ( DMVPN HUB )
||
ASA 5510 Firewall (Outside INT with Static IP / Inside INT LAN) (PAT & ACL)
||
Switch
||
LAN
Now my problem is, my DMVPN configuration works just fine; I'm able to ping from my Cisco 877 to any spoke and vice versa.
I'm also able to ping from my LAN to any spoke tunnel IP, but I'm not able to ping any LAN IP at the spoke site, nor am I able to ping my LAN from any spoke site.
I've googled a lot but have only come across designs where the ASAs are behind the Cisco routers and not in front.
Any help in this regards is highly appreciated. I really need this to work. Attached are the config files....
Thanks,
Aj.
Thanks to both of you guys for replying. I should've been more descriptive in my initial post, but just thought of getting more ideas.
All the troubleshooting was done before posting the problem, and to clarify things, please find the results below.
1) What routing protocol are you using?
a) It's OSPF
2) If you're using OSPF, try show ip route on the hub and spoke to verify the hub/spoke routes are learned via OSPF
a) I did the "show ip route" and both the HUB and Spokes get their routes defined
(on the HUB if I used "network 192.9.201.0 255.255.255.0 area 0" I couldn't get routes advertised on spokes)
(I changed to "redistribute static subnets" and I was able to get Hub routes advertised)
3) are your tunnels config correctly? try show crypto ipsec sa
a) They are as they should be and "show crypto ipsec sa" comes up with proper in/out encrypted data
4) On your hub/spoke do a debug ip icmp
a) Did that as well, and If I do a debug on a Spoke and ping from my HUB to that spoke on the tunnel IP, I get proper src/dest results, but If I ping from HUB to Spoke on a client IP behind the Spoke, It pings but does not show any result on the Spoke debug.
I'm able to ping all the Spoke's Tunnel IPs and clients behind the Spokes from the HUB router, but not from either the ASA nor the clients on my LAN.
Additional to the info above, Please also note :
I did notice something that, from my HUB router, which is also my DSL Modem, I'm unable to ping any clients behind the ASA.
So I guess I'm stuck on the point that My Cisco HUB is unable to talk to my LAN, If I can get the HUB to talk to the internal LAN, I would be able to ping clients on LAN from any Spoke or clients behind Spokes.
From HUB router I'm able to ping clients behind Spokes.
Does that give any Ideas ?
Thanks in Advance.
Aj. -
Cannot console in or telnet to Router
Router console connection will not open and connect. Cannot telnet to the Router as well. Any suggestions? This is on a frame relay hub and spoke router that is in production. Thanks!
Speed in the terminal emulation software could be the issue, and flow control should be set to none. Also, it could be caused by memory problems. If memory gets highly utilized or fragmented, telnet and console sessions won't open and the only fix is a reboot.
-
DMVPN Hub router with static NAT
Hi everyone,
I'm trying to set up a lab environment to establish a DMVPN. I have two Cisco 2811 routers, IOS version 12.4(3j). I need to configure those routers to establish a DMVPN. For the spoke router, I have an ISP that provides dynamic addressing. For the hub router, I have a public static IP address assigned by the ISP. But I have a Watchguard firewall in the middle doing static 1-to-1 NAT for that address. Now the questions are:
1) Can I establish the DMVPN between the routers with that firewall in the middle?
2) In case it is possible, what will the physical hub address be? And is there something I need to change on the firewall configuration?
3) In case it isn't possible, what other options do I have to establish a VPN tunnel between the routers in those conditions?
If there is anything else you need to know to understand the situation, please ask. I haven't configured either of the routers yet, because I think I need to be sure of these concepts first. Thanks for any help you could bring.
Gustavo!
-
Help! My 2691xm router is deaf to ISAKMP
Hello.
I am trying to set up a DMVPN.
The setup is the following:
1751-V is a spoke - c1700-advsecurityk9-mz.124-15.T14.bin
2691xm is a hub - c2691-advsecurityk9-mz.124-15.T14.bin
As I stated in the title, my client's 2691xm router is deaf to ISAKMP. It is configured as a hub for DMVPN, and doesn't show that it is receiving anything VPN-related. The 1751-V on the other hand is very noisy, sending out a lot of IKE requests to the 2691xm.
I made the 1751-V talk to my home's 1751-V with a slightly modified version of the 2691xm's config without any problems. I didn't get access through the VPN quite yet, but they at least got through ISAKMP.
I turned on "debug dmvpn all all" and "term mon", and I get NO output from the 2691xm.
I also get nothing from "show crypto isakmp sa".
I thought the traffic might be blocked by the ISP. I called and asked, and it isn't.
I thought the traffic might be stopped at the firewall, so I set the relevant ports to log traffic as evident in the next paste.
router-1#show access-list INTERNET_IN
Extended IP access list INTERNET_IN
70 permit udp any any eq isakmp log (2576 matches)
80 permit gre any any log
90 permit esp any any log
So I AM getting traffic through to the router, but my router isn't reacting to it?
Below are snippets of relevant configs.
HUB:
Internet: int fa0/1 - T1 w/ static IP through ethernet
LAN : int fa0/0 - lan 192.168.20.1
ip multicast-routing
crypto isakmp policy 100
 encr aes 256
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key ABCD address 0.0.0.0 no-xauth
crypto ipsec transform-set TRANSFORM_1 esp-aes 256 esp-sha-hmac
crypto ipsec profile PROFILE_1
 set security-association lifetime seconds 600
 set transform-set TRANSFORM_1
 set pfs group2
interface Tunnel0
 ip pim sparse-mode
 bandwidth 1536
 ip address 10.0.20.20 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source fa0/1
 tunnel mode gre multipoint
 tunnel protection ipsec profile PROFILE_1
 ip nhrp map multicast dynamic
 ip nhrp network-id 20
 ip nhrp holdtime 600
 ip nhrp authentication ABCD
 ip hold-time eigrp 1 35
 no ip next-hop-self eigrp 1
 no ip split-horizon eigrp 1
router eigrp 1
 network 10.0.20.0 0.0.0.255
 network 192.168.20.0 0.0.0.255
 no auto-summary
ip access-list extended NAT_TRAFFIC
 deny ip 192.168.20.0 0.0.0.255 192.168.22.0 0.0.0.255
 permit ip 192.168.20.0 0.0.0.255 any
route-map NONAT permit 10
 match ip address NAT_TRAFFIC
ip nat inside source route-map NONAT interface fa0/1 overload
SPOKE:
Internet: int dialer0 - DSL, PPPoE, DHCP
LAN : int vlan0 - 192.168.22.1
ip multicast-routing
crypto isakmp policy 100
 encr aes 256
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key ABCD address 0.0.0.0 no-xauth
crypto ipsec transform-set TRANSFORM_1 esp-aes 256 esp-sha-hmac
crypto ipsec profile PROFILE_1
 set security-association lifetime seconds 600
 set transform-set TRANSFORM_1
 set pfs group2
interface Tunnel0
 ip pim sparse-mode
 bandwidth 1536
 ip address 10.0.20.22 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source d0
 tunnel mode gre multipoint
 tunnel protection ipsec profile PROFILE_1
 ip nhrp map 10.0.20.20 2691_WAN_IP
 ip nhrp map multicast 2691_WAN_IP
 ip nhrp network-id 20
 ip nhrp holdtime 600
 ip nhrp nhs 10.0.20.20
 ip nhrp authentication ABCD
 ip hold-time eigrp 1 35
 no ip next-hop-self eigrp 1
 no ip split-horizon eigrp 1
router eigrp 1
 network 10.0.20.0 0.0.0.255
 network 192.168.22.0 0.0.0.255
 no auto-summary
 eigrp stub connected
ip access-list extended NAT_TRAFFIC
 deny ip 192.168.22.0 0.0.0.255 192.168.20.0 0.0.0.255
 permit ip 192.168.22.0 0.0.0.255 any
route-map NONAT permit 10
 match ip address NAT_TRAFFIC
ip nat inside source route-map NONAT interface Dialer0 overload
As I previously said, 2691xm DOES NOT REACT. Only thing I have been able to determine is the router DOES NOT block traffic on port 500 UDP.
Here is some output from 1751-v (spoke router).
ISAKMP: set new node 0 to QM_IDLE
ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 1751_WAN_IP, remote 2691_WAN_IP)
ISAKMP: Error while processing SA request: Failed to initialize SA
ISAKMP: Error while processing KMI message 0, error 2.
ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
ISAKMP (0:0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
router-1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
2691_WAN_IP 1751_WAN_IP MM_NO_STATE 0 0 ACTIVE
2691_WAN_IP 1751_WAN_IP MM_NO_STATE 0 0 ACTIVE (deleted)
The 1751-v works with another 1751-v (to an extent), just not the 2691xm I need it to work with.
Please help as this is driving me CRAZY!!!!
I would appreciate ANY suggestions/comments/criticisms/hypotheses/requests/ANYTHING!!!!
-Vittorio
Here is the requested information:
interface Tunnel0
 bandwidth 1536
 ip address 10.0.20.20 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip hold-time eigrp 1 35
 no ip next-hop-self eigrp 1
 ip pim sparse-mode
 ip nhrp authentication ABADCADS
 ip nhrp map multicast dynamic
 ip nhrp network-id 20
 ip nhrp holdtime 600
 ip tcp adjust-mss 1360
 no ip split-horizon eigrp 1
 tunnel source FastEthernet0/1
 tunnel mode gre multipoint
 tunnel protection ipsec profile PROFILE_1
interface FastEthernet0/0
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
interface FastEthernet0/1
 ip address INTERNET_ADDRESS 255.255.255.248
 ip access-group INTERNET_IN in
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
router eigrp 1
 network 10.0.20.0 0.0.0.255
 network 192.168.20.0
 no auto-summary
ip access-list extended INTERNET_IN
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 permit tcp any any established
 permit udp any eq domain any
 permit udp any any eq ntp
 permit udp any any eq isakmp log
 permit gre any any log
 permit esp any any log
 permit udp any eq ntp any
 permit tcp any any eq 22
 deny ip any any log-input
ip access-list extended NAT_TRAFFIC
 deny ip 192.168.20.0 0.0.0.255 192.168.21.0 0.0.0.255
 deny ip 192.168.20.0 0.0.0.255 192.168.22.0 0.0.0.255
 permit ip 192.168.20.0 0.0.0.255 any
ip nat inside source route-map NONAT interface FastEthernet0/1 overload
Thank you, please tell me if you need anything else
-Vittorio
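Two of the threads above turn on a small set of tunnel settings lining up. Nagis's 3G failover design needs two hub tunnels that reuse one source interface to carry distinct tunnel keys and NHRP network-ids, with the IPsec profile bound using the "shared" keyword; and a spoke whose hub never answers, as in Vittorio's thread, is worth comparing against the hub for the values that must agree end to end, the GRE tunnel key and the NHRP authentication string. The script below is an added example written for this page, not Cisco tooling or any poster's code. It parses constructed hub and spoke config fragments (the interface names, keys, network-ids and authentication strings are made up for the example) and reports where those settings disagree.

```python
"""Consistency checks for DMVPN tunnel interfaces (hypothetical helper).

Parses 'interface Tunnel...' blocks from IOS-style config text and applies:
  1. hub tunnels sharing one source interface: distinct tunnel keys,
     distinct NHRP network-ids, and 'shared' on the IPsec profile binding;
  2. spoke vs hub: GRE tunnel key and NHRP authentication must match.
"""
import re
from collections import defaultdict

# Constructed sample (not from a real device): two hub tunnels sourced from
# FastEthernet0/1; Tunnel1 is missing the 'shared' keyword on purpose.
HUB_CONFIG = """
interface Tunnel0
 ip nhrp authentication HUB-KEY
 ip nhrp network-id 1
 tunnel source FastEthernet0/1
 tunnel key 1
 tunnel protection ipsec profile TN-DMVPN shared
interface Tunnel1
 ip nhrp authentication HUB-KEY
 ip nhrp network-id 2
 tunnel source FastEthernet0/1
 tunnel key 2
 tunnel protection ipsec profile TN-DMVPN
"""

# Constructed spoke: correct tunnel key, but a different NHRP authentication
# string and network-id from the hub's Tunnel0 it points at.
SPOKE_CONFIG = """
interface Tunnel0
 ip nhrp authentication SPOKE-KEY
 ip nhrp network-id 20
 ip nhrp nhs 10.0.20.20
 tunnel source Dialer0
 tunnel key 1
 tunnel protection ipsec profile TN-DMVPN
"""


def parse_tunnels(config):
    """Return {name: fields} for each Tunnel block; other commands are skipped."""
    tunnels, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := re.match(r"interface (\S+)", line):
            current = None                      # any interface ends the block
            if m.group(1).lower().startswith("tunnel"):
                current = tunnels.setdefault(
                    m.group(1), {"nhs": [], "ipsec_shared": False})
            continue
        if current is None:
            continue
        if m := re.match(r"ip nhrp network-id (\d+)", line):
            current["network_id"] = int(m.group(1))
        elif m := re.match(r"ip nhrp authentication (\S+)", line):
            current["nhrp_auth"] = m.group(1)
        elif m := re.match(r"ip nhrp nhs (\S+)", line):
            current["nhs"].append(m.group(1))
        elif m := re.match(r"tunnel key (\d+)", line):
            current["tunnel_key"] = int(m.group(1))
        elif m := re.match(r"tunnel source (\S+)", line):
            current["source"] = m.group(1)
        elif m := re.match(r"tunnel protection ipsec profile (\S+)( shared)?$", line):
            current["ipsec_profile"] = m.group(1)
            current["ipsec_shared"] = m.group(2) is not None
    return tunnels


def check_hub(tunnels):
    """Rule 1: tunnels that reuse one physical source must be distinguishable."""
    findings, by_source = [], defaultdict(list)
    for name, t in tunnels.items():
        if "source" in t:
            by_source[t["source"]].append(name)
    for source, names in by_source.items():
        if len(names) < 2:
            continue
        for field, label in (("tunnel_key", "tunnel keys"),
                             ("network_id", "NHRP network-ids")):
            values = [tunnels[n].get(field) for n in names]
            if len(set(values)) != len(values):
                findings.append(f"{source}: {names} do not use distinct {label}")
        for n in names:
            if "ipsec_profile" in tunnels[n] and not tunnels[n]["ipsec_shared"]:
                findings.append(f"{n}: IPsec profile needs 'shared' (source {source} is reused)")
    return findings


def check_spoke_against_hub(spoke, hub):
    """Rule 2: key and NHRP auth must match; network-id is only locally
    significant, so a difference is reported as advisory, not as an error."""
    findings = []
    for field, label in (("tunnel_key", "tunnel key"),
                         ("nhrp_auth", "NHRP authentication string")):
        if spoke.get(field) != hub.get(field):
            findings.append(f"mismatch: {label} differs between spoke and hub")
    if spoke.get("network_id") != hub.get("network_id"):
        findings.append(f"advisory: NHRP network-id differs "
                        f"(spoke {spoke.get('network_id')}, hub {hub.get('network_id')})")
    return findings


if __name__ == "__main__":
    hub, spoke = parse_tunnels(HUB_CONFIG), parse_tunnels(SPOKE_CONFIG)
    for finding in check_hub(hub) + check_spoke_against_hub(spoke["Tunnel0"], hub["Tunnel0"]):
        print(finding)
```

To use it on a live pair of routers, replace the two constants with the text of show running-config from the hub and the spoke and pass the spoke tunnel together with the hub tunnel its ip nhrp nhs points at. A tunnel key or NHRP authentication mismatch is reported as a hard finding; the network-id comparison is advisory only, since that value is locally significant and is merely kept equal by convention.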