Today my colleague and I were troubleshooting why EIGRP did not work over a Cisco DMVPN connection between two sites. We saw that the Cisco routers could establish the IPsec tunnel with the VPN crypto configuration, so we assumed the connection was fine, but the routing still did not work: no traffic passed from site 1 to site 2 or back.
I thought OSPF might work instead, and it did.
Below is a sample configuration for a DMVPN connection with OSPF routing.
First the Hub configuration
aaa new-model
!
aaa authentication login cvpn local
aaa authentication login default local
aaa authentication ppp default local
aaa authorization network default local
!
aaa session-id common
!
crypto keyring CK_DMVPN
  pre-shared-key address 0.0.0.0 0.0.0.0 key <your key>
crypto logging session
crypto logging ezvpn
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp fragmentation
crypto isakmp nat keepalive 15
!
crypto isakmp client configuration group <your groupname>
 key <preshared key>
 dns <your dns server>
 domain <your local domain>
 pool VPNCLIENTDHCP
 acl ACL-VPN-CLIENT
 save-password
crypto isakmp profile CIP_CVPN_CLIENT
   match identity group <your groupname>
   client authentication list CVPN
   isakmp authorization list CVPN
   client configuration address respond
crypto isakmp profile CIP_DMVPN
   keyring CK_DMVPN
   match identity address 0.0.0.0
!
!
crypto ipsec transform-set CIT_CVPN_CLIENT esp-aes 256 esp-sha-hmac
crypto ipsec transform-set CIT_DMVPN_AESSSHA esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile CIP_DMVPN
 set security-association lifetime seconds 300
 set transform-set CIT_DMVPN_AESSSHA
 set isakmp-profile CIP_DMVPN
!
interface Loopback10
 description Bypass NAT for IPsec
 ip address 1.1.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip route-cache same-interface
 ip route-cache policy
!
interface Tunnel10
 ip address <IP ADDRESS> 255.255.255.0
 no ip redirects
 ip mtu 1440
 ip flow ingress
 ip nhrp authentication <nhrp-name>
 ip nhrp map multicast dynamic
 ip nhrp network-id 1438
 ip nhrp holdtime 600
 ip route-cache same-interface
 ip route-cache policy
 ip tcp adjust-mss 1400
 ip ospf network broadcast
 ip ospf priority 2
 delay 1000
 tunnel source <outgoing interface>
 tunnel mode gre multipoint
 tunnel key 1438
 tunnel protection ipsec profile CIP_DMVPN
!
router ospf 1
 router-id 1.1.1.1
 log-adjacency-changes
 network <tunnel LAN network> 0.0.0.255 area 0
 network <local LAN network> 0.0.0.255 area 0
!
ip local pool VPNCLIENTDHCP <start ip dhcp> <end ip dhcp>
!
route-map RMP_Vlan1_NO_NAT permit 10
 match ip address ACL_Vlan1_NO_NAT
 set ip next-hop 1.1.1.2
!
interface Vlan1
 ip policy route-map RMP_Vlan1_NO_NAT
Below is a sample configuration for a spoke router (the router at the remote site).
crypto keyring CK_DMVPN
  pre-shared-key address 0.0.0.0 0.0.0.0 key <your key>
crypto logging session
crypto logging ezvpn
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp nat keepalive 15
crypto isakmp profile CIP_DMVPN
   keyring CK_DMVPN
   match identity address 0.0.0.0
!
!
crypto ipsec transform-set CIT_DMVPN_AESSSHA esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile CIP_DMVPN
 set security-association lifetime seconds 300
 set transform-set CIT_DMVPN_AESSSHA
 set isakmp-profile CIP_DMVPN
!
interface Loopback10
 description Bypass NAT for IPsec
 ip address 1.1.2.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip route-cache same-interface
 ip route-cache policy
!
interface Tunnel10
 ip address <tunnel ip address> 255.255.255.0
 ip mtu 1440
 ip flow ingress
 ip nhrp authentication <nhrp-name>
 ip nhrp map <hub tunnel ip> <hub external ip>
 ip nhrp network-id 1438
 ip nhrp holdtime 600
 ip nhrp nhs <hub tunnel ip>
 ip route-cache same-interface
 ip route-cache policy
 ip tcp adjust-mss 1400
 ip ospf network broadcast
 ! with network type broadcast, spokes are normally given ip ospf priority 0
 ! so that only the hub can be elected DR
 ip ospf priority 2
 delay 1000
 tunnel source <outgoing interface>
 tunnel destination <hub external ip>
 tunnel key 1438
 tunnel protection ipsec profile CIP_DMVPN
!
router ospf 1
 router-id 1.1.2.1
 log-adjacency-changes
 network <Tunnel LAN NETWORK> 0.0.0.255 area 0
 network <Local LAN NETWORK> 0.0.0.255 area 0
I figured out that OSPF by default takes its router ID from the loopback address, so if that address is the same as on the main site, OSPF will not work (both routers end up with the same router ID). To resolve this, configure a new loopback and, under “router ospf <id>”, configure a unique router-id based on that IP address.
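As an added example (not from the original post or its download files), the Python check below runs over constructed IOS fragments modelled on the configs above and flags the duplicate OSPF router-id described here. It goes a little beyond the post by also comparing the other settings that must agree across a DMVPN cloud (NHRP network-id, tunnel key, OSPF network type) and by warning when a spoke in broadcast mode can become DR.

```python
import re

# Constructed IOS fragments modelled on the post's hub/spoke configs (not the
# author's files). SPOKE_BAD reuses the hub's router-id, the fault the post hit.
HUB = """interface Tunnel10
 ip nhrp network-id 1438
 ip ospf network broadcast
 ip ospf priority 2
 tunnel key 1438
router ospf 1
 router-id 1.1.1.1
"""
SPOKE_BAD = HUB  # identical settings, including the duplicate router-id 1.1.1.1
SPOKE_GOOD = (HUB.replace("router-id 1.1.1.1", "router-id 1.1.2.1")
                 .replace("ip ospf priority 2", "ip ospf priority 0"))

def setting(cfg, pattern, default=None):
    """First capture group of pattern in cfg (one IOS line per match), or default."""
    m = re.search(pattern, cfg, re.M)
    return m.group(1) if m else default

def parse(cfg):
    """Extract the DMVPN/OSPF settings that must agree across hub and spokes."""
    return {
        "network_id": setting(cfg, r"^\s*ip nhrp network-id (\S+)"),
        "tunnel_key": setting(cfg, r"^\s*tunnel key (\S+)"),
        "ospf_type": setting(cfg, r"^\s*ip ospf network (\S+)"),
        "priority": int(setting(cfg, r"^\s*ip ospf priority (\d+)", "1")),  # IOS default 1
        "router_id": setting(cfg, r"^\s*router-id (\S+)"),
    }

def check(hub_cfg, spoke_cfgs):
    """Return findings for the cloud; an empty list means no inconsistency found."""
    hub = parse(hub_cfg)
    findings = []
    router_ids = {hub["router_id"]: "hub"}
    for name, cfg in spoke_cfgs.items():
        s = parse(cfg)
        # NHRP network-id, tunnel key and OSPF network type must match the hub
        for key in ("network_id", "tunnel_key", "ospf_type"):
            if s[key] != hub[key]:
                findings.append(f"{name}: {key} {s[key]} != hub {hub[key]}")
        # A duplicate router-id is the failure described in the post
        if s["router_id"] in router_ids:
            findings.append(f"{name}: duplicate router-id {s['router_id']} "
                            f"(also used by {router_ids[s['router_id']]})")
        router_ids[s["router_id"]] = name
        # In broadcast mode only the hub may become DR; spokes should use priority 0
        if s["ospf_type"] == "broadcast" and s["priority"] != 0:
            findings.append(f"{name}: ip ospf priority {s['priority']} should be 0")
    return findings

if __name__ == "__main__":
    for finding in check(HUB, {"spoke1": SPOKE_BAD, "spoke2": SPOKE_GOOD}):
        print(finding)
```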