Cisco IOS router DMVPN connection with OSPF routing

Today my colleague and I were troubleshooting why EIGRP didn’t work on a Cisco DMVPN connection between 2 sites. We saw that the Cisco router could make a connection with the VPN crypto configuration. We thought the connection was okay, but unfortunately the routing didn’t work so well. We couldn’t get any data from site 1 to site 2 and back.
I thought maybe OSPF would work, and yes, it worked.
Below is a sample configuration for a DMVPN connection with OSPF routing.
First, the hub configuration:

aaa new-model
aaa authentication login CVPN local
aaa authentication login default local
aaa authentication ppp default local
aaa authorization network default local
aaa session-id common
crypto keyring CK_DMVPN
 pre-shared-key address key <your key>
crypto logging session
crypto logging ezvpn
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp fragmentation
crypto isakmp nat keepalive 15
crypto isakmp client configuration group <your groupname>
 key <preshared key>
 dns <your dns server>
 domain <your local domain>
crypto isakmp profile CIP_CVPN_CLIENT
 match identity group <your groupname>
 client authentication list CVPN
 isakmp authorization list CVPN
 client configuration address respond
crypto isakmp profile CIP_DMVPN
 keyring CK_DMVPN
 match identity address
crypto ipsec transform-set CIT_CVPN_CLIENT esp-aes 256 esp-sha-hmac
crypto ipsec transform-set CIT_DMVPN_AESSSHA esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile CIP_DMVPN
 set security-association lifetime seconds 300
 set transform-set CIT_DMVPN_AESSSHA
 set isakmp-profile CIP_DMVPN
interface Loopback10
 description Bypass NAT for IPsec
 ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip route-cache same-interface
 ip route-cache policy
interface Tunnel10
 ip address <IP ADDRESS>
 no ip redirects
 ip mtu 1440
 ip flow ingress
 ip nhrp authentication <nhrp-name>
 ip nhrp map multicast dynamic
 ip nhrp network-id 1438
 ip nhrp holdtime 600
 ip route-cache same-interface
 ip route-cache policy
 ip tcp adjust-mss 1400
 ip ospf network broadcast
 ip ospf priority 2
 delay 1000
 tunnel source <outgoing interface>
 tunnel mode gre multipoint
 tunnel key 1438
 tunnel protection ipsec profile CIP_DMVPN
router ospf 1
 network <tunnel LAN network> area 0
 network <local LAN network> area 0
ip local pool VPNCLIENTDHCP <start ip dhcp> <end ip dhcp>
route-map RMP_Vlan1_NO_NAT permit 10
 match ip address ACL_Vlan1_NO_NAT
 set ip next-hop
interface Vlan1
 ip policy route-map RMP_Vlan1_NO_NAT

Below is a sample configuration for a spoke router (the router on the remote site):

crypto keyring CK_DMVPN
 pre-shared-key address key <your key>
crypto logging session
crypto logging ezvpn
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp nat keepalive 15
crypto isakmp profile CIP_DMVPN
 keyring CK_DMVPN
 match identity address
crypto ipsec transform-set CIT_DMVPN_AESSSHA esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile CIP_DMVPN
 set security-association lifetime seconds 300
 set transform-set CIT_DMVPN_AESSSHA
 set isakmp-profile CIP_DMVPN
interface Loopback10
 description Bypass NAT for IPsec
 ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip route-cache same-interface
 ip route-cache policy
interface Tunnel10
 ip address <tunnel ip address>
 ip mtu 1440
 ip flow ingress
 ip nhrp authentication <nhrp-name>
 ip nhrp map <hub tunnel ip> <hub external ip>
 ip nhrp network-id 1438
 ip nhrp holdtime 600
 ip nhrp nhs <hub tunnel ip>
 ip route-cache same-interface
 ip route-cache policy
 ip tcp adjust-mss 1400
 ip ospf network broadcast
 ip ospf priority 2
 delay 1000
 tunnel source <outgoing interface>
 tunnel destination <hub external ip>
 tunnel key 1438
 tunnel protection ipsec profile CIP_DMVPN
router ospf 1
 network <Tunnel LAN NETWORK> area 0
 network <Local LAN NETWORK> area 0

I figured out that OSPF uses the loopback address by default, so if this is the same address as on the main site, OSPF won’t work. To resolve this issue you need to configure a new loopback and configure, below “router ospf <id>”, a unique ID based on the IP address.
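The router-ID collision described above, as an added offline check (not part of the original post and not Cisco's code): it parses hub and spoke IOS configs, derives each OSPF router ID the way IOS selects it (explicit router-id, else the highest loopback address, else the highest other interface address), and also lists tunnel parameters that must agree on both ends but differ. The two sample configs, the Tunnel10 name and the 1438 values are constructed for the example.

```python
import re
from ipaddress import ip_address

def parse_blocks(cfg):
    """Split an IOS config into {top-level command: [indented sub-lines]}."""
    blocks, head = {}, None
    for raw in cfg.splitlines():
        if raw.startswith(" ") and head and raw.strip():
            blocks[head].append(raw.strip())
        elif raw.strip() and not raw.startswith(("!", " ")):
            head = raw.strip()
            blocks[head] = []
    return blocks

def ospf_router_id(blocks, process="router ospf 1"):
    """IOS order: explicit router-id, else highest loopback IP, else highest other IP."""
    for line in blocks.get(process, []):
        if line.startswith("router-id "):
            return line.split()[1]
    loops, others = [], []
    for head, lines in blocks.items():
        if head.startswith("interface "):
            for line in lines:
                m = re.match(r"ip address (\d+\.\d+\.\d+\.\d+) ", line)
                if m:
                    (loops if "Loopback" in head else others).append(ip_address(m.group(1)))
    for pool in (loops, others):
        if pool:
            return str(max(pool))
    return None

def dmvpn_mismatches(hub, spoke, tunnel="interface Tunnel10"):
    """Tunnel parameters that must match hub and spoke but do not."""
    keys = ("ip nhrp network-id", "ip nhrp authentication", "tunnel key", "ip mtu")
    def pick(b):
        return {k: next((l for l in b.get(tunnel, []) if l.startswith(k + " ")), None) for k in keys}
    h, s = pick(hub), pick(spoke)
    return [k for k in keys if h[k] != s[k]]

# Constructed sample configs (not the page's): both ends reuse 10.0.0.1/32 on
# Loopback10, so OSPF derives the same router ID on hub and spoke.
HUB_CFG = """interface Loopback10
 ip address 10.0.0.1 255.255.255.255
interface Tunnel10
 ip address 172.16.10.1 255.255.255.0
 ip nhrp authentication DMVPNKEY
 ip nhrp network-id 1438
 tunnel key 1438
"""
SPOKE_CFG = HUB_CFG.replace("172.16.10.1", "172.16.10.2").replace("key 1438", "key 1439")
```

Run `ospf_router_id(parse_blocks(HUB_CFG))` against the spoke's value: identical IDs mean exactly the failure the post describes, and adding `router-id` under `router ospf 1` on one side clears it.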
Download the file for the hub-router click here
Download the file for the spoke-router click here
