Hi there,
I've a Cisco router that I've configured as a DMVPN and there are other spokes that connect to this DMVPN. Now, there is a client who only has IPsec configured at their end and they want to connect to this VPN tunnel. From my understanding, it won't work because in order for them to connect to our network, they need DMVPN client configuration on their Cisco router? Right?
Now, I am thinking if I create a simple IPsec tunnel on my existing router, will it cause any conflict with the existing DMVPN tunnel? In short, can a separate IPsec tunnel coexist with a DMVPN tunnel... Configuration is given below.
VPN-Hub#sh running-config
Building configuration...
Current configuration : 6303 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname VPN-Hub
!
boot-start-marker
boot system flash c1841-advipservicesk9-mz.124-18.bin
boot-end-marker
!
no logging console
enable secret 5 xxx
!
no aaa new-model
ip cef
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
username admin privilege 15 password 0 xxx
!
crypto isakmp policy 15
 encr aes
 hash md5
 authentication pre-share
 group 2
crypto isakmp key xxxx address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set tset esp-aes
 mode transport
!
crypto ipsec profile cisco
 set transform-set tset
!
interface Tunnel0
 ip address 172.20.1.1 255.255.0.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication xxx
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip tcp adjust-mss 1360
 tunnel source x.x.x.x
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile cisco
!
interface FastEthernet0/0
 ip address x.x.x.x 255.255.255.224
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 172.16.0.194 255.255.255.248
 duplex auto
 speed auto
!
interface FastEthernet0/0/0
!
interface FastEthernet0/0/1
!
interface FastEthernet0/0/2
!
interface FastEthernet0/0/3
 switchport mode trunk
!
interface Vlan1
 no ip address
!
router eigrp 2
 network 172.16.0.192 0.0.0.7
 network 172.20.0.0
 distance eigrp 180 180
 no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 x.x.x.x
!
ip http server
no ip http secure-server
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 login local
!
scheduler allocate 20000 1000
end
I don't see why not. Just create a separate crypto policy, etc.
nabeel92
ASKER
In DMVPN, we use
crypto isakmp key xxx address 0.0.0.0 0.0.0.0 (which means any peer/client)
and in IPsec, we use
crypto isakmp key xxx address 1.1.1.1 (where 1.1.1.1 is the remote address of the other peer)
I'm just wondering if the two statements may conflict with each other?
nabeel92
ASKER
And of course different keys in the above statements...
Good point! And it's very hard to find documentation on DMVPN; only one Cisco doc comes up, which I think you have.
You may be able to also assign the DMVPN crypto map to a non-tunnel interface in the traditional way, and configure the other side in the traditional way, using the same key. Can you test that?
nabeel92
ASKER
OK, I'll try that today and update...
nabeel92
ASKER
As soon as I apply the crypto map on the inside interface on one of the routers (config for DMVPN has already been done on this router)... I lose my own access to that inside interface... Also, it breaks the existing DMVPN tunnel and I couldn't reach the other sites with which DMVPN was already established...
Is this even the right configuration for IPsec? Forget about DMVPN, I am just trying to get a basic IPsec working here. 2 routers directly connected... Is this config correct?
.....
crypto isakmp policy 10
encr aes
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 1.1.1.2
!
!
crypto ipsec transform-set tset esp-des
!
crypto map smap 10 ipsec-isakmp
set peer 1.1.1.2
set transform-set tset
match address 101
!
interface FastEthernet0/0   ! Inside LAN interface
ip address 200.100.50.100 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1   ! Public interface
ip address 1.1.1.1 255.0.0.0
duplex auto
speed auto
crypto map smap
!
access-list 101 permit ip any any
.....
.....
Given below is a show ip route on this router (obviously looks a bit incomplete)... Maybe I am doing IPsec after a while, bit rusty with it... ;) .. can't recall if we needed to give a static route to the other end's LAN IP or should my ACL take care of that? Thanks...
R1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
C 1.0.0.0/8 is directly connected, FastEthernet0/1
C 200.100.50.0/24 is directly connected, FastEthernet0/0
nabeel92
ASKER
OK, I just revised the concept of a basic IPsec tunnel, hadn't done it in a while... got the basic IPsec to work... I was applying the crypto map on the inside interface previously, which is wrong; applied it on the public interface... However, the problem of IPsec co-existing with DMVPN still exists... As soon as I enable the command crypto isakmp key 0 cisco address x.x.x.x when the command crypto isakmp key 0 cisco address 0.0.0.0 already exists, my VPN comes into an MM_failure state... This error, as per my understanding, is a VPN Phase 1 error, i.e. ISAKMP negotiation... so it means that there is definitely a conflict happening... and I can't find a forum or link on Cisco that talks about the two tunnels co-existing together...
mikebernhardt
I've asked our SE to look into it. I'll let you know when I hear something. Is it possible to get the client to change their configuration?
I wish that was the case but all clients are requesting to use IPsec...
Further to my research above, I've seen that the moment I apply the crypto map command on my public IP being used for DMVPN, I lose connectivity to my DMVPN clients... The IPsec works but not the DMVPN...
Yes, I had to deny the GRE traffic in IPsec's interesting traffic and it worked afterwards... My ACL before wasn't specific, which is why I had to come across all these issues, but still good learning... Now my IPsec and DMVPN can co-exist together... Thanks a lot for your help!
pollara
Could you please provide an example of your crypto configuration so others can see you achieved it?
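As an added illustration of the approach nabeel92 describes (a classic crypto map on the same public interface as the mGRE tunnel, with GRE excluded from the crypto ACL), here is an example hub configuration. This is example configuration written for this page, not nabeel92's actual config: the hub public address 198.51.100.1, the IPsec-only peer 203.0.113.10 and its LAN 192.0.2.0/24, the ISP next hop 198.51.100.30, the ACL and transform-set names, and the key placeholders are all constructed; the hub LAN 172.16.0.192/29 and the Tunnel0 settings come from the running-config in the thread.

```cisco
! Hub router: DMVPN tunnel protection and a classic IPsec crypto map sharing one public interface.
! Constructed example values: 198.51.100.1 = hub public IP, 203.0.113.10 = IPsec-only peer,
! 192.0.2.0/24 = that peer's LAN, 198.51.100.30 = ISP next hop.
crypto isakmp policy 15
 encr aes
 hash sha
 authentication pre-share
 group 2
!
! Wildcard pre-shared key for the dynamically addressed DMVPN spokes (as in the thread),
! plus a separate key bound to the fixed address of the IPsec-only peer.
crypto isakmp key SPOKE_KEY_PLACEHOLDER address 0.0.0.0 0.0.0.0
crypto isakmp key PEER_KEY_PLACEHOLDER address 203.0.113.10
!
! Transport mode for the GRE-encapsulated DMVPN traffic, tunnel mode for the plain
! site-to-site SA.
crypto ipsec transform-set tset esp-aes esp-sha-hmac
 mode transport
crypto ipsec transform-set tset-s2s esp-aes esp-sha-hmac
!
crypto ipsec profile cisco
 set transform-set tset
!
! Interesting traffic for the crypto map. The GRE deny is the fix from the thread:
! with "permit ip any any" the crypto map also matched the mGRE packets and competed
! with the tunnel protection profile for them, which broke the DMVPN. Denying GRE
! sourced from the hub's public address covers every spoke, fixed or dynamic.
ip access-list extended S2S-PEER
 deny   gre host 198.51.100.1 any
 permit ip 172.16.0.192 0.0.0.7 192.0.2.0 0.0.0.255
!
crypto map smap 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set tset-s2s
 match address S2S-PEER
!
interface Tunnel0
 ip address 172.20.1.1 255.255.0.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication NHRP_KEY_PLACEHOLDER
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile cisco
!
! The crypto map goes on the public interface the mGRE tunnel is sourced from,
! not on the inside LAN interface.
interface FastEthernet0/0
 ip address 198.51.100.1 255.255.255.224
 crypto map smap
!
interface FastEthernet0/1
 ip address 172.16.0.194 255.255.255.248
!
! The default route carries packets for the peer's LAN out of the public interface,
! where the crypto map sees them; DMVPN prefixes keep arriving over EIGRP on Tunnel0.
ip route 0.0.0.0 0.0.0.0 198.51.100.30
```

After applying this, `show crypto isakmp sa` should list both the spoke peers and 203.0.113.10 in QM_IDLE, `show dmvpn` should still show the spokes as UP, and `show crypto ipsec sa` should show the site-to-site SA only for the 172.16.0.192/29 to 192.0.2.0/24 proxy identities, never for GRE. The order of the two ACL entries matters: the GRE deny must precede the permit, and the permit should be as specific as the two LANs allow rather than `ip any any`, which is the overlap that caused the breakage described above.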