Andrey, sorry, the router eigrp section is as follows on both hub and spoke:

router eigrp 100
 passive-interface default
 no passive-interface Tunnel100
 network 10.1.1.0 0.0.0.255
 no auto-summary

I hadn't yet added the traffic to be protected by this tunnel, because it's production traffic that is being routed via a primary route. The DMVPN is for backup purposes. I didn't want to have traffic re-routed suddenly and possibly cause all sorts of trouble, so I only included the Tunnel network until it comes up; then I can include some test subnets.

On Tue, May 17, 2011 at 9:52 AM, Andrey <[email protected]> wrote:
> Hi Mark,
>
> in router eigrp section you need to specify interface tunnel network and
> "interesting traffic" network on hub & spoke.
>
> --
> Best regards,
> Andrey
>
> On Tue, May 17, 2011 at 3:46 AM, Mark Senteza <[email protected]> wrote:
>
>> Hey all,
>>
>> A real scenario that I'd appreciate your opinion on.
>>
>> I've got a DMVPN setup that I'm trying to deploy. The endpoints sit inside
>> the secure network, so I'm using NATs on the ASAs to give them a public
>> presence. The VPN won't come up though, and I'm trying to figure out what I'm
>> missing and where I should be looking. Appreciate any responses.
>>
>> The DMVPN routers sit behind ASAs on either end. The logical topology
>> looks like:
>>
>> *Router-R1 (DMVPN HUB) Gi0/0.600 ----- Router-RA ---------- ASA-1* -------------------- INTERNET -------------------- *ASA-2 --------------- Router-RB ---------------- Gi0/0.603 Router-R2 (DMVPN Spoke)*
>>
>> The tunnel source interfaces at both ends have NAT'd IPs on the ASAs and
>> use these IPs for peering.
>>
>> Configs are as follows:
>>
>> *ROUTER-R1* (DMVPN Hub)
>>
>> crypto isakmp policy 10
>>  encr aes
>>  authentication pre-share
>>  group 2
>>
>> crypto isakmp key dmvpnpasswd address 222.222.222.222
>>
>> crypto ipsec transform-set AESSHA-TRANSFORM esp-aes esp-sha-hmac
>>
>> crypto ipsec profile DMVPN
>>  set transform-set AESSHA-TRANSFORM
>>
>> interface Tunnel100
>>  description GI DMVPN Hub Interface
>>  ip address 10.1.1.1 255.255.255.248
>>  no ip redirects
>>  no ip next-hop-self eigrp 100
>>  ip nhrp map multicast dynamic
>>  ip nhrp network-id 100
>>  no ip split-horizon eigrp 100
>>  delay 150000
>>  tunnel source GigabitEthernet0/0.600
>>  tunnel mode gre multipoint
>>  tunnel key 100
>>  tunnel protection ipsec profile DMVPN
>>
>> interface GigabitEthernet0/0.600
>>  ip address 10.10.1.1 255.255.255.0
>>
>> router eigrp 100
>>  passive-interface default
>>  no passive-interface Tunnel100
>>  network 10.255.254.48 0.0.0.7
>>  no auto-summary
>>
>>
>> *ASA-1*
>>
>> static (inside,outside) 111.111.111.111 10.10.1.1 netmask 255.255.255.255
>>
>> access-list OUTSIDE line 66 extended permit esp host 222.222.222.222 host 111.111.111.111 (hitcnt=0) 0x628ac306
>> access-list OUTSIDE line 66 extended permit gre host 222.222.222.222 host 111.111.111.111 (hitcnt=0) 0x1e349ff8
>> access-list OUTSIDE line 66 extended permit udp host 222.222.222.222 host 111.111.111.111 eq isakmp (hitcnt=0) 0x0a22d45b
>> access-list OUTSIDE line 66 extended permit udp host 222.222.222.222 host 111.111.111.111 eq 4500 (hitcnt=0)
>>
>> **************************************
>>
>> *ROUTER-R2* (DMVPN Spoke)
>>
>> crypto isakmp policy 10
>>  encr aes
>>  authentication pre-share
>>  group 2
>>
>> crypto isakmp key dmvpnpasswd address 111.111.111.111
>>
>> crypto ipsec transform-set AESSHA-TRANSFORM esp-aes esp-sha-hmac
>>
>> crypto ipsec profile DMVPN
>>  set transform-set AESSHA-TRANSFORM
>>
>> interface Tunnel100
>>  description GI DMVPN Spoke Interface
>>  ip address 10.1.1.2 255.255.255.248
>>  no ip redirects
>>  ip nhrp map 10.1.1.1 111.111.111.111
>>  ip nhrp map multicast 111.111.111.111
>>  ip nhrp network-id 100
>>  ip nhrp nhs 10.1.1.1
>>  delay 150000
>>  tunnel source GigabitEthernet0/0.603
>>  tunnel mode gre multipoint
>>  tunnel key 100
>>  tunnel protection ipsec profile DMVPN
>>
>> interface GigabitEthernet0/0.603
>>  ip address 10.20.2.2 255.255.255.0   <- This has been NAT'd to 222.222.222.222 on the ASA-B firewall, which I don't have visibility into.
>>
>> router eigrp 100
>>  passive-interface default
>>  no passive-interface Tunnel100
>>  network 10.1.1.0 0.0.0.7
>>  no auto-summary
>>
>>
>> *Observations:*
>>
>> 1. I can ping from the DMVPN spoke to the DMVPN hub using the public IPs,
>> and I see the hit count on the ASA increasing, so I know for sure that the
>> routing is fine and the NAT on the remote ASA that I don't manage is
>> correct.
>>
>> 2. None of the crypto protocol traffic I'm allowing inbound shows any hit
>> count.
>>
>> 3. The following is the "show crypto isakmp sa" output from the DMVPN
>> spoke (Router-2):
>>
>> dst              src              state          conn-id  status
>> 111.111.111.111  10.20.2.2        MM_NO_STATE    0        ACTIVE
>> 111.111.111.111  10.20.2.2        MM_NO_STATE    0        ACTIVE (deleted)
>>
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
>>
>> Are you a CCNP or CCIE and looking for a job? Check out
>> www.PlatinumPlacement.com
>
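The two things the thread turns on, Andrey's point that the EIGRP `network` statement must cover the tunnel subnet on both ends, and the fact that with the routers behind NAT the ISAKMP key and the spoke's NHRP map must name the peer's post-NAT public address, can both be checked mechanically before a tunnel is brought up. The script below is an added example and is not code from the thread; it lints a constructed, trimmed copy of the two posted configurations (the 111.111.111.111 and 222.222.222.222 public addresses are the ones in the post). It evaluates IOS wildcard-mask `network` statements the way the router does (address AND NOT-wildcard) and compares hub and spoke for the fields that have to agree. Run against the posted hub config, it flags `network 10.255.254.48 0.0.0.7` as not covering the hub's tunnel address 10.1.1.1.

```python
"""Added example (not from the thread): lint a DMVPN hub/spoke pair for the
mismatches discussed above.  Configs are constructed copies of the posted ones."""
import ipaddress
import re

# Constructed, trimmed copies of the posted configs (not verbatim).
HUB_CFG = """\
crypto isakmp key dmvpnpasswd address 222.222.222.222
interface Tunnel100
 ip address 10.1.1.1 255.255.255.248
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 tunnel source GigabitEthernet0/0.600
 tunnel key 100
router eigrp 100
 network 10.255.254.48 0.0.0.7
"""

SPOKE_CFG = """\
crypto isakmp key dmvpnpasswd address 111.111.111.111
interface Tunnel100
 ip address 10.1.1.2 255.255.255.248
 ip nhrp map 10.1.1.1 111.111.111.111
 ip nhrp map multicast 111.111.111.111
 ip nhrp network-id 100
 ip nhrp nhs 10.1.1.1
 tunnel source GigabitEthernet0/0.603
 tunnel key 100
router eigrp 100
 network 10.1.1.0 0.0.0.7
"""


def parse_config(cfg):
    """Pull the few fields the lint needs out of an IOS-style config."""
    out = {"tunnel": {"maps": {}}, "eigrp_networks": [], "isakmp_peers": []}
    section = ""
    for raw in cfg.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if not raw.startswith(" "):  # an unindented command opens a section
            section = raw.strip()
            m = re.match(r"crypto isakmp key \S+ address (\S+)", section)
            if m:
                out["isakmp_peers"].append(m.group(1))
            continue
        cmd, tun = raw.strip(), out["tunnel"]
        if section.startswith("interface Tunnel"):
            if cmd.startswith("ip address "):
                addr, mask = cmd.split()[2:4]
                tun["ip"] = ipaddress.ip_interface(f"{addr}/{mask}")
            elif cmd.startswith("ip nhrp network-id "):
                tun["nhrp_id"] = cmd.split()[-1]
            elif cmd.startswith("tunnel key "):
                tun["tunnel_key"] = cmd.split()[-1]
            elif cmd.startswith("ip nhrp nhs "):
                tun["nhs"] = cmd.split()[-1]
            elif cmd.startswith("ip nhrp map ") and "multicast" not in cmd:
                overlay, nbma = cmd.split()[3:5]
                tun["maps"][overlay] = nbma  # tunnel address -> public (NBMA) address
        elif section.startswith("router eigrp") and cmd.startswith("network "):
            parts = cmd.split()
            out["eigrp_networks"].append((parts[1], parts[2] if len(parts) > 2 else None))
    return out


def eigrp_covers(networks, addr):
    """True if some `network A W` (W = IOS wildcard) matches addr.
    With no wildcard IOS treats the statement as classful."""
    a = int(ipaddress.ip_address(addr))
    for net, wild in networks:
        n = int(ipaddress.ip_address(net))
        if wild is None:
            first = n >> 24
            bits = 8 if first < 128 else 16 if first < 192 else 24
            mask = (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF
        else:
            mask = 0xFFFFFFFF ^ int(ipaddress.ip_address(wild))
        if a & mask == n & mask:
            return True
    return False


def lint_pair(hub, spoke, hub_public, spoke_public):
    """Return a list of findings; an empty list means the pair is consistent."""
    findings = []
    for name, cfg in (("hub", hub), ("spoke", spoke)):
        ip = cfg["tunnel"]["ip"].ip
        if not eigrp_covers(cfg["eigrp_networks"], str(ip)):
            findings.append(f"{name}: no EIGRP network statement covers tunnel address {ip}")
    h, s = hub["tunnel"], spoke["tunnel"]
    for key in ("nhrp_id", "tunnel_key"):
        if h.get(key) != s.get(key):
            findings.append(f"{key} differs: hub={h.get(key)} spoke={s.get(key)}")
    hub_overlay = str(h["ip"].ip)
    if s.get("nhs") != hub_overlay:
        findings.append(f"spoke NHS {s.get('nhs')} is not the hub tunnel address {hub_overlay}")
    if s["maps"].get(hub_overlay) != hub_public:
        findings.append(f"spoke NHRP map for {hub_overlay} is not the hub's NAT'd address {hub_public}")
    # Behind NAT the ISAKMP key has to be bound to the peer's post-NAT address.
    if spoke_public not in hub["isakmp_peers"]:
        findings.append(f"hub has no ISAKMP key for spoke public address {spoke_public}")
    if hub_public not in spoke["isakmp_peers"]:
        findings.append(f"spoke has no ISAKMP key for hub public address {hub_public}")
    return findings


def lint_posted_configs():
    return lint_pair(parse_config(HUB_CFG), parse_config(SPOKE_CFG),
                     hub_public="111.111.111.111", spoke_public="222.222.222.222")


if __name__ == "__main__":
    for finding in lint_posted_configs() or ["no mismatches found"]:
        print(finding)
```

A lint like this only catches configuration disagreements between the two routers. It says nothing about the transport path: a spoke-side `show crypto isakmp sa` stuck in MM_NO_STATE together with `hitcnt=0` on the hub-side ASA's isakmp/4500 rules, as in the post, means the IKE initiation is not arriving at that firewall at all, which has to be chased on the spoke's side of the NAT rather than in either router's EIGRP or NHRP configuration.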
