Hi Piotr

Yes, I agree. But I am looking for the logic that IOS is performing. It
checks for the GRE header and compares the addresses. Hence, if there is a
difference, it knows that there is a NAT device.

If I enable debug crypto isakmp on the hub side, I see that IKE Phase 1
is failing at the hub side with tunnel mode, reporting "proposal not chosen".


If I change to transport mode, the check passes and IKE Phase 1 passes.

If you check the proxy IDs on the hub and spokes, they will not be mirrored.
IOS overcomes the non-mirrored proxy IDs in transport mode.

My next question is: even in tunnel mode, IOS can check the outer IP
header against the NBMA address in the NHRP header. Why is transport mode required?
Is the answer "that is by design"?


With regards
Kings

On Fri, Oct 7, 2011 at 11:30 PM, Piotr Matusiak <[email protected]> wrote:

> Hi Kings,
>
> With DMVPN spoke or hub routers behind NAT you must use IPsec Transport
> mode. The GRE IP header is ONLY available to NHRP if we are NOT doing IPsec
> or we are doing IPsec in transport mode.
>
> Regards,
> Piotr
>
> 2011/10/7 Kingsley Charles <[email protected]>
>
>> Hi all
>>
>> When we have a DMVPN hub behind a NAT device, the tunnel shouldn't come up
>> because the proxy identities will not match in the IPsec Phase 2 check.
>>
>> Hub -------------- NAT router --------------- Spoke
>>
>> It works if I have the transform set in transport mode. IOS does
>> something, but I am not able to get a doc explaining the process.
>>
>> The following link explains spoke behind a NAT device. I am aware that
>> NHRP is NAT aware. Is that the answer?
>>
>>
>> http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/dmvpn_dt_spokes_b_nat.html
>>
>>
>> With regards
>> Kings
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
>>
>> Are you a CCNP or CCIE and looking for a job? Check out
>> www.PlatinumPlacement.com
>>
>
>
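As an added illustration, not part of the thread above, the following IOS fragment shows a hub behind a static NAT with the tunnel-mode transform set the thread reports as failing beside the transport-mode one that works, plus the proxy identities to compare on each side. Addresses, names and the sample show output are hypothetical.

```cisco
! Added example (not from the thread). Hypothetical addressing:
!   Hub tunnel source 10.0.0.1 (private), static NAT to 203.0.113.1
!   Spoke tunnel source 198.51.100.2 (public)
!
! Transform set that the thread reports as failing with the hub behind NAT
! (tunnel mode is the IOS default when "mode" is omitted)
crypto ipsec transform-set DMVPN-TS-TUNNEL esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Working setting: transport mode, as required for DMVPN peers behind NAT
crypto ipsec transform-set DMVPN-TS-TRANSPORT esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS-TRANSPORT
!
! Hub (sources the tunnel from its private address; spokes reach 203.0.113.1)
interface Tunnel0
 ip address 172.16.0.1 255.255.255.0
 ip nhrp network-id 1
 ip nhrp map multicast dynamic
 tunnel source 10.0.0.1
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-PROF
!
! Spoke (maps the hub's tunnel address to the NAT public address)
interface Tunnel0
 ip address 172.16.0.2 255.255.255.0
 ip nhrp network-id 1
 ip nhrp nhs 172.16.0.1
 ip nhrp map 172.16.0.1 203.0.113.1
 ip nhrp map multicast 203.0.113.1
 tunnel source 198.51.100.2
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-PROF
!
! Verification (illustrative output): compare the proxy identities on both sides.
! Hub:   show crypto ipsec sa | include ident
!   local  ident (addr/mask/prot/port): (10.0.0.1/255.255.255.255/47/0)
!   remote ident (addr/mask/prot/port): (198.51.100.2/255.255.255.255/47/0)
! Spoke: show crypto ipsec sa | include ident
!   local  ident (addr/mask/prot/port): (198.51.100.2/255.255.255.255/47/0)
!   remote ident (addr/mask/prot/port): (203.0.113.1/255.255.255.255/47/0)
! The hub's local ident is its private address while the spoke's remote ident
! is the NAT address, so the identities are not mirrored, which is the
! mismatch the thread discusses.
! show dmvpn           -> the spoke entry should reach state UP
! debug crypto isakmp  -> shows NAT-T detection, or "proposal not chosen"
!                         when the tunnel-mode transform set is applied
```

Swap DMVPN-TS-TUNNEL into the profile to reproduce the failure described in the thread, then put DMVPN-TS-TRANSPORT back and clear the SAs to confirm the tunnel recovers.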