Cisco IOS router DMVPN connection with OSPF routing

Today my colleague and I were troubleshooting why EIGRP didn't work on a Cisco DMVPN connection between 2 sites. We saw that the Cisco router could establish a connection with the VPN crypto configuration. We thought the connection was okay, but unfortunately the routing didn't work well: we couldn't get any data from site 1 to site 2 and back.

I thought OSPF might work instead, and it did.

Below is a sample configuration for a DMVPN connection with OSPF routing.

First the hub configuration:

aaa new-model
!
! Named AAA lists for the remote-access (EZVPN) client profile below. The list
! names must be spelled exactly as the isakmp profile references them (CVPN).
aaa authentication login CVPN local
aaa authentication login default local
aaa authentication ppp default local
aaa authorization network CVPN local
aaa authorization network default local
!
aaa session-id common
!
! Wildcard pre-shared key: any peer address may use it. Prefer one key per spoke
! (or certificates) where the number of spokes allows.
crypto keyring CK_DMVPN
 pre-shared-key address 0.0.0.0 0.0.0.0 key <your key>
crypto logging session
crypto logging ezvpn
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp fragmentation
crypto isakmp nat keepalive 15
!
! Remote-access client group; ACL-VPN-CLIENT and the dynamic crypto map that would
! use CIT_CVPN_CLIENT are not shown in the post.
crypto isakmp client configuration group <your groupname>
 key <preshared key>
 dns <your dns server>
 domain <your local domain>
 pool VPNCLIENTDHCP
 acl ACL-VPN-CLIENT
 save-password
crypto isakmp profile CIP_CVPN_CLIENT
 match identity group <your groupname>
 client authentication list CVPN
 isakmp authorization list CVPN
 client configuration address respond
! DMVPN profile: matches any peer address and authenticates with the keyring above.
crypto isakmp profile CIP_DMVPN
 keyring CK_DMVPN
 match identity address 0.0.0.0
!
crypto ipsec transform-set CIT_CVPN_CLIENT esp-aes 256 esp-sha-hmac
crypto ipsec transform-set CIT_DMVPN_AESSSHA esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile CIP_DMVPN
 set security-association lifetime seconds 300
 set transform-set CIT_DMVPN_AESSSHA
 set isakmp-profile CIP_DMVPN
!
interface Loopback10
 description Bypass NAT for IPsec
 ip address 1.1.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip route-cache same-interface
 ip route-cache policy
!
! Hub mGRE tunnel. NHRP authentication, NHRP network-id and tunnel key must be
! identical on every spoke; "map multicast dynamic" lets OSPF hellos reach
! registered spokes.
interface Tunnel10
 ip address <tunnel ip address> 255.255.255.0
 no ip redirects
 ip mtu 1440
 ip flow ingress
 ip nhrp authentication <nhrp-name>
 ip nhrp map multicast dynamic
 ip nhrp network-id 1438
 ip nhrp holdtime 600
 ip route-cache same-interface
 ip route-cache policy
 ip tcp adjust-mss 1400
 ip ospf network broadcast
 ip ospf priority 2
 delay 1000
 tunnel source <outgoing interface>
 tunnel mode gre multipoint
 tunnel key 1438
 tunnel protection ipsec profile CIP_DMVPN
!
! Explicit router-id: it must differ from every other OSPF router in the domain.
router ospf 1
 router-id 1.1.1.1
 log-adjacency-changes
 network <tunnel LAN network> 0.0.0.255 area 0
 network <local LAN network> 0.0.0.255 area 0
!
ip local pool VPNCLIENTDHCP <start ip dhcp> <end ip dhcp>
!
! NAT bypass via policy routing; ACL_Vlan1_NO_NAT (not shown in the post) must
! match the site-to-site traffic that should not be translated.
route-map RMP_Vlan1_NO_NAT permit 10
 match ip address ACL_Vlan1_NO_NAT
 set ip next-hop 1.1.1.2
!
interface Vlan1
 ip policy route-map RMP_Vlan1_NO_NAT

Below is a sample configuration for a spoke router (the router on the remote site):

crypto keyring CK_DMVPN
 pre-shared-key address 0.0.0.0 0.0.0.0 key <your key>
crypto logging session
crypto logging ezvpn
!
! ISAKMP policy and transform set must match the hub's.
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp nat keepalive 15
crypto isakmp profile CIP_DMVPN
 keyring CK_DMVPN
 match identity address 0.0.0.0
!
crypto ipsec transform-set CIT_DMVPN_AESSSHA esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile CIP_DMVPN
 set security-association lifetime seconds 300
 set transform-set CIT_DMVPN_AESSSHA
 set isakmp-profile CIP_DMVPN
!
! Different loopback address than the hub (1.1.1.1), see the note on router IDs below.
interface Loopback10
 description Bypass NAT for IPsec
 ip address 1.1.2.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip route-cache same-interface
 ip route-cache policy
!
! Point-to-point GRE to the hub. NHRP authentication, network-id and tunnel key
! must match the hub; the static NHRP map and NHS point at the hub.
interface Tunnel10
 ip address <tunnel ip address> 255.255.255.0
 ip mtu 1440
 ip flow ingress
 ip nhrp authentication <nhrp-name>
 ip nhrp map <hub tunnel ip> <hub external ip>
 ip nhrp network-id 1438
 ip nhrp holdtime 600
 ip nhrp nhs <hub tunnel ip>
 ip route-cache same-interface
 ip route-cache policy
 ip tcp adjust-mss 1400
 ip ospf network broadcast
 ! Priority 0 so a spoke can never become DR/BDR; only the hub sees all spokes.
 ip ospf priority 0
 delay 1000
 tunnel source <outgoing interface>
 tunnel destination <hub external ip>
 tunnel key 1438
 tunnel protection ipsec profile CIP_DMVPN
!
! Explicit, unique router-id; a duplicate of the hub's 1.1.1.1 breaks the adjacency.
router ospf 1
 router-id 1.1.2.1
 log-adjacency-changes
 network <tunnel LAN network> 0.0.0.255 area 0
 network <local LAN network> 0.0.0.255 area 0

I figured out that OSPF uses the loopback address as its router ID by default, so if this is the same address as on the main site, OSPF won't work. To resolve this issue you need to configure a new loopback and configure a unique ID based on its IP address under "router ospf <id>".
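As an added example (not from the post), the check below parses hub and spoke configs the way IOS indents them (global commands at column 0, sub-commands indented) and flags the pitfalls behind the configurations above: NHRP/tunnel parameters that differ between the two ends, a missing or duplicate OSPF router-id, a spoke that can become DR, and a hub without mGRE. The sample configs are constructed and deliberately reuse the hub's router-id and DR priority on the spoke.

```python
import re

# Constructed sample configs (not the post's own), cut down to the lines the check
# reads; the spoke deliberately reuses the hub's router-id and DR priority.
HUB_CFG = """
interface Tunnel10
 ip nhrp authentication dmvpn1
 ip nhrp network-id 1438
 ip ospf network broadcast
 ip ospf priority 2
 tunnel mode gre multipoint
 tunnel key 1438
router ospf 1
 router-id 1.1.1.1
"""
SPOKE_CFG = HUB_CFG.replace(" tunnel mode gre multipoint\n", "")  # spoke: p2p GRE, same IDs
# Tunnel commands whose value is recorded; the first four must match on both ends.
MUST_MATCH = ("ip nhrp authentication", "ip nhrp network-id", "tunnel key", "ip ospf network")
TUNNEL_CMDS = MUST_MATCH + ("ip ospf priority", "tunnel mode gre")
TUNNEL_RE = re.compile("(" + "|".join(re.escape(c) for c in TUNNEL_CMDS) + r") (\S+)")

def parse_ios(config):  # unindented lines open a section, indented lines belong to it
    facts, section = {"router_id": None, "tunnel": {}}, ""
    for line in config.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue                      # blank lines and '!' separators
        if not line.startswith(" "):
            section = line.strip()        # e.g. 'interface Tunnel10', 'router ospf 1'
            continue
        cmd = line.strip()
        if section.startswith("interface Tunnel") and (m := TUNNEL_RE.fullmatch(cmd)):
            facts["tunnel"][m.group(1)] = m.group(2)
        elif section.startswith("router ospf") and (m := re.fullmatch(r"router-id (\S+)", cmd)):
            facts["router_id"] = m.group(1)
    return facts

def check_pair(hub_cfg, spoke_cfg):  # returns findings; an empty list means the pair is consistent
    hub, spoke = parse_ios(hub_cfg), parse_ios(spoke_cfg)
    findings = []
    for cmd in MUST_MATCH:
        if hub["tunnel"].get(cmd) != spoke["tunnel"].get(cmd):
            findings.append(f"'{cmd}' differs: hub={hub['tunnel'].get(cmd)} spoke={spoke['tunnel'].get(cmd)}")
    if not hub["router_id"] or not spoke["router_id"]:
        findings.append("router-id must be set explicitly under 'router ospf' on both routers")
    elif hub["router_id"] == spoke["router_id"]:
        findings.append(f"duplicate OSPF router-id {hub['router_id']}: the adjacency will not form")
    if spoke["tunnel"].get("ip ospf priority") != "0":
        findings.append("spoke should use 'ip ospf priority 0' so only the hub can become DR")
    if hub["tunnel"].get("tunnel mode gre") != "multipoint":
        findings.append("hub tunnel needs 'tunnel mode gre multipoint'")
    return findings
```

Run `check_pair` on the output of `show running-config` from both routers before bringing the tunnel up; it reports two findings for the constructed pair and none once the spoke gets its own router-id and priority 0.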

Download the file for the hub-router click here
Download the file for the spoke-router click here
