Re: Cisco DMVPN Configuration Question

[Garrett Skjelstad <garrett () skjelstad org>]

No way around this with DMVPN.

Sent from my iPhone

On Aug 16, 2013, at 9:05, Ray Soucy <rps () maine edu> wrote:

> Don't usually poke NANOG for a second pair of eyes, but got hit with an
> urgent need to get connectivity up on a small budget.
>
> I've run into a situation where I require multiple DMVPN spokes to be
> behind a single NAT IP (picture of things to come with CGN?)
>
> The DMVPN endpoint works fine behind NAT until a 2nd is added behind the
> same IP address.  At that point the hub gets confused and I start seeing
> packet loss to the endpoints in a round-robin fashion.
>
> As far as I can see Cisco documentation says pretty clearly that each DMVPN
> spoke requires a unique IP address.  Is there any way around this, or do I
> need to be looking at an alternative VPN solution?
>
> Hub config:
>
> ----8<----
> description DMVPN
> bandwidth 100000
> ip address 10.231.254.1 255.255.255.0
> no ip redirects
> ip mtu 1400
> ip nhrp authentication ! removed
> ip nhrp map multicast dynamic
> ip nhrp network-id 1
> ip nhrp redirect
> ip tcp adjust-mss 1360
> tunnel source ! removed
> tunnel mode gre multipoint
> tunnel key 0
> tunnel protection ipsec profile DMVPN
> ----8<----
>
> Spoke:
>
> ----8<----
> interface Tunnel2
> description DMVPN
> bandwidth 100000
> ip vrf forwarding DMVPN
> ip address 10.231.254.10 255.255.255.0
> no ip redirects
> ip mtu 1400
> ip nhrp authentication ! removed
> ip nhrp map multicast ! removed
> ip nhrp map 10.231.254.1 ! removed
> ip nhrp network-id 1
> ip nhrp nhs 10.231.254.1
> ip nhrp shortcut
> ip tcp adjust-mss 1360
> tunnel source FastEthernet0/0
> tunnel mode gre multipoint
> tunnel key 0
> tunnel protection ipsec profile DMVPN
> end
> ----8<----
>
> -- 
> Ray Patrick Soucy
> Network Engineer
> University of Maine System
>
> T: 207-561-3526
> F: 207-561-3531
>
> MaineREN, Maine's Research and Education Network
> www.maineren.net