Hello Gregory, thanks for your answer. Static NAT may work, but I want to simulate the NAT inside the core network, where I don't have control.

You are right in saying GNS3 is not like the real equipment. However, the Cisco documentation regarding DMVPN behind NAT is not clear at all; there are a lot of "may"s. Also, the scenario they put as an example is just a spoke behind NAT. That scenario works correctly in GNS3.
http://www.cisco.com/c/en/us/td/docs/ios/sec_secure_connectivity/configuration/guide/15_0/sec_secure_connectivity_15_0_book/dmvpn_dt_spokes_b_nat.html
So I just suspect something is wrong.

Thanks,
Cristiano

2014-02-21 11:47 GMT+00:00 Gregory Volcy <[email protected]>:

> Change your NAT from PAT to static. Also remember GNS3 is not real
> equipment; you have other issues other than the Cisco DMVPN config that may
> cause that issue. Maybe you're chasing a ghost.
>
> On Feb 21, 2014 6:31 AM, "Cristiano Guerrieri" <[email protected]> wrote:
>
>> Hi all,
>> I'm running a few tests using GNS3. I built several scenarios using
>> DMVPN. There is one in particular that is driving me crazy.
>>
>> Basically I have two spokes behind the same NAT router and the HUB is
>> facing the NAT router. NAT router and HUB are on the same network.
>>
>> The problem I'm running into is that I have only one spoke working (able
>> to ping the hub) at a time, even though under "sh dmvpn" I can see both
>> spokes correctly registered. The working spoke, however, has an
>> intermittent connection toward the hub.
>>
>> Interface: Tunnel0, IPv4 NHRP Details
>> Type:Hub, Total NBMA Peers (v4/v6): 2
>>
>> # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network
>> ----- --------------- --------------- ----- -------- ----- -----------------
>>     1         0.0.0.0         1.1.1.1  NHRP    never    IX        1.1.1.1/32
>>
>>     2      172.16.1.2         1.1.1.2    UP 00:00:20    DN        1.1.1.2/32
>>                                                   Claimed Addr. 10.2.2.2
>>     0      172.16.1.2         1.1.1.3    UP 00:00:34    DN        1.1.1.3/32
>>                                                   Claimed Addr. 10.2.2.3
>>
>>
>> HUB-1#sh ip nhrp detail
>> 1.1.1.2/32 via 1.1.1.2
>>    Tunnel0 created 00:12:11, expire 01:47:48
>>    Type: dynamic, Flags: unique registered
>>    NBMA address: 172.16.1.2
>>        (Claimed NBMA address: 10.2.2.2)
>> 1.1.1.3/32 via 1.1.1.3
>>    Tunnel0 created 00:12:25, expire 01:50:47
>>    Type: dynamic, Flags: unique registered
>>    NBMA address: 172.16.1.2
>>        (Claimed NBMA address: 10.2.2.3)
>>
>>
>> Below is the ping from Spoke-1:
>>
>> Type escape sequence to abort.
>> Sending 1000, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
>> !!!!.!.!!!!!!!.!.!!!!!!!!!!!!!!!!!!!!!!.!.!!!!!!!!!!!!!!!!!!!!!!.!.!!!
>> !!!!!!!!!!!!!!!!!!!
>> *Mar 1 00:03:38.131: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=1.!.!!!!!!!!!!!!!!!!!!!!!!!!!.!.!!!!!!!!!!!!!!!!!!!!
>> !!!!!.!!!!!!!!!!!!!!!.!!!!!!!!.!!!!!!!!!!!!!!!.!!!!!!!!.!!!!!!!!!!!!!!
>> !.!!!!!!!!!!!!!.!.!!!!!!!!!!!!!!!!!!!!!!.!.!!!!!!!!!!!!!!!!!!!!!!!!!!!
>> !!!!!!!.!!!!.!!!!!!!!!!!!!!!!!!!
>>
>>
>> I've noticed that %CRYPTO-4-RECVD_PKT_MAC_ERR. Looking at the Cisco
>> documentation, it looks like the packet is corrupted or there is a problem
>> with the link.
>>
>> Pinging from both spokes at the same time, when Spoke-1 works, Spoke-2
>> cannot ping the hub, and vice versa. This moves from one to the other
>> randomly.
>>
>>
>> Below are the relevant configs:
>>
>> HUB-1#sh run | sec crypto
>> crypto isakmp policy 10
>>  encr aes
>>  authentication pre-share
>> crypto isakmp key test address 0.0.0.0 0.0.0.0
>> crypto ipsec transform-set trans-dmvpn esp-3des esp-sha-hmac
>>  mode transport
>> crypto ipsec profile DMVPN
>>  set transform-set trans-dmvpn
>> HUB-1#sh run inter tunnel 0
>> Building configuration...
>>
>> Current configuration : 296 bytes
>> !
>> interface Tunnel0
>>  ip address 1.1.1.1 255.255.255.0
>>  no ip redirects
>>  ip nhrp authentication test
>>  ip nhrp map multicast dynamic
>>  ip nhrp network-id 1
>>  ip ospf network point-to-multipoint
>>  tunnel source FastEthernet0/0
>>  tunnel mode gre multipoint
>>  tunnel protection ipsec profile DMVPN
>> !
>> end
>>
>> Current configuration : 98 bytes
>> !
>> interface FastEthernet0/0
>>  ip address 172.16.1.1 255.255.255.0
>>  duplex auto
>>  speed auto
>> !
>> end
>> HUB-1#sh run inter fas 0/1
>> Building configuration...
>>
>> Current configuration : 101 bytes
>> !
>> interface FastEthernet0/1
>>  ip address 192.168.200.1 255.255.255.0
>>  duplex auto
>>  speed auto
>> !
>> ----------------------------------------
>>
>> Spoke-1#sh run | s crypto
>> crypto isakmp policy 10
>>  encr aes
>>  authentication pre-share
>> crypto isakmp key test address 0.0.0.0 0.0.0.0
>> crypto ipsec transform-set trans esp-3des esp-sha-hmac
>>  mode transport
>> crypto ipsec profile DMVPN
>>  set transform-set trans
>>
>> Building configuration...
>>
>> Current configuration : 380 bytes
>> !
>> interface Tunnel0
>>  ip address 1.1.1.2 255.255.255.0
>>  no ip redirects
>>  ip nhrp authentication test
>>  ip nhrp map multicast dynamic
>>  ip nhrp map 1.1.1.1 172.16.1.1
>>  ip nhrp map multicast 172.16.1.1
>>  ip nhrp network-id 1
>>  ip nhrp nhs 1.1.1.1
>>  ip ospf network point-to-multipoint
>>  tunnel source FastEthernet0/0
>>  tunnel mode gre multipoint
>>  tunnel protection ipsec profile DMVPN
>> end
>>
>>
>> Spoke-1#sh run int fas 0/0
>> Building configuration...
>>
>> Current configuration : 92 bytes
>> !
>> interface FastEthernet0/0
>>  ip address 10.2.2.2 255.255.255.0
>>  speed 100
>>  full-duplex
>> end
>>
>> Spoke-1#sh run int fas 0/1
>> Building configuration...
>>
>> Current configuration : 92 bytes
>> !
>> interface FastEthernet0/1
>>  ip address 10.1.1.1 255.255.255.0
>>  speed 100
>>  full-duplex
>>
>>
>>
>> ---------------------------------------
>>
>> Spoke-2#sh run | s crypto
>> crypto isakmp policy 10
>>  encr aes
>>  authentication pre-share
>> crypto isakmp key test address 0.0.0.0 0.0.0.0
>> crypto ipsec transform-set trans esp-3des esp-sha-hmac
>>  mode transport
>> crypto ipsec profile DMVPN
>>  set transform-set trans
>> Spoke-2#
>>
>> Spoke-2#sh run int tun 0
>> Building configuration...
>>
>> Current configuration : 380 bytes
>> !
>> interface Tunnel0
>>  ip address 1.1.1.3 255.255.255.0
>>  no ip redirects
>>  ip nhrp authentication test
>>  ip nhrp map multicast dynamic
>>  ip nhrp map 1.1.1.1 172.16.1.1
>>  ip nhrp map multicast 172.16.1.1
>>  ip nhrp network-id 1
>>  ip nhrp nhs 1.1.1.1
>>  ip ospf network point-to-multipoint
>>  tunnel source FastEthernet0/0
>>  tunnel mode gre multipoint
>>  tunnel protection ipsec profile DMVPN
>> end
>>
>>
>> Spoke-2#sh run in fas 0/0
>> Building configuration...
>>
>> Current configuration : 92 bytes
>> !
>> interface FastEthernet0/0
>>  ip address 10.2.2.3 255.255.255.0
>>  speed 100
>>  full-duplex
>> end
>>
>> Spoke-2#sh run in fas 0/1
>> Building configuration...
>>
>> Current configuration : 94 bytes
>> !
>> interface FastEthernet0/1
>>  ip address 172.31.1.1 255.255.255.0
>>  speed 100
>>  full-duplex
>> end
>>
>> ---------------------------------
>>
>> NAT-1#sh run int fas 0/0
>> Building configuration...
>>
>> Current configuration : 133 bytes
>> !
>> interface FastEthernet0/0
>>  ip address 172.16.1.2 255.255.255.0
>>  ip nat outside
>>  ip virtual-reassembly
>>  speed 100
>>  full-duplex
>> end
>>
>> NAT-1#sh run int fas 0/1
>> Building configuration...
>>
>> Current configuration : 130 bytes
>> !
>> interface FastEthernet0/1
>>  ip address 10.2.2.1 255.255.255.0
>>  ip nat inside
>>  ip virtual-reassembly
>>  speed 100
>>  full-duplex
>> end
>>
>> NAT-1#sh run | i nat
>>  ip nat outside
>>  ip nat inside
>> ip nat inside source list 1 interface FastEthernet0/0 overload
>> NAT-1#
>>
>>
>>
>> Any ideas or suggestions?
>>
>> Thanks,
>> Cristiano
>> _______________________________________________
>> Free CCIE R&S, Collaboration, Data Center, Wireless & Security Videos ::
>>
>> iPexpert on YouTube: www.youtube.com/ipexpertinc
>>
>
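A check for the symptom visible in the quoted HUB-1 `sh ip nhrp detail` output, as an added example that is not part of the thread or of any Cisco tool: it parses the hub's NHRP cache and reports any NBMA address that more than one registered spoke maps to, together with each spoke's claimed pre-NAT address, which is how the hub's view of two spokes behind one PAT device shows up. It also counts replies and timeouts in IOS ping output that has a syslog message interleaved with the result stream, as in the Spoke-1 transcript. The NHRP text is copied from the thread; the short ping transcript is constructed for the example; the regular expressions and function names are my own assumptions about the output formats.

```python
"""Spot NHRP peers that share one NBMA address (spokes behind the same NAT/PAT).

Added example, not code from the thread. Input formats follow the
'show ip nhrp detail' and ping output quoted in the thread; the regexes
are assumptions about those formats.
"""
import re
from collections import defaultdict

# Copied from the HUB-1 'sh ip nhrp detail' output quoted in the thread.
NHRP_DETAIL = """\
1.1.1.2/32 via 1.1.1.2
   Tunnel0 created 00:12:11, expire 01:47:48
   Type: dynamic, Flags: unique registered
   NBMA address: 172.16.1.2
       (Claimed NBMA address: 10.2.2.2)
1.1.1.3/32 via 1.1.1.3
   Tunnel0 created 00:12:25, expire 01:50:47
   Type: dynamic, Flags: unique registered
   NBMA address: 172.16.1.2
       (Claimed NBMA address: 10.2.2.3)
"""

# Constructed short ping transcript in the shape of the Spoke-1 output:
# 20 echoes, with a syslog message printed in the middle of the result stream.
PING_OUTPUT = """\
Type escape sequence to abort.
Sending 20, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!.!.!!!!!!!
*Mar  1 00:03:38.131: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=1.!.!!!
"""

ENTRY_RE = re.compile(r"^(\S+)/(\d+) via (\S+)\s*$")
FLAGS_RE = re.compile(r"^\s*Type:\s*(\w+),\s*Flags:\s*(.*)$")
NBMA_RE = re.compile(r"^\s*NBMA address:\s*(\S+)")
CLAIMED_RE = re.compile(r"^\s*\(Claimed NBMA address:\s*(\S+)\)")
SENDING_RE = re.compile(r"^Sending (\d+),")
# IOS syslog line embedded in ping output: timestamp, facility mnemonic, then the
# message text up to the next '!' or '.', where the ping result characters resume.
SYSLOG_RE = re.compile(r"\*\w{3}\s+\d+\s+\d\d:\d\d:\d\d\.\d+:\s*(%[A-Z0-9_-]+):[^!.]*")


def parse_nhrp_detail(text):
    """Return one dict per NHRP cache entry: prefix, tunnel, type, flags, nbma, claimed."""
    entries, current = [], None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            current = {"prefix": f"{m.group(1)}/{m.group(2)}", "tunnel": m.group(3),
                       "type": None, "flags": (), "nbma": None, "claimed": None}
            entries.append(current)
            continue
        if current is None:
            continue
        if (m := FLAGS_RE.match(line)):
            current["type"], current["flags"] = m.group(1), tuple(m.group(2).split())
        elif (m := NBMA_RE.match(line)):
            current["nbma"] = m.group(1)
        elif (m := CLAIMED_RE.match(line)):
            current["claimed"] = m.group(1)
    return entries


def shared_nbma(entries):
    """NBMA addresses that more than one dynamically registered spoke maps to,
    with each spoke's tunnel address and the pre-NAT address it claimed.
    A non-empty result means the hub sees those spokes through one NAT/PAT device."""
    by_nbma = defaultdict(list)
    for e in entries:
        if e["type"] == "dynamic" and e["nbma"]:
            by_nbma[e["nbma"]].append((e["tunnel"], e["claimed"]))
    return {nbma: peers for nbma, peers in by_nbma.items() if len(peers) > 1}


def ping_stats(text):
    """Count '!' (reply) and '.' (timeout) after the 'Sending N' header, ignoring
    any syslog message interleaved with the results, and collect its mnemonics."""
    messages, sent, counting = [], 0, False
    success = lost = 0

    def grab(m):
        messages.append(m.group(1))
        return ""

    for line in text.splitlines():
        if not counting:
            m = SENDING_RE.match(line)
            if m:
                sent, counting = int(m.group(1)), True
            continue
        results = SYSLOG_RE.sub(grab, line)
        success += results.count("!")
        lost += results.count(".")
    return {"sent": sent, "success": success, "lost": lost, "syslog": messages}


if __name__ == "__main__":
    for nbma, peers in shared_nbma(parse_nhrp_detail(NHRP_DETAIL)).items():
        print(f"NBMA {nbma} is shared by {len(peers)} registered spokes:")
        for tunnel, claimed in peers:
            print(f"  tunnel {tunnel} (claimed pre-NAT address {claimed})")
    print(ping_stats(PING_OUTPUT))
```

Run against the thread's output, `shared_nbma` reports 172.16.1.2 shared by tunnel peers 1.1.1.2 and 1.1.1.3 with claimed addresses 10.2.2.2 and 10.2.2.3, which is the state to look for when a hub shows two registered spokes but only one of them can pass traffic at a time.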
