No way around this with DMVPN.
On Aug 16, 2013, at 9:05, Ray Soucy wrote:
> Don't usually poke NANOG for a second pair of eyes, but got hit with an
> urgent need to get connectivity up on a small budget.
>
> I've run into a situation where I require multiple DMVPN spokes to be
> behind a single NAT IP (picture of things to come with CGN?)
>
> The DMVPN endpoint works fine behind NAT until a 2nd is added behind the
> same IP address. At that point the hub gets confused and I start seeing
> packet loss to the endpoints in a round-robin fashion.
>
> As far as I can see Cisco documentation says pretty clearly that each DMVPN
> spoke requires a unique IP address. Is there any way around this, or do I
> need to be looking at an alternative VPN solution?
>
> Hub config:
>
> 8<
> description DMVPN
> bandwidth 10
> ip address 10.231.254.1 255.255.255.0
> no ip redirects
> ip mtu 1400
> ip nhrp authentication ! removed
> ip nhrp map multicast dynamic
> ip nhrp network-id 1
> ip nhrp redirect
> ip tcp adjust-mss 1360
> tunnel source ! removed
> tunnel mode gre multipoint
> tunnel key 0
> tunnel protection ipsec profile DMVPN
> 8<
>
> Spoke:
>
> 8<
> interface Tunnel2
> description DMVPN
> bandwidth 10
> ip vrf forwarding DMVPN
> ip address 10.231.254.10 255.255.255.0
> no ip redirects
> ip mtu 1400
> ip nhrp authentication ! removed
> ip nhrp map multicast ! removed
> ip nhrp map 10.231.254.1 ! removed
> ip nhrp network-id 1
> ip nhrp nhs 10.231.254.1
> ip nhrp shortcut
> ip tcp adjust-mss 1360
> tunnel source FastEthernet0/0
> tunnel mode gre multipoint
> tunnel key 0
> tunnel protection ipsec profile DMVPN
> end
> 8<
>
> --
> Ray Patrick Soucy
> Network Engineer
> University of Maine System
>
> T: 207-561-3526
> F: 207-561-3531
>
> MaineREN, Maine's Research and Education Network
> www.maineren.net