No way around this with DMVPN. Sent from my iPhone
On Aug 16, 2013, at 9:05, Ray Soucy <r...@maine.edu> wrote: > Don't usually poke NANOG for a second pair of eyes, but got hit with an > urgent need to get connectivity up on a small budget. > > I've run into a situation where I require multiple DMVPN spokes to be > behind a single NAT IP (picture of things to come with CGN?) > > The DMVPN endpoint works fine behind NAT until a 2nd is added behind the > same IP address. At that point the hub gets confused and I start seeing > packet loss to the endpoints in a round-robin fashion. > > As far as I can see Cisco documentation says pretty clearly that each DMVPN > spoke requires a unique IP address. Is there any way around this, or do I > need to be looking at an alternative VPN solution? > > Hub config: > > ----8<---- > description DMVPN > bandwidth 100000 > ip address 10.231.254.1 255.255.255.0 > no ip redirects > ip mtu 1400 > ip nhrp authentication ! removed > ip nhrp map multicast dynamic > ip nhrp network-id 1 > ip nhrp redirect > ip tcp adjust-mss 1360 > tunnel source ! removed > tunnel mode gre multipoint > tunnel key 0 > tunnel protection ipsec profile DMVPN > ----8<---- > > Spoke: > > ----8<---- > interface Tunnel2 > description DMVPN > bandwidth 100000 > ip vrf forwarding DMVPN > ip address 10.231.254.10 255.255.255.0 > no ip redirects > ip mtu 1400 > ip nhrp authentication ! removed > ip nhrp map multicast ! removed > ip nhrp map 10.231.254.1 ! removed > ip nhrp network-id 1 > ip nhrp nhs 10.231.254.1 > ip nhrp shortcut > ip tcp adjust-mss 1360 > tunnel source FastEthernet0/0 > tunnel mode gre multipoint > tunnel key 0 > tunnel protection ipsec profile DMVPN > end > ----8<---- > > -- > Ray Patrick Soucy > Network Engineer > University of Maine System > > T: 207-561-3526 > F: 207-561-3531 > > MaineREN, Maine's Research and Education Network > www.maineren.net
