said by meta: The advantage of true multipoint DMVPN is that the spokes can build tunnels to each other and communicate.
Please double check in the lab that it's still possible (and they don't have to go through the hub) to get traffic from spoke A to spoke B.
Ok, I took it upon myself to try and get a phase 2 implementation... I believe I have succeeded, however any input would be appreciated.
From what I can tell, there was an IPsec problem using the same tunnel source in the mGRE tunnel. A command was added in the IOS to allow for this. On the spoke we add:
tunnel protection ipsec profile cisco shared
The shared keyword allows you to use the same tunnel source apparently.
HUB:
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
no logging console
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
!
crypto isakmp policy 3
hash md5
authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
!
crypto ipsec profile cisco
set security-association lifetime seconds 120
set transform-set strong
!
!
interface Loopback0
ip address 192.168.1.1 255.255.255.0
!
interface Tunnel0
bandwidth 1000
ip address 172.16.1.1 255.255.255.0
no ip redirects
ip mtu 1440
no ip next-hop-self eigrp 90
ip nhrp authentication cisco123
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip nhrp holdtime 600
no ip split-horizon eigrp 90
delay 1000
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 0
tunnel protection ipsec profile cisco
!
interface Tunnel1
bandwidth 1000
ip address 172.17.1.1 255.255.255.0
no ip redirects
ip mtu 1440
no ip next-hop-self eigrp 90
ip nhrp authentication cisco123
ip nhrp map multicast dynamic
ip nhrp network-id 2
ip nhrp holdtime 600
no ip split-horizon eigrp 90
delay 1000
tunnel source FastEthernet0/1
tunnel mode gre multipoint
tunnel key 1
tunnel protection ipsec profile cisco
!
interface FastEthernet0/0
ip address 199.1.1.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 200.1.1.1 255.255.255.0
duplex auto
speed auto
!
router eigrp 90
network 172.16.1.0 0.0.0.255
network 172.17.1.0 0.0.0.255
network 192.168.1.0
no auto-summary
!
ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 199.1.1.2
ip route 0.0.0.0 0.0.0.0 200.1.1.2 5
!
!
control-plane
!
line con 0
line aux 0
line vty 0 4
login
!
!
end
SPOKE:
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
no logging console
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
!
crypto isakmp policy 3
hash md5
authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
!
crypto ipsec profile cisco
set security-association lifetime seconds 120
set transform-set strong
!
!
interface Loopback0
ip address 192.168.244.1 255.255.255.0
no ip redirects
!
interface Tunnel0
bandwidth 1000
ip address 172.16.1.2 255.255.255.0
ip mtu 1440
ip nhrp authentication cisco123
ip nhrp map multicast 199.1.1.1
ip nhrp map 172.16.1.1 199.1.1.1
ip nhrp network-id 1
ip nhrp holdtime 300
ip nhrp nhs 172.16.1.1
ip nhrp registration timeout 30
delay 1000
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 0
tunnel protection ipsec profile cisco shared
!
interface Tunnel1
bandwidth 1000
ip address 172.17.1.2 255.255.255.0
ip mtu 1440
ip nhrp authentication cisco123
ip nhrp map multicast 200.1.1.1
ip nhrp map 172.17.1.1 200.1.1.1
ip nhrp network-id 2
ip nhrp holdtime 300
ip nhrp nhs 172.17.1.1
delay 1500
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 1
tunnel protection ipsec profile cisco shared
!
interface FastEthernet0/0
ip address 201.1.1.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
!
router eigrp 90
offset-list 1 out 12800 Tunnel1
network 172.16.1.0 0.0.0.255
network 172.17.1.0 0.0.0.255
network 192.168.244.0
distribute-list 1 out
no auto-summary
eigrp stub connected
!
ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 201.1.1.2
!
!
access-list 1 permit 172.168.16.0
access-list 1 permit 172.168.17.0
access-list 1 permit 192.168.244.0
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
login
!
!
end
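A way to check a saved config for the condition discussed in this post (two protected tunnels reusing one tunnel source, with `shared` missing on one of them), written as an added example that is not part of the original post. The `audit` function, the `WEAK` table and the sample config are assumptions made for illustration. The example also goes beyond the post by flagging MD5, 3DES and a wildcard pre-shared key, all of which appear in the configs above.

```python
import re
from collections import defaultdict

# Constructed sample (not the poster's config): Tunnel1 omits "shared".
SAMPLE = """\
crypto isakmp policy 3
 hash md5
crypto isakmp key EXAMPLE-KEY address 0.0.0.0 0.0.0.0
crypto ipsec transform-set strong esp-3des esp-md5-hmac
interface Tunnel0
 tunnel source FastEthernet0/0
 tunnel protection ipsec profile cisco shared
interface Tunnel1
 tunnel source FastEthernet0/0
 tunnel protection ipsec profile cisco
"""

# Hypothetical rule table: pattern -> finding for settings that weaken IPsec.
WEAK = [
    (r"^hash md5$", "ISAKMP policy uses MD5"),
    (r"^crypto ipsec transform-set .*\besp-3des\b", "transform-set uses 3DES"),
    (r"^crypto ipsec transform-set .*\besp-md5-hmac\b", "transform-set uses HMAC-MD5"),
    (r"^crypto isakmp key .* address 0\.0\.0\.0\b", "wildcard pre-shared key matches any peer"),
]

def audit(config):
    """Return sorted findings for an IOS config string (indented or flattened)."""
    findings, tunnels, cur = [], {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if line.startswith("interface "):
            # Track tunnel interfaces only; any other interface closes the block.
            name = line.split()[1]
            cur = tunnels.setdefault(name, {}) if name.startswith("Tunnel") else None
        elif cur is not None and line.startswith("tunnel source "):
            cur["source"] = line.split()[2]
        elif cur is not None and line.startswith("tunnel protection ipsec profile "):
            cur["shared"] = line.split()[5:] == ["shared"]
        findings += [msg for pat, msg in WEAK if re.search(pat, line)]
    by_source = defaultdict(list)
    for name, t in tunnels.items():
        if "source" in t and "shared" in t:  # protected tunnels only
            by_source[t["source"]].append(name)
    for source, names in by_source.items():
        if len(names) > 1:  # the same tunnel source is reused
            findings += [f"{n}: source {source} is reused but 'shared' is missing"
                         for n in names if not tunnels[n]["shared"]]
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Because the parser keys on `interface` lines rather than indentation, it also works on configs pasted without leading spaces, as in this post.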