Re: DMVPN ipsec tunnel establishment concept question from Keith Barker on 2010-04-09 (Ccielab archives 04/2010)

From: Keith Barker <kbarker_at_ine.com>
Date: Thu, 8 Apr 2010 23:35:02 -0500

Jeremy-

Here is a very detailed, step by step walkthrough of the whole process:

http://blog.ine.com/2008/08/02/dmvpn-explained/

Details on latest enhancements are here:

http://blog.ine.com/2008/12/23/dmvpn-phase-3/

Regarding the cutover time for the spoke to spoke tunnels, there is absolutely a delay as IKE phase 1 and 2 are negotiated and built between the spokes. One option for minimizing this is to use DMVPN without the IPSec, and use a GET VPN overlay which removes the requirement for the spoke to spoke tunnel negotiation and still allows the benefits of IPSec. Example of the two combined, with full configs, are here:

http://blog.ine.com/2009/09/30/bob-is-back-dmvpnget-vpn-assistance-needed/

Best wishes,

Keith H. Barker, CCIE #6783
Instructor
kbarker_at_ine.com
Internetwork Expert, Inc.
http://ine.com
Toll Free: 877-224-8987
Outside US: 775-826-4344

On Apr 8, 2010, at 9:55 PM, jeremy co wrote:

> Hi folks,
>
>
> R2-------------R1(HUB)--------------------R3
>
> I faced a doubt on ipsec part of the dmvpn. I've got 3 questions:
>
> As the first packet from R2 has to go via hub since it doesn't now about
> R3's NBMA address.In the mean while that it tries to resolve NMBA address
> of R3 , still having glean adjacency , it sends packets through hub.(another
> question here is how R2 knows that it should send the packet through hub
> ???? since all of the routes coming from R1 to R2 have the next-hop of R3).
>
>
> Second question is how the tunnel establishment works here? An ipsec tunnel
> establishes between R2 and R1 for the first packet following with R1 to R3
> ipsec tunnel and after R2 and R3 knows about each others NBMA addresses
> ,they establish ipsec tunnel directly and R2-->R1 ,R1-->R3 ipsec tunnels
> will die after a while ? or being up for update exchanges between hub and
> spokes?
>
>
>
> What is the impact of dmvpn here on voice traffic? from tunnel
> establishment point of view? Is the audible voice distortion caused by
> switching from spoke-hub-spoke ipsec tunnels to spoke-spoke ipsec tunnels?
>
>
>
>
>
>
> Cheers,
>
>
> Jeremy
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

Blogs and organic groups at http://www.ccie.net
Received on Thu Apr 08 2010 - 23:35:02 ART

This archive was generated by hypermail 2.2.0 : Sat May 01 2010 - 09:49:56 ART