In that case, you have to pay attention on\u00a0IPsec encap mode…<\/p>\n
<\/p>\n
http:\/\/www.cisco.com\/c\/en\/us\/td\/docs\/ios-xml\/ios\/sec_conn_dmvpn\/configuration\/12-4t\/sec-conn-dmvpn-12-4t-book\/sec-conn-dmvpn-dt-spokes-b-nat.html<\/p>\n
\nNHRP Registration<\/h4>\n
\nWhen an NHRP registration is received, the hub checks the source IP address on the encapsulating GRE\/IP header of the NHRP packet with the source NBMA IP address, which is contained in the NHRP registration packet. If these IP addresses are different, then NHRP knows that NAT is changing the outer IP header source address. The hub preserves both the pre- and post-NAT address of the registered spoke.<\/p>\n
\n\n
\n Note<\/b><\/td>\n \n
\nIf encryption is used, then IPsec transport mode must be used to enable NHRP.<\/p>\n
\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/blockquote>\n<\/p>\n
Let’s see this behavior.<\/p>\n
1) show ip nhrp output in transport mode DMVPN.<\/p>\n
Router-NHS#sh ip nhrp
\n10.10.10.1\/32 via\u00a010.10.10.2
\nTunnel0 created 00:16:58, expire 01:43:02
\nType: dynamic, Flags: unique registered
\nNBMA address:\u00a01.1.1.1
\n(Claimed NBMA address: 192.168.1.1)<\/p><\/blockquote>\nNHRP realize the IP address is changed by NAT (192.168.1.1 to 1.1.1.1).<\/p>\n
2) show ip nhrp output in\u00a0tunnel mode\u00a0DMVPN.<\/p>\n
Router-NHS#sh ip nhrp
\n10.10.10.1\/32 via\u00a010.10.10.2
\nTunnel0 created 00:00:11, expire 01:59:49
\nType: dynamic, Flags: unique registered used
\nNBMA address: 192.168.1.1<\/p><\/blockquote>\n<\/p>\n
I\uff4e the Case(2), NHRP believes the packet is not NATted since the original IP header is encapsulation and not changed. Therefore, original local(before nat) address is used as the NBMA address.<\/p>\n","protected":false},"excerpt":{"rendered":"
In that case, you have to pay attention on\u00a0IPsec e […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[18,6,16],"tags":[],"class_list":["post-2487","post","type-post","status-publish","format-standard","hentry","category-ccie","category-6","category-16"],"_links":{"self":[{"href":"http:\/\/uraneko.tcorps.info\/index.php?rest_route=\/wp\/v2\/posts\/2487","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/uraneko.tcorps.info\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/uraneko.tcorps.info\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/uraneko.tcorps.info\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/uraneko.tcorps.info\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2487"}],"version-history":[{"count":4,"href":"http:\/\/uraneko.tcorps.info\/index.php?rest_route=\/wp\/v2\/posts\/2487\/revisions"}],"predecessor-version":[{"id":2491,"href":"http:\/\/uraneko.tcorps.info\/index.php?rest_route=\/wp\/v2\/posts\/2487\/revisions\/2491"}],"wp:attachment":[{"href":"http:\/\/uraneko.tcorps.info\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2487"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/uraneko.tcorps.info\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2487"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/uraneko.tcorps.info\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2487"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}