DMVPN behind NAT

Hi all,

Since a few days i’m trying to get DMVPN working in VyOS. Before i did a test lab with VirtualBox and all was working fine…

And then i tried to apply this in the “real” world (public IP and NAT). (

Here a simple diagram:

But the DMVPN won’t come up!

HUB-01 Error Message:
no matching CHILD_SA config found for[gre] ===[gre]

SPOKE-01 Error Message:
parsed INFORMATIONAL_V1 request 2545666525 [ HASH N(INVAL_ID) ]
received INVALID_ID_INFORMATION error notify

And then i found a topic for VyOS with the same problem and some others in the forum but with no solution except of this:

If i change /etc/swanctl/swanctl.conf on the HUB side from:
remote_ts = dynamic[gre] to remote_ts =[gre]

It works!

But i think that can not be the solution and any time i reboot the Hub or the configuration is regenerated it well be set back to dynamic[gre]

And my question now is, do you maybe have a solution for this scenario :)?

Kind regards

Hello @kevinhaag. Can you check, in this case, is other Spokes can establish IPSec connection between Spoke behind NAT, or all traffic will passed through HUB?

Hi @Dmitry

Thank you for your reply!
For my test scenario i only had one spoke…
And now i setup my tunnels with wireguard (just point to point) from my spoke to my hub.
So its up an running but i will test these on my virtualbox lab an will setup my spokes with dynamic IP’s. And then i will reply back to you if this would work…

I really wan’t to get DMVPN working with vyos :slight_smile:
That would be a great alternative to a expensive CISCO Setup…