Azure DMVPN

“I would like to access confidential lab resources and services from any of our remote sites.” That’s the idea I had. DMVPN seemed like the obvious answer as the Cradlepoint routers I had at all the remote sites were capable of DMVPN, even behind their cellular connections with private IPs.

The easy answer here would have been to use a spare router at the lab as the hub, but I didn’t have a spare public IP at the lab, so (obviously) I fired up my free Azure account with credits. I spun up a pre-built Cisco CSR1000v virtual router VM and configured it as a DMVPN hub. I finished configuring the Cradlepoint as a spoke. The bits refused to flow.

Ok, ok, I’m new to Azure. I set up the requisite firewall/vnet rules to allow traffic, set up a load balancer, and made a successful ping. With that done, I moved back to the Cradlepoint; still no tunnels. Time to troubleshoot that CSR1000v router!

Logging into the router, I started an IPsec debug and pretty quickly could see the attempted negotiation. Turns out I was using the wrong Diffie-Hellman group. Fixed that up and I was able to SSH into all of my spoke routers from the hub. I now had a full mesh topology, with each site only having to use the Azure hub to access the NHRP server. About 2 months later my credit ran out on Azure and I had to shut it all down. Good times though!
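For readers who want to see what the hub side of this looks like, here is an added example of a minimal DMVPN hub configuration for a CSR1000v in the pattern the post describes (mGRE tunnel, NHRP server, IPsec protection). It is not the author’s configuration: the interface name, tunnel addressing, network-id, and the pre-shared key are assumed placeholders, and the IKE/IPsec parameters are illustrative choices. The one line that bit the author is the `group` statement in the ISAKMP policy; the spoke (here the Cradlepoint) must be set to the same Diffie-Hellman group, or phase 1 fails before a tunnel ever comes up.

```cisco
! --- Phase 1 (IKEv1): every value here must match the spoke's IKE settings.
! "group 14" is the Diffie-Hellman group; a mismatch with the spoke is exactly
! the failure the debug output in the post revealed.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! Wildcard peer because spokes sit behind cellular NAT with private,
! changing source addresses. <PSK-PLACEHOLDER> is an assumed placeholder.
crypto isakmp key <PSK-PLACEHOLDER> address 0.0.0.0 0.0.0.0

! --- Phase 2: transport mode is used so NAT-T can wrap ESP in UDP/4500
! when a spoke (or the hub behind its Azure public IP) is NATed.
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS

! --- The mGRE hub interface. The tunnel source is the VM's private NIC;
! spokes register against the Azure public IP that fronts it.
interface Tunnel0
 ip address 10.255.0.1 255.255.255.0          ! assumed tunnel subnet
 no ip redirects
 ip mtu 1400                                  ! leave room for GRE+ESP overhead
 ip tcp adjust-mss 1360
 ip nhrp map multicast dynamic                ! learn spoke NBMA addresses as they register
 ip nhrp network-id 1                         ! assumed; spokes use the same id
 ip nhrp redirect                             ! phase 3: let spokes build direct tunnels
 tunnel source GigabitEthernet1               ! assumed interface name
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-PROF
```

Three commands cover most of the troubleshooting the post went through: `debug crypto isakmp` shows the phase 1 proposal exchange (a rejected proposal with no matching policy is the symptom of the DH-group mismatch), `show crypto isakmp sa` confirms whether phase 1 ever reached an established state, and `show dmvpn` lists the spokes that have registered with the NHRP server once IPsec is up. If the debug shows no packets at all, the problem is still upstream in the Azure NSG or load balancer rules (UDP/500 and UDP/4500 must reach the VM), not the crypto configuration.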