DMVPN - example

 

dmvpn-example-1.png

Assumptions:

R1 - Hub vpn

R3 and R4 - Spoke Vpn

R2 - Internet

R5,R6,R7 - Remote end hosts

 CONFIGURATION


R1(HUB)

Encryption

R1-Hub(config)#crypto isakmp policy 10
R1-Hub(config-isakmp)#encryption 3des
R1-Hub(config-isakmp)#authentication pre-share
R1-Hub(config-isakmp)#group 2
R1-Hub(config-isakmp)#exit

R1-Hub(config)#crypto isakmp key 0 password address 0.0.0.0 0.0.0.0

ISAKMP policy (Phase 1)

Encryption - 3des

Authentication - pre-shared key (the hub needs the same key as the spokes)

Diffie-Hellman group 2

 

R1-Hub(config)#crypto ipsec transform-set dmvpn esp-3des esp-md5-hmac
R1-Hub(cfg-crypto-trans)#exit

IPsec transform set (Phase 2)

Encryption - 3des

Hash algorithm - md5

 

R1-Hub(config)#crypto ipsec profile dmvpn-profile
R1-Hub(ipsec-profile)#set transform-set dmvpn
R1-Hub(ipsec-profile)#exit

Ipsec profile

 

Dmvpn tunnel


R1-Hub(config)# interface tunnel 0

R1-Hub(config-if)#description DMVPN Hub
R1-Hub(config-if)#ip address 10.10.1.1 255.255.255.0

R1-Hub(config-if)#ip mtu 1440

R1-Hub(config-if)#no ip redirects

R1-Hub(config-if)#ip nhrp authentication password

DMVPN authentication via "password"

R1-Hub(config-if)#ip nhrp map multicast dynamic
R1-Hub(config-if)#ip nhrp network-id 100

Network ID for the VPN (has to be the same at each site).

R1-Hub(config-if)#tunnel source 91.223.184.146

Source interface for the tunnel (here the external interface)

R1-Hub(config-if)#tunnel mode gre multipoint

R1-Hub(config-if)#tunnel protection ipsec profile dmvpn-profile

Enabling encryption for dmvpn

R1-Hub(config-if)#exit

Routing

R1-Hub(config)#router eigrp 4
R1-Hub(config-router)#network 10.10.1.0 0.0.0.255
R1-Hub(config-router)#network 10.10.10.0 0.0.0.255

R1-Hub(config-router)#no auto-summary

R1-Hub(config-router)#exit

Remember about "no auto-summary".

Do not advertise EXTERNAL INTERFACES!


R1-Hub(config)#interface Tunnel 0

R1-Hub(config-if)#no ip next-hop-self eigrp 4

Stop the hub from advertising its own IP as the next hop for routes (if you do not do this, traffic will go via R1 instead of directly)

 - with next-hop-self enabled

dmvpn-example-11.png

 - with next-hop-self disabled

dmvpn-example-12.png

R1-Hub(config-if)#no ip split-horizon eigrp 4

Disable split-horizon on the Hub router (very important)

R1-Hub(config-if)#ip hold-time eigrp 4 35

Raise the EIGRP hold timer (Cisco recommendation) to avoid dropping the adjacency due to high link utilization

R1-Hub(config-if)#no ip route-cache cef



R3(Spoke)

R3(config)#crypto isakmp policy 10
R3(config-isakmp)#enc 3des
R3(config-isakmp)#auth pre
R3(config-isakmp)#group 2
R3(config-isakmp)#exit

R3(config)#crypto isakmp key 0 password address 0.0.0.0 0.0.0.0

R3(config)#crypto ipsec transform-set dmvpn esp-3des esp-md5-hmac
R3(cfg-crypto-trans)#exit

R3(config)#crypto ipsec profile dmvpn-profile
R3(ipsec-profile)#set transform-set dmvpn
R3(ipsec-profile)#exit

R3(config)#interface tunnel 0
R3(config-if)#ip address 10.10.1.3 255.255.255.0

R3(config-if)#ip mtu 1440

R3(config-if)#ip nhrp authentication password
R3(config-if)#ip nhrp map multicast dynamic
R3(config-if)#ip nhrp map 10.10.1.1 91.223.184.146

R3(config-if)#ip nhrp map multicast  91.223.184.146

R3(config-if)#ip nhrp network-id 100

R3(config-if)#no ip redirects

R3(config-if)#ip nhrp nhs 10.10.1.1
R3(config-if)#tunnel source 87.204.202.3
R3(config-if)#tunnel mode gre multipoint
R3(config-if)#tunnel protection ipsec profile dmvpn-profile

R3(config-if)#exit

Routing

R3(config)#router eigrp 4
R3(config-router)#network 10.10.1.0 0.0.0.255
R3(config-router)#network 10.10.20.0 0.0.0.255

R3(config-router)#no auto-summary
R3(config-router)#exit

R3(config)#interface tunnel 0
R3(config-if)#no ip next-hop-self eigrp 4

R3(config-if)#ip hold-time eigrp 4 35
R3(config-if)#exit



R4(Spoke)

R4(config)#crypto isakmp policy 10
R4(config-isakmp)#enc 3des
R4(config-isakmp)#auth pre
R4(config-isakmp)#group 2
R4(config-isakmp)#exit

R4(config)#crypto isakmp key 0 password address 0.0.0.0 0.0.0.0

R4(config)#crypto ipsec transform-set dmvpn esp-3des esp-md5-hmac
R4(cfg-crypto-trans)#exit

R4(config)#crypto ipsec profile dmvpn-profile
R4(ipsec-profile)#set transform-set dmvpn
R4(ipsec-profile)#exit

R4(config)#interface tunnel 0

R4(config-if)#ip address 10.10.1.4 255.255.255.0

R4(config-if)#ip mtu 1440

R4(config-if)#ip nhrp map multicast dynamic

R4(config-if)#ip nhrp map 10.10.1.1 91.223.184.146

R4(config-if)#ip nhrp map multicast 91.223.184.146

R4(config-if)#ip nhrp nhs 10.10.1.1

R4(config-if)#ip nhrp authentication password
R4(config-if)#ip nhrp network-id 100

R4(config-if)#no ip redirects

R4(config-if)#tunnel source 195.177.84.46

R4(config-if)#tunnel mode gre multipoint

R4(config-if)#tunnel protection ipsec profile dmvpn-profile
R4(config-if)#exit

 

Routing

R4(config)#router eigrp 4
R4(config-router)#network 10.10.1.0 0.0.0.255
R4(config-router)#network 10.10.30.0 0.0.0.255
R4(config-router)#no auto-summary
R4(config-router)#exit

R4(config)#interface tunnel 0
R4(config-if)#ip next-hop-self eigrp 4
R4(config-if)#ip hold-time eigrp 4 35
R4(config-if)#exit
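
A check that can be run over the crypto commands above before they go onto a production router. This is an added example, not part of the original page: it reads prompt-prefixed session text as shown here (including abbreviated commands such as "enc 3des") and reports the IKE/IPsec parameters it treats as legacy. The flagged sets (DES/3DES, MD5, DH groups 1, 2 and 5, a pre-shared key bound to 0.0.0.0) are this example's assumption of what a review should question.

```python
import re

# Constructed sample: the R3 spoke crypto commands as typed on this page.
R3_SESSION = """\
R3(config)#crypto isakmp policy 10
R3(config-isakmp)#enc 3des
R3(config-isakmp)#auth pre
R3(config-isakmp)#group 2
R3(config-isakmp)#exit
R3(config)#crypto isakmp key 0 password address 0.0.0.0 0.0.0.0
R3(config)#crypto ipsec transform-set dmvpn esp-3des esp-md5-hmac
"""

PROMPT = re.compile(r"^\s*[\w-]+\(([\w-]+)\)#?\s*")  # e.g. "R3(config-isakmp)#"
# Assumption of this example: values a reviewer should treat as legacy.
WEAK_CIPHER = {"des", "3des"}
WEAK_HASH = {"md5"}
WEAK_DH = {"1", "2", "5"}
WEAK_TRANSFORM = {"esp-des", "esp-3des", "esp-md5-hmac", "ah-md5-hmac"}

def is_cmd(word, full):
    """IOS accepts command prefixes, so 'enc' must match 'encryption'."""
    return full.startswith(word.lower())

def audit(session):
    """Return (line_number, finding) pairs for legacy IKE/IPsec settings."""
    findings = []
    for num, raw in enumerate(session.splitlines(), 1):
        m = PROMPT.match(raw)
        mode = m.group(1) if m else ""          # config mode taken from the prompt
        w = PROMPT.sub("", raw).lower().split()
        if len(w) < 2:
            continue
        if mode == "config-isakmp":
            if is_cmd(w[0], "encryption") and w[1] in WEAK_CIPHER:
                findings.append((num, f"phase1 cipher {w[1]}"))
            elif is_cmd(w[0], "hash") and w[1] in WEAK_HASH:
                findings.append((num, f"phase1 hash {w[1]}"))
            elif is_cmd(w[0], "group") and w[1] in WEAK_DH:
                findings.append((num, f"phase1 dh group {w[1]}"))
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            for t in w[4:]:                     # w[3] is the transform-set name
                if t in WEAK_TRANSFORM:
                    findings.append((num, f"phase2 transform {t}"))
        elif w[:3] == ["crypto", "isakmp", "key"] and "address" in w[:-1]:
            if w[w.index("address") + 1] == "0.0.0.0":
                findings.append((num, "pre-shared key valid for any peer"))
    return findings
```

Calling audit(R3_SESSION) returns one finding per weak parameter with the line it was typed on; the same function can be fed the R1 and R4 sessions.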

Tests

  • Check VPN status on the routers

R1-Hub

dmvpn-example-2.png

R3

dmvpn-example-3.png

R4

dmvpn-example-4.png

  •  Check connectivity

R1

dmvpn-example-5.png

R3

dmvpn-example-6.png

R4

dmvpn-example-7.png

 

  • Check EIGRP neighbours (they are certainly up; we are checking them for test purposes)

R1

dmvpn-example-8.png

R3

dmvpn-example-9.png

R4

dmvpn-example-10.png

 

 

 dzbanek 2013-05-2

 
