Configuring Dynamic Multi-Point VPN (DMVPN)


Upload: hathuan

Post on 06-Mar-2018


Scenario 3 - (configuration is based on Figure 3)

1.1 Configuring Full Mesh Dynamic Multi-Point VPN (DMVPN)

Hub Router Configuration

Objective 1: Configuring ISAKMP Policy

Step 1 Enable ISAKMP (optional).
    Hub_Router(config)# crypto isakmp enable

Step 2 Define the ISAKMP policy number, from 1 to 10000 (a lower number has higher priority).
    Hub_Router(config)# crypto isakmp policy 10

Step 3 Define authentication for pre-shared keys.
    Hub_Router(config-isakmp)# authentication pre-share

Step 4 Define the encryption type: DES, 3DES or AES. (The AES default value is 128. You may adjust it to AES-192 or AES-256 for higher security, but it will affect your router CPU performance. DES encryption is not secure.) In this scenario, AES is used as the encryption method.
    Hub_Router(config-isakmp)# encryption aes

Step 5 Define the Diffie-Hellman (DH) group: group 1, 2 or 5. In this scenario, group 2 is used for this ISAKMP policy.
    Hub_Router(config-isakmp)# group 2


Step 6 Define a pre-shared key for this ISAKMP policy. The IP address of all zeros is used because this hub router will learn its remote sites dynamically.
    Hub_Router(config)# crypto isakmp key 0 cisco address 0.0.0.0 0.0.0.0

Objective 2: Configuring IPSEC Policy with Transform-Set

Step 1 Define IPSEC with a transform set. (You need to create a transform set name for the IPSEC configuration. In this scenario, we will use “MYSET” as the IPSEC transform set name.)
    Hub_Router(config)# crypto ipsec transform-set MYSET esp-aes esp-sha-hmac

Step 2 Exit from this mode.
    Hub_Router(cfg-crypto-trans)# exit

Step 3 Verify the transform-set configuration.
    Hub_Router# show crypto ipsec transform-set
    Transform set MYSET: { esp-aes esp-sha-hmac }
       will negotiate = { Tunnel, },

* The above output shows that the IPSEC transform-set has been successfully configured.


Objective 3: Configuring IPSEC Profile

Step 1 Define a profile for IPSEC. In this scenario, “MYIPSEC” is used as the IPSEC profile name.
    Hub_Router(config)# crypto ipsec profile MYIPSEC

Step 2 Associate the IPSEC transform-set created at Objective 2 with this IPSEC profile.
    Hub_Router(ipsec-profile)# set transform-set MYSET

Step 3 Exit from this mode.
    Hub_Router(ipsec-profile)# exit

Step 4 Verify the IPSEC profile configuration.
    Hub_Router# show crypto ipsec profile
    IPSEC profile MYIPSEC
            Security association lifetime: 4608000 kilobytes/3600 seconds
            PFS (Y/N) : N
            Transform sets={ MYIPSEC, }

* The above output shows that the IPSEC profile has been successfully configured.


Objective 4: Configuring Hub Router as DMVPN Server

Step 1 Configure the hub router as a multi-point GRE tunnel and associate it with the IPSEC profile.
    Hub_Router(config)# interface tunnel 1

Step 2 Assign an IP address to this interface.
    Hub_Router(config-if)# ip address 192.168.168.1 255.255.255.0

Step 3 Configure the tunnel interface authentication by using NHRP. In this scenario, “cisco” is used as the authentication key.
    Hub_Router(config-if)# ip nhrp authentication cisco

Step 4 Configure NHRP mapping so that the hub router learns spoke routers dynamically.
    Hub_Router(config-if)# ip nhrp map multicast dynamic

Step 5 Activate the NHRP feature by assigning a network ID. The network ID can be any number, and it must match the remote sites. In this scenario, a network ID of “888” is used.
    Hub_Router(config-if)# ip nhrp network-id 888

Step 6 Activate the tunnel key by assigning a number. The tunnel key can be any number, and it must match the remote sites. In this scenario, a tunnel key of “100” is used.
    Hub_Router(config-if)# tunnel key 100


Step 7 Set the encapsulation method to multi-point GRE (multi-point generic routing encapsulation).
    Hub_Router(config-if)# tunnel mode gre multipoint

Step 8 Define the MTU size for this tunnel interface. In this scenario, an MTU size of 1400 is used. (optional)
    Hub_Router(config-if)# ip mtu 1400

Step 9 Disable split horizon to allow full reachability.
    Hub_Router(config-if)# no ip split-horizon

Step 10 Define the WAN interface as the tunnel source.
    Hub_Router(config-if)# tunnel source FastEthernet0/0

Step 11 Integrate the tunnel interface with the IPSEC profile created at Objective 3.
    Hub_Router(config-if)# tunnel protection ipsec profile MYIPSEC

Step 12 Exit from this tunnel interface mode and return to global configuration mode.
    Hub_Router(config-if)# exit


Objective 5: Configuring Dynamic Routing Protocol for Hub Router

Step 1 Define the dynamic routing protocol to advertise the hub router’s internal network. In this scenario, RIP Version 2 is used as the dynamic routing protocol.
    Hub_Router(config)# router rip

Step 2 Define the RIP version number.
    Hub_Router(config-router)# version 2

Step 3 Define the networks to be advertised. In this scenario, the 192.168.168.0 and 172.16.50.0 networks must be advertised so that the spoke routers will learn the hub router’s internal networks.
    Hub_Router(config-router)# network 192.168.168.0
    Hub_Router(config-router)# network 172.16.50.0

Step 4 Disable automatic network summarization.
    Hub_Router(config-router)# no auto-summary


Spoke A Router Configuration

Objective 1: Configuring ISAKMP Policy

Step 1 Enable ISAKMP (optional).
    Spoke_A(config)# crypto isakmp enable

Step 2 Define the ISAKMP policy number, from 1 to 10000 (a lower number has higher priority).
    Spoke_A(config)# crypto isakmp policy 10

Step 3 Define authentication for pre-shared keys.
    Spoke_A(config-isakmp)# authentication pre-share

Step 4 Define the encryption type: DES, 3DES or AES. (The AES default value is 128. You may adjust it to AES-192 or AES-256 for higher security, but it will affect your router CPU performance. DES encryption is not secure.) In this scenario, AES is used as the encryption method.
    Spoke_A(config-isakmp)# encryption aes

Step 5 Define the Diffie-Hellman (DH) group: group 1, 2 or 5. In this scenario, group 2 is used for this ISAKMP policy.
    Spoke_A(config-isakmp)# group 2

Step 6 Define a pre-shared key for this ISAKMP policy. The IP address of all zeros is used because this spoke router will learn its remote sites dynamically.
    Spoke_A(config)# crypto isakmp key 0 cisco address 0.0.0.0 0.0.0.0


Objective 2: Configuring IPSEC Policy with Transform-Set

Step 1 Define IPSEC with a transform set. (You need to create a transform set name for the IPSEC configuration. In this scenario, we will use “MYSET” as the IPSEC transform set name.)
    Spoke_A(config)# crypto ipsec transform-set MYSET esp-aes esp-sha-hmac

Step 2 Exit from this mode.
    Spoke_A(cfg-crypto-trans)# exit

Step 3 Verify the transform-set configuration.
    Spoke_A# show crypto ipsec transform-set
    Transform set MYSET: { esp-aes esp-sha-hmac }
       will negotiate = { Tunnel, },

* The above output shows that the IPSEC transform-set has been successfully configured.


Objective 3: Configuring IPSEC Profile

Step 1 Define a profile for IPSEC. In this scenario, “MYIPSEC” is used as the IPSEC profile name.
    Spoke_A(config)# crypto ipsec profile MYIPSEC

Step 2 Associate the IPSEC transform-set created at Objective 2 with this IPSEC profile.
    Spoke_A(ipsec-profile)# set transform-set MYSET

Step 3 Exit from this mode.
    Spoke_A(ipsec-profile)# exit

Step 4 Verify the IPSEC profile configuration.
    Spoke_A# show crypto ipsec profile
    IPSEC profile MYIPSEC
            Security association lifetime: 4608000 kilobytes/3600 seconds
            PFS (Y/N) : N
            Transform sets={ MYIPSEC, }


Objective 4: Configuring Spoke A as DMVPN Spoke Router

Step 1 Configure the spoke router as a multi-point GRE tunnel and associate it with the IPSEC profile.
    Spoke_A(config)# interface tunnel 1

Step 2 Assign an IP address to this interface.
    Spoke_A(config-if)# ip address 192.168.168.2 255.255.255.0

Step 3 Configure the tunnel interface authentication by using NHRP. In this scenario, “cisco” is used as the authentication key.
    Spoke_A(config-if)# ip nhrp authentication cisco

Step 4 Configure NHRP mapping so that the spoke router learns the hub router via an IP address mapping of the hub router’s network.
    Spoke_A(config-if)# ip nhrp map 192.168.168.1 111.111.111.111

Step 5 Enable multicast packets to be sent between the hub and spoke router.
    Spoke_A(config-if)# ip nhrp map multicast 111.111.111.111

Step 6 Configure Router A to learn the hub router as the next hop server (NHRP).
    Spoke_A(config-if)# ip nhrp nhs 192.168.168.1


Step 7 Activate the NHRP feature by assigning a network ID. The network ID can be any number, and it must match the remote sites. In this scenario, a network ID of “888” is used.
    Spoke_A(config-if)# ip nhrp network-id 888

Step 8 Activate the tunnel key by assigning a number. The tunnel key can be any number, and it must match the remote sites. In this scenario, a tunnel key of “100” is used.
    Spoke_A(config-if)# tunnel key 100

Step 9 Set the encapsulation method to multi-point GRE (multi-point generic routing encapsulation).
    Spoke_A(config-if)# tunnel mode gre multipoint

Step 10 Define the MTU size for this tunnel interface. In this scenario, an MTU size of 1400 is used. (optional)
    Spoke_A(config-if)# ip mtu 1400

Step 11 Define the WAN interface as the tunnel source.
    Spoke_A(config-if)# tunnel source FastEthernet0/0

Step 12 Integrate the tunnel interface with the IPSEC profile created at Objective 3.
    Spoke_A(config-if)# tunnel protection ipsec profile MYIPSEC


Step 13 Exit from this tunnel interface mode and return to global configuration mode.
    Spoke_A(config-if)# exit

Objective 5: Configuring Dynamic Routing Protocol for Spoke A Router

Step 1 Define the dynamic routing protocol to advertise hub router’s internal network. In this scenario, RIP Version 2 is used as the dynamic routing protocol.
    Spoke_A(config)# router rip

Step 2 Define the RIP version number.
    Spoke_A(config-router)# version 2

Step 3 Define the networks to be advertised. In this scenario, the 192.168.168.0 and 172.16.50.0 networks must be advertised so that the hub router will learn the spoke router’s internal networks.
    Spoke_A(config-router)# network 192.168.168.0
    Spoke_A(config-router)# network 192.168.1.0

Step 4 Disable automatic network summarization.
    Spoke_A(config-router)# no auto-summary


Spoke B Router Configuration

Objective 1: Configuring ISAKMP Policy

Step 1 Enable ISAKMP (optional).
    Spoke_B(config)# crypto isakmp enable

Step 2 Define the ISAKMP policy number, from 1 to 10000 (a lower number has higher priority).
    Spoke_B(config)# crypto isakmp policy 10

Step 3 Define authentication for pre-shared keys.
    Spoke_B(config-isakmp)# authentication pre-share

Step 4 Define the encryption type: DES, 3DES or AES. (The AES default value is 128. You may adjust it to AES-192 or AES-256 for higher security, but it will affect your router CPU performance. DES encryption is not secure.) In this scenario, AES is used as the encryption method.
    Spoke_B(config-isakmp)# encryption aes

Step 5 Define the Diffie-Hellman (DH) group: group 1, 2 or 5. In this scenario, group 2 is used for this ISAKMP policy.
    Spoke_B(config-isakmp)# group 2

Step 6 Define a pre-shared key for this ISAKMP policy. The IP address of all zeros is used because this spoke router will learn its remote sites dynamically.
    Spoke_B(config)# crypto isakmp key 0 cisco address 0.0.0.0 0.0.0.0


Objective 2: Configuring IPSEC Policy with Transform-Set

Step 1 Define IPSEC with a transform set. (You need to create a transform set name for the IPSEC configuration. In this scenario, we will use “MYSET” as the IPSEC transform set name.)
    Spoke_B(config)# crypto ipsec transform-set MYSET esp-aes esp-sha-hmac

Step 2 Exit from this mode.
    Spoke_B(cfg-crypto-trans)# exit

Step 3 Verify the transform-set configuration.
    Spoke_B# show crypto ipsec transform-set
    Transform set MYSET: { esp-aes esp-sha-hmac }
       will negotiate = { Tunnel, },

* The above output shows that the IPSEC transform-set has been successfully configured.


Objective 3: Configuring IPSEC Profile

Step 1 Define a profile for IPSEC. In this scenario, “MYIPSEC” is used as the IPSEC profile name.
    Spoke_B(config)# crypto ipsec profile MYIPSEC

Step 2 Associate the IPSEC transform-set created at Objective 2 with this IPSEC profile.
    Spoke_B(ipsec-profile)# set transform-set MYSET

Step 3 Exit from this mode.
    Spoke_B(ipsec-profile)# exit

Step 4 Verify the IPSEC profile configuration.
    Spoke_B# show crypto ipsec profile
    IPSEC profile MYIPSEC
            Security association lifetime: 4608000 kilobytes/3600 seconds
            PFS (Y/N) : N
            Transform sets={ MYIPSEC, }


Objective 4: Configuring Spoke B as DMVPN Spoke Router

Step 1 Configure the spoke router as a multi-point GRE tunnel and associate it with the IPSEC profile.
    Spoke_B(config)# interface tunnel 1

Step 2 Assign an IP address to this interface.
    Spoke_B(config-if)# ip address 192.168.168.3 255.255.255.0

Step 3 Configure the tunnel interface authentication by using NHRP. In this scenario, “cisco” is used as the authentication key.
    Spoke_B(config-if)# ip nhrp authentication cisco

Step 4 Configure NHRP mapping so that the spoke router learns the hub router via an IP address mapping of the hub router’s network.
    Spoke_B(config-if)# ip nhrp map 192.168.168.1 111.111.111.111

Step 5 Enable multicast packets to be sent between the hub and spoke router.
    Spoke_B(config-if)# ip nhrp map multicast 111.111.111.111

Step 6 Configure Router A to learn the hub router as the next hop server (NHRP).
    Spoke_B(config-if)# ip nhrp nhs 192.168.168.1


Step 7 Activate the NHRP feature by assigning a network ID. The network ID can be any number, and it must match the remote sites. In this scenario, a network ID of “888” is used.
    Spoke_B(config-if)# ip nhrp network-id 888

Step 8 Activate the tunnel key by assigning a number. The tunnel key can be any number, and it must match the remote sites. In this scenario, a tunnel key of “100” is used.
    Spoke_B(config-if)# tunnel key 100

Step 9 Set the encapsulation method to multi-point GRE (multi-point generic routing encapsulation).
    Spoke_B(config-if)# tunnel mode gre multipoint

Step 10 Define the MTU size for this tunnel interface. In this scenario, an MTU size of 1400 is used. (optional)
    Spoke_B(config-if)# ip mtu 1400

Step 11 Define the WAN interface as the tunnel source.
    Spoke_B(config-if)# tunnel source FastEthernet0/0

Step 12 Integrate the tunnel interface with the IPSEC profile created at Objective 3.
    Spoke_B(config-if)# tunnel protection ipsec profile MYIPSEC


Step 13 Exit from this tunnel interface mode and return to global configuration mode.
    Spoke_B(config-if)# exit

Objective 5: Configuring Dynamic Routing Protocol for Spoke B Router

Step 1 Define the dynamic routing protocol to advertise hub router’s internal network. In this scenario, RIP Version 2 is used as the dynamic routing protocol.
    Spoke_B(config)# router rip

Step 2 Define the RIP version number.
    Spoke_B(config-router)# version 2

Step 3 Define the networks to be advertised. In this scenario, the 192.168.168.0 and 10.10.10.0 networks must be advertised so that the hub router will learn the spoke router’s internal networks.
    Spoke_B(config-router)# network 192.168.168.0
    Spoke_B(config-router)# network 10.10.10.0

Step 4 Disable automatic network summarization.
    Spoke_B(config-router)# no auto-summary
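The steps above require several values to be identical on the hub and every spoke (ISAKMP policy, pre-shared key, transform set, NHRP authentication, network ID, tunnel key), and the tunnel is only encrypted if "tunnel protection" is applied. The following offline check is an added example, not part of the original guide; the function names, the legacy DH group list and the faulty Spoke B sample are assumptions made for illustration.

```python
import re

# Constructed sample: the hub commands from this guide, as typed in the steps.
HUB = """\
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 group 2
crypto isakmp key 0 cisco address 0.0.0.0 0.0.0.0
crypto ipsec transform-set MYSET esp-aes esp-sha-hmac
crypto ipsec profile MYIPSEC
 set transform-set MYSET
interface tunnel 1
 ip address 192.168.168.1 255.255.255.0
 ip nhrp authentication cisco
 ip nhrp map multicast dynamic
 ip nhrp network-id 888
 tunnel key 100
 tunnel mode gre multipoint
 tunnel source FastEthernet0/0
 tunnel protection ipsec profile MYIPSEC
"""
# Spoke A as in the guide: same crypto, static NHRP mappings to the hub.
SPOKE_A = HUB.replace("192.168.168.1 255", "192.168.168.2 255").replace(
    " ip nhrp map multicast dynamic\n",
    " ip nhrp map 192.168.168.1 111.111.111.111\n"
    " ip nhrp map multicast 111.111.111.111\n"
    " ip nhrp nhs 192.168.168.1\n")
# Constructed faulty spoke: mistyped tunnel key and no "tunnel protection".
SPOKE_B_BAD = SPOKE_A.replace("tunnel key 100", "tunnel key 10").replace(
    " tunnel protection ipsec profile MYIPSEC\n", "")

# One regex per setting; group(1) is the value that is compared.
FIELDS = {
    "isakmp_encryption": r"^ *encryption (.+)$",
    "isakmp_auth": r"^ *authentication (\S+)$",
    "dh_group": r"^ *group (\d+)$",
    "psk": r"^crypto isakmp key (?:\d )?(\S+) address",
    "transform_set": r"^crypto ipsec transform-set \S+ (.+)$",
    "nhrp_auth": r"^ *ip nhrp authentication (\S+)$",
    "nhrp_network_id": r"^ *ip nhrp network-id (\d+)$",  # guide: must match
    "tunnel_key": r"^ *tunnel key (\d+)$",
    "tunnel_protection": r"^ *tunnel protection ipsec profile (\S+)$",
}
# The profile name is local to each router, so it is checked for presence only.
MUST_MATCH = [f for f in FIELDS if f != "tunnel_protection"]
LEGACY_DH = {"1", "2", "5"}  # MODP groups of 1536 bits or less


def extract(config):
    """Return {setting: value or None} for one router's configuration text."""
    found = {}
    for name, pattern in FIELDS.items():
        m = re.search(pattern, config, re.MULTILINE)
        found[name] = m.group(1).strip() if m else None
    return found


def audit(hub, spokes):
    """Compare every spoke with the hub and return a list of findings."""
    ref = extract(hub)
    findings = []
    if ref["dh_group"] in LEGACY_DH:
        findings.append(f"hub: DH group {ref['dh_group']} is a legacy group")
    for name, cfg in [("hub", ref)] + [(n, extract(c)) for n, c in spokes.items()]:
        if cfg["tunnel_protection"] is None:
            findings.append(f"{name}: tunnel has no IPsec profile, GRE leaves in clear")
        for field in MUST_MATCH:
            if cfg[field] != ref[field]:
                findings.append(f"{name}: {field}={cfg[field]!r}, hub has {ref[field]!r}")
    return findings


if __name__ == "__main__":
    for line in audit(HUB, {"Spoke_A": SPOKE_A, "Spoke_B": SPOKE_B_BAD}):
        print(line)
```
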


Objective 5: Verifying DMVPN Connections

Verifying Hub Router DMVPN Connections

Step 1 Verify the DMVPN connections from the hub router.
    Hub_Router# show dmvpn
    Legend: Attrb --> S - Static, D - Dynamic, I - Incompletea
            N - NATed, L - Local, X - No Socket
            # Ent --> Number of NHRP entries with same NBMA peer

    Tunnel1, Type:Hub, NHRP Peers:2,
     # Ent  Peer NBMA Addr  Peer Tunnel Add State  UpDn Tm Attrb
     -----  --------------- --------------- ----- -------- -----
         1  222.222.222.222     172.16.50.2    UP    4d00h     D
         1  333.333.333.333     172.16.50.3    UP     1w1d     D

Step 2 Verify the ISAKMP status. The result below shows that the VPN status is active.
    Hub_Router# show crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst              src              state     conn-id  slot  status
    111.111.111.111  222.222.222.222  QM_IDLE         0     0  ACTIVE
    111.111.111.111  333.333.333.333  QM_IDLE         0     0  ACTIVE


Step 3 Verify the IPSEC status. The result below shows that traffic from both spokes to the hub router was encrypted successfully.
    Hub_Router# show crypto ipsec sa

    interface: Tunnel1
        Crypto map tag: Tunnel1-head-0, local addr 111.111.111.111

       protected vrf: (none)
       local ident (addr/mask/prot/port): (111.111.111.111/255.255.255.255/47/0)
       remote ident (addr/mask/prot/port): (222.222.222.222/255.255.255.255/47/0)
       current_peer 222.222.222.222 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 56451, #pkts encrypt: 56451, #pkts digest: 56451
        #pkts decaps: 61320, #pkts decrypt: 61320, #pkts verify: 61320
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 0, #recv errors 0

         local crypto endpt.: 111.111.111.111, remote crypto endpt.: 222.222.222.222
         path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
         current outbound spi: 0x314CA0D2(827105490)

         inbound esp sas:
          spi: 0xC9746C80(3379850368)
            transform: esp-aes esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 2241, flow_id: FPGA:241, crypto map: Tunnel1-head-0
            sa timing: remaining key lifetime (k/sec): (4587859/77)
            IV size: 16 bytes
            replay detection support: Y
            Status: ACTIVE

         inbound ah sas:

         inbound pcp sas:

         outbound esp sas:
          spi: 0x314CA0D2(827105490)
            transform: esp-aes esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 2198, flow_id: FPGA:198, crypto map: Tunnel1-head-0
            sa timing: remaining key lifetime (k/sec): (4587858/77)
            IV size: 16 bytes
            replay detection support: Y
            Status: ACTIVE

         outbound ah sas:

         outbound pcp sas:

       protected vrf: (none)
       local ident (addr/mask/prot/port): (111.111.111.111/255.255.255.255/47/0)
       remote ident (addr/mask/prot/port): (333.333.333.333/255.255.255.255/47/0)
       current_peer 333.333.333.333 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 172949, #pkts encrypt: 172949, #pkts digest: 172949
        #pkts decaps: 137940, #pkts decrypt: 137940, #pkts verify: 137940
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 0, #recv errors 0

         local crypto endpt.: 111.111.111.111, remote crypto endpt.: 333.333.333.333
         path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
         current outbound spi: 0x6066C161(1617346913)

Step 4 Verify the NHRP status from the hub router.
    Hub_Router# show ip nhrp
    192.168.168.2/32 via 192.168.168.2, Tunnel1 created 4d01h, expire 00:04:21
      Type: dynamic, Flags: unique nat registered
      NBMA address: 203.123.21.106
    192.168.168.3/32 via 192.168.168.3, Tunnel1 created 1w1d, expire 00:04:27
      Type: dynamic, Flags: unique nat registered

Step 5 Verify the brief details of the hub router’s NHRP status.
    Hub_Router# show ip nhrp brief
    Target            Via            NBMA             Mode     Intfc  Claimed
    192.168.168.2/32  192.168.168.2  222.222.222.222  dynamic  Tu1    < >
    192.168.168.3/32  192.168.168.3  333.333.333.333  dynamic  Tu1    < >
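The per-peer counters in the Step 3 output can be checked by script instead of by eye. This is an added example, not part of the original guide: the first peer's counters are copied from the output above, the second peer (a documentation address) and the function names are constructed for illustration.

```python
import re

# First peer: counters copied from the Step 3 output above.
# Second peer: constructed values showing one-way traffic and receive errors.
SAMPLE = """\
   current_peer 222.222.222.222 port 500
    #pkts encaps: 56451, #pkts encrypt: 56451, #pkts digest: 56451
    #pkts decaps: 61320, #pkts decrypt: 61320, #pkts verify: 61320
    #send errors 0, #recv errors 0
   current_peer 198.51.100.7 port 500
    #pkts encaps: 900, #pkts encrypt: 900, #pkts digest: 900
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 12
"""

# Matches "#pkts encaps: 56451" as well as "#send errors 0".
COUNTER = re.compile(r"#(?:pkts )?([a-z ]+?):? (\d+)")


def parse_peers(text):
    """Return {peer address: {counter name: int}} from 'show crypto ipsec sa'."""
    peers, current = {}, None
    for line in text.splitlines():
        m = re.search(r"current_peer (\S+)", line)
        if m:
            current = peers.setdefault(m.group(1), {})
            continue
        if current is None:
            continue  # counters before the first peer line are ignored
        for name, value in COUNTER.findall(line):
            current[name] = int(value)
    return peers


def unhealthy(peers):
    """Return {peer: [problems]} for peers whose counters look wrong."""
    report = {}
    for peer, c in peers.items():
        problems = []
        if c.get("encaps", 0) != c.get("encrypt", 0):
            problems.append("packets encapsulated without being encrypted")
        if c.get("decaps", 0) != c.get("decrypt", 0):
            problems.append("packets decapsulated without being decrypted")
        if c.get("encaps", 0) > 0 and c.get("decaps", 0) == 0:
            problems.append("traffic is sent but nothing is received back")
        errors = c.get("send errors", 0) + c.get("recv errors", 0)
        if errors:
            problems.append(f"{errors} send/receive errors")
        if problems:
            report[peer] = problems
    return report


if __name__ == "__main__":
    for peer, problems in unhealthy(parse_peers(SAMPLE)).items():
        print(peer, "->", "; ".join(problems))
```
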


All product names used herein, are trade names, service marks, trademarks, or registered trademarks of their respective owners. www.network-insider.net and “Cisco VPN Reference Guide for Field Engineers” are not associated with any product or vendor mentioned, including Cisco Systems. Cisco Routers are registered trademarks of Cisco Systems, Inc.

Copyright © network-insider.net 2010, All Rights Reserved