
DMVPN DYNAMIC MULTIPOINT VIRTUAL PRIVATE NETWORK July 2014

- Tilak Upadhyay

THE PING BOX .NET CCIE Security 4.0

1 | P a g e

DMVPN Phase – I with EIGRP

CONFIGURATION:

ON NHS (ROUTER R4)

! Hub (NHS) R4, DMVPN Phase I with EIGRP.
! IKEv1 phase-1 policy. 3DES, MD5 and DH group 2 are legacy algorithms, kept as the
! lab uses them; outside a lab prefer AES, a SHA-2 hash and a larger DH group.
crypto isakmp policy 10

encr 3des

hash md5

authentication pre-share

group 2

exit

! Wildcard pre-shared key: address 0.0.0.0 matches any peer, so any device that knows
! the string "cisco" passes IKE authentication. A hub with unknown spoke addresses needs
! a wildcard match when pre-shared keys are used; certificates (or at least a long
! random key) avoid trusting one guessable secret for the whole cloud.
crypto isakmp key cisco address 0.0.0.0

! ESP with 3DES encryption and HMAC-MD5 integrity (same legacy caveat as the IKE policy).
crypto ipsec transform-set tset esp-3des esp-md5-hmac

! Transport mode: IPsec protects the GRE packet without adding another IP header.
mode transport

exit

THE PING BOX .NET CCIE Security 4.0

2 | P a g e

! Profile referenced by "tunn protection" on the tunnel below; it only names the
! transform-set, no peer or ACL is configured in it.
crypto ipsec profile DMVPN

set transform-set tset

exit

! EIGRP AS 10 on the tunnel subnet and on 4.0.0.0 (presumably a network behind R4; not
! shown on the page). No EIGRP authentication appears in the config shown.
router eigrp 10

network 4.0.0.0

network 192.168.1.0

exit

int tunn 0

! Overlay (tunnel) address of the hub; the spokes use it as their NHS.
ip add 192.168.1.4 255.255.255.0

! Underlay side of the tunnel. The spokes map the hub to 40.0.0.4, presumably the
! address of fa1/0.
tunn sou fa1/0

! mGRE: one tunnel interface serves all spokes, no tunnel destination is configured.
tunn mode gre multipoint

ip nhrp network-id 10

! NHRP authentication string, carried as plain text inside NHRP packets; it keeps
! DMVPN clouds apart rather than resisting an attacker. Confidentiality comes from the
! IPsec protection on the last line.
ip nhrp auth cisco

! Replicate multicast (the EIGRP hellos) to every spoke that registers via NHRP.
ip nhrp map multicast dynamic

! Let the hub re-advertise routes learned from one spoke to the other spokes out of the
! same tunnel interface. EIGRP next-hop-self stays at its default here (the Phase II hub
! on this page disables it), so spoke routes point at the hub.
no ip split-horizon eigrp 10

! Apply the IPsec profile to the GRE traffic of this tunnel.
tunn protection ipsec profile DMVPN

ON ROUTER R1

! Spoke R1, DMVPN Phase I with EIGRP.
! IKEv1 phase-1 policy; must match the hub. 3DES, MD5 and DH group 2 are legacy
! algorithms kept as the lab uses them.
crypto isakmp policy 10

encr 3des

hash md5

authentication pre-share

group 2

exit

! Wildcard pre-shared key: any peer that knows "cisco" is accepted. If this spoke only
! ever builds a tunnel to the hub (as Phase I intends), the key can be scoped to the
! hub's underlay address 40.0.0.4 instead of 0.0.0.0.
crypto isakmp key cisco address 0.0.0.0

! ESP with 3DES encryption and HMAC-MD5 integrity, in transport mode around GRE.
crypto ipsec transform-set tset esp-3des esp-md5-hmac

mode transport

exit

THE PING BOX .NET CCIE Security 4.0

3 | P a g e

! Profile referenced by "tunn protection" on the tunnel below.
crypto ipsec profile DMVPN

set transform-set tset

exit

! EIGRP AS 10 on the tunnel subnet and on 1.0.0.0 (presumably a network behind R1; not
! shown on the page). No EIGRP authentication appears in the config shown.
router eigrp 10

network 1.0.0.0

network 192.168.1.0

exit

int tunn 0

ip add 192.168.1.1 255.255.255.0

tunn sou fa 1/0

! The spoke also uses mGRE here; with the hub keeping itself as EIGRP next hop, traffic
! to other spokes is still routed through the hub.
tunn mode gre multipoint

ip nhrp network-id 10

! NHRP authentication string; plain text inside NHRP packets, must match the hub.
ip nhrp auth cisco

! Register with the hub: NHS is the hub's tunnel address ...
ip nhrp nhs 192.168.1.4

! ... which is statically mapped to the hub's underlay (NBMA) address.
ip nhrp map 192.168.1.4 40.0.0.4

! Send multicast (EIGRP hellos) to the hub only.
ip nhrp map multicast 40.0.0.4

! Apply the IPsec profile to the GRE traffic of this tunnel.
tunn protection ipsec profile DMVPN

exit

ON ROUTER R2

! Spoke R2, DMVPN Phase I with EIGRP. Same as the other spoke except for the tunnel
! address and the EIGRP network.
! Legacy IKEv1 policy (3DES / MD5 / DH group 2), kept as the lab uses it.
crypto isakmp policy 10

encr 3des

hash md5

authentication pre-share

group 2

exit

! Wildcard pre-shared key "cisco": accepted from any peer address. Scoping it to the hub
! (40.0.0.4) is enough if this spoke only peers with the hub.
crypto isakmp key cisco address 0.0.0.0

THE PING BOX .NET CCIE Security 4.0

4 | P a g e

! ESP 3DES + HMAC-MD5 in transport mode around the GRE packet.
crypto ipsec transform-set tset esp-3des esp-md5-hmac

mode transport

exit

crypto ipsec profile DMVPN

set transform-set tset

exit

! No EIGRP authentication appears in the config shown.
router eigrp 10

network 2.0.0.0

network 192.168.1.0

exit

int tunn 0

ip add 192.168.1.2 255.255.255.0

tunn sou fa 1/0

tunn mode gre multipoint

ip nhrp network-id 10

! Plain-text NHRP authentication string; must match the hub.
ip nhrp auth cisco

! NHS = hub tunnel address, statically mapped to the hub's underlay address 40.0.0.4;
! multicast (EIGRP hellos) goes to the hub only.
ip nhrp nhs 192.168.1.4

ip nhrp map 192.168.1.4 40.0.0.4

ip nhrp map multicast 40.0.0.4

tunn protection ipsec profile DMVPN

exit

VERIFICATION:

! Routes learned over the tunnel; in Phase I the next hop for remote spoke networks is
! expected to be the hub's tunnel address 192.168.1.4.
# sh ip route

! NHRP cache: dynamic registrations on the hub, the static hub mapping on the spokes.
# sh ip nhrp

! Detail view lists the negotiated encryption, hash, authentication method and DH group
! per IKE SA; with this policy expect 3des / md5 / pre-shared key / group 2.
# sh crypto isakmp sa det

! IPsec SAs per peer: the encaps/decaps counters should rise with tunnel traffic.
# sh crypto ipsec sa

THE PING BOX .NET CCIE Security 4.0

5 | P a g e

DMVPN Phase – II with EIGRP

CONFIGURATION:

ON NHS (ROUTER R4)

! Hub (NHS) R4, DMVPN Phase II with EIGRP.
! Legacy IKEv1 policy (3DES / MD5 / DH group 2), kept as the lab uses it; outside a lab
! prefer AES, a SHA-2 hash and a larger DH group.
crypto isakmp policy 10

encr 3des

hash md5

authentication pre-share

group 2

exit

! Wildcard pre-shared key: any peer address is accepted as long as it knows "cisco".
! Certificates, or at least a long random key, avoid one guessable secret for the cloud.
crypto isakmp key cisco address 0.0.0.0

! ESP 3DES + HMAC-MD5; transport mode protects the GRE packet without a second IP header.
crypto ipsec transform-set tset esp-3des esp-md5-hmac

mode transport

exit

THE PING BOX .NET CCIE Security 4.0

6 | P a g e

! Profile referenced by "tunn protection" on the tunnel below.
crypto ipsec profile DMVPN

set transform-set tset

exit

! No EIGRP authentication appears in the config shown.
router eigrp 10

network 4.0.0.0

network 192.168.1.0

exit

int tunn 0

ip add 192.168.1.4 255.255.255.0

tunn sou fa1/0

tunn mode gre multipoint

ip nhrp network-id 10

! Plain-text NHRP authentication string; separates clouds, not a defence by itself.
ip nhrp auth cisco

! Replicate multicast (EIGRP hellos) to every registered spoke.
ip nhrp map multicast dynamic

! Re-advertise spoke routes to the other spokes out of the same tunnel interface ...
no ip split-horizon eigrp 10

! ... and keep the originating spoke as next hop. This is the Phase II difference: the
! spokes then resolve each other through NHRP and build direct spoke-to-spoke tunnels.
no ip next-hop-self eigrp 10

tunn protection ipsec profile DMVPN

ON ROUTER R1

! Spoke R1, DMVPN Phase II with EIGRP.
! Legacy IKEv1 policy (3DES / MD5 / DH group 2), kept as the lab uses it.
crypto isakmp policy 10

encr 3des

hash md5

authentication pre-share

group 2

exit

! Wildcard pre-shared key. In Phase II the spoke also negotiates IKE with other spokes
! on demand, so a key scoped to the hub alone would not be enough; the cost is that any
! device knowing "cisco" is accepted. Certificates remove that shared secret.
crypto isakmp key cisco address 0.0.0.0

! ESP 3DES + HMAC-MD5 in transport mode around the GRE packet.
crypto ipsec transform-set tset esp-3des esp-md5-hmac

! No "exit" follows in this listing (the other routers have one); IOS should still
! accept the next global command from this sub-mode.
mode transport

THE PING BOX .NET CCIE Security 4.0

7 | P a g e

crypto ipsec profile DMVPN

set transform-set tset

exit

! No EIGRP authentication appears in the config shown.
router eigrp 10

network 1.0.0.0

network 192.168.1.0

exit

int tunn 0

ip add 192.168.1.1 255.255.255.0

tunn sou fa 1/0

! mGRE is required on the spoke in Phase II so it can reach other spokes directly.
tunn mode gre multipoint

ip nhrp network-id 10

! Plain-text NHRP authentication string; must match the hub.
ip nhrp auth cisco

! NHS = hub tunnel address, statically mapped to the hub's underlay address 40.0.0.4;
! multicast (EIGRP hellos) goes to the hub only.
ip nhrp nhs 192.168.1.4

ip nhrp map 192.168.1.4 40.0.0.4

ip nhrp map multicast 40.0.0.4

tunn protection ipsec profile DMVPN

exit

ON ROUTER R2

! Spoke R2, DMVPN Phase II with EIGRP. Same as the other spoke except for the tunnel
! address and the EIGRP network.
! Legacy IKEv1 policy (3DES / MD5 / DH group 2), kept as the lab uses it.
crypto isakmp policy 10

encr 3des

hash md5

authentication pre-share

group 2

exit

! Wildcard pre-shared key "cisco": needed for on-demand spoke-to-spoke IKE with
! pre-shared keys, but it accepts any peer that knows the string.
crypto isakmp key cisco address 0.0.0.0

THE PING BOX .NET CCIE Security 4.0

8 | P a g e

! ESP 3DES + HMAC-MD5 in transport mode around the GRE packet.
crypto ipsec transform-set tset esp-3des esp-md5-hmac

mode transport

exit

crypto ipsec profile DMVPN

set transform-set tset

exit

! No EIGRP authentication appears in the config shown.
router eigrp 10

network 2.0.0.0

network 192.168.1.0

exit

int tunn 0

ip add 192.168.1.2 255.255.255.0

tunn sou fa 1/0

tunn mode gre multipoint

ip nhrp network-id 10

! Plain-text NHRP authentication string; must match the hub.
ip nhrp auth cisco

! NHS = hub tunnel address, statically mapped to the hub's underlay address 40.0.0.4.
ip nhrp nhs 192.168.1.4

ip nhrp map 192.168.1.4 40.0.0.4

ip nhrp map multicast 40.0.0.4

tunn protection ipsec profile DMVPN

exit

VERIFICATION:

! In Phase II the next hop for a remote spoke's network is expected to be that spoke's
! tunnel address, not the hub's.
# sh ip route

! On a spoke, a dynamic entry for the other spoke appears once traffic has flowed to it.
# sh ip nhrp

! Detail view lists the negotiated encryption, hash, authentication method and DH group;
! after spoke-to-spoke traffic an SA to the other spoke should be listed as well.
# sh crypto isakmp sa det

! IPsec SAs per peer: the encaps/decaps counters should rise with tunnel traffic.
# sh crypto ipsec sa

THE PING BOX .NET CCIE Security 4.0

9 | P a g e

DMVPN Phase – III with EIGRP

CONFIGURATION:

ON NHS (ROUTER R4)

! Hub (NHS) R4, DMVPN Phase III with EIGRP.
! Legacy IKEv1 policy (3DES / MD5 / DH group 2), kept as the lab uses it; outside a lab
! prefer AES, a SHA-2 hash and a larger DH group.
crypto isakmp policy 10

encr 3des

hash md5

authentication pre-share

group 2

exit

! Wildcard pre-shared key: any peer address is accepted as long as it knows "cisco".
! Certificates, or at least a long random key, avoid one guessable secret for the cloud.
crypto isakmp key cisco address 0.0.0.0

! ESP 3DES + HMAC-MD5; transport mode protects the GRE packet without a second IP header.
crypto ipsec transform-set tset esp-3des esp-md5-hmac

mode transport

exit

THE PING BOX .NET CCIE Security 4.0

10 | P a g e

! Profile referenced by "tunn protection" on the tunnel below.
crypto ipsec profile DMVPN

set transform-set tset

exit

! No EIGRP authentication appears in the config shown.
router eigrp 10

network 4.0.0.0

network 192.168.1.0

exit

int tunn 0

ip add 192.168.1.4 255.255.255.0

tunn sou fa1/0

tunn mode gre multipoint

ip nhrp network-id 10

! Plain-text NHRP authentication string; separates clouds, not a defence by itself.
ip nhrp auth cisco

! Replicate multicast (EIGRP hellos) to every registered spoke.
ip nhrp map multicast dynamic

! Phase III: when the hub forwards a packet back out of the tunnel it arrived on, it
! sends an NHRP redirect so the source spoke can look up a direct path.
ip nhrp redirect

! Re-advertise spoke routes to the other spokes. Next-hop-self stays at its default, so
! routing points at the hub and the shortcut is learned through NHRP instead.
no ip split-horizon eigrp 10

tunn protection ipsec profile DMVPN

ON ROUTER R1

! Spoke R1, DMVPN Phase III with EIGRP.
! Legacy IKEv1 policy (3DES / MD5 / DH group 2), kept as the lab uses it.
crypto isakmp policy 10

encr 3des

hash md5

authentication pre-share

group 2

exit

! Wildcard pre-shared key. Shortcut tunnels to other spokes are negotiated on demand, so
! the key cannot be scoped to the hub alone; the cost is that any device knowing "cisco"
! is accepted. Certificates remove that shared secret.
crypto isakmp key cisco address 0.0.0.0

! ESP 3DES + HMAC-MD5 in transport mode around the GRE packet.
crypto ipsec transform-set tset esp-3des esp-md5-hmac

! No "exit" follows in this listing (the other routers have one); IOS should still
! accept the next global command from this sub-mode.
mode transport

THE PING BOX .NET CCIE Security 4.0

11 | P a g e

crypto ipsec profile DMVPN

set transform-set tset

exit

! No EIGRP authentication appears in the config shown.
router eigrp 10

network 1.0.0.0

network 192.168.1.0

exit

int tunn 0

ip add 192.168.1.1 255.255.255.0

tunn sou fa 1/0

tunn mode gre multipoint

ip nhrp network-id 10

! Plain-text NHRP authentication string; must match the hub.
ip nhrp auth cisco

! NHS = hub tunnel address, statically mapped to the hub's underlay address 40.0.0.4;
! multicast (EIGRP hellos) goes to the hub only.
ip nhrp nhs 192.168.1.4

ip nhrp map 192.168.1.4 40.0.0.4

ip nhrp map multicast 40.0.0.4

! Phase III: act on NHRP redirects from the hub and install the shortcut to the
! remote spoke.
ip nhrp shortcut

tunn protection ipsec profile DMVPN

exit

ON ROUTER R2

! Spoke R2, DMVPN Phase III with EIGRP. Same as the other spoke except for the tunnel
! address and the EIGRP network.
! Legacy IKEv1 policy (3DES / MD5 / DH group 2), kept as the lab uses it.
crypto isakmp policy 10

encr 3des

hash md5

authentication pre-share

group 2

exit

! Wildcard pre-shared key "cisco": needed for on-demand spoke-to-spoke IKE with
! pre-shared keys, but it accepts any peer that knows the string.
crypto isakmp key cisco address 0.0.0.0

THE PING BOX .NET CCIE Security 4.0

12 | P a g e

! ESP 3DES + HMAC-MD5 in transport mode around the GRE packet.
crypto ipsec transform-set tset esp-3des esp-md5-hmac

mode transport

exit

crypto ipsec profile DMVPN

set transform-set tset

exit

! No EIGRP authentication appears in the config shown.
router eigrp 10

network 2.0.0.0

network 192.168.1.0

exit

int tunn 0

ip add 192.168.1.2 255.255.255.0

tunn sou fa 1/0

tunn mode gre multipoint

ip nhrp network-id 10

! Plain-text NHRP authentication string; must match the hub.
ip nhrp auth cisco

! NHS = hub tunnel address, statically mapped to the hub's underlay address 40.0.0.4.
ip nhrp nhs 192.168.1.4

ip nhrp map 192.168.1.4 40.0.0.4

ip nhrp map multicast 40.0.0.4

! Phase III: act on NHRP redirects from the hub and install the shortcut.
ip nhrp shortcut

tunn protection ipsec profile DMVPN

exit

VERIFICATION:

! In Phase III the EIGRP next hop for remote spoke networks is expected to be the hub;
! the direct path shows up through NHRP after a redirect, not through EIGRP.
# sh ip route

! On a spoke, entries for the remote spoke appear once traffic has triggered a redirect.
# sh ip nhrp

! Detail view lists the negotiated encryption, hash, authentication method and DH group;
! after spoke-to-spoke traffic an SA to the other spoke should be listed as well.
# sh crypto isakmp sa det

! IPsec SAs per peer: the encaps/decaps counters should rise with tunnel traffic.
# sh crypto ipsec sa

THE PING BOX .NET CCIE Security 4.0

13 | P a g e

DMVPN Phase – II with OSPF

CONFIGURATION:

ON NHS (ROUTER R4)

! Hub (NHS) R4, DMVPN Phase II with OSPF.
! Legacy IKEv1 policy (3DES / MD5 / DH group 2), kept as the lab uses it; outside a lab
! prefer AES, a SHA-2 hash and a larger DH group.
crypto isakmp policy 10

encr 3des

hash md5

authentication pre-share

group 2

exit

! Wildcard pre-shared key: any peer address is accepted as long as it knows "cisco".
! Certificates, or at least a long random key, avoid one guessable secret for the cloud.
crypto isakmp key cisco address 0.0.0.0

! ESP 3DES + HMAC-MD5; transport mode protects the GRE packet without a second IP header.
crypto ipsec transform-set tset esp-3des esp-md5-hmac

mode transport

exit

THE PING BOX .NET CCIE Security 4.0

14 | P a g e

! Profile referenced by "tunn protection" on the tunnel below.
crypto ipsec profile DMVPN

set transform-set tset

exit

! OSPF process 10, area 0, on the tunnel subnet and on 4.0.0.0/8 (presumably a network
! behind R4; not shown on the page). No OSPF authentication appears in the config shown.
router ospf 10

network 4.0.0.0 0.255.255.255 area 0

network 192.168.1.0 0.0.0.255 area 0

exit

int tunn 0

ip add 192.168.1.4 255.255.255.0

tunn sou fa1/0

tunn mode gre multipoint

ip nhrp network-id 10

! Plain-text NHRP authentication string; separates clouds, not a defence by itself.
ip nhrp auth cisco

! Replicate multicast (OSPF hellos) to every registered spoke.
ip nhrp map multicast dynamic

! Highest priority so the hub wins the DR election; it is the only router with a
! permanent tunnel to every spoke.
ip ospf priority 255

! Broadcast network type keeps the originating spoke as next hop, which is what lets
! Phase II spokes build direct tunnels.
ip ospf network broadcast

tunn protection ipsec profile DMVPN

ON ROUTER R1

! Spoke R1, DMVPN Phase II with OSPF.
! Legacy IKEv1 policy (3DES / MD5 / DH group 2), kept as the lab uses it.
crypto isakmp policy 10

encr 3des

hash md5

authentication pre-share

group 2

exit

! Wildcard pre-shared key. In Phase II the spoke also negotiates IKE with other spokes
! on demand, so a key scoped to the hub alone would not be enough; the cost is that any
! device knowing "cisco" is accepted. Certificates remove that shared secret.
crypto isakmp key cisco address 0.0.0.0

! ESP 3DES + HMAC-MD5 in transport mode around the GRE packet.
crypto ipsec transform-set tset esp-3des esp-md5-hmac

! No "exit" follows in this listing (the other routers have one); IOS should still
! accept the next global command from this sub-mode.
mode transport

THE PING BOX .NET CCIE Security 4.0

15 | P a g e

crypto ipsec profile DMVPN

set transform-set tset

exit

! No OSPF authentication appears in the config shown.
router ospf 10

network 1.0.0.0 0.255.255.255 area 0

network 192.168.1.0 0.0.0.255 area 0

exit

int tunn 0

ip add 192.168.1.1 255.255.255.0

tunn sou fa 1/0

tunn mode gre multipoint

ip nhrp network-id 10

! Plain-text NHRP authentication string; must match the hub.
ip nhrp auth cisco

! NHS = hub tunnel address, statically mapped to the hub's underlay address 40.0.0.4;
! multicast (OSPF hellos) goes to the hub only.
ip nhrp nhs 192.168.1.4

ip nhrp map 192.168.1.4 40.0.0.4

ip nhrp map multicast 40.0.0.4

! Priority 0: this spoke never becomes DR or BDR, leaving the role to the hub.
ip ospf priority 0

! Must match the hub's network type for the adjacency to work as intended.
ip ospf network broadcast

tunn protection ipsec profile DMVPN

exit

ON ROUTER R2

! Spoke R2, DMVPN Phase II with OSPF. Same as the other spoke except for the tunnel
! address and the OSPF network.
! Legacy IKEv1 policy (3DES / MD5 / DH group 2), kept as the lab uses it.
crypto isakmp policy 10

encr 3des

hash md5

authentication pre-share

group 2

exit

! Wildcard pre-shared key "cisco": needed for on-demand spoke-to-spoke IKE with
! pre-shared keys, but it accepts any peer that knows the string.
crypto isakmp key cisco address 0.0.0.0

THE PING BOX .NET CCIE Security 4.0

16 | P a g e

! ESP 3DES + HMAC-MD5 in transport mode around the GRE packet.
crypto ipsec transform-set tset esp-3des esp-md5-hmac

mode transport

exit

crypto ipsec profile DMVPN

set transform-set tset

exit

! No OSPF authentication appears in the config shown.
router ospf 10

network 2.0.0.0 0.255.255.255 area 0

network 192.168.1.0 0.0.0.255 area 0

exit

int tunn 0

ip add 192.168.1.2 255.255.255.0

tunn sou fa 1/0

tunn mode gre multipoint

ip nhrp network-id 10

! Plain-text NHRP authentication string; must match the hub.
ip nhrp auth cisco

! NHS = hub tunnel address, statically mapped to the hub's underlay address 40.0.0.4.
ip nhrp nhs 192.168.1.4

ip nhrp map 192.168.1.4 40.0.0.4

ip nhrp map multicast 40.0.0.4

! Priority 0: this spoke never becomes DR or BDR, leaving the role to the hub.
ip ospf priority 0

ip ospf network broadcast

tunn protection ipsec profile DMVPN

VERIFICATION:

! With the broadcast network type the next hop for a remote spoke's network is expected
! to be that spoke's tunnel address, not the hub's.
# sh ip route

! On a spoke, a dynamic entry for the other spoke appears once traffic has flowed to it.
# sh ip nhrp

! Detail view lists the negotiated encryption, hash, authentication method and DH group;
! with this policy expect 3des / md5 / pre-shared key / group 2.
# sh crypto isakmp sa det

! IPsec SAs per peer: the encaps/decaps counters should rise with tunnel traffic.
# sh crypto ipsec sa

THE PING BOX .NET CCIE Security 4.0

17 | P a g e

DMVPN Phase – III with OSPF

CONFIGURATION:

ON NHS (ROUTER R4)

! Hub (NHS) R4, DMVPN Phase III with OSPF.
! Legacy IKEv1 policy (3DES / MD5 / DH group 2), kept as the lab uses it; outside a lab
! prefer AES, a SHA-2 hash and a larger DH group.
crypto isakmp policy 10

encr 3des

hash md5

authentication pre-share

group 2

exit

! Wildcard pre-shared key: any peer address is accepted as long as it knows "cisco".
! Certificates, or at least a long random key, avoid one guessable secret for the cloud.
crypto isakmp key cisco address 0.0.0.0

! ESP 3DES + HMAC-MD5; transport mode protects the GRE packet without a second IP header.
crypto ipsec transform-set tset esp-3des esp-md5-hmac

mode transport

exit

THE PING BOX .NET CCIE Security 4.0

18 | P a g e

! Profile referenced by "tunn protection" on the tunnel below.
crypto ipsec profile DMVPN

set transform-set tset

exit

! No OSPF authentication appears in the config shown.
router ospf 10

network 4.0.0.0 0.255.255.255 area 0

network 192.168.1.0 0.0.0.255 area 0

exit

int tunn 0

ip add 192.168.1.4 255.255.255.0

tunn sou fa1/0

tunn mode gre multipoint

ip nhrp network-id 10

! Plain-text NHRP authentication string; separates clouds, not a defence by itself.
ip nhrp auth cisco

! Replicate multicast (OSPF hellos) to every registered spoke.
ip nhrp map multicast dynamic

! Phase III: when the hub forwards a packet back out of the tunnel it arrived on, it
! sends an NHRP redirect so the source spoke can look up a direct path.
ip nhrp redirect

! Point-to-multipoint: no DR election (no priority commands needed) and the hub is the
! next hop; the spoke-to-spoke path comes from NHRP redirect/shortcut instead.
ip ospf network point-to-multipoint

tunn protection ipsec profile DMVPN

ON ROUTER R1

! Spoke R1, DMVPN Phase III with OSPF.
! Legacy IKEv1 policy (3DES / MD5 / DH group 2), kept as the lab uses it.
crypto isakmp policy 10

encr 3des

hash md5

authentication pre-share

group 2

exit

! Wildcard pre-shared key. Shortcut tunnels to other spokes are negotiated on demand, so
! the key cannot be scoped to the hub alone; the cost is that any device knowing "cisco"
! is accepted. Certificates remove that shared secret.
crypto isakmp key cisco address 0.0.0.0

! ESP 3DES + HMAC-MD5 in transport mode around the GRE packet.
crypto ipsec transform-set tset esp-3des esp-md5-hmac

! No "exit" follows in this listing (the other routers have one); IOS should still
! accept the next global command from this sub-mode.
mode transport

THE PING BOX .NET CCIE Security 4.0

19 | P a g e

crypto ipsec profile DMVPN

set transform-set tset

exit

! No OSPF authentication appears in the config shown.
router ospf 10

network 1.0.0.0 0.255.255.255 area 0

network 192.168.1.0 0.0.0.255 area 0

exit

int tunn 0

ip add 192.168.1.1 255.255.255.0

tunn sou fa 1/0

tunn mode gre multipoint

ip nhrp network-id 10

! Plain-text NHRP authentication string; must match the hub.
ip nhrp auth cisco

! NHS = hub tunnel address, statically mapped to the hub's underlay address 40.0.0.4;
! multicast (OSPF hellos) goes to the hub only.
ip nhrp nhs 192.168.1.4

ip nhrp map 192.168.1.4 40.0.0.4

ip nhrp map multicast 40.0.0.4

! Phase III: act on NHRP redirects from the hub and install the shortcut to the
! remote spoke.
ip nhrp shortcut

! Must match the hub's network type.
ip ospf network point-to-multipoint

tunn protection ipsec profile DMVPN

exit

ON ROUTER R2

! Spoke R2, DMVPN Phase III with OSPF. Same as the other spoke except for the tunnel
! address and the OSPF network.
! Legacy IKEv1 policy (3DES / MD5 / DH group 2), kept as the lab uses it.
crypto isakmp policy 10

encr 3des

hash md5

authentication pre-share

group 2

exit

! Wildcard pre-shared key "cisco": needed for on-demand spoke-to-spoke IKE with
! pre-shared keys, but it accepts any peer that knows the string.
crypto isakmp key cisco address 0.0.0.0

THE PING BOX .NET CCIE Security 4.0

20 | P a g e

! ESP 3DES + HMAC-MD5 in transport mode around the GRE packet.
crypto ipsec transform-set tset esp-3des esp-md5-hmac

mode transport

exit

crypto ipsec profile DMVPN

set transform-set tset

exit

! No OSPF authentication appears in the config shown.
router ospf 10

network 2.0.0.0 0.255.255.255 area 0

network 192.168.1.0 0.0.0.255 area 0

exit

int tunn 0

ip add 192.168.1.2 255.255.255.0

tunn sou fa 1/0

tunn mode gre multipoint

ip nhrp network-id 10

! Plain-text NHRP authentication string; must match the hub.
ip nhrp auth cisco

! NHS = hub tunnel address, statically mapped to the hub's underlay address 40.0.0.4.
ip nhrp nhs 192.168.1.4

ip nhrp map 192.168.1.4 40.0.0.4

ip nhrp map multicast 40.0.0.4

! Phase III: act on NHRP redirects from the hub and install the shortcut.
ip nhrp shortcut

ip ospf network point-to-multipoint

tunn protection ipsec profile DMVPN

VERIFICATION:

! With point-to-multipoint the OSPF next hop for remote spoke networks is expected to be
! the hub; the direct path shows up through NHRP after a redirect.
# sh ip route

! On a spoke, entries for the remote spoke appear once traffic has triggered a redirect.
# sh ip nhrp

! Detail view lists the negotiated encryption, hash, authentication method and DH group;
! after spoke-to-spoke traffic an SA to the other spoke should be listed as well.
# sh crypto isakmp sa det

! IPsec SAs per peer: the encaps/decaps counters should rise with tunnel traffic.
# sh crypto ipsec sa