
IPsec VPN With DMVPN Example

9-May-2021 | Cisco, Security, VPN

Configuration

!! HUB R1 !!

! Routing
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 10.0.14.4
ip route 10.0.22.0 255.255.255.0 Tunnel123 172.16.123.2
ip route 10.0.33.0 255.255.255.0 Tunnel123 172.16.123.3

! Tunnel Interface
interface Tunnel123
 ip address 172.16.123.1 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication NHRP_KEY
 ip nhrp map multicast dynamic
 ip nhrp network-id 99
 ip nhrp holdtime 300
 ip nhrp redirect
 tunnel source Loopback0
 tunnel mode gre multipoint
 tunnel key 100000

! Crypto endpoint authentication
crypto isakmp key ISAKMP_SECRET address 2.2.2.2
crypto isakmp key ISAKMP_SECRET address 3.3.3.3

! ISAKMP/IKE Phase 1 security parameters
crypto isakmp policy 10
 encryption des
 hash md5
 authentication pre-share
 group 2

! ISAKMP/IKE Phase 2 security parameters
crypto ipsec transform-set XF esp-des esp-md5-hmac
 mode transport

! Crypto profile parameters
crypto ipsec profile IPSEC_DMVPN
 set transform-set XF
 set pfs group2

! Apply crypto profile
interface Tunnel123
 tunnel protection ipsec profile IPSEC_DMVPN

!! Spoke R2 !!

! Routing
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 10.0.24.4
ip route 10.0.0.0 255.255.0.0 Tunnel123 172.16.123.1

! Tunnel Interface
interface Tunnel123
 no ip redirects
 ip address 172.16.123.2 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication NHRP_KEY
 ip nhrp map multicast dynamic
 ip nhrp network-id 99
 ip nhrp holdtime 300
 ip nhrp shortcut
 ip nhrp map 172.16.123.1 1.1.1.1
 ip nhrp map multicast 1.1.1.1
 ip nhrp nhs 172.16.123.1
 tunnel source Loopback0
 tunnel mode gre multipoint
 tunnel key 100000

! Crypto endpoint authentication
crypto isakmp key ISAKMP_SECRET address 1.1.1.1
crypto isakmp key ISAKMP_SECRET address 3.3.3.3

! ISAKMP/IKE Phase 1 security parameters
crypto isakmp policy 10
 encryption des
 hash md5
 authentication pre-share
 group 2

! ISAKMP/IKE Phase 2 security parameters
crypto ipsec transform-set XF esp-des esp-md5-hmac
 mode transport

! Crypto profile parameters
crypto ipsec profile IPSEC_DMVPN
 set transform-set XF
 set pfs group2

! Apply crypto profile
interface Tunnel123
 tunnel protection ipsec profile IPSEC_DMVPN
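The hub and spoke configurations above negotiate IKE and ESP with DES, MD5 and DH group 2, all of which are deprecated choices, and they only form a tunnel if the NHRP and GRE parameters agree on both ends. As an added example (not code from the original page), this Python audit flags the deprecated keywords in an IOS configuration and checks that the values a DMVPN hub and spoke must share actually match; HUB and SPOKE are constructed excerpts condensed from the configs above, with the spoke's tunnel key deliberately changed to 100001 so a mismatch shows up.

```python
import re
# Constructed excerpts condensed from the hub (R1) and spoke (R2) configs on this page;
# the spoke's tunnel key is deliberately changed here so a mismatch finding appears.
HUB = """crypto isakmp key ISAKMP_SECRET address 2.2.2.2
crypto isakmp policy 10
 encryption des
 hash md5
 group 2
crypto ipsec transform-set XF esp-des esp-md5-hmac
interface Tunnel123
 ip nhrp authentication NHRP_KEY
 ip nhrp network-id 99
 tunnel key 100000
"""
SPOKE = """crypto isakmp key ISAKMP_SECRET address 1.1.1.1
interface Tunnel123
 ip nhrp authentication NHRP_KEY
 ip nhrp network-id 99
 ip nhrp map 172.16.123.1 1.1.1.1
 tunnel key 100001
"""

# IOS keyword pattern -> why it is flagged (DES/3DES, MD5 and DH groups 1/2/5 are deprecated)
WEAK = [
    (r"^\s*encryption (des|3des)\b", "IKE encryption uses DES/3DES"),
    (r"^\s*hash md5\b", "IKE integrity uses MD5"),
    (r"^\s*group [125]\b", "IKE DH group 1/2/5 is 1536-bit or weaker"),
    (r"^crypto ipsec transform-set \S+ .*\besp-(des|3des)\b", "ESP cipher is DES/3DES"),
    (r"^crypto ipsec transform-set \S+ .*\besp-md5-hmac\b", "ESP integrity uses MD5"),
]

def weak_crypto(config):
    """Return '<line>: <reason>' for every deprecated algorithm choice in an IOS config."""
    return [f"{line.strip()}: {why}" for line in config.splitlines()
            for pat, why in WEAK if re.match(pat, line)]

def _value(config, key):
    m = re.search(rf"^\s*{key} (\S+)\s*$", config, re.M)
    return m.group(1) if m else None

def dmvpn_consistency(hub, spoke):
    """Hub/spoke must agree on tunnel key, NHRP network-id and NHRP auth string; the spoke
    also needs an ISAKMP pre-shared key for the hub NBMA address its NHRP map points to."""
    problems = [f"{k}: hub={_value(hub, k)} spoke={_value(spoke, k)}"
                for k in ("tunnel key", "ip nhrp network-id", "ip nhrp authentication")
                if _value(hub, k) != _value(spoke, k)]
    m = re.search(r"^\s*ip nhrp map \d+\.\d+\.\d+\.\d+ (\d+\.\d+\.\d+\.\d+)", spoke, re.M)
    if m and not re.search(rf"^crypto isakmp key \S+ address {re.escape(m.group(1))}\b", spoke, re.M):
        problems.append(f"no ISAKMP pre-shared key for hub NBMA address {m.group(1)}")
    return problems
```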

Verification

! Reset security association
clear crypto sa
clear crypto isakmp

! ISAKMP SA
R2#show crypto isakmp sa
dst             src             state          conn-id status
1.1.1.1         2.2.2.2         QM_IDLE           1003 ACTIVE
1.1.1.1         3.3.3.3         QM_IDLE           1004 ACTIVE

! IPsec SA
R2#show crypto ipsec sa
//SA for Hub to Spoke3
interface: Tunnel123
   Crypto map tag: Tunnel123-head-0, local addr 1.1.1.1
   local  ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (3.3.3.3/255.255.255.255/47/0)
   current_peer 3.3.3.3 port 500
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    local crypto endpt.: 1.1.1.1, remote crypto endpt.: 3.3.3.3
    plaintext mtu 1482, path mtu 1514, ip mtu 1514, ip mtu idb Loopback0
    PFS (Y/N): Y, DH group: group2
     inbound esp sas:
      spi: 0x88E0F00E(2296442894)
        in use settings ={Transport, }
        Status: ACTIVE(ACTIVE)
      spi: 0x6CE04D3A(1826639162)
        in use settings ={Transport, }
        Status: ACTIVE(ACTIVE)
     outbound esp sas:
      spi: 0xE371AC3F(3815877695)
        in use settings ={Transport, }
        Status: ACTIVE(ACTIVE)
     outbound esp sas:
      spi: 0x9E0DD66F(2651706991)
        in use settings ={Transport, }
        Status: ACTIVE(ACTIVE)

//SA for Hub to Spoke2
interface: Tunnel123
   Crypto map tag: Tunnel123-head-0, local addr 1.1.1.1
   local  ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/47/0)
   current_peer 3.3.3.3 port 500
   <…>
     inbound esp sas:
      spi: 0xA9432831(2839750705)
      spi: 0x7D3E4557(2101232983)
     outbound esp sas:
      spi: 0x57E60028(1474691112)
      spi: 0x5205E2BC(1376117436)
   <…>

! Crypto Engine Connections
R2#show crypto engine connection active
ID  Type    Algorithm           Encrypt  Decrypt LastSeqN IP-Address
33  IPsec   DES+MD5                   0        1        1 1.1.1.1
34  IPsec   DES+MD5                   0        0        0 1.1.1.1
35  IPsec   DES+MD5                   0        1        1 1.1.1.1
36  IPsec   DES+MD5                   0        0        0 1.1.1.1
37  IPsec   DES+MD5                   0        1        1 1.1.1.1
38  IPsec   DES+MD5                   1        0        0 1.1.1.1
39  IPsec   DES+MD5                   0        1        1 1.1.1.1
40  IPsec   DES+MD5                   1        0        0 1.1.1.1
1003  IKE     MD5+DES                   0        0        0 1.1.1.1
1004  IKE     MD5+DES                   0        0        0 1.1.1.1

! Reset security association
clear crypto sa
clear crypto isakmp

! ISAKMP SA
R4#show crypto isakmp sa
dst             src             state          conn-id status
1.1.1.1         2.2.2.2         QM_IDLE           1005 ACTIVE
//Spoke2 to Spoke3 (on-demand)
2.2.2.2         3.3.3.3         QM_IDLE           1006 ACTIVE
3.3.3.3         2.2.2.2         QM_IDLE           1007 ACTIVE

! IPsec SA
R4#show crypto ipsec sa
//SA for Spoke2 to Hub
interface: Tunnel123
   Crypto map tag: MAP1, local addr 2.2.2.2
   local  ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/47/0)
   current_peer 1.1.1.1 port 500
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    local crypto endpt.: 2.2.2.2, remote crypto endpt.: 1.1.1.1
    plaintext mtu 1482, path mtu 1514, ip mtu 1514, ip mtu idb Loopback0
    PFS (Y/N): Y, DH group: group2
     inbound esp sas:
      spi: 0x57E60028(1474691112)
        in use settings ={Transport, }
        Status: ACTIVE(ACTIVE)
      spi: 0x5205E2BC(1376117436)
        in use settings ={Transport, }
        Status: ACTIVE(ACTIVE)
     outbound esp sas:
      spi: 0xA9432831(2839750705)
        in use settings ={Transport, }
        Status: ACTIVE(ACTIVE)
     outbound esp sas:
      spi: 0x7D3E4557(2101232983)
        in use settings ={Transport, }
        Status: ACTIVE(ACTIVE)

//Spoke2 to Spoke3 (on-demand)
interface: Tunnel123
   Crypto map tag: Tunnel123-head-0, local addr 2.2.2.2
   local  ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (3.3.3.3/255.255.255.255/47/0)
   current_peer 3.3.3.3 port 500
   <…>
     inbound esp sas:
      spi: 0xEE78CBEA(4000893930)
      spi: 0xC6B7FEC4(3333947076)
     outbound esp sas:
      spi: 0x873E8895(2269022357)
      spi: 0x3BF7D78E(1006098318)
   <…>

! Crypto Engine Connections
R4#show crypto engine connection active
ID  Type    Algorithm           Encrypt  Decrypt LastSeqN IP-Address
21  IPsec   DES+MD5                   0        0        0 2.2.2.2
22  IPsec   DES+MD5                   1        0        0 2.2.2.2
23  IPsec   DES+MD5                   0        1        1 2.2.2.2
24  IPsec   DES+MD5                   1        0        0 2.2.2.2
1005  IKE     MD5+DES                   0        0        0 2.2.2.2
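The two `show crypto ipsec sa` outputs above describe the hub-to-Spoke2 peering from opposite ends, so the hub's outbound ESP SPIs should reappear as the spoke's inbound SPIs and vice versa, and packets the hub encapsulates should show up as decapsulated on the spoke. As an added example (not part of the original post), this Python parser pulls the SPIs and packet counters per `current_peer` out of each output and cross-checks both ends; HUB_SA and SPOKE_SA are constructed samples condensed from the outputs above.

```python
import re
# Constructed samples condensed from this page's 'show crypto ipsec sa' output (hub and spoke R2 sides)
HUB_SA = """\
   current_peer 2.2.2.2 port 500
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
     inbound esp sas:
      spi: 0xA9432831(2839750705)
      spi: 0x7D3E4557(2101232983)
     outbound esp sas:
      spi: 0x57E60028(1474691112)
      spi: 0x5205E2BC(1376117436)
"""
SPOKE_SA = """\
   current_peer 1.1.1.1 port 500
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
     inbound esp sas:
      spi: 0x57E60028(1474691112)
      spi: 0x5205E2BC(1376117436)
     outbound esp sas:
      spi: 0xA9432831(2839750705)
      spi: 0x7D3E4557(2101232983)
"""

def parse_ipsec_sa(output):
    """Map each current_peer -> {'in': SPIs, 'out': SPIs, 'encaps': n, 'decaps': n}."""
    sas, peer, direction = {}, None, None
    for line in output.splitlines():
        if m := re.search(r"current_peer (\S+)", line):
            peer = sas.setdefault(m.group(1), {"in": set(), "out": set(), "encaps": 0, "decaps": 0})
        elif m := re.search(r"#pkts (encaps|decaps): (\d+)", line):
            peer[m.group(1)] = int(m.group(2))
        elif m := re.search(r"\b(inbound|outbound) esp sas:", line):
            direction = m.group(1)[:-5]          # "inbound" -> "in", "outbound" -> "out"
        elif m := re.search(r"spi: (0x[0-9A-Fa-f]+)", line):
            peer[direction].add(m.group(1))
    return sas

def cross_check(local, local_addr, remote, remote_addr):
    """Local outbound SPIs must equal the peer's inbound SPIs and vice versa; flag one-way traffic."""
    a, b = parse_ipsec_sa(local)[remote_addr], parse_ipsec_sa(remote)[local_addr]
    problems = []
    if a["out"] != b["in"]:
        problems.append(f"outbound SPIs {sorted(a['out'])} != peer inbound {sorted(b['in'])}")
    if a["in"] != b["out"]:
        problems.append(f"inbound SPIs {sorted(a['in'])} != peer outbound {sorted(b['out'])}")
    if a["encaps"] and not b["decaps"]:
        problems.append(f"{local_addr} encrypts to {remote_addr} but the peer decrypts nothing")
    return problems
```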

 

 

Configuration Example – To Add More Spokes

!! Spoke R3 !!
//most of the configuration is the same as on Spoke R2

! Routing
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 10.0.34.4
ip route 10.0.0.0 255.255.0.0 Tunnel123 172.16.123.1

! Tunnel Interface
interface Tunnel123
 ip address 172.16.123.3 255.255.255.0
 tunnel source Loopback0

! Crypto endpoint authentication
crypto isakmp key ISAKMP_SECRET address 1.1.1.1
crypto isakmp key ISAKMP_SECRET address 2.2.2.2
