Configuring DMVPN

===== Config on R1 (ISP router) =====
! Only interface IP addresses; no routing or crypto config is needed on R1.

R1#sh ip int br
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        unassigned      YES unset  administratively down down
GigabitEthernet1/0     192.168.2.1     YES manual up                    up
GigabitEthernet2/0     192.168.3.1     YES manual up                    up
GigabitEthernet3/0     192.168.4.1     YES manual up                    up
GigabitEthernet4/0     192.168.1.1     YES manual up                    up
R1#

R1#sh run | in ip route
R1#
! No static routes: R1 is directly connected to all four /24 segments.

=== Config on HUB ===

HUB#sh run | in ip route
ip route 192.168.2.0 255.255.255.0 192.168.1.1
ip route 192.168.3.0 255.255.255.0 192.168.1.1
ip route 192.168.4.0 255.255.255.0 192.168.1.1

HUB#sh run int tunnel 0
interface Tunnel0
ip address 10.1.1.100 255.255.255.0
tunnel source 192.168.1.100
tunnel mode gre multipoint
ip mtu 1416
ip nhrp map multicast dynamic
ip nhrp network-id 1
no ip redirects
ip hold-time eigrp 1 35
no ip next-hop-self eigrp 1
no ip split-horizon eigrp 1
tunnel protection ipsec profile DMVPN
end

HUB#sh run int g4/0
interface GigabitEthernet4/0
ip address 192.168.1.100 255.255.255.0
negotiation auto
end

=== Config on R2 ===

R2#sh run int tunnel 0
interface Tunnel0
ip address 10.1.1.2 255.255.255.0
no ip redirects
ip mtu 1416
ip hold-time eigrp 1 35
no ip next-hop-self eigrp 1
ip nhrp map 10.1.1.100 192.168.1.100
ip nhrp map multicast 192.168.1.100
ip nhrp network-id 1
ip nhrp nhs 10.1.1.100
no ip split-horizon eigrp 1
tunnel source 192.168.2.2
tunnel mode gre multipoint
tunnel protection ipsec profile DMVPN
end

R2#sh run int loopback 0
interface Loopback0
ip address 172.16.2.1 255.255.255.0
end

R2#sh run int g1/0
interface GigabitEthernet1/0
ip address 192.168.2.2 255.255.255.0
negotiation auto
end

R2#sh run | in ip route
ip route 192.168.1.100 255.255.255.255 192.168.2.1
R2#
=====================================
=== Config on R3 ===

R3#sh run int tunnel 0
interface Tunnel0
ip address 10.1.1.3 255.255.255.0
no ip redirects
ip mtu 1416
ip hold-time eigrp 1 35
no ip next-hop-self eigrp 1
ip nhrp map 10.1.1.100 192.168.1.100
ip nhrp map multicast 192.168.1.100
ip nhrp network-id 1
ip nhrp nhs 10.1.1.100
no ip split-horizon eigrp 1
tunnel source 192.168.3.3
tunnel mode gre multipoint
tunnel protection ipsec profile DMVPN
end

R3#sh run int loopback 0
interface Loopback0
ip address 172.16.3.1 255.255.255.0
end

R3#sh run int g2/0
interface GigabitEthernet2/0
ip address 192.168.3.3 255.255.255.0
negotiation auto
end

R3#sh run | in ip route
ip route 192.168.1.100 255.255.255.255 192.168.3.1
R3#
=====================================
=== Config on R4 ===

R4#sh run int lo0
interface Loopback0
ip address 172.16.4.1 255.255.255.0
end

R4#sh run int tunnel 0
interface Tunnel0
ip address 10.1.1.4 255.255.255.0 
ip nhrp map 10.1.1.100 192.168.1.100 
ip nhrp map multicast 192.168.1.100 
ip nhrp network-id 1
ip nhrp nhs 10.1.1.100 
tunnel source 192.168.4.4 
tunnel mode gre multipoint
ip mtu 1416 
no ip redirects
ip hold-time eigrp 1 35
no ip next-hop-self eigrp 1
no ip split-horizon eigrp 1
tunnel protection ipsec profile DMVPN
end

R4#sh run int g3/0
interface GigabitEthernet3/0
ip address 192.168.4.4 255.255.255.0
negotiation auto
end

R4#sh run | in ip route
ip route 192.168.1.100 255.255.255.255 192.168.4.1
==== IPSec commands entered on all routers except ISP =====

!-- Create an Internet Security Association and Key Management Protocol (ISAKMP)
!-- policy for phase 1 negotiations.
!-- Note: md5/3des with no "group" line (so the default DH group 1) is lab-grade only.
crypto isakmp policy 10
hash md5
encryption 3des
authentication pre-share

!-- Add a wildcard preshared key that matches all the remote VPN routers.
!-- Note: one key shared by every peer means any spoke holding it can impersonate
!-- the hub or any other spoke; acceptable in a lab, not on a real WAN.
crypto isakmp key cisco address 0.0.0.0 0.0.0.0

!-- Create the Phase 2 policy for actual data encryption (the command is "transform-set").
!-- esp-3des alone gives confidentiality but no integrity check, which is why the
!-- SA output further down shows "replay detection support: N"; outside a lab add
!-- an ESP HMAC transform.
crypto ipsec transform-set MINE esp-3des

!-- Create an IPSec profile to be applied dynamically to the GRE over IPSec tunnels.
crypto ipsec profile DMVPN
set transform-set MINE
interface tunnel0
tunnel protection ipsec profile DMVPN

!-- Enable a routing protocol to send and receive
!-- dynamic updates about the private networks.

router eigrp 1
network 192.168.0.0
network 172.16.0.0
network 10.0.0.0
no auto-summary

interface tunnel0
ip hold-time eigrp 1 35
no ip next-hop-self eigrp 1
no ip split-horizon eigrp 1
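The crypto section above uses md5, 3des, the default DH group, ESP without an HMAC and a single wildcard pre-shared key. The following is an added hardened variant for the same lab topology; it is not part of the original post. The algorithm choices, the key strings, the NHRP authentication string and the MTU/MSS values are assumptions, and the comments mark which lines belong on the hub and which on a spoke (R2 is used as the sample spoke).

```cisco
! Hardened variant of the crypto/NHRP section (added example, not the lab config).
! Assumes the topology above: HUB NBMA 192.168.1.100, spoke R2 NBMA 192.168.2.2.
!
! --- Phase 1 (all routers): AES-256, SHA-256, DH group 14 instead of 3des/md5/group 1.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 28800
!
! --- Pre-shared keys: one key per peer instead of "address 0.0.0.0 0.0.0.0".
! Key strings are placeholders. Remove the wildcard key, otherwise it still matches.
! On the HUB, one line per spoke:
crypto isakmp key Hub-R2-placeholder address 192.168.2.2
crypto isakmp key Hub-R3-placeholder address 192.168.3.3
crypto isakmp key Hub-R4-placeholder address 192.168.4.4
! On spoke R2, the hub key (and, for direct spoke-to-spoke tunnels, a key per other spoke):
! crypto isakmp key Hub-R2-placeholder address 192.168.1.100
!
! --- Phase 2 (all routers): ESP with an HMAC so packets are integrity-protected and
! anti-replay works; transport mode because GRE already supplies the outer IP header.
crypto ipsec transform-set MINE-HARDENED esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile DMVPN
 set transform-set MINE-HARDENED
!
! --- Tunnel additions (all routers), on top of the NHRP/EIGRP lines already shown:
interface Tunnel0
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication NHRPLAB
 ip nhrp holdtime 600
 tunnel key 1
 tunnel protection ipsec profile DMVPN
```

`ip nhrp authentication` and `tunnel key` are carried in the clear inside the GRE/NHRP headers; they only keep mis-joined tunnel clouds apart and are not a security control, peer authentication is done by IKE. Per-peer keys scale poorly once spokes build tunnels to each other (every spoke needs a key for every other spoke), which is why production DMVPN normally moves to certificate authentication (`authentication rsa-sig`) or IKEv2; that is outside the scope of this lab.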
===== testing =====

From R3, ping R4's DMVPN tunnel address 10.1.1.4:
R3#ping 10.1.1.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 68/96/168 ms
R3#

R3#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel0, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     2 192.168.1.100        10.1.1.4    UP 00:00:05     D
                           10.1.1.100    UP 02:57:23     S
R3#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.168.4.4     192.168.3.3     MM_NO_STATE          0 ACTIVE
192.168.1.100   192.168.3.3     QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA

R3#
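Two things in R3's output above deserve a closer look. The dynamic entry for 10.1.1.4 still points at the hub's NBMA address 192.168.1.100 rather than at R4's 192.168.4.4, and the ISAKMP SA towards 192.168.4.4 sits in MM_NO_STATE with conn-id 0. So the ping succeeded, but the packets went through the hub; the direct spoke-to-spoke tunnel never came up. The cause is in the spoke configs: each spoke has only a host route to 192.168.1.100, so the IKE main-mode packets to the other spoke's NBMA address have no route and are dropped. The following is an added example of the routing fix and the checks to run afterwards, not part of the original post; it assumes the lab addressing above and is shown for R3 (mirror it on R2 and R4).

```cisco
! On R3: routes to the other spokes' NBMA addresses via the ISP router.
! A default route is the usual choice on a real Internet-facing spoke; specific
! host routes are used here to keep the lab explicit.
ip route 192.168.2.2 255.255.255.255 192.168.3.1
ip route 192.168.4.4 255.255.255.255 192.168.3.1
!
! Drop the stale half-open IKE SA and NHRP cache, then trigger a fresh
! resolution with spoke-to-spoke traffic between the loopbacks.
clear crypto isakmp
clear ip nhrp
ping 172.16.4.1 source 172.16.3.1
!
! What to verify afterwards:
!  show dmvpn             - the dynamic (D) entry for 10.1.1.4 should list
!                           NBMA 192.168.4.4, not 192.168.1.100, and stay UP
!  show crypto isakmp sa  - the SA with dst 192.168.4.4 should reach QM_IDLE with
!                           a non-zero conn-id instead of MM_NO_STATE / 0
!  show ip nhrp 10.1.1.4  - the NBMA mapping learned from the hub's resolution reply
!  traceroute 172.16.4.1 source 172.16.3.1
!                         - 172.16.4.1 should be the first hop; a path through the
!                           hub shows 10.1.1.100 first
```

Until the route is present the hub silently carries all spoke-to-spoke traffic, which hides the failure: both ping and EIGRP look healthy. Watching for MM_NO_STATE entries and for dynamic NHRP entries whose NBMA address is the hub's is the quickest way to catch it.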
From the HUB:
HUB#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel0, IPv4 NHRP Details
Type:Hub, NHRP Peers:3,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 192.168.2.2          10.1.1.2    UP 00:36:11     D
     1 192.168.3.3          10.1.1.3    UP 00:36:22     D
     1 192.168.4.4          10.1.1.4    UP 02:56:43     D
HUB#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.168.1.100   192.168.4.4     QM_IDLE           1001 ACTIVE
192.168.1.100   192.168.3.3     QM_IDLE           1002 ACTIVE
192.168.1.100   192.168.2.2     QM_IDLE           1003 ACTIVE

IPv6 Crypto ISAKMP SA

 

 

!-- Displays the total encrypts and decrypts per SA.

R2#sh crypto engine connections active
Crypto Engine Connections

   ID  Type    Algorithm           Encrypt  Decrypt IP-Address
    1  IPsec   3DES                      0      588 192.168.2.2
    2  IPsec   3DES                    595        0 192.168.2.2
 1001  IKE     MD5+3DES                  0        0 192.168.2.2
!-- Displays the stats on the active tunnels.

R2#sh crypto ipsec sa
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 192.168.2.2

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.2.2/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (192.168.1.100/255.255.255.255/47/0)
current_peer 192.168.1.100 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 597, #pkts encrypt: 597, #pkts digest: 597
#pkts decaps: 589, #pkts decrypt: 589, #pkts verify: 589
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 192.168.2.2, remote crypto endpt.: 192.168.1.100
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1/0
current outbound spi: 0x60F99A2E(1626970670)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0x8375BA38(2205530680)
transform: esp-3des ,
in use settings ={Tunnel, }
conn id: 1, flow_id: SW:1, sibling_flags 80000046, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4485121/1000)
IV size: 8 bytes
replay detection support: N
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x60F99A2E(1626970670)
transform: esp-3des ,
in use settings ={Tunnel, }
conn id: 2, flow_id: SW:2, sibling_flags 80000046, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4485120/1000)
IV size: 8 bytes
replay detection support: N
Status: ACTIVE

outbound ah sas:

outbound pcp sas:
!-- Displays the state of the ISAKMP SA.
R2#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.168.1.100   192.168.2.2     QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA

 
