
Dynamic Multipoint VPN - 1

Thanks to the references listed below; I followed the same steps to set up my lab. If you are new to DMVPN, read them first. I also came across a summary of the DMVPN concept on 9tut.com:

DMVPN is the combination of the following technologies:

+ Multipoint GRE (mGRE)
+ Next-Hop Resolution Protocol (NHRP)
+ Dynamic Routing Protocol (EIGRP, RIP, OSPF, BGP…) (optional)
+ Dynamic IPsec encryption (optional)
+ Cisco Express Forwarding (CEF)

This is the lab I used: R1 is the plain underlay router in the middle, the HUB (192.168.1.100) sits on one side of it, and the spokes R2, R3 and R4 hang off its other interfaces, each with a loopback standing in for a site LAN. One client on the right side, a Docker container, is able to reach the server side. I do not explain every command, since the references below have the details. Before starting, you need some basics: symmetric versus asymmetric encryption, HMAC, the 3DES (Triple Data Encryption Standard) cipher, pre-shared key authentication and the MD5 hash algorithm. 3DES and MD5 are legacy choices, acceptable in a lab but not in production, where AES and SHA-2 are the expected replacements.

!!HUB Configuration
hostname HUB
interface e0/1
  ip address 192.168.1.100 255.255.255.0
  no shut

ip route 192.168.2.0 255.255.255.0 192.168.1.1
ip route 192.168.3.0 255.255.255.0 192.168.1.1
ip route 192.168.4.0 255.255.255.0 192.168.1.1

=======================================
!!R1 configuration
hostname R1
interface e0/0
    ip address 192.168.1.1 255.255.255.0
    duplex full
    no shut

interface e0/1
    ip address 192.168.2.1 255.255.255.0
    duplex full
    no shut

interface e0/2
    ip address 192.168.3.1 255.255.255.0
    duplex full
    no shut

interface e0/3
    ip address 192.168.4.1 255.255.255.0
    duplex full
    no shut

=======================================
!!R2 configuration
hostname R2
interface e0/1
    ip address 192.168.2.2 255.255.255.0
    duplex full
    no shut

interface loopback 0
    ip address 172.16.2.1 255.255.255.0
    no shut

ip route 192.168.1.100 255.255.255.255 192.168.2.1

=======================================
!!R3 configuration
hostname R3
interface e0/1
    ip address 192.168.3.3 255.255.255.0
    duplex full
    no shut

interface loopback 0
    ip address 172.16.3.1 255.255.255.0
    no shut

ip route 192.168.1.100 255.255.255.255 192.168.3.1

=======================================
!!R4 configuration
hostname R4
interface e0/1
  ip address 192.168.4.4 255.255.255.0
  duplex full
  no shut

interface loopback 0
    ip address 172.16.4.1 255.255.255.0
    no shut

ip route 192.168.1.100 255.255.255.255 192.168.4.1

!!HUB Configuration
interface Tunnel0
 ip address 10.1.1.1 255.255.255.0
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source 192.168.1.100
 tunnel mode gre multipoint
 ip mtu 1416

=======================================
!!R2 configuration
interface Tunnel0
 ip address 10.1.1.2 255.255.255.0
 ip nhrp map 10.1.1.1 192.168.1.100
 ip nhrp map multicast 192.168.1.100
 ip nhrp network-id 1
 ip nhrp nhs 10.1.1.1
 tunnel source 192.168.2.2
 tunnel mode gre multipoint
 ip mtu 1416
=======================================
!!R3 configuration
interface Tunnel0
 ip address 10.1.1.3 255.255.255.0
 ip nhrp map 10.1.1.1 192.168.1.100
 ip nhrp map multicast 192.168.1.100
 ip nhrp network-id 1
 ip nhrp nhs 10.1.1.1
 tunnel source 192.168.3.3
 tunnel mode gre multipoint
 ip mtu 1416

=======================================
!!R4 configuration
interface Tunnel0
 ip address 10.1.1.4 255.255.255.0
 ip nhrp map 10.1.1.1 192.168.1.100
 ip nhrp map multicast 192.168.1.100
 ip nhrp network-id 1
 ip nhrp nhs 10.1.1.1
 tunnel source 192.168.4.4
 tunnel mode gre multipoint
 ip mtu 1416

=======================================
!!IPSEC configuration (identical on HUB, R2, R3 and R4)
crypto isakmp policy 10
 hash md5
 encryption 3des
 authentication pre-share
! no "group" line, so the default Diffie-Hellman group 1 (768-bit) is used

! wildcard address: any peer that knows cisco123 can bring up an SA with the hub
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
! esp-3des alone encrypts the payload but does not authenticate it;
! add esp-md5-hmac or esp-sha-hmac for integrity
crypto ipsec transform-set MINE esp-3des

crypto ipsec profile DMVPN
 set transform-set MINE

interface tunnel0
 tunnel protection ipsec profile DMVPN
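For comparison, here is a hardened version of the same IPsec policy. It is an added example, not the lab's configuration, and assumes an IOS 15.x image with the security feature set, where AES-256, SHA-256, DH group 14 and the esp-sha256-hmac transform are available (check with `show crypto isakmp policy` after entering it). The per-spoke keys (R2secret and so on) and the NHRP authentication string are placeholders; every router must use the same NHRP string.

```cisco
! Added example (not the lab's own config): the same IPsec protection with
! current algorithms.  Apply on HUB, R2, R3 and R4; keys are placeholders.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
!
! HUB: one key per spoke instead of the 0.0.0.0 wildcard, so a key lifted
! from one site cannot be used to register a rogue spoke from anywhere.
crypto isakmp key R2secret address 192.168.2.2
crypto isakmp key R3secret address 192.168.3.3
crypto isakmp key R4secret address 192.168.4.4
! R2 keeps only its own key for the hub (R3 and R4 alike):
! crypto isakmp key R2secret address 192.168.1.100
!
! AES with an HMAC: esp-3des alone encrypts but does not authenticate the
! payload.  Transport mode drops the extra IP header; GRE already adds one.
crypto ipsec transform-set STRONG esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile DMVPN
 set transform-set STRONG
!
interface Tunnel0
 ip nhrp authentication NHRP8chr
 tunnel protection ipsec profile DMVPN
```

Per-spoke keys cover the hub-and-spoke SAs. The Phase 2 spoke-to-spoke tunnels in this lab also need each pair of spokes to share a key, which is why DMVPN deployments beyond a handful of sites move to certificates (`authentication rsa-sig`) instead of pre-shared keys.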

=======================================
!!Dynamic routing (EIGRP) configuration on HUB, R2, R3 and R4; R1 only carries the underlay
interface tunnel0
    ip hold-time eigrp 1 35
    no ip next-hop-self eigrp 1
    no ip split-horizon eigrp 1
! the two "no" lines matter on the HUB: it must re-advertise spoke routes out of the
! same tunnel interface and keep the originating spoke's tunnel address as next hop (Phase 2)

router eigrp 1
    network 192.168.0.0
    network 172.16.0.0
    network 10.0.0.0
    no auto-summary
! "network 192.168.0.0" without a wildcard is classful (192.168.0.0/24) and matches none of
! the 192.168.x.0 links, so the underlay stays out of EIGRP; 172.16.0.0 covers the loopbacks
! and 10.0.0.0 the tunnel addresses

=======================================

!!Verification
debug nhrp
debug nhrp packet

show dmvpn
show ip route

If we capture the underlay traffic in Wireshark, the packets are encrypted: only ESP is seen between each spoke and the HUB, so the IPsec configuration above (with its pre-shared key) protects everything that rides the tunnel, including the NHRP registrations and EIGRP updates.
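One way to check that claim without eyeballing Wireshark: the script below is an added example (not part of the original post) that parses raw IPv4 packets captured on the underlay, for instance on the R1 links, and flags any GRE that is still in cleartext, which is exactly what you see from a spoke where `tunnel protection` was forgotten. The capture bytes are constructed inline for the lab's addresses; the helper builders, `classify` and `audit` are all this example's own.

```python
"""Audit an underlay capture from the DMVPN lab: the only tunnel traffic that
should be visible between the spokes and 192.168.1.100 is ESP (plus ISAKMP on
UDP/500 while the SAs are being built).  Any cleartext GRE means a router is
running the mGRE tunnel without `tunnel protection`, and its NHRP registrations
and EIGRP updates are on the wire unencrypted.  Packets are raw IPv4 (no link
layer); the sample capture below is constructed, not taken from the lab."""
import struct
from typing import Dict, List, Optional

IPPROTO_UDP, IPPROTO_GRE, IPPROTO_ESP, IPPROTO_EIGRP = 17, 47, 50, 88
GRE_PTYPE_IPV4, GRE_PTYPE_NHRP = 0x0800, 0x2001   # GRE protocol-type field


def ip_checksum(hdr: bytes) -> int:
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) in front of payload."""
    s = bytes(int(o) for o in src.split("."))
    d = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, s, d)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def gre(ptype: int, inner: bytes, key: Optional[int] = None) -> bytes:
    """GRE header: flags/version, protocol type, optional 4-byte key (K bit)."""
    flags = 0x2000 if key is not None else 0
    hdr = struct.pack("!HH", flags, ptype)
    if key is not None:
        hdr += struct.pack("!I", key)
    return hdr + inner


def esp(spi: int, seq: int, ciphertext: bytes) -> bytes:
    """ESP: the SPI and sequence number are the only cleartext fields."""
    return struct.pack("!II", spi, seq) + ciphertext


def classify(pkt: bytes) -> Dict:
    """Decode the outer IPv4 header and say what kind of tunnel packet this is."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    rec = {"src": ".".join(map(str, pkt[12:16])),
           "dst": ".".join(map(str, pkt[16:20])), "proto": proto}
    body = pkt[ihl:]
    if proto == IPPROTO_ESP:
        spi, seq = struct.unpack("!II", body[:8])
        rec.update(kind="esp", spi=spi, seq=seq)
    elif proto == IPPROTO_GRE:
        flags, ptype = struct.unpack("!HH", body[:4])
        off = 4 + (4 if flags & 0x8000 else 0)      # C bit: checksum + reserved
        key = None
        if flags & 0x2000:                           # K bit: tunnel key
            key = struct.unpack("!I", body[off:off + 4])[0]
            off += 4
        off += 4 if flags & 0x1000 else 0            # S bit: sequence number
        inner = body[off:]
        inner_proto = inner[9] if ptype == GRE_PTYPE_IPV4 and len(inner) >= 20 else None
        rec.update(kind="gre", ptype=ptype, key=key, inner_proto=inner_proto)
    elif proto == IPPROTO_UDP:
        sport, dport = struct.unpack("!HH", body[:4])
        rec.update(kind="isakmp" if 500 in (sport, dport) else "udp", sport=sport, dport=dport)
    else:
        rec["kind"] = "other"
    return rec


def audit(packets: List[bytes]) -> List[str]:
    """One finding per cleartext GRE packet, naming what leaked."""
    findings = []
    for pkt in packets:
        r = classify(pkt)
        if r["kind"] != "gre":
            continue
        flow = f"{r['src']}->{r['dst']}"
        if r["ptype"] == GRE_PTYPE_NHRP:
            findings.append(f"{flow}: cleartext NHRP (spoke registering without tunnel protection)")
        elif r["inner_proto"] == IPPROTO_EIGRP:
            findings.append(f"{flow}: cleartext EIGRP inside GRE")
        else:
            findings.append(f"{flow}: cleartext GRE, protocol type 0x{r['ptype']:04x}")
    return findings


# Constructed sample capture, as if taken on R1's links toward the HUB.
HUB = "192.168.1.100"
SAMPLE_CAPTURE = [
    # R2 is correct: registration and hellos ride inside ESP, payload is opaque
    ipv4("192.168.2.2", HUB, IPPROTO_ESP, esp(0x1234, 1, bytes(32))),
    # IKE phase 1 between R2 and the HUB (UDP/500: 8-byte UDP header + payload)
    ipv4("192.168.2.2", HUB, IPPROTO_UDP, struct.pack("!HHHH", 500, 500, 8 + 28, 0) + bytes(28)),
    # R3 is missing `tunnel protection`: its NHRP registration is cleartext GRE
    ipv4("192.168.3.3", HUB, IPPROTO_GRE, gre(GRE_PTYPE_NHRP, bytes(40))),
    # ... and so is its EIGRP hello (inner IPv4 10.1.1.3 -> 224.0.0.10, proto 88)
    ipv4("192.168.3.3", HUB, IPPROTO_GRE,
         gre(GRE_PTYPE_IPV4, ipv4("10.1.1.3", "224.0.0.10", IPPROTO_EIGRP, b"\x02\x05" + bytes(18)))),
]

if __name__ == "__main__":
    for line in audit(SAMPLE_CAPTURE):
        print(line)
```

With a real capture, take the IP payload of each frame (for example from a `tcpdump -w` file on the link between R1 and the HUB, with the Ethernet header stripped) and pass the list to `audit`; an empty result on a working lab is the "it is encrypted" observation made checkable.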

Ping from the client side to the server. This is Phase 2, so only the HUB IP address is seen as the source.