
DMVPN – Dynamic Multipoint Virtual Private Network

How to configure DMVPN – Config example.

Dynamic Multipoint Virtual Private Network (DMVPN) is a Cisco IOS feature that builds a dynamic-mesh VPN without manually configuring every possible pair of tunnel end-points. DMVPN uses a hub-and-spoke topology: the hub is configured once, and no further configuration changes are required on the hub as spokes are added.

A DMVPN spoke is configured with one or more hub IP addresses. The hub's IP address must be static; a spoke's IP address can be dynamic. The spokes learn routes to the networks behind other spokes from the hub and can then establish VPN sessions with those spokes directly, without sending traffic through the hub.

DMVPN combines the following technologies:

  • Next Hop Resolution Protocol (NHRP)
  • Multipoint GRE (mGRE)
  • A dynamic routing protocol (EIGRP, OSPF, BGP or RIP)
  • IPsec encryption
  • Cisco Express Forwarding (CEF)
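The registration and resolution flow described above, as an added example that is not part of the original page or of Cisco's document: a small Python model of how a spoke registers its NBMA address with the hub (the Next-Hop Server), how a second spoke's tunnel IP (left as the route's next hop by the hub's `no ip next-hop-self eigrp`) is resolved to an NBMA address, and how the first packet still crosses the hub while the dynamic spoke-to-spoke tunnel comes up. The addresses are the ones used in the configurations on this page; the class names, message shapes and single-step resolution are simplifying assumptions. Note that the `ip nhrp authentication` string is a cleartext sanity check shared by every router in the cloud, not a cryptographic control; the confidentiality and peer authentication come from `tunnel protection` (IPsec), modelled here only as a set of peers.

```python
"""Added example: a toy NHRP hub/spoke exchange (not Cisco code)."""
from dataclasses import dataclass

NHRP_AUTH = "cisco123"   # 'ip nhrp authentication': cleartext string, not cryptography
NETWORK_ID = 1           # 'ip nhrp network-id'


@dataclass
class NhrpEntry:
    tunnel_ip: str   # address inside the mGRE cloud (192.168.1.x)
    nbma_ip: str     # transport address the GRE packet is actually sent to
    kind: str        # "static" (ip nhrp map), "registered" (learned by the NHS) or "dynamic" (resolved)


class Hub:
    """Next-Hop Server: learns tunnel-IP -> NBMA-IP mappings from spoke registrations."""

    def __init__(self, tunnel_ip, nbma_ip):
        self.tunnel_ip, self.nbma_ip = tunnel_ip, nbma_ip
        self.cache = {}

    def registration_request(self, auth, network_id, tunnel_ip, nbma_ip):
        """Spoke -> NHS. Accepted only if the authentication string and network-id match."""
        if auth != NHRP_AUTH or network_id != NETWORK_ID:
            return False
        self.cache[tunnel_ip] = NhrpEntry(tunnel_ip, nbma_ip, "registered")
        return True

    def resolution_request(self, auth, tunnel_ip):
        """Spoke -> NHS: 'which NBMA address is behind this tunnel IP?' (None if unknown)."""
        if auth != NHRP_AUTH:
            return None
        entry = self.cache.get(tunnel_ip)
        return entry.nbma_ip if entry else None


class Spoke:
    def __init__(self, tunnel_ip, nbma_ip, hub, auth=NHRP_AUTH):
        self.tunnel_ip, self.nbma_ip, self.hub, self.auth = tunnel_ip, nbma_ip, hub, auth
        # 'ip nhrp map <hub tunnel ip> <hub nbma ip>': the only static entry a spoke needs
        self.cache = {hub.tunnel_ip: NhrpEntry(hub.tunnel_ip, hub.nbma_ip, "static")}
        self.ipsec_peers = {hub.nbma_ip}   # tunnel protection: IPsec SA to the hub at start

    def register(self):
        """'ip nhrp nhs <hub>': announce our (possibly dynamic) NBMA address to the hub."""
        return self.hub.registration_request(self.auth, NETWORK_ID, self.tunnel_ip, self.nbma_ip)

    def forward(self, dst_tunnel_ip):
        """Pick the NBMA next hop for a packet whose routed next hop is dst_tunnel_ip.
        Returns (nbma_ip, "direct" | "via-hub")."""
        entry = self.cache.get(dst_tunnel_ip)
        if entry is not None:
            return entry.nbma_ip, "direct"
        # Unknown mapping: this packet goes hub-and-spoke while the NHS is asked.
        nbma = self.hub.resolution_request(self.auth, dst_tunnel_ip)
        if nbma is not None:
            self.cache[dst_tunnel_ip] = NhrpEntry(dst_tunnel_ip, nbma, "dynamic")
            self.ipsec_peers.add(nbma)   # IPsec SA for the new spoke-to-spoke GRE tunnel
        return self.hub.nbma_ip, "via-hub"


def demo():
    """Spoke #1 sending two packets towards Spoke #2: first via the hub, then direct."""
    hub = Hub("192.168.1.1", "209.168.202.225")
    spoke1 = Spoke("192.168.1.2", "209.168.202.131", hub)
    spoke2 = Spoke("192.168.1.3", "209.168.202.130", hub)
    assert spoke1.register() and spoke2.register()
    return [spoke1.forward("192.168.1.3") for _ in range(2)]


if __name__ == "__main__":
    for nbma, path in demo():
        print(f"next hop {nbma} ({path})")
```

Two things the model makes visible: a registration with the wrong authentication string or network-id is simply dropped by the NHS, and a destination the hub cannot resolve keeps flowing hub-and-spoke rather than failing, which is why a spoke that never registered is still reachable through the hub's routes but never gets a direct tunnel.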


Hub Router (sv9-2) Configuration

!— Create an Internet Security Association and Key Management
!— Protocol (ISAKMP) policy for Phase 1 negotiations. This lab
!— policy hashes with MD5 (and the transform set below uses 3DES);
!— in production use SHA-2 and AES, or IKEv2.
crypto isakmp policy 10
hash md5
authentication pre-share

!— Add a wildcard pre-shared key for all the remote VPN routers.
!— 0.0.0.0 0.0.0.0 accepts this key from any peer address, which is
!— what lets spokes with dynamic addresses connect; anyone who
!— obtains the key can connect the same way, so keep it secret or
!— use certificates instead.
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0

!— Create the Phase 2 policy for actual data encryption.
crypto ipsec transform-set strong esp-3des esp-md5-hmac

!— Create an IPSec profile to be applied dynamically to the
!— GRE over IPSec tunnels. The 120-second SA lifetime forces
!— frequent rekeys for lab testing; the IOS default is 3600 seconds.
crypto ipsec profile cisco
set security-association lifetime seconds 120
set transform-set strong

!— Create a GRE tunnel template which will be applied to
!— all the dynamically created GRE tunnels.
interface Tunnel0
ip address 192.168.1.1 255.255.255.0
no ip redirects
ip mtu 1440
ip nhrp authentication cisco123
ip nhrp map multicast dynamic
ip nhrp network-id 1
no ip split-horizon eigrp 90
no ip next-hop-self eigrp 90
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 0
tunnel protection ipsec profile cisco

!— This is the outbound interface.
interface FastEthernet0/0
ip address 209.168.202.225 255.255.255.0
duplex auto
speed auto

!— This is the inbound interface.
interface FastEthernet0/1
ip address 1.1.1.1 255.255.255.0
duplex auto
speed auto

!— Enable a routing protocol to send and receive
!— dynamic updates about the private networks.
router eigrp 90
network 1.1.1.0 0.0.0.255
network 192.168.1.0
no auto-summary

Spoke #1 (sv9-3) Configuration

!— Create an ISAKMP policy for Phase 1 negotiations.
crypto isakmp policy 10
hash md5
authentication pre-share

!— Add dynamic pre-shared keys for all the remote VPN
!— routers and the hub router.
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0

!— Create the Phase 2 policy for actual data encryption.
crypto ipsec transform-set strong esp-3des esp-md5-hmac

!— Create an IPSec profile to be applied dynamically to
!— the GRE over IPSec tunnels.
crypto ipsec profile cisco
set security-association lifetime seconds 120
set transform-set strong

!— Create a GRE tunnel template to be applied to
!— all the dynamically created GRE tunnels.
interface Tunnel0
ip address 192.168.1.2 255.255.255.0
no ip redirects
ip mtu 1440
ip nhrp authentication cisco123
ip nhrp map multicast dynamic
ip nhrp map 192.168.1.1 209.168.202.225
ip nhrp map multicast 209.168.202.225
ip nhrp network-id 1
ip nhrp nhs 192.168.1.1
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 0
tunnel protection ipsec profile cisco

!— This is the outbound interface.
interface FastEthernet0/0
ip address 209.168.202.131 255.255.255.0
duplex auto
speed auto

!— This is the inbound interface.
interface FastEthernet0/1
ip address 2.2.2.2 255.255.255.0
duplex auto
speed auto

!— Enable a routing protocol to send and receive
!— dynamic updates about the private networks.
router eigrp 90
network 2.2.2.0 0.0.0.255
network 192.168.1.0
no auto-summary

Spoke #2 (sv9-4) Configuration

!— Create an ISAKMP policy for Phase 1 negotiations.
crypto isakmp policy 10
hash md5
authentication pre-share

!— Add dynamic pre-shared keys for all the remote VPN
!— routers and the hub router.
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0

!— Create the Phase 2 policy for actual data encryption.
crypto ipsec transform-set strong esp-3des esp-md5-hmac

!— Create an IPSec profile to be applied dynamically to
!— the GRE over IPSec tunnels.
crypto ipsec profile cisco
set security-association lifetime seconds 120
set transform-set strong

!— Create a GRE tunnel template to be applied to
!— all the dynamically created GRE tunnels.
interface Tunnel0
ip address 192.168.1.3 255.255.255.0
no ip redirects
ip mtu 1440
ip nhrp authentication cisco123
ip nhrp map multicast dynamic
ip nhrp map 192.168.1.1 209.168.202.225
ip nhrp map multicast 209.168.202.225
ip nhrp network-id 1
ip nhrp nhs 192.168.1.1
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 0
tunnel protection ipsec profile cisco

!— This is the outbound interface.
interface FastEthernet0/0
ip address 209.168.202.130 255.255.255.0
duplex auto
speed auto

!— This is the inbound interface.
interface FastEthernet0/1
ip address 3.3.3.3 255.255.255.0
duplex auto
speed auto

!— Enable a routing protocol to send and receive
!— dynamic updates about the private networks
!— (not in the original listing; mirrors the hub and Spoke #1).
router eigrp 90
network 3.3.3.0 0.0.0.255
network 192.168.1.0
no auto-summary
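The three configurations above share the same crypto settings, so the settings worth questioning (MD5 hashing, 3DES, a short wildcard pre-shared key, a 120-second SA lifetime) appear on every router. As an added example that is not part of the original page or of Cisco's document, the Python lint below reads an IOS running-config (sub-commands indented by one space, as `show running-config` prints them), flags those settings, and additionally catches an mGRE tunnel interface that lacks `tunnel protection`, which would send GRE and NHRP across the transport network in cleartext. The rule ids, the 16-character key floor and the hardened sample config are the editor's assumptions, not Cisco guidance; the hardened sample uses `authentication rsa-sig`, which needs a PKI trustpoint the page does not cover.

```python
"""Added example: a lint for the DMVPN configs on this page (not Cisco code)."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    line: int
    rule: str
    message: str


# Single-line rules: (rule id, regex, message).
LINE_RULES = [
    ("md5-hash", r"^\s*hash\s+md5\s*$",
     "ISAKMP policy uses MD5; use 'hash sha256' (or move to IKEv2)"),
    ("wildcard-psk",
     r"^\s*crypto isakmp key\s+(?:[06]\s+)?\S+\s+address\s+0\.0\.0\.0\s+0\.0\.0\.0",
     "pre-shared key accepted from any peer address; prefer certificates (rsa-sig) "
     "or per-peer keys where spoke addresses are static"),
    ("3des", r"^\s*crypto ipsec transform-set\s+\S+\s.*\besp-3des\b",
     "3DES transform; use esp-aes 256 (or esp-gcm)"),
    ("md5-hmac", r"^\s*crypto ipsec transform-set\s+\S+\s.*\besp-md5-hmac\b",
     "MD5-HMAC integrity; use esp-sha256-hmac or an AEAD transform"),
]
PSK_RE = re.compile(r"^\s*crypto isakmp key\s+(?:(?P<type>[06])\s+)?(?P<key>\S+)\s+address")
LIFETIME_RE = re.compile(r"^\s*set security-association lifetime seconds\s+(\d+)")
MIN_PSK_LEN = 16                 # assumed floor for a cleartext (type 0) key
IOS_DEFAULT_SA_LIFETIME = 3600   # seconds; the page's 120 s is a lab rekey-test value


def stanzas(lines):
    """Yield (line_no, header, [sub-commands]) for each top-level IOS stanza."""
    header, body, start = None, [], 0
    for n, raw in enumerate(lines, 1):
        if raw.startswith("!") or not raw.strip():
            continue                      # comment or blank line
        if raw[0].isspace():
            body.append(raw.strip())      # indented sub-command of the current stanza
            continue
        if header is not None:
            yield start, header, body
        header, body, start = raw.strip(), [], n
    if header is not None:
        yield start, header, body


def audit(config):
    """Return the Findings for one device config, ordered by line number."""
    lines = config.splitlines()
    findings = []
    for n, line in enumerate(lines, 1):
        for rule, pattern, message in LINE_RULES:
            if re.match(pattern, line):
                findings.append(Finding(n, rule, message))
        m = PSK_RE.match(line)
        if m and m.group("type") != "6" and len(m.group("key")) < MIN_PSK_LEN:
            findings.append(Finding(n, "weak-psk", f"pre-shared key is only "
                            f"{len(m.group('key'))} characters; use a long random key"))
        m = LIFETIME_RE.match(line)
        if m and int(m.group(1)) < IOS_DEFAULT_SA_LIFETIME:
            findings.append(Finding(n, "short-lifetime", f"IPsec SA lifetime {m.group(1)} s "
                            f"is below the {IOS_DEFAULT_SA_LIFETIME} s default (lab setting)"))
    # Block rule: a tunnel interface without 'tunnel protection' carries GRE/NHRP in cleartext.
    for start, header, body in stanzas(lines):
        if header.startswith("interface Tunnel") and \
                not any(b.startswith("tunnel protection ") for b in body):
            findings.append(Finding(start, "cleartext-gre", f"{header} has no 'tunnel "
                            "protection ipsec profile'; traffic crosses the NBMA network unencrypted"))
    return sorted(findings, key=lambda f: f.line)


def rule_ids(config):
    return sorted({f.rule for f in audit(config)})


# Constructed input: the hub's crypto and tunnel lines from this page, indented as a running-config.
HUB_CONFIG = """\
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto ipsec transform-set strong esp-3des esp-md5-hmac
crypto ipsec profile cisco
 set security-association lifetime seconds 120
 set transform-set strong
interface Tunnel0
 ip address 192.168.1.1 255.255.255.0
 ip mtu 1440
 ip nhrp authentication cisco123
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 0
 tunnel protection ipsec profile cisco
"""

# Editor's hardened counterpart (assumes a PKI trustpoint for rsa-sig; not from the page).
HARDENED_CONFIG = """\
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication rsa-sig
 group 14
crypto ipsec transform-set strong esp-aes 256 esp-sha256-hmac
crypto ipsec profile cisco
 set transform-set strong
interface Tunnel0
 ip address 192.168.1.1 255.255.255.0
 ip nhrp authentication cisco123
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile cisco
"""

if __name__ == "__main__":
    for f in audit(HUB_CONFIG):
        print(f"line {f.line:>2} [{f.rule}] {f.message}")
    print("hardened:", rule_ids(HARDENED_CONFIG) or "no findings")
```

Run it against each router's `show running-config` output; the spoke configs above produce the same six findings as the hub because they repeat its crypto block. The wildcard key is the one finding that cannot always be fixed by a per-peer key, since the page's spokes may have dynamic addresses, which is why the hardened sample moves to certificates rather than to `crypto isakmp key ... address <spoke>`.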

Verification Commands:

show ip nhrp – displays the NHRP cache (tunnel IP to NBMA address mappings)
show ip eigrp neighbors – displays the EIGRP adjacencies formed over the mGRE tunnel
show dmvpn – displays each DMVPN peer and its tunnel state
show dmvpn detail – adds NHRP and crypto session detail for each peer
show ip cef – displays the CEF forwarding table
show dmvpn peer network
show crypto engine connections active – displays the total encrypts and decrypts per SA
show crypto ipsec sa – displays the stats on the active tunnels
show crypto isakmp sa – displays the state of the ISAKMP SAs

Debug Commands:

debug nhrp
debug nhrp packet
debug crypto isakmp
debug crypto ipsec
debug crypto engine

Source / References:

http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/29240-dcmvpn.html