—DMVPN Concepts
show ip nhrp
debug ip nhrp

There are Phase 2 DMVPNs, where spokes can have dynamic IP addresses, register with a hub and let all traffic flow through the hub.
There are Phase 3 DMVPNs, where spokes can communicate directly with each other after registering with the Next Hop Server (NHS).

NHRP is the protocol that, once all the spokes have registered with the server, can resolve and advertise a next hop.

When you are using EIGRP with Phase 3 DMVPN you need to disable split horizon on the tunnel interface,
and you also need to turn off next-hop-self so that the advertised next hop can be the remote spoke router.

DMVPN does not run IPsec natively; it must be enabled separately on the tunnel.
95% of deployments will work best with an MTU of 1400 and a TCP MSS of 1360. The MSS is always 40 lower than the MTU (20 bytes of IP header plus 20 bytes of TCP header).

//Configuration Phase2+3 DMVPN /w IPSEC- EIGRP

——–Headquarters

!!Tunnel/NHRP configuration

int tunnel 0
ip address 172.16.1.1 255.255.255.0 !!All tunnel IPs (hub and spokes) must be on the same subnet
tunnel source fa0/0 !!Public-facing interface
tunnel mode gre multipoint
tunnel key !!Must match the spokes
ip nhrp network-id 1 !!Must be identical on hub and spokes
ip nhrp authentication !!Must be identical on the other end
ip nhrp map multicast dynamic !!Add a multicast mapping for each spoke as it registers, so routing-protocol hellos reach it
ip nhrp shortcut
ip mtu 1400 !!Fragmentation can cause slowness
ip tcp adjust-mss 1360 !!Always 40 bytes less than the MTU
no ip split-horizon eigrp 1 !!Allow updates learned from one spoke back out the same interface so the other spokes hear of it

!!EIGRP Configuration
router eigrp 1
network 10.1.1.0 0.0.0.255
network 172.16.1.0 0.0.0.255
no auto-summary

!!Apply the IPSEC Profile

crypto isakmp key 0 cisco address 2.2.2.2 !!Create one entry per branch, keyed on its PUBLIC IP
crypto isakmp key 0 cisco address 3.3.3.2
!
crypto isakmp policy 5
hash md5
group 5
authentication pre-share
encryption aes
exit
!
crypto ipsec transform-set IPSEC esp-md5-hmac esp-aes
mode transport !!Do not rewrite the outer IP addresses; the tunnel (GRE) IPs stay as they are
exit
!
crypto ipsec profile VPN
set transform-set IPSEC
exit
!
Int tun 0
tunnel protection ipsec profile VPN

///////////////////////////////////////////////////////////////////////////////////////
!!Upgrade to Phase3 DMVPN
int tun 0
ip nhrp redirect !!Tell a spoke asking for another spoke to resolve it directly instead of forwarding through this router
no ip next-hop-self eigrp 1

——–Branch Office

!!Tunnel/NHRP configuration

int tunnel 0
ip address 172.16.1.2 255.255.255.0 !!All tunnel IPs (hub and spokes) must be on the same subnet
tunnel source fa0/0 !!Public-facing interface
tunnel mode gre multipoint
tunnel key !!Must match the hub
ip nhrp network-id 1 !!Must be identical on hub and spokes
ip nhrp authentication !!Must be identical on the other end
ip nhrp nhs 172.16.1.1 !!Tunnel IP of the NHRP server (hub)
ip nhrp map 172.16.1.1 15.0.0.1 !!Static mapping of the hub's tunnel IP to its PUBLIC IP
ip nhrp map multicast 15.0.0.1 !!Hub's PUBLIC IP; must be the same address as in the ip nhrp map line
ip nhrp shortcut
ip mtu 1400 !!Fragmentation can cause slowness
ip tcp adjust-mss 1360 !!Always 40 bytes less than the MTU

!!EIGRP Configuration
router eigrp 1
network 10.1.1.0 0.0.0.255
network 172.16.1.0 0.0.0.255
no auto-summary

!!IPSEC Profile VPN
crypto isakmp policy 5
encr aes
hash md5
authentication pre-share
group 5
crypto isakmp key cisco address 1.1.1.2
crypto isakmp key cisco address 2.2.2.2
!
!
crypto ipsec transform-set IPSEC esp-aes esp-md5-hmac
mode transport
!
crypto ipsec profile VPN
set transform-set IPSEC
!
Int tun 0
tunnel protection ipsec profile VPN

//Configuration Phase3 DMVPN /w IPSEC- OSPF

——–Headquarters

int tunnel 0
ip address 172.16.1.1 255.255.255.0 !!All tunnel IPs (hub and spokes) must be on the same subnet
tunnel source fa0/0 !!Public-facing interface
tunnel mode gre multipoint
tunnel key !!Must match the spokes
ip nhrp network-id 1 !!Must be identical on hub and spokes
ip nhrp authentication !!Must be identical on the other end
ip nhrp map multicast dynamic !!Add a multicast mapping for each spoke as it registers, so OSPF hellos reach it
ip nhrp redirect !!Tell a spoke asking for another spoke to resolve it directly instead of forwarding through this router
ip nhrp shortcut
ip mtu 1400 !!Fragmentation can cause slowness
ip tcp adjust-mss 1360 !!Always 40 bytes less than the MTU
ip ospf network broadcast !!Must match the network type configured on the spokes
ip ospf priority 255 !!The hub must be the DR; it is the only router with multicast mappings to every spoke

!!OSPF Configuration
router ospf 1
log-adjacency-changes
network 10.1.1.0 0.0.0.255 area 0
network 172.16.1.0 0.0.0.255 area 0

!!Apply the IPSEC Profile

crypto isakmp key 0 cisco address 2.2.2.2 !!Create one entry per branch, keyed on its PUBLIC IP
crypto isakmp key 0 cisco address 3.3.3.2
!
crypto isakmp policy 5
hash md5
group 5
authentication pre-share
encryption aes
exit
!
crypto ipsec transform-set IPSEC esp-md5-hmac esp-aes
mode transport !!Do not rewrite the outer IP addresses; the tunnel (GRE) IPs stay as they are
exit
!
crypto ipsec profile VPN
set transform-set IPSEC
exit
!
Int tun 0
tunnel protection ipsec profile VPN

——–Branch Office

!!Tunnel/NHRP configuration

int tunnel 0
ip address 172.16.1.2 255.255.255.0 !!All tunnel IPs (hub and spokes) must be on the same subnet
tunnel source fa0/0 !!Public-facing interface
tunnel mode gre multipoint
tunnel key !!GRE tunnel key; must match the hub
ip nhrp network-id 1 !!Must be identical on hub and spokes
ip nhrp authentication !!Must be identical on the other end
ip nhrp nhs 172.16.1.1 !!Tunnel IP of the NHRP server (hub)
ip nhrp map 172.16.1.1 15.0.0.1 !!Static mapping of the hub's tunnel IP to its PUBLIC IP
ip nhrp map multicast 15.0.0.1 !!Hub's PUBLIC IP; must be the same address as in the ip nhrp map line
ip nhrp shortcut
ip mtu 1400 !!Fragmentation can cause slowness
ip tcp adjust-mss 1360 !!Always 40 bytes less than the MTU
ip ospf network broadcast !!Must match the network type configured on the hub
ip ospf priority 0 !!Spokes must never become DR/BDR; only the hub can reach every spoke

!!OSPF Configuration
router ospf 1
log-adjacency-changes
network 10.1.1.0 0.0.0.255 area 0
network 172.16.1.0 0.0.0.255 area 0

!!IPSEC Profile VPN
crypto isakmp policy 5
encr aes
hash md5
authentication pre-share
group 5
crypto isakmp key cisco address 1.1.1.2
crypto isakmp key cisco address 2.2.2.2
!
!
crypto ipsec transform-set IPSEC esp-aes esp-md5-hmac
mode transport
!
crypto ipsec profile VPN
set transform-set IPSEC
!
Int tun 0
tunnel protection ipsec profile VPN

—-CAC (Call Admission Control)
show crypto call admission statistics

You can control the number of VPN tunnels that may be negotiating at once and the maximum number of established VPN tunnels.
The reason you would want to do this is to conserve resources on your router and stop an attacker from negotiating 1000 tunnels at the
same time and exhausting its resources.

//Configuration
crypto call admission limit ike in-negotiation-sa !!Set the number of peers that may have an IKE negotiation in progress at once
crypto call admission limit ike sa !!Set the maximum number of established IKE SAs (peers)

—Troubleshooting DMVPN’s
show crypto engine connections active !!Which ISAKMP/IPsec policy am I using to connect to my VPN peer?

  1. Check that traffic is not being blocked on the following ports/protocols:
    UDP 500 !ISAKMP (IKE Phase 1)
    UDP 4500 !NAT-T
    IP protocol 50 !ESP
  2. Check tunnel keys and the NHRP network-id. Compare the hub and spoke configuration.
  3. "Sanity check failed" or "malformed payload" messages in the ISAKMP debugs usually mean the IPsec pre-shared keys differ between the two devices.
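As an added example that is not part of these notes, the Python below automates step 2 (compare tunnel key, NHRP network-id, authentication string and the spoke's NHRP mappings) together with the MTU/MSS rule from the concepts section; the two config excerpts are constructed and the mismatches in them are deliberate.

```python
"""Consistency check of a DMVPN hub/spoke tunnel config pair (constructed sample)."""
import re

# Constructed excerpts in the style of the notes above, not a real deployment.
HUB = """interface Tunnel0
 tunnel key 100
 ip nhrp network-id 1
 ip nhrp authentication DMVPN1
 ip mtu 1400
 ip tcp adjust-mss 1360"""
SPOKE = """interface Tunnel0
 tunnel key 100
 ip nhrp network-id 2
 ip nhrp authentication DMVPN1
 ip nhrp nhs 172.16.1.1
 ip nhrp map 172.16.1.1 15.0.0.1
 ip nhrp map multicast 1.1.1.1
 ip mtu 1400
 ip tcp adjust-mss 1380"""

def grab(cfg, pattern):
    """Return the first capture group of pattern in cfg (line-anchored), or None."""
    m = re.search(pattern, cfg, re.M)
    return m.group(1) if m else None

def parse_tunnel(cfg):
    """Pull out the per-tunnel settings both ends must agree on."""
    return {
        "tunnel_key": grab(cfg, r"^\s*tunnel key (\S+)"),
        "network_id": grab(cfg, r"^\s*ip nhrp network-id (\S+)"),
        "auth":       grab(cfg, r"^\s*ip nhrp authentication (\S+)"),
        # static map is 'ip nhrp map <tunnel-ip> <public-ip>'; skip the multicast form
        "map_nbma":   grab(cfg, r"^\s*ip nhrp map (?!multicast)\S+ (\S+)"),
        "mcast_nbma": grab(cfg, r"^\s*ip nhrp map multicast (\S+)"),
        "mtu":        grab(cfg, r"^\s*ip mtu (\d+)"),
        "mss":        grab(cfg, r"^\s*ip tcp adjust-mss (\d+)"),
    }

def check_pair(hub_cfg, spoke_cfg):
    """Return a list of findings; an empty list means the pair is consistent."""
    hub, spoke = parse_tunnel(hub_cfg), parse_tunnel(spoke_cfg)
    findings = []
    for f in ("tunnel_key", "network_id", "auth"):    # must be identical on both ends
        if hub[f] != spoke[f]:
            findings.append(f"{f} mismatch: hub={hub[f]} spoke={spoke[f]}")
    if spoke["map_nbma"] != spoke["mcast_nbma"]:      # both must be the hub's public IP
        findings.append("spoke: multicast map NBMA differs from static map NBMA")
    for name, t in (("hub", hub), ("spoke", spoke)):  # MSS = MTU - (20 IP + 20 TCP)
        if t["mtu"] and t["mss"] and int(t["mtu"]) - int(t["mss"]) != 40:
            findings.append(f"{name}: adjust-mss should be {int(t['mtu']) - 40}")
    return findings
```

Running `check_pair(HUB, SPOKE)` on the constructed pair reports the network-id mismatch, the inconsistent NHRP multicast mapping and the wrong MSS on the spoke.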

—Static VTI Tunnels
Virtual Tunnel Interfaces (VTIs) can be used to apply different service policies to different types of traffic.
For example, we can give all the IPsec-encrypted traffic one ToS marking and all the unencrypted traffic going out
the public interface another service policy that sets a different ToS marking.

We use one tunnel interface per site connection, so 2 VPNs = 2 tunnel interfaces.

//EIGRP – Site1
!
crypto isakmp policy 10
encr aes
hash md5
authentication pre-share
group 5
crypto isakmp key router2 address 2.2.2.2
!
crypto ipsec transform-set IPSEC esp-aes esp-md5-hmac
!
crypto ipsec profile VTI1
set transform-set IPSEC
!
interface Loopback10
ip address 11.11.11.11 255.255.255.0
!
interface Tunnel0
ip unnumbered Loopback10
ip mtu 1400
ip ospf network broadcast
ip ospf priority 2
tunnel source FastEthernet0/0
tunnel destination 2.2.2.2
tunnel mode ipsec ipv4
tunnel protection ipsec profile VTI1
!
router eigrp 1
network 10.0.0.0
network 11.11.11.0 0.0.0.255
no auto-summary
!
!///QOS
!
class-map match-all NON-VPN
match any
class-map match-all MATCH_VPN
match any
!
!
policy-map NON_VPN_POLICY
class NON-VPN
set dscp af31
policy-map VPN_POLICY
class MATCH_VPN
set dscp ef
!
Int tun 0
service-policy output VPN_POLICY
!
Int fa0/0
service-policy output NON_VPN_POLICY

//EIGRP – Site2
!
crypto isakmp policy 5
encr aes
hash md5
authentication pre-share
group 5
crypto isakmp key cisco address 3.3.3.2
crypto isakmp key router2 address 1.1.1.2
!
!
crypto ipsec transform-set IPSEC esp-aes esp-md5-hmac
!
crypto ipsec profile VTI1
set transform-set IPSEC
!
interface Loopback10
ip address 22.22.22.22 255.255.255.0
!
interface Tunnel0
ip unnumbered Loopback10
ip mtu 1400
ip ospf network broadcast
tunnel source FastEthernet0/0
tunnel destination 1.1.1.2
tunnel mode ipsec ipv4
tunnel protection ipsec profile VTI1
!
router eigrp 1
network 10.0.0.0
network 22.22.22.0 0.0.0.255
no auto-summary

//OSPF – Site1
!
crypto isakmp policy 10
encr aes
hash md5
authentication pre-share
group 5
crypto isakmp key router2 address 2.2.2.2
!
!
crypto ipsec transform-set IPSEC esp-aes esp-md5-hmac
!
crypto ipsec profile VTI1
set transform-set IPSEC
!
interface Loopback10
ip address 11.11.11.11 255.255.255.0
!
interface Tunnel0
ip unnumbered Loopback10
ip mtu 1400
ip ospf network point-to-point
ip ospf priority 2
ip ospf mtu-ignore
tunnel source FastEthernet0/0
tunnel destination 2.2.2.2
tunnel mode ipsec ipv4 !!No GRE header in IPsec VTI mode, so a GRE tunnel key does not apply here
tunnel protection ipsec profile VTI1
!
router ospf 1
log-adjacency-changes
network 10.1.1.0 0.0.0.255 area 0
network 11.11.11.0 0.0.0.255 area 0
!///QOS
!
class-map match-all NON-VPN
match any
class-map match-all MATCH_VPN
match any
!
!
policy-map NON_VPN_POLICY
class NON-VPN
set dscp af31
policy-map VPN_POLICY
class MATCH_VPN
set dscp ef
!
Int tun 0
service-policy output VPN_POLICY
!
Int fa0/0
service-policy output NON_VPN_POLICY

//OSPF – Site2
!
crypto isakmp policy 5
encr aes
hash md5
authentication pre-share
group 5
crypto isakmp key cisco address 3.3.3.2
crypto isakmp key router2 address 1.1.1.2
!
!
crypto ipsec transform-set IPSEC esp-aes esp-md5-hmac
!
crypto ipsec profile VTI1
set transform-set IPSEC
!
interface Loopback10
ip address 22.22.22.22 255.255.255.0
!
interface Tunnel0
ip unnumbered Loopback10
ip mtu 1400
ip ospf network point-to-point
ip ospf mtu-ignore
tunnel source FastEthernet0/0
tunnel destination 1.1.1.2
tunnel mode ipsec ipv4 !!No GRE header in IPsec VTI mode, so a GRE tunnel key does not apply here
tunnel protection ipsec profile VTI1
!
router ospf 1
log-adjacency-changes
network 10.1.2.0 0.0.0.255 area 0
network 22.22.22.0 0.0.0.255 area 0

—Dynamic VTI Tunnels
If you have a large number of VPN sites and different sets of requirements for certain groups, use dynamic VTI connections.
You can have the following scenario: 20 client sites must use key xxxxx and AES = 1 profile;
another 20 client sites must use key yyyyy and 3DES = 1 profile.
So a profile is a logical group of sites that all share the same requirements. The virtual-template creates dynamic "access ports",
which means you do not need to create a tunnel interface per VPN connection.
You can use match criteria such as the peer's public IP, certificate information or the Easy VPN tunnel name.
