Dynamic Multipoint VPN (DMVPN)
Mechanics of DMVPN-mGRE Tunnel Interfaces
-Static & Dynamic IPs
-Routing Protocol
-Next Hop Resolution Protocol (NHRP) for spoke discovery
-The Hub needs a static IP but spokes do not
By default a tunnel interface uses point-to-point GRE (tunnel mode gre ip); DMVPN switches it to tunnel mode gre multipoint so one interface reaches every peer.
Tunnel key and NHRP authentication string must match on hub and spokes; the NHRP network ID is only locally significant, but it is normally set to the same value everywhere.
show ip nhrp, show dmvpn (12.4(9)T or later)
GRE IP protocol number = 47
Configuration
Phase 1 - isakmp policy (HAGLE - 5 elements negotiated with the peer)
-H = Hash (data integrity check)
-A = Authentication (validate the peer at the other side: pre-shared key or certificate)
-G = Diffie-Hellman group (algorithm run between the 2 devices to derive shared secret key material)
-L = Lifetime (how long the IKE SA lives before it has to be renegotiated)
-E = Encryption (confidentiality)
Phase 2 - IPsec transform-set (ESP cipher and HMAC, plus tunnel or transport mode)
crypto isakmp policy 5
hash sha
authentication pre-share
group 5
encryption aes 128
! wildcard PSK: any peer holding the key can authenticate, from any source address
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto ipsec transform-set OURSET esp-aes esp-sha-hmac
! transport mode: no second IP header, GRE already carries the inner packet
mode transport
crypto ipsec profile OUR_IPSec_PROFILE
set transform-set OURSET
The 0.0.0.0 0.0.0.0 address on the ISAKMP key is what lets spokes with dynamic IPs authenticate, but it also means the whole DMVPN shares one secret: any router (or attacker) that knows cisco123 can register as a spoke, and revoking one site means rotating the key everywhere. SHA-1 and DH group 5 are lab-grade choices; in production use SHA-256 and group 14 or higher.
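The usual fix for the shared wildcard key is to authenticate each router with its own certificate, so a compromised or decommissioned spoke is revoked at the CA rather than re-keying every site. The fragment below is an added example, not configuration from the original post: it replaces the pre-shared-key Phase 1 above with rsa-sig authentication and current-strength algorithms. The trustpoint name DMVPN-CA, the CA URL, the key label DMVPN-KEY and the subject name are placeholders to be replaced with your own PKI; the transform-set and profile names are kept from the post.

```cisco
! Added example: per-router certificates instead of one shared wildcard PSK.
! Trustpoint, CA URL, key label and subject name are placeholders (assumed).
!
! 1. per-router RSA key (exec mode)
crypto key generate rsa label DMVPN-KEY modulus 2048
!
! 2. trustpoint for the enterprise CA (SCEP enrollment, CRL checking on)
crypto pki trustpoint DMVPN-CA
 enrollment url http://ca.example.com:80
 subject-name CN=spoke1.example.com,OU=DMVPN
 revocation-check crl
 rsakeypair DMVPN-KEY
!
! 3. fetch the CA certificate, then enroll this router (exec mode)
crypto pki authenticate DMVPN-CA
crypto pki enroll DMVPN-CA
!
! 4. Phase 1: certificates, AES-256, SHA-256, DH group 14, 8h IKE SA lifetime
crypto isakmp policy 5
 encryption aes 256
 hash sha256
 authentication rsa-sig
 group 14
 lifetime 28800
!
! 5. Phase 2 as in the post, with the stronger cipher and HMAC
crypto ipsec transform-set OURSET esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile OUR_IPSec_PROFILE
 set transform-set OURSET
```

With this in place the hub still needs no per-spoke address, because the identity is the certificate, not the source IP; the hub can additionally restrict which certificates it accepts (for example to a given OU) with crypto pki certificate map and match certificate under the trustpoint. Check the result with show crypto pki certificates and show crypto isakmp sa.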
//On HUB
interface Tunnel0
description DMVPN
ip address 172.16.0.1 255.255.255.0
no ip redirects
ip mtu 1400
! Phase 2 setting: hand spokes each other's tunnel address as next hop.
! In Phase 3 (redirect/shortcut below) leave next-hop-self at its default and summarize instead.
no ip next-hop-self eigrp 777
! NHRP auth string travels in cleartext (max 8 chars); it catches misconfigured peers, it is not a security control
ip nhrp authentication cisco123
! learn spoke NBMA addresses from their registrations and replicate multicast to them
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip nhrp shortcut
! redirect on the hub is what triggers spoke-to-spoke tunnels (Phase 3); shortcut belongs on the spokes
ip nhrp redirect
ip tcp adjust-mss 1360
no ip split-horizon eigrp 777
tunnel source FastEthernet0/0
tunnel mode gre multipoint
! must match on every spoke
tunnel key 6783
tunnel protection ipsec profile OUR_IPSec_PROFILE
end
//On Spoke
interface Tunnel0
description DMVPN
ip address 172.16.0.3 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication cisco123
! static mapping of the hub's tunnel address to its public (NBMA) address; 15.0.0.1 is the hub's static IP
ip nhrp map 172.16.0.1 15.0.0.1
! send routing-protocol multicast (EIGRP hellos) to the hub only
ip nhrp map multicast 15.0.0.1
ip nhrp network-id 1
! register with the hub as next-hop server
ip nhrp nhs 172.16.0.1
! act on hub redirects and build direct spoke-to-spoke tunnels (Phase 3)
ip nhrp shortcut
ip tcp adjust-mss 1360
! the spoke's WAN address may be dynamic; the hub learns it from the NHRP registration
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 6783
tunnel protection ipsec profile OUR_IPSec_PROFILE
end
DMVPN IKE Call Admission Control (CAC) - Upper limits & Clipping
CAC protects the hub from IKE exhaustion (an IKE flood, or hundreds of spokes re-registering at once) by refusing new negotiations above a limit instead of running out of CPU and memory:
-In-negotiation limit: max IKE SAs being negotiated at one time
-SA limit: max established IKE SAs
R1#show crypto call admission statistics (look at Max IKE SAs, Max in nego:)
(config)#crypto call admission limit ike sa 2 //set max number of IKE SAs (2 is a lab value; size it above the spoke count plus rekey headroom)
(config)#crypto call admission limit ike in-negotiation-sa 10 //set max IKE SAs in negotiation at once
Comments
I've looked at a couple of places to decipher the lingo involved with VPN, but it's pretty complex. Just based on the meaning of the word, would you say that dynamic IPs are more important than static? They both serve their purpose, of course, but I am trying to separate them with more concrete black and white info. Thanks for the post though. http://www.bugattivpn.com
Thank you. These scripts work well.
Nice post about dynamic VPN.
10webhostingservice.com