1. Topology
a. The rack is from IOU v5. This lab uses seven routers to complete the whole DMVPN configuration and test.
b. Network topology. It was drawn with the Gliffy website mentioned in the previous post, "cool networking website and tools collection".
2. Configuration Before IPSec Enabled
R6:
interface Serial2/2
ip address 172.17.6.100 255.255.255.0
ip route 0.0.0.0 0.0.0.0 172.17.6.1
R1: HUB
interface Tunnel0
ip address 10.1.1.1 255.255.255.0
no ip redirects
ip mtu 1416
ip hold-time eigrp 1 35
no ip next-hop-self eigrp 1
ip nhrp map multicast dynamic
ip nhrp network-id 1
no ip split-horizon eigrp 1
tunnel source 192.168.1.100
tunnel mode gre multipoint
!
interface Ethernet0/1
ip address 192.168.1.100 255.255.255.0
!
interface Serial2/2
ip address 172.17.6.1 255.255.255.0
!
router eigrp 1
network 10.0.0.0
network 172.17.0.0
network 192.168.0.0
no auto-summary
!
ip route 192.168.0.0 255.255.0.0 192.168.1.1
R2: Cloud
interface Ethernet0/0
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/1
ip address 192.168.1.1 255.255.255.0
!
interface Serial2/2
ip address 192.168.3.1 255.255.255.0
R3: Spoke
interface Tunnel0
ip address 10.1.1.2 255.255.255.0
no ip redirects
ip mtu 1416
ip hold-time eigrp 1 35
no ip next-hop-self eigrp 1
ip nhrp map 10.1.1.1 192.168.1.100
ip nhrp map multicast 192.168.1.100
ip nhrp network-id 1
ip nhrp nhs 10.1.1.1
no ip split-horizon eigrp 1
tunnel source 192.168.2.100
tunnel mode gre multipoint
!
interface Ethernet0/0
ip address 192.168.2.100 255.255.255.0
!
interface Ethernet0/1
ip address 172.17.2.1 255.255.255.0
router eigrp 1
network 10.0.0.0
network 172.17.0.0
network 192.168.0.0
no auto-summary
!
ip route 192.168.1.0 255.255.255.0 192.168.2.1
R4:
interface Ethernet0/1
ip address 172.17.2.100 255.255.255.0
ip route 0.0.0.0 0.0.0.0 172.17.2.1
R7: Spoke
interface Tunnel0
ip address 10.1.1.3 255.255.255.0
no ip redirects
ip mtu 1416
ip hold-time eigrp 1 35
no ip next-hop-self eigrp 1
ip nhrp map 10.1.1.1 192.168.1.100
ip nhrp map multicast 192.168.1.100
ip nhrp network-id 1
ip nhrp nhs 10.1.1.1
no ip split-horizon eigrp 1
tunnel source 192.168.3.100
tunnel mode gre multipoint
!
interface Ethernet1/1
ip address 172.17.3.1 255.255.255.0
interface Serial2/2
ip address 192.168.3.100 255.255.255.0
!
router eigrp 1
network 10.0.0.0
network 172.17.0.0
network 192.168.0.0
no auto-summary
!
ip route 192.168.1.0 255.255.255.0 192.168.3.1
!
R10:
interface Ethernet1/1
ip address 172.17.3.100 255.255.255.0
ip route 0.0.0.0 0.0.0.0 172.17.3.1
3. Configuration to enable IPSec
On R1, R3 and R7, add the following IPSec configuration to the routers.
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto ipsec transform-set MINE esp-3des
crypto ipsec profile DMVPN
set transform-set MINE
interface tunnel0
tunnel protection ipsec profile DMVPN
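An added example, not part of the original post: a Python check that reads IOS configuration text and flags the settings in section 3 that a reviewer would question before reusing this lab configuration elsewhere (one pre-shared key for any peer address, 3DES, no ESP integrity transform, no explicit ISAKMP encryption). The function name `audit` and the finding labels are made up for this example.

```python
import re

# Section 3's commands from the page (lab values), transform-set written out in full.
PAGE_CONFIG = """\
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto ipsec transform-set MINE esp-3des
crypto ipsec profile DMVPN
set transform-set MINE
interface tunnel0
tunnel protection ipsec profile DMVPN
"""

WEAK = {"des", "3des", "esp-des", "esp-3des", "esp-null"}
POLICY_SUBCMDS = ("encr", "hash", "authentication", "group", "lifetime")


def audit(config):
    """Return (finding, detail) pairs for weak ISAKMP/IPsec settings."""
    findings, policies, current = [], {}, None
    for line in (l.strip() for l in config.splitlines()):
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            current = policies.setdefault(m.group(1), [])
        elif current is not None and line.startswith(POLICY_SUBCMDS):
            current.append(line.split())      # sub-command of the open policy
        else:
            current = None                    # any other command closes the policy
            if re.match(r"crypto isakmp key .+ address 0\.0\.0\.0( 0\.0\.0\.0)?$", line):
                findings.append(("wildcard-psk", "one key accepted from any peer address"))
            m = re.match(r"crypto ipsec transform(?:-set)? (\S+) (.+)$", line)
            if m:
                name, tokens = m.group(1), m.group(2).split()
                findings += [("weak-esp-cipher", f"{name}: {t}") for t in tokens if t in WEAK]
                # ESP encryption alone gives no integrity; look for an HMAC or GCM transform.
                if not any(t.endswith("-hmac") or "gcm" in t for t in tokens):
                    findings.append(("no-esp-integrity", f"{name}: no HMAC transform"))
    for num, cmds in policies.items():
        enc = [c[1] for c in cmds if c[0].startswith("encr") and len(c) > 1]
        if not enc:
            # With no encryption command the platform default applies (DES on classic IOS).
            findings.append(("isakmp-default-encryption", f"policy {num}: no encryption command"))
        elif enc[0] in WEAK:
            findings.append(("isakmp-weak-encryption", f"policy {num}: {enc[0]}"))
    return findings
```

Calling `audit(PAGE_CONFIG)` reports all four findings for the section 3 configuration; the same function can be run over a saved `show running-config` from R1, R3 or R7.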
Reference:
- Cisco Support Community – DMVPN Configuration
- CONFIGURING CISCO DYNAMIC MULTIPOINT VPN (DMVPN) – HUB, SPOKES , MGRE PROTECTION AND ROUTING – DMVPN CONFIGURATION
- DMVPN Configuration
Dear learner,
If you don’t know anything about DMVPN, check out these links: DMVPN Configuration
Thx, I put your post as a reference.