Rack1DMVPN#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Rack1DMVPN(config)# crypto isakmp policy 10
Rack1DMVPN(config-isakmp)# authentication pre-share
Rack1DMVPN(config-isakmp)#exit
! Now we can add the dynamic pre-shared key (Labbing) for all the remote VPN routers. In this lab network they are all on the 150.1.0.0/16 network. In production you can make this 0.0.0.0 0.0.0.0
Rack1DMVPN(config)#crypto isakmp key Labbing address 150.1.0.0 255.255.0.0
! Now we create a Phase 2 policy for the data encryption
Rack1DMVPN(config)#crypto ipsec transform-set Labbing esp-aes esp-sha-hmac
! And finally create the IPSec profile to be applied to the GRE over IPSEC tunnels.
Rack1DMVPN(config)#crypto ipsec profile Labbing
Rack1DMVPN(ipsec-profile)# set transform-set Labbing
! And now we can create the Tunnel interface on the DMVPN Hub, we will use a 192.168.11.x/24 network for all the Tunnel interfaces.
! Notice, they are all on the same subnet, not /31 or /30, but a /24 network.
Rack1DMVPN(config)# interface Tunnel0
Rack1DMVPN(config-if)# ip address 192.168.11.1 255.255.255.0
Rack1DMVPN(config-if)# no ip redirects
! You should bump the MTU down a bit as this is a tunnel. Depending on your upstream routers and such, your values might be different.
Rack1DMVPN(config-if)# ip mtu 1400
! Now we start to configure the NHRP portion of DMVPN. First a Network-id that is unique to this DMVPN configuration as well as the timers.
Rack1DMVPN(config-if)# ip nhrp network-id 1
Rack1DMVPN(config-if)# ip nhrp holdtime 600
! Now just like any tunnel we need to tell it the source, here I am using G0/1.
Rack1DMVPN(config-if)# tunnel source GigabitEthernet0/1
! Now we tell it the tunnel mode type, gre multipoint
Rack1DMVPN(config-if)# tunnel mode gre multipoint
! And now apply the IPSec configuration to the interface to encrypt traffic.
Rack1DMVPN(config-if)# tunnel protection ipsec profile Labbing
Now, let's configure the hubs. I will do a full configuration on R4 with explanation and then just note the differences when it comes to R5 and R5. You will see many commands that are the same as the hub (crypto, GRE, etc.), but I will display them with explanation anyway.
Rack1R4#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Rack1R4(config)# crypto isakmp policy 10
Rack1R4(config-isakmp)# authentication pre-share
Rack1R4(config-isakmp)#exit
! Now we can add the dynamic pre-shared key (Labbing) for all the remote VPN routers. In this lab network they are all on the 150.1.0.0/16 network. In production you can make this 0.0.0.0 0.0.0.0
Rack1R4(config)#crypto isakmp key Labbing address 150.1.0.0 255.255.0.0
! Now we create a Phase 2 policy for the data encryption
Rack1R4(config)#crypto ipsec transform-set Labbing esp-aes esp-sha-hmac
! And finally create the IPSec profile to be applied to the GRE over IPSEC tunnels.
Rack1R4(config)#crypto ipsec profile Labbing
Rack1R4(ipsec-profile)# set transform-set Labbing
! And now we can create the Tunnel interface on the DMVPN Hub, we will use a 192.168.11.x/24 network for all the Tunnel interfaces.
Rack1R4(config)# interface Tunnel0
Rack1R4(config-if)# ip address 192.168.11.4 255.255.255.0
Rack1R4(config-if)# no ip redirects
! You should bump the MTU down a bit as this is a tunnel. Depending on your upstream routers and such, your values might be different.
Rack1R4(config-if)# ip mtu 1400
! Now we start to configure the NHRP portion of DMVPN. First things we tell the router is the NHRP of the hub (tunnel IP and outside IP), then a Network-id that is unique to this DMVPN configuration, the NHS Resolver (192.168.11.1) as well as the timers.
Rack1R4(config-if)# ip nhrp map 192.168.11.1 150.1.254.254
Rack1R4(config-if)# ip nhrp network-id 1
Rack1R4(config-if)# ip nhrp nhs 192.168.11.1
Rack1R4(config-if)# ip nhrp holdtime 600
! Now just like any tunnel we need to tell it the source, here I am using G0/1. This is a great idea if you have a dynamic outside IP address, only the HUB needs a static IP.
Rack1R4(config-if)# tunnel source GigabitEthernet0/1
! Now we tell it the tunnel mode type, gre multipoint
Rack1R4(config-if)# tunnel mode gre multipoint
! And now apply the IPSec configuration to the interface to encrypt traffic.
Rack1R4(config-if)# tunnel protection ipsec profile Labbing
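
Added example, not part of the original post: a small Python audit of the settings configured above, reporting how many source addresses each pre-shared key line accepts, whether the ISAKMP policy leaves its algorithms unset, and whether the NHRP tunnel carries an authentication string. The check names are made up for this sketch; it assumes running-config spelling (`encr`) and uses the IOS command `ip nhrp authentication`, which the post itself does not configure.

```python
import ipaddress
import re

# Constructed input: hub commands from this page plus the 0.0.0.0 0.0.0.0 key line it mentions.
SAMPLE = """\
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key Labbing address 150.1.0.0 255.255.0.0
crypto isakmp key Labbing address 0.0.0.0 0.0.0.0
interface Tunnel0
 ip nhrp network-id 1
 tunnel mode gre multipoint
 tunnel protection ipsec profile Labbing
"""

def sections(config):
    """Group indented sub-commands under their top-level parent line."""
    out = []
    for line in config.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        if line[0].isspace() and out:
            out[-1][1].append(line.strip())
        else:
            out.append((line.strip(), []))
    return out

def audit(config):
    findings = []  # list of (check, detail) tuples, in config order
    for parent, kids in sections(config):
        key = re.match(r"crypto isakmp key .+ address (\S+)(?: (\S+))?$", parent)
        if key:
            # A key line without a mask is a single host (/32).
            mask = ipaddress.IPv4Address(key[2] or "255.255.255.255")
            bits = bin(int(mask)).count("1")
            net = ipaddress.ip_network(f"{key[1]}/{bits}", strict=False)
            if bits < 32:
                check = "wildcard-psk" if bits == 0 else "shared-psk"
                findings.append((check, f"{net}: one key accepted from {net.num_addresses} addresses"))
        elif parent.startswith("crypto isakmp policy"):
            unset = [k for k in ("encr", "hash", "group") if not any(c.startswith(k) for c in kids)]
            if unset:
                findings.append(("policy-defaults", f"{parent}: {'/'.join(unset)} not set explicitly"))
        elif parent.startswith("interface Tunnel") and any(c.startswith("ip nhrp network-id") for c in kids):
            if not any(c.startswith("ip nhrp authentication") for c in kids):
                findings.append(("nhrp-no-auth", f"{parent}: no 'ip nhrp authentication'"))
    return findings

if __name__ == "__main__":
    for check, detail in audit(SAMPLE):
        print(f"{check:16} {detail}")
```

The /16 key line is reported as one secret shared across 65536 possible peer addresses, and the 0.0.0.0 0.0.0.0 form as accepted from any address, which is the trade-off to weigh before using the wildcard key in production.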