This document provides a sample configuration for configuring a Dynamic Multipoint VPN (DMVPN) spoke router into a full mesh DMVPN. DMVPN allows users to scale large and small IPsec VPNs more effectively by combining generic routing encapsulation (GRE) tunnels, IPsec encryption, and Next Hop Resolution Protocol (NHRP). Security Device Manager (SDM) is an embedded security configuration management tool used to configure Cisco IOS® Software routers with a variety of security features. This sample configuration relies on SDM version 1.2, which supports hub and spoke DMVPN configurations, and shows how to configure dynamic spoke-to-spoke tunnels.
Figure 1. Network Diagram
FULL MESH DMVPN BENEFITS
Automatic IPsec Encryption Initiation
With GRE, the peer source and destination addresses are either configured statically or resolved with NHRP. This feature therefore allows IPsec to be triggered immediately for point-to-point GRE tunneling, or as soon as the GRE peer address is resolved via NHRP for a multipoint GRE tunnel.
Support for Dynamically Addressed Spoke Routers
When using point-to-point GRE and IPsec hub-and-spoke VPN networks, the physical interface IP address of each spoke router must be known in order to configure the hub router, because that IP address must be configured as the GRE tunnel destination address. This feature allows spoke routers to have dynamic physical interface IP addresses (common for cable and DSL connections). When the spoke router comes online, it sends registration packets to the hub router. The current physical interface IP address of the spoke is carried in these registration packets.
Dynamic Tunnel Creation for Spoke-to-Spoke Tunnels
This feature eliminates the need for spoke-to-spoke configuration to enable direct tunnels. When a spoke router wants to transmit a packet to another spoke router, it can now use NHRP to dynamically determine the required destination address of the target spoke router. (The hub router acts as the NHRP server, handling the request from the source spoke router.) The two spoke routers then dynamically create an IPsec tunnel between them, so the data can be transferred directly.
This configuration utilizes SDM version 1.2. The wizard in SDM version 1.2 supports only the hub and spoke DMVPN configuration. This configuration guide first configures the spoke in hub and spoke mode only, and then modifies the spoke configuration in the advanced mode to enable the full mesh DMVPN configuration on the spoke.
Although the spoke can be configured directly from the advanced mode, configuring the spoke in the wizard mode ensures the creation of the required policies and performs additional configuration checks.
PREREQUISITES
The sample configuration is based on the following assumptions:
• Public IP address of the hub; this configuration uses 10.0.38.219.
• IP address of the IPsec tunnel on the hub; this configuration uses 192.168.1.219.
• IP address of the IPsec tunnel on the local spoke; this configuration uses 192.168.1.220.
• Physical IP address assignment and any required DHCP pool for local users.
• The routing protocol used with the hub router; this configuration uses Enhanced Interior Gateway Routing Protocol (EIGRP).
• An assigned pre-shared key that will be used on all the dynamic spokes.
LIMITATIONS
This guide configures the spoke router for DMVPN only. It does not cover the following:
• A full security audit of the router. It is recommended to run Security Audit in the wizard mode to lock down and secure the router.
• The initial router configuration, which is not shown under the steps section. The full configuration is shown in a following section.
• The hub router configuration. The hub router must propagate a default route to the remote spokes with the IP routing protocol for accessing the internet. It also must handle all the firewall and network address translation requirements.
BEFORE THE BEGINNING OF CONFIGURATIONS
Before beginning the configuration, make sure of the following:
• The spoke router can reach the DMVPN hub, and the DMVPN hub is configured and operational.
• SDM is loaded in the router's flash memory, and the HTTP configuration is enabled on the router. For additional information on configuring and using SDM, please refer to: http://www.cisco.com/go/sdm.
COMPONENTS USED
The sample configuration uses the following Cisco IOS Software releases and hardware:
• Cisco Router and Security Device Manager (SDM) Version 1.2
The network for the sample configuration is illustrated in Figure 1.
The information presented in this document was obtained from the devices in a specific lab environment. All of the devices started with a cleared (default) configuration. In a live network it is imperative to understand the potential impact of any command before implementing it.
CONFIGURING THE SPOKE ROUTER WITH SDM
Follow the steps in this section to configure the Spoke router with SDM.
Step 1: SDM Window
From the SDM on the spoke router, make the following selections in this order:
1. Wizard Mode
2. VPN icon
3. DMVPN
4. Create a spoke (client) in a DMVPN option
5. Launch the Selected Task button to launch the DMVPN Wizard
The selections in Step 1 are outlined in the following diagram:
Note: The VPN wizard in SDM version 1.2 supports only one IPsec VPN configuration on the router. SDM will attempt to detect any existing VPN configuration. The advanced mode can be used to edit or delete the existing VPN configuration.
Step 3: Configure a DMVPN Spoke Window
Review the provided information and select Next.
Step 4: DMVPN Network Topology
Select the Hub and Spoke option and then Next. (Note: this is the only option in SDM version 1.2.)
Step 5: Specify Hub Information
Enter the public IP address of the hub and the IP address of the hub mGRE tunnel interface, as shown in the following diagram, and then select Next.
Step 6: GRE Tunnel Interface Configuration
Select the interface that connects to the internet, enter the assigned IP address and mask of the tunnel interface, and select the Advanced button in the Advanced settings section.
Step 7: Advanced Configuration for the Tunnel Interface
Review the default Advanced settings of the DMVPN configuration to verify that they match the configuration required by the hub router. Select the OK button to return to the GRE Tunnel Interface Configuration, then select Next to proceed with the wizard.
Note: The previous diagram shows the default settings of SDM. Use the default configuration if it matches the DMVPN hub router.
Step 8: Configure Pre-Shared Key
Enter and confirm the pre-shared key with the DMVPN hub, then select the Next button.
Note: If the pre-shared key with the hub is already configured, a new pre-shared key cannot be entered in this step.
Step 9: Key Exchange Policy
Review the Key Exchange Policy to ensure that it matches the DMVPN hub configuration and select Next. SDM provides the following policies by default:
Step 10: IPsec Transform Set
Review the IPsec Transform Set to ensure that it matches the DMVPN hub configuration and select Next. SDM provides the following policy by default:
• IPsec Transform Set: ESP with 3DES encryption, ESP with SHA integrity check.
Step 11: Select Routing Protocol
Review and select the IP routing protocol. This configuration uses EIGRP. Select Next.
Step 12: Routing Information
Select an existing routing process or create a new one. This step enables the routing protocol for the selected interfaces and advertises the private network with the selected routing protocol. In this case the subnet 172.16.20.0/24 is connected to the local private interface. The 192.168.1.0/24 is the DMVPN tunnel interface.
Note: Adding the tunnel interface subnet to the advertised private networks is optional, as SDM automatically adds this subnet to the routing protocol. Also, the wildcard mask for this subnet may not show in the previous window.
Step 13: Summary of the Configuration
Review the final configuration and select the Finish button to start the delivery process. The following is the configuration created by SDM:
Note: By this step, the configuration wizard has created the setup of this spoke in the DMVPN network. This spoke will have access to all the other spokes and the rest of the network. However, all communication from this spoke passes through the hub.
Step 14: Deliver Configuration to the Router
Select the Deliver button to send the configuration to the router. When completed, select OK.
Note: When the configuration is delivered to the router, it is not saved to the startup configuration unless that option was specified during the configuration delivery process.
Step 15: SDM Window
This step begins to modify the router configuration to enable direct spoke-to-spoke tunnel setup. Make the following selections in this order:
1. Advanced Mode
2. VPN
3. Root VPN item
4. Dynamic Multipoint VPN
5. Tunnel Interface
6. Edit
This sequence of selection will open the DMVPN Tunnel Configuration dialog box.
Step 16: DMVPN Tunnel Configuration-General Tab
Select "This is a multipoint GRE Tunnel" under the General Tab and then select the NHRP tab.
Step 17: DMVPN Tunnel Configuration-NHRP Tab
Under the NHRP tab, select the Add button under the NHRP MAP section. This will open up the following NHRP Map Configuration dialog box.
Step 18: NHRP Map Configuration
Select "Configure NBMA addresses", which are used as destinations for broadcast or multicast packets, then select "IP Address of NBMA address directly reachable" and enter the public address of the hub router. The following diagram shows the current selections. Finally, select the OK button.
Step 19: DMVPN Tunnel Configuration
The following shows the NHRP tab after enabling the NHRP dynamic spokes. Select "OK" to return to the Advanced Mode.
Step 20: SDM Window
This step configures a pre-shared key for the dynamic spokes. Make the following selections in this order:
1. Advanced Mode
2. VPN
3. IKE: Pre-shared Key
4. Add.
This sequence of selection will open the "Add new Pre-Shared Key" Configuration dialog box. Enter the information and select OK.
Step 21: Select Deliver as shown in (*) to update the router configuration, and then select Deliver again in the pop-up window.
The following are the modifications generated by Steps 15 through 21:
Note: When the configuration is delivered to the router, it is not saved to the startup configuration unless that option was specified during the configuration delivery process.
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
exec-timeout 0 0
password 7 095F4A04
login
transport preferred all
transport input all
transport output all
!
end
c831-20#
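As an added example (not the configuration SDM generated on the lab router, which the excerpt above shows only the tail of), the following is the CLI equivalent of what Steps 15 through 21 change on the spoke: the tunnel becomes multipoint GRE, the hub's public address is mapped as the NHRP server and multicast destination, and a wildcard pre-shared key is added so that any dynamic spoke can authenticate. The addresses are those from the Prerequisites; the WAN interface name (Ethernet1), NHRP authentication string, network-id, tunnel key, IPsec profile name, EIGRP autonomous system number and the key value are assumptions and must match the hub.

```cisco
! Added example: CLI equivalent of Steps 15-21 on the spoke (assumed, not SDM output).
! Assumed values: Ethernet1 (WAN), NHRP auth DMVPN_NW, network-id 100, tunnel key 100,
! IPsec profile SDM_Profile1, EIGRP AS 1, and CHANGE_ME_PSK as a placeholder key.
!
! Step 20: wildcard pre-shared key so the dynamically addressed spokes can
! authenticate to this spoke when an NHRP-resolved spoke-to-spoke tunnel is built.
crypto isakmp key CHANGE_ME_PSK address 0.0.0.0 0.0.0.0
!
interface Tunnel0
 description DMVPN spoke tunnel (spoke 192.168.1.220, hub 192.168.1.219)
 ip address 192.168.1.220 255.255.255.0
 no ip redirects
 ! NHRP: register with the hub as next-hop server at its public (NBMA) address
 ip nhrp authentication DMVPN_NW
 ip nhrp map 192.168.1.219 10.0.38.219
 ! Step 18: hub NBMA address used as destination for broadcast/multicast (EIGRP hellos)
 ip nhrp map multicast 10.0.38.219
 ip nhrp network-id 100
 ip nhrp nhs 192.168.1.219
 ! Steps 16 and 19: multipoint GRE so direct spoke-to-spoke tunnels can form on NHRP resolution
 tunnel source Ethernet1
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile SDM_Profile1
!
! Step 12: advertise the local private subnet and the tunnel subnet
router eigrp 1
 network 172.16.20.0 0.0.0.255
 network 192.168.1.0
 no auto-summary
```

For spoke-to-spoke traffic to bypass the hub, the hub's tunnel interface must also have EIGRP split horizon and next-hop-self disabled so that spokes learn each other's tunnel addresses as next hops; that is hub-side configuration, which this guide does not cover.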
VERIFYING THE RESULTS
This section provides information that can be used to confirm that the configuration is working properly.
Use the "show crypto session detail" command to verify that the IPsec tunnel is established with the hub router. After installing the configuration, only the IPsec session to the hub should become active.
c831-20#show crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication
Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 10.0.38.219/500 fvrf: (none) ivrf: (none)
Phase1_id: 10.0.38.219
Desc: (none)
IKE SA: local 10.0.38.220/500 remote 10.0.38.219/500 Active