OVERVIEW
Figure 1. Network Diagram
PREREQUISITES
• Public IP addresses for the hub routers (10.0.149.221 and 10.0.149.220)
• DMVPN network for tunnel interface on both hubs are 192.168.1.0/24 and 192.168.2.0/24
• Spoke router can use static IP or dynamic IP addresses
• Example uses Enhanced Interior Gateway Routing Protocol (EIGRP) as its dynamic routing protocol
• Example uses pre-shared keys for authentication
• Disabled split tunneling for the spoke router; this allows the Internet traffic to go through the hub only
LIMITATIONS
• Full router security audit: run a Security Device Manager (SDM) security audit in the wizard mode to lock down and secure the router.
• Initial router configuration step: full configuration is shown in the following section.
• This configuration guide uses private addresses only. When using private addresses and connecting to the Internet, an appropriate Network Address Translation (NAT) or Port Address Translation (PAT) configuration is required to provide connectivity over the Internet.
• The ODR provides a default route only to the spoke, the configuration support hub and spoke topology; no split tunneling
PRECAUTIONS
• The spoke router can reach the DMVPN hub directly over the Internet.
• The DMVPN hub is configured and operational.
COMPONENTS
• Cisco IOS Software Release 12.3(11)T3(fc2)
• Cisco 831, 1751, 3725 and 3745 Routers
CONFIGURATION OF THE CISCO 3725 ROUTER
Current configuration:
!
version 12.3
!
hostname c3725-21
!
no aaa new-model
!
ip subnet-zero
ip cef
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode transport
!
crypto ipsec profile SDM_Profile1
set transform-set ESP-3DES-SHA
!
!
!
!
interface Tunnel0
bandwidth 1000
ip address 192.168.1.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication DMVPN_NW
ip nhrp map multicast dynamic
ip nhrp network-id 100000
ip nhrp holdtime 360
ip tcp adjust-mss 1360
no ip split-horizon eigrp 1
delay 1000
cdp enable
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile SDM_Profile1
!
interface FastEthernet0/0
ip address 10.0.149.221 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.20.21 255.255.255.0
duplex auto
speed 100
!
router odr
distribute-list 101 in
!
router eigrp 1
redistribute odr metric 2000 100 255 255 1400
network 192.168.1.0
network 192.168.2.0
network 192.168.20.0
no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.0.149.207
!
!
access-list 101 permit ip any 192.168.0.0 0.0.255.255
!
end
VERIFYING THE CISCO 3725 ROUTER RESULTS
Normal Operation
c3725-21#show ip route
Codes: C-connected, S-static, R-RIP, M-mobile, B-BGP
D-EIGRP, EX-EIGRP external, O-OSPF, IA-OSPF inter area
N1-OSPF NSSA external type 1, N2-OSPF NSSA external type 2
E1-OSPF external type 1, E2-OSPF external type 2
i-IS-IS, su-IS-IS summary, L1-IS-IS level-1, L2-IS-IS level-2
ia-IS-IS inter area, *-candidate default, U-per-user static route
o-ODR, P-periodic downloaded static route
Gateway of last resort is 10.0.149.207 to network 0.0.0.0
o 192.168.27.0/24 [160/1] via 192.168.1.11, 00:00:52, Tunnel0
C 192.168.20.0/24 is directly connected, FastEthernet0/1
10.0.0.0/24 is subnetted, 1 subnets
C 10.0.149.0 is directly connected, FastEthernet0/0
o 192.168.16.0/24 [160/1] via 192.168.1.10, 00:00:21, Tunnel0
C 192.168.1.0/24 is directly connected, Tunnel0
D 192.168.2.0/24 [90/2818560] via 192.168.20.20, 06:03:24, FastEthernet0/1
S* 0.0.0.0/0 [1/0] via 10.0.149.207
c3725-21#show crypto session detail
Crypto session current status
Code: C-IKE Configuration mode, D-Dead Peer Detection
K-Keepalives, N-NAT-traversal, X-IKE Extended Authentication
Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 10.0.150.1 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 10.0.150.1
Desc: (none)
IKE SA: local 10.0.149.221/500 remote 10.0.150.1/500 Active
Capabilities:D connid:10 lifetime:20:55:47
IPSEC FLOW: permit 47 host 10.0.149.221 host 10.0.150.1
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 6829 drop 0 life (KB/Sec) 4503324/3143
Outbound: #pkts enc'ed 65167 drop 1 life (KB/Sec) 4503313/3143
Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 10.0.150.2 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 10.0.150.2
Desc: (none)
IKE SA: local 10.0.149.221/500 remote 10.0.150.2/500 Active
Capabilities:D connid:11 lifetime:20:56:02
IPSEC FLOW: permit 47 host 10.0.149.221 host 10.0.150.2
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 6757 drop 0 life (KB/Sec) 4427309/2860
Outbound: #pkts enc'ed 65162 drop 1 life (KB/Sec) 4427290/2860
c3725-21#show ip protocols
Routing Protocol is "nhrp"
Maximum path: 0
Routing Information Sources:
Gateway Distance Last Update
Distance: (default is 0)
Routing Protocol is "eigrp 1"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Default networks flagged in outgoing updates
Default networks accepted from incoming updates
EIGRP metric weight K1=1, K2=0, K3=1, K4=0, K5=0
EIGRP maximum hopcount 100
EIGRP maximum metric variance 1
Redistributing: eigrp 1, odr
EIGRP NSF-aware route hold timer is 240s
Automatic network summarization is not in effect
Maximum path: 4
Routing for Networks:
192.168.1.0
192.168.20.0
Routing Information Sources:
Gateway Distance Last Update
Gateway Distance Last Update
192.168.20.20 90 3d03h
Distance: internal 90 external 170
Routing Protocol is "odr"
Sending updates every 60 seconds, next due in 37 seconds
Invalid after 180 seconds, hold down 0, flushed after 240
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is 101
Maximum path: 4
Routing Information Sources:
Gateway Distance Last Update
192.168.1.11 160 00:00:27
192.168.1.10 160 00:00:41
Distance: (default is 160)
c3725-21#show interface tunnel 0
Tunnel0 is up, line protocol is up
Hardware is Tunnel
Internet address is 192.168.1.1/24
MTU 1514 bytes, BW 1000 Kbit, DLY 10000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 10.0.149.221 (FastEthernet0/0), destination UNKNOWN
Tunnel protocol/transport multi-GRE/IP
Key 0x186A0, sequencing disabled
Checksumming of packets disabled
Fast tunneling enabled
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Tunnel protection via IPSec (profile "SDM_Profile1")
Last input 00:00:12, output 00:00:04, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queuing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 1000 bits/sec, 0 packets/sec
24158 packets input, 5290429 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
217102 packets output, 55341094 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 output buffer failures, 0 output buffers swapped out
c3725-21#sh cdp nei
Capability Codes: R-Router, T-Trans Bridge, B-Source Route Bridge
S-Switch, H-Host, I-IGMP, r-Repeater
Device ID Local Intrfce Holdtme Capability Platform Port ID
c2950-xl Fas 0/1 160 S I WS-C2950G-Fas 0/37
c1751-16.cisco.com
Tunnel0 132 R S 1751-V Tunnel0
c831-27 Tunnel0 146 R C831 Tunnel0
c2924.cisco.com Fas 0/0 123 T S WS-C2924-XFas 0/19
CONFIGURATION OF THE CISCO 1751 SPOKE ROUTER
Current configuration :
!
version 12.3
!
hostname c1751-16
!
no aaa new-model
ip subnet-zero
!
ip cef
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode transport
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
mode transport
!
crypto ipsec profile SDM_Profile1
set transform-set ESP-3DES-SHA1
!
crypto ipsec profile SDM_Profile2
set transform-set ESP-3DES-SHA
!
!
!
!
!
interface Tunnel0
bandwidth 1000
ip address 192.168.1.10 255.255.255.0
ip mtu 1400
ip nhrp authentication DMVPN_NW
ip nhrp map 192.168.1.1 10.0.149.221
ip nhrp network-id 100000
ip nhrp holdtime 360
ip nhrp nhs 192.168.1.1
ip nhrp server-only
ip tcp adjust-mss 1360
delay 1000
cdp enable
tunnel source FastEthernet0/0
tunnel destination 10.0.149.221
tunnel key 100000
tunnel protection ipsec profile SDM_Profile1
!
interface Tunnel1
bandwidth 1000
ip address 192.168.2.10 255.255.255.0
ip mtu 1400
ip nhrp authentication DMPVN_BU
ip nhrp map 192.168.2.1 10.0.149.220
ip nhrp network-id 100001
ip nhrp holdtime 360
ip nhrp nhs 192.168.2.1
ip nhrp server-only
ip tcp adjust-mss 1360
delay 1000
cdp enable
tunnel source FastEthernet0/0
tunnel destination 10.0.149.220
tunnel key 100001
tunnel protection ipsec profile SDM_Profile2
!
interface Ethernet0/0
ip address 192.168.16.1 255.255.255.0
half-duplex
!
interface FastEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$
ip address dhcp
speed 100
full-duplex
!
ip classless
ip route 10.0.149.0 255.255.255.0 dhcp
!
end
Verifying the Cisco 1751 Spoke Router Results
c1751-16#show ip route
Codes: C-connected, S-static, R-RIP, M-mobile, B-BGP
D-EIGRP, EX-EIGRP external, O-OSPF, IA-OSPF inter area
N1-OSPF NSSA external type 1, N2-OSPF NSSA external type 2
E1-OSPF external type 1, E2-OSPF external type 2
i-IS-IS, su-IS-IS summary, L1-IS-IS level-1, L2-IS-IS level-2
ia-IS-IS inter area, *-candidate default, U-per-user static route
o-ODR, P-periodic downloaded static route
Gateway of last resort is 192.168.2.1 to network 0.0.0.0
10.0.0.0/24 is subnetted, 2 subnets
C 10.0.150.0 is directly connected, FastEthernet0/0
S 10.0.149.0 [1/0] via 10.0.150.207
C 192.168.16.0/24 is directly connected, Ethernet0/0
C 192.168.1.0/24 is directly connected, Tunnel0
C 192.168.2.0/24 is directly connected, Tunnel1
o* 0.0.0.0/0 [160/1] via 192.168.2.1, 00:00:25, Tunnel1
[160/1] via 192.168.1.1, 00:00:56, Tunnel0
c1751-16#show crypto session detail
Crypto session current status
Code: C-IKE Configuration mode, D-Dead Peer Detection
K-Keepalives, N-NAT-traversal, X-IKE Extended Authentication
Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 10.0.149.221 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 10.0.149.221
Desc: (none)
IKE SA: local 10.0.150.1/500 remote 10.0.149.221/500 Active
Capabilities:D connid:268435501 lifetime:20:51:40
IPSEC FLOW: permit 47 host 10.0.150.1 host 10.0.149.221
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 7179 drop 0 life (KB/Sec) 4607231/2896
Outbound: #pkts enc'ed 65223 drop 1 life (KB/Sec) 4607249/2896
Interface: Tunnel1
Session status: UP-ACTIVE
Peer: 10.0.149.220 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 10.0.149.220
Desc: (none)
IKE SA: local 10.0.150.1/500 remote 10.0.149.220/500 Active
Capabilities:D connid:268435500 lifetime:17:04:05
IPSEC FLOW: permit 47 host 10.0.150.1 host 10.0.149.220
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 6767 drop 0 life (KB/Sec) 4541812/2908
Outbound: #pkts enc'ed 65226 drop 4 life (KB/Sec) 4541830/2908
c1751-16#show ip protocols
Routing Protocol is "nhrp"
Maximum path: 0
Routing Information Sources:
Gateway Distance Last Update
Distance: (default is 0)
c1751-16#show cdp neighbor
Capability Codes: R-Router, T-Trans Bridge, B-Source Route Bridge
S-Switch, H-Host, I-IGMP, r-Repeater
Device ID Local Intrfce Holdtme Capability Platform Port ID
c2950-xl Eth 0/0 165 S I WS-C2950G-Fas 0/6
c2950-xl Fas 0/0 165 S I WS-C2950G-Fas 0/9
c3725-21.cisco.com
Tunnel0 152 R S I 3725 Tunnel0
c3745-20.cisco.com
Tunnel1 124 R S I 3745 Tunnel0
c1751-16#
Verifying the network connectivity during a failure:
The following results shows the status on the Cisco 1751 router when the path to the first hub
fails.
c1751-16#sh ip route
Codes: C-connected, S-static, R-RIP, M-mobile, B-BGP
D-EIGRP, EX-EIGRP external, O-OSPF, IA-OSPF inter area
N1-OSPF NSSA external type 1, N2-OSPF NSSA external type 2
E1-OSPF external type 1, E2-OSPF external type 2
i-IS-IS, su-IS-IS summary, L1-IS-IS level-1, L2-IS-IS level-2
ia-IS-IS inter area, *-candidate default, U-per-user static route
o-ODR, P-periodic downloaded static route
Gateway of last resort is 192.168.2.1 to network 0.0.0.0
10.0.0.0/24 is subnetted, 2 subnets
C 10.0.150.0 is directly connected, FastEthernet0/0
S 10.0.149.0 [1/0] via 10.0.150.207
C 192.168.16.0/24 is directly connected, Ethernet0/0
C 192.168.1.0/24 is directly connected, Tunnel0
C 192.168.2.0/24 is directly connected, Tunnel1
o* 0.0.0.0/0 [160/1] via 192.168.2.1, 00:00:25, Tunnel1\
CONFIGURATION OF THE OTHER ROUTERS
Cisco 3745 Router Configuration
Current configuration :
!
version 12.3
!
hostname c3745-20
!
no aaa new-model
!
resource manager
!
ip subnet-zero
ip cef
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode transport
!
crypto ipsec profile SDM_Profile1
set transform-set ESP-3DES-SHA
!
!
!
!
interface Tunnel0
bandwidth 1000
ip address 192.168.2.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication DMPVN_BU
ip nhrp map multicast dynamic
ip nhrp network-id 100001
ip nhrp holdtime 360
ip tcp adjust-mss 1360
no ip split-horizon eigrp 1
delay 1000
cdp enable
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 100001
tunnel protection ipsec profile SDM_Profile1 shared
!
interface FastEthernet0/0
description $FW_INSIDE$
ip address 10.0.149.220 255.255.255.0
speed 100
full-duplex
!
interface FastEthernet0/1
description $FW_INSIDE$
ip address 192.168.20.20 255.255.255.0
speed 100
full-duplex
!
router odr
distribute-list 101 in
!
router eigrp 1
redistribute odr
network 192.168.2.0
network 192.168.20.0
no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.0.149.207
!
access-list 101 permit ip any 192.168.0.0 0.0.255.255
!
end
CISCO 831 ROUTER CONFIGURATION
Current configuration :
!
version 12.3
!
hostname c831-27
!
no aaa new-model
ip subnet-zero
!
ip cef
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode transport
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
mode transport
!
crypto ipsec profile SDM_Profile1
set transform-set ESP-3DES-SHA1
!
crypto ipsec profile SDM_Profile2
set transform-set ESP-3DES-SHA
!
!
interface Tunnel0
bandwidth 1000
ip address 192.168.1.11 255.255.255.0
ip mtu 1400
ip nhrp authentication DMVPN_NW
ip nhrp map 192.168.1.1 10.0.149.221
ip nhrp network-id 100000
ip nhrp holdtime 360
ip nhrp nhs 192.168.1.1
ip nhrp server-only
ip tcp adjust-mss 1360
delay 1000
cdp enable
tunnel source Ethernet1
tunnel destination 10.0.149.221
tunnel key 100000
tunnel protection ipsec profile SDM_Profile1
!
interface Tunnel1
bandwidth 1000
ip address 192.168.2.11 255.255.255.0
ip mtu 1400
ip nhrp authentication DMPVN_BU
ip nhrp map 192.168.2.1 10.0.149.220
ip nhrp network-id 100001 ip nhrp holdtime 360
ip nhrp nhs 192.168.2.1
ip nhrp server-only
ip tcp adjust-mss 1360
delay 1000
cdp enable
tunnel source Ethernet1
tunnel destination 10.0.149.220
tunnel key 100001
tunnel protection ipsec profile SDM_Profile2
!
interface Ethernet0
ip address 192.168.27.1 255.255.255.0
!
interface Ethernet1
ip address dhcp
duplex auto
!
ip classless
ip route 10.0.149.0 255.255.255.0 dhcp
!
end
RELATED INFORMATION
• An Introduction to IPsec Encryption
• Configuring On-Demand Routing, Release 12.2 Configuration Guide
• Designing Large-Scale Stub Networks with ODR, Document ID: 13710
• Configuring IPsec Network Security
• Configuring Internet Key Exchange Security ProtocolTechnical Support-Cisco Systems
• Technical Support-Cisco Systems