DMVPN - Dynamic Multipoint VPN

Tunnel

Components of DMVPN

  • mGRE Tunnel interfaces
  • Static or Dynamic IPs for spokes
  • Any IGP Routing Protocol can be used
  • NHRP for spoke discovery
  • IPsec profile

The hub needs a fixed (static) IP address; spokes register with the hub to build their tunnels.

Spokes send NHRP requests to the hub (the NHS); once a spoke has resolved another spoke's address through NHRP, the two can build a tunnel directly with one another and avoid routing traffic through the hub.

Hub configuration

int tunnel 0
  tunnel source gi1/0
  tunnel mode gre multipoint
  tunnel key 1234
  ip nhrp network-id 1
  ip nhrp authentication Password1
  ip nhrp map multicast dynamic
  ip nhrp shortcut
  ip nhrp redirect
  ip address 172.16.0.1 255.255.255.0
  ip mtu 1400
  ip tcp adjust-mss 1360
  no ip next-hop-self eigrp 1
  no ip split-horizon eigrp 1

router eigrp 1
  no auto-summary
  network 10.0.0.0
  network 172.16.0.0

Spoke configuration

int tunnel 0
  tunnel source gi1/0
  tunnel mode gre multipoint
  tunnel key 1234
  ip nhrp network-id 1
  ip nhrp authentication Password1
  ip nhrp shortcut
  ip nhrp nhs 172.16.0.1
  ip nhrp map 172.16.0.1 15.0.0.1
  ip nhrp map multicast 15.0.0.1
  ip address 172.16.0.2 255.255.255.0
  ip mtu 1400
  ip tcp adjust-mss 1360

router eigrp 1
  no auto-summary
  network 10.0.0.0
  network 172.16.0.0

Verification commands

show ip nhrp (on hub and on spoke)
show ip nhrp summary
show dmvpn

Adding security to DMVPN GRE tunnels

crypto isakmp policy 1
  hash sha
  authentication pre-share
  group 14
  lifetime 86400
  encryption aes 256

crypto isakmp key Password1 address 0.0.0.0

crypto ipsec transform-set TRANSFORM_SET esp-aes 256 esp-sha-hmac
  mode transport

crypto ipsec profile IPSEC_PROFILE
  set transform-set TRANSFORM_SET

int tunnel 0
  tunnel protection ipsec profile IPSEC_PROFILE

IPsec verification commands

show dmvpn detail
show crypto isakmp sa detail
Crypto Session Details

Troubleshooting DMVPNs

  1. Verify basic connectivity between the peers (UDP ports 500 and 4500, and IP protocol 50, ESP)
  2. Verify that the keys and IDs match on both ends (ISAKMP pre-shared key, tunnel key, NHRP network-id and authentication string)
  3. Verify that the crypto policies match (ISAKMP policy and IPsec transform set)
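As an added example (not part of these notes), a small Python script that parses the peer table of `show dmvpn` and maps every peer that is not UP to the checklist step above. The sample output is constructed, not captured from a device, and the state-to-step mapping is an assumed troubleshooting heuristic, not a Cisco definition.

```python
import re

# Constructed sample of `show dmvpn` output as seen on the hub (not a real capture).
SAMPLE_SHOW_DMVPN = """\
Interface: Tunnel0, IPv4 NHRP Details
Type:Hub, NHRP Peers:3,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 15.0.0.2           172.16.0.2    UP 00:12:44     D
     1 15.0.0.3           172.16.0.3   IKE    never     D
     1 15.0.0.4           172.16.0.4  NHRP 00:00:31     D
"""

# Assumed heuristic: which checklist step a stuck state usually points at.
STATE_HINTS = {
    "IKE":   "step 1/2: ISAKMP not completing; check UDP 500/4500 reachability and that the pre-shared key matches",
    "IPSEC": "step 3: IPsec SA not forming; check that the transform set and ISAKMP policy match on both ends",
    "NHRP":  "step 2: crypto is up but NHRP registration fails; check tunnel key, NHRP network-id and authentication",
    "DOWN":  "step 1: no session at all; verify the spoke can reach the hub NBMA address",
}

# One peer row: entries, NBMA address, tunnel address, state, up/down timer, attributes.
PEER_RE = re.compile(
    r"^\s*(?P<ent>\d+)\s+(?P<nbma>\d+\.\d+\.\d+\.\d+)\s+(?P<tunnel>\d+\.\d+\.\d+\.\d+)"
    r"\s+(?P<state>[A-Z]+)\s+(?P<updn>\S+)\s+(?P<attrb>\S+)\s*$"
)

def parse_show_dmvpn(text):
    """Return one dict per peer row found in `show dmvpn` output; headers are skipped."""
    return [m.groupdict() for m in (PEER_RE.match(l) for l in text.splitlines()) if m]

def diagnose(text):
    """Return (nbma, tunnel, state, hint) for every peer whose state is not UP."""
    findings = []
    for p in parse_show_dmvpn(text):
        if p["state"] == "UP":
            continue
        hint = STATE_HINTS.get(p["state"], "unknown state; run show ip nhrp and show crypto isakmp sa detail")
        findings.append((p["nbma"], p["tunnel"], p["state"], hint))
    return findings

if __name__ == "__main__":
    for nbma, tun, state, hint in diagnose(SAMPLE_SHOW_DMVPN):
        print(f"{nbma} ({tun}) {state}: {hint}")
```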