Saturday, April 2, 2011

Dynamic Multipoint VPN (DMVPN) Cisco Router Configuration Example

How to Configure Dynamic Multipoint VPN (DMVPN) on a Cisco Router:

DMVPN uses a hub-and-spoke configuration (each spoke registers with the hub over NHRP) to build site-to-site VPNs that behave like a full mesh: spokes learn each other's addresses from the hub and bring up direct spoke-to-spoke tunnels on demand. I often use DMVPN as a backup solution for MPLS.

DMVPN Hub Router Configuration:

ip vrf INET-PUBLIC
rd 65512:1

interface GigabitEthernet0/0/4
ip vrf forwarding INET-PUBLIC
ip address 10.4.32.33 255.255.255.248
no shutdown
!
ip route vrf INET-PUBLIC 0.0.0.0 0.0.0.0 10.4.32.35

crypto keyring DMVPN-KEYRING vrf INET-PUBLIC
pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
crypto isakmp policy 10
encr aes 256
hash sha
authentication pre-share
group 2
crypto isakmp profile FVRF-ISAKMP-INET-PUBLIC
keyring DMVPN-KEYRING
match identity address 0.0.0.0 INET-PUBLIC
crypto ipsec transform-set AES256/SHA/TRANSPORT esp-aes 256 esp-sha-hmac
mode transport
!
crypto ipsec profile DMVPN-PROFILE
set transform-set AES256/SHA/TRANSPORT
set isakmp-profile FVRF-ISAKMP-INET-PUBLIC

interface Tunnel10
bandwidth 10000
ip address 10.4.34.1 255.255.254.0
no ip redirects
ip mtu 1400
ip hold-time eigrp 200 35
ip nhrp authentication cisco123
ip nhrp map multicast dynamic
ip nhrp network-id 101
ip nhrp holdtime 600
ip nhrp redirect
ip tcp adjust-mss 1360
no ip split-horizon eigrp 200
! the tunnel source must be the interface placed in vrf INET-PUBLIC above (Gi0/0/4)
tunnel source GigabitEthernet0/0/4
tunnel mode gre multipoint
tunnel vrf INET-PUBLIC
tunnel protection ipsec profile DMVPN-PROFILE
!
! Added here: the EIGRP AS 200 process that the hold-time and split-horizon
! commands on Tunnel10 refer to (the original post omits it). The network
! statement covers the tunnel subnet; add site LAN networks as needed.
router eigrp 200
network 10.4.34.0 0.0.1.255

DMVPN Spoke Router Configuration:

ip vrf INET-PUBLIC
rd 65512:1

interface GigabitEthernet0/1
ip vrf forwarding INET-PUBLIC
ip address dhcp
ip access-group ACL-INET-PUBLIC in
no shutdown

ip access-list extended ACL-INET-PUBLIC
permit udp any any eq non500-isakmp
permit udp any any eq isakmp
permit esp any any
permit icmp any any echo
permit icmp any any echo-reply
permit udp any any eq bootpc

crypto keyring DMVPN-KEYRING vrf INET-PUBLIC
pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
!
crypto isakmp policy 10
encr aes 256
hash sha
authentication pre-share
group 2
!
crypto isakmp keepalive 30 5
!
crypto isakmp profile FVRF-ISAKMP-INET-PUBLIC
keyring DMVPN-KEYRING
match identity address 0.0.0.0 INET-PUBLIC
!
crypto ipsec transform-set AES256/SHA/TRANSPORT esp-aes 256 esp-sha-hmac
mode transport
!
crypto ipsec profile DMVPN-PROFILE
set transform-set AES256/SHA/TRANSPORT
set isakmp-profile FVRF-ISAKMP-INET-PUBLIC


interface Tunnel10
bandwidth 1500
ip address 10.4.34.201 255.255.254.0
no ip redirects
ip mtu 1400
ip nhrp authentication cisco123
ip nhrp map 10.4.34.1 172.16.130.1
ip nhrp map multicast 172.16.130.1
ip nhrp network-id 101
ip nhrp holdtime 600
ip nhrp nhs 10.4.34.1
ip nhrp registration no-unique
ip nhrp shortcut
ip tcp adjust-mss 1360
ip summary-address eigrp 200 10.5.40.0 255.255.248.0
tunnel source GigabitEthernet0/1
tunnel mode gre multipoint
tunnel vrf INET-PUBLIC
tunnel protection ipsec profile DMVPN-PROFILE
!
! Added here: the EIGRP AS 200 process that the summary-address command on
! Tunnel10 refers to (the original post omits it). The network statement
! covers the tunnel subnet; the site LAN network statement is site-specific.
router eigrp 200
network 10.4.34.0 0.0.1.255
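As an added example (not part of the original post, and not Cisco tooling), the following Python linter parses constructed, trimmed copies of the hub and spoke configurations above, re-typed in indented show-run form, and checks the points that most often break or weaken a DMVPN deployment: that the tunnel source interface really sits in the front-door VRF named by `tunnel vrf`, that the IPsec profile chain resolves to an existing transform set, that the NHRP parameters which must agree on both ends (authentication string, network-id, tunnel MTU) do agree, and that the spoke's NHS is the hub's tunnel address. It also flags settings that were routine in 2011 but a current review would query: the wildcard pre-shared key shared by every spoke, DH group 2, and SHA-1. The config strings, the function names and the check list are all mine; the spoke copy omits the keyring and ISAKMP policy, which is why the hygiene check reports nothing for it.

```python
# Added example, not from the original post and not Cisco tooling: a small
# linter for a DMVPN hub/spoke pair. HUB_CFG and SPOKE_CFG are constructed,
# trimmed copies of the page's configs, re-typed in indented show-run form.

HUB_CFG = """\
interface GigabitEthernet0/0/4
 ip vrf forwarding INET-PUBLIC
crypto keyring DMVPN-KEYRING vrf INET-PUBLIC
 pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 2
crypto ipsec transform-set AES256/SHA/TRANSPORT esp-aes 256 esp-sha-hmac
crypto ipsec profile DMVPN-PROFILE
 set transform-set AES256/SHA/TRANSPORT
interface Tunnel10
 ip address 10.4.34.1 255.255.254.0
 ip mtu 1400
 ip nhrp authentication cisco123
 ip nhrp network-id 101
 tunnel source GigabitEthernet0/0/4
 tunnel vrf INET-PUBLIC
 tunnel protection ipsec profile DMVPN-PROFILE
"""

SPOKE_CFG = """\
interface GigabitEthernet0/1
 ip vrf forwarding INET-PUBLIC
crypto ipsec transform-set AES256/SHA/TRANSPORT esp-aes 256 esp-sha-hmac
crypto ipsec profile DMVPN-PROFILE
 set transform-set AES256/SHA/TRANSPORT
interface Tunnel10
 ip address 10.4.34.201 255.255.254.0
 ip mtu 1400
 ip nhrp authentication cisco123
 ip nhrp network-id 101
 ip nhrp nhs 10.4.34.1
 tunnel source GigabitEthernet0/1
 tunnel vrf INET-PUBLIC
 tunnel protection ipsec profile DMVPN-PROFILE
"""

def parse_ios(text):
    """Group an indented IOS config into {stanza header: [child lines]}."""
    stanzas, cur = {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and cur:
            stanzas[cur].append(raw.strip())
        elif raw.strip() and not raw.startswith("!"):
            cur = raw.strip()
            stanzas[cur] = []
    return stanzas

def stanza(cfg, prefix):
    """Body of the first stanza whose header starts with prefix, else None."""
    return next((b for h, b in cfg.items() if h.startswith(prefix)), None)

def child(body, prefix):
    """Argument part of the first line in a stanza body starting with prefix."""
    hits = [ln[len(prefix):].strip() for ln in (body or []) if ln.startswith(prefix)]
    return hits[0] if hits else None

def check_tunnel(cfg, name="Tunnel10"):
    """Per-router checks: FVRF consistency and a resolvable IPsec profile chain."""
    tun, out = stanza(cfg, f"interface {name}"), []
    fvrf, src = child(tun, "tunnel vrf"), child(tun, "tunnel source")
    if child(stanza(cfg, f"interface {src}"), "ip vrf forwarding") != fvrf:
        out.append(f"{name}: tunnel source {src} is not in FVRF {fvrf}")
    prof = child(tun, "tunnel protection ipsec profile")
    ts = child(stanza(cfg, f"crypto ipsec profile {prof}"), "set transform-set")
    if stanza(cfg, f"crypto ipsec transform-set {ts} ") is None:
        out.append(f"{name}: profile {prof} references missing transform-set {ts}")
    return out

MUST_MATCH = ("ip nhrp authentication", "ip nhrp network-id", "ip mtu")

def check_pair(hub, spoke, name="Tunnel10"):
    """Cross-router checks: NHRP/GRE settings that must agree on both ends."""
    h, s, out = stanza(hub, f"interface {name}"), stanza(spoke, f"interface {name}"), []
    for key in MUST_MATCH:
        if child(h, key) != child(s, key):
            out.append(f"{key}: hub={child(h, key)!r} spoke={child(s, key)!r}")
    hub_ip = child(h, "ip address").split()[0]
    if child(s, "ip nhrp nhs") != hub_ip:
        out.append(f"spoke NHS {child(s, 'ip nhrp nhs')} is not the hub tunnel IP {hub_ip}")
    return out

def check_crypto_hygiene(cfg):
    """Settings this template accepts that a current review would flag."""
    pol, out = stanza(cfg, "crypto isakmp policy"), []
    if child(pol, "group") in ("1", "2", "5"):
        out.append(f"isakmp: DH group {child(pol, 'group')} is weaker than 2048-bit MODP")
    if child(pol, "hash") in ("md5", "sha"):
        out.append(f"isakmp: hash '{child(pol, 'hash')}' means MD5/SHA-1")
    for hdr, body in cfg.items():
        if hdr.startswith("crypto keyring") and any(
                ln.startswith("pre-shared-key address 0.0.0.0 0.0.0.0") for ln in body):
            out.append(f"{hdr}: one wildcard PSK is shared by every peer")
    return out
```

Run it with `check_tunnel(parse_ios(HUB_CFG))`, `check_pair(parse_ios(HUB_CFG), parse_ios(SPOKE_CFG))` and `check_crypto_hygiene(parse_ios(HUB_CFG))`; each returns a list of findings, empty when the configs are consistent. Feeding it a hub copy whose `tunnel source` names an interface that is not in the FVRF, or a spoke with a different `ip nhrp network-id`, produces a one-line finding for each, which is the quickest way to spot a tunnel that stays down after a copy-and-paste deployment.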

5 comments:

  1. Does the spoke need a setroute command?

  2. Great guide on DMVPN, it really helped me a lot.

  3. I need more information. I'm a little bit confused on configuring multiple point VPN on a full mesh topology.


  4. Wow really Nice post..i use something like this one. awesome blog.. keep it up..


  5. Dear learner,
    If you don’t know anything about DMVPN, check out these links: DMVPN Configuration
