DMVPN

  • https://www.cisco.com/c/en/us/support/docs/security-vpn/dynamic-multi-point-vpn-dmvpn/119022-configure-dmvpn-00.html

  • https://networklessons.com/uncategorized/dmvpn-dual-hub-dual-cloud

  • http://www.tcpuniverse.com/cisco/dmvpn-redundancy/

  • https://packetlife.net/blog/2012/jan/9/multiple-dmvpns-single-hub/

  • https://community.cisco.com/t5/security-documents/dmvpn-on-spoke-troubleshooting-order-and-component/ta-p/3143396

  • https://networklessons.com/cisco/ccie-routing-switching-written/group-encrypted-transport-vpn-getvpn

  • https://blog.ine.com/2008/12/23/dmvpn-phase-3

  • https://blog.ine.com/2008/08/02/dmvpn-explained

  • https://networkdirection.net/articles/routingandswitching/dmvpn/dmvpn-configuration/

Cisco documentation titles (see the support links above):

  • Dynamic Multipoint VPN Configuration Guide

  • DMVPN on Spoke Troubleshooting Order and Component Responsibilities

  • Troubleshoot a DMVPN Phase 3 Architecture

ACL that drops inbound ESP on the transport interface. Because the GRE tunnel is carried inside ESP, this takes the DMVPN tunnel down while IKE (UDP/500, 4500) and plain IP still pass; the spoke then shows the peer stuck in NHRP state (crypto up, registration unanswered). Note it does not catch ESP encapsulated in UDP/4500 by NAT-T.

ip access-list extended GRE_DENY
 deny esp any any
 permit ip any any
!
interface GigabitEthernet0/0
 ip access-group GRE_DENY in

Terminology

Next Hop Resolution Protocol (NHRP) - RFC 2332
Non-Broadcast Multi-Access (NBMA) - the transport (underlay) network the tunnel endpoints sit on
Next-Hop Server (NHS) - the hub; holds the spokes' NHRP registrations
Next-Hop Client (NHC) - the spoke; registers its tunnel-address to NBMA-address mapping with the NHS

FVRF - Front-Door VRF, the VRF the transport (NBMA) network lives in. The tunnel source interface sits in the FVRF; the tunnel interface itself sits in the inside VRF or global table, so underlay and overlay routing cannot leak into each other.

show dmvpn
show ip nhrp
show ip nhrp nhs redundancy
clear ip nhrp
show crypto map
show crypto sockets
debug dmvpn detail crypto
debug crypto condition peer ipv4 <nbma address>
debug dmvpn condition peer nbma <nbma address>
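The show commands above are what you run by hand; the state column of show dmvpn is also the quickest way to tell which component to troubleshoot next on a spoke (transport/IKE, then IPsec, then NHRP, then routing). The following is an added example, not code from the page or from Cisco: it parses a constructed show dmvpn sample (not a real device capture) and maps every peer that is not UP to the component that has not completed. The NEXT_STEP hints and the sample addresses are this example's assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample of `show dmvpn` output (layout follows the IOS command,
# but the addresses and states are made up for this example).
SAMPLE_SHOW_DMVPN = """\
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        T1 - Route Installed, T2 - Nexthop-override
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel10, IPv4 NHRP Details
Type:Spoke, NHRP Peers:2,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1     192.0.2.10       10.10.0.1    UP 01:12:04     S
     1     192.0.2.20       10.10.0.2  NHRP    never     S

Interface: Tunnel11, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1     198.51.100.10    10.11.0.1   IKE    never     S
"""

# Spoke troubleshooting order: each state names the component that has not
# completed yet (a peer stuck in IKE never reached IPsec, and so on).
NEXT_STEP = {
    "IKE":   "no IKEv2 SA: check transport reachability in the FVRF, UDP/500 and "
             "4500, PSK/identity; debug crypto condition peer ipv4 <nbma>",
    "IPSEC": "IKE up but no IPsec SA: check transform-set / ipsec profile match",
    "NHRP":  "crypto up but NHRP registration unanswered: ESP filtered on the path, "
             "GRE tunnel key or nhrp authentication mismatch; show ip nhrp nhs redundancy",
    "UP":    "ok",
}


@dataclass
class Peer:
    interface: str
    nbma: str
    tunnel: str
    state: str
    updn: str
    attrb: str


_IFACE = re.compile(r"^Interface:\s*(\S+?),")
_ROW = re.compile(
    r"^\s*(\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$"
)


def parse_show_dmvpn(text):
    """Return one Peer per NHRP row, tagged with the tunnel interface it was listed under."""
    peers, iface = [], None
    for line in text.splitlines():
        m = _IFACE.match(line)
        if m:
            iface = m.group(1)
            continue
        m = _ROW.match(line)
        if m and iface:
            _ent, nbma, tun, state, updn, attrb = m.groups()
            peers.append(Peer(iface, nbma, tun, state, updn, attrb))
    return peers


def unhealthy_peers(text):
    """Peers not in UP state, each with the component to look at first."""
    return [(p.interface, p.nbma, p.state, NEXT_STEP.get(p.state, "unknown state"))
            for p in parse_show_dmvpn(text) if p.state != "UP"]


if __name__ == "__main__":
    for row in unhealthy_peers(SAMPLE_SHOW_DMVPN):
        print(row)
```

Feed it the output of show dmvpn collected from a spoke (for example over SSH) and alert on any non-empty result; the peer stuck in NHRP on Tunnel10 is exactly what the GRE_DENY ACL above produces.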

DMVPN Tunnel Health Monitoring

if-state nhrp - brings the tunnel interface's line protocol down when NHRP registration with the NHS fails, and back up once it succeeds, so object tracking and routing see the real tunnel state. Configure it on spokes only; hubs do not register.

interface Tunnel11
 if-state nhrp
!
track 80 interface Tunnel10 line-protocol

When the tracked tunnel goes down the ISP path is treated as black-holed, so the DHCP-learned default route used for direct internet access (DIA) via that interface is withdrawn; it is restored when the tunnel comes back.

Step 4
event manager applet DISABLE-IWAN-DIA-DEFAULT
 description ISP Black hole Detection - Tunnel state
 event track 80 state down
 action 1 cli command "enable"
 action 2 cli command "configure terminal"
 action 3 cli command "no ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/1 dhcp 10"
 action 4 cli command "end"
 action 99 syslog msg "IWAN DIA DEFAULT IP ROUTE via GIG0/0/1 DISABLED"

Step 5
event manager applet ENABLE-IWAN-DIA-DEFAULT
 description ISP Black hole Detection - Tunnel state
 event track 80 state up
 action 1 cli command "enable"
 action 2 cli command "configure terminal"
 action 3 cli command "ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/1 dhcp 10"
 action 4 cli command "end"
 action 99 syslog msg "IWAN DIA DEFAULT IP ROUTE via GIG0/0/1 ENABLED"

Crypto KEY Hub

crypto ikev2 keyring DMVPN_KEY
 peer ANY
  address 0.0.0.0 0.0.0.0
  pre-shared-key c1sco123
!

Caveat: a wildcard peer with one pre-shared key means every spoke holds the same secret, so a compromised spoke can impersonate the hub or any other spoke. Use per-spoke keys (one peer block per NBMA address) or certificate authentication in production.

crypto ikev2 proposal IKEV2_PROPOSAL
 encryption aes-gcm-256
 prf sha512
 group 19
!

(AES-GCM is an AEAD cipher, so the proposal carries no integrity statement; the prf is still required.)

show crypto ikev2 proposal

crypto ikev2 policy IKEV2_POLICY
 match fvrf IWAN
 proposal IKEV2_PROPOSAL
!

show crypto ikev2 policy

crypto ikev2 profile DMVPN_IKEV2_PROFILE
 description PSK Profile
 match fvrf IWAN
 match identity remote address 0.0.0.0
 ! identity local address 94.232.31.146
 authentication local pre-share
 authentication remote pre-share
 keyring local DMVPN_KEY
!
crypto ipsec transform-set DMVPN_TRANSFORM_SET esp-gcm 256
 mode transport
!
crypto ipsec profile DMVPN_IPSEC_PROFILE
 set transform-set DMVPN_TRANSFORM_SET
 set ikev2-profile DMVPN_IKEV2_PROFILE
!
crypto ipsec security-association replay window-size 1024

Crypto KEY Spoke

crypto ikev2 keyring DMVPN_KEY
 peer ANY
  address 0.0.0.0 0.0.0.0
  pre-shared-key c1sco123
!
crypto ikev2 proposal IKEV2_PROPOSAL
 encryption aes-gcm-256
 prf sha512
 group 19
!

show crypto ikev2 proposal

crypto ikev2 policy IKEV2_POLICY
 proposal IKEV2_PROPOSAL
!

show crypto ikev2 policy

crypto ikev2 profile DMVPN_IKEV2_PROFILE
 description PSK Profile
 match identity remote address 0.0.0.0
 ! identity local address 94.232.31.145
 authentication local pre-share
 authentication remote pre-share
 keyring local DMVPN_KEY
 dpd 40 5 on-demand
!
crypto ipsec transform-set DMVPN_TRANSFORM_SET esp-gcm 256
 mode transport
!
crypto ipsec profile DMVPN_IPSEC_PROFILE
 set transform-set DMVPN_TRANSFORM_SET
 set ikev2-profile DMVPN_IKEV2_PROFILE
!
crypto ipsec security-association replay window-size 1024
crypto isakmp nat keepalive 20

(crypto isakmp nat keepalive is the IKEv1-era command; IKEv2 has its own crypto ikev2 nat keepalive <seconds>.)

Alternative non-AEAD transform set (AES-256-CBC with HMAC-SHA1), for peers that cannot do GCM:

crypto ipsec transform-set AES256/SHA/TRANSPORT esp-aes 256 esp-sha-hmac
 mode transport

show crypto ikev2 stats

Transport (FVRF) interface; the tunnel source lives here, in VRF IWAN-TRANSPORT-11:

interface GigabitEthernet0/0/3
 description MPLS1
 bandwidth 500000
 vrf forwarding IWAN-TRANSPORT-11
 ip address 192.168.6.81 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 negotiation auto
 no mop enabled
 no lldp transmit
 no lldp receive
 service-policy output TRANSPORT-11-SHAPE-ONLY
 hold-queue 4096 in
 hold-queue 4096 out
!

IKEv2 SA limits and cookie challenge, to bound the state an attacker can create by flooding IKE_SA_INIT (max-in-negotation-sa is the keyword's own spelling in the IOS CLI):

crypto ikev2 limit max-sa 10
crypto ikev2 limit max-in-negotation-sa 6 outgoing
crypto ikev2 limit max-in-negotation-sa 6
crypto ikev2 cookie-challenge 4

max-sa caps the total number of IKEv2 SAs, so on a hub it must be at least the spoke count (10 is a lab value); max-in-negotation-sa caps half-open SAs in each direction; cookie-challenge makes the router answer IKE_SA_INIT with a stateless cookie once more than 4 half-open SAs are pending, so spoofed-source floods get no SA state allocated.

show crypto ikev2 stats
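The wildcard keyring, the transform sets and the cookie-challenge settings above are the places where a DMVPN crypto config quietly goes weak. The following is an added example, not from the page or from Cisco: a small linter over IOS running-config text that flags a wildcard pre-shared-key peer, 3DES/DES/MD5 transforms, DH groups below 14, tunnel-mode transform sets and a missing IKEv2 cookie challenge. The config sample is constructed for the example (the page's settings plus deliberately weak LEGACY_PROPOSAL, OLD and SPOKE_KEYS blocks); the severity choices are this example's own policy.

```python
# Constructed IOS config excerpt (not a capture from a real device): the page's
# IKEv2/IPsec settings plus deliberately weak blocks to exercise the checks.
SAMPLE_CONFIG = """\
crypto ikev2 keyring DMVPN_KEY
 peer ANY
  address 0.0.0.0 0.0.0.0
  pre-shared-key c1sco123
!
crypto ikev2 keyring SPOKE_KEYS
 peer SPOKE1
  address 203.0.113.11
  pre-shared-key per-spoke-example-secret
!
crypto ikev2 proposal IKEV2_PROPOSAL
 encryption aes-gcm-256
 prf sha512
 group 19
!
crypto ikev2 proposal LEGACY_PROPOSAL
 encryption aes-cbc-128 3des
 integrity sha1
 group 2
!
crypto ipsec transform-set DMVPN_TRANSFORM_SET esp-gcm 256
 mode transport
!
crypto ipsec transform-set AES256/SHA/TRANSPORT esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec transform-set OLD esp-3des esp-md5-hmac
 mode tunnel
!
crypto ipsec security-association replay window-size 1024
crypto ikev2 cookie-challenge 4
"""

WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}
LEGACY_ESP = {"esp-sha-hmac"}          # HMAC-SHA1: not broken as an HMAC, but below a GCM baseline
WEAK_IKE_ENC = {"des", "3des"}


def _blocks(text):
    """Yield (header, [stripped sub-commands]) for each top-level IOS config block."""
    header, body = None, []
    for line in text.splitlines():
        if line.startswith(" "):
            body.append(line.strip())
            continue
        if header is not None:
            yield header, body
        header, body = (None, []) if line.strip() in ("", "!") else (line.strip(), [])
    if header is not None:
        yield header, body


def lint_crypto_config(text):
    """Return (object name, message) findings in config order; 'global' entries come last."""
    findings, seen_cookie = [], False
    for header, body in _blocks(text):
        words = header.split()
        if header.startswith("crypto ikev2 keyring"):
            peer = None
            for item in body:
                if item.startswith("peer "):
                    peer = item.split()[1]
                elif item == "address 0.0.0.0 0.0.0.0":
                    findings.append((words[-1], f"wildcard peer {peer}: one PSK shared by every spoke; "
                                     "a compromised spoke can impersonate the hub or any other spoke"))
        elif header.startswith("crypto ikev2 proposal"):
            for item in body:
                kw, *args = item.split()
                if kw == "encryption" and set(args) & WEAK_IKE_ENC:
                    findings.append((words[-1], "weak IKEv2 encryption: " + ", ".join(sorted(set(args) & WEAK_IKE_ENC))))
                elif kw == "integrity" and "md5" in args:
                    findings.append((words[-1], "IKEv2 integrity md5"))
                elif kw == "group" and any(g.isdigit() and int(g) < 14 for g in args):
                    findings.append((words[-1], "DH group below 14: " + " ".join(args)))
        elif header.startswith("crypto ipsec transform-set"):
            name, algs = words[3], set(words[4:])
            if algs & WEAK_ESP:
                findings.append((name, "weak ESP transform: " + ", ".join(sorted(algs & WEAK_ESP))))
            elif algs & LEGACY_ESP:
                findings.append((name, "legacy ESP integrity (HMAC-SHA1); prefer esp-gcm"))
            if "mode transport" not in body:
                findings.append((name, "tunnel mode: extra outer IP header per packet; DMVPN over GRE normally uses transport"))
        elif header.startswith("crypto ikev2 cookie-challenge"):
            seen_cookie = True
    if not seen_cookie:
        findings.append(("global", "no 'crypto ikev2 cookie-challenge': half-open IKE SA flooding is not throttled"))
    return findings


if __name__ == "__main__":
    for obj, msg in lint_crypto_config(SAMPLE_CONFIG):
        print(f"{obj}: {msg}")
```

Run it against show running-config | section crypto from each hub and spoke; on this sample it flags DMVPN_KEY, LEGACY_PROPOSAL twice, AES256/SHA/TRANSPORT and OLD twice, and stays silent on the GCM transform set and IKEV2_PROPOSAL.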
