# Dynamic Multipoint VPN (DMVPN)

Topology

[ROUTER-0]-----[ROUTER-1]
[ROUTER-0]-----[ROUTER-2]
[ROUTER-0]-----[ROUTER-3]

[ROUTER-1] is the NHRP server.
[ROUTER-2] and [ROUTER-3] are the NHRP clients.

[ROUTER-0] fa0/1: 192.168.1.254/24
[ROUTER-0] fa0/2: 192.168.2.254/24
[ROUTER-0] fa0/3: 192.168.3.254/24

[ROUTER-1] fa0/0: 192.168.1.1/24
[ROUTER-2] fa0/0: 192.168.2.2/24
[ROUTER-3] fa0/0: 192.168.3.3/24

ROUTER-1 configuration

Network

ROUTER-1(config)# interface FastEthernet0/0
ROUTER-1(config-if)# ip address 192.168.1.1 255.255.255.0
ROUTER-1(config)# ip route 0.0.0.0 0.0.0.0 192.168.1.254

Multipoint GRE (mGRE) and Next Hop Resolution Protocol (NHRP)

ROUTER-1(config)# interface Tunnel1
ROUTER-1(config-if)# ip address 1.2.3.1 255.255.255.0
ROUTER-1(config-if)# ip nhrp authentication NHRP_KEY
ROUTER-1(config-if)# ip nhrp map multicast dynamic
ROUTER-1(config-if)# ip nhrp network-id 123
ROUTER-1(config-if)# tunnel source FastEthernet0/0
ROUTER-1(config-if)# tunnel mode gre multipoint
ROUTER-1(config-if)# tunnel key 123

IPsec

ROUTER-1(config)# crypto isakmp policy 1
ROUTER-1(config-isakmp)# authentication pre-share
ROUTER-1(config-isakmp)# encryption aes
ROUTER-1(config-isakmp)# hash sha
ROUTER-1(config-isakmp)# group 2
ROUTER-1(config-isakmp)# lifetime 86400
ROUTER-1(config)# crypto isakmp aggressive-mode disable
ROUTER-1(config)# crypto isakmp key SECRET_KEY address 192.168.2.2
ROUTER-1(config)# crypto isakmp key SECRET_KEY address 192.168.3.3
ROUTER-1(config)# crypto isakmp enable
ROUTER-1(config)# crypto ipsec transform-set TRANSFORM_SET esp-aes esp-sha-hmac
ROUTER-1(config)# crypto ipsec profile PROFILE
ROUTER-1(ipsec-profile)# set transform-set TRANSFORM_SET
ROUTER-1(ipsec-profile)# set pfs group2
ROUTER-1(config)# interface Tunnel1
ROUTER-1(config-if)# tunnel protection ipsec profile PROFILE

ROUTER-2 configuration

Network

ROUTER-2(config)# interface FastEthernet0/0
ROUTER-2(config-if)# ip address 192.168.2.2 255.255.255.0
ROUTER-2(config)# ip route 0.0.0.0 0.0.0.0 192.168.2.254

Multipoint GRE (mGRE) and Next Hop Resolution Protocol (NHRP)

ROUTER-2(config)# interface Tunnel2
ROUTER-2(config-if)# ip address 1.2.3.2 255.255.255.0
ROUTER-2(config-if)# ip nhrp authentication NHRP_KEY
ROUTER-2(config-if)# ip nhrp map 1.2.3.1 192.168.1.1
ROUTER-2(config-if)# ip nhrp network-id 123
ROUTER-2(config-if)# ip nhrp nhs 1.2.3.1
ROUTER-2(config-if)# tunnel source FastEthernet0/0
ROUTER-2(config-if)# tunnel mode gre multipoint
ROUTER-2(config-if)# tunnel key 123

IPsec

ROUTER-2(config)# crypto isakmp policy 1
ROUTER-2(config-isakmp)# authentication pre-share
ROUTER-2(config-isakmp)# encryption aes
ROUTER-2(config-isakmp)# hash sha
ROUTER-2(config-isakmp)# group 2
ROUTER-2(config-isakmp)# lifetime 86400
ROUTER-2(config)# crypto isakmp aggressive-mode disable
ROUTER-2(config)# crypto isakmp key SECRET_KEY address 192.168.1.1
ROUTER-2(config)# crypto isakmp key SECRET_KEY address 192.168.3.3
ROUTER-2(config)# crypto isakmp enable
ROUTER-2(config)# crypto ipsec transform-set TRANSFORM_SET esp-aes esp-sha-hmac
ROUTER-2(config)# crypto ipsec profile PROFILE
ROUTER-2(ipsec-profile)# set transform-set TRANSFORM_SET
ROUTER-2(ipsec-profile)# set pfs group2
ROUTER-2(config)# interface Tunnel2
ROUTER-2(config-if)# tunnel protection ipsec profile PROFILE

ROUTER-3 configuration

Network

ROUTER-3(config)# interface FastEthernet0/0
ROUTER-3(config-if)# ip address 192.168.3.3 255.255.255.0
ROUTER-3(config)# ip route 0.0.0.0 0.0.0.0 192.168.3.254

Multipoint GRE (mGRE) and Next Hop Resolution Protocol (NHRP)

ROUTER-3(config)# interface Tunnel3
ROUTER-3(config-if)# ip address 1.2.3.3 255.255.255.0
ROUTER-3(config-if)# ip nhrp authentication NHRP_KEY
ROUTER-3(config-if)# ip nhrp map 1.2.3.1 192.168.1.1
ROUTER-3(config-if)# ip nhrp network-id 123
ROUTER-3(config-if)# ip nhrp nhs 1.2.3.1
ROUTER-3(config-if)# tunnel source FastEthernet0/0
ROUTER-3(config-if)# tunnel mode gre multipoint
ROUTER-3(config-if)# tunnel key 123

IPsec

ROUTER-3(config)# crypto isakmp policy 1
ROUTER-3(config-isakmp)# authentication pre-share
ROUTER-3(config-isakmp)# encryption aes
ROUTER-3(config-isakmp)# hash sha
ROUTER-3(config-isakmp)# group 2
ROUTER-3(config-isakmp)# lifetime 86400
ROUTER-3(config)# crypto isakmp aggressive-mode disable
ROUTER-3(config)# crypto isakmp key SECRET_KEY address 192.168.1.1
ROUTER-3(config)# crypto isakmp key SECRET_KEY address 192.168.2.2
ROUTER-3(config)# crypto isakmp enable
ROUTER-3(config)# crypto ipsec transform-set TRANSFORM_SET esp-aes esp-sha-hmac
ROUTER-3(config)# crypto ipsec profile PROFILE
ROUTER-3(ipsec-profile)# set transform-set TRANSFORM_SET
ROUTER-3(ipsec-profile)# set pfs group2
ROUTER-3(config)# interface Tunnel3
ROUTER-3(config-if)# tunnel protection ipsec profile PROFILE

Troubleshooting commands

Router# show ip nhrp
Router# show dmvpn
Router# show crypto isakmp sa
Router# show crypto ipsec sa
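
As an added example (not part of the original post), the Python script below audits a configuration transcript written in the prompt style used above. It reports any router that lacks an ISAKMP pre-shared key for another router's NBMA address, which IKE needs before a direct spoke-to-spoke tunnel can come up, and it flags MD5/SHA-1 hashes and DH groups 1, 2 and 5. The function names, the weak-setting list and the rule that the NBMA address is the one on the router's single non-tunnel interface are assumptions of this example.

```python
import re

PROMPT = re.compile(r"^(\S+?)\(([^)]+)\)#[ \t]+(.+)$", re.M)  # router(mode)# command
# ISAKMP policy values this example treats as weak (its own threshold, not the page's)
WEAK = {("hash", "md5"), ("hash", "sha"), ("group", "1"), ("group", "2"), ("group", "5")}

def parse(transcript):
    """Per router: NBMA address, pre-shared-key peer addresses, weak policy lines."""
    routers, iface = {}, {}
    for m in PROMPT.finditer(transcript):
        name, mode, cmd = m[1], m[2], m[3].split()
        r = routers.setdefault(name, {"nbma": None, "psk": set(), "weak": []})
        if cmd[0] == "interface":
            iface[name] = cmd[1]
        elif cmd[:2] == ["ip", "address"] and not iface.get(name, "").startswith("Tunnel"):
            r["nbma"] = cmd[2]  # assumption: one physical interface, as in the page's lab
        elif cmd[:3] == ["crypto", "isakmp", "key"] and "address" in cmd:
            r["psk"].add(cmd[cmd.index("address") + 1])
        elif mode == "config-isakmp" and tuple(cmd[:2]) in WEAK:
            r["weak"].append(" ".join(cmd[:2]))
    return routers

def audit(transcript):
    """Return sorted (router, finding) pairs for a DMVPN lab transcript."""
    routers, findings = parse(transcript), []
    for name, r in routers.items():
        findings += [(name, "weak ISAKMP setting: " + w) for w in r["weak"]]
        for peer, p in routers.items():
            if peer != name and p["nbma"] and not r["psk"] & {p["nbma"], "0.0.0.0"}:
                findings.append((name, f"no pre-shared key for {peer} ({p['nbma']})"))
    return sorted(findings)

# Constructed transcript in the page's prompt style; ROUTER-3 holds a key for the hub only.
SAMPLE = """\
ROUTER-1(config)# interface FastEthernet0/0
ROUTER-1(config-if)# ip address 192.168.1.1 255.255.255.0
ROUTER-1(config)# crypto isakmp key SECRET_KEY address 192.168.2.2
ROUTER-1(config)# crypto isakmp key SECRET_KEY address 192.168.3.3
ROUTER-2(config)# interface FastEthernet0/0
ROUTER-2(config-if)# ip address 192.168.2.2 255.255.255.0
ROUTER-2(config)# crypto isakmp key SECRET_KEY address 192.168.1.1
ROUTER-2(config)# crypto isakmp key SECRET_KEY address 192.168.3.3
ROUTER-3(config)# interface FastEthernet0/0
ROUTER-3(config-if)# ip address 192.168.3.3 255.255.255.0
ROUTER-3(config-isakmp)# group 2
ROUTER-3(config)# crypto isakmp key SECRET_KEY address 192.168.1.1
"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

A wildcard key (`address 0.0.0.0 0.0.0.0`) satisfies the coverage check, but it accepts any peer that knows the secret, so per-peer keys as used on this page are the tighter choice.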
