Mundy IT Knowledge Base

Cisco Template: DMVPN

! All routers: apply this section first. Otherwise the tunnel ends up in a
! broken state that could only be resolved by rebooting all 3 routers.

! If an inbound ACL (here "in-from-world") is applied to the internet-facing
! interface, it must permit the tunnel's control and data plane or the tunnel
! will not come up: IKE (UDP 500), ESP and GRE. If either end is behind NAT,
! NAT-T moves IKE and ESP to UDP 4500 ("eq non500-isakmp"), which then needs
! permitting as well. "any" sources are needed while spokes have dynamic
! addresses and build spoke-to-spoke tunnels; where every peer is static the
! source can be narrowed to those peers (e.g. "host <R1 public IP address>").
ip access-list extended in-from-world
  permit esp any any
  permit gre any any
  permit udp any any eq isakmp

! If NAT is in use, the "nat-candidates" ACL that selects inside sources needs
! no additions for the tunnel, but it must match the local LAN *exactly*
! (e.g. 192.168.1.0 0.0.0.255), not a wider range such as 192.168.0.0
! 0.0.255.255, and its last entry *must* be an explicit "deny ip any any".
! NB: if you specified a wider range and then fix it, traffic will still look
! broken because stale NAT translations remain in place. Clear them either
! with "clear ip nat translation *" or by removing the "ip nat inside source
! list nat-candidates interface <internet facing interface> overload" line
! and re-adding it (you'll be prompted to clear the NAT table).

! An outbound ACL ("out-to-world") that only restricts locally sourced traffic
! (i.e. used together with nat-candidates to allow only certain ports out)
! needs no changes: IOS does not apply outbound ACLs to traffic the router
! itself originates, which is what the encrypted GRE is.

Values to fill in (R1 is the hub, R2 a spoke; repeat the R2 values for each additional spoke):

Tunnel network address: <tunnel network eg. 172.31.255.0 0.0.0.255>
Pre-shared key: <pre-shared key>
R1 network address: <R1 network eg. 192.168.1.0 0.0.0.255>
R1 tunnel ip address: <R1 tunnel ip address eg. 172.31.255.1>
R1 internet facing interface: <R1 internet facing interface eg. Dialer0>
R1 public IP address: <R1 public IP address eg. 182.239.193.136>
R2 network address: <R2 network eg. 192.168.2.0 0.0.0.255>
R2 tunnel ip address: <R2 tunnel ip address eg. 172.31.255.2>
R2 internet facing interface: <R2 internet facing interface eg. Dialer0>
 
! Hub router (R1):

router eigrp 123
  no auto-summary
  network <tunnel network eg. 172.31.255.0 0.0.0.255>
  network <R1 network eg. 192.168.1.0 0.0.0.255>
! IKEv1 with a pre-shared key. AES-128, SHA-1 and DH group 2 (1024-bit) are
! legacy choices today; where both ends run IOS 15.x prefer "encryption aes
! 256", "hash sha256" and "group 14" (2048-bit), keeping the policy identical
! on hub and spokes.
crypto isakmp policy 1
  encryption aes
  authentication pre-share
  hash sha
  group 2
! The 0.0.0.0 wildcard lets any peer that knows the PSK authenticate; the hub
! needs it because spoke addresses are dynamic. "key 0" is a cleartext key in
! the running config; "key config-key password-encrypt" together with
! "password encryption aes" makes IOS store it as an encrypted type 6 key.
crypto isakmp key 0 <pre-shared key> address 0.0.0.0 0.0.0.0
! Transport mode: the GRE header already carries the outer addresses, so
! tunnel mode would only add overhead.
crypto ipsec transform-set aes-sha esp-aes esp-sha-hmac
  mode transport
crypto ipsec profile DMVPN
  set transform-set aes-sha
interface Tunnel0
  ip address <R1 tunnel ip address eg. 172.31.255.1> 255.255.255.0
  no ip redirects
! GRE plus ESP adds some 60-80 bytes per packet, so a tunnel MTU of 1500 would
! fragment every full-size packet after encapsulation (worse still behind a
! 1492-byte PPPoE dialer); 1400/1360 are the values Cisco recommends for DMVPN.
  ip mtu 1400
  ip tcp adjust-mss 1360
! The NHRP authentication string only keeps routers of different clouds apart
! and must match on all of them; it is not a security control (IPsec is).
  ip nhrp authentication cisco
! Learn each spoke's public (NBMA) address from its registration and replicate
! EIGRP multicast to all registered spokes.
  ip nhrp map multicast dynamic
  ip nhrp network-id 123
! Phase 2 DMVPN: re-advertise spoke routes out the same tunnel with the
! originating spoke as next hop, so spokes build direct spoke-to-spoke tunnels.
  no ip split-horizon eigrp 123
  no ip next-hop-self eigrp 123
  tunnel source <R1 internet facing interface eg. Dialer0>
  tunnel mode gre multipoint
! network-id and tunnel key must match on every router in this cloud.
  tunnel key 123
  tunnel protection ipsec profile DMVPN
 
! Spoke routers (R2, and likewise each further spoke):

router eigrp 123
  no auto-summary
  network <tunnel network eg. 172.31.255.0 0.0.0.255>
  network <R2 network eg. 192.168.2.0 0.0.0.255>
! Spokes advertise only their connected LAN and are never used as transit.
  eigrp stub connected
! ISAKMP policy, PSK and transform set must be identical on hub and spokes.
crypto isakmp policy 1
  encryption aes
  authentication pre-share
  hash sha
  group 2
! The wildcard is needed on spokes too: spoke-to-spoke tunnels are negotiated
! directly with other spokes' dynamic addresses. "key 0" stores the PSK in
! cleartext; see "key config-key password-encrypt" / "password encryption aes".
crypto isakmp key 0 <pre-shared key> address 0.0.0.0 0.0.0.0
crypto ipsec transform-set aes-sha esp-aes esp-sha-hmac
  mode transport
crypto ipsec profile DMVPN
  set transform-set aes-sha
interface Tunnel0
  ip address <R2 tunnel ip address eg. 172.31.255.2> 255.255.255.0
  no ip redirects
! GRE plus ESP overhead: 1400/1360 are the values Cisco recommends for DMVPN;
! a 1500-byte tunnel MTU fragments every full-size packet.
  ip mtu 1400
  ip tcp adjust-mss 1360
  ip nhrp authentication cisco
! Static mapping of the hub: send multicast (EIGRP hellos) to its public
! address, map its tunnel address to that public address, and register with
! it as next-hop server.
  ip nhrp map multicast <R1 public IP address eg. 182.239.193.136>
  ip nhrp map <R1 tunnel ip address eg. 172.31.255.1> <R1 public IP address eg. 182.239.193.136>
  ip nhrp nhs <R1 tunnel ip address eg. 172.31.255.1>
  ip nhrp network-id 123
! Re-register every 30 s and ask the hub to hold the mapping for 60 s, so a
! spoke whose dialer address changes is relearned quickly.
  ip nhrp registration timeout 30
  ip nhrp holdtime 60
  tunnel source <R2 internet facing interface eg. Dialer0>
  tunnel mode gre multipoint
  tunnel key 123
  tunnel protection ipsec profile DMVPN
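As an added example (not part of this wiki page, and not a Cisco tool), the Python script below audits a hub and a spoke running-config against the rules of the preamble and the two templates above: the inbound ACL permits ESP, GRE and IKE; the NAT ACL matches the LAN exactly and ends with an explicit deny; and the NHRP authentication string, network-id and tunnel key agree on both routers while the spoke's NHS is the hub's tunnel address. The function names, the audit rules and the two sample configs (constructed from the template's example values, with two deliberate mistakes on the hub) are this example's own assumptions; to use it on real routers, feed it the text of `show running-config`.

```python
"""Audit DMVPN hub/spoke IOS configs against this page's rules. Added example; samples constructed."""
import ipaddress
import re

# Tunnel0 values that must be identical on every router in the DMVPN cloud.
MUST_MATCH = ("ip nhrp authentication", "ip nhrp network-id", "tunnel key")


def parse_blocks(config):
    """{top-level line: [indented children]}; '!' comments and blanks are skipped."""
    blocks, current = {}, None
    for raw in (r for r in config.splitlines() if r.strip() and not r.lstrip().startswith("!")):
        if raw[0].isspace() and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks.setdefault(current, [])
    return blocks


def check_inbound_acl(blocks, acl_name="in-from-world"):
    """Tunnel protocols the inbound ACL lacks; [] when no such ACL exists."""
    header = f"ip access-list extended {acl_name}"
    if header not in blocks:
        return []
    needed = {"esp": r"^permit esp\b", "gre": r"^permit gre\b",
              "isakmp": r"^permit udp\b.*\beq isakmp$"}  # narrower 'host <peer>' forms count
    return [n for n, pat in needed.items()
            if not any(re.search(pat, e) for e in blocks[header])]


def ace_source(entry):
    """Source of an extended ACE as a network, or None if it cannot be read."""
    tok = entry.split()
    try:
        if tok[2] == "any":
            return ipaddress.ip_network("0.0.0.0/0")
        if tok[2] == "host":
            return ipaddress.ip_network(tok[3] + "/32")
        wild = int(ipaddress.IPv4Address(tok[3]))  # IOS wildcard: 1 bits = don't care
        if wild & (wild + 1):  # not of the form 0..01..1: non-contiguous wildcard,
            return None        # which is not a network at all
        return ipaddress.ip_network(f"{tok[2]}/{32 - wild.bit_length()}", strict=False)
    except (IndexError, ValueError):
        return None


def check_nat_acl(blocks, lan, acl_name="nat-candidates"):
    """Permits whose source is not exactly the LAN, and a missing final deny."""
    entries = blocks.get(f"ip access-list extended {acl_name}")
    if entries is None:  # no NAT ACL at all: NAT is not in use, nothing to check
        return []
    lan_net, problems = ipaddress.ip_network(lan), []
    for e in (e for e in entries if e.startswith("permit")):
        src = ace_source(e)
        if src != lan_net:
            problems.append(f"'{e}' does not match {lan_net} exactly (source {src})")
    if not entries or entries[-1] != "deny ip any any":
        problems.append("ACL does not end with an explicit 'deny ip any any'")
    return problems


def check_peer_consistency(hub, spoke):
    """MUST_MATCH values that differ, plus a spoke NHS that is not the hub's address."""
    wanted = MUST_MATCH + ("ip address", "ip nhrp nhs")
    # {command prefix: value} for the Tunnel0 commands of interest, per router
    h, s = ({p: line[len(p) + 1:] for line in b.get("interface Tunnel0", [])
             for p in wanted if line.startswith(p + " ")} for b in (hub, spoke))
    problems = [f"{k}: hub={h.get(k)!r} spoke={s.get(k)!r}"
                for k in MUST_MATCH if h.get(k) != s.get(k)]
    hub_addr = h.get("ip address", "").split(" ")[0]
    if s.get("ip nhrp nhs") != hub_addr:
        problems.append(f"spoke NHS {s.get('ip nhrp nhs')!r} is not hub {hub_addr!r}")
    return problems


# Constructed samples using the template's example values. The hub carries two of
# the page's mistakes: no GRE permit inbound, and a NAT ACL matching 192.168.0.0/16.
HUB = """\
ip access-list extended in-from-world
 permit esp any any
 permit udp any any eq isakmp
ip access-list extended nat-candidates
 permit ip 192.168.0.0 0.0.255.255 any
 deny ip any any
interface Tunnel0
 ip address 172.31.255.1 255.255.255.0
 ip nhrp authentication cisco
 ip nhrp network-id 123
 tunnel key 123
"""
SPOKE = """\
interface Tunnel0
 ip address 172.31.255.2 255.255.255.0
 ip nhrp authentication cisco
 ip nhrp nhs 172.31.255.1
 ip nhrp network-id 123
 tunnel key 123
"""
```

On the samples, `check_inbound_acl(parse_blocks(HUB))` returns `['gre']`, `check_nat_acl(parse_blocks(HUB), "192.168.1.0/24")` returns one finding for the 192.168.0.0/16 match, and `check_peer_consistency` returns an empty list until a tunnel key, network-id or NHS address is changed on one side. Wildcards are converted to prefixes by hand rather than through ipaddress's hostmask parsing because IOS reads `0.0.0.0` as a single host and `255.255.255.255` as any, the opposite of what a netmask parser would assume. The script does not model ISAKMP or IPsec proposal mismatches, which `show crypto isakmp sa` and `debug crypto isakmp` expose on the router itself.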
Last modified: 2019/05/08 12:47