In this example there are four routers. One of them simulates an ISP (the transport network) and the other three are DMVPN routers at customer edge sites: one hub and two spokes. We will test spoke-to-spoke connectivity, i.e. that traffic between the two spokes' LANs is carried over a direct IPsec tunnel between the spokes instead of being relayed through the hub.
DMVPN Hub Configuration:
crypto isakmp policy 10
! 3DES is a legacy cipher; hash and DH group are left at the IKEv1 defaults (SHA-1, group 1)
encr 3des
authentication pre-share
! Wildcard pre-shared key: any peer that knows CISCO123 can authenticate to this hub
crypto isakmp key CISCO123 address 0.0.0.0 0.0.0.0
crypto ipsec transform-set SET1 esp-3des esp-sha-hmac
mode transport
crypto ipsec profile DMVPN
set transform-set SET1
! Loopback0 is the hub's NBMA (transport) address, reachable through the ISP via OSPF
interface Loopback0
ip address 1.1.1.1 255.255.255.255
interface Tunnel0
ip address 10.10.10.1 255.255.255.0
no ip redirects
! Phase 2 spoke-to-spoke: advertise spoke prefixes with the originating spoke as next hop,
! so a spoke can resolve the other spoke's NBMA address via NHRP instead of sending via the hub
no ip next-hop-self eigrp 10
! Cleartext NHRP authentication string: it keeps NHRP domains apart but is not a security control
ip nhrp authentication CISCO
ip nhrp map multicast dynamic
ip nhrp network-id 123
! Re-advertise routes learned from one spoke back out Tunnel0 to the other spokes
no ip split-horizon eigrp 10
tunnel source Loopback0
tunnel mode gre multipoint
! The GRE key only identifies the tunnel; it is not a secret
tunnel key 123
tunnel protection ipsec profile DMVPN
interface FastEthernet1/0
ip address 192.168.1.2 255.255.255.0
router eigrp 10
network 10.10.0.0 0.0.255.255
no auto-summary
router ospf 1
router-id 1.1.1.1
log-adjacency-changes
network 1.1.1.1 0.0.0.0 area 0
network 192.168.0.0 0.0.255.255 area 0
DMVPN Spoke-1 Configuration:
crypto isakmp policy 10
encr 3des
authentication pre-share
crypto isakmp key CISCO123 address 0.0.0.0 0.0.0.0
crypto ipsec transform-set SET1 esp-3des esp-sha-hmac
mode transport
crypto ipsec profile DMVPN
set transform-set SET1
interface Loopback0
ip address 3.3.3.3 255.255.255.255
interface Loopback10
description *** SIMULATES LAN Network ***
ip address 10.10.3.3 255.255.255.255
interface Tunnel0
ip address 10.10.10.3 255.255.255.0
no ip redirects
ip nhrp authentication CISCO
ip nhrp map 10.10.10.1 1.1.1.1
ip nhrp map multicast 1.1.1.1
ip nhrp network-id 123
ip nhrp nhs 10.10.10.1
tunnel source Loopback0
tunnel mode gre multipoint
tunnel key 123
tunnel protection ipsec profile DMVPN
interface FastEthernet1/0
ip address 192.168.3.2 255.255.255.0
router eigrp 10
network 10.10.0.0 0.0.255.255
no auto-summary
router ospf 1
router-id 3.3.3.3
log-adjacency-changes
network 3.3.3.3 0.0.0.0 area 0
network 192.168.0.0 0.0.255.255 area 0
DMVPN Spoke-2 Configuration:
crypto isakmp policy 10
encr 3des
authentication pre-share
crypto isakmp key CISCO123 address 0.0.0.0 0.0.0.0
crypto ipsec transform-set SET1 esp-3des esp-sha-hmac
mode transport
crypto ipsec profile DMVPN
set transform-set SET1
interface Loopback0
ip address 4.4.4.4 255.255.255.255
interface Loopback10
description *** SIMULATES LAN Network ***
ip address 10.10.4.4 255.255.255.255
interface Tunnel0
ip address 10.10.10.4 255.255.255.0
no ip redirects
ip nhrp authentication CISCO
ip nhrp map 10.10.10.1 1.1.1.1
ip nhrp map multicast 1.1.1.1
ip nhrp network-id 123
ip nhrp nhs 10.10.10.1
tunnel source Loopback0
tunnel mode gre multipoint
tunnel key 123
tunnel protection ipsec profile DMVPN
interface FastEthernet1/0
ip address 192.168.4.2 255.255.255.0
router eigrp 10
network 10.10.0.0 0.0.255.255
no auto-summary
router ospf 1
router-id 4.4.4.4
log-adjacency-changes
network 4.4.4.4 0.0.0.0 area 0
network 192.168.0.0 0.0.255.255 area 0
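The three configurations above use 3DES with the IKEv1 defaults (SHA-1, DH group 1), one wildcard pre-shared key shared by every peer, and no PFS (the SA output further down reports PFS N). The hardened variant below is an added example and not part of the original post. It assumes an IOS 15.x image that supports hash sha256, group 14 and esp-sha256-hmac, keeps the names SET1 and DMVPN, and uses placeholder key strings that must be replaced. Per-peer keys are shown because this lab has only two spokes; since spoke-to-spoke tunnels require every spoke to authenticate every other spoke, a deployment with many spokes would move to certificate authentication instead.

```cisco
! === Hub: hardened IKEv1/IPsec (added example; replaces the crypto lines of the hub config) ===
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 3600
! Dead peer detection: tear down ISAKMP/IPsec SAs to spokes that stop responding
crypto isakmp keepalive 10 3 periodic
! One pre-shared key per spoke NBMA address instead of one wildcard key (placeholders, change them)
crypto isakmp key HUB-SPOKE1-KEY-CHANGE-ME address 3.3.3.3 255.255.255.255
crypto isakmp key HUB-SPOKE2-KEY-CHANGE-ME address 4.4.4.4 255.255.255.255
crypto ipsec transform-set SET1 esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile DMVPN
 set transform-set SET1
 ! Perfect forward secrecy: a fresh DH exchange for every IPsec rekey
 set pfs group14
!
interface Tunnel0
 ip address 10.10.10.1 255.255.255.0
 no ip redirects
 ! GRE+IPsec overhead: the original SA output shows ip mtu 1514 on the tunnel, which fragments
 ! full-size packets; apply the same two lines on the spokes' Tunnel0
 ip mtu 1400
 ip tcp adjust-mss 1360
 no ip next-hop-self eigrp 10
 ! Cleartext string (max 8 chars) that only keeps NHRP domains apart; IKE does the real authentication
 ip nhrp authentication CISCO
 ip nhrp map multicast dynamic
 ip nhrp network-id 123
 no ip split-horizon eigrp 10
 tunnel source Loopback0
 tunnel mode gre multipoint
 tunnel key 123
 tunnel protection ipsec profile DMVPN
!
! === Spoke-1: same isakmp policy, transform set and profile as the hub; only the keys differ ===
! Spoke-to-spoke IPsec means each spoke must be able to authenticate the hub AND every other spoke
crypto isakmp key HUB-SPOKE1-KEY-CHANGE-ME address 1.1.1.1 255.255.255.255
crypto isakmp key SPOKE1-SPOKE2-KEY-CHANGE-ME address 4.4.4.4 255.255.255.255
!
! === Spoke-2 ===
crypto isakmp key HUB-SPOKE2-KEY-CHANGE-ME address 1.1.1.1 255.255.255.255
crypto isakmp key SPOKE1-SPOKE2-KEY-CHANGE-ME address 3.3.3.3 255.255.255.255
```

The wildcard key matters more in a spoke-to-spoke design than in a pure hub-and-spoke one: with a single shared key, anyone on the transport network who obtains it can build an IPsec session not only to the hub but directly to every spoke. Per-peer keys limit the blast radius of one leaked key to the tunnels that use it.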
Verify:
- First, let's check the routing tables on the DMVPN hub:
DMVPN-HUB#show ip route ospf
3.0.0.0/32 is subnetted, 1 subnets
O 3.3.3.3 [110/12] via 192.168.1.1, 00:45:38, FastEthernet1/0
4.0.0.0/32 is subnetted, 1 subnets
O 4.4.4.4 [110/3] via 192.168.1.1, 00:44:47, FastEthernet1/0
O 192.168.4.0/24 [110/2] via 192.168.1.1, 00:46:39, FastEthernet1/0
O 192.168.3.0/24 [110/11] via 192.168.1.1, 00:46:39, FastEthernet1/0
DMVPN-HUB#show ip route eigrp
10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
D 10.10.4.4/32 [90/27008000] via 10.10.10.4, 00:16:00, Tunnel0
D 10.10.3.3/32 [90/27008000] via 10.10.10.3, 00:15:34, Tunnel0
The hub learns the spokes' NBMA (transport) addresses, 3.3.3.3 and 4.4.4.4, through OSPF running with the simulated ISP, while the LAN prefixes that will be carried inside the encrypted tunnel, 10.10.3.3/32 and 10.10.4.4/32, are learned through EIGRP over Tunnel0.
- Now let's go to Spoke-1 and run some tests. Its EIGRP route to Spoke-2's LAN should point at Spoke-2's tunnel address (10.10.10.4) rather than at the hub, which is what "no ip next-hop-self eigrp 10" on the hub achieves:
DMVPN-Spoke1#show ip route eigrp
10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
D 10.10.4.4/32 [90/28288000] via 10.10.10.4, 00:21:27, Tunnel0
DMVPN-Spoke1#show ip nhrp
10.10.10.1/32 via 10.10.10.1
Tunnel0 created 00:48:20, never expire
Type: static, Flags: used
NBMA address: 1.1.1.1
10.10.10.3/32 via 10.10.10.3
Tunnel0 created 00:06:57, expire 01:53:02
Type: dynamic, Flags: router unique local
NBMA address: 3.3.3.3
(no-socket)
- Next, enable NHRP debugging and ping Spoke-2's LAN address from Spoke-1's LAN address. While the resolution request for 10.10.10.4 is outstanding, Spoke-1 still resolves that tunnel address to the hub's NBMA address 1.1.1.1 and forwards through the hub; the "need to wait for IPsec SAs" line shows the direct IPsec session to 4.4.4.4 being brought up before the direct NHRP mapping is used. The ping's "!" characters are interleaved with the debug lines:
DMVPN-Spoke1#debug nhrp
NHRP protocol debugging is on
DMVPN-Spoke1#ping 10.10.4.4 source 10.10.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.4.4, timeout is 2 seconds:
Packet sent with a source address of 10.10.3.3
*Aug 26 12:06:48.295: NHRP: MACADDR: if_in null netid-in 0 if_out Tunnel0 netid-out 123
*Aug 26 12:06:48.299: NHRP: Sending packet to NHS 10.10.10.1 on Tunnel0
*Aug 26 12:06:48.299: NHRP: NHRP successfully resolved 10.10.10.1 to NBMA 1.1.1.1
*Aug 26 12:06:48.299: NHRP: Checking for delayed event /10.10.10.4 on list (Tunnel0).
*Aug 26 12:06:48.299: NHRP: No node found.
*Aug 26 12:06:48.303: NHRP: Adding Tunnel Endpoints (VPN: 10.10.10.4, NBMA: 1.1.1.1)
*Aug 26 12:06:48.311: NHRP: Enqueued NHRP Resolution Request for destination: 10.10.10.4
*Aug 26 12:06:48.323: NHRP: Checking for delayed event /10.10.10.4 on list (Tunnel0).
*Aug 26 12:06:48.323: NHRP: No node found.!!
*Aug 26 12:06:48.323: NHRP: Sending NHRP Resolution Request for dest: 10.10.10.4 to NHS: 10.10.10.1 using our src: 10.10.10.3
*Aug 26 12:06:48.327: NHRP: Attempting to send packet via DEST 10.10.10.1
*Aug 26 12:06:48.327: NHRP: NHRP successfully resolved 10.10.10.1 to NBMA 1.1.1.1
*Aug 26 12:06:48.331: NHRP: Encapsulation succeeded. Tunnel IP addr 1.1.1.1
*Aug 26 12:06:48.331: NHRP: Send Resolution Request via Tunnel0 vrf 0, packet size: 85
*Aug 26 12:06:48.331: NHRP: 113 bytes out Tunnel0
*Aug 26 12:06:49.051: NHRP: NHRP successfully resolved 10.10.10.4 to NBMA 1.1.1.1
*Aug 26 12:06:49.087: NHRP: Receive Resolution Request via Tunnel0 vrf 0, packet size: 105!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 88/482/824 ms
*Aug 26 12:06:49.087: NHRP: netid_in = 123, to_us = 1
*Aug 26 12:06:49.091: NHRP: nhrp_rtlookup yielded Tunnel0
*Aug 26 12:06:49.091: NHRP: request was to us, responding with ouraddress
*Aug 26 12:06:49.091: NHRP: Checking for delayed event 10.10.10.4/10.10.10.3 on list (Tunnel0).
*Aug 26 12:06:49.091: NHRP: No node found.
*Aug 26 12:06:49.095: NHRP: Delaying resolution request nbma src:3.3.3.3 nbma dst:4.4.4.4 reason:IPSEC-IFC: need to wait for IPsec SAs.
*Aug 26 12:06:49.895: NHRP: NHRP successfully resolved 10.10.10.4 to NBMA 1.1.1.1
*Aug 26 12:06:50.107: NHRP: Checking for delayed event /10.10.10.4 on list (Tunnel0).
*Aug 26 12:06:50.107: NHRP: No node found.
*Aug 26 12:06:50.107: NHRP: Sending NHRP Resolution Request for dest: 10.10.10.4 to NHS: 10.10.10.1 using our src: 10.10.10.3
*Aug 26 12:06:50.111: NHRP: Attempting to send packet via DEST 10.10.10.1
*Aug 26 12:06:50.111: NHRP: NHRP successfully resolved 10.10.10.1 to NBMA 1.1.1.1
- Finally, the IPsec SAs on Spoke-1. The first SA (peer 1.1.1.1) is the permanent spoke-to-hub tunnel; the second (peer 4.4.4.4) is the dynamic spoke-to-spoke tunnel built during the test, and its non-zero encaps/decaps counters show the echo traffic being encrypted directly to Spoke-2. Note also "PFS (Y/N): N" on both SAs: no perfect forward secrecy is configured.
DMVPN-Spoke1#show crypto ipsec sa
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 3.3.3.3
protected vrf: (none)
local ident (addr/mask/prot/port): (3.3.3.3/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/47/0)
current_peer 1.1.1.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 690, #pkts encrypt: 690, #pkts digest: 690
#pkts decaps: 691, #pkts decrypt: 691, #pkts verify: 691
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 2, #recv errors 0
local crypto endpt.: 3.3.3.3, remote crypto endpt.: 1.1.1.1
path mtu 1514, ip mtu 1514, ip mtu idb Loopback0
current outbound spi: 0xF100024E(4043309646)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xEDB7CFBC(3988246460)
transform: esp-3des esp-sha-hmac ,
in use settings ={Transport, }
conn id: 3, flow_id: SW:3, sibling_flags 80000006, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4522444/765)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xF100024E(4043309646)
transform: esp-3des esp-sha-hmac ,
in use settings ={Transport, }
conn id: 4, flow_id: SW:4, sibling_flags 80000006, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4522444/765)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (3.3.3.3/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (4.4.4.4/255.255.255.255/47/0)
current_peer 4.4.4.4 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 3.3.3.3, remote crypto endpt.: 4.4.4.4
path mtu 1514, ip mtu 1514, ip mtu idb Loopback0
current outbound spi: 0x7112FFF0(1897070576)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x6B2FE3F1(1798300657)
transform: esp-3des esp-sha-hmac ,
in use settings ={Transport, }
conn id: 17, flow_id: SW:17, sibling_flags 80000006, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4388446/3567)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x7112FFF0(1897070576)
transform: esp-3des esp-sha-hmac ,
in use settings ={Transport, }
conn id: 18, flow_id: SW:18, sibling_flags 80000006, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4388446/3567)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
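A short checklist for confirming that the path really is spoke-to-spoke, added here as an example and not part of the original post. It assumes the commands are run on DMVPN-Spoke1 while the ping from the test above is repeated, and uses this lab's addresses.

```cisco
! On DMVPN-Spoke1, during or right after: ping 10.10.4.4 source 10.10.3.3 repeat 100
!
! 1. NHRP must hold a dynamic entry for Spoke-2's tunnel address whose NBMA address is 4.4.4.4,
!    not the hub's 1.1.1.1 that the debug showed before resolution completed
show ip nhrp 10.10.10.4
! 2. Both the hub (1.1.1.1) and Spoke-2 (4.4.4.4) must appear as ISAKMP peers in state QM_IDLE
show crypto isakmp sa
! 3. The 4.4.4.4 SA's encaps/decaps counters must increase with the ping while the 1.1.1.1 SA's
!    stay flat; counters climbing only on the 1.1.1.1 SA mean the traffic is still hairpinning via the hub
show crypto ipsec sa peer 4.4.4.4 | include current_peer|pkts encaps|pkts decaps
show crypto ipsec sa peer 1.1.1.1 | include current_peer|pkts encaps|pkts decaps
! 4. The trace must complete without 10.10.10.1 (the hub's tunnel address) appearing as a hop
traceroute 10.10.4.4 source 10.10.3.3
! 5. Per-peer summary: a dynamic (Attrb D) entry with Peer NBMA 4.4.4.4 in state UP is the direct tunnel
show dmvpn detail
```

Running step 3 twice a few seconds apart is the most reliable of these checks: the counters are the only evidence that encrypted data, and not just NHRP control traffic, is taking the direct path.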