summaryrefslogtreecommitdiff
path: root/docs/appendix/examples/dmvpn.rst
blob: 74dc169d0d66b25771bd3f12cdaf9c26024ea0e8 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
.. _examples-dmvpn:

#########
DMVPN Hub
#########

********
Overview
********

General information can be found in the :ref:`vpn-dmvpn` chapter.

This blueprint uses VyOS as the DMVPN Hub and Cisco (7206VXR) as multiple
spokes. The lab was build using :abbr:`EVE-NG (Emulated Virtual Environment NG)`.

.. figure:: /_static/images/blueprint-dmvpn.png
   :alt: DMVPN network

Each node (Hub and Spoke) uses an IP address from the network 172.16.253.128/29.

The below referenced IP address `192.0.2.1` is used as example address
representing a global unicast address under which the HUB can be contacted by
each and every individual spoke.

*************
Configuration
*************

Hub
===

.. code-block:: none

  set interfaces ethernet eth0 address 192.0.2.1/24

  set interfaces tunnel tun100 address '172.16.253.134/29'
  set interfaces tunnel tun100 encapsulation 'gre'
  set interfaces tunnel tun100 local-ip '192.0.2.1'
  set interfaces tunnel tun100 multicast 'enable'
  set interfaces tunnel tun100 parameters ip key '1'

  set protocols nhrp tunnel tun100 cisco-authentication 'secret'
  set protocols nhrp tunnel tun100 holding-time '300'
  set protocols nhrp tunnel tun100 multicast 'dynamic'
  set protocols nhrp tunnel tun100 redirect
  set protocols nhrp tunnel tun100 shortcut

  set system host-name 'HUB'
  set system time-zone 'UTC'

  set vpn ipsec esp-group ESP-HUB compression 'disable'
  set vpn ipsec esp-group ESP-HUB lifetime '1800'
  set vpn ipsec esp-group ESP-HUB mode 'tunnel'
  set vpn ipsec esp-group ESP-HUB pfs 'dh-group2'
  set vpn ipsec esp-group ESP-HUB proposal 1 encryption 'aes256'
  set vpn ipsec esp-group ESP-HUB proposal 1 hash 'sha1'
  set vpn ipsec esp-group ESP-HUB proposal 2 encryption '3des'
  set vpn ipsec esp-group ESP-HUB proposal 2 hash 'md5'
  set vpn ipsec ike-group IKE-HUB ikev2-reauth 'no'
  set vpn ipsec ike-group IKE-HUB key-exchange 'ikev1'
  set vpn ipsec ike-group IKE-HUB lifetime '3600'
  set vpn ipsec ike-group IKE-HUB proposal 1 dh-group '2'
  set vpn ipsec ike-group IKE-HUB proposal 1 encryption 'aes256'
  set vpn ipsec ike-group IKE-HUB proposal 1 hash 'sha1'
  set vpn ipsec ike-group IKE-HUB proposal 2 dh-group '2'
  set vpn ipsec ike-group IKE-HUB proposal 2 encryption 'aes128'
  set vpn ipsec ike-group IKE-HUB proposal 2 hash 'sha1'

  set vpn ipsec ipsec-interfaces interface 'eth0'

  set vpn ipsec profile NHRPVPN authentication mode 'pre-shared-secret'
  set vpn ipsec profile NHRPVPN authentication pre-shared-secret 'secret'
  set vpn ipsec profile NHRPVPN bind tunnel 'tun100'
  set vpn ipsec profile NHRPVPN esp-group 'ESP-HUB'
  set vpn ipsec profile NHRPVPN ike-group 'IKE-HUB'

Spoke
=====

The individual spoke configurations only differ in the local IP address on the
``tun10`` interface. See the above diagram for the individual IP addresses.

spoke01
-------

.. code-block:: none

  Current configuration : 1773 bytes
  !
  ! Last configuration change at 14:46:27 UTC Sun Nov 15 2020
  upgrade fpd auto
  version 15.1
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  !
  hostname spoke01
  !
  boot-start-marker
  boot-end-marker
  !
  !
  !
  no aaa new-model
  !
  ip source-route
  ip cef
  !
  !
  !
  !
  !
  no ipv6 cef
  !
  multilink bundle-name authenticated
  !
  !
  !
  !
  !
  !
  !
  crypto pki token default removal timeout 0
  !
  !
  !
  redundancy
  !
  !
  !
  crypto keyring DMVPN
    pre-shared-key address 192.0.2.1 key secret
  !
  crypto isakmp policy 10
   encr aes 256
   authentication pre-share
   group 2
  crypto isakmp invalid-spi-recovery
  crypto isakmp keepalive 30 30 periodic
  crypto isakmp profile DMVPN
     keyring DMVPN
     match identity address 192.0.2.1 255.255.255.255
  !
  !
  crypto ipsec transform-set DMVPN-AES256 esp-aes 256 esp-sha-hmac
   mode transport
  !
  crypto ipsec profile DMVPN
   set security-association idle-time 720
   set transform-set DMVPN-AES256
   set isakmp-profile DMVPN
  !
  !
  !
  !
  !
  !
  interface Tunnel10
   description Tunnel to DMVPN HUB
   ip address 172.16.253.129 255.255.255.248
   no ip redirects
   ip nhrp authentication secret
   ip nhrp map 172.16.253.134 192.0.2.1
   ip nhrp map multicast 192.0.2.1
   ip nhrp network-id 1
   ip nhrp holdtime 600
   ip nhrp nhs 172.16.253.134
   ip nhrp registration timeout 75
   tunnel source FastEthernet0/0
   tunnel mode gre multipoint
   tunnel key 1
  !
  interface FastEthernet0/0
   ip address dhcp
   duplex half
  !
  interface FastEthernet1/0
   no ip address
   shutdown
   duplex half
  !
  ip forward-protocol nd
  no ip http server
  no ip http secure-server
  !
  !
  !
  !
  !
  !
  !
  !
  !
  control-plane
  !
  !
  !
  mgcp profile default
  !
  !
  !
  gatekeeper
   shutdown
  !
  !
  line con 0
   stopbits 1
  line aux 0
   stopbits 1
  line vty 0 4
   login
   transport input all
  !
  end