blob: 74dc169d0d66b25771bd3f12cdaf9c26024ea0e8 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
|
.. _examples-dmvpn:
#########
DMVPN Hub
#########
********
Overview
********
General information can be found in the :ref:`vpn-dmvpn` chapter.
This blueprint uses VyOS as the DMVPN Hub and Cisco (7206VXR) as multiple
spokes. The lab was build using :abbr:`EVE-NG (Emulated Virtual Environment NG)`.
.. figure:: /_static/images/blueprint-dmvpn.png
:alt: DMVPN network
Each node (Hub and Spoke) uses an IP address from the network 172.16.253.128/29.
The below referenced IP address `192.0.2.1` is used as example address
representing a global unicast address under which the HUB can be contacted by
each and every individual spoke.
*************
Configuration
*************
Hub
===
.. code-block:: none
set interfaces ethernet eth0 address 192.0.2.1/24
set interfaces tunnel tun100 address '172.16.253.134/29'
set interfaces tunnel tun100 encapsulation 'gre'
set interfaces tunnel tun100 local-ip '192.0.2.1'
set interfaces tunnel tun100 multicast 'enable'
set interfaces tunnel tun100 parameters ip key '1'
set protocols nhrp tunnel tun100 cisco-authentication 'secret'
set protocols nhrp tunnel tun100 holding-time '300'
set protocols nhrp tunnel tun100 multicast 'dynamic'
set protocols nhrp tunnel tun100 redirect
set protocols nhrp tunnel tun100 shortcut
set system host-name 'HUB'
set system time-zone 'UTC'
set vpn ipsec esp-group ESP-HUB compression 'disable'
set vpn ipsec esp-group ESP-HUB lifetime '1800'
set vpn ipsec esp-group ESP-HUB mode 'tunnel'
set vpn ipsec esp-group ESP-HUB pfs 'dh-group2'
set vpn ipsec esp-group ESP-HUB proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-HUB proposal 1 hash 'sha1'
set vpn ipsec esp-group ESP-HUB proposal 2 encryption '3des'
set vpn ipsec esp-group ESP-HUB proposal 2 hash 'md5'
set vpn ipsec ike-group IKE-HUB ikev2-reauth 'no'
set vpn ipsec ike-group IKE-HUB key-exchange 'ikev1'
set vpn ipsec ike-group IKE-HUB lifetime '3600'
set vpn ipsec ike-group IKE-HUB proposal 1 dh-group '2'
set vpn ipsec ike-group IKE-HUB proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-HUB proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE-HUB proposal 2 dh-group '2'
set vpn ipsec ike-group IKE-HUB proposal 2 encryption 'aes128'
set vpn ipsec ike-group IKE-HUB proposal 2 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec profile NHRPVPN authentication mode 'pre-shared-secret'
set vpn ipsec profile NHRPVPN authentication pre-shared-secret 'secret'
set vpn ipsec profile NHRPVPN bind tunnel 'tun100'
set vpn ipsec profile NHRPVPN esp-group 'ESP-HUB'
set vpn ipsec profile NHRPVPN ike-group 'IKE-HUB'
Spoke
=====
The individual spoke configurations only differ in the local IP address on the
``tun10`` interface. See the above diagram for the individual IP addresses.
spoke01
-------
.. code-block:: none
Current configuration : 1773 bytes
!
! Last configuration change at 14:46:27 UTC Sun Nov 15 2020
upgrade fpd auto
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname spoke01
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
ip source-route
ip cef
!
!
!
!
!
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
crypto pki token default removal timeout 0
!
!
!
redundancy
!
!
!
crypto keyring DMVPN
pre-shared-key address 192.0.2.1 key secret
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 30 30 periodic
crypto isakmp profile DMVPN
keyring DMVPN
match identity address 192.0.2.1 255.255.255.255
!
!
crypto ipsec transform-set DMVPN-AES256 esp-aes 256 esp-sha-hmac
mode transport
!
crypto ipsec profile DMVPN
set security-association idle-time 720
set transform-set DMVPN-AES256
set isakmp-profile DMVPN
!
!
!
!
!
!
interface Tunnel10
description Tunnel to DMVPN HUB
ip address 172.16.253.129 255.255.255.248
no ip redirects
ip nhrp authentication secret
ip nhrp map 172.16.253.134 192.0.2.1
ip nhrp map multicast 192.0.2.1
ip nhrp network-id 1
ip nhrp holdtime 600
ip nhrp nhs 172.16.253.134
ip nhrp registration timeout 75
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 1
!
interface FastEthernet0/0
ip address dhcp
duplex half
!
interface FastEthernet1/0
no ip address
shutdown
duplex half
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
!
!
!
!
!
!
!
control-plane
!
!
!
mgcp profile default
!
!
!
gatekeeper
shutdown
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login
transport input all
!
end
|