Line 1: |
Line 1: |
− | <p style="color:red">The information in this page is updated in accordance with [https://wiki.teltonika-networks.com/view/FW_%26_SDK_Downloads'''00.07.03.2'''] firmware version. .</p> | + | <p style="color:red">The information in this page is updated in accordance with [https://wiki.teltonika-networks.com/view/FW_%26_SDK_Downloads'''00.07.05'''] firmware version. .</p> |
| | | |
| ==Introduction== | | ==Introduction== |
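Review bot: the bumped version string is still fused into the external link with no separating space (`[https://wiki.teltonika-networks.com/view/FW_%26_SDK_Downloads'''00.07.05''']`), so the `'''00.07.05'''` is read as part of the URL instead of the link label; write `[https://wiki.teltonika-networks.com/view/FW_%26_SDK_Downloads '''00.07.05''']` and, since the line is being edited anyway, drop the stray second period in "firmware version. .".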
Line 63: |
Line 63: |
| 5. Set IPsec Pre-shared key (we used simple 123456 for this example) | | 5. Set IPsec Pre-shared key (we used simple 123456 for this example) |
| | | |
− | <br>[[File:HUB main.png|alt=|border]] | + | <br>[[File:HUB main.png|border|class=tlt-border]] |
| ---- | | ---- |
| <b>Step 2</b>: configure '''DMVPN Phase 1''' parameters: | | <b>Step 2</b>: configure '''DMVPN Phase 1''' parameters: |
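Review bot: the image markup change is fine, but step 5 on the unchanged line above still presents "123456" as the pre-shared key. The page itself calls it "simple", and later steps set the Remote identifier to %any, so this PSK is the only thing authenticating every spoke; the step should say that a long random key is required outside this lab example.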
Line 73: |
Line 73: |
| 3. DH group - MODP3072 | | 3. DH group - MODP3072 |
| | | |
− | <br>[[File:Hub phase1.png|alt=|border]] | + | <br>[[File:Hub phase1.png|border|class=tlt-border]] |
| ---- | | ---- |
| <b>Step 3</b>: configure '''DMVPN Phase 2''' parameters: | | <b>Step 3</b>: configure '''DMVPN Phase 2''' parameters: |
Line 83: |
Line 83: |
| 3. PFS group -MODP3072 | | 3. PFS group -MODP3072 |
| | | |
− | <br>[[File:Hub phase2 fix.png|alt=|border]] | + | <br>[[File:Hub phase2 fix.png|border|class=tlt-border]] |
| ---- | | ---- |
| <b>Step 4</b>: configure '''DMVPN NHRP''' parameters: | | <b>Step 4</b>: configure '''DMVPN NHRP''' parameters: |
Line 89: |
Line 89: |
| In the NHRP parameters section, it is important to enable '''REDIRECT''' option, which is essential to our Phase 3 configuration. | | In the NHRP parameters section, it is important to enable '''REDIRECT''' option, which is essential to our Phase 3 configuration. |
| | | |
− | <br>[[File:Redirect.png|alt=|border]] | + | <br>[[File:Redirect.png|border|class=tlt-border]] |
| ---- | | ---- |
| <b>Step 5</b>: save changes | | <b>Step 5</b>: save changes |
Line 109: |
Line 109: |
| 5. "NHRP routes" selection should be applied under the "Redistribution options" section | | 5. "NHRP routes" selection should be applied under the "Redistribution options" section |
| | | |
− | <br>[[File:Hub bgp.png|alt=|border]] | + | <br>[[File:Hub bgp.png|border|class=tlt-border]] |
| ---- | | ---- |
| | | |
Line 119: |
Line 119: |
| - Leave other settings as default. | | - Leave other settings as default. |
| | | |
− | <br>[[File:Bgp peer grp.png|alt=|border]] | + | <br>[[File:Bgp peer grp.png|border|class=tlt-border]] |
| ---- | | ---- |
| | | |
Line 141: |
Line 141: |
| We will keep other settings as their default values for this configuration example. | | We will keep other settings as their default values for this configuration example. |
| | | |
− | <br>[[File:Bgp peer1.png|alt=|border]] | + | <br>[[File:Bgp peer1.png|border|class=tlt-border]] |
| ---- | | ---- |
− | [[File:Bgp peer2.png|alt=|border]] | + | [[File:Bgp peer2.png|border|class=tlt-border]] |
| ---- | | ---- |
| | | |
Line 167: |
Line 167: |
| 6. Set Local identifier (For setups behind NAT), Remote identifier as %any and input the same Pre-shared key (This will determine how other devices will be identified for authentication) | | 6. Set Local identifier (For setups behind NAT), Remote identifier as %any and input the same Pre-shared key (This will determine how other devices will be identified for authentication) |
| | | |
− | <br>[[File:Spoke dmvpn.png|alt=|border]] | + | <br>[[File:Spoke dmvpn.png|border|class=tlt-border]] |
| ---- | | ---- |
| | | |
Line 179: |
Line 179: |
| 3. Select DH group MODP3072 | | 3. Select DH group MODP3072 |
| | | |
− | <br>[[File:Hub phase1.png|alt=spoke phase1|border]] | + | <br>[[File:Hub phase1.png|border|class=tlt-border]] |
| ---- | | ---- |
| | | |
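Review bot: removing `alt=spoke phase1` drops the only thing that marked this screenshot as the spoke's, because the file referenced is the hub's `Hub phase1.png` (the same reuse appears for `Hub phase2 fix.png` in the next hunk and again in the Spoke 2 section). Either keep the alt text or upload spoke-specific screenshots, otherwise a reader sees hub settings under a spoke heading.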
Line 191: |
Line 191: |
| 3. Select PFS group MODP3072 | | 3. Select PFS group MODP3072 |
| | | |
− | <br>[[File:Hub phase2 fix.png|alt=spoke phase2|border]] | + | <br>[[File:Hub phase2 fix.png|border|class=tlt-border]] |
| ---- | | ---- |
| | | |
Line 201: |
Line 201: |
| - Leave everything by default | | - Leave everything by default |
| | | |
− | <br>[[File:Redirect.png|alt=Redirect|border]] | + | <br>[[File:Redirect.png|border|class=tlt-border]] |
| ---- | | ---- |
| <b>Step 5</b>: save changes | | <b>Step 5</b>: save changes |
Line 217: |
Line 217: |
| 3. Set Network to 192.168.10.0/24 | | 3. Set Network to 192.168.10.0/24 |
| | | |
− | <br>[[File:Spoke bgp.png|alt=|border]] | + | <br>[[File:Spoke bgp.png|border|class=tlt-border]] |
| ---- | | ---- |
| | | |
Line 229: |
Line 229: |
| - Leave everything else as default value | | - Leave everything else as default value |
| | | |
− | <br>[[File:Spoke bgp peer.png|alt=|border]] | + | <br>[[File:Spoke bgp peer.png|border|class=tlt-border]] |
| | | |
| ===Spoke 2 configuration: DMVPN=== | | ===Spoke 2 configuration: DMVPN=== |
Line 249: |
Line 249: |
| 6. Set Local identifier (For setups behind NAT), Remote identifier as %any and input the same Pre-shared key (This will determine how other devices will be identified for authentication) | | 6. Set Local identifier (For setups behind NAT), Remote identifier as %any and input the same Pre-shared key (This will determine how other devices will be identified for authentication) |
| | | |
− | <br>[[File:Spoke2 dmvpn.png|alt=|border]] | + | <br>[[File:Spoke2 dmvpn.png|border|class=tlt-border]] |
| ---- | | ---- |
| | | |
Line 261: |
Line 261: |
| 3. Select DH group MODP3072 | | 3. Select DH group MODP3072 |
| | | |
− | <br>[[File:Hub phase1.png|alt=spoke phase1|border]] | + | <br>[[File:Hub phase1.png|border|class=tlt-border]] |
| ---- | | ---- |
| <b>Step 3</b>: configure '''DMVPN Phase 2''' parameters: | | <b>Step 3</b>: configure '''DMVPN Phase 2''' parameters: |
Line 271: |
Line 271: |
| 3. Select PFS group MODP3072 | | 3. Select PFS group MODP3072 |
| | | |
− | <br>[[File:Hub phase2 fix.png|alt=spoke phase2|border]] | + | <br>[[File:Hub phase2 fix.png|border|class=tlt-border]] |
| ---- | | ---- |
| | | |
Line 281: |
Line 281: |
| - Leave everything by default | | - Leave everything by default |
| | | |
− | <br>[[File:Redirect.png|alt=Redirect|border]] | + | <br>[[File:Redirect.png|border|class=tlt-border]] |
| ---- | | ---- |
| <b>Step 5</b>: save changes | | <b>Step 5</b>: save changes |
Line 297: |
Line 297: |
| 3. Set Network to 192.168.20.0/24 | | 3. Set Network to 192.168.20.0/24 |
| | | |
− | <br>[[File:Spoke2 bgp peer.png|alt=|border]] | + | <br>[[File:Spoke2 bgp peer.png|border|class=tlt-border]] |
| ---- | | ---- |
| | | |
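Review bot: the screenshot on this step looks mismatched. For the hub and Spoke 1 the "Set Network" step uses a `<name> bgp.png` file and the peer step uses `<name> bgp peer.png`, but here the "Set Network to 192.168.20.0/24" step shows `Spoke2 bgp peer.png` while the peer step in the next hunk shows the Spoke 1 file `Spoke bgp peer.png`; check which image belongs to which step before keeping the new markup.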
Line 309: |
Line 309: |
| - Leave everything else as default value | | - Leave everything else as default value |
| | | |
− | <br>[[File:Spoke bgp peer.png|alt=Spoke bgp peer|border]] | + | <br>[[File:Spoke bgp peer.png|border|class=tlt-border]] |
| | | |
| ---- | | ---- |
| ===Important Note=== | | ===Important Note=== |
| + | For '''HUB''' in Network <b>→</b> Firewall GRE zone change from '''REJECT''' to '''ACCEPT''' on '''FORWARD.''' |
| | | |
| + | Also, disable '''Masquerading''' on '''HUB''' and '''ALL spokes''' for GRE <b>→</b> LAN zone forwardings |
| | | |
− | | + | [[File:Firewall new.png|alt=|border]] |
− | For '''HUB''' in Network -> Firewall GRE zone change from '''REJECT''' to '''ACCEPT''' on '''FORWARD.'''
| |
− | | |
− | [[File:Firewall.png|alt=|border]] | |
| | | |
| ===Testing configuration=== | | ===Testing configuration=== |
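Review bot: the two firewall instructions tell the reader what to change without saying why. The hub line opens the GRE zone's FORWARD policy from REJECT to ACCEPT and the new masquerading line says nothing about which symptom it fixes or why it applies to "ALL spokes"; one sentence each would let readers judge the change rather than apply it blind, and the masquerading sentence also needs its terminal period. Separately, the replacement image `[[File:Firewall new.png|alt=|border]]` keeps the old `alt=|border` form while every other image in this revision was switched to `border|class=tlt-border`.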
Line 330: |
Line 329: |
| [[File:Ping2.png|alt=|border]] | | [[File:Ping2.png|alt=|border]] |
| | | |
− | - Check routes in the HUB by executing command '''vtysh -c "show ip nhrp"''' | + | - Check routes in the HUB by executing *command '''vtysh -c "show ip nhrp"''' |
| + | |
| + | <b>Note</b>: Vtysh check is unavailable with RUT200, RUT230, RUT240, RUT241, RUT260 devices. |
| | | |
| [[File:Vtysh nhrp2.jpg|alt=|border]] | | [[File:Vtysh nhrp2.jpg|alt=|border]] |
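Review bot: the edit introduces a stray asterisk, "executing *command '''vtysh -c "show ip nhrp"'''", which will render literally; it should read "executing command". The added note that vtysh is unavailable on RUT200, RUT230, RUT240, RUT241 and RUT260 leaves readers of those devices with no way to verify the NHRP routes, so it should point to whatever check is available there. The `Ping2.png` and `Vtysh nhrp2.jpg` images in this hunk also still use `alt=|border` rather than the `border|class=tlt-border` form adopted elsewhere in this revision.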
Line 338: |
Line 339: |
| == Summary == | | == Summary == |
| | | |
− | | + | At this point, the basic DMVPN configuration is complete and phase 3 will now take effect in order to dynamically establish connectivity between spokes. Using this method, additional spokes may be configured and added to the current topology. DMVPN Phase 3 technology will ensure that any newly introduced devices will be included in the final topology. |
| == References == | | == References == |
| [https://wiki.teltonika-networks.com/view/VPN_Configuration_Examples VPN configuration Examples] | | [https://wiki.teltonika-networks.com/view/VPN_Configuration_Examples VPN configuration Examples] |
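Review bot: the new summary writes "phase 3" in lower case in its first sentence and "Phase 3" in the last, while the body consistently uses "Phase 3"; align the capitalisation, and "will now take effect in order to dynamically establish" can be shortened to "now dynamically establishes".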
Line 349: |
Line 350: |
| | | |
| [https://docs.strongswan.org/docs/5.9/index.html strongSwan Documentation] | | [https://docs.strongswan.org/docs/5.9/index.html strongSwan Documentation] |
| + | |
| + | [[Category:VPN]] |