Line 142: |
Line 142: |
| <b>Step 1</b>: create a new DMVPN instance: | | <b>Step 1</b>: create a new DMVPN instance: |
| | | |
− | <nowiki>###</nowiki> I recommend to explain each step here in detail, for example:
| + | - Add HUB address (this is the public IP address of the previously configured hub device) |
| | | |
− | - Add HUB address ### - this is the public IP address of previously configured hub device | + | - Select Tunnel source (this is the egress interface, which will be able to reach the hub device's public IP address over the internet) |
| | | |
− | - Select Tunnel source ### - this is the egress interface, which will be able to reach hub device's public IP address over the internet | + | - Add Local GRE interface IP address (this is the GRE IP address of "Spoke 1". It should be unique in the entire VPN network) |
| | | |
− | - Add Local GRE interface IP address ### - this is the GRE IP address of "Spoke 1". It should be unique in the entire VPN network | + | - Add Remote GRE interface IP address (this is the GRE IP address of the previously configured hub device) |
| | | |
− | - Add Remote GRE interface IP address ### - this is the GRE IP address of the previously configured hub device | + | - Set GRE MTU to 1420 (this value should be set to the same value that was configured on the hub device. In our case, it is "1420") |
| | | |
− | - Set GRE MTU ### - this value should be set to the same value that was configured on the hub device. In our case, it is "1400" | + | - Set Local identifier, Remote identifier as %any and input the same Pre-shared key (This will determine how other devices will be identified for authentication) |
| | | |
− | - Set Local identifier, Remote identifier as %any and input same Pre-shared key ### brief explanation why this is needed would be nice as well
| + | <br>[[File:DMVPN phase3 example4.png|alt=|border]] |
− | | |
− | <br>[[File:DMVPN HUB Phase3 spoke1 example1.png|border|class=tlt-border]] | |
| ---- | | ---- |
| | | |
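Review bot: the parenthetical added to the identifier bullet does not answer the removed "###" request to explain why the setting is needed: with Local and Remote identifier both set to %any, no peer identity is checked and authentication rests entirely on the pre-shared key, so the text should say that plainly and add that the key must be strong and identical on hub and spokes. Also, the GRE MTU value changes from "1400" to "1420" in the same breath as "this value should be set to the same value that was configured on the hub device"; confirm the hub section states 1420 as well so the two sections do not contradict each other. Minor: the replacement image uses an empty `alt=`; a short description such as "Spoke 1 DMVPN instance settings" would be better.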
Line 162: |
Line 160: |
| <b>Step 2</b>: configure DMVPN Phase 1 parameters: | | <b>Step 2</b>: configure DMVPN Phase 1 parameters: |
| | | |
− | - Select Encryption algorithm - AES 128 | + | - Select the Encryption algorithm - AES 128 |
− | | |
− | - Select Authentication SHA1
| |
| | | |
− | - Select DH group MODP1024 | + | - Select Authentication SHA256 |
| | | |
| + | - Select DH group MODP3072 |
| | | |
− | <nowiki>###</nowiki> Same comment from hub section applies, increase security level
| + | <br>[[File:DMVPN phase3 example2.png|alt=|border]] |
− | | |
− | <br>[[File:DMVPN HUB Phase3 spoke example2.png|border|class=tlt-border]] | |
| ---- | | ---- |
| | | |
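Review bot: the Phase 1 change from SHA1/MODP1024 to SHA256/MODP3072 resolves the removed "increase security level" comment, but the removed line also says the same comment applies to the hub section, and nothing here tells the reader that the spoke's Phase 1 proposal must match the hub's exactly or IKE negotiation will fail. Add one sentence to that effect and confirm the hub section now shows the same AES 128 / SHA256 / MODP3072 values. Minor style: only the first bullet gained "the" ("Select the Encryption algorithm"); the other two bullets still read "Select Authentication", "Select DH group".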
Line 177: |
Line 172: |
| <b>Step 3</b>: configure DMVPN Phase 2 parameters: | | <b>Step 3</b>: configure DMVPN Phase 2 parameters: |
| | | |
− | - Select Encryption algorithm 3DES | + | - Select the Encryption algorithm AES 128 |
| | | |
− | - Select Hash algorithm MD5 | + | - Select Hash algorithm SHA256 |
| | | |
− | - Select PFS group MODP768 | + | - Select PFS group MODP3072 |
| | | |
− | | + | <br>[[File:DMVPN phase3 example3.png|alt=|border]] |
− | <nowiki>###</nowiki> Same comment from hub section applies, increase security level
| |
− | | |
− | <br>[[File:DMVPN HUB Phase3 spoke example3.png|border|class=tlt-border]] | |
| ---- | | ---- |
| | | |
| | | |
| <b>Step 4</b>: configure DMVPN NHRP parameters: | | <b>Step 4</b>: configure DMVPN NHRP parameters: |
| + | |
| + | - In the NHRP parameters section, it is important to enable REDIRECT option, which is essential to our Phase 3 configuration. |
| | | |
| - Leave everything by default | | - Leave everything by default |
| | | |
− | <nowiki>###</nowiki> Once again, highlight importance of "Redirect" option here<br>[[File:DMVPN HUB Phase3 spoke example4.png|border|class=tlt-border]]
| + | <br>[[File:DMVPN HUB Phase3 spoke example4.png|border|class=tlt-border]] |
| ---- | | ---- |
| <b>Step 5</b>: save changes | | <b>Step 5</b>: save changes |
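Review bot: in Step 4 the new bullet "it is important to enable REDIRECT option" is followed by the unchanged bullet "Leave everything by default", which reads as a contradiction if REDIRECT is not on by default; reword the second bullet to "Leave all other settings at their default values". The Phase 2 change (3DES/MD5/MODP768 to AES 128/SHA256/MODP3072) answers the removed "###" comment and, as in Phase 1, these proposals must match the hub's, so a short reminder here would help the reader. Minor: "enable REDIRECT option" should be "enable the REDIRECT option".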
Line 218: |
Line 212: |
| - Set Remote AS to 65000 | | - Set Remote AS to 65000 |
| | | |
− | - Set Remote address to 10.0.0.254 | + | - Sethe t Remote address to 10.0.0.254 |
| + | |
| + | - Leave everything else as default value |
| | | |
| <br>[[File:DMVPN HUB Phase3 spoke example6.png|border|class=tlt-border]] | | <br>[[File:DMVPN HUB Phase3 spoke example6.png|border|class=tlt-border]] |
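Review bot: the new line "Sethe t Remote address to 10.0.0.254" introduces a typo where the old line was correct; it should read "Set the Remote address to 10.0.0.254". The added bullet "Leave everything else as default value" should be "Leave everything else at its default value".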
Line 230: |
Line 226: |
| <b>Step 1</b>: create a new DMVPN instance: | | <b>Step 1</b>: create a new DMVPN instance: |
| | | |
− | - Input your HUB address | + | - Add HUB address (this is the public IP address of the previously configured hub device) |
| + | |
| + | - Select Tunnel source (this is the egress interface, which will be able to reach the hub device's public IP address over the internet) |
| | | |
− | - Select Tunnel source interface | + | - Add Local GRE interface IP address (this is the GRE IP address of "Spoke 2". It should be unique in the entire VPN network) |
| | | |
− | - Set Local GRE interface address to 10.0.0.2 | + | - Add Remote GRE interface IP address (this is the GRE IP address of the previously configured hub device) |
| | | |
− | - Set Remote GRE interface IP address to 10.0.0.254 | + | - Set GRE MTU to 1420 (this value should be set to the same value that was configured on the hub device. In our case, it is "1420") |
| | | |
− | - Set GRE MTU to 1476 | + | - Set Local identifier, Remote identifier as %any and input the same Pre-shared key (This will determine how other devices will be identified for authentication) |
| | | |
− | <br>[[File:DMVPN HUB Phase3 spoke2 example1.png|border|class=tlt-border]] | + | <br>[[File:DMVPN phase3 example5.png|alt=|border]] |
| ---- | | ---- |
| | | |
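Review bot: this hunk drops the concrete values the Spoke 2 walkthrough used to give (Local GRE 10.0.0.2, Remote GRE 10.0.0.254) in favour of generic wording copied from Spoke 1, yet the later BGP step still tells the reader to use 10.0.0.254, so the worked example is now harder to follow. Keep the values alongside the new explanations, e.g. "Add Local GRE interface IP address (10.0.0.2 in this example; the GRE address of Spoke 2, unique in the whole VPN)". The MTU change from 1476 to 1420 brings Spoke 2 in line with Spoke 1 and the hub, which is correct; the remark about %any identifiers from the Spoke 1 hunk applies here as well.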
Line 248: |
Line 246: |
| - Select Encryption algorithm - AES 128 | | - Select Encryption algorithm - AES 128 |
| | | |
− | - Select Authentication SHA1 | + | - Select Authentication SHA256 |
| | | |
− | - Select DH group MODP1024 | + | - Select DH group MODP3072 |
| | | |
− | <br>[[File:DMVPN HUB Phase3 spoke2 example2.png|border|class=tlt-border]] | + | <br>[[File:DMVPN phase3 example2.png|alt=|border]] |
| ---- | | ---- |
| <b>Step 3</b>: configure DMVPN Phase 2 parameters: | | <b>Step 3</b>: configure DMVPN Phase 2 parameters: |
| | | |
− | - Select Encryption algorithm 3DES | + | - Select Encryption algorithm AES 128 |
| | | |
− | - Select Hash algorithm MD5 | + | - Select Hash algorithm SHA256 |
| | | |
− | - Select PFS group MODP768 | + | - Select PFS group MODP3072 |
| | | |
− | <br>[[File:DMVPN HUB Phase3 spoke2 example3.png|border|class=tlt-border]] | + | <br>[[File:DMVPN phase3 example3.png|alt=|border]] |
| ---- | | ---- |
| | | |
| | | |
| <b>Step 4</b>: configure DMVPN NHRP parameters: | | <b>Step 4</b>: configure DMVPN NHRP parameters: |
| + | |
| + | - In the NHRP parameters section, it is important to enable REDIRECT option, which is essential to our Phase 3 configuration. |
| + | |
| + | - Leave everything by default |
| | | |
| <br>[[File:DMVPN HUB Phase3 spoke2 example4.png|border|class=tlt-border]] | | <br>[[File:DMVPN HUB Phase3 spoke2 example4.png|border|class=tlt-border]] |
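Review bot: Step 4 repeats the Spoke 1 wording, so it has the same problem: "enable REDIRECT option" directly followed by "Leave everything by default"; change the second bullet to "Leave all other settings at their default values" in both places. The Phase 1 and Phase 2 images now reuse the Spoke 1 files (DMVPN phase3 example2.png, example3.png) while Step 1 keeps a spoke-specific example5.png; that is fine only if the Phase 1/2 screens are identical on both spokes, so please confirm. Minor: Spoke 1 reads "Select the Encryption algorithm" while this section reads "Select Encryption algorithm"; pick one form.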
Line 293: |
Line 295: |
| | | |
| - Set Remote address to 10.0.0.254 | | - Set Remote address to 10.0.0.254 |
| + | |
| + | - Leave everything else as default value |
| | | |
| <br>[[File:DMVPN HUB Phase3 spoke2 example6.png|border|class=tlt-border]] | | <br>[[File:DMVPN HUB Phase3 spoke2 example6.png|border|class=tlt-border]] |
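Review bot: "Leave everything else as default value" should read "Leave everything else at its default value", matching the same bullet in the Spoke 1 BGP step.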
Line 298: |
Line 302: |
| ===Important Note=== | | ===Important Note=== |
| | | |
− | <nowiki>###</nowiki> Explanation why this is needed is recommended, because naturally a question comes to mind "why" this is needed | + | <nowiki>###</nowiki> Explanation why this is needed is recommended because naturally a question comes to mind "why" this is needed |
| | | |
| For HUB in Network > Firewall GRE zone change from REJECT to ACCEPT on FORWARD. | | For HUB in Network > Firewall GRE zone change from REJECT to ACCEPT on FORWARD. |
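Review bot: the "###" line is an editorial TODO, and this change only removes a comma from it, so the placeholder survives into the published article while the question it asks stays unanswered. Either replace it with the actual explanation of why the hub's GRE zone FORWARD rule must be ACCEPT (if the reason is that spoke-to-spoke traffic first transits the hub and is forwarded back out of the same GRE zone, say that) or remove the line before publishing. Also give the firewall path as "Network > Firewall > General Settings > Zones" or whatever the UI actually shows, since "Network > Firewall GRE zone" is ambiguous.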