Difference between revisions of "DMVPN with IPsec Phase 3"

From Teltonika Networks Wiki
m
(44 intermediate revisions by 2 users not shown)
Line 1: Line 1:
<p style="color:red">The information in this page is updated in accordance with [https://wiki.teltonika-networks.com/view/FW_%26_SDK_Downloads'''00.07.03.2'''] firmware version. .</p>
 
 
 
==Introduction==
 
==Introduction==
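Review bot: the firmware banner line 'The information in this page is updated in accordance with [...'''00.07.03.2'''] firmware version. .' ends with a stray ' .' after 'firmware version.'; drop the second period. The external link also has no space between the URL and its bold label, so check that it renders as a link labelled 00.07.03.2 rather than swallowing the label into the URL.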
  
Line 9: Line 7:
 
'''DMVPN''' has three phases that route data differently:
 
'''DMVPN''' has three phases that route data differently:
  
Phase 1: All traffic goes from the spoke to and through the hub.
+
Phase 1: All traffic flows from the spoke to and through the hub.
  
Phase 2: Starts with Phase 1 and after it allows spoke-to-spoke tunnels. Phase 2 has different routing, where packet forwarding is being done using the IP routing table. Spokes reach other spokes networks based on the next-hop tunnel IP address of the other spoke for a particular network.
+
Phase 2: Start with Phase 1 then allows spoke-to-spoke tunnels based on demand and triggers. Phase 2 has different routing, where packet forwarding is being done using the IP routing table.
  
Phase 3: Improves the scalability and has fewer restrictions than Phase 2. Phase 3 allows the summarization of routes from hub to spokes. Spokes don’t even need routes, they can use the default gateway toward the hub router.
+
Phase 3: Starts with Phase 1 and improves the scalability and has fewer restrictions than Phase 2. Phase 3 allows the summarization of routes from hub to spokes. So again spokes wouldn’t need specific routes to other spokes networks.
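Review bot: the rewritten Phase 2 line ('Start with Phase 1 then allows spoke-to-spoke tunnels based on demand and triggers') drops the one detail that distinguishes Phase 2 from Phase 3 in the other column, namely that spokes reach other spokes' networks through the next-hop tunnel IP of the owning spoke; keep that sentence, and write 'Starts' to match the Phase 3 line. The Phase 3 line chains 'and ... and' ('Starts with Phase 1 and improves the scalability and has fewer restrictions'); suggest 'Starts with Phase 1, scales better than Phase 2 and has fewer restrictions: the hub can summarize routes toward the spokes, so spokes need no specific routes to other spokes' networks.'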
  
  
Line 23: Line 21:
  
 
<ul>
 
<ul>
     <li>2 Teltonika Routers for '''SPOKES'''</li>
+
     <li>2 Teltonika Routers for SPOKES</li>
     <li>1 Teltonika Router for '''HUB''' with a public IP address</li>
+
     <li>1 Teltonika Router for HUB with a public IP address</li>
 
     <li>A PC to configure the routers</li>
 
     <li>A PC to configure the routers</li>
 
</ul>
 
</ul>
 +
==HUB configuration==
  
==Configuration scheme==
+
This section contains information on how to configure DMVPN <b>HUB</b>. Firstly, we'll configure the DMVPN instance to make the connection possible. Then we'll set the <b>Border Gateway Protocol</b> (<b>BGP</b>) parameters as our dynamic routing solution.
[[File:DMVPN phase3 topology.png|border|class=tlt-border|1053x1053px]]
 
  
 +
<b>Note</b>: at the moment, BGP is the only stable dynamic routing solution that can work with DMVPN.
  
==The SETUP==
+
===HUB configuration: DMVPN===
 +
----
 +
Navigate to the <b>Services → VPN → DMVPN</b> page and follow the instructions provided below.
  
The following section contains information on how to configure DMVPN <b>HUB</b>. Firstly, we'll configure the DMVPN instance to make the connection possible. Then we'll set the <b>Border Gateway Protocol</b> (<b>BGP</b>) parameters as our dynamic routing solution.
+
<b>Step 1</b>: create a new DMVPN instance:
  
<b>Notes</b>:
+
- Select your HUB interface in the Tunnel source field
  
- At the moment, BGP is the only stable dynamic routing solution that can work with DMVPN.
+
- Set Local GRE interface IP address (for example, 10.0.0.254)
  
- If you are using non RUTX device, BGP and DMVPN have to be installed manually from the '''Services → Package Manager''' tab before continuing.
+
- Set GRE interface netmask to 255.255.255.0 (for entire subnet or according to how many spokes we expect to connect to this hub)
  
- If you're having trouble finding any page or some of the parameters described here on your device's WebUI, you should turn on "Advanced WebUI" mode. You can do that by clicking the "Basic" button under "Mode," which is located at the top-right corner of the WebUI.
+
- Set GRE MTU value to 1420 (or even slightly lower - 1400 if a mobile interface is used)
[[File:1004px-Basic WebUI Advanced.gif|alt=|border]]
 
  
===HUB configuration: DMVPN===
+
- Outbound/inbound keys are optional, for this example we will leave it at default
 +
 
 +
- Set IPsec Pre-shared key (we used simple 123456 for this example)
 +
 
 +
<br>[[File:Dmvpn phase3 example1.png|alt=|border]]
 
----
 
----
Navigate to the <b>Services → VPN → DMVPN</b> page and follow the instructions provided below.
+
<b>Step 2</b>: configure DMVPN Phase 1 parameters:
 +
 
 +
- Encryption algorithm - AES 128
  
<b>Step 1</b>: create a new DMVPN instance:
+
- Authentication SHA1
  
1. Select your HUB interface in the Tunnel source field
+
- DH group - MODP1024
  
2. Set Local GRE interface IP address (for example, 10.0.0.254)
 
  
3. Set GRE interface netmask to 255.255.255.255
+
<nowiki>###</nowiki> I don't recommend these parameters, they are not secure. Anything at or below the following shouldn't be used:
  
4. Set GRE MTU value to 1420 (or even slightly lower - 1400 if a mobile interface is used)
+
<nowiki>###</nowiki> AES-128
  
- Outbound/inbound keys are optional, for this example we will leave it at default
+
<nowiki>###</nowiki> Auth SHA256
  
5. Set IPsec Pre-shared key (we used simple 123456 for this example)
+
<nowiki>###</nowiki> DH group - MODP3072 or ECP256
  
<br>[[File:HUB main.png|border|class=tlt-border]]
+
<br>[[File:DMVP HUB phase3 example2.png|border|class=tlt-border]]
 
----
 
----
<b>Step 2</b>: configure '''DMVPN Phase 1''' parameters:
+
<b>Step 3</b>: configure DMVPN Phase 2 parameters:
 
 
1. Encryption algorithm - AES 128
 
  
2. Authentication SHA256
+
- Encryption algorithm - 3DES
  
3. DH group - MODP3072
+
- Hash algorithm - MD5
  
<br>[[File:Hub phase1.png|border|class=tlt-border]]
+
- PFS group -MODP768
----
 
<b>Step 3</b>: configure '''DMVPN Phase 2''' parameters:
 
  
1. Encryption algorithm - AES 128
 
  
2. Hash algorithm - SHA256
+
<nowiki>###</nowiki> Same story here, try to increase security level here to a more secure solution.  
  
3. PFS group -MODP3072
+
<nowiki>###</nowiki> IPsec Phase 2 settings generally uses slightly lower parameters, because those algorithms are responsible for encrypting actual data traffic that we want to send over the IPsec tunnel
  
<br>[[File:Hub phase2 fix.png|border|class=tlt-border]]
+
<br>[[File:DMVPN HUB Phase3 example3.png|border|class=tlt-border]]
 
----
 
----
<b>Step 4</b>: configure '''DMVPN NHRP''' parameters:
+
<b>Step 4</b>: configure DMVPN NHRP parameters:
  
In the NHRP parameters section, it is important to enable '''REDIRECT''' option, which is essential to our Phase 3 configuration.
+
<nowiki>###</nowiki> Highlight the importance of "Redirect option here". This is essentially what makes P3 possible.  
  
<br>[[File:Redirect.png|border|class=tlt-border]]
+
<br>[[File:DMVPN HUB Phase3 example4.png|border|class=tlt-border]]
 
----
 
----
 
<b>Step 5</b>: save changes
 
<b>Step 5</b>: save changes
  
===Hub configuration: BGP ===
+
===Hub configuration: BGP===
  
 
Navigate to the <b>Network → Routing → Dynamic Routes → BGP Protocol</b> page and follow the instructions provided below.
 
Navigate to the <b>Network → Routing → Dynamic Routes → BGP Protocol</b> page and follow the instructions provided below.
  
<b>Step 1</b>: enable '''BGP''' and configure General section:
+
<b>Step 1</b>: enable BGP and configure General section:
  
1. Enable vty
+
- Enable vty
  
2. Set AS to 65000
+
- Set AS to 65000
  
3. Set BGP router ID for easier management.
+
- Set announcement network(s). Routes to these networks will be shared over BGP. We used 192.168.1.0/24
  
4. Set announcement network(s). Routes to these networks will be shared over BGP. We used 192.168.1.0/24
+
<nowiki>###</nowiki> Highlight the fact that "NHRP routes" selection should exist under "Redistribution options"
  
5. "NHRP routes" selection should be applied under the "Redistribution options" section
+
<nowiki>###</nowiki> Probably a good idea to set BGP router ID here using GRE interface IPs to avoid confusion and make troubleshooting easier
  
<br>[[File:Hub bgp.png|border|class=tlt-border]]
+
<br>[[File:DMVPN HUB Phase3 example5.png|border|class=tlt-border]]
 
----
 
----
  
  
<b>Step 2</b>: Create '''BGP''' Peer Group:
+
<b>Step 2</b>: Create BGP Peer Group:
  
- Add a Neighbor address for SPOKE 1 and SPOKE 2 (We used 10.0.0.1 and 10.0.0.2 which will be in the same subnet as our hub 10.0.0.254)
+
- Add Neighbor address (We used 10.0.0.1 and 10.0.0.2)
  
- Leave other settings as default.
+
<nowiki>###</nowiki> Explanation needed what these IP addresses are - this might not be clear enough for end-users that this is spoke devices GRE IP address
  
<br>[[File:Bgp peer grp.png|border|class=tlt-border]]
+
<nowiki>###</nowiki> Also need to quickly mention about other settings
 +
 
 +
<nowiki>###</nowiki> Remote AS is empty here - I don't remember now, but is this intended?
 +
 
 +
<br>[[File:DMVPN HUB Phase3 example6.png|border|class=tlt-border]]
 
----
 
----
  
  
<b>Step 3</b>: Add two '''BGP''' peers for each spoke:
+
<b>Step 3</b>: Add two BGP peers for each spoke:
  
Now let's create BGP peers for Spokes on the same page. Add two new BGP peers with the following parameters:
+
<nowiki>###</nowiki> Need to mention that "Let's move on to spokes BGP configuration now.", because it looks a bit confusing
  
 
Peer 1.
 
Peer 1.
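Review bot: the GRE netmask is 255.255.255.255 in one column and 255.255.255.0 ('for entire subnet or according to how many spokes we expect') in the other, while the hub's BGP peer group addresses the spokes as 10.0.0.1 and 10.0.0.2 on that same interface; settle on one value and, if it stays a /32, say how the hub reaches those neighbours. The IPsec proposals in one column (Phase 1: SHA1, MODP1024; Phase 2: 3DES, MD5, MODP768) contradict the '###' notes left beside them, and those notes should be resolved into the article instead of being published; the other column already does this (AES 128, SHA256, MODP3072 on both phases, plus the 'BGP router ID' and 'NHRP routes' redistribution steps the notes ask for). The 'Remote AS is empty here - is this intended?' question needs an answer in the text: the per-peer entries in Step 3 carry 65001/65002, so either state that the peer group deliberately leaves Remote AS unset or fill it in.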
Line 139: Line 143:
 
- Set Remote address as 10.0.0.2
 
- Set Remote address as 10.0.0.2
  
We will keep other settings as their default values for this configuration example.
+
<nowiki>###</nowiki> Briefly mention that other fields are not mandatory, but changes can be done if needed (aka "we will keep other settings as their default values for this configuration example" statement)
  
<br>[[File:Bgp peer1.png|border|class=tlt-border]]
+
<br>[[File:DMVPN HUB Phase3 example7.png|border|class=tlt-border]]
 
----
 
----
[[File:Bgp peer2.png|border|class=tlt-border]]
+
[[File:DMVPN HUB Phase3 example8.png|border|class=tlt-border]]
 
----
 
----
  
  
=== Spoke 1 configuration: DMVPN===
+
===Spoke 1 configuration: DMVPN===
 
----
 
----
 +
<nowiki>###</nowiki> I think this should be done before dynamic routing configuration on each spoke, just to have IPsec tunnel and GRE IPs set for us
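Review bot: the '###' remark that the spoke's DMVPN tunnel should be configured before dynamic routing is already the order the headings follow ('Spoke 1 configuration: DMVPN' precedes 'Spoke 1 configuration: BGP'), so either drop it or turn it into one sentence of article text stating the dependency (the BGP neighbours 10.0.0.1, 10.0.0.2 and 10.0.0.254 are only reachable once the GRE/IPsec tunnel is up). No '###' reviewer notes should survive into the published revision.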
  
  
Line 155: Line 160:
 
<b>Step 1</b>: create a new DMVPN instance:
 
<b>Step 1</b>: create a new DMVPN instance:
  
1. Add HUB address  (this is the public IP address of the previously configured hub device)
+
<nowiki>###</nowiki> I recommend to explain each step here in detail, for example:
  
2. Select Tunnel source (this is the egress interface, which will be able to reach the hub device's public IP address over the internet)
+
- Add HUB address ### - this is the public IP address of previously configured hub device
  
3.  Add Local GRE interface IP address  (this is the GRE IP address of "Spoke 1". It should be unique in the entire VPN network)
+
- Select Tunnel source ### - this is the egress interface, which will be able to reach hub device's public IP address over the internet
  
4.  Add Remote GRE interface IP address (this is the GRE IP address of the previously configured hub device)
+
- Add Local GRE interface IP address ### - this is the GRE IP address of "Spoke 1". It should be unique in the entire VPN network
  
5.  Set GRE MTU to 1420  (this value should be set to the same value that was configured on the hub device. In our case, it is "1420")
+
- Add Remote GRE interface IP address ### - this is the GRE IP address of the previously configured hub device
  
6.  Set Local identifier (For setups behind NAT), Remote identifier as %any and input the same Pre-shared key (This will determine how other devices will be identified for authentication)
+
- Set GRE MTU ### - this value should be set to the same value that was configured on the hub device. In our case, it is "1400"
  
<br>[[File:Spoke dmvpn.png|border|class=tlt-border]]
+
- Set Local identifier, Remote identifier as %any and input same Pre-shared key ### brief explanation why this is needed would be nice as well
 +
 
 +
<br>[[File:DMVPN HUB Phase3 spoke1 example1.png|border|class=tlt-border]]
 
----
 
----
  
  
<b>Step 2</b>: configure '''DMVPN''' '''Phase 1''' parameters:
+
<b>Step 2</b>: configure DMVPN Phase 1 parameters:
  
1.  Select the Encryption algorithm - AES 128
+
- Select Encryption algorithm - AES 128
  
2.  Select Authentication SHA256
+
- Select Authentication SHA1
  
3.  Select DH group MODP3072
+
- Select DH group MODP1024
  
<br>[[File:Hub phase1.png|border|class=tlt-border]]
+
 
 +
<nowiki>###</nowiki> Same comment from hub section applies, increase security level
 +
 
 +
<br>[[File:DMVPN HUB Phase3 spoke example2.png|border|class=tlt-border]]
 
----
 
----
  
  
<b>Step 3</b>: configure '''DMVPN Phase 2''' parameters:
+
<b>Step 3</b>: configure DMVPN Phase 2 parameters:
 +
 
 +
- Select Encryption algorithm 3DES
 +
 
 +
- Select Hash algorithm MD5
  
1. Select the Encryption algorithm AES 128
+
- Select PFS group MODP768
  
2.  Select Hash algorithm SHA256
 
  
3.  Select PFS group MODP3072
+
<nowiki>###</nowiki> Same comment from hub section applies, increase security level
  
<br>[[File:Hub phase2 fix.png|border|class=tlt-border]]
+
<br>[[File:DMVPN HUB Phase3 spoke example3.png|border|class=tlt-border]]
 
----
 
----
  
  
<b>Step 4</b>: configure '''DMVPN NHRP''' parameters:
+
<b>Step 4</b>: configure DMVPN NHRP parameters:
 
 
- In the NHRP parameters section, it is important to enable REDIRECT option, which is essential to our Phase 3 configuration.
 
  
 
- Leave everything by default
 
- Leave everything by default
  
<br>[[File:Redirect.png|border|class=tlt-border]]
+
<nowiki>###</nowiki> Once again, highlight importance of "Redirect" option here<br>[[File:DMVPN HUB Phase3 spoke example4.png|border|class=tlt-border]]
 
----
 
----
 
<b>Step 5</b>: save changes
 
<b>Step 5</b>: save changes
  
===Spoke 1 configuration: BGP ===
+
===Spoke 1 configuration: BGP===
  
 
Navigate to the <b>Network → Routing → Dynamic Routes → BGP Protocol</b> page and follow the instructions provided below.
 
Navigate to the <b>Network → Routing → Dynamic Routes → BGP Protocol</b> page and follow the instructions provided below.
  
<b>Step 1</b>: enable '''BGP''' and configure General section:
+
<b>Step 1</b>: enable BGP and configure General section:
  
1. Enable vty
+
- Enable vty
  
2. Set AS to 65001
+
- Set AS to 65001
  
3. Set Network to 192.168.10.0/24
+
- Set Network to 192.168.10.0/24
  
<br>[[File:Spoke bgp.png|border|class=tlt-border]]
+
<br>[[File:DMVPN HUB Phase3 spoke example5.png|border|class=tlt-border]]
 
----
 
----
  
  
<b>Step 2</b>: Create '''BGP''' Peer:
+
<b>Step 2</b>: Create BGP Peer:
  
 
- Set Remote AS to 65000
 
- Set Remote AS to 65000
  
- Set the Remote address to 10.0.0.254
+
- Set Remote address to 10.0.0.254
  
- Leave everything else as default value
+
<br>[[File:DMVPN HUB Phase3 spoke example6.png|border|class=tlt-border]]
  
<br>[[File:Spoke bgp peer.png|border|class=tlt-border]]
+
===Spoke 2 configuration: DMVPN===
  
===Spoke 2 configuration: DMVPN===
+
<nowiki>###</nowiki> Same points and comments apply here just as it was in Spoke 1 config section
  
 
Navigate to the <b>Services → VPN → DMVPN</b> page and follow the instructions provided below.
 
Navigate to the <b>Services → VPN → DMVPN</b> page and follow the instructions provided below.
  
<b>Step 1</b>: create a new DMVPN instance:  
+
<b>Step 1</b>: create a new DMVPN instance:
  
1. Add HUB address (this is the public IP address of the previously configured hub device)
+
- Input your HUB address
  
2. Select Tunnel source (this is the egress interface, which will be able to reach the hub device's public IP address over the internet)
+
- Select Tunnel source interface
  
3. Add Local GRE interface IP address (this is the GRE IP address of "Spoke 2". It should be unique in the entire VPN network)
+
- Set Local GRE interface address to 10.0.0.2
  
4. Add Remote GRE interface IP address (this is the GRE IP address of the previously configured hub device)
+
- Set Remote GRE interface IP address to 10.0.0.254
  
5. Set GRE MTU to 1420  (this value should be set to the same value that was configured on the hub device. In our case, it is "1420")
+
- Set GRE MTU to 1476
  
6. Set Local identifier (For setups behind NAT), Remote identifier as %any and input the same Pre-shared key (This will determine how other devices will be identified for authentication)
+
<br>[[File:DMVPN HUB Phase3 spoke2 example1.png|border|class=tlt-border]]
 
 
<br>[[File:Spoke2 dmvpn.png|border|class=tlt-border]]
 
 
----
 
----
  
  
<b>Step 2</b>: configure '''DMVPN Phase 1''' parameters:
+
<b>Step 2</b>: configure DMVPN Phase 1 parameters:
  
1. Select Encryption algorithm - AES 128
+
- Select Encryption algorithm - AES 128
  
2. Select Authentication SHA256
+
- Select Authentication SHA1
  
3. Select DH group MODP3072
+
- Select DH group MODP1024
  
<br>[[File:Hub phase1.png|border|class=tlt-border]]
+
<br>[[File:DMVPN HUB Phase3 spoke2 example2.png|border|class=tlt-border]]
 
----
 
----
<b>Step 3</b>: configure '''DMVPN Phase 2''' parameters:
+
<b>Step 3</b>: configure DMVPN Phase 2 parameters:
  
1. Select Encryption algorithm AES 128
+
- Select Encryption algorithm 3DES
  
2. Select Hash algorithm SHA256
+
- Select Hash algorithm MD5
  
3. Select PFS group MODP3072
+
- Select PFS group MODP768
  
<br>[[File:Hub phase2 fix.png|border|class=tlt-border]]
+
<br>[[File:DMVPN HUB Phase3 spoke2 example3.png|border|class=tlt-border]]
 
----
 
----
  
  
<b>Step 4</b>: configure '''DMVPN NHRP''' parameters:
+
<b>Step 4</b>: configure DMVPN NHRP parameters:
  
- In the NHRP parameters section, it is important to enable REDIRECT option, which is essential to our Phase 3 configuration.
+
<br>[[File:DMVPN HUB Phase3 spoke2 example4.png|border|class=tlt-border]]
 
 
- Leave everything by default
 
 
 
<br>[[File:Redirect.png|border|class=tlt-border]]
 
 
----
 
----
 
<b>Step 5</b>: save changes
 
<b>Step 5</b>: save changes
  
===Spoke 2 configuration: BGP ===
+
===Spoke 2 configuration: BGP===
  
 
Navigate to the <b>Network → Routing → Dynamic Routes → BGP Protocol</b> page and follow the instructions provided below.
 
Navigate to the <b>Network → Routing → Dynamic Routes → BGP Protocol</b> page and follow the instructions provided below.
  
<b>Step 1</b>: enable '''BGP''' and configure General section:
+
<b>Step 1</b>: enable BGP and configure General section:
  
1.  Enable vty
+
- Enable vty
  
2.  Set AS to 65002
+
- Set AS to 65002
  
3.  Set Network to 192.168.20.0/24
+
- Set Network to 192.168.20.0/24
  
<br>[[File:Spoke2 bgp peer.png|border|class=tlt-border]]
+
<br>[[File:DMVPN HUB Phase3 spoke2 example5.png|border|class=tlt-border]]
 
----
 
----
  
  
<b>Step 2</b>: Create '''BGP''' Peer:
+
<b>Step 2</b>: Create BGP Peer:
  
 
- Set Remote AS to 65000
 
- Set Remote AS to 65000
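Review bot: the GRE MTU disagrees across devices in one column: the hub step says 1420, the Spoke 1 step says the value must equal the hub's and then gives 'in our case, it is "1400"', and Spoke 2 sets 1476; the other column uses 1420 throughout, which is what the text itself requires, so pick one value and repeat it on every device. Spoke 2's Step 1 hard-codes 10.0.0.2 and 10.0.0.254 without the explanations Spoke 1 gets; reuse the Spoke 1 wording, and carry over the other column's answer to the 'why Local identifier' question (it identifies a spoke behind NAT for IPsec authentication). The spoke Phase 1/Phase 2 screenshots in one column are the hub's images (Hub phase1.png, Hub phase2 fix.png); confirm they show the spoke form.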
Line 307: Line 312:
 
- Set Remote address to 10.0.0.254
 
- Set Remote address to 10.0.0.254
  
- Leave everything else as default value
+
<br>[[File:DMVPN HUB Phase3 spoke2 example6.png|border|class=tlt-border]]
  
<br>[[File:Spoke bgp peer.png|border|class=tlt-border]]
 
 
----
 
 
===Important Note===
 
===Important Note===
For '''HUB''' in Network <b>→</b> Firewall GRE zone change from '''REJECT''' to '''ACCEPT''' on '''FORWARD.'''
 
  
Also, disable '''Masquerading''' on '''HUB''' and '''ALL spokes''' for GRE <b></b> LAN zone forwardings
+
<nowiki>###</nowiki> Explanation why this is needed is recommended, because naturally a question comes to mind "why" this is needed
  
[[File:Firewall new.png|alt=|border]]
+
For HUB in Network > Firewall GRE zone change from REJECT to ACCEPT on FORWARD.
  
===Testing configuration===
+
----
 +
[[File:DMVPN HUB Phase3 example Firewall.png|border|class=tlt-border]]
 +
----
  
'''- ipsec statusall''' command can be used in the CLI/SSH for testing the tunnel. It will return detailed status information either on connection or if the argument is lacking, on all connections. If everything was done correctly, it should display that tunnel has been established.
 
  
'''- ping''' command can be used to check if the HUB and SPOKES can reach each other.
+
For setups behind NAT specify Local identifier in the <b>Services → VPN → DMVPN → IPsec section </b>
  
[[File:Ping.png|alt=|border]]
+
<nowiki>###</nowiki> Didn't we already set this during spoke configuration? It's a good point to mention/explain, but I don't think this should be at the bottom of the article, but instead should be next to IPsec config of each spoke
  
[[File:Ping2.png|alt=|border]]
+
----
 
+
[[File:DMVPN HUB Phase3 example Behind NAT.png|border|class=tlt-border]]
- Check routes in the HUB by executing command '''vtysh -c "show ip nhrp"'''
 
 
 
[[File:Vtysh nhrp2.jpg|alt=|border]]
 
 
 
- If you need to reboot tunnel, execute '''/etc/init.d/ipsec retart'''
 
 
 
== Summary ==
 
 
 
At this point, the basic DMVPN configuration is complete and phase 3 will now take effect in order to dynamically establish connectivity between spokes. Using this method, additional spokes may be configured and added to the current topology. DMVPN Phase 3 technology will ensure that any newly introduced devices will be included in the final topology.
 
== References ==
 
[https://wiki.teltonika-networks.com/view/VPN_Configuration_Examples VPN configuration Examples]
 
 
 
[https://wiki.teltonika-networks.com/view/DMVPN_configuration DMVPN configuration example]
 
 
 
[https://wiki.teltonika-networks.com/view/IPsec_configuration_examples IPsec configuration example]
 
 
 
[https://wiki.teltonika-networks.com/view/Routing#BGP_Protocol BGP routing]
 
  
[https://docs.strongswan.org/docs/5.9/index.html strongSwan Documentation]
 
  
[[Category:VPN]]
+
<nowiki>###</nowiki> Need to show working configuration with pings or something. Also to verify that Phase 3 DMVPN condition is actually working.
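Review bot: '/etc/init.d/ipsec retart' is a typo for 'restart' and fails as typed. The 'Important Note' should explain why FORWARD in the hub's GRE zone must be ACCEPT, as the '###' note asks: spoke-to-spoke traffic enters and leaves the hub on the same GRE interface until the NHRP redirect installs a direct shortcut, so a REJECT forward policy breaks Phase 3 before it starts. Only one column keeps the 'disable Masquerading on HUB and ALL spokes for GRE → LAN forwardings' line and the whole 'Testing configuration' section (ipsec statusall, ping, vtysh -c "show ip nhrp"); both should stay, since they are the article's only verification steps, and the 'show ip nhrp' output is also how a reader confirms that a spoke-to-spoke shortcut actually formed. The NAT 'Local identifier' paragraph duplicates the spoke Step 1 instruction and belongs there.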

Revision as of 09:43, 11 January 2023


Introduction

DMVPN (Dynamic Multipoint Virtual Private Network) is a dynamic tunneling form of virtual private network that can build a VPN without pre-configuring every possible tunnel end-point peer. DMVPN is initially configured as a HUB and SPOKE network, where each new SPOKE can join with minimal effort. Its main benefits are simpler router configuration, high scalability, good performance and bandwidth, and secure routing when combined with IPsec.


DMVPN has three phases that route data differently:

Phase 1: All traffic flows from the spoke to and through the hub.

Phase 2: Starts with Phase 1, then allows spoke-to-spoke tunnels to be built on demand, triggered by traffic. Phase 2 routes differently: packet forwarding is done using the IP routing table.

Phase 3: Starts with Phase 1, improves scalability and has fewer restrictions than Phase 2. Phase 3 allows routes to be summarized from the hub to the spokes, so spokes do not need specific routes to other spokes' networks.
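To make the Phase 3 behaviour concrete, here is an added example (not code from this wiki page or from Teltonika firmware) that simulates the hub's NHRP redirect and a spoke's shortcut installation using the addressing from this page; the public (NBMA) addresses 203.0.113.x are constructed placeholders.

```python
"""DMVPN Phase 3 forwarding in miniature: NHRP redirect and shortcut."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    gre_ip: str          # tunnel (GRE) address, which BGP also peers over
    nbma_ip: str         # public address the GRE/IPsec packets are sent to
    lan: str             # network the node announces over BGP
    redirect: bool = False   # hub: send NHRP Traffic Indication (the page's REDIRECT option)
    shortcut: bool = False   # spoke: act on a redirect and build a direct tunnel
    routes: dict = field(default_factory=dict)      # prefix -> next-hop GRE IP (None = connected LAN)
    nhrp_cache: dict = field(default_factory=dict)  # GRE IP -> NBMA IP


def lookup(node: Node, dst: str):
    """Longest-prefix match; returns the next-hop GRE IP, or None for a connected LAN."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nh in node.routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    if best is None:
        raise LookupError(f"{node.name}: no route to {dst}")
    return best[1]


class Dmvpn:
    def __init__(self, hub: Node, spokes: list):
        self.hub = hub
        self.by_gre = {n.gre_ip: n for n in (hub, *spokes)}
        hub.routes[hub.lan] = None
        for s in spokes:
            # NHRP registration: the hub learns each spoke's GRE->NBMA mapping;
            # a spoke only knows its next-hop server, the hub.
            hub.nhrp_cache[s.gre_ip] = s.nbma_ip
            s.nhrp_cache[hub.gre_ip] = hub.nbma_ip
            # BGP: the hub learns every spoke LAN. A Phase 3 spoke needs only
            # a summary route toward the hub, not a route per remote spoke.
            hub.routes[s.lan] = s.gre_ip
            s.routes[s.lan] = None
            s.routes["192.168.0.0/16"] = hub.gre_ip

    def send(self, src: Node, dst_ip: str) -> list:
        """Forward one packet hop by hop; returns the names of the nodes it crossed."""
        path, node = [src.name], src
        while True:
            nh = lookup(node, dst_ip)
            if nh is None:
                return path                     # delivered to the connected LAN
            if nh not in node.nhrp_cache:
                raise LookupError(f"{node.name}: no NBMA address for {nh}")
            # The hub relaying one spoke's traffic back out the same mGRE interface
            # toward another spoke: with REDIRECT on it tells the source about the shortcut.
            if node is self.hub and node.redirect and node is not src:
                self._redirect(src, dst_ip)
            node = self.by_gre[nh]
            path.append(node.name)

    def _redirect(self, src: Node, dst_ip: str) -> None:
        if not src.shortcut:
            return
        # NHRP resolution: the hub relays the request to the spoke that owns the
        # destination, which answers with its NBMA address and the prefix it serves.
        owner = self.by_gre[lookup(self.hub, dst_ip)]
        src.nhrp_cache[owner.gre_ip] = owner.nbma_ip
        src.routes[owner.lan] = owner.gre_ip    # shortcut, more specific than the summary


def build(phase3: bool = True):
    """Page topology: hub 10.0.0.254, spokes 10.0.0.1/.2; NBMA addresses are constructed."""
    hub = Node("HUB", "10.0.0.254", "203.0.113.254", "192.168.1.0/24", redirect=phase3)
    s1 = Node("SPOKE1", "10.0.0.1", "203.0.113.1", "192.168.10.0/24", shortcut=phase3)
    s2 = Node("SPOKE2", "10.0.0.2", "203.0.113.2", "192.168.20.0/24", shortcut=phase3)
    return Dmvpn(hub, [s1, s2]), hub, s1, s2


def demo(phase3: bool = True) -> list:
    """Two packets SPOKE1 LAN -> SPOKE2 LAN, then one to the hub LAN."""
    net, hub, s1, s2 = build(phase3)
    dst = "192.168.20.10"
    return [net.send(s1, dst), net.send(s1, dst), net.send(s1, "192.168.1.5")]


if __name__ == "__main__":
    for p3 in (False, True):
        print("Phase 3:" if p3 else "Phase 1:", demo(p3))
```

With REDIRECT off the second packet still crosses the hub (Phase 1 behaviour); with it on, the first packet triggers the shortcut and the second goes spoke to spoke directly.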


This article contains instructions on how to configure DMVPN Phase 3 between a "Hub" and two "Spokes" using Teltonika devices.

Prerequisites and overview

You will need:

  • 2 Teltonika Routers for SPOKES
  • 1 Teltonika Router for HUB with a public IP address
  • A PC to configure the routers

HUB configuration

This section contains information on how to configure DMVPN HUB. Firstly, we'll configure the DMVPN instance to make the connection possible. Then we'll set the Border Gateway Protocol (BGP) parameters as our dynamic routing solution.

Note: at the moment, BGP is the only stable dynamic routing solution that can work with DMVPN.

HUB configuration: DMVPN


Navigate to the Services → VPN → DMVPN page and follow the instructions provided below.

Step 1: create a new DMVPN instance:

- Select your HUB interface in the Tunnel source field

- Set Local GRE interface IP address (for example, 10.0.0.254)

- Set GRE interface netmask to 255.255.255.0 (the whole subnet, or a smaller one sized to the number of spokes expected to connect to this hub)

- Set GRE MTU value to 1420 (or even slightly lower - 1400 if a mobile interface is used)

- Outbound/inbound keys are optional; for this example we leave them at their defaults

- Set IPsec Pre-shared key (we used simple 123456 for this example)



Step 2: configure DMVPN Phase 1 parameters:

- Encryption algorithm - AES 128

- Authentication SHA1

- DH group - MODP1024


### I don't recommend these parameters; they are not secure. Anything at or below the following shouldn't be used:

### AES-128

### Auth SHA256

### DH group - MODP3072 or ECP256


DMVP HUB phase3 example2.png


Step 3: configure DMVPN Phase 2 parameters:

- Encryption algorithm - 3DES

- Hash algorithm - MD5

- PFS group - MODP768


### Same story here, try to increase security level here to a more secure solution.

### IPsec Phase 2 settings generally use slightly lower parameters, because those algorithms are responsible for encrypting the actual data traffic that we want to send over the IPsec tunnel


DMVPN HUB Phase3 example3.png


Step 4: configure DMVPN NHRP parameters:

### Highlight the importance of "Redirect option here". This is essentially what makes P3 possible.


DMVPN HUB Phase3 example4.png


Step 5: save changes

Hub configuration: BGP

Navigate to the Network → Routing → Dynamic Routes → BGP Protocol page and follow the instructions provided below.

Step 1: enable BGP and configure General section:

- Enable vty

- Set AS to 65000

- Set announcement network(s). Routes to these networks will be shared over BGP. We used 192.168.1.0/24

### Highlight the fact that "NHRP routes" selection should exist under "Redistribution options"

### Probably a good idea to set BGP router ID here using GRE interface IPs to avoid confusion and make troubleshooting easier


DMVPN HUB Phase3 example5.png



Step 2: Create BGP Peer Group:

- Add Neighbor address (We used 10.0.0.1 and 10.0.0.2)

### Explanation needed what these IP addresses are - this might not be clear enough for end-users that these are the spoke devices' GRE IP addresses

### Also need to quickly mention about other settings

### Remote AS is empty here - I don't remember now, but is this intended?


DMVPN HUB Phase3 example6.png



Step 3: Add two BGP peers for each spoke:

### Need to mention that "Let's move on to spokes BGP configuration now.", because it looks a bit confusing

Peer 1.

- Set Remote AS to 65001

- Set Remote address as 10.0.0.1

Peer 2.

- Set Remote AS to 65002

- Set Remote address as 10.0.0.2

### Briefly mention that other fields are not mandatory, but changes can be done if needed (aka "we will keep other settings as their default values for this configuration example" statement)


DMVPN HUB Phase3 example7.png


DMVPN HUB Phase3 example8.png



Spoke 1 configuration: DMVPN


### I think this should be done before dynamic routing configuration on each spoke, just to have IPsec tunnel and GRE IPs set for us


Navigate to the Services → VPN → DMVPN page and follow the instructions provided below.

Step 1: create a new DMVPN instance:

### I recommend to explain each step here in detail, for example:

- Add HUB address ### - this is the public IP address of the previously configured hub device

- Select Tunnel source ### - this is the egress interface, which will be able to reach the hub device's public IP address over the internet

- Add Local GRE interface IP address ### - this is the GRE IP address of "Spoke 1". It should be unique in the entire VPN network

- Add Remote GRE interface IP address ### - this is the GRE IP address of the previously configured hub device

- Set GRE MTU ### - this value should be set to the same value that was configured on the hub device. In our case, it is "1400"

- Set Local identifier, Remote identifier as %any and input the same Pre-shared key ### a brief explanation of why this is needed would be nice as well


DMVPN HUB Phase3 spoke1 example1.png



Step 2: configure DMVPN Phase 1 parameters:

- Select Encryption algorithm - AES 128

- Select Authentication SHA1

- Select DH group MODP1024


### Same comment from hub section applies, increase security level


DMVPN HUB Phase3 spoke example2.png



Step 3: configure DMVPN Phase 2 parameters:

- Select Encryption algorithm 3DES

- Select Hash algorithm MD5

- Select PFS group MODP768


### Same comment from hub section applies, increase security level


DMVPN HUB Phase3 spoke example3.png



Step 4: configure DMVPN NHRP parameters:

- Leave everything by default

### Once again, highlight importance of "Redirect" option here

DMVPN HUB Phase3 spoke example4.png


Step 5: save changes

Spoke 1 configuration: BGP

Navigate to the Network → Routing → Dynamic Routes → BGP Protocol page and follow the instructions provided below.

Step 1: enable BGP and configure General section:

- Enable vty

- Set AS to 65001

- Set Network to 192.168.10.0/24


DMVPN HUB Phase3 spoke example5.png



Step 2: Create BGP Peer:

- Set Remote AS to 65000

- Set Remote address to 10.0.0.254


DMVPN HUB Phase3 spoke example6.png

Spoke 2 configuration: DMVPN

### Same points and comments apply here just as it was in Spoke 1 config section

Navigate to the Services → VPN → DMVPN page and follow the instructions provided below.

Step 1: create a new DMVPN instance:

- Input your HUB address

- Select Tunnel source interface

- Set Local GRE interface address to 10.0.0.2

- Set Remote GRE interface IP address to 10.0.0.254

- Set GRE MTU to 1476


DMVPN HUB Phase3 spoke2 example1.png



Step 2: configure DMVPN Phase 1 parameters:

- Select Encryption algorithm - AES 128

- Select Authentication SHA1

- Select DH group MODP1024


DMVPN HUB Phase3 spoke2 example2.png


Step 3: configure DMVPN Phase 2 parameters:

- Select Encryption algorithm 3DES

- Select Hash algorithm MD5

- Select PFS group MODP768


DMVPN HUB Phase3 spoke2 example3.png



Step 4: configure DMVPN NHRP parameters:


DMVPN HUB Phase3 spoke2 example4.png


Step 5: save changes

Spoke 2 configuration: BGP

Navigate to the Network → Routing → Dynamic Routes → BGP Protocol page and follow the instructions provided below.

Step 1: enable BGP and configure General section:

- Enable vty

- Set AS to 65002

- Set Network to 192.168.20.0/24


DMVPN HUB Phase3 spoke2 example5.png



Step 2: Create BGP Peer:

- Set Remote AS to 65000

- Set Remote address to 10.0.0.254


DMVPN HUB Phase3 spoke2 example6.png

Important Note

### Explanation why this is needed is recommended, because naturally a question comes to mind "why" this is needed

For HUB in Network > Firewall GRE zone change from REJECT to ACCEPT on FORWARD.


DMVPN HUB Phase3 example Firewall.png



For setups behind NAT, specify the Local identifier in the Services → VPN → DMVPN → IPsec section

### Didn't we already set this during spoke configuration? It's a good point to mention/explain, but I don't think this should be at the bottom of the article, but instead should be next to IPsec config of each spoke


DMVPN HUB Phase3 example Behind NAT.png


### Need to show working configuration with pings or something. Also to verify that Phase 3 DMVPN condition is actually working.
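The hub and spoke steps above share many values that must agree (GRE addressing, MTU, IPsec proposals, pre-shared key, BGP AS numbers and peer addresses). The following added example (not Teltonika's code or this page's) audits such a configuration written as plain dicts, using the addresses and proposals listed on this page and the minimum strengths the page's reviewer notes ask for; the algorithm ranking and the hardened pre-shared key are constructed.

```python
"""Consistency and strength audit for a DMVPN hub/spoke configuration."""
import ipaddress

# Relative strength of the options in the DMVPN proposal menus (constructed ranking,
# higher is stronger). MINIMUM is what this page's reviewer notes ask for.
ENC = {"3DES": 0, "AES128": 1, "AES192": 2, "AES256": 3}
HASH = {"MD5": 0, "SHA1": 1, "SHA256": 2, "SHA384": 3, "SHA512": 4}
DH = {"MODP768": 0, "MODP1024": 1, "MODP1536": 2, "MODP2048": 3,
      "MODP3072": 4, "ECP256": 4, "MODP4096": 5}
RANK = {"enc": ENC, "hash": HASH, "dh": DH}
MINIMUM = {"enc": "AES128", "hash": "SHA256", "dh": "MODP3072"}


def check_proposal(dev: dict, phase: str, out: list) -> None:
    """Flag any Phase 1 / Phase 2 algorithm ("dh" is the PFS group in Phase 2) below MINIMUM."""
    for key in ("enc", "hash", "dh"):
        value = dev[phase][key]
        if RANK[key].get(value, -1) < RANK[key][MINIMUM[key]]:
            out.append((dev["name"], f"weak-{phase}-{key}", f"{value} is below {MINIMUM[key]}"))


def audit(hub: dict, spokes: list) -> list:
    """Return (device, code, detail) findings; an empty list means the config is consistent."""
    out = []
    hub_net = ipaddress.ip_network(f"{hub['gre_ip']}/{hub['gre_mask']}", strict=False)
    hub_peers = {p["address"]: p["remote_as"] for p in hub["bgp_peers"]}
    seen = {hub["gre_ip"]}
    for phase in ("phase1", "phase2"):
        check_proposal(hub, phase, out)
    if len(hub["psk"]) < 20:
        out.append((hub["name"], "weak-psk", "pre-shared key shorter than 20 characters"))
    if not hub["nhrp_redirect"]:
        out.append((hub["name"], "no-redirect", "REDIRECT is off, so Phase 3 shortcuts cannot form"))
    for s in spokes:
        n = s["name"]
        for phase in ("phase1", "phase2"):
            check_proposal(s, phase, out)
            # IKE negotiation only succeeds when both ends offer the same proposal
            if s[phase] != hub[phase]:
                out.append((n, f"{phase}-mismatch", f"{s[phase]} vs hub {hub[phase]}"))
        if s["psk"] != hub["psk"]:
            out.append((n, "psk-mismatch", "pre-shared key differs from the hub"))
        # GRE addressing: the spoke must point at the hub's GRE address, sit inside
        # the hub's GRE subnet and use an address nobody else uses.
        if s["remote_gre_ip"] != hub["gre_ip"]:
            out.append((n, "remote-gre", f"{s['remote_gre_ip']} is not the hub's {hub['gre_ip']}"))
        if ipaddress.ip_address(s["gre_ip"]) not in hub_net:
            out.append((n, "gre-outside-subnet", f"{s['gre_ip']} not in {hub_net}"))
        if s["gre_ip"] in seen:
            out.append((n, "gre-duplicate", f"{s['gre_ip']} already used"))
        seen.add(s["gre_ip"])
        if s["gre_mtu"] != hub["gre_mtu"]:
            out.append((n, "mtu-mismatch", f"{s['gre_mtu']} vs hub {hub['gre_mtu']}"))
        # BGP: the hub's peer entry for this spoke carries the spoke's AS and GRE address,
        # and the spoke's single peer points back at the hub's AS and GRE address.
        if hub_peers.get(s["gre_ip"]) != s["as"]:
            out.append((n, "hub-peer-as", f"hub has AS {hub_peers.get(s['gre_ip'])} for {s['gre_ip']}, spoke runs AS {s['as']}"))
        if s["bgp_peer"] != {"address": hub["gre_ip"], "remote_as": hub["as"]}:
            out.append((n, "spoke-peer", f"{s['bgp_peer']} does not point at hub AS {hub['as']} at {hub['gre_ip']}"))
    return out


PAGE_PHASE1 = {"enc": "AES128", "hash": "SHA1", "dh": "MODP1024"}
PAGE_PHASE2 = {"enc": "3DES", "hash": "MD5", "dh": "MODP768"}


def page_config():
    """The values as this page lists them, including its MTU inconsistency (1420/1400/1476)."""
    def spoke(name, gre_ip, mtu, asn):
        return {"name": name, "gre_ip": gre_ip, "remote_gre_ip": "10.0.0.254", "gre_mtu": mtu,
                "phase1": dict(PAGE_PHASE1), "phase2": dict(PAGE_PHASE2), "psk": "123456",
                "as": asn, "bgp_peer": {"address": "10.0.0.254", "remote_as": 65000}}
    hub = {"name": "HUB", "gre_ip": "10.0.0.254", "gre_mask": "255.255.255.0", "gre_mtu": 1420,
           "phase1": dict(PAGE_PHASE1), "phase2": dict(PAGE_PHASE2), "psk": "123456",
           "as": 65000, "nhrp_redirect": True,
           "bgp_peers": [{"address": "10.0.0.1", "remote_as": 65001},
                         {"address": "10.0.0.2", "remote_as": 65002}]}
    return hub, [spoke("SPOKE1", "10.0.0.1", 1400, 65001), spoke("SPOKE2", "10.0.0.2", 1476, 65002)]


def hardened_config():
    """Same topology with the reviewer's minimum proposals, one MTU and a long constructed PSK."""
    hub, spokes = page_config()
    for dev in (hub, *spokes):
        dev["phase1"] = {"enc": "AES256", "hash": "SHA256", "dh": "MODP3072"}
        dev["phase2"] = {"enc": "AES256", "hash": "SHA256", "dh": "MODP3072"}
        dev["psk"] = "constructed-example-psk-replace-me-0123456789"
        dev["gre_mtu"] = 1420
    return hub, spokes


if __name__ == "__main__":
    for device, code, detail in audit(*page_config()):
        print(f"{device:7} {code:22} {detail}")
```

Run against the page's own values it reports the weak proposals on all three devices, the short pre-shared key and the MTU mismatch on both spokes; the hardened variant produces no findings.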