Jump to content
  • EN

DMVPN with IPsec Phase 3: Difference between revisions

← Older editNewer edit →
VisualWikitext
mNo edit summary
No edit summary
(9 intermediate revisions by 2 users not shown)
Line 63: Line 63:
5. Set IPsec Pre-shared key (we used simple 123456 for this example)
5. Set IPsec Pre-shared key (we used simple 123456 for this example)


<br>[[File:HUB main.png|alt=|border]]
<br>[[File:HUB main.png|border|class=tlt-border]]
----
----
<b>Step 2</b>: configure '''DMVPN Phase 1''' parameters:
<b>Step 2</b>: configure '''DMVPN Phase 1''' parameters:
Line 73: Line 73:
3. DH group - MODP3072
3. DH group - MODP3072


<br>[[File:Hub phase1.png|alt=|border]]
<br>[[File:Hub phase1.png|border|class=tlt-border]]
----
----
<b>Step 3</b>: configure '''DMVPN Phase 2''' parameters:
<b>Step 3</b>: configure '''DMVPN Phase 2''' parameters:
Line 83: Line 83:
3. PFS group -MODP3072
3. PFS group -MODP3072


<br>[[File:Hub phase2 fix.png|alt=|border]]
<br>[[File:Hub phase2 fix.png|border|class=tlt-border]]
----
----
<b>Step 4</b>: configure '''DMVPN NHRP''' parameters:
<b>Step 4</b>: configure '''DMVPN NHRP''' parameters:
Line 89: Line 89:
In the NHRP parameters section, it is important to enable '''REDIRECT''' option, which is essential to our Phase 3 configuration.
In the NHRP parameters section, it is important to enable '''REDIRECT''' option, which is essential to our Phase 3 configuration.


<br>[[File:Redirect.png|alt=|border]]
<br>[[File:Redirect.png|border|class=tlt-border]]
----
----
<b>Step 5</b>: save changes
<b>Step 5</b>: save changes
Line 109: Line 109:
5. "NHRP routes" selection should be applied under the "Redistribution options" section
5. "NHRP routes" selection should be applied under the "Redistribution options" section


<br>[[File:Hub bgp.png|alt=|border]]
<br>[[File:Hub bgp.png|border|class=tlt-border]]
----
----


Line 119: Line 119:
- Leave other settings as default.
- Leave other settings as default.


<br>[[File:Bgp peer grp.png|alt=|border]]
<br>[[File:Bgp peer grp.png|border|class=tlt-border]]
----
----


Line 141: Line 141:
We will keep other settings as their default values for this configuration example.
We will keep other settings as their default values for this configuration example.


<br>[[File:Bgp peer1.png|alt=|border]]
<br>[[File:Bgp peer1.png|border|class=tlt-border]]
----
----
[[File:Bgp peer2.png|alt=|border]]
[[File:Bgp peer2.png|border|class=tlt-border]]
----
----


Line 167: Line 167:
6.  Set Local identifier (For setups behind NAT), Remote identifier as %any and input the same Pre-shared key (This will determine how other devices will be identified for authentication)
6.  Set Local identifier (For setups behind NAT), Remote identifier as %any and input the same Pre-shared key (This will determine how other devices will be identified for authentication)


<br>[[File:Spoke dmvpn.png|alt=|border]]
<br>[[File:Spoke dmvpn.png|border|class=tlt-border]]
----
----


Line 179: Line 179:
3.  Select DH group MODP3072
3.  Select DH group MODP3072


<br>[[File:Hub phase1.png|alt=spoke phase1|border]]
<br>[[File:Hub phase1.png|border|class=tlt-border]]
----
----


Line 191: Line 191:
3.  Select PFS group MODP3072
3.  Select PFS group MODP3072


<br>[[File:Hub phase2 fix.png|alt=spoke phase2|border]]
<br>[[File:Hub phase2 fix.png|border|class=tlt-border]]
----
----


Line 201: Line 201:
- Leave everything by default
- Leave everything by default


<br>[[File:Redirect.png|alt=Redirect|border]]
<br>[[File:Redirect.png|border|class=tlt-border]]
----
----
<b>Step 5</b>: save changes
<b>Step 5</b>: save changes
Line 211: Line 211:
<b>Step 1</b>: enable '''BGP''' and configure General section:
<b>Step 1</b>: enable '''BGP''' and configure General section:


- Enable vty
1. Enable vty


- Set AS to 65001
2. Set AS to 65001


- Set Network to 192.168.10.0/24
3. Set Network to 192.168.10.0/24


<br>[[File:Spoke bgp.png|alt=|border]]
<br>[[File:Spoke bgp.png|border|class=tlt-border]]
----
----


Line 225: Line 225:
- Set Remote AS to 65000
- Set Remote AS to 65000


- Sethe t Remote address to 10.0.0.254
- Set the Remote address to 10.0.0.254


- Leave everything else as default value
- Leave everything else as default value


<br>[[File:Spoke bgp peer.png|alt=|border]]
<br>[[File:Spoke bgp peer.png|border|class=tlt-border]]


===Spoke 2 configuration: DMVPN===
===Spoke 2 configuration: DMVPN===
Line 241: Line 241:
2. Select Tunnel source (this is the egress interface, which will be able to reach the hub device's public IP address over the internet)
2. Select Tunnel source (this is the egress interface, which will be able to reach the hub device's public IP address over the internet)


3. Add Local GRE interface IP address  (this is the GRE IP address of "Spoke 2". It should be unique in the entire VPN network)  
3. Add Local GRE interface IP address  (this is the GRE IP address of "Spoke 2". It should be unique in the entire VPN network)  


4. Add Remote GRE interface IP address (this is the GRE IP address of the previously configured hub device)
4. Add Remote GRE interface IP address (this is the GRE IP address of the previously configured hub device)


5. Set GRE MTU to 1420  (this value should be set to the same value that was configured on the hub device. In our case, it is "1420")
5. Set GRE MTU to 1420  (this value should be set to the same value that was configured on the hub device. In our case, it is "1420")


6. Set Local identifier (For setups behind NAT), Remote identifier as %any and input the same Pre-shared key (This will determine how other devices will be identified for authentication)
6. Set Local identifier (For setups behind NAT), Remote identifier as %any and input the same Pre-shared key (This will determine how other devices will be identified for authentication)


<br>[[File:Spoke2 dmvpn.png|alt=|border]]
<br>[[File:Spoke2 dmvpn.png|border|class=tlt-border]]
----
----


Line 255: Line 255:
<b>Step 2</b>: configure '''DMVPN Phase 1''' parameters:
<b>Step 2</b>: configure '''DMVPN Phase 1''' parameters:


- Select Encryption algorithm - AES 128
1. Select Encryption algorithm - AES 128


- Select Authentication SHA256
2. Select Authentication SHA256


- Select DH group MODP3072
3. Select DH group MODP3072


<br>[[File:Hub phase1.png|alt=spoke phase1|border]]
<br>[[File:Hub phase1.png|border|class=tlt-border]]
----
----
<b>Step 3</b>: configure '''DMVPN Phase 2''' parameters:
<b>Step 3</b>: configure '''DMVPN Phase 2''' parameters:


- Select Encryption algorithm AES 128
1. Select Encryption algorithm AES 128


- Select Hash algorithm SHA256
2. Select Hash algorithm SHA256


- Select PFS group MODP3072
3. Select PFS group MODP3072


<br>[[File:Hub phase2 fix.png|alt=spoke phase2|border]]
<br>[[File:Hub phase2 fix.png|border|class=tlt-border]]
----
----


Line 281: Line 281:
- Leave everything by default
- Leave everything by default


<br>[[File:Redirect.png|alt=Redirect|border]]
<br>[[File:Redirect.png|border|class=tlt-border]]
----
----
<b>Step 5</b>: save changes
<b>Step 5</b>: save changes
Line 291: Line 291:
<b>Step 1</b>: enable '''BGP''' and configure General section:
<b>Step 1</b>: enable '''BGP''' and configure General section:


- Enable vty
1.  Enable vty


- Set AS to 65002
2.  Set AS to 65002


- Set Network to 192.168.20.0/24
3.  Set Network to 192.168.20.0/24


<br>[[File:Spoke2 bgp peer.png|alt=|border]]
<br>[[File:Spoke2 bgp peer.png|border|class=tlt-border]]
----
----


Line 309: Line 309:
- Leave everything else as default value
- Leave everything else as default value


<br>[[File:Spoke bgp peer.png|alt=Spoke bgp peer|border]]
<br>[[File:Spoke bgp peer.png|border|class=tlt-border]]


----
----
===Important Note===
===Important Note===
For '''HUB''' in Network <b>→</b> Firewall GRE zone change from '''REJECT''' to '''ACCEPT''' on '''FORWARD.'''


Also, disable '''Masquerading''' on '''HUB''' and '''ALL spokes''' for GRE <b>→</b> LAN zone forwardings


 
[[File:Firewall new.png|alt=|border]]
For H'''UB''' in Network -> Firewall GRE zone change from '''REJECT''' to '''ACCEPT''' on '''FORWARD.'''
 
[[File:Firewall.png|alt=|border]]


===Testing configuration===
===Testing configuration===
Line 335: Line 334:


- If you need to reboot tunnel, execute '''/etc/init.d/ipsec retart'''
- If you need to reboot tunnel, execute '''/etc/init.d/ipsec retart'''
== Summary ==
At this point, the basic DMVPN configuration is complete and phase 3 will now take effect in order to dynamically establish connectivity between spokes. Using this method, additional spokes may be configured and added to the current topology. DMVPN Phase 3 technology will ensure that any newly introduced devices will be included in the final topology.
== References ==
[https://wiki.teltonika-networks.com/view/VPN_Configuration_Examples VPN configuration Examples]
[https://wiki.teltonika-networks.com/view/DMVPN_configuration DMVPN configuration example]
[https://wiki.teltonika-networks.com/view/IPsec_configuration_examples IPsec configuration example]
[https://wiki.teltonika-networks.com/view/Routing#BGP_Protocol BGP routing]
[https://docs.strongswan.org/docs/5.9/index.html strongSwan Documentation]
[[Category:VPN]]
Retrieved from "https://wiki.teltonika-networks.com/view/DMVPN_with_IPsec_Phase_3"