Jump to content
  • EN

DMVPN with IPsec Phase 3: Difference between revisions

← Older edit
VisualWikitext
mNo edit summary
No edit summary
 
(8 intermediate revisions by 3 users not shown)
Line 1: Line 1:
  <p style="color:red">The information in this page is updated in accordance with [https://wiki.teltonika-networks.com/view/FW_%26_SDK_Downloads'''00.07.03.2'''] firmware version. .</p>  
  <p style="color:red">The information in this page is updated in accordance with [https://wiki.teltonika-networks.com/view/FW_%26_SDK_Downloads'''00.07.05'''] firmware version. .</p>  


==Introduction==
==Introduction==
Line 63: Line 63:
5. Set IPsec Pre-shared key (we used simple 123456 for this example)
5. Set IPsec Pre-shared key (we used simple 123456 for this example)


<br>[[File:HUB main.png|alt=|border]]
<br>[[File:HUB main.png|border|class=tlt-border]]
----
----
<b>Step 2</b>: configure '''DMVPN Phase 1''' parameters:
<b>Step 2</b>: configure '''DMVPN Phase 1''' parameters:
Line 73: Line 73:
3. DH group - MODP3072
3. DH group - MODP3072


<br>[[File:Hub phase1.png|alt=|border]]
<br>[[File:Hub phase1.png|border|class=tlt-border]]
----
----
<b>Step 3</b>: configure '''DMVPN Phase 2''' parameters:
<b>Step 3</b>: configure '''DMVPN Phase 2''' parameters:
Line 83: Line 83:
3. PFS group -MODP3072
3. PFS group -MODP3072


<br>[[File:Hub phase2 fix.png|alt=|border]]
<br>[[File:Hub phase2 fix.png|border|class=tlt-border]]
----
----
<b>Step 4</b>: configure '''DMVPN NHRP''' parameters:
<b>Step 4</b>: configure '''DMVPN NHRP''' parameters:
Line 89: Line 89:
In the NHRP parameters section, it is important to enable '''REDIRECT''' option, which is essential to our Phase 3 configuration.
In the NHRP parameters section, it is important to enable '''REDIRECT''' option, which is essential to our Phase 3 configuration.


<br>[[File:Redirect.png|alt=|border]]
<br>[[File:Redirect.png|border|class=tlt-border]]
----
----
<b>Step 5</b>: save changes
<b>Step 5</b>: save changes
Line 109: Line 109:
5. "NHRP routes" selection should be applied under the "Redistribution options" section
5. "NHRP routes" selection should be applied under the "Redistribution options" section


<br>[[File:Hub bgp.png|alt=|border]]
<br>[[File:Hub bgp.png|border|class=tlt-border]]
----
----


Line 119: Line 119:
- Leave other settings as default.
- Leave other settings as default.


<br>[[File:Bgp peer grp.png|alt=|border]]
<br>[[File:Bgp peer grp.png|border|class=tlt-border]]
----
----


Line 141: Line 141:
We will keep other settings as their default values for this configuration example.
We will keep other settings as their default values for this configuration example.


<br>[[File:Bgp peer1.png|alt=|border]]
<br>[[File:Bgp peer1.png|border|class=tlt-border]]
----
----
[[File:Bgp peer2.png|alt=|border]]
[[File:Bgp peer2.png|border|class=tlt-border]]
----
----


Line 167: Line 167:
6.  Set Local identifier (For setups behind NAT), Remote identifier as %any and input the same Pre-shared key (This will determine how other devices will be identified for authentication)
6.  Set Local identifier (For setups behind NAT), Remote identifier as %any and input the same Pre-shared key (This will determine how other devices will be identified for authentication)


<br>[[File:Spoke dmvpn.png|alt=|border]]
<br>[[File:Spoke dmvpn.png|border|class=tlt-border]]
----
----


Line 179: Line 179:
3.  Select DH group MODP3072
3.  Select DH group MODP3072


<br>[[File:Hub phase1.png|alt=spoke phase1|border]]
<br>[[File:Hub phase1.png|border|class=tlt-border]]
----
----


Line 191: Line 191:
3.  Select PFS group MODP3072
3.  Select PFS group MODP3072


<br>[[File:Hub phase2 fix.png|alt=spoke phase2|border]]
<br>[[File:Hub phase2 fix.png|border|class=tlt-border]]
----
----


Line 201: Line 201:
- Leave everything by default
- Leave everything by default


<br>[[File:Redirect.png|alt=Redirect|border]]
<br>[[File:Redirect.png|border|class=tlt-border]]
----
----
<b>Step 5</b>: save changes
<b>Step 5</b>: save changes
Line 217: Line 217:
3. Set Network to 192.168.10.0/24
3. Set Network to 192.168.10.0/24


<br>[[File:Spoke bgp.png|alt=|border]]
<br>[[File:Spoke bgp.png|border|class=tlt-border]]
----
----


Line 229: Line 229:
- Leave everything else as default value
- Leave everything else as default value


<br>[[File:Spoke bgp peer.png|alt=|border]]
<br>[[File:Spoke bgp peer.png|border|class=tlt-border]]


===Spoke 2 configuration: DMVPN===
===Spoke 2 configuration: DMVPN===
Line 249: Line 249:
6. Set Local identifier (For setups behind NAT), Remote identifier as %any and input the same Pre-shared key (This will determine how other devices will be identified for authentication)
6. Set Local identifier (For setups behind NAT), Remote identifier as %any and input the same Pre-shared key (This will determine how other devices will be identified for authentication)


<br>[[File:Spoke2 dmvpn.png|alt=|border]]
<br>[[File:Spoke2 dmvpn.png|border|class=tlt-border]]
----
----


Line 261: Line 261:
3. Select DH group MODP3072
3. Select DH group MODP3072


<br>[[File:Hub phase1.png|alt=spoke phase1|border]]
<br>[[File:Hub phase1.png|border|class=tlt-border]]
----
----
<b>Step 3</b>: configure '''DMVPN Phase 2''' parameters:
<b>Step 3</b>: configure '''DMVPN Phase 2''' parameters:
Line 271: Line 271:
3. Select PFS group MODP3072
3. Select PFS group MODP3072


<br>[[File:Hub phase2 fix.png|alt=spoke phase2|border]]
<br>[[File:Hub phase2 fix.png|border|class=tlt-border]]
----
----


Line 281: Line 281:
- Leave everything by default
- Leave everything by default


<br>[[File:Redirect.png|alt=Redirect|border]]
<br>[[File:Redirect.png|border|class=tlt-border]]
----
----
<b>Step 5</b>: save changes
<b>Step 5</b>: save changes
Line 297: Line 297:
3.  Set Network to 192.168.20.0/24
3.  Set Network to 192.168.20.0/24


<br>[[File:Spoke2 bgp peer.png|alt=|border]]
<br>[[File:Spoke2 bgp peer.png|border|class=tlt-border]]
----
----


Line 309: Line 309:
- Leave everything else as default value
- Leave everything else as default value


<br>[[File:Spoke bgp peer.png|alt=Spoke bgp peer|border]]
<br>[[File:Spoke bgp peer.png|border|class=tlt-border]]


----
----
===Important Note===
===Important Note===
For '''HUB''' in Network <b>→</b> Firewall GRE zone change from '''REJECT''' to '''ACCEPT''' on '''FORWARD.'''


Also, disable '''Masquerading''' on '''HUB''' and '''ALL spokes''' for GRE <b>→</b> LAN zone forwardings


 
[[File:Firewall new.png|alt=|border]]
For '''HUB''' in Network -> Firewall GRE zone change from '''REJECT''' to '''ACCEPT''' on '''FORWARD.'''
 
[[File:Firewall.png|alt=|border]]


===Testing configuration===
===Testing configuration===
Line 330: Line 329:
[[File:Ping2.png|alt=|border]]
[[File:Ping2.png|alt=|border]]


- Check routes in the HUB by executing command '''vtysh -c "show ip nhrp"'''
- Check routes in the HUB by executing *command '''vtysh -c "show ip nhrp"'''
 
<b>Note</b>: Vtysh check is unavailable with RUT200, RUT230, RUT240, RUT241, RUT260 devices.


[[File:Vtysh nhrp2.jpg|alt=|border]]
[[File:Vtysh nhrp2.jpg|alt=|border]]


- If you need to reboot tunnel, execute '''/etc/init.d/ipsec retart'''
- If you need to reboot tunnel, execute '''/etc/init.d/ipsec retart'''
== Summary ==
At this point, the basic DMVPN configuration is complete and phase 3 will now take effect in order to dynamically establish connectivity between spokes. Using this method, additional spokes may be configured and added to the current topology. DMVPN Phase 3 technology will ensure that any newly introduced devices will be included in the final topology.
== References ==
[https://wiki.teltonika-networks.com/view/VPN_Configuration_Examples VPN configuration Examples]
[https://wiki.teltonika-networks.com/view/DMVPN_configuration DMVPN configuration example]
[https://wiki.teltonika-networks.com/view/IPsec_configuration_examples IPsec configuration example]
[https://wiki.teltonika-networks.com/view/Routing#BGP_Protocol BGP routing]
[https://docs.strongswan.org/docs/5.9/index.html strongSwan Documentation]
[[Category:VPN]]
Retrieved from "https://wiki.teltonika-networks.com/view/DMVPN_with_IPsec_Phase_3"