Line 41: |
Line 41: |
| - Set Local GRE interface IP address (for example, 10.0.0.254) | | - Set Local GRE interface IP address (for example, 10.0.0.254) |
| | | |
− | - Set GRE interface netmask to 255.255.255.0 (for entire subnet or according to how many spokes we expect to connect to this hub) | + | - Set GRE interface netmask to 255.255.255.0 (for the entire subnet or according to how many spokes we expect to connect to this hub) |
| | | |
| - Set GRE MTU value to 1420 (or even slightly lower - 1400 if a mobile interface is used) | | - Set GRE MTU value to 1420 (or even slightly lower - 1400 if a mobile interface is used) |
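Review bot: Only the wording in the netmask bullet changes here ("for the entire subnet"), which is fine, but the bullet still leaves the sizing rule implicit; with the hub at 10.0.0.254 and a 255.255.255.0 mask the subnet has 254 usable addresses, so state plainly that a /24 leaves room for 253 spokes and that every spoke's GRE address must fall inside this same subnet. The MTU bullet (1420, or 1400 on a mobile interface) is carried over unchanged and needs no edit.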
Line 55: |
Line 55: |
| - Encryption algorithm - AES 128 | | - Encryption algorithm - AES 128 |
| | | |
− | - Authentication SHA1 | + | - Authentication SHA256 |
| | | |
− | - DH group - MODP1024 | + | - DH group - MODP3072 |
| | | |
− | | + | <br>[[File:DMVPN phase3 example2.png|alt=|border]] |
− | <nowiki>###</nowiki> I don't recommend these parameters, they are not secure. Anything at or below the following shouldn't be used:
| |
− | | |
− | <nowiki>###</nowiki> AES-128
| |
− | | |
− | <nowiki>###</nowiki> Auth SHA256
| |
− | | |
− | <nowiki>###</nowiki> DH group - MODP3072 or ECP256
| |
− | | |
− | <br>[[File:DMVP HUB phase3 example2.png|border|class=tlt-border]] | |
| ---- | | ---- |
| <b>Step 3</b>: configure DMVPN Phase 2 parameters: | | <b>Step 3</b>: configure DMVPN Phase 2 parameters: |
| | | |
− | - Encryption algorithm - 3DES | + | - Encryption algorithm - AES 128 |
− | | |
− | - Hash algorithm - MD5
| |
− | | |
− | - PFS group -MODP768
| |
− | | |
| | | |
− | <nowiki>###</nowiki> Same story here, try to increase security level here to a more secure solution.
| + | - Hash algorithm - SHA256 |
| | | |
− | <nowiki>###</nowiki> IPsec Phase 2 settings generally uses slightly lower parameters, because those algorithms are responsible for encrypting actual data traffic that we want to send over the IPsec tunnel
| + | - PFS group -MODP3072 |
| | | |
− | <br>[[File:DMVPN HUB Phase3 example3.png|border|class=tlt-border]] | + | <br>[[File:DMVPN phase3 example3.png|alt=|border]] |
| ---- | | ---- |
| <b>Step 4</b>: configure DMVPN NHRP parameters: | | <b>Step 4</b>: configure DMVPN NHRP parameters: |
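Review bot: The Phase 1 values introduced here (AES 128, SHA256, MODP3072) are exactly the ones the removed "###" note listed under "Anything at or below the following shouldn't be used", so the revision contradicts the guidance it deletes; either the note meant "below" (in which case AES 128 / SHA256 / MODP3072 are the floor and the text should say so), or Phase 1 should move a step above that floor (for instance AES 256 rather than AES 128) so the page is consistent with its own recommendation. The Phase 2 upgrades (3DES to AES 128, MD5 to SHA256, MODP768 to MODP3072) are correct and align Phase 2 with Phase 1, which also makes dropping the removed sentence about Phase 2 "generally" using lower parameters appropriate. Two smaller points: "- PFS group -MODP3072" is missing the space after the hyphen, unlike "- DH group - MODP3072"; and the new image links replace `class=tlt-border` with `alt=|border`, so confirm the rendering still matches the other screenshots on the page (the old "DMVP HUB phase3 example2.png" filename with the "DMVP" typo is rightly dropped).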