
DMVPN with IPsec Phase 3: Difference between revisions

No edit summary
mNo edit summary
Line 63: Line 63:
5. Set IPsec Pre-shared key (we used simple 123456 for this example)
5. Set IPsec Pre-shared key (we used simple 123456 for this example)


<br>[[File:HUB main.png|alt=|border]]
<br>[[File:HUB main.png|border|class=tlt-border]]
----
----
<b>Step 2</b>: configure '''DMVPN Phase 1''' parameters:
<b>Step 2</b>: configure '''DMVPN Phase 1''' parameters:
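Review bot: The context line in this hunk, "Set IPsec Pre-shared key (we used simple 123456 for this example)", leaves a guessable key in a step readers will copy, and this revision only touches the image markup beneath it. Suggest rewording the step to say the value is a placeholder and that a long, randomly generated key should be set in its place, the same one on the HUB and on the spokes that are told to "input the same Pre-shared key".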
Line 73: Line 73:
3. DH group - MODP3072
3. DH group - MODP3072


<br>[[File:Hub phase1.png|alt=|border]]
<br>[[File:Hub phase1.png|border|class=tlt-border]]
----
----
<b>Step 3</b>: configure '''DMVPN Phase 2''' parameters:
<b>Step 3</b>: configure '''DMVPN Phase 2''' parameters:
Line 83: Line 83:
3. PFS group -MODP3072
3. PFS group -MODP3072


<br>[[File:Hub phase2 fix.png|alt=|border]]
<br>[[File:Hub phase2 fix.png|border|class=tlt-border]]
----
----
<b>Step 4</b>: configure '''DMVPN NHRP''' parameters:
<b>Step 4</b>: configure '''DMVPN NHRP''' parameters:
Line 89: Line 89:
In the NHRP parameters section, it is important to enable '''REDIRECT''' option, which is essential to our Phase 3 configuration.
In the NHRP parameters section, it is important to enable '''REDIRECT''' option, which is essential to our Phase 3 configuration.


<br>[[File:Redirect.png|alt=|border]]
<br>[[File:Redirect.png|border|class=tlt-border]]
----
----
<b>Step 5</b>: save changes
<b>Step 5</b>: save changes
Line 109: Line 109:
5. "NHRP routes" selection should be applied under the "Redistribution options" section
5. "NHRP routes" selection should be applied under the "Redistribution options" section


<br>[[File:Hub bgp.png|alt=|border]]
<br>[[File:Hub bgp.png|border|class=tlt-border]]
----
----


Line 119: Line 119:
- Leave other settings as default.
- Leave other settings as default.


<br>[[File:Bgp peer grp.png|alt=|border]]
<br>[[File:Bgp peer grp.png|border|class=tlt-border]]
----
----


Line 141: Line 141:
We will keep other settings as their default values for this configuration example.
We will keep other settings as their default values for this configuration example.


<br>[[File:Bgp peer1.png|alt=|border]]
<br>[[File:Bgp peer1.png|border|class=tlt-border]]
----
----
[[File:Bgp peer2.png|alt=|border]]
[[File:Bgp peer2.png|border|class=tlt-border]]
----
----


Line 167: Line 167:
6.  Set Local identifier (For setups behind NAT), Remote identifier as %any and input the same Pre-shared key (This will determine how other devices will be identified for authentication)
6.  Set Local identifier (For setups behind NAT), Remote identifier as %any and input the same Pre-shared key (This will determine how other devices will be identified for authentication)


<br>[[File:Spoke dmvpn.png|alt=|border]]
<br>[[File:Spoke dmvpn.png|border|class=tlt-border]]
----
----


Line 179: Line 179:
3.  Select DH group MODP3072
3.  Select DH group MODP3072


<br>[[File:Hub phase1.png|alt=spoke phase1|border]]
<br>[[File:Hub phase1.png|border|class=tlt-border]]
----
----


Line 191: Line 191:
3.  Select PFS group MODP3072
3.  Select PFS group MODP3072


<br>[[File:Hub phase2 fix.png|alt=spoke phase2|border]]
<br>[[File:Hub phase2 fix.png|border|class=tlt-border]]
----
----


Line 201: Line 201:
- Leave everything by default
- Leave everything by default


<br>[[File:Redirect.png|alt=Redirect|border]]
<br>[[File:Redirect.png|border|class=tlt-border]]
----
----
<b>Step 5</b>: save changes
<b>Step 5</b>: save changes
Line 217: Line 217:
3. Set Network to 192.168.10.0/24
3. Set Network to 192.168.10.0/24


<br>[[File:Spoke bgp.png|alt=|border]]
<br>[[File:Spoke bgp.png|border|class=tlt-border]]
----
----


Line 229: Line 229:
- Leave everything else as default value
- Leave everything else as default value


<br>[[File:Spoke bgp peer.png|alt=|border]]
<br>[[File:Spoke bgp peer.png|border|class=tlt-border]]


===Spoke 2 configuration: DMVPN===
===Spoke 2 configuration: DMVPN===
Line 249: Line 249:
6. Set Local identifier (For setups behind NAT), Remote identifier as %any and input the same Pre-shared key (This will determine how other devices will be identified for authentication)
6. Set Local identifier (For setups behind NAT), Remote identifier as %any and input the same Pre-shared key (This will determine how other devices will be identified for authentication)


<br>[[File:Spoke2 dmvpn.png|alt=|border]]
<br>[[File:Spoke2 dmvpn.png|border|class=tlt-border]]
----
----


Line 261: Line 261:
3. Select DH group MODP3072
3. Select DH group MODP3072


<br>[[File:Hub phase1.png|alt=spoke phase1|border]]
<br>[[File:Hub phase1.png|border|class=tlt-border]]
----
----
<b>Step 3</b>: configure '''DMVPN Phase 2''' parameters:
<b>Step 3</b>: configure '''DMVPN Phase 2''' parameters:
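Review bot: The new image line drops "alt=spoke phase1" from the Hub phase1.png reference, and that alt text was the visible marker that the hub screenshot is being reused for the spoke's Phase 1 step. Suggest keeping a descriptive alt next to the new class, for example "|border|class=tlt-border|alt=spoke phase1", here and in the other spoke hunks that lose "alt=spoke phase2" and "alt=Redirect".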
Line 271: Line 271:
3. Select PFS group MODP3072
3. Select PFS group MODP3072


<br>[[File:Hub phase2 fix.png|alt=spoke phase2|border]]
<br>[[File:Hub phase2 fix.png|border|class=tlt-border]]
----
----


Line 281: Line 281:
- Leave everything by default
- Leave everything by default


<br>[[File:Redirect.png|alt=Redirect|border]]
<br>[[File:Redirect.png|border|class=tlt-border]]
----
----
<b>Step 5</b>: save changes
<b>Step 5</b>: save changes
Line 297: Line 297:
3.  Set Network to 192.168.20.0/24
3.  Set Network to 192.168.20.0/24


<br>[[File:Spoke2 bgp peer.png|alt=|border]]
<br>[[File:Spoke2 bgp peer.png|border|class=tlt-border]]
----
----


Line 309: Line 309:
- Leave everything else as default value
- Leave everything else as default value


<br>[[File:Spoke bgp peer.png|alt=Spoke bgp peer|border]]
<br>[[File:Spoke bgp peer.png|border|class=tlt-border]]


----
----
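Review bot: The image kept in this hunk is "Spoke bgp peer.png", the same file used in the Line 229 hunk, although this part of the page follows the "Spoke 2 configuration" heading and a "Spoke2 bgp peer.png" file appears in the Line 297 hunk after the network step. Since the markup is being edited anyway, confirm which screenshot belongs to the Spoke 2 peer step. If the Spoke 1 image is reused on purpose, keep an alt that says so instead of dropping "alt=Spoke bgp peer".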
Line 318: Line 318:
For '''HUB''' in Network -> Firewall GRE zone change from '''REJECT''' to '''ACCEPT''' on '''FORWARD.'''
For '''HUB''' in Network -> Firewall GRE zone change from '''REJECT''' to '''ACCEPT''' on '''FORWARD.'''


[[File:Firewall.png|alt=|border]]
[[File:Firewall.png|border|class=tlt-border]]


===Testing configuration===
===Testing configuration===
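Review bot: The context line tells the reader to switch the GRE zone from REJECT to ACCEPT on FORWARD for the HUB, but nothing in the visible text says what that setting permits, and the Firewall.png screenshot under it is left without alt text by this change. Suggest adding one sentence naming the traffic this is meant to forward, so a reader can check the resulting zone policy against their own setup rather than copying it from the image.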