Changes

DMVPN with IPsec Phase 3 (view source)

Revision as of 11:49, 26 January 2023

166 bytes removed , 11:49, 26 January 2023

m

no edit summary

Line 217: Line 217:

- Set Network to 192.168.10.0/24

−

[[File:~~DMVPN HUB Phase3 spoke example5~~.png|~~border~~|~~class=tlt-~~border]]

+

[[File:Spoke bgp.png|alt=|border]]

----

Line 229: Line 229:

- Leave everything else as default value

−

[[File:~~DMVPN HUB Phase3 spoke example6~~.png|~~border~~|~~class=tlt-~~border]]

+

[[File:Spoke bgp peer.png|alt=|border]]

===Spoke 2 configuration: DMVPN===

Line 235: Line 235:

Navigate to the Services → VPN → DMVPN page and follow the instructions provided below.

−

Step 1: create a new DMVPN instance:

+

Step 1: create a new DMVPN instance:

−

- Add HUB address (this is the public IP address of the previously configured hub device)

+

1. Add HUB address (this is the public IP address of the previously configured hub device)

−

- Select Tunnel source (this is the egress interface, which will be able to reach the hub device's public IP address over the internet)

+

2. Select Tunnel source (this is the egress interface, which will be able to reach the hub device's public IP address over the internet)

−

- Add Local GRE interface IP address (this is the GRE IP address of "Spoke 2". It should be unique in the entire VPN network)

+

3. Add Local GRE interface IP address (this is the GRE IP address of "Spoke 2". It should be unique in the entire VPN network)

−

- Add Remote GRE interface IP address (this is the GRE IP address of the previously configured hub device)

+

4. Add Remote GRE interface IP address (this is the GRE IP address of the previously configured hub device)

−

- Set GRE MTU to 1420 (this value should be set to the same value that was configured on the hub device. In our case, it is "1420")

+

5. Set GRE MTU to 1420 (this value should be set to the same value that was configured on the hub device. In our case, it is "1420")

−

- Set Local identifier (For setups behind NAT), Remote identifier as %any and input the same Pre-shared key (This will determine how other devices will be identified for authentication)

+

6. Set Local identifier (For setups behind NAT), Remote identifier as %any and input the same Pre-shared key (This will determine how other devices will be identified for authentication)

−

[[File:~~DMVPN phase3 example5~~.png|alt=|border]]

+

[[File:Spoke2 dmvpn.png|alt=|border]]

----

Line 261: Line 261:

- Select DH group MODP3072

−

[[File:~~DMVPN phase3 example2~~.png|alt=|border]]

+

[[File:Hub phase1.png|alt=spoke phase1|border]]

----

Step 3: configure DMVPN Phase 2 parameters:

Line 271: Line 271:

- Select PFS group MODP3072

−

[[File:~~DMVPN phase3 example3~~.png|alt=|border]]

+

[[File:Hub phase2 fix.png|alt=spoke phase2|border]]

----

Line 281: Line 281:

- Leave everything by default

−

[[File:~~DMVPN HUB Phase3 spoke2 example4~~.png|~~border~~|~~class=tlt-~~border]]

+

[[File:Redirect.png|alt=Redirect|border]]

----

Step 5: save changes

Line 297: Line 297:

- Set Network to 192.168.20.0/24

−

[[File:~~DMVPN HUB Phase3 spoke2 example5~~.png|~~border~~|~~class=tlt-~~border]]

+

[[File:Spoke2 bgp peer.png|alt=|border]]

----

Line 309: Line 309:

- Leave everything else as default value

−

[[File:~~DMVPN HUB Phase3 spoke2 example6~~.png|~~border~~|~~class=tlt-~~border]]

+

[[File:Spoke bgp peer.png|alt=Spoke bgp peer|border]]

----

Line 317: Line 317:

For HUB in Network > Firewall GRE zone change from REJECT to ACCEPT on FORWARD.

−

[[File:~~DMVPN HUB Phase3 example~~ Firewall.png|~~border~~|~~class=tlt-~~border]]

+

[[File:Firewall.png|alt=|border]]

===Testing configuration===

TomasM

Administrators

154

edits

Namespaces

Variants

Views

More

Search

Changes

DMVPN with IPsec Phase 3 (view source)

Revision as of 11:49, 26 January 2023

Navigation menu

Personal tools

NAVIGATION

Tools

Categories