Changes

DMVPN with IPsec Phase 3 (view source)

Revision as of 09:02, 16 December 2022

1,669 bytes added , 09:02, 16 December 2022

m

no edit summary

Line 29: Line 29:

- Set Local GRE interface IP address (for example, 10.0.0.254)

−

- Set GRE MTU value

+

- Set GRE MTU value to 1476

−

- Set Pre-shared key

+

- Set Pre-shared key (we used simple 123456 for this example)

[[File:DMVP_HUB_phase3_example1.png]]

----

−

Step 2: configure DMVPN Phase 1 parameters: [[File:DMVP HUB phase3 example2.png]]

+

Step 2: configure DMVPN Phase 1 parameters:

+

- Encryption algorithm - AES 128

+

- Authentication SHA1

+

- DH group - MODP1024

+

[[File:DMVP HUB phase3 example2.png]]

----

−

Step 3: configure DMVPN Phase 2 parameters: [[File:DMVPN HUB Phase3 example3.png]]

+

Step 3: configure DMVPN Phase 2 parameters:

+

- Encryption algorithm - 3DES

+

- Hash algorithm - MD5

+

- PFS group -MODP768

+

[[File:DMVPN HUB Phase3 example3.png]]

----

−

Step 4: configure DMVPN NHRP parameters: [[File:DMVPN HUB Phase3 example4.png]]

+

Step 4: configure DMVPN NHRP parameters:

+

[[File:DMVPN HUB Phase3 example4.png]]

----

Step 5: save changes

Line 47: Line 65:

Navigate to the Network → Routing → Dynamic Routes → BGP Protocol page and follow the instructions provided below.

−

Step 1: enable BGP and configure General section: [[File:DMVPN HUB Phase3 example5.png]]

+

Step 1: enable BGP and configure General section:

+

- Enable vty

+

- Set AS to 65000

+

- Set announcement network(s). Routes to these networks will be shared over BGP. We used 192.168.1.0/24

+

[[File:DMVPN HUB Phase3 example5.png]]

----

−

Step 2: Create BGP Peer Group: [[File:DMVPN HUB Phase3 example6.png]]

+

Step 2: Create BGP Peer Group:

+

- Add Neighbor address (We used 10.0.0.1 and 10.0.0.2)

+

[[File:DMVPN HUB Phase3 example6.png]]

----

−

Step 3: Add two BGP peers for each spoke: [[File:DMVPN HUB Phase3 example7.png]]

+

Step 3: Add two BGP peers for each spoke:

+

Peer 1.

+

- Set Remote AS to 65001

+

- Set Remote address as 10.0.0.1

+

Peer 2.

+

- Set Remote AS to 65002

+

- Set Remote address as 10.0.0.2

+

[[File:DMVPN HUB Phase3 example7.png]]

----

[[File:DMVPN HUB Phase3 example8.png]]

Line 61: Line 109:

Navigate to the Services → VPN → DMVPN page and follow the instructions provided below.

−

Step 1: create a new DMVPN instance: [[File:DMVPN HUB Phase3 spoke1 example1.png]]

+

Step 1: create a new DMVPN instance:

+

- Add HUB address

+

- Select Tunnel source

+

- Add Local GRE interface IP address

+

- Add Remote GRE interface IP address

+

- Set GRE MTU

+

- Set Local identifier, Remote identifier as %any and input same Pre-shared key

+

[[File:DMVPN HUB Phase3 spoke1 example1.png]]

----

−

Step 2: configure DMVPN Phase 1 parameters: [[File:DMVPN HUB Phase3 spoke example2.png]]

+

Step 2: configure DMVPN Phase 1 parameters:

+

- Select Encryption algorithm - AES 128

+

- Select Authentication SHA1

+

- Select DH group MODP1024

+

[[File:DMVPN HUB Phase3 spoke example2.png]]

----

−

Step 3: configure DMVPN Phase 2 parameters: [[File:DMVPN HUB Phase3 spoke example3.png]]

+

Step 3: configure DMVPN Phase 2 parameters:

+

- Select Encryption algorithm 3DES

+

- Select Hash algorithm MD5

+

- Select PFS group MODP768

+

[[File:DMVPN HUB Phase3 spoke example3.png]]

----

−

Step 4: configure DMVPN NHRP parameters: [[File:DMVPN HUB Phase3 spoke example4.png]]

+

Step 4: configure DMVPN NHRP parameters:

+

- Leave everything by default

+

[[File:DMVPN HUB Phase3 spoke example4.png]]

----

Step 5: save changes

Line 75: Line 163:

Navigate to the Network → Routing → Dynamic Routes → BGP Protocol page and follow the instructions provided below.

−

Step 1: enable BGP and configure General section: [[File:DMVPN HUB Phase3 spoke example5.png]]

+

Step 1: enable BGP and configure General section:

+

- Enable vty

+

- Set AS to 65001

+

- Set Network to 192.168.10.0/24

+

[[File:DMVPN HUB Phase3 spoke example5.png]]

----

−

Step 2: Create BGP Peer: [[File:DMVPN HUB Phase3 spoke example6.png]]

+

Step 2: Create BGP Peer:

+

- Set Remote AS to 65000

+

- Set Remote address to 10.0.0.254

+

[[File:DMVPN HUB Phase3 spoke example6.png]]

===Spoke 2 configuration: DMVPN===

Line 83: Line 187:

Navigate to the Services → VPN → DMVPN page and follow the instructions provided below.

−

Step 1: create a new DMVPN instance: [[File:DMVPN HUB Phase3 spoke2 example1.png]]

+

Step 1: create a new DMVPN instance:

+

- Input your HUB address

+

- Select Tunnel source interface

+

- Set Local GRE interface address to 10.0.0.2

+

- Set Remote GRE interface IP address to 10.0.0.254

+

- Set GRE MTU to 1476

+

[[File:DMVPN HUB Phase3 spoke2 example1.png]]

----

−

Step 2: configure DMVPN Phase 1 parameters: [[File:DMVPN HUB Phase3 spoke2 example2.png]]

+

Step 2: configure DMVPN Phase 1 parameters:

+

- Select Encryption algorithm - AES 128

+

- Select Authentication SHA1

+

- Select DH group MODP1024

+

[[File:DMVPN HUB Phase3 spoke2 example2.png]]

----

−

Step 3: configure DMVPN Phase 2 parameters: [[File:DMVPN HUB Phase3 spoke2 example3.png]]

+

Step 3: configure DMVPN Phase 2 parameters:

+

- Select Encryption algorithm 3DES

+

- Select Hash algorithm MD5

+

- Select PFS group MODP768

+

[[File:DMVPN HUB Phase3 spoke2 example3.png]]

----

−

Step 4: configure DMVPN NHRP parameters: [[File:DMVPN HUB Phase3 spoke2 example4.png]]

+

Step 4: configure DMVPN NHRP parameters:

+

[[File:DMVPN HUB Phase3 spoke2 example4.png]]

----

Step 5: save changes

Line 97: Line 235:

Navigate to the Network → Routing → Dynamic Routes → BGP Protocol page and follow the instructions provided below.

−

Step 1: enable BGP and configure General section: [[File:DMVPN HUB Phase3 spoke2 example5.png]]

+

Step 1: enable BGP and configure General section:

+

- Enable vty

+

- Set AS to 65002

+

- Set Network to 192.168.20.0/24

+

[[File:DMVPN HUB Phase3 spoke2 example5.png]]

----

−

Step 2: Create BGP Peer: [[File:DMVPN HUB Phase3 spoke2 example6.png]]

+

Step 2: Create BGP Peer:

+

- Set Remote AS to 65000

+

- Set Remote address to 10.0.0.254

+

[[File:DMVPN HUB Phase3 spoke2 example6.png]]

===Important Note===

For HUB in Network > Firewall GRE zone change from REJECT to ACCEPT on FORWARD.

+

----

[[File:DMVPN HUB Phase3 example Firewall.png]]

----

+

For setups behind NAT specify Local identifier in the Services → VPN → DMVPN → IPsec section

+

----

[[File:DMVPN HUB Phase3 example Behind NAT.png]]

TomasM

Administrators

154

edits