Jump to content
  • EN

DMVPN with IPsec Phase 3: Difference between revisions

← Older editNewer edit →
VisualWikitext
mNo edit summary
mNo edit summary
Line 211: Line 211:
<b>Step 1</b>: enable '''BGP''' and configure General section:
<b>Step 1</b>: enable '''BGP''' and configure General section:


- Enable vty
1. Enable vty


- Set AS to 65001
2. Set AS to 65001


- Set Network to 192.168.10.0/24
3. Set Network to 192.168.10.0/24


<br>[[File:Spoke bgp.png|alt=|border]]
<br>[[File:Spoke bgp.png|alt=|border]]
Line 241: Line 241:
2. Select Tunnel source (this is the egress interface, which will be able to reach the hub device's public IP address over the internet)
2. Select Tunnel source (this is the egress interface, which will be able to reach the hub device's public IP address over the internet)


3. Add Local GRE interface IP address  (this is the GRE IP address of "Spoke 2". It should be unique in the entire VPN network)  
3. Add Local GRE interface IP address  (this is the GRE IP address of "Spoke 2". It should be unique in the entire VPN network)  


4. Add Remote GRE interface IP address (this is the GRE IP address of the previously configured hub device)
4. Add Remote GRE interface IP address (this is the GRE IP address of the previously configured hub device)


5. Set GRE MTU to 1420  (this value should be set to the same value that was configured on the hub device. In our case, it is "1420")
5. Set GRE MTU to 1420  (this value should be set to the same value that was configured on the hub device. In our case, it is "1420")


6. Set Local identifier (For setups behind NAT), Remote identifier as %any and input the same Pre-shared key (This will determine how other devices will be identified for authentication)
6. Set Local identifier (For setups behind NAT), Remote identifier as %any and input the same Pre-shared key (This will determine how other devices will be identified for authentication)
Line 255: Line 255:
<b>Step 2</b>: configure '''DMVPN Phase 1''' parameters:
<b>Step 2</b>: configure '''DMVPN Phase 1''' parameters:


- Select Encryption algorithm - AES 128
1. Select Encryption algorithm - AES 128


- Select Authentication SHA256
2. Select Authentication SHA256


- Select DH group MODP3072
3. Select DH group MODP3072


<br>[[File:Hub phase1.png|alt=spoke phase1|border]]
<br>[[File:Hub phase1.png|alt=spoke phase1|border]]
Line 265: Line 265:
<b>Step 3</b>: configure '''DMVPN Phase 2''' parameters:
<b>Step 3</b>: configure '''DMVPN Phase 2''' parameters:


- Select Encryption algorithm AES 128
1. Select Encryption algorithm AES 128


- Select Hash algorithm SHA256
2. Select Hash algorithm SHA256


- Select PFS group MODP3072
3. Select PFS group MODP3072


<br>[[File:Hub phase2 fix.png|alt=spoke phase2|border]]
<br>[[File:Hub phase2 fix.png|alt=spoke phase2|border]]
Line 291: Line 291:
<b>Step 1</b>: enable '''BGP''' and configure General section:
<b>Step 1</b>: enable '''BGP''' and configure General section:


- Enable vty
1.  Enable vty


- Set AS to 65002
2.  Set AS to 65002


- Set Network to 192.168.20.0/24
3.  Set Network to 192.168.20.0/24


<br>[[File:Spoke2 bgp peer.png|alt=|border]]
<br>[[File:Spoke2 bgp peer.png|alt=|border]]
Retrieved from "https://wiki.teltonika-networks.com/view/DMVPN_with_IPsec_Phase_3"