Changes

743 bytes added , 13:08, 14 September 2023

no edit summary

Line 1: Line 1: −

The information in this page is updated in accordance with [https://wiki.teltonika-networks.com/view/FW_%26_SDK_Downloads'''00.07.~~03.2~~'''] firmware version. .

+

The information in this page is updated in accordance with [https://wiki.teltonika-networks.com/view/FW_%26_SDK_Downloads'''00.07.05'''] firmware version. .

==Introduction==

Line 63: Line 63:

5. Set IPsec Pre-shared key (we used simple 123456 for this example)

−

[[File:HUB main.png|~~alt~~=|border]]

+

[[File:HUB main.png|border|class=tlt-border]]

----

Step 2: configure '''DMVPN Phase 1''' parameters:

Line 73: Line 73:

3. DH group - MODP3072

−

[[File:Hub phase1.png|~~alt~~=|border]]

+

[[File:Hub phase1.png|border|class=tlt-border]]

----

Step 3: configure '''DMVPN Phase 2''' parameters:

Line 83: Line 83:

3. PFS group -MODP3072

−

[[File:Hub phase2 fix.png|~~alt~~=|border]]

+

[[File:Hub phase2 fix.png|border|class=tlt-border]]

----

Step 4: configure '''DMVPN NHRP''' parameters:

Line 89: Line 89:

In the NHRP parameters section, it is important to enable '''REDIRECT''' option, which is essential to our Phase 3 configuration.

−

[[File:Redirect.png|~~alt~~=|border]]

+

[[File:Redirect.png|border|class=tlt-border]]

----

Step 5: save changes

Line 109: Line 109:

5. "NHRP routes" selection should be applied under the "Redistribution options" section

−

[[File:Hub bgp.png|~~alt~~=|border]]

+

[[File:Hub bgp.png|border|class=tlt-border]]

----

Line 119: Line 119:

- Leave other settings as default.

−

[[File:Bgp peer grp.png|~~alt~~=|border]]

+

[[File:Bgp peer grp.png|border|class=tlt-border]]

----

Line 141: Line 141:

We will keep other settings as their default values for this configuration example.

−

[[File:Bgp peer1.png|~~alt~~=|border]]

+

[[File:Bgp peer1.png|border|class=tlt-border]]

----

−

[[File:Bgp peer2.png|~~alt~~=|border]]

+

[[File:Bgp peer2.png|border|class=tlt-border]]

----

Line 167: Line 167:

6. Set Local identifier (For setups behind NAT), Remote identifier as %any and input the same Pre-shared key (This will determine how other devices will be identified for authentication)

−

[[File:Spoke dmvpn.png|~~alt~~=|border]]

+

[[File:Spoke dmvpn.png|border|class=tlt-border]]

----

Line 179: Line 179:

3. Select DH group MODP3072

−

[[File:Hub phase1.png|~~alt~~=~~spoke phase1|~~border]]

+

[[File:Hub phase1.png|border|class=tlt-border]]

----

Line 191: Line 191:

3. Select PFS group MODP3072

−

[[File:Hub phase2 fix.png|~~alt~~=~~spoke phase2|~~border]]

+

[[File:Hub phase2 fix.png|border|class=tlt-border]]

----

Line 201: Line 201:

- Leave everything by default

−

[[File:Redirect.png|~~alt~~=~~Redirect|~~border]]

+

[[File:Redirect.png|border|class=tlt-border]]

----

Step 5: save changes

Line 217: Line 217:

3. Set Network to 192.168.10.0/24

−

[[File:Spoke bgp.png|~~alt~~=|border]]

+

[[File:Spoke bgp.png|border|class=tlt-border]]

----

Line 229: Line 229:

- Leave everything else as default value

−

[[File:Spoke bgp peer.png|~~alt~~=|border]]

+

[[File:Spoke bgp peer.png|border|class=tlt-border]]

===Spoke 2 configuration: DMVPN===

Line 249: Line 249:

6. Set Local identifier (For setups behind NAT), Remote identifier as %any and input the same Pre-shared key (This will determine how other devices will be identified for authentication)

−

[[File:Spoke2 dmvpn.png|~~alt~~=|border]]

+

[[File:Spoke2 dmvpn.png|border|class=tlt-border]]

----

Line 261: Line 261:

3. Select DH group MODP3072

−

[[File:Hub phase1.png|~~alt~~=~~spoke phase1|~~border]]

+

[[File:Hub phase1.png|border|class=tlt-border]]

----

Step 3: configure '''DMVPN Phase 2''' parameters:

Line 271: Line 271:

3. Select PFS group MODP3072

−

[[File:Hub phase2 fix.png|~~alt~~=~~spoke phase2|~~border]]

+

[[File:Hub phase2 fix.png|border|class=tlt-border]]

----

Line 281: Line 281:

- Leave everything by default

−

[[File:Redirect.png|~~alt~~=~~Redirect|~~border]]

+

[[File:Redirect.png|border|class=tlt-border]]

----

Step 5: save changes

Line 297: Line 297:

3. Set Network to 192.168.20.0/24

−

[[File:Spoke2 bgp peer.png|~~alt~~=|border]]

+

[[File:Spoke2 bgp peer.png|border|class=tlt-border]]

----

Line 309: Line 309:

- Leave everything else as default value

−

[[File:Spoke bgp peer.png|~~alt~~=~~Spoke bgp peer|~~border]]

+

[[File:Spoke bgp peer.png|border|class=tlt-border]]

----

===Important Note===

+

For '''HUB''' in Network → Firewall GRE zone change from '''REJECT''' to '''ACCEPT''' on '''FORWARD.'''

+

Also, disable '''Masquerading''' on '''HUB''' and '''ALL spokes''' for GRE → LAN zone forwardings

−

+

[[File:Firewall new.png|alt=|border]]

−

~~For '''HUB''' in Network -> Firewall GRE zone change from '''REJECT''' to '''ACCEPT''' on '''FORWARD.'''~~

−

[[File:Firewall.png|alt=|border]]

===Testing configuration===

Line 330: Line 329:

[[File:Ping2.png|alt=|border]]

−

- Check routes in the HUB by executing command '''vtysh -c "show ip nhrp"'''

+

- Check routes in the HUB by executing *command '''vtysh -c "show ip nhrp"'''

+

Note: Vtysh check is unavailable with RUT200, RUT230, RUT240, RUT241, RUT260 devices.

[[File:Vtysh nhrp2.jpg|alt=|border]]

Line 338: Line 339:

== Summary ==

−

+

At this point, the basic DMVPN configuration is complete and phase 3 will now take effect in order to dynamically establish connectivity between spokes. Using this method, additional spokes may be configured and added to the current topology. DMVPN Phase 3 technology will ensure that any newly introduced devices will be included in the final topology.

== References ==

[https://wiki.teltonika-networks.com/view/VPN_Configuration_Examples VPN configuration Examples]

Line 349: Line 350:

[https://docs.strongswan.org/docs/5.9/index.html strongSwan Documentation]

+

[[Category:VPN]]

Vainius.l

Administrators

7,851

edits

Changes

DMVPN with IPsec Phase 3 (view source)

Revision as of 13:08, 14 September 2023