Changes

DMVPN with IPsec Phase 3 (view source)

Revision as of 09:49, 11 January 2023

578 bytes removed , 09:49, 11 January 2023

no edit summary

Line 41: Line 41:

- Set Local GRE interface IP address (for example, 10.0.0.254)

−

- Set GRE interface netmask to 255.255.255.0 (for entire subnet or according to how many spokes we expect to connect to this hub)

+

- Set GRE interface netmask to 255.255.255.0 (for the entire subnet or according to how many spokes we expect to connect to this hub)

- Set GRE MTU value to 1420 (or even slightly lower - 1400 if a mobile interface is used)

Line 55: Line 55:

- Encryption algorithm - AES 128

−

- Authentication ~~SHA1~~

+

- Authentication SHA256

−

- DH group - ~~MODP1024~~

+

- DH group - MODP3072

−

+

[[File:DMVPN phase3 example2.png|alt=|border]]

−

~~<nowiki>###</nowiki> I don't recommend these parameters, they are not secure. Anything at or below the following shouldn't be used:~~

−

~~<nowiki>###</nowiki> AES-128~~

−

~~<nowiki>###</nowiki> Auth SHA256~~

−

~~<nowiki>###</nowiki> DH group - MODP3072 or ECP256~~

−

[[File:~~DMVP HUB~~ phase3 example2.png|~~border~~|~~class=tlt-~~border]]

----

Step 3: configure DMVPN Phase 2 parameters:

−

- Encryption algorithm - ~~3DES~~

+

- Encryption algorithm - AES 128

−

~~- Hash algorithm - MD5~~

−

~~- PFS group -MODP768~~

−

~~<nowiki>###</nowiki> Same story here, try to increase security level here to a more secure solution.~~

+

- Hash algorithm - SHA256

−

<nowiki>###</nowiki> IPsec Phase 2 settings generally uses slightly lower parameters, because those algorithms are responsible for encrypting actual data traffic that we want to send over the IPsec tunnel

+

- PFS group -MODP3072

−

[[File:DMVPN ~~HUB Phase3~~ example3.png|~~border~~|~~class=tlt-~~border]]

+

[[File:DMVPN phase3 example3.png|alt=|border]]

----

Step 4: configure DMVPN NHRP parameters:

TomasM

Administrators

154

edits