Changes

no edit summary
Line 41: Line 41:  
- Set Local GRE interface IP address (for example, 10.0.0.254)
 
- Set Local GRE interface IP address (for example, 10.0.0.254)
   −
- Set GRE interface netmask to 255.255.255.0 (for entire subnet or according to how many spokes we expect to connect to this hub)
+
- Set GRE interface netmask to 255.255.255.0 (for the entire subnet or according to how many spokes we expect to connect to this hub)
    
- Set GRE MTU value to 1420 (or even slightly lower - 1400 if a mobile interface is used)
 
- Set GRE MTU value to 1420 (or even slightly lower - 1400 if a mobile interface is used)
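Review bot: the netmask line now reads cleanly, but "according to how many spokes we expect to connect to this hub" still only shows 255.255.255.0 and does not say how a narrower mask relates to the example address. Consider adding that the spokes' GRE addresses must fall inside whatever subnet the chosen mask defines around the hub's local address (10.0.0.254 in the line above), so a reader who shrinks the mask picks spoke addresses accordingly.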
Line 55: Line 55:  
- Encryption algorithm - AES 128
 
- Encryption algorithm - AES 128
   −
- Authentication SHA1
+
- Authentication SHA256
   −
- DH group - MODP1024
+
- DH group - MODP3072
   −
 
+
<br>[[File:DMVPN phase3 example2.png|alt=|border]]
<nowiki>###</nowiki> I don't recommend these parameters, they are not secure. Anything at or below the following shouldn't be used:
  −
 
  −
<nowiki>###</nowiki> AES-128
  −
 
  −
<nowiki>###</nowiki> Auth SHA256
  −
 
  −
<nowiki>###</nowiki> DH group - MODP3072 or ECP256
  −
 
  −
<br>[[File:DMVP HUB phase3 example2.png|border|class=tlt-border]]
   
----
 
----
 
<b>Step 3</b>: configure DMVPN Phase 2 parameters:
 
<b>Step 3</b>: configure DMVPN Phase 2 parameters:
   −
- Encryption algorithm - 3DES
+
- Encryption algorithm - AES 128
 
  −
- Hash algorithm - MD5
  −
 
  −
- PFS group -MODP768
  −
 
     −
<nowiki>###</nowiki> Same story here, try to increase security level here to a more secure solution.
+
- Hash algorithm - SHA256
   −
<nowiki>###</nowiki> IPsec Phase 2 settings generally uses slightly lower parameters, because those algorithms are responsible for encrypting actual data traffic that we want to send over the IPsec tunnel
+
- PFS group -MODP3072
   −
<br>[[File:DMVPN HUB Phase3 example3.png|border|class=tlt-border]]
+
<br>[[File:DMVPN phase3 example3.png|alt=|border]]
 
----
 
----
 
<b>Step 4</b>: configure DMVPN NHRP parameters:
 
<b>Step 4</b>: configure DMVPN NHRP parameters:
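Review bot: the new Phase 1 values (AES 128, SHA256, MODP3072) are exactly the items the removed "###" note listed under "Anything at or below the following shouldn't be used", and the note is dropped without a replacement. Either raise the example values above that line or keep one sentence stating that these are the minimum a reader should configure, so the page does not present the floor as the recommendation. The same gap appears in Step 3: the removed remark that Phase 2 "generally uses slightly lower parameters" is gone while Phase 2 now matches Phase 1 (AES 128, SHA256, MODP3072), so say briefly whether matching both phases is intended. Style point: "- PFS group -MODP3072" is missing the space after the dash that the other list items use ("- DH group - MODP3072").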
