Changes

m
no edit summary
Line 142: Line 142:  
<b>Step 1</b>: create a new DMVPN instance:
 
<b>Step 1</b>: create a new DMVPN instance:
   −
<nowiki>###</nowiki> I recommend to explain each step here in detail, for example:
+
- Add HUB address  (this is the public IP address of the previously configured hub device)
   −
- Add HUB address ### - this is the public IP address of previously configured hub device
+
- Select Tunnel source (this is the egress interface, which will be able to reach the hub device's public IP address over the internet)
   −
- Select Tunnel source ### - this is the egress interface, which will be able to reach hub device's public IP address over the internet
+
- Add Local GRE interface IP address  (this is the GRE IP address of "Spoke 1". It should be unique in the entire VPN network)
   −
- Add Local GRE interface IP address ### - this is the GRE IP address of "Spoke 1". It should be unique in the entire VPN network
+
- Add Remote GRE interface IP address (this is the GRE IP address of the previously configured hub device)
   −
- Add Remote GRE interface IP address ### - this is the GRE IP address of the previously configured hub device
+
- Set GRE MTU to 1420  (this value should be set to the same value that was configured on the hub device. In our case, it is "1420")
   −
- Set GRE MTU ### - this value should be set to the same value that was configured on the hub device. In our case, it is "1400"
+
- Set Local identifier, Remote identifier as %any and input the same Pre-shared key (This will determine how other devices will be identified for authentication)
   −
- Set Local identifier, Remote identifier as %any and input same Pre-shared key ### brief explanation why this is needed would be nice as well
+
<br>[[File:DMVPN phase3 example4.png|alt=|border]]
 
  −
<br>[[File:DMVPN HUB Phase3 spoke1 example1.png|border|class=tlt-border]]
   
----
 
----
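Review bot: the GRE MTU bullet now states the hub value as "1420", while the removed line said `In our case, it is "1400"`, so one of the two revisions disagrees with the hub section; check the hub page and use the same number in both places, because a GRE MTU mismatch between hub and spoke shows up as fragmentation or silently dropped large packets rather than as an obvious error. The identifier bullet's explanation ("This will determine how other devices will be identified for authentication") does not say what %any actually does: it accepts any peer identity, so the pre-shared key is the only thing authenticating a spoke, and the text should state that the key must be strong and distributed only to the intended spokes. Minor: double space in "Add HUB address  (this".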
   Line 162: Line 160:  
<b>Step 2</b>: configure DMVPN Phase 1 parameters:
 
<b>Step 2</b>: configure DMVPN Phase 1 parameters:
   −
- Select Encryption algorithm - AES 128
+
- Select the Encryption algorithm - AES 128
 
  −
- Select Authentication SHA1
     −
- Select DH group MODP1024
+
- Select Authentication SHA256
    +
- Select DH group MODP3072
   −
<nowiki>###</nowiki> Same comment from hub section applies, increase security level
+
<br>[[File:DMVPN phase3 example2.png|alt=|border]]
 
  −
<br>[[File:DMVPN HUB Phase3 spoke example2.png|border|class=tlt-border]]
   
----
 
----
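Review bot: the Phase 1 proposal now reads AES 128 / SHA256 / MODP3072, which resolves the removed "Same comment from hub section applies, increase security level" note, but a proposal only negotiates when both ends offer it, so the hub section of this page must list exactly these three values; cross-check before publishing. Style: "Select the Encryption algorithm" next to "Select Authentication" and "Select DH group" is inconsistent within one list; pick one form.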
   Line 177: Line 172:  
<b>Step 3</b>: configure DMVPN Phase 2 parameters:
 
<b>Step 3</b>: configure DMVPN Phase 2 parameters:
   −
- Select Encryption algorithm 3DES
+
- Select the Encryption algorithm AES 128
   −
- Select Hash algorithm MD5
+
- Select Hash algorithm SHA256
   −
- Select PFS group MODP768
+
- Select PFS group MODP3072
   −
 
+
<br>[[File:DMVPN phase3 example3.png|alt=|border]]
<nowiki>###</nowiki> Same comment from hub section applies, increase security level
  −
 
  −
<br>[[File:DMVPN HUB Phase3 spoke example3.png|border|class=tlt-border]]
   
----
 
----
       
<b>Step 4</b>: configure DMVPN NHRP parameters:
 
<b>Step 4</b>: configure DMVPN NHRP parameters:
 +
 +
- In the NHRP parameters section, it is important to enable REDIRECT option, which is essential to our Phase 3 configuration.
    
- Leave everything by default
 
- Leave everything by default
   −
<nowiki>###</nowiki> Once again, highlight importance of "Redirect" option here<br>[[File:DMVPN HUB Phase3 spoke example4.png|border|class=tlt-border]]
+
<br>[[File:DMVPN HUB Phase3 spoke example4.png|border|class=tlt-border]]
 
----
 
----
 
<b>Step 5</b>: save changes
 
<b>Step 5</b>: save changes
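Review bot: in Step 4 the new bullet "- In the NHRP parameters section, it is important to enable REDIRECT option" is immediately followed by the unchanged "- Leave everything by default", which contradicts it; change the second bullet to "Leave everything else at its default value". The removed reviewer note asked to highlight why Redirect matters and the new sentence only calls it "essential"; one sentence suffices: Phase 3 relies on NHRP redirect messages so that spoke-to-spoke traffic is sent directly between spokes instead of hairpinning through the hub. For Step 3 the stale `<nowiki>###</nowiki> Same comment from hub section applies` line is dropped together with the 3DES / MD5 / MODP768 values, which is correct; the same hub cross-check as for Phase 1 applies to the new AES 128 / SHA256 / MODP3072 set.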
Line 218: Line 212:  
- Set Remote AS to 65000
 
- Set Remote AS to 65000
   −
- Set Remote address to 10.0.0.254
+
- Sethe t Remote address to 10.0.0.254
 +
 
 +
- Leave everything else as default value
    
<br>[[File:DMVPN HUB Phase3 spoke example6.png|border|class=tlt-border]]
 
<br>[[File:DMVPN HUB Phase3 spoke example6.png|border|class=tlt-border]]
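Review bot: the added line "- Sethe t Remote address to 10.0.0.254" introduces a typo in this revision; it should read "- Set the Remote address to 10.0.0.254". Also "- Leave everything else as default value" reads better as "- Leave everything else at its default value".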
Line 230: Line 226:  
<b>Step 1</b>: create a new DMVPN instance:
 
<b>Step 1</b>: create a new DMVPN instance:
   −
- Input your HUB address
+
- Add HUB address (this is the public IP address of the previously configured hub device)
 +
 
 +
- Select Tunnel source (this is the egress interface, which will be able to reach the hub device's public IP address over the internet)
   −
- Select Tunnel source interface
+
- Add Local GRE interface IP address  (this is the GRE IP address of "Spoke 2". It should be unique in the entire VPN network)
   −
- Set Local GRE interface address to 10.0.0.2
+
- Add Remote GRE interface IP address (this is the GRE IP address of the previously configured hub device)
   −
- Set Remote GRE interface IP address to 10.0.0.254
+
- Set GRE MTU to 1420  (this value should be set to the same value that was configured on the hub device. In our case, it is "1420")
   −
- Set GRE MTU to 1476
+
- Set Local identifier, Remote identifier as %any and input the same Pre-shared key (This will determine how other devices will be identified for authentication)
   −
<br>[[File:DMVPN HUB Phase3 spoke2 example1.png|border|class=tlt-border]]
+
<br>[[File:DMVPN phase3 example5.png|alt=|border]]
 
----
 
----
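Review bot: the rewrite drops the concrete Spoke 2 values the old lines carried ("- Set Local GRE interface address to 10.0.0.2", "- Set Remote GRE interface IP address to 10.0.0.254") and replaces them with generic descriptions, while the BGP steps later on the page still refer to 10.0.0.254; keep the example addresses in the bullets next to the explanation so a reader can reproduce the topology, for example "Add Local GRE interface IP address (10.0.0.2 in our example; this is the GRE IP address of "Spoke 2" ...)". The MTU changes from 1476 to 1420 here; confirm 1420 is what the hub section states, since the old Spoke 1 comment in this same revision mentioned 1400.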
   Line 248: Line 246:  
- Select Encryption algorithm - AES 128
 
- Select Encryption algorithm - AES 128
   −
- Select Authentication SHA1
+
- Select Authentication SHA256
   −
- Select DH group MODP1024
+
- Select DH group MODP3072
   −
<br>[[File:DMVPN HUB Phase3 spoke2 example2.png|border|class=tlt-border]]
+
<br>[[File:DMVPN phase3 example2.png|alt=|border]]
 
----
 
----
 
<b>Step 3</b>: configure DMVPN Phase 2 parameters:
 
<b>Step 3</b>: configure DMVPN Phase 2 parameters:
   −
- Select Encryption algorithm 3DES
+
- Select Encryption algorithm AES 128
   −
- Select Hash algorithm MD5
+
- Select Hash algorithm SHA256
   −
- Select PFS group MODP768
+
- Select PFS group MODP3072
   −
<br>[[File:DMVPN HUB Phase3 spoke2 example3.png|border|class=tlt-border]]
+
<br>[[File:DMVPN phase3 example3.png|alt=|border]]
 
----
 
----
       
<b>Step 4</b>: configure DMVPN NHRP parameters:
 
<b>Step 4</b>: configure DMVPN NHRP parameters:
 +
 +
- In the NHRP parameters section, it is important to enable REDIRECT option, which is essential to our Phase 3 configuration.
 +
 +
- Leave everything by default
    
<br>[[File:DMVPN HUB Phase3 spoke2 example4.png|border|class=tlt-border]]
 
<br>[[File:DMVPN HUB Phase3 spoke2 example4.png|border|class=tlt-border]]
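Review bot: Step 4 repeats the Spoke 1 inconsistency, "- In the NHRP parameters section, it is important to enable REDIRECT option" followed by "- Leave everything by default"; change the second bullet to "Leave everything else at its default value" and give the one-line reason for Redirect (NHRP redirects are what let Phase 3 spokes build direct spoke-to-spoke paths instead of transiting the hub). The Step 2 and Step 3 screenshots are now the Spoke 1 images (DMVPN phase3 example2.png and example3.png), which is acceptable only because the Phase 1 and Phase 2 proposals are identical on both spokes; the Step 1 screenshot correctly stays spoke-specific (example5.png) since the local GRE address differs. The Phase 2 values AES 128 / SHA256 / MODP3072 again need to match the hub section.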
Line 293: Line 295:     
- Set Remote address to 10.0.0.254
 
- Set Remote address to 10.0.0.254
 +
 +
- Leave everything else as default value
    
<br>[[File:DMVPN HUB Phase3 spoke2 example6.png|border|class=tlt-border]]
 
<br>[[File:DMVPN HUB Phase3 spoke2 example6.png|border|class=tlt-border]]
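Review bot: "- Leave everything else as default value" should read "- Leave everything else at its default value", matching the wording suggested for the Spoke 1 BGP step.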
Line 298: Line 302:  
===Important Note===
 
===Important Note===
   −
<nowiki>###</nowiki> Explanation why this is needed is recommended, because naturally a question comes to mind "why" this is needed
+
<nowiki>###</nowiki> Explanation why this is needed is recommended because naturally a question comes to mind "why" this is needed
    
For HUB in Network > Firewall GRE zone change from REJECT to ACCEPT on FORWARD.
 
For HUB in Network > Firewall GRE zone change from REJECT to ACCEPT on FORWARD.
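Review bot: the `<nowiki>###</nowiki> Explanation why this is needed is recommended ...` line is an internal reviewer remark, and the new revision keeps it (only a comma is removed) instead of acting on it; it should be replaced by the explanation itself. The reason is that on the hub, spoke-to-spoke traffic arrives on the GRE interface and is forwarded out within the same GRE zone, which is governed by that zone's FORWARD policy; with REJECT the hub drops transit traffic between spokes, so the tunnels come up but spokes cannot reach each other. Word it as a scoped change: set FORWARD to ACCEPT on the GRE zone only, leaving the WAN zone policy untouched.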