Line 23: |
Line 23: |
| | | |
| <ul> | | <ul> |
− | <li>2 Teltonika Routers for SPOKES</li> | + | <li>2 Teltonika Routers for '''SPOKES'''</li> |
− | <li>1 Teltonika Router for HUB with a public IP address</li> | + | <li>1 Teltonika Router for '''HUB''' with a public IP address</li> |
| <li>A PC to configure the routers</li> | | <li>A PC to configure the routers</li> |
| </ul> | | </ul> |
Line 63: |
Line 63: |
| 5. Set IPsec Pre-shared key (we used simple 123456 for this example) | | 5. Set IPsec Pre-shared key (we used simple 123456 for this example) |
| | | |
− | <br>[[File:HUB main.png|alt=|border]] | + | <br>[[File:HUB main.png|border|class=tlt-border]] |
| ---- | | ---- |
− | <b>Step 2</b>: configure DMVPN Phase 1 parameters: | + | <b>Step 2</b>: configure '''DMVPN Phase 1''' parameters: |
| | | |
| 1. Encryption algorithm - AES 128 | | 1. Encryption algorithm - AES 128 |
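Review bot: the pre-shared key "123456" in step 5 is carried over unchanged while only the surrounding text is bolded; because the spoke steps later set Remote identifier to %any and "input the same Pre-shared key", this one value is the whole authentication for the DMVPN, and a reader copying the example verbatim ends up with a network any key holder can join. Suggest rewording step 5 to something like "5. Set IPsec Pre-shared key (123456 is used only for this example; use a long random key in production)".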
Line 73: |
Line 73: |
| 3. DH group - MODP3072 | | 3. DH group - MODP3072 |
| | | |
− | <br>[[File:Hub phase1.png|alt=|border]] | + | <br>[[File:Hub phase1.png|border|class=tlt-border]] |
| ---- | | ---- |
− | <b>Step 3</b>: configure DMVPN Phase 2 parameters: | + | <b>Step 3</b>: configure '''DMVPN Phase 2''' parameters: |
| | | |
| 1. Encryption algorithm - AES 128 | | 1. Encryption algorithm - AES 128 |
Line 83: |
Line 83: |
| 3. PFS group -MODP3072 | | 3. PFS group -MODP3072 |
| | | |
− | <br>[[File:Hub phase2 fix.png|alt=|border]] | + | <br>[[File:Hub phase2 fix.png|border|class=tlt-border]] |
| ---- | | ---- |
− | <b>Step 4</b>: configure DMVPN NHRP parameters: | + | <b>Step 4</b>: configure '''DMVPN NHRP''' parameters: |
| | | |
| In the NHRP parameters section, it is important to enable '''REDIRECT''' option, which is essential to our Phase 3 configuration. | | In the NHRP parameters section, it is important to enable '''REDIRECT''' option, which is essential to our Phase 3 configuration. |
| | | |
− | <br>[[File:Redirect.png|alt=|border]] | + | <br>[[File:Redirect.png|border|class=tlt-border]] |
| ---- | | ---- |
| <b>Step 5</b>: save changes | | <b>Step 5</b>: save changes |
Line 97: |
Line 97: |
| Navigate to the <b>Network → Routing → Dynamic Routes → BGP Protocol</b> page and follow the instructions provided below. | | Navigate to the <b>Network → Routing → Dynamic Routes → BGP Protocol</b> page and follow the instructions provided below. |
| | | |
− | <b>Step 1</b>: enable BGP and configure General section: | + | <b>Step 1</b>: enable '''BGP''' and configure General section: |
| | | |
| 1. Enable vty | | 1. Enable vty |
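Review bot: step 1 says "Enable vty" without saying what it is for or why BGP needs it. vty normally means the routing daemon's interactive management console, which is a management surface rather than a routing feature, so the text should state whether the setting is required for the peering to come up and, if so, which interface it listens on; otherwise tell the reader to leave it off.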
Line 109: |
Line 109: |
| 5. "NHRP routes" selection should be applied under the "Redistribution options" section | | 5. "NHRP routes" selection should be applied under the "Redistribution options" section |
| | | |
− | <br>[[File:Hub bgp.png|alt=|border]] | + | <br>[[File:Hub bgp.png|border|class=tlt-border]] |
| ---- | | ---- |
| | | |
| | | |
− | <b>Step 2</b>: Create BGP Peer Group: | + | <b>Step 2</b>: Create '''BGP''' Peer Group: |
| | | |
| - Add a Neighbor address for SPOKE 1 and SPOKE 2 (We used 10.0.0.1 and 10.0.0.2 which will be in the same subnet as our hub 10.0.0.254) | | - Add a Neighbor address for SPOKE 1 and SPOKE 2 (We used 10.0.0.1 and 10.0.0.2 which will be in the same subnet as our hub 10.0.0.254) |
Line 119: |
Line 119: |
| - Leave other settings as default. | | - Leave other settings as default. |
| | | |
− | <br>[[File:Bgp peer grp.png|alt=|border]] | + | <br>[[File:Bgp peer grp.png|border|class=tlt-border]] |
| ---- | | ---- |
| | | |
| | | |
− | <b>Step 3</b>: Add two BGP peers for each spoke: | + | <b>Step 3</b>: Add two '''BGP''' peers for each spoke: |
| | | |
| Now let's create BGP peers for Spokes on the same page. Add two new BGP peers with the following parameters: | | Now let's create BGP peers for Spokes on the same page. Add two new BGP peers with the following parameters: |
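Review bot: "Add two BGP peers for each spoke" reads as four peers, but the following sentence and the two screenshots (Bgp peer1.png, Bgp peer2.png) show one peer per spoke, two in total. Suggest "Add one BGP peer for each spoke (two in total)".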
Line 141: |
Line 141: |
| We will keep other settings as their default values for this configuration example. | | We will keep other settings as their default values for this configuration example. |
| | | |
− | <br>[[File:Bgp peer1.png|alt=|border]] | + | <br>[[File:Bgp peer1.png|border|class=tlt-border]] |
| ---- | | ---- |
− | [[File:Bgp peer2.png|alt=|border]] | + | [[File:Bgp peer2.png|border|class=tlt-border]] |
| ---- | | ---- |
| | | |
Line 167: |
Line 167: |
| 6. Set Local identifier (For setups behind NAT), Remote identifier as %any and input the same Pre-shared key (This will determine how other devices will be identified for authentication) | | 6. Set Local identifier (For setups behind NAT), Remote identifier as %any and input the same Pre-shared key (This will determine how other devices will be identified for authentication) |
| | | |
− | <br>[[File:Spoke dmvpn.png|alt=|border]] | + | <br>[[File:Spoke dmvpn.png|border|class=tlt-border]] |
| ---- | | ---- |
| | | |
| | | |
− | <b>Step 2</b>: configure DMVPN Phase 1 parameters: | + | <b>Step 2</b>: configure '''DMVPN''' '''Phase 1''' parameters: |
| | | |
| 1. Select the Encryption algorithm - AES 128 | | 1. Select the Encryption algorithm - AES 128 |
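Review bot: step 6 sets Remote identifier to %any and reuses the single pre-shared key, so the spoke accepts any IKE identity that presents the key, and the parenthetical "This will determine how other devices will be identified for authentication" is the opposite of what %any does. Suggest adding one sentence after step 6: with %any and a key shared by every spoke, any device holding the key can authenticate; pin the remote identifier to the hub's identity, or use per-peer identifiers, outside of a lab example.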
Line 179: |
Line 179: |
| 3. Select DH group MODP3072 | | 3. Select DH group MODP3072 |
| | | |
− | <br>[[File:Hub phase1.png|alt=spoke phase1|border]] | + | <br>[[File:Hub phase1.png|border|class=tlt-border]] |
| ---- | | ---- |
| | | |
| | | |
− | <b>Step 3</b>: configure DMVPN Phase 2 parameters: | + | <b>Step 3</b>: configure '''DMVPN Phase 2''' parameters: |
| | | |
| 1. Select the Encryption algorithm AES 128 | | 1. Select the Encryption algorithm AES 128 |
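Review bot: the alt text "spoke phase1" is dropped here, and the same happens with "spoke phase2" and "Redirect" in the next two hunks, while the image keeps pointing at the hub's screenshot Hub phase1.png; the alt was the only cue that this picture illustrates the spoke step. Keep the alt alongside the new class, e.g. `[[File:Hub phase1.png|alt=spoke phase1|border|class=tlt-border]]`, or add a caption saying the spoke dialog is identical to the hub's.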
Line 191: |
Line 191: |
| 3. Select PFS group MODP3072 | | 3. Select PFS group MODP3072 |
| | | |
− | <br>[[File:Hub phase2 fix.png|alt=spoke phase2|border]] | + | <br>[[File:Hub phase2 fix.png|border|class=tlt-border]] |
| ---- | | ---- |
| | | |
| | | |
− | <b>Step 4</b>: configure DMVPN NHRP parameters: | + | <b>Step 4</b>: configure '''DMVPN NHRP''' parameters: |
| | | |
| - In the NHRP parameters section, it is important to enable REDIRECT option, which is essential to our Phase 3 configuration. | | - In the NHRP parameters section, it is important to enable REDIRECT option, which is essential to our Phase 3 configuration. |
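Review bot: the spoke NHRP step repeats the hub wording that REDIRECT is "essential to our Phase 3 configuration", but redirect is the hub-side function (the hub tells a spoke there is a better next hop); a spoke has to act on those redirects and build the shortcut tunnel itself. The text should say which NHRP setting on the spoke provides that behaviour, or that it is on by default, rather than implying that REDIRECT on the spoke is what makes Phase 3 work.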
Line 201: |
Line 201: |
| - Leave everything by default | | - Leave everything by default |
| | | |
− | <br>[[File:Redirect.png|alt=Redirect|border]] | + | <br>[[File:Redirect.png|border|class=tlt-border]] |
| ---- | | ---- |
| <b>Step 5</b>: save changes | | <b>Step 5</b>: save changes |
Line 209: |
Line 209: |
| Navigate to the <b>Network → Routing → Dynamic Routes → BGP Protocol</b> page and follow the instructions provided below. | | Navigate to the <b>Network → Routing → Dynamic Routes → BGP Protocol</b> page and follow the instructions provided below. |
| | | |
− | <b>Step 1</b>: enable BGP and configure General section: | + | <b>Step 1</b>: enable '''BGP''' and configure General section: |
| | | |
− | - Enable vty
| + | 1. Enable vty |
| | | |
− | - Set AS to 65001
| + | 2. Set AS to 65001 |
| | | |
− | - Set Network to 192.168.10.0/24
| + | 3. Set Network to 192.168.10.0/24 |
| | | |
− | <br>[[File:DMVPN HUB Phase3 spoke example5.png|border|class=tlt-border]] | + | <br>[[File:Spoke bgp.png|border|class=tlt-border]] |
| ---- | | ---- |
| | | |
| | | |
− | <b>Step 2</b>: Create BGP Peer: | + | <b>Step 2</b>: Create '''BGP''' Peer: |
| | | |
| - Set Remote AS to 65000 | | - Set Remote AS to 65000 |
| | | |
− | - Sethe t Remote address to 10.0.0.254 | + | - Set the Remote address to 10.0.0.254 |
| | | |
| - Leave everything else as default value | | - Leave everything else as default value |
| | | |
− | <br>[[File:DMVPN HUB Phase3 spoke example6.png|border|class=tlt-border]] | + | <br>[[File:Spoke bgp peer.png|border|class=tlt-border]] |
| | | |
| ===Spoke 2 configuration: DMVPN=== | | ===Spoke 2 configuration: DMVPN=== |
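Review bot: Step 1 is converted to a numbered list (1./2./3.) while Step 2 directly below keeps the dash bullets ("- Set Remote AS to 65000", "- Set the Remote address to 10.0.0.254"), so one procedure now mixes both styles; convert Step 2 the same way. The "Sethe t" to "Set the" fix is good.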
Line 235: |
Line 235: |
| Navigate to the <b>Services → VPN → DMVPN</b> page and follow the instructions provided below. | | Navigate to the <b>Services → VPN → DMVPN</b> page and follow the instructions provided below. |
| | | |
− | <b>Step 1</b>: create a new DMVPN instance: | + | <b>Step 1</b>: create a new DMVPN instance: |
| | | |
− | - Add HUB address (this is the public IP address of the previously configured hub device)
| + | 1. Add HUB address (this is the public IP address of the previously configured hub device) |
| | | |
− | - Select Tunnel source (this is the egress interface, which will be able to reach the hub device's public IP address over the internet)
| + | 2. Select Tunnel source (this is the egress interface, which will be able to reach the hub device's public IP address over the internet) |
| | | |
− | - Add Local GRE interface IP address (this is the GRE IP address of "Spoke 2". It should be unique in the entire VPN network)
| + | 3. Add Local GRE interface IP address (this is the GRE IP address of "Spoke 2". It should be unique in the entire VPN network) |
| | | |
− | - Add Remote GRE interface IP address (this is the GRE IP address of the previously configured hub device)
| + | 4. Add Remote GRE interface IP address (this is the GRE IP address of the previously configured hub device) |
| | | |
− | - Set GRE MTU to 1420 (this value should be set to the same value that was configured on the hub device. In our case, it is "1420")
| + | 5. Set GRE MTU to 1420 (this value should be set to the same value that was configured on the hub device. In our case, it is "1420") |
| | | |
− | - Set Local identifier (For setups behind NAT), Remote identifier as %any and input the same Pre-shared key (This will determine how other devices will be identified for authentication)
| + | 6. Set Local identifier (For setups behind NAT), Remote identifier as %any and input the same Pre-shared key (This will determine how other devices will be identified for authentication) |
| | | |
− | <br>[[File:DMVPN phase3 example5.png|alt=|border]] | + | <br>[[File:Spoke2 dmvpn.png|border|class=tlt-border]] |
| ---- | | ---- |
| | | |
| | | |
− | <b>Step 2</b>: configure DMVPN Phase 1 parameters: | + | <b>Step 2</b>: configure '''DMVPN Phase 1''' parameters: |
| | | |
− | - Select Encryption algorithm - AES 128
| + | 1. Select Encryption algorithm - AES 128 |
| | | |
− | - Select Authentication SHA256
| + | 2. Select Authentication SHA256 |
| | | |
− | - Select DH group MODP3072
| + | 3. Select DH group MODP3072 |
| | | |
− | <br>[[File:DMVPN phase3 example2.png|alt=|border]] | + | <br>[[File:Hub phase1.png|border|class=tlt-border]] |
| ---- | | ---- |
− | <b>Step 3</b>: configure DMVPN Phase 2 parameters: | + | <b>Step 3</b>: configure '''DMVPN Phase 2''' parameters: |
| | | |
− | - Select Encryption algorithm AES 128
| + | 1. Select Encryption algorithm AES 128 |
| | | |
− | - Select Hash algorithm SHA256
| + | 2. Select Hash algorithm SHA256 |
| | | |
− | - Select PFS group MODP3072
| + | 3. Select PFS group MODP3072 |
| | | |
− | <br>[[File:DMVPN phase3 example3.png|alt=|border]] | + | <br>[[File:Hub phase2 fix.png|border|class=tlt-border]] |
| ---- | | ---- |
| | | |
| | | |
− | <b>Step 4</b>: configure DMVPN NHRP parameters: | + | <b>Step 4</b>: configure '''DMVPN NHRP''' parameters: |
| | | |
| - In the NHRP parameters section, it is important to enable REDIRECT option, which is essential to our Phase 3 configuration. | | - In the NHRP parameters section, it is important to enable REDIRECT option, which is essential to our Phase 3 configuration. |
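Review bot: same mixed-list style as in the Spoke 1 section: steps 1 to 3 are numbered now but the Step 4 NHRP item ("- In the NHRP parameters section...") is still a dash bullet. Also, the Phase 1 and Phase 2 screenshots are switched from the spoke-specific files to the hub's Hub phase1.png and Hub phase2 fix.png; the listed values are identical, so this is acceptable, but say so in the text, since the reader is following the Spoke 2 page and sees a hub screenshot.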
Line 281: |
Line 281: |
| - Leave everything by default | | - Leave everything by default |
| | | |
− | <br>[[File:DMVPN HUB Phase3 spoke2 example4.png|border|class=tlt-border]] | + | <br>[[File:Redirect.png|border|class=tlt-border]] |
| ---- | | ---- |
| <b>Step 5</b>: save changes | | <b>Step 5</b>: save changes |
Line 289: |
Line 289: |
| Navigate to the <b>Network → Routing → Dynamic Routes → BGP Protocol</b> page and follow the instructions provided below. | | Navigate to the <b>Network → Routing → Dynamic Routes → BGP Protocol</b> page and follow the instructions provided below. |
| | | |
− | <b>Step 1</b>: enable BGP and configure General section: | + | <b>Step 1</b>: enable '''BGP''' and configure General section: |
| | | |
− | - Enable vty
| + | 1. Enable vty |
| | | |
− | - Set AS to 65002
| + | 2. Set AS to 65002 |
| | | |
− | - Set Network to 192.168.20.0/24
| + | 3. Set Network to 192.168.20.0/24 |
| | | |
− | <br>[[File:DMVPN HUB Phase3 spoke2 example5.png|border|class=tlt-border]] | + | <br>[[File:Spoke2 bgp peer.png|border|class=tlt-border]] |
| ---- | | ---- |
| | | |
| | | |
− | <b>Step 2</b>: Create BGP Peer: | + | <b>Step 2</b>: Create '''BGP''' Peer: |
| | | |
| - Set Remote AS to 65000 | | - Set Remote AS to 65000 |
Line 309: |
Line 309: |
| - Leave everything else as default value | | - Leave everything else as default value |
| | | |
− | <br>[[File:DMVPN HUB Phase3 spoke2 example6.png|border|class=tlt-border]] | + | <br>[[File:Spoke bgp peer.png|border|class=tlt-border]] |
| | | |
| ---- | | ---- |
| ===Important Note=== | | ===Important Note=== |
| + | For '''HUB''' in Network <b>→</b> Firewall GRE zone change from '''REJECT''' to '''ACCEPT''' on '''FORWARD.''' |
| | | |
| + | Also, disable '''Masquerading''' on '''HUB''' and '''ALL spokes''' for GRE <b>→</b> LAN zone forwardings |
| | | |
− | For HUB in Network > Firewall GRE zone change from REJECT to ACCEPT on FORWARD.
| + | [[File:Firewall new.png|alt=|border]] |
− | | |
− | [[File:DMVPN HUB Phase3 example Firewall.png|border|class=tlt-border]] | |
| | | |
| ===Testing configuration=== | | ===Testing configuration=== |
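Review bot: the image names in the Spoke 2 BGP steps look swapped: Step 1 "General section" now uses Spoke2 bgp peer.png, while Step 2 "Create BGP Peer" uses Spoke bgp peer.png, the same file the Spoke 1 peer step uses; the general-section screenshot should show AS 65002 and 192.168.20.0/24, so check which file shows what. In the Important Note, the new firewall text gives the settings but no reason: the GRE zone FORWARD policy governs traffic forwarded between interfaces of that zone, which is the path spoke-to-spoke traffic takes through the hub, and masquerading on GRE to LAN would rewrite the source addresses that the BGP-advertised LAN routes and NHRP redirects depend on. One sentence of rationale lets readers judge what they are opening. Finally, the replacement image line uses `alt=|border` while every other image in this revision is changed to `border|class=tlt-border`; use the same markup here.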
Line 334: |
Line 334: |
| | | |
| - If you need to reboot tunnel, execute '''/etc/init.d/ipsec retart''' | | - If you need to reboot tunnel, execute '''/etc/init.d/ipsec retart''' |
| + | |
| + | == Summary == |
| + | |
| + | At this point, the basic DMVPN configuration is complete and phase 3 will now take effect in order to dynamically establish connectivity between spokes. Using this method, additional spokes may be configured and added to the current topology. DMVPN Phase 3 technology will ensure that any newly introduced devices will be included in the final topology. |
| + | == References == |
| + | [https://wiki.teltonika-networks.com/view/VPN_Configuration_Examples VPN configuration Examples] |
| + | |
| + | [https://wiki.teltonika-networks.com/view/DMVPN_configuration DMVPN configuration example] |
| + | |
| + | [https://wiki.teltonika-networks.com/view/IPsec_configuration_examples IPsec configuration example] |
| + | |
| + | [https://wiki.teltonika-networks.com/view/Routing#BGP_Protocol BGP routing] |
| + | |
| + | [https://docs.strongswan.org/docs/5.9/index.html strongSwan Documentation] |
| + | |
| + | [[Category:VPN]] |
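Review bot: "/etc/init.d/ipsec retart" on the context line just above the new Summary is a typo for "restart" and is left as is while new text is added below it; a reader copying the command gets an error, so fix it in the same edit. Also the new headings use "== Summary ==" and "== References ==" with inner spaces, whereas the rest of the page writes them as "===Spoke 2 configuration: DMVPN===" without them; pick one style.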