Wednesday, September 14, 2011

Configuring DMVPN with OSPF (mGRE and IPSEC)

"I can build you any network you want -- fast/cheap/reliable. Just pick any 2" -- Not sure who said that; however, it is true on many levels.

In this blogtorial we are going to take a quick tour of how to configure DMVPN (Dynamic Multipoint Virtual Private Network). So what is DMVPN? DMVPN gives you the ability to create VPN tunnels dynamically, as needed, between spokes in a hub-and-spoke topology. It also scales very well to support a large number of remote endpoints. Please keep in mind that DMVPN is Cisco proprietary; however, there are ways to implement it using Linux (OpenNHRP).

So here is the topology and let's get started.


Relevant configurations are posted below.



First let's get all the interfaces / OSPF configured.

R1 and R2 -- Simple interface IP, description and OSPF.
R3 and R4 -- Simple interface IP, description and OSPF.


Let's verify IP connectivity and OSPF neighbor relationships.

OSPF is good to go. IP connectivity between all routers is successful.


Now let's move to IPsec/Crypto configurations.

Crypto ISAKMP policy (phase 1) and IPsec (phase 2). You could do some advanced tricks here but we will keep it simple.


The last part is getting the tunnels and NHRP configured properly.

Tunnel configuration for all 4 routers.
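
The crypto and tunnel/NHRP steps above, as an added example rather than the configuration from the original post. The hub and spoke roles, interface name, addresses (documentation ranges), NHRP string, profile names and the key placeholder are assumptions, and the SHA-256 keywords assume IOS 15.x-class software.

```cisco
! Added example: all names, addresses and the key are assumptions.
! Phase 1 (ISAKMP) -- identical on the hub and every spoke
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! Wildcard peer so spokes can negotiate with peers not known in advance.
! Any device holding this key can authenticate; certificates (rsa-sig)
! remove the shared secret.
crypto isakmp key REPLACE-WITH-PSK address 0.0.0.0 0.0.0.0
!
! Phase 2 (IPsec) -- transport mode, since GRE already adds the outer header
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
! ---- Hub (assumed NBMA address 192.0.2.1) ----
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 ip nhrp authentication NHRPKEY
 ! Learn spoke NBMA addresses from their NHRP registrations
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-PROF
!
! ---- Spoke (repeat per spoke with its own tunnel IP) ----
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 ip nhrp authentication NHRPKEY
 ! Static mapping of the hub: tunnel IP -> NBMA IP
 ip nhrp map 10.0.0.1 192.0.2.1
 ip nhrp map multicast 192.0.2.1
 ip nhrp nhs 10.0.0.1
 ip nhrp network-id 1
 tunnel source FastEthernet0/0
 ! mGRE on the spoke is what allows direct spoke-to-spoke tunnels
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-PROF
```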


Time to sit back, relax and verify with a few show commands / pings.

Notice that all routers are able to ping all loopbacks. So we have full connectivity between the routers.

Notice the dynamic tunnels created between all neighbors.


Troubleshooting/debug/show commands.
  • show crypto ipsec sa detail
  • show ip nhrp
  • show crypto engine connections active
  • show crypto isakmp sa detail
  • debug crypto ipsec
  • debug crypto isakmp
  • debug crypto engine