Implementing full mesh DMVPN with IPsec

Implementing full mesh DMVPN with IPsec lets network engineers securely connect remote sites to the HQ while also establishing direct, encrypted connections between branch offices.

Where multiple sites need to be securely connected over the internet in a way that allows connected networks to be advertised with a dynamic routing protocol, full mesh DMVPN with IPsec is what you need. A separate post on this blog covers how to implement a partial mesh DMVPN without IPsec.

DMVPN with IPsec sits between MPLS and a standalone IPsec VPN. MPLS is the way to go if you can afford it. A standalone IPsec VPN, on the other hand, does not carry multicast packets, so dynamic routing protocols such as RIP, EIGRP and OSPF cannot run over it to advertise connected networks, and a full mesh solution with redundancy cannot be built on IPsec VPN alone. So, if you are concerned about cost but want a fully redundant, encrypted solution, DMVPN with IPsec is what you need.

Network Topology

[Image: network topology diagram]

Lab implementation plan

For this lab, the following will be done:

  • Configure IP addresses on routers 1, 2, and 3.
  • Configure default routes on routers 1, 2, and 3 for reachability.
  • Configure tunnel interfaces for DMVPN.
  • Configure RIP for full network convergence.
  • Configure IPsec for end-to-end encryption.

IP address and default route configuration on Router 1

R1#config t
R1(config)#int loopback 0
R1(config-if)#ip add 192.168.1.1 255.255.255.0
R1(config-if)#desc LAN
R1(config-if)#int f0/0
R1(config-if)#ip add 172.17.17.2 255.255.255.252
R1(config-if)#desc WAN
R1(config-if)#no shut
R1(config-if)#int tun 0
R1(config-if)#ip add 10.0.0.1 255.255.255.0
R1(config-if)#desc DMVPN
R1(config-if)#exit
R1(config)#ip route 0.0.0.0 0.0.0.0 172.17.17.1

IP address and default route configuration on Router 2

R2#config t
R2(config)#int loopback 0
R2(config-if)#ip add 192.168.2.1 255.255.255.0
R2(config-if)#desc LAN
R2(config-if)#int f0/0
R2(config-if)#ip add 172.17.17.6 255.255.255.252
R2(config-if)#desc WAN
R2(config-if)#no shut
R2(config-if)#int tun 0
R2(config-if)#ip add 10.0.0.2 255.255.255.0
R2(config-if)#desc DMVPN
R2(config-if)#exit
R2(config)#ip route 0.0.0.0 0.0.0.0 172.17.17.5

IP address and default route configuration on Router 3

R3#config t
R3(config)#int loopback 0
R3(config-if)#ip add 192.168.3.1 255.255.255.0
R3(config-if)#desc LAN
R3(config-if)#int f0/0
R3(config-if)#ip add 172.17.17.10 255.255.255.252
R3(config-if)#desc WAN
R3(config-if)#no shut
R3(config-if)#int tun 0
R3(config-if)#ip add 10.0.0.3 255.255.255.0
R3(config-if)#desc DMVPN
R3(config-if)#exit
R3(config)#ip route 0.0.0.0 0.0.0.0 172.17.17.9

At this stage, all WAN IPs are reachable from all three routers, and we can proceed with the DMVPN configuration. On router 4, configure IP addresses only, on each of its three connected interfaces; I have omitted router 4's configuration because it is straightforward.

DMVPN and RIP setup on router 1 (Hub)

R1(config)#interface Tunnel0
R1(config-if)#ip mtu 1400
R1(config-if)#ip nhrp authentication cisco123
R1(config-if)#ip nhrp map multicast dynamic
R1(config-if)#ip nhrp network-id 10
R1(config-if)#ip tcp adjust-mss 1360
R1(config-if)#no ip split-horizon
R1(config-if)#tunnel source FastEthernet0/0
R1(config-if)#tunnel mode gre multipoint
R1(config-if)#tunnel key 12345
R1(config-if)#exit
R1(config)#router rip
R1(config-router)#ver 2
R1(config-router)#no auto
R1(config-router)#netw 10.0.0.0
R1(config-router)#netw 192.168.1.0

DMVPN and RIP setup on router 2 (Spoke)

R2(config)#interface Tunnel0
R2(config-if)#ip mtu 1400
R2(config-if)#ip nhrp authentication cisco123
R2(config-if)#ip nhrp map multicast dynamic
R2(config-if)#ip nhrp map 10.0.0.1 172.17.17.2
R2(config-if)#ip nhrp map multicast 172.17.17.2
R2(config-if)#ip nhrp network-id 10
R2(config-if)#ip nhrp nhs 10.0.0.1
R2(config-if)#ip tcp adjust-mss 1360
R2(config-if)#tunnel source FastEthernet0/0
R2(config-if)#tunnel mode gre multipoint
R2(config-if)#tunnel key 12345
R2(config-if)#exit
R2(config)#router rip
R2(config-router)#ver 2
R2(config-router)#no auto
R2(config-router)#netw 10.0.0.0
R2(config-router)#netw 192.168.2.0

DMVPN and RIP setup on router 3 (Spoke)

R3(config)#interface Tunnel0
R3(config-if)#ip mtu 1400
R3(config-if)#ip nhrp authentication cisco123
R3(config-if)#ip nhrp map multicast dynamic
R3(config-if)#ip nhrp map 10.0.0.1 172.17.17.2
R3(config-if)#ip nhrp map multicast 172.17.17.2
R3(config-if)#ip nhrp network-id 10
R3(config-if)#ip nhrp nhs 10.0.0.1
R3(config-if)#ip tcp adjust-mss 1360
R3(config-if)#tunnel source FastEthernet0/0
R3(config-if)#tunnel mode gre multipoint
R3(config-if)#tunnel key 12345
R3(config-if)#exit
R3(config)#router rip
R3(config-router)#ver 2
R3(config-router)#no auto
R3(config-router)#netw 10.0.0.0
R3(config-router)#netw 192.168.3.0

At this stage, the networks have fully converged via RIP. The loopback interfaces, which represent the LANs, are reachable from every router. See Router1's routing table in the image below.

Verify DMVPN setup

[Image: DMVPN verification output]

Verify RIP convergence

[Image: Router1 routing table after RIP convergence]

IPsec configuration

R1(config)#crypto isakmp policy 20
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#encryption aes 128
R1(config-isakmp)#group 5
R1(config-isakmp)#hash sha
R1(config-isakmp)#lifetime 86400
R1(config-isakmp)#exit
R1(config)#crypto isakmp key 0 cisco address 0.0.0.0 0.0.0.0
R1(config)#crypto ipsec transform-set abc esp-aes esp-sha-hmac
R1(cfg-crypto-trans)#exit
R1(config)#crypto ipsec profile gre_protection
R1(ipsec-profile)#set security-association lifetime seconds 86400
R1(ipsec-profile)#set transform-set abc
R1(ipsec-profile)#exit
R1(config)#interface Tunnel0
R1(config-if)#tunnel protection ipsec profile gre_protection


The IPsec configuration above must also be entered on both spoke routers (routers 2 and 3) for end-to-end IPsec encryption to be established.
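As an added example (not code from the original post), the following Python checker reads Tunnel0 stanzas in running-config form and reports the mismatches that break this lab: NHRP authentication, network-id, tunnel key, MTU/MSS or tunnel mode differing from the hub, a spoke whose NHS is not the hub's tunnel IP, a hub without `no ip split-horizon`, and any router still missing the `tunnel protection` line this section adds. The sample stanzas are constructed from the lab's values; R3 is deliberately left without the IPsec step and given a mistyped tunnel key.

```python
import re

# Tunnel0 parameters that must be identical on every router in one DMVPN cloud.
SHARED = ("ip nhrp authentication", "ip nhrp network-id", "tunnel key",
          "ip mtu", "ip tcp adjust-mss", "tunnel mode")

def tunnel_lines(config):
    """Indented lines of the 'interface Tunnel0' stanza, whitespace stripped."""
    m = re.search(r"^interface Tunnel0\n((?: .+\n?)+)", config, re.M)
    return [l.strip() for l in m.group(1).splitlines()] if m else []

def value(lines, prefix):
    """Argument of the first line beginning with prefix ('' for a bare command); None if absent."""
    for line in lines:
        if line == prefix or line.startswith(prefix + " "):
            return line[len(prefix):].strip()
    return None

def check_dmvpn(hub, spokes):
    """Return findings as strings; an empty list means hub and spokes agree."""
    h, findings = tunnel_lines(hub), []
    hub_ip = (value(h, "ip address") or "?").split()[0]
    if value(h, "no ip split-horizon") is None:
        findings.append("hub: RIP needs 'no ip split-horizon' on Tunnel0")
    if value(h, "tunnel protection ipsec profile") is None:
        findings.append("hub: GRE is unencrypted (no tunnel protection)")
    for name, cfg in spokes.items():
        s = tunnel_lines(cfg)
        for key in SHARED:  # every shared parameter must equal the hub's value
            if value(s, key) != value(h, key):
                findings.append(f"{name}: {key} {value(s, key)!r} != hub {value(h, key)!r}")
        if value(s, "ip nhrp nhs") != hub_ip:
            findings.append(f"{name}: NHS {value(s, 'ip nhrp nhs')!r} is not hub {hub_ip}")
        if value(s, "tunnel protection ipsec profile") is None:
            findings.append(f"{name}: GRE is unencrypted (no tunnel protection)")
    return findings

# Constructed stanzas mirroring the lab: the lab-wide lines plus router-specific
# extras. R3 is deliberately left without the IPsec step and given a mistyped key.
def tunnel_cfg(ip, extra, key="12345"):
    common = [f"ip address {ip} 255.255.255.0", "ip mtu 1400", "ip nhrp authentication cisco123",
              "ip nhrp network-id 10", "ip tcp adjust-mss 1360", "tunnel source FastEthernet0/0",
              "tunnel mode gre multipoint", f"tunnel key {key}"]
    return "interface Tunnel0\n" + "".join(f" {l}\n" for l in common + extra)

PROTECT = "tunnel protection ipsec profile gre_protection"
HUB = tunnel_cfg("10.0.0.1", ["ip nhrp map multicast dynamic", "no ip split-horizon", PROTECT])
SPOKE_EXTRA = ["ip nhrp map 10.0.0.1 172.17.17.2", "ip nhrp map multicast 172.17.17.2", "ip nhrp nhs 10.0.0.1"]
SPOKES = {"R2": tunnel_cfg("10.0.0.2", SPOKE_EXTRA + [PROTECT]),
          "R3": tunnel_cfg("10.0.0.3", SPOKE_EXTRA, key="12354")}
```

Calling `check_dmvpn(HUB, SPOKES)` returns two findings, both for R3 (the wrong tunnel key and the missing tunnel protection), and nothing for R2 or the hub.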

Testing and verification

Ping the loopback IP addresses of routers 2 and 3 using Router1's loopback IP address as the source.

[Image: ping output from Router1]

Verify IPsec operation using the following commands: show crypto isakmp sa, show crypto isakmp peers, and show crypto ipsec sa. See the output in the image below.

[Image: crypto verification output]

This lab was performed on GNS3 using four Cisco 7200 series routers. To get the lab, kindly drop your email address in the comment box on this blog and it will be mailed to you free of charge.
