##########################################################
Cisco Dynamic Multipoint VPN with PSK Basic Configuration
##########################################################

In this section 3 routers will be configured to provide a basic DMVPN. One of the routers will act as a hub, the remaining two as the spokes. Values in angle brackets are placeholders.

Hub Configuration Steps
=======================

Step 1: Define the IKE Phase 1 Policy
-------------------------------------

.. code-block:: none

    crypto isakmp policy <priority>
     encryption <encryption-algorithm>
     hash <hash-algorithm>
     authentication pre-share
     group <dh-group>
     lifetime <seconds>

Step 2: Define the Pre-Shared Key
---------------------------------

.. code-block:: none

    ! Same key used for all spokes regardless of IP Address
    crypto isakmp key <pre-shared-key> address 0.0.0.0

Step 3: Define the IPsec Proposal
---------------------------------

.. code-block:: none

    crypto ipsec transform-set <transform-set-name> <transforms>
     mode { tunnel | transport }

Step 4: Define the IPsec Profile
--------------------------------

.. code-block:: none

    crypto ipsec profile <profile-name>
     set transform-set <transform-set-name>
     set security-association lifetime seconds <seconds>

Step 5: Create the tunnel interface
-----------------------------------

.. code-block:: none

    interface tunnel <number>
     ip address <tunnel-ip> <mask>
     tunnel mode gre multipoint
     tunnel key <key>
     tunnel source <source-interface>
     ip nhrp map multicast dynamic
     ip nhrp authentication <string>
     ip nhrp network-id <id>
     ip nhrp holdtime <seconds>
     tunnel protection ipsec profile <profile-name>
     no shutdown

Spoke Configuration Steps
=========================

Step 1: Define the IKE Phase 1 Policy
-------------------------------------

.. code-block:: none

    crypto isakmp policy <priority>
     encryption <encryption-algorithm>
     hash <hash-algorithm>
     authentication pre-share
     group <dh-group>
     lifetime <seconds>

Step 2: Define the Pre-Shared Key
---------------------------------

.. code-block:: none

    ! Same key used for all spokes regardless of IP Address
    crypto isakmp key <pre-shared-key> address 0.0.0.0

Step 3: Define the IPsec Proposal
---------------------------------

.. code-block:: none

    crypto ipsec transform-set <transform-set-name> <transforms>
     mode { tunnel | transport }

Step 4: Define the IPsec Profile
--------------------------------

.. code-block:: none

    crypto ipsec profile <profile-name>
     set transform-set <transform-set-name>
     set security-association lifetime seconds <seconds>

Step 5: Define the Tunnel Interface
-----------------------------------

.. code-block:: none

    interface tunnel <number>
     ip address <tunnel-ip> <mask>
     tunnel mode gre multipoint
     tunnel key <key>
     ip nhrp map <hub-tunnel-ip> <hub-nbma-ip>
     ip nhrp nhs <hub-tunnel-ip>
     ip nhrp map multicast <hub-nbma-ip>
     ip nhrp authentication <string>
     ip nhrp network-id <id>
     ip nhrp holdtime <seconds>
     ! Tunnel source and IPsec protection, as on the hub
     tunnel source <source-interface>
     tunnel protection ipsec profile <profile-name>
     no shutdown

Routing Protocol Considerations
===============================

DMVPN can work with either Link State or Distance Vector protocols. However, considerations need to be made for each.

Distance Vector Protocols
-------------------------

In order to use routing protocols such as EIGRP and RIP, it is necessary to disable split horizon so that routing advertisements from the spokes can be readvertised out of the hub's single interface. In addition, the routing updates should still carry the original peer that advertised them as the next hop, not the hub. To achieve this, Next Hop Self should be disabled. In the case of EIGRP these can be configured on the tunnel interface as follows:

.. code-block:: none

    interface tunnel <number>
     no ip split-horizon eigrp <as-number>
     no ip next-hop-self eigrp <as-number>

Link State Protocols
--------------------

Routing protocols such as OSPF will automatically ensure that all peers receive the routing updates, because this is the Designated Router's (DR) responsibility. It is, however, important to ensure that none of the spokes can become the DR. It is also vital that the tunnel interface is set to use the network type "broadcast" so that the DR/BDR election occurs. If this is not set and more than two router IDs are seen on the same subnet, this could result in flapping neighbour relationships. The above can be achieved by setting the priority of the spokes to 0 and manually setting the network type on the tunnel as shown below:

.. code-block:: none

    interface tunnel <number>
     ip ospf network broadcast
     ip ospf priority 0

When using dual-hub, it is important that the priority of the primary hub is higher than that of the secondary. In the case of a primary hub failure, the spokes will notice for themselves when the hold time has expired and automatically start querying the secondary NHS.
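The following is an added example, not part of the original page: a small offline audit of a DMVPN router configuration for the settings used in the hub and spoke steps above (wildcard pre-shared key, IKE Phase 1 parameters, tunnel protection and NHRP authentication on the mGRE tunnel). The sample configuration is constructed, the function names are hypothetical, and the list of weak IKE values (DES/3DES, MD5, DH groups 1, 2 and 5) is an assumption based on common vendor guidance.

```python
import re

# Constructed sample hub configuration (not from the original page).
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encryption 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ExampleKey123 address 0.0.0.0
interface Tunnel0
 tunnel mode gre multipoint
 tunnel source GigabitEthernet0/0
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
"""

# Assumption: values treated as weak for IKE Phase 1.
WEAK = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2", "5"}}

def sections(config):
    """Return [(header, [child lines])] for each top-level IOS stanza."""
    out = []
    for line in config.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue  # skip blank lines and IOS comments
        if line[0] != " ":
            out.append((line.strip(), []))
        elif out:
            out[-1][1].append(line.strip())
    return out

def audit(config):
    """Return a list of finding strings, in configuration order."""
    findings = []
    for header, body in sections(config):
        if re.match(r"crypto isakmp key \S+ address 0\.0\.0\.0", header):
            findings.append("wildcard PSK: same key accepted for every peer address")
        elif header.startswith("crypto isakmp policy"):
            for child in body:
                kw, _, val = child.partition(" ")
                if val in WEAK.get(kw, ()):
                    findings.append(f"weak IKE {kw}: {val}")
        elif header.lower().startswith("interface tunnel") and "tunnel mode gre multipoint" in body:
            if not any(c.startswith("tunnel protection ipsec profile") for c in body):
                findings.append(f"{header}: mGRE tunnel without IPsec protection")
            if not any(c.startswith("ip nhrp authentication") for c in body):
                findings.append(f"{header}: NHRP authentication not set")
    return findings
```

Running `audit(SAMPLE_CONFIG)` reports the three weak IKE parameters, the wildcard key, and the unprotected, unauthenticated tunnel; a configuration with per-peer keys, stronger IKE values and `tunnel protection` applied returns an empty list.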