#########################################
Dynamic Multipoint VPN Hub Configuration
#########################################

Single Hub with Pre-Shared Key Authentication
=============================================

.. rubric:: Summary of Steps

1. Pre-requisites
2. Define Phase 1 Policy
3. Define Phase 2 Policy
4. Define Authentication Credentials
5. Define IPSec Profile
6. Configure Multipoint GRE interface
7. Configure Dynamic Routing

.. rubric:: Step 1: Pre-requisites

* Ensure WAN/LAN interfaces are configured
* Ensure routing is in place
* Verify initial connectivity is in place

.. rubric:: Step 2: Define Phase 1 Policy

::

    crypto isakmp policy
     authentication pre-share
     encryption
     group
     hash
     lifetime

.. rubric:: Step 3: Define Authentication Credentials

::

    crypto isakmp key address

.. rubric:: Step 3: Define Phase 2 Policy

::

    crypto ipsec transform-set
     mode transport

.. rubric:: Step 4: Define IPSec Profile

::

    crypto ipsec profile
     set transform-set

.. rubric:: Step 5a: Configure Dynamic Routing (EIGRP)

::

    router eigrp
     no auto-summary
     network
     network

.. rubric:: Step 5b: Configure Multipoint GRE Interface

::

    interface tunnel
     ip address
     tunnel source
     tunnel mode gre multipoint
     tunnel key
     ! Automatically create NHRP mappings for spokes
     ip nhrp map multicast dynamic
     ! Define the network password
     ip nhrp authentication
     ! Set a unique network-id per DMVPN network
     ip nhrp network-id
     ! Define how long to keep a mapping if no updates are received
     ip nhrp holdtime
     tunnel protection ipsec profile shiva
     ! If using EIGRP routing:
     ! ensure that the real advertising router is shown in the routing table
     no ip next-hop-self eigrp
     ! Allow routing updates to be sent out of the same interface
     ! they were received on
     no ip split-horizon eigrp
     ! Enable DMVPN Phase 3
     ip nhrp redirect

.. rubric:: Step 5b: Configure Dynamic Routing (OSPF)

::

     ! If using OSPF routing:
     ! define the DMVPN network as a broadcast network type
     ip ospf network broadcast
     ! Set the Primary Hub to have the highest OSPF priority
     ip ospf priority
     ! Allow the GRE tunnel interface to participate in OSPF
     ip ospf area

.. todo:: Complete example configuration for OSPF

   ::

      router ospf

Dual Hub with Pre-Shared Key Authentication
===========================================

Additional Steps
----------------

.. rubric:: Configure Secondary Hub

#. Same configuration as the primary hub
#. Define a static mapping to the primary hub (make the secondary hub a client of the primary hub)
#. Define the NHS server of the primary hub

Using DMVPN with Key Ring and DMVPN Profile
===========================================

Complete the steps as per the previous configuration, with the following differences:

.. rubric:: Step 1: Define the PSKs

::

    crypto keyring
     pre-shared-key address key

.. rubric:: Step 2: Define the ISAKMP Profile

::

    crypto isakmp profile
     match identity address
     keyring

.. rubric:: Step 3: Define the IPSEC Profile

::

    crypto ipsec profile
     set transform-set
     set isakmp-profile

Single Hub with RSA Authentication
==================================

.. rubric:: Step 1: Configure the trusted CA

::

    crypto ca trustpoint
     enrollment url

.. rubric:: Step 2: Authenticate the CA Server

::

    crypto ca authenticate

.. rubric:: Step 3: Enroll with the CA Server

::

    crypto ca enroll

.. rubric:: Step 3: Define the Phase 1 Policy

::

    crypto isakmp policy
     authentication rsa-sig
     encryption
     hash
     group
     lifetime

Remaining steps are the same as with Pre-Shared Key Authentication.
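
The hub steps above chain names together: the transform-set is referenced by the IPSec profile, and the profile is referenced by ``tunnel protection`` on the mGRE interface (the template hard-codes the profile name ``shiva`` there). The following check is an added example, not part of the original page; the function name, the sample configuration and the names ``DMVPN-TS`` and ``DMVPN-PROF`` are constructed for illustration. It flags references that do not resolve and mGRE tunnels with no ``tunnel protection`` line.

```python
import re

# Constructed sample (made-up names): profile is DMVPN-PROF, tunnel says shiva.
SAMPLE_HUB_CONFIG = """\
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TSET
interface Tunnel0
 tunnel mode gre multipoint
 tunnel protection ipsec profile shiva
interface Tunnel1
 tunnel mode gre multipoint
"""

def audit_dmvpn_references(config):
    """Return findings for dangling or missing IPsec references on mGRE tunnels."""
    transform_sets, profiles, tunnels = set(), {}, {}
    section = None  # (kind, name) of the config block being parsed
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # an unindented line starts a new block
            section = None
            if m := re.match(r"crypto ipsec transform-set (\S+)", line):
                transform_sets.add(m.group(1))
            elif m := re.match(r"crypto ipsec profile (\S+)", line):
                section = ("profile", m.group(1))
                profiles[m.group(1)] = []
            elif m := re.match(r"interface (Tunnel\d+)", line, re.I):
                section = ("tunnel", m.group(1))
                tunnels[m.group(1)] = {"mgre": False, "profile": None}
        elif section and section[0] == "profile":
            if m := re.match(r"set transform-set (.+)", line):
                profiles[section[1]] += m.group(1).split()
        elif section and section[0] == "tunnel":
            if line == "tunnel mode gre multipoint":
                tunnels[section[1]]["mgre"] = True
            elif m := re.match(r"tunnel protection ipsec profile (\S+)", line):
                tunnels[section[1]]["profile"] = m.group(1)
    findings = []
    for prof, sets in profiles.items():
        findings += [f"profile {prof}: undefined transform-set {ts}"
                     for ts in sets if ts not in transform_sets]
    for ifname, t in tunnels.items():
        if t["mgre"] and t["profile"] is None:
            findings.append(f"{ifname}: mGRE tunnel without tunnel protection")
        elif t["mgre"] and t["profile"] not in profiles:
            findings.append(f"{ifname}: undefined ipsec profile {t['profile']}")
    return findings
```

Run it over a saved copy of the hub's running configuration before deployment; an empty list means every mGRE tunnel points at a defined profile and every profile at a defined transform-set.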