DMVPN over IPsec (2024)

In our first DMVPN lesson we talked about the basics of DMVPN and its different phases. DMVPN is a “routing technique” that relies on multipoint GRE and NHRP; IPsec is not mandatory.

However, since you will probably run DMVPN with the Internet as the underlay network, it might be wise to encrypt your tunnels. In this lesson I’ll show you how to configure IPsec to encrypt your multipoint GRE tunnels. Here’s the topology we will use:

DMVPN over IPsec (1)

Above we have a hub and spoke topology which I used in all of my previous DMVPN examples. We’ll use a DMVPN phase 2 network with RIP as the routing protocol to test IPsec.

Configuration

Tunnel Interfaces

Let’s start with the tunnel interfaces on all routers. This is a basic DMVPN phase 2 configuration:

Hub(config)#interface Tunnel 0
Hub(config-if)#ip address 172.16.123.1 255.255.255.0
Hub(config-if)#ip nhrp authentication DMVPN
Hub(config-if)#ip nhrp map multicast dynamic
Hub(config-if)#ip nhrp network-id 1
Hub(config-if)#tunnel source GigabitEthernet0/1
Hub(config-if)#tunnel mode gre multipoint

Here are the spoke routers:

Spoke1(config)#interface Tunnel 0
Spoke1(config-if)#ip address 172.16.123.2 255.255.255.0
Spoke1(config-if)#ip nhrp authentication DMVPN
Spoke1(config-if)#ip nhrp map 172.16.123.1 192.168.123.1
Spoke1(config-if)#ip nhrp map multicast 192.168.123.1
Spoke1(config-if)#ip nhrp network-id 1
Spoke1(config-if)#ip nhrp nhs 172.16.123.1
Spoke1(config-if)#tunnel source GigabitEthernet0/1
Spoke1(config-if)#tunnel mode gre multipoint

Spoke2(config)#interface Tunnel 0
Spoke2(config-if)#ip address 172.16.123.3 255.255.255.0
Spoke2(config-if)#ip nhrp authentication DMVPN
Spoke2(config-if)#ip nhrp map 172.16.123.1 192.168.123.1
Spoke2(config-if)#ip nhrp map multicast 192.168.123.1
Spoke2(config-if)#ip nhrp network-id 1
Spoke2(config-if)#ip nhrp nhs 172.16.123.1
Spoke2(config-if)#tunnel source GigabitEthernet0/1
Spoke2(config-if)#tunnel mode gre multipoint

Now we can configure RIP…

RIP

We will advertise all interfaces in RIP, here’s the hub router:

Hub(config)#router rip
Hub(config-router)#version 2
Hub(config-router)#network 1.0.0.0
Hub(config-router)#network 172.16.0.0
Hub(config-router)#no auto-summary

Hub(config)#interface Tunnel 0
Hub(config-if)#no ip split-horizon

Don’t forget to disable split horizon on the hub’s tunnel interface, otherwise the hub will not re-advertise one spoke’s routes to the other spoke. Here are the spoke routers:

Spoke2(config)#router rip
Spoke2(config-router)#version 2
Spoke2(config-router)#network 3.0.0.0
Spoke2(config-router)#network 172.16.0.0
Spoke2(config-router)#no auto-summary

Spoke1(config)#router rip
Spoke1(config-router)#version 2
Spoke1(config-router)#network 2.0.0.0
Spoke1(config-router)#network 172.16.0.0
Spoke1(config-router)#no auto-summary

That should do it. Before we start messing around with IPsec, we should check that everything works without encryption. Let’s check whether the hub router has two NHRP registrations:

Hub#show dmvpn | begin Peer
Type:Hub, NHRP Peers:2,
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 192.168.123.2       172.16.123.2    UP 00:06:15     D
     1 192.168.123.3       172.16.123.3    UP 00:06:22     D

That’s looking good. Do we have some RIP routes?

Hub#show ip route rip
      2.0.0.0/32 is subnetted, 1 subnets
R        2.2.2.2 [120/1] via 172.16.123.2, 00:00:02, Tunnel0
      3.0.0.0/32 is subnetted, 1 subnets
R        3.3.3.3 [120/1] via 172.16.123.3, 00:00:11, Tunnel0

Spoke1#show ip route rip
      1.0.0.0/32 is subnetted, 1 subnets
R        1.1.1.1 [120/1] via 172.16.123.1, 00:00:07, Tunnel0
      3.0.0.0/32 is subnetted, 1 subnets
R        3.3.3.3 [120/2] via 172.16.123.3, 00:00:07, Tunnel0

Spoke2#show ip route rip
      1.0.0.0/32 is subnetted, 1 subnets
R        1.1.1.1 [120/1] via 172.16.123.1, 00:00:28, Tunnel0
      2.0.0.0/32 is subnetted, 1 subnets
R        2.2.2.2 [120/2] via 172.16.123.2, 00:00:28, Tunnel0
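The two checks above (NHRP registrations on the hub, RIP routes over the tunnel) are the ones you want to repeat before and after adding IPsec, because a phase 1 or phase 2 mismatch shows up first as spokes dropping out of this table. The script below is an added example, not code from the lesson: it parses the text of "show dmvpn" and "show ip route rip" (the sample output is constructed from the hub output shown above) and reports any expected spoke that is missing, not UP, or not a dynamic registration, and any expected route that is missing or has the wrong next hop.

```python
"""Pre-IPsec control-plane check for the DMVPN lab in this lesson.

Added example, not part of the original lesson. It parses the output of
"show dmvpn" and "show ip route rip" (the sample text below is constructed
from the hub outputs shown in the lesson) and verifies that every expected
spoke has a dynamic NHRP registration in the UP state and that every
expected RIP route points at the right tunnel next hop.
"""
import re

# One row of the "show dmvpn" peer table:
#   Ent  Peer NBMA Addr  Peer Tunnel Add  State  UpDn Tm  Attrb
PEER_ROW = re.compile(
    r"^\s*(\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$"
)
# One RIP route line: "R  2.2.2.2 [120/1] via 172.16.123.2, 00:00:02, Tunnel0"
RIP_ROW = re.compile(r"^R\s+(\S+)\s+\[(\d+)/(\d+)\]\s+via\s+(\S+),\s+\S+,\s+(\S+)\s*$")


def parse_dmvpn_peers(output):
    """Return {nbma_addr: {"tunnel": ..., "state": ..., "attrb": ...}} from "show dmvpn"."""
    peers = {}
    for line in output.splitlines():
        m = PEER_ROW.match(line)
        if m:
            _, nbma, tunnel, state, _, attrb = m.groups()
            peers[nbma] = {"tunnel": tunnel, "state": state, "attrb": attrb}
    return peers


def parse_rip_routes(output):
    """Return {destination: (next_hop, interface, metric)} from "show ip route rip"."""
    routes = {}
    for line in output.splitlines():
        m = RIP_ROW.match(line)
        if m:
            dest, _ad, metric, nexthop, iface = m.groups()
            routes[dest] = (nexthop, iface, int(metric))
    return routes


def check_hub(dmvpn_output, rip_output, expected_spokes, expected_routes):
    """expected_spokes: {nbma: tunnel address}; expected_routes: {destination: next hop}.
    Returns a list of problem strings; an empty list means the overlay is healthy."""
    problems = []
    peers = parse_dmvpn_peers(dmvpn_output)
    for nbma, tunnel in expected_spokes.items():
        p = peers.get(nbma)
        if p is None:
            problems.append(f"no NHRP registration from {nbma}")
        elif p["tunnel"] != tunnel:
            problems.append(f"{nbma} registered tunnel address {p['tunnel']}, expected {tunnel}")
        elif p["state"] != "UP":
            problems.append(f"peer {nbma} is {p['state']}, not UP")
        elif "D" not in p["attrb"]:
            problems.append(f"peer {nbma} is not a dynamic (D) registration")
    routes = parse_rip_routes(rip_output)
    for dest, nexthop in expected_routes.items():
        r = routes.get(dest)
        if r is None:
            problems.append(f"missing RIP route to {dest}")
        elif r[0] != nexthop or not r[1].startswith("Tunnel"):
            problems.append(f"route to {dest} via {r[0]} on {r[1]}, expected {nexthop} on the tunnel")
    return problems


# Constructed sample input, copied from the hub outputs shown in the lesson.
HUB_DMVPN = """\
Type:Hub, NHRP Peers:2,
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 192.168.123.2       172.16.123.2    UP 00:06:15     D
     1 192.168.123.3       172.16.123.3    UP 00:06:22     D
"""
HUB_RIP = """\
      2.0.0.0/32 is subnetted, 1 subnets
R        2.2.2.2 [120/1] via 172.16.123.2, 00:00:02, Tunnel0
      3.0.0.0/32 is subnetted, 1 subnets
R        3.3.3.3 [120/1] via 172.16.123.3, 00:00:11, Tunnel0
"""
EXPECTED_SPOKES = {"192.168.123.2": "172.16.123.2", "192.168.123.3": "172.16.123.3"}
EXPECTED_ROUTES = {"2.2.2.2": "172.16.123.2", "3.3.3.3": "172.16.123.3"}

if __name__ == "__main__":
    for line in check_hub(HUB_DMVPN, HUB_RIP, EXPECTED_SPOKES, EXPECTED_ROUTES) or ["overlay healthy"]:
        print(line)
```

Run it once before enabling IPsec and again afterwards; if a spoke disappears from the table after the crypto configuration, the problem is in phase 1 or phase 2 negotiation on that spoke, not in DMVPN itself.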

Yes we do! Everything is looking good so now we can focus on encryption.

IPsec

IPsec has two phases, phase 1 and phase 2 (don’t confuse these with the DMVPN phases).

Phase 1

We need an ISAKMP policy that matches on all our routers. Let’s pick something:

Hub, Spoke1 & Spoke2(config)#crypto isakmp policy 10
Hub, Spoke1 & Spoke2(config-isakmp)#authentication pre-share
Hub, Spoke1 & Spoke2(config-isakmp)#encryption aes 128
Hub, Spoke1 & Spoke2(config-isakmp)#group 5
Hub, Spoke1 & Spoke2(config-isakmp)#hash sha256

For ISAKMP authentication we can choose between pre-shared keys and PKI (certificates). To keep it simple, I’ll go for pre-shared keys:

Hub(config)#crypto isakmp key DMVPN_KEY address ?
  A.B.C.D  Peer IP address
  ipv6     define shared key with IPv6 address

When you configure the pre-shared key you have to enter the NBMA address. Keep in mind that IPsec protects the outer packets that carry multipoint GRE / NHRP, so the peer is identified by its NBMA (underlay) address, not by its tunnel address. We also have to specify a peer address, and there are two options:

  • Configure a pre-shared key for each “router pair” you have: this means we use a unique key for hub-spoke1, hub-spoke2 and spoke1-spoke2. This is secure but not very scalable: the more spoke routers we add to the network, the more keys we have to configure.
  • Configure a “wildcard” pre-shared key: this allows us to use a single key for all routers. This is the most convenient option, but it also means that if you want to change the key, you have to do it on all your routers.
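Two things have to line up before phase 1 can succeed: the ISAKMP policy parameters must match on every router (the policy above), and for every pair of routers that will build a tunnel, both sides must resolve the same pre-shared key for the other side’s NBMA address, whether from per-pair entries or from a wildcard entry (the two options just listed). The script below is an added example, not the lesson’s own code: it reads each router’s configuration text and reports policy sets that are not common to all routers and router pairs whose keys do not agree. The policy lines and the hub’s key command come from the lesson; the spoke configurations, the wildcard form “crypto isakmp key … address 0.0.0.0 0.0.0.0”, the IOS default values used for unconfigured policy parameters, and the deliberately mistyped per-pair key on Spoke2 are assumptions made for this example.

```python
"""ISAKMP phase-1 consistency checks for the routers in this lesson.

Added example, not the lesson's own code. Given each router's IOS
configuration text, it checks that every router holds an ISAKMP policy
with identical parameters, and that for every router pair both sides
resolve the same pre-shared key for the peer's NBMA address (per-pair
entries or a 0.0.0.0 wildcard entry). The spoke configurations and the
mistyped key on Spoke2 below are constructed sample input.
"""
import ipaddress
import re
from itertools import combinations

POLICY_RE = re.compile(r"^crypto isakmp policy (\d+)$")
KEY_RE = re.compile(r"^crypto isakmp key (\S+) address (\S+)(?: (\S+))?$")
# Assumed IOS defaults for policy parameters that are not configured explicitly.
POLICY_DEFAULTS = {"authentication": "rsa-sig", "encryption": "des", "group": "1", "hash": "sha"}


def parse_router(config):
    """Return ({policy_number: {parameter: value}}, [(key, allowed_peer_network)])."""
    policies, keys, current = {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := POLICY_RE.match(line):
            current = policies.setdefault(int(m.group(1)), dict(POLICY_DEFAULTS))
        elif m := KEY_RE.match(line):
            key, addr, mask = m.groups()
            # A key entry without a mask applies to that single peer (/32);
            # "0.0.0.0 0.0.0.0" is the wildcard that matches every peer.
            keys.append((key, ipaddress.ip_network(f"{addr}/{mask or '255.255.255.255'}")))
            current = None
        elif current is not None and line.split()[0] in POLICY_DEFAULTS:
            param, value = line.split(maxsplit=1)
            current[param] = value
    return policies, keys


def common_policies(parsed):
    """Parameter sets that exist as a policy on every router; empty means phase 1 cannot agree."""
    per_router = [{tuple(sorted(p.items())) for p in pol.values()} for pol, _ in parsed.values()]
    return set.intersection(*per_router) if per_router else set()


def key_for_peer(keys, peer_nbma):
    """Pre-shared key a router resolves for a peer: the most specific matching entry."""
    addr = ipaddress.ip_address(peer_nbma)
    matches = [(net.prefixlen, key) for key, net in keys if addr in net]
    return max(matches)[1] if matches else None


def check_phase1(routers):
    """routers: {name: (nbma_address, config_text)}.
    Returns (common policy parameter sets, [(router_a, router_b, key_a_uses, key_b_uses)])."""
    parsed = {name: parse_router(cfg) for name, (_, cfg) in routers.items()}
    mismatches = []
    for a, b in combinations(routers, 2):
        ka = key_for_peer(parsed[a][1], routers[b][0])
        kb = key_for_peer(parsed[b][1], routers[a][0])
        if ka is None or ka != kb:
            mismatches.append((a, b, ka, kb))
    return common_policies(parsed), mismatches


# The policy from the lesson, applied to all three routers.
POLICY = """\
crypto isakmp policy 10
 authentication pre-share
 encryption aes 128
 group 5
 hash sha256
"""
# Constructed sample: Hub and Spoke1 use a wildcard key, Spoke2 uses per-pair keys
# and the one for Spoke1 was typed differently, which is the mistake this check surfaces.
ROUTERS = {
    "Hub": ("192.168.123.1", POLICY + "crypto isakmp key DMVPN_KEY address 0.0.0.0 0.0.0.0\n"),
    "Spoke1": ("192.168.123.2", POLICY + "crypto isakmp key DMVPN_KEY address 0.0.0.0 0.0.0.0\n"),
    "Spoke2": ("192.168.123.3", POLICY
               + "crypto isakmp key DMVPN_KEY address 192.168.123.1\n"
               + "crypto isakmp key DMVPN_KEY_TYPO address 192.168.123.2\n"),
}

if __name__ == "__main__":
    policies, mismatches = check_phase1(ROUTERS)
    print("policy sets common to all routers:", len(policies))
    for a, b, ka, kb in mismatches:
        print(f"{a} <-> {b}: {a} uses {ka}, {b} uses {kb}")
```

With per-pair keys the number of entries to keep consistent grows with the number of router pairs, which is exactly the scaling problem the first option has; the wildcard option reduces the check to "every router has the same single entry", at the cost of one key being shared by all of them.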

I’ll use the wildcard pre-shared key for our example:

Article information

Author: Trent Wehner

