Configuring Dynamic Multipoint VPN Using GRE Over IPSec With EIGRP, NAT, and CBAC

Posted on 12:45 AM by Bharathvn

Introduction

This document provides a sample configuration for Hub-and-Spoke Dynamic Multipoint VPN (DMVPN) using generic routing encapsulation (GRE) over IPSec with Enhanced Interior Gateway Routing Protocol (EIGRP), Network Address Translation (NAT), and Context-Based Access Control (CBAC).

Prerequisites

Requirements

Before a multipoint GRE (mGRE) and IPSec tunnel can be established, you must define an Internet Key Exchange (IKE) policy by using the crypto isakmp policy command.

Note: To find additional information on the commands used in this document, use the Command Lookup Tool (registered customers only) .

Components Used

The information in this document is based on these software and hardware versions:

  • Cisco IOS® Software Release 12.2(15)T1 on the hub router and 12.3(1.6) on the spoke routers
  • Cisco 3620 as hub router, two Cisco 1720 routers and one Cisco 3620 router as spoke routers

The information presented in this document was created from devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If you are working in a live network, ensure that you understand the potential impact of any command before using it.

Conventions

For more information on document conventions, refer to [/en/US/tech/tk801/tk36/technologies_tech_note09186a0080121ac5.shtml Cisco Technical Tips Conventions].

Configure

In this section, you are presented with the information to configure the features described in this document.

Note: To find additional information on the commands used in this document, use the Command Lookup Tool (registered customers only) .

Network Diagram

This document uses the network setup shown in the diagram below.


dmvpn-gre-eigrp.gif

Configurations

This document uses the configurations shown below.

Hub - 3620-B

3620-B#write terminal
Building configuration...

Current configuration : 2607 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 3620-B
!
logging queue-limit 100
!
memory-size iomem 10
ip subnet-zero
!
!
ip cef
no ip domain lookup
!

!--- This is the CBAC configuration and what to inspect.
!--- This will be applied outbound on the external interface.

ip inspect name in2out rcmd
ip inspect name in2out ftp
ip inspect name in2out tftp
ip inspect name in2out tcp timeout 43200
ip inspect name in2out http
ip inspect name in2out udp
ip audit po max-events 100
!
!
!

!--- Create an Internet Security Association and Key Management
!--- Protocol (ISAKMP) policy for Phase 1 negotiations.

!
crypto isakmp policy 5
authentication pre-share
group 2

!--- Add dynamic pre-shared key.

crypto isakmp key dmvpnkey address 0.0.0.0 0.0.0.0
crypto isakmp nat keepalive 20
!
!

!--- Create the Phase 2 policy for actual data encryption.

crypto ipsec transform-set dmvpnset esp-3des esp-sha-hmac
!

!--- Create an IPSec profile to be applied dynamically
!--- to the GRE over IPSec tunnels.

crypto ipsec profile dmvpnprof
set transform-set dmvpnset
!
!
no voice hpi capture buffer
no voice hpi capture destination
!
!
mta receive maximum-recipients 0
!
!

!--- This is the inside interface.

interface Loopback1
ip address 192.168.117.1 255.255.255.0
ip nat inside
!

!--- This is the mGRE interface for dynamic GRE tunnels.

interface Tunnel1
description MULTI-POINT GRE TUNNEL for BRANCHES
bandwidth 1000
ip address 172.16.0.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication dmvpn
ip nhrp map multicast dynamic
ip nhrp network-id 99
ip nhrp holdtime 300
no ip split-horizon eigrp 1
no ip mroute-cache
delay 1000
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile dmvpnprof
!

!--- This is the outside interface.

interface FastEthernet0/0
ip address 14.24.117.1 255.255.0.0
ip nat outside
ip access-group 100 in
ip inspect in2out out
no ip mroute-cache
duplex auto
speed auto
!
interface Serial0/0
no ip address
shutdown
clockrate 2000000
no fair-queue
!
interface FastEthernet0/1
no ip address
no ip mroute-cache
duplex auto
speed auto
!

!--- Enable a routing protocol to send/receive dynamic
!--- updates about the private networks over the tunnels.

router eigrp 1
network 172.16.0.0 0.0.0.255
network 192.168.117.0
no auto-summary
!

!--- Perform NAT on local traffic
!--- going directly out FastEthernet0/0.

ip nat inside source list 110 interface FastEthernet0/0 overload
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 14.24.1.1
ip route 2.0.0.0 255.0.0.0 14.24.121.1
!
!
!

!--- Allow ISAKMP, ESP, and GRE traffic inbound.
!--- CBAC will open other inbound access as needed.

access-list 100 permit udp any host 14.24.117.1 eq 500
access-list 100 premit esp any host 14.24.117.1
access-list 100 permit gre any host 14.24.117.1
access-list 100 deny ip any any
access-list 110 permit ip 192.168.117.0 0.0.0.255 any
!
!
call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
login
!
!
end

3620-B#


Spoke 1 - 3620-A

3620-A#write terminal
Building configuration...

Current configuration : 2559 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 3620-A
!
boot system flash slot0:c3620-ik9o3s7-mz.122-15.T1.bin
logging queue-limit 100
!
memory-size iomem 15
ip subnet-zero
!
!
ip cef
no ip domain lookup
!

!--- This is the CBAC configuration and what to inspect.
!--- This will be applied outbound on the external interface.

ip inspect name in2out rcmd
ip inspect name in2out tftp
ip inspect name in2out udp
ip inspect name in2out tcp timeout 43200
ip inspect name in2out realaudio
ip inspect name in2out vdolive
ip inspect name in2out netshow
ip audit po max-events 100
!
!
!

!--- Create an ISAKMP policy for
!--- Phase 1 negotiations.

crypto isakmp policy 5
authentication pre-share
group 2

!--- Add dynamic pre-shared key.

crypto isakmp key dmvpnkey address 0.0.0.0 0.0.0.0
!
!

!--- Create the Phase 2 policy for actual data encryption.

crypto ipsec transform-set dmvpnset esp-3des esp-sha-hmac
!

!--- Create an IPSec profile to be applied dynamically
!--- to the GRE over IPSec tunnels.

crypto ipsec profile dmvpnprof
set transform-set dmvpnset
!
!
no voice hpi capture buffer
no voice hpi capture destination
!
!
mta receive maximum-recipients 0
!
!

!--- This is the inside interface.

interface Loopback1
ip address 192.168.118.1 255.255.255.0
ip nat inside
!

!--- This is the mGRE interface for dynamic GRE tunnels.

interface Tunnel1
description HOST DYNAMIC TUNNEL
bandwidth 1000
ip address 172.16.0.2 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication dmvpn
ip nhrp map 172.16.0.1 14.24.117.1
ip nhrp map multicast 14.24.117.1
ip nhrp network-id 99
ip nhrp holdtime 300
ip nhrp nhs 172.16.0.1
no ip mroute-cache
delay 1000
tunnel source Ethernet0/0
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile dmvpnprof
!

!--- This is the outside interface.

interface Ethernet0/0
ip address 14.24.118.1 255.255.0.0
ip nat outside
ip inspect in2out out
ip access-group 100 in
no ip mroute-cache
half-duplex
!
interface Ethernet0/1
no ip address
half-duplex
!
interface Ethernet0/2
no ip address
shutdown
half-duplex
!
interface Ethernet0/3
no ip address
shutdown
half-duplex
!

!--- Enable a routing protocol to send/receive dynamic
!--- updates about the private networks over the tunnel.

router eigrp 1
network 172.16.0.0 0.0.0.255
network 192.168.118.0
no auto-summary
!

!--- Perform NAT on local traffic
!--- going directly out Ethernet0/0.

ip nat inside source list 110 interface Ethernet0/0 overload
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 14.24.1.1
!
!

!--- Allow ISAKMP, ESP, and GRE traffic inbound.
!--- CBAC will open inbound access as needed.

access-list 100 permit udp any host 14.24.118.1 eq 500
access-list 100 premit esp any host 14.24.118.1
access-list 100 permit gre any host 14.24.118.1
access-list 100 deny ip any any
access-list 110 permit ip 192.168.118.0 0.0.0.255 any
!
!
call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
login
!
!
end

3620-A#

Spoke 2 - 1720-b

1720-b#write terminal
Building configuration...

Current configuration : 2543 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 1720-b
!
boot system flash flash:c1700-ny-mz.122-8.YJ
logging queue-limit 100
enable password cisco
!
username 7206-B password 0 cisco
ip subnet-zero
!
!
no ip domain lookup
!
ip cef

!--- This is the CBAC configuration and what to inspect.
!--- This will be applied outbound on the external interface.

ip inspect name in2out rcmd
ip inspect name in2out tftp
ip inspect name in2out udp
ip inspect name in2out tcp timeout 43200
ip inspect name in2out realaudio
ip inspect name in2out vdolive
ip inspect name in2out netshow
ip audit po max-events 100
!
!
vpdn-group 1
request-dialin
protocol pppoe
!
!

!--- Create an ISAKMP policy for
!--- Phase 1 negotiations.

crypto isakmp policy 5
authentication pre-share
group 2

!--- Add dynamic pre-shared key.

crypto isakmp key dmvpnkey address 0.0.0.0 0.0.0.0
!
!

!--- Create the Phase 2 policy for actual data encryption.

crypto ipsec transform-set dmvpnset esp-3des esp-sha-hmac
!

!--- Create an IPSec profile to be applied dynamically
!--- to the GRE over IPSec tunnels.

crypto ipsec profile dmvpnprof
set transform-set dmvpnset
!
!

!--- This is the inside interface.

interface Loopback1
ip address 192.168.116.1 255.255.255.0
ip nat inside
!

!--- This is the mGRE interface for dynamic GRE tunnels.

interface Tunnel1
description HOST DYNAMIC TUNNEL
bandwidth 1000
ip address 172.16.0.3 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication dmvpn
ip nhrp map 172.16.0.1 14.24.117.1
ip nhrp map multicast 14.24.117.1
ip nhrp network-id 99
ip nhrp holdtime 300
ip nhrp nhs 172.16.0.1
no ip mroute-cache
delay 1000
tunnel source Dialer1
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile dmvpnprof
!
interface Ethernet0
no ip address
half-duplex
!
interface FastEthernet0
no ip address
no ip mroute-cache
speed auto
pppoe enable
pppoe-client dial-pool-number 1
!

!--- This is the outside interface.

interface Dialer1
ip address 2.2.2.10 255.255.255.0
ip inspect in2out out
ip access-group 100 in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap chap callin
!

!--- Enable a routing protocol to send/receive dynamic
!--- updates about the private networks.

router eigrp 1
network 172.16.0.0 0.0.0.255
network 192.168.116.0
no auto-summary
!

!--- Perform NAT on local traffic
!--- going directly out Dialer1.

ip nat inside source list 110 interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
no ip http secure-server
!
!
!

!--- Allow ISAKMP, ESP, and GRE traffic inbound.
!--- CBAC will open inbound access as needed.

access-list 100 permit udp any host 14.24.116.1 eq 500
access-list 100 premit esp any host 14.24.116.1
access-list 100 permit gre any host 14.24.116.1
access-list 100 deny ip any any
access-list 110 permit ip 192.168.116.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
!
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
login
!
no scheduler allocate
end

1720-b#

Spoke 3 - 1720-A

1720-A#write terminal
Building configuration...

Current configuration : 1770 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 1720-A
!
logging queue-limit 100
!
memory-size iomem 25
ip subnet-zero
!
!
!
ip cef

!--- This is the CBAC configuration and what to inspect.
!--- This will be applied outbound on the external interface.

ip inspect name in2out rcmd
ip inspect name in2out tftp
ip inspect name in2out udp
ip inspect name in2out tcp timeout 43200
ip inspect name in2out realaudio
ip inspect name in2out vdolive
ip inspect name in2out netshow
ip audit po max-events 100
!
!

!--- Create an ISAKMP policy for
!--- Phase 1 negotiations.

crypto isakmp policy 5
authentication pre-share
group 2

!--- Add dynamic pre-shared key.

crypto isakmp key dmvpnkey address 0.0.0.0 0.0.0.0
!
!

!--- Create the Phase 2 policy for actual data encryption.

crypto ipsec transform-set dmvpnset esp-3des esp-sha-hmac
!

!--- Create an IPSec profile to be applied dynamically
!--- to the GRE over IPSec tunnels.

crypto ipsec profile dmvpnprof
set transform-set dmvpnset
!
!

!--- This is the inside interface.

interface Loopback1
ip address 192.168.120.1 255.255.255.0
ip nat inside
!

!--- This is the mGRE interface for dynamic GRE tunnels.

interface Tunnel1
description HOST DYNAMIC TUNNEL
bandwidth 1000
ip address 172.16.0.4 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication dmvpn
ip nhrp map 172.16.0.1 14.24.117.1
ip nhrp map multicast 14.24.117.1
ip nhrp network-id 99
ip nhrp holdtime 300
ip nhrp nhs 172.16.0.1
no ip mroute-cache
delay 1000
tunnel source FastEthernet0
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile dmvpnprof
!
interface Ethernet0
no ip address
no ip mroute-cache
half-duplex
!

!--- This is the outside interface.

interface FastEthernet0
ip address 14.24.120.1 255.255.0.0
ip nat outside
ip inspect in2out out
ip access-group 100 in
no ip mroute-cache
speed auto
!

!--- Enable a routing protocol to send/receive dynamic
!--- updates about the private networks.

router eigrp 1
network 172.16.0.0 0.0.0.255
network 192.168.120.0
no auto-summary
!

!--- Perform NAT on local traffic
!--- going directly out FastEthernet0.

ip nat inside source list 110 interface FastEthernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 14.24.1.1
no ip http server
no ip http secure-server
!
!
!

!--- Allow ISAKMP, ESP, and GRE traffic inbound.
!--- CBAC will open inbound access as needed.

access-list 100 permit udp any host 14.24.116.1 eq 500
access-list 100 premit esp any host 14.24.116.1
access-list 100 permit gre any host 14.24.116.1
access-list 100 deny ip any any
access-list 110 permit ip 192.168.120.0 0.0.0.255 any
!
!
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
login
!
no scheduler allocate
end

1720-A#

Verify

This section provides information you can use to confirm your configuration is working properly.

Certain show commands are supported by the Output Interpreter Tool (registered customers only) , which allows you to view an analysis of show command output.

  • show crypto isakmp sa—Displays the state for the ISAKMP security association (SA).
  • show crypto engine connections active —Displays the total encrypts/decrypts per SA.
  • show crypto ipsec sa—Displays the statistics on the active tunnels.
  • show ip route—Displays the routing table.
  • show ip eigrp neighbor—Displays the EIGRP neighbors.
  • show ip nhrp—Displays the IP Next Hop Resolution Protocol (NHRP) cache, optionally limited to dynamic or static cache entries for a specific interface.
  • show crypto socket—Displays the crypto socket table between NHRP and IPSec.