Cisco CCNP Security 300-730 SVPN – Site-to-Site Virtual Private Networks on Routers and Firewalls Part 2

January 26, 2023

6. Implement DMVPN Phase 1 With IPSEC

Hello, guys. Welcome to another video. In this video we are going to go over DMVPN phase 1, and we are going to configure DMVPN phase 1 with IPsec on top of it. IPsec provides data confidentiality and data integrity: with IPsec you encrypt your data to provide confidentiality and hash your data to provide integrity. So we are going to use DMVPN phase 1 with IPsec and IKE version 1.

So let’s go ahead and start with the configuration. The configuration is already long, and if you have been following me on my YouTube channel, I have already configured a site-to-site IPsec VPN with IKE version 1, and I have also configured DMVPN phase 1. But I have not combined both of them at the same time, so I’m not going to explain a lot of what each command does. If you want to know what each command does, I suggest you go to my YouTube channel and watch the IPsec site-to-site VPN configuration and also the DMVPN phase 1 configuration.

So let’s go ahead and start with this configuration. The first thing we need to do is create a tunnel interface; this tunnel is going to be the DMVPN tunnel, and we need to give it an IP address. This one is going to be .1 with a /24 mask. After we do that, we are going to do no ip split-horizon eigrp 10, so the autonomous system is going to be 10. After that we need to do ip nhrp map multicast dynamic, and then ip nhrp network-id 10. The tunnel source is going to be the 0/0 interface, which you can see right here.

Okay? After we configure that, we need to configure tunnel mode gre multipoint, and that is going to be it for now. After we do that we have to configure router eigrp 10 with no auto-summary. The first network we need to add is the network of my loopback address (1.1.1.x), which is actually working like a network so I can ping to it. The other network is going to be the DMVPN tunnel that we have configured. So that is good; now we are done with this configuration. Now we need to move on to the configuration of IKE version 1 phase 1. To configure IKEv1 phase 1 we need to do, not a crypto map, a crypto isakmp policy. We’re going to say policy 10.

From here we need to provide an authentication method; it is going to be a pre-shared key. For the hash we are going to do MD5, for the encryption we are going to do 3DES, and the Diffie-Hellman group is going to be group 2, and that is it. Then we exit and go ahead and create a crypto isakmp key, and we are going to call this key DMVPNKEY for now. If you remember, guys, from my IPsec site-to-site VPN configuration, what you would specify over here is an address, the IP address of the remote router at the remote location. So if you were configuring this for one spoke, you would put that spoke’s IP address right here. But since we are going to use the same pre-shared key for both of these devices, what we’re going to do is go like this and use this pre-shared key for any address.

So for any spoke we are going to use the same key, the DMVPN key. Enter. Okay, that is good, and we could do a show run; actually, let’s do that at the end and keep going. After that we need to configure IKE version 1 phase 2. To do that you configure a crypto ipsec transform-set, and we’re going to call this TSET. For it we’re going to use esp-aes and esp-sha-hmac, and the mode is going to be transport mode. Good. After that we need to configure an IPsec profile: crypto ipsec profile, and we’re going to call this the DMVPN IPsec profile. All we need to do in here is attach the transform set that we created, which was called TSET. There it is. After that has been configured, the last thing we need to do is attach that profile to the tunnel that we created, which I believe was Tunnel0. Yes. So over here we do tunnel protection ipsec profile and attach the profile we just created. And there it is. That’s good.

Now let’s go ahead and do a show run | section crypto. Since we are going to use the same authentication, the same IKE version 1 phase 1 configuration, we can just copy this and paste it on spoke 2 and spoke 3. Okay, that is done. We could also do a show run | section ipsec and copy the key from there if it is not there already. Oh, everything is here from when I did the pipe section crypto: you can see we got the isakmp policy, which is IKE version 1 phase 1, then the key, and we also got the transform set and the DMVPN profile. So that is good, that is all we need: we have phase 1 and phase 2 over here. Let’s see what else we need to do. I think we are done on the hub. Since we are done on the hub, we need to go to the spokes; let’s start with spoke 2. From over here, the first thing I want to configure is all of this crypto right here. We can just copy it, conf t, paste it, done, exit, and let’s go ahead and create interface Tunnel0.

From over here we need to configure the IP address, which is .2 for spoke 2. After that is configured, we need to configure an ip nhrp map. This one tells the spoke where the NHS is: we need to provide the NBMA IP address and the NHRP (tunnel) IP address of the hub. So what this is telling the spoke is that to reach this tunnel address you need to go to this NBMA address right here. After that is done, we need to specify where to send the multicast packets, and you want to send those to the hub’s NBMA address. Then ip nhrp network-id 10, and then we need to specify what the NHS is, so ip nhrp nhs is going to be the hub’s tunnel address right here. So we are good. After that is done, we need to specify the tunnel protection with the IPsec profile, and the IPsec profile we configured was the DMVPN IPsec profile, so we attach it right here. That is good.

Now we can copy everything we configured for spoke 3. It is going to be interface Tunnel0, and the IP address is the only thing we need to change; the map is going to be the same. Actually, let’s do show run | section interface and see whether it shows me anything. No. Let’s do show run; this should give me all the commands I need, so I’ll copy them one by one. We provided most of it already, so we can just copy this and paste it right here. There we go: nhrp map, nhrp network-id, nhrp nhs, tunnel protection ipsec. That looks good, everything looks good. Now we need to copy this and go into spoke 3. Actually, I forgot to do something on this spoke. Exit, and we need to do router eigrp 10, no auto-summary, network for my loopback address, and then the network of the tunnel, which should form my EIGRP adjacency. It did not do it. Let’s check: show ip route, show ip eigrp neighbors, show run | section eigrp. Okay, so we configured this network, 192.168.1.0. Let me see whether I can ping 192.168.1.1.

Let’s see whether we can do that. Interesting. Let’s look at NHRP: show ip nhrp. There is no NHRP mapping. Show run; let’s see whether I missed a configuration over here. Multicast, no split horizon, network-id, source... I don’t think I did a tunnel source for spoke 2. So conf t, interface Tunnel0, tunnel source. I believe I didn’t do a source. So tunnel source GigabitEthernet, and then the tunnel destination, which I believe has to be the hub’s NBMA IP address. There we go. I forgot to do this, and that’s why it was not working. So we can copy this and paste it into our configuration, with the source as well. Okay, that’s why it was not coming up, but now it is working. Let’s go to spoke 3 and also do router eigrp 10, no auto-summary, network 3.3.3.x, which is the loopback address that we configured over here, and then the tunnel network. Let’s go ahead and create IKE version 1 phase 1 and phase 2; that is done. Now let’s create this tunnel, paste, and that is done, and then let’s create router eigrp 10. There it is. So now let’s do a couple of commands to verify our configuration. If we do show crypto isakmp sa, you can see that right now it shows idle, but it is active.

Let’s do a show crypto ipsec sa. You can see right here that it is working because we have some encapsulation and decapsulation, and that is probably because of EIGRP sending packets. You can see the local identity, which is this spoke, and the remote identity, which is the hub. And we only have a connection with the hub because this is DMVPN phase 1, and phase 1 only creates spoke-to-hub or hub-to-spoke tunnels; it does not create a tunnel between spokes. Okay? You can see more output right here, and you can also do show dmvpn detail. Over here you can see that the tunnel was created using IKE version 1, that it is up and active, and that inbound it has decrypted 28 packets and outbound encrypted 29 packets. The socket state is open, and the IPsec flow permits host to host: from this spoke’s address to the NBMA IP address of the hub, the host we want to permit. This is like the proxy ACL. Okay, so you can see everything is working right here. If you go to the hub you can do more testing over there. If we do show crypto ipsec sa, you see the same thing: the encapsulation and decapsulation counters keep going up. And if we do show dmvpn detail, you can see that we have these two peers right here, spoke 2 and spoke 3, and they are up and running. Then you can see the configuration for the two tunnels. There is this one right here, which is the local tunnel, and we have two tunnels. Right now we have one with the local IP address, which is this one, and then we have the connection with the remote, and you can see that we’re using port 500, and that’s because we’re not using NAT, network address translation.

When we’re not using network address translation, IKE version 1 and IPsec use port 500. You can see what we are permitting over here, and you can see how many packets we have encrypted and decrypted with spoke 2. Then there is the other tunnel over here, with the same local IP address; the only thing that changes is the remote IP address, which is now the remote address of spoke 3, while this one is for spoke 2. You can see that we have encrypted 45 packets and decrypted 45 packets. So it is working just the way we wanted it. Show ip nhrp: you can see that two dynamic tunnels have been created, and everything is working, like I said, just the way we wanted. Everything is working well.

Now for spoke 2, let’s do a debug. Let’s see whether I remember it: debug crypto engine packet. Crypto engine packet debugging is turned on. Now you can see that whenever we send a packet it is being encrypted; right now it is sending EIGRP packets, and that’s why it keeps encapsulating and decapsulating. And if we ping 192.168.1.3, which is spoke 3, you can see that it is encrypting and decrypting everything, as you can see right here. So let’s do undebug all to stop the debugging. You can see that everything is working the way we wanted it. We have successfully configured DMVPN phase 1 with IKE version 1 and IPsec on top of it, so the traffic is being encrypted and decrypted. In the next video we are going to configure DMVPN phase 2. In phase 2 you guys are going to see a little bit of a different configuration: you are going to see that we are able to build two tunnels, a spoke-to-spoke tunnel and also a spoke-to-hub tunnel, and they are both going to be encrypted. Thank you guys for watching this video.
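Here is the Phase 1 configuration this section walks through, assembled as an added example; it is not configuration captured from the video. Interface names, the loopback numbering, the profile name DMVPN-IPSEC-PROFILE, the 192.168.1.0/24 tunnel network and the 203.0.113.0/24 NBMA addresses are assumptions, and the commented lines next to the ISAKMP policy show the stronger settings a practitioner should prefer over the video’s 3DES/MD5/group 2 choices.

```text
! ===== Hub (assumed: NBMA 203.0.113.1 on Gi0/0, loopback 1.1.1.1) =====
! IKEv1 phase 1 as configured in the video. 3DES, MD5 and DH group 2 are
! weak by today's standards; the commented lines are the settings to
! prefer in a new deployment (added here, not from the video).
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
! encryption aes 256
! hash sha256
! group 14
!
! Wildcard pre-shared key: any peer that knows this key can bring up IKE
! with the hub, so the key itself becomes the only peer authentication.
crypto isakmp key DMVPNKEY address 0.0.0.0 0.0.0.0
!
! IKEv1 phase 2: transform set in transport mode (GRE already
! encapsulates the payload) attached to an IPsec profile.
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
 mode transport
crypto ipsec profile DMVPN-IPSEC-PROFILE
 set transform-set TSET
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
interface Tunnel0
 ip address 192.168.1.1 255.255.255.0
 no ip split-horizon eigrp 10
 ip nhrp map multicast dynamic
 ip nhrp network-id 10
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-IPSEC-PROFILE
!
router eigrp 10
 no auto-summary
 network 1.1.1.0 0.0.0.255
 network 192.168.1.0 0.0.0.255

! ===== Spoke 2 (assumed: NBMA 203.0.113.2 on Gi0/0, loopback 2.2.2.2) =====
! Same crypto block as the hub (policy, key, transform set, profile),
! pasted from "show run | section crypto". Phase 1 spokes use a
! point-to-point GRE tunnel, so they carry a tunnel destination and can
! only ever build the tunnel to the hub.
interface Tunnel0
 ip address 192.168.1.2 255.255.255.0
 ip nhrp map 192.168.1.1 203.0.113.1
 ip nhrp map multicast 203.0.113.1
 ip nhrp network-id 10
 ip nhrp nhs 192.168.1.1
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.1
 tunnel protection ipsec profile DMVPN-IPSEC-PROFILE
!
router eigrp 10
 no auto-summary
 network 2.2.2.0 0.0.0.255
 network 192.168.1.0 0.0.0.255
!
! Verification used in the video:
!  show crypto isakmp sa   - one IKE SA per peer, status ACTIVE
!  show crypto ipsec sa    - encaps/decaps counters climbing (EIGRP hellos)
!  show dmvpn detail       - peers, IPsec flow (proxy identity), counters
!  show ip nhrp            - on the hub, one dynamic entry per spoke
!  debug crypto engine packet / undebug all
```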

7. DMVPN Phase 2 with IPsec

Hello guys, welcome to another video on DMVPN. We are going to configure DMVPN phase 3 with IKE version 1 and IPsec so we can encrypt and provide data confidentiality and data integrity. Phase 3 is similar to phase 2, but in phase 3, which we are going to configure right now, the spokes get involved in the NHRP process, because in DMVPN phase 2 they were not doing that: the hub was the one sending the NHRP replies and requests to the spokes, right? So a spoke would send an NHRP request to the hub, the hub would send it to the other spoke, and then the two spokes would create the tunnel. But now the hub is not going to be in the middle of it: whenever a spoke-to-spoke tunnel is going to be created, it just goes straight to the spoke. Okay? So with that being said, the hub is going to be used a lot less than in phase 2. Okay? That way it reduces the single point of failure that could happen: if the hub goes down, then the spokes won’t be able to communicate. But in DMVPN phase 2 and phase 3 it doesn’t work like that; if the hub goes down, the spoke-to-spoke tunnels are still going to be there, right? So let’s go ahead and start with this configuration. I like to start with the hub, and then we are going to go to spoke 2, spoke 3 and spoke 4.

All right, there we go. So let’s start with the configuration. The first thing I always configure is IKE version 1 phase 1. So let’s do that: crypto isakmp policy. We have to create the policy, and it is going to be policy number 10. From here we do authentication pre-share, the encryption is going to be 3DES, and for the hashing algorithm let’s use MD5. The Diffie-Hellman group is going to be group 2. I do not care about the lifetime, so I’m just going to leave it like that. Then we need to configure one more thing for IKE version 1 phase 1, which is the isakmp key, and that’s how we authenticate. So crypto isakmp key DMVPNKEY, that’s what we want to call it, and the address is going to be any address. This means that since we are going to have a multipoint connection from this single interface, I want to use this key for any router, right? This key is going to be used for any of these spokes or any router. Okay, that is done. After that is done, we need to go ahead and configure IKE version 1 phase 2.

In phase 2 we need to configure the transform set, TSET, and after we configure the transform set we need to attach it to a profile, an IPsec profile, right? So let’s start with that. You do crypto ipsec transform-set, and we are going to call this TSET. From here we are going to have ESP with AES 256 encryption and esp-sha-hmac, and the mode is going to be transport mode. Then after that we configure crypto ipsec profile, and we’re going to call this the DMVPN profile. What we need to do right here is set the transform set, so we attach the transform set that we just created, which we called TSET. There we go, that is done. Now I want to do show run | section crypto, and since we’re going to be using the same key and the same everything, I just want to copy this and paste it in all my other routers, because we’re going to use the same and I don’t want to waste time configuring it all over again. There we go. Good. Over here too. Okay, so IKE version 1 phase 1 and IKE version 1 phase 2 have been successfully configured on all the routers. So now what we need to do from the hub is create that DMVPN tunnel, or the GRE tunnel, whatever you want to call it.

So let’s go ahead and do that: interface Tunnel0. The first thing I want to do is give it the tunnel IP address, as you can see right here. Okay, that’s good. After that is done, we do no ip split-horizon eigrp 10, ip nhrp network-id 10, and then ip nhrp map multicast dynamic, okay? After that we need to tell it what the source is. The source is the GigabitEthernet interface, which is this one right here. And after that we need to configure a new command, which is ip nhrp redirect. What this is going to do is inform the spoke that it can communicate with the intended spoke directly. Okay? So whenever they send an NHRP request, instead of sending it through the hub, it’s going to go to the spoke so they can create that spoke-to-spoke communication.

So the hub is not going to be doing the NHRP request and reply between the spoke and the hub; it’s just going to happen between spoke and spoke. Okay, that’s what it means. Then after that we need to do tunnel mode gre multipoint. And after that’s configured, we need to do tunnel protection ipsec profile and attach the IPsec profile that we created. That IPsec profile has the transform set attached to it, and the transform set is the one that tells it how to encrypt the data. There we go, it is up. So we are good to go. Now let’s start configuring the spokes. Actually, I always forget: before we do that we need to do router eigrp 10, right? That’s the AS number we set for split horizon. Then no auto-summary, and we need to add a couple of networks. The first one is the loopback address, which is actually acting like a network.

Then we need to add the tunnel IP network. Done. Let’s go to spoke 2: interface Tunnel0. After that, we need to configure the IP address, which is 192.168.1.2. There we go. After we do that we need to do ip nhrp network-id 10, then ip nhrp map, and we need to map the hub: this is the hub’s logical IP address, the IP address of the tunnel, and then after that the NBMA address. Did I do it right? Let’s see. Actually, we do not need to create a map. What we need to do is tell it where the next-hop server is. The next-hop server is 192.168.1.1, and the NBMA address of this next-hop server, which is the hub, is going to be its NBMA address, which is this one right here, the IP address of that GigabitEthernet interface.

And this one is going to be multicast as well. Okay, now we need to configure the tunnel source, and the tunnel source for this one is going to be the GigabitEthernet interface. Then we need to do ip nhrp shortcut. The shortcut is responsible for rewriting the CEF entry after getting the redirect message from the hub. So whenever the hub sends that redirect message to the spoke, what is going to happen, since we configured this shortcut, is that the spoke is now responsible for rewriting the CEF entry after getting the redirect from the hub. Okay, so that is done. Now we need to do tunnel mode gre multipoint.

The first time I typed tunnel mode multipoint ip; did I do this right? It’s not ip, it’s gre multipoint. There we go. Then we do tunnel protection ipsec profile and attach the profile, which is called the DMVPN profile. There we go: ISAKMP went off and now it is back on. Great, so let’s do router eigrp 10, because we need the same autonomous system as the hub and the same as the other spokes. Then no auto-summary, and we need to add both networks, the loopback address and the network of the tunnel interface. Right.

Okay. You can see here that EIGRP is up: we have a neighbor relationship with 192.168.1.1, which is the hub. Great. Now let’s configure spoke 3, and do basically the same: the IP address 192.168.1.3 /24, ip nhrp network-id 10, ip nhrp nhs 192.168.1.1 nbma with the hub’s NBMA address, and then we need to call this multicast. The multicast keyword means that whenever we get a multicast packet, like an EIGRP packet, we are going to send it to the hub. Right? Okay. After that is done, we do tunnel mode gre multipoint and then the tunnel source. And the tunnel source is going to be... let’s see what else we have.

We have to do ip nhrp shortcut, of course. And then tunnel protection ipsec profile; we’re going to use a profile, and the profile name is this one, the DMVPN profile. You can see ISAKMP is now on. Great. Now let’s configure router eigrp 10, no auto-summary, network for the loopback and network 192.168.1.0 with its wildcard mask. Good. That should create a neighbor relationship with the hub, as you can see. And if we go to the hub and do show ip nhrp, you can see that we now have two dynamic tunnels, two hub-to-spoke tunnels. One is via 192.168.1.2, which is spoke 2; that is the IP address of the tunnel, and this one is the NBMA IP address, which is the IP address of the physical interface. Okay. And then we have another one, 192.168.1.3, which is the tunnel IP address of spoke 3, and you can see its NBMA IP address. If we do show ip route, you can see that we have two networks and they are both via the tunnel. You can see right here, this one is spoke 2’s, going to 192.168.1.2, the tunnel IP address of spoke 2, and then 192.168.1.3, which is the IP address of spoke 3’s tunnel. So they are both going to hop on the tunnel whenever you want to get to these two networks. Okay, now let’s configure the last spoke, spoke 4. Do an IP address first, of course, then ip nhrp network-id 10, ip nhrp nhs 192.168.1.1 nbma with the hub’s NBMA address and multicast, then ip nhrp shortcut, and I think we are done with the NHRP commands. After that is configured, we need to configure the tunnel mode: gre multipoint. Multipoint means that we are going to have multiple connections on that single interface. Okay. And then tunnel protection ipsec profile, and we need to attach a profile; I think I have it, because it’s going to be the same. There we go. I forgot one more: tunnel source. There we go. Now the tunnel is up and ISAKMP is on. Now let’s do router eigrp 10, no auto-summary, network for spoke 4’s loopback and network 192.168.1.0, which forms a neighbor relationship with the hub. There it is; the hub indicates that.

Now if we do show ip nhrp, you can see we have an extra one, which is spoke 4: 192.168.1.4 is the logical IP address of that tunnel, and then we have the NBMA IP address, which is the IP address of spoke 4’s interface. And if we do show ip route, you can see that we have another route, for spoke 4, via the tunnel; you can see right here, Tunnel0. Okay, so we have configured everything the way we wanted. If you do show crypto isakmp sa, you can see that we have three connections, so we have connectivity with them. Now let’s do show ip nhrp; you can see those. Let’s go to spoke 3 and do show ip nhrp. You can see that we only have one tunnel created. But after I ping spoke 2 from spoke 3, I should be able to create another tunnel, which is the spoke-to-spoke tunnel. The tunnel I have right now is hub-to-spoke, as you can see right here. So let’s go ahead and ping spoke 2.

You can see right there. Now if you go to spoke 2 and do show ip nhrp, you can see that we now have three entries. The first one is 192.168.1.2, which is where this network is; so we created a dynamic tunnel, and, actually, this is my bad: this is the local tunnel, for spoke 2 itself, because we are on spoke 2. So the one that we created was this one right here, 192.168.1.3, because we pinged spoke 3. So we have a spoke-to-spoke tunnel right here, and we reach it via spoke 3’s NBMA address. You can see that it is a router next hop and that it was dynamic. This one was static because we manually created the spoke-to-hub mapping. Right? And if we go to spoke 3, we should have something similar. Show ip nhrp. There we go.

We have two dynamically created entries, and then you can see that we have another one, which is the static one to the hub. Then we created another one, a dynamic one with 192.168.1.2, which is spoke 2; it was dynamically created, which means we did not manually create it. And then you can also see another one, which is the unique local one. Okay, let’s try to ping spoke 2 from spoke 4, and that should create another one. You can see right here that we only have one, two, three entries, but now we should have more. Now we have four, and that’s because we created another tunnel with spoke 4. There we go, a dynamic tunnel. Right, good. Now let’s do show crypto isakmp sa. You can see all the connections that we have right here. From spoke 2 we have our own connection, right? Destination, source. Then we have another one with the hub, and you can see all the other ones. Okay. And then if you do show crypto ipsec sa, this one is for phase 2. As you can see, we have everything right here: the local identity and the remote identity of that tunnel. You can see the current peer and port 500; this one is for spoke 4, which we have just created.

And we have only seen one packet there. So let’s ping again and see what happens; oops, let me put that back in there. And if we do show crypto ipsec sa, you can see that we received more packets. And if we ping with repeat 100, you can see over here that we should have more packets being encrypted and decrypted. There we go: now we have 106 because we sent 100 packets, so they were both encrypted and decrypted. You can see that it is working. And if you do debug crypto engine packet, you can see that the packets are being encrypted, and it is running right now because EIGRP keeps sending packets between the routers so they know when a router is down or up. You can see right here, and if you do a ping with repeat 100, you can see that we get a lot more. You can see it right here.

Okay? So if you do undebug all, that’s going to stop the debugging. But we still encrypt and decrypt the packets, because we actually sent 100. Right, another one that you could do is show ip dmvpn, no, show dmvpn; where is that, show dmvpn detail. You can see the detail of the DMVPN communication. You can see that from spoke 4 we actually have two entries to spoke 2: the source, the destination, another destination. You can see the NBMA IP address, you can see the IP address of the tunnel, and you can see the attributes, DT2. And you can see the network that you’re going to reach when you get to this tunnel; and when you go to the same NBMA IP address, to the same tunnel, you can see that this is the way that we reach that interface. Then you can see the static entry between the spoke and the hub: you see the NBMA IP address, you see the IP address of the tunnel, and you can see that it was configured statically. And then we have another one, which is the local one; DLX means that it is the local tunnel. So this is it for this video, guys; I hope it helps you.
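The Phase 3 tunnel configuration this section builds, as an added example that is not configuration captured from the video. It assumes the IKEv1 policy, the wildcard isakmp key, the transform set TSET and the profile DMVPN-PROFILE from the start of this section are already on every router; the interface names, the 192.168.1.0/24 tunnel network, the loopbacks and the 203.0.113.0/24 NBMA addresses are assumptions as well. The two lines that turn this from Phase 1 into Phase 3 are ip nhrp redirect on the hub and ip nhrp shortcut plus mGRE on the spokes.

```text
! Assumed addressing: hub NBMA 203.0.113.1 / tunnel 192.168.1.1 / Lo0 1.1.1.1,
! spoke 2 NBMA 203.0.113.2 / tunnel 192.168.1.2 / Lo0 2.2.2.2; spokes 3 and 4
! differ only in their addresses.
!
! ===== Hub =====
interface Tunnel0
 ip address 192.168.1.1 255.255.255.0
 no ip split-horizon eigrp 10
 ip nhrp network-id 10
 ip nhrp map multicast dynamic
 ! Phase 3: when the hub forwards a packet back out the same tunnel
 ! interface, it sends the originating spoke an NHRP redirect telling it
 ! the other spoke is reachable directly.
 ip nhrp redirect
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-PROFILE
!
router eigrp 10
 no auto-summary
 network 1.1.1.0 0.0.0.255
 network 192.168.1.0 0.0.0.255

! ===== Spoke 2 =====
interface Tunnel0
 ip address 192.168.1.2 255.255.255.0
 ip nhrp network-id 10
 ! One line replaces the separate "ip nhrp map", "ip nhrp map multicast"
 ! and "ip nhrp nhs" commands used in the Phase 1 spoke.
 ip nhrp nhs 192.168.1.1 nbma 203.0.113.1 multicast
 ! Phase 3: on receiving the hub's redirect, resolve the remote spoke and
 ! rewrite the CEF entry so traffic takes the spoke-to-spoke tunnel.
 ip nhrp shortcut
 tunnel source GigabitEthernet0/0
 ! mGRE with no tunnel destination: the spoke can build an IPsec-protected
 ! tunnel to any peer it learns through NHRP, not only to the hub.
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-PROFILE
!
router eigrp 10
 no auto-summary
 network 2.2.2.0 0.0.0.255
 network 192.168.1.0 0.0.0.255
!
! What to expect on a spoke, as in the video:
!  show ip nhrp            - before any spoke-to-spoke traffic: only the
!                            static entry for the hub; after a ping to
!                            another spoke: a dynamic entry for that spoke
!  show crypto isakmp sa   - an IKE SA to the hub plus one per spoke that
!                            was reached directly
!  show dmvpn detail       - Attrb column: S static (hub), D dynamic,
!                            DT2 dynamic with next-hop override (shortcut),
!                            DLX the router's own local entry
```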
