DMVPN Hub and Spoke configuration

Basic configuration of dmvpn on cisco IOS using pre-shared keys

akonkol
July 15, 2013
tunn3l

nhrpPASS

90

4.4.4.4

10.198.1.1

255.255.255.0

10.198.1.0

0.0.0.255

10.198.1.2

255.255.255.0

10.221.0.2

255.255.255.255

conf t
!!!HUB!!!
crypto isakmp policy 100
 authentication pre-share
crypto isakmp key %{tunnel_password}% address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set DMVPN esp-aes 256 esp-sha-hmac
!
crypto ipsec profile DMVPN-PROFILE
 set transform-set DMVPN
 set pfs group2

router eigrp %{eigrp_instance}%
 network %{eigrp_network}% %{eigrp_network_mask}%
 no auto-summary


interface Tunnel2
 description DMVPN TUNNEL
 ip address %{hub_tunnel_ip}% %{hub_tunnel_mask}%
 no ip redirects
 ip mtu 1400
 ip nhrp authentication %{nhrp_password}%
 ip nhrp map multicast dynamic
 ip nhrp network-id %{eigrp_instance}%
 ip nhrp holdtime 180
 ip nhrp registration timeout 60
 ip nhrp shortcut
 ip nhrp redirect
 ip tcp adjust-mss 1360
 no ip split-horizon eigrp %{eigrp_instance}%
 load-interval 30
 qos pre-classify
 cdp enable
 tunnel source GigabitEthernet0/1 !usually outside interface
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-PROFILE


!!!SPOKE!!!
interface lo0
 ip address %{spoke_loopback_ip}% %{spoke_loopback_mask}%

interface Tunnel2
 description DMVPN TUNNEL
 ip address %{spoke_tunnel_ip}% %{spoke_tunnel_mask}%
 no ip redirects
 ip mtu 1400
 ip nhrp authentication %{nhrp_password}%
 ip nhrp map %{hub_tunnel_ip}% %{hub_public_ip}%
 ip nhrp map multicast %{hub_public_ip}%
 ip nhrp network-id %{eigrp_instance}%
 ip nhrp holdtime 180
 ip nhrp nhs %{hub_tunnel_ip}%
 ip nhrp registration timeout 60
 ip nhrp shortcut
 ip tcp adjust-mss 1360
 ip summary-address eigrp %{eigrp_instance}% %{spoke_loopback_ip}% %{spoke_loopback_mask}%
 load-interval 30
 qos pre-classify
 cdp enable
 tunnel source GigabitEthernet0/2
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-PROFILE

router eigrp %{eigrp_instance}%
 network %{eigrp_network}% %{eigrp_network_mask}%
 no auto-summary


crypto isakmp policy 100
 authentication pre-share
crypto isakmp key %{tunnel_password}% address 0.0.0.0
!
!
crypto ipsec transform-set DMVPN esp-aes 256 esp-sha-hmac
!
crypto ipsec profile DMVPN-PROFILE
 set transform-set DMVPN
 set pfs group2