DMVPN is a site-to-site VPN tunneling technology that was developed by Cisco to provide secure connectivity to remote offices. It is able to not only send data across the VPN tunnel, but also voice and video. The biggest advantage of using DMVPN is that in addition to encrypting the data that flows through the tunnel, it supports a full mesh design using a hub-and-spoke architecture. DMVPN is able to support three phases of configuration that allow the administrator to support different use cases. The most basic and simple to configure is Phase 1, which is going to be the main focus of this tutorial.
With DMVPN Phase 1, all spokes (remote sites) will need to send traffic to the hub (HQ site) to forward traffic to other spokes. This setup will make the hub the central point of communication for all sites, including the hub site.
DMVPN is made up of two devices:
Hub: As the main device in the DMVPN tunnel network, the hub allows all the remote spoke devices to connect to one central location to pass traffic, so the spokes can send traffic not only to the hub but to each other.
Spoke: The spoke device is used to connect remote sites together via the hub. If a remote site wants to send data to another remote site, it uses the hub to forward the traffic to the spoke that is connected to the other site.
DMVPN has five main components:
mGRE: The Multipoint Generic Routing Encapsulation (mGRE) interface provides the main connection into the DMVPN tunnel, making the configuration simpler to manage. The mGRE interface carries unicast IP, multicast IP, and non-IP traffic. The router that is configured to use the mGRE interface uses routing to direct traffic into the DMVPN tunnel.
NHRP server: The DMVPN network uses private IPs to forward traffic, but the routers still need a public IP to build the DMVPN tunnel. In order to do this in a dynamic way, Next Hop Resolution Protocol (NHRP) is used to learn the public interface address on each spoke and register it with the NHRP hub. The hub will be considered the server and the spokes the client.
Routing protocols: Enhanced Interior Gateway Routing Protocol (EIGRP), Open Shortest Path First (OSPF), and Border Gateway Protocol (BGP) can be used to advertise the private networks to the hub so that they can be distributed to other spokes.
IPsec: IP Security (IPsec) is the main framework that is used to securely encapsulate the GRE tunnel traffic.
NHRP client: The client registers its public interface IP with the hub as soon as the router boots the operating system. The spoke then queries the NHRP server for a peer's public IP when it needs to build a DMVPN tunnel.
The hub is the central point in the DMVPN network and acts as the concentrator or primary point of contact for all remote spokes to communicate securely. The hub in most cases has a static public IP address, which makes it easy for spoke routers to establish connections with it.
To configure a hub, you will first need an Internet Security Association and Key Management Protocol (ISAKMP) policy:
hub-0#configure terminal
hub-0(config)#crypto isakmp policy 20
hub-0(config-isakmp)#encryption aes 256
hub-0(config-isakmp)#hash sha384
hub-0(config-isakmp)#authentication pre-share
hub-0(config-isakmp)#group 14
hub-0(config-isakmp)#exit
Note: If an ISAKMP policy is not configured, the Cisco IOS devices will assume the default ISAKMP policy.
In order to provide ISAKMP security to keep rogue spokes from entering the DMVPN network, we will need to configure an ISAKMP pre-shared key on the hub, one per spoke public address:
hub-0(config)#crypto isakmp key DmVPNmyKEY! address 13.0.0.1 #spoke-0
hub-0(config)#crypto isakmp key DmVPNmyKEY! address 14.0.0.1 #spoke-1
hub-0(config)#crypto isakmp key DmVPNmyKEY! address 15.0.0.1 #spoke-2
hub-0(config)#crypto isakmp key DmVPNmyKEY! address 16.0.0.1 #spoke-3
In order to protect the traffic while going through the mGRE interface, a transform set needs to be configured and applied to an IPsec profile.
hub-0(config)#crypto ipsec transform-set MyDMVPN-Transform esp-aes 256 esp-sha256-hmac
hub-0(cfg-crypto-trans)#mode transport
hub-0(cfg-crypto-trans)#exit
hub-0(config)#crypto ipsec profile DMVPNmyProfile
hub-0(ipsec-profile)#set transform-set MyDMVPN-Transform
Note: Transport mode is being used instead of tunnel mode, which is the default. Because mGRE already supplies the outer IP header for the tunnel, tunnel mode would only add a second, redundant IP header and 20 more bytes of overhead per packet.
The next step is to configure an mGRE interface, assuming that the hub router already has an interface IP configured that is public-facing.
hub-0(config)#interface Tunnel 0
hub-0(config-if)#tunnel mode gre multipoint
hub-0(config-if)#tunnel key 12345
hub-0(config-if)#tunnel source gigabitEthernet 0/0
hub-0(config-if)#ip address 10.0.0.1 255.255.255.0
On the mGRE interface, NHRP needs to be configured, and because we are configuring the hub, we will need to make NHRP the server.
hub-0(config-if)#ip nhrp network-id 1
hub-0(config-if)#ip nhrp authentication 1234!
hub-0(config-if)#ip nhrp map multicast dynamic
By default, the mGRE interface is going to use GRE encapsulation, which has no encryption. To enable encryption on the mGRE interface, you will need to apply the IPsec profile to the mGRE interface.
hub-0(config-if)#tunnel protection ipsec profile DMVPNmyProfile
GRE and IPsec add a lot of overhead on the IP packet and will introduce fragmentation issues in the tunnel. To avoid this problem, you can adjust the maximum transmission unit (MTU) and maximum segment size (MSS) on the mGRE interface.
hub-0(config-if)#ip mtu 1400
hub-0(config-if)#ip tcp adjust-mss 1360
hub-0(config-if)#end
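The MTU and MSS values above can be checked with a little arithmetic. The following Python script is an added example and not part of the tutorial: it uses the standard IPv4, GRE and ESP header sizes (AES-CBC with a 16-byte IV, HMAC-SHA-256 with the 128-bit truncated ICV, and 4 extra GRE bytes for the configured tunnel key) to reproduce the "plaintext mtu 1458" figure that appears in the show crypto ipsec sa output later in this tutorial, and to show that a 1400-byte inner packet still fits a 1500-byte underlay after GRE and ESP transport encapsulation while a 1500-byte one does not. The 1400, 1360 and 1458 values are the tutorial's; the spoke, configured identically further down, gets the same result.

```python
# Added worked example (not from the tutorial): MTU/MSS arithmetic for GRE over IPsec
# in transport mode. Header sizes are the standard ones for IPv4, GRE, ESP/AES-CBC and
# HMAC-SHA-256 (128-bit ICV); 1400, 1360 and 1458 are the numbers used in the tutorial.
IPV4_HDR = 20
TCP_HDR = 20
GRE_HDR = 4            # base GRE header
GRE_KEY = 4            # extra bytes when 'tunnel key' is configured (K bit set)
ESP_HDR = 8            # SPI + sequence number
ESP_TRAILER = 2        # pad length + next header

CIPHER_BLOCK = {"esp-aes": 16}                          # AES-CBC: IV length = block size = 16
ICV_LEN = {"esp-sha256-hmac": 16, "esp-sha-hmac": 12}   # HMAC-SHA-256-128, HMAC-SHA-1-96


def esp_fixed_overhead(cipher="esp-aes", integrity="esp-sha256-hmac"):
    """Bytes ESP adds in transport mode before block padding: header, IV, trailer, ICV."""
    return ESP_HDR + CIPHER_BLOCK[cipher] + ESP_TRAILER + ICV_LEN[integrity]


def plaintext_mtu(path_mtu=1500, cipher="esp-aes", integrity="esp-sha256-hmac"):
    """Largest packet (IP header included) the SA can protect within the path MTU.

    This is the value IOS reports as 'plaintext mtu' in show crypto ipsec sa."""
    return path_mtu - esp_fixed_overhead(cipher, integrity)


def gre_packet_len(inner_len, keyed=True):
    """Size of the GRE packet built around an inner IP packet: outer IP + GRE (+ key) + inner."""
    return IPV4_HDR + GRE_HDR + (GRE_KEY if keyed else 0) + inner_len


def esp_transport_size(plain_len, cipher="esp-aes", integrity="esp-sha256-hmac"):
    """Wire size after ESP transport mode: the IP header stays, everything after it is encrypted."""
    block = CIPHER_BLOCK[cipher]
    to_encrypt = plain_len - IPV4_HDR + ESP_TRAILER
    padded = -(-to_encrypt // block) * block            # round up to a whole cipher block
    return IPV4_HDR + ESP_HDR + CIPHER_BLOCK[cipher] + padded + ICV_LEN[integrity]


def wire_size(inner_len, keyed=True, **kw):
    """Inner IP packet -> GRE -> ESP transport: the size that has to fit the underlay MTU."""
    return esp_transport_size(gre_packet_len(inner_len, keyed), **kw)


def fits_path(inner_len, path_mtu=1500, **kw):
    """True when the encapsulated packet needs no fragmentation on the underlay."""
    return wire_size(inner_len, **kw) <= path_mtu


def max_inner_mtu(path_mtu=1500, keyed=True, **kw):
    """Largest tunnel 'ip mtu' that never needs underlay fragmentation with this transform set."""
    return plaintext_mtu(path_mtu, **kw) - IPV4_HDR - GRE_HDR - (GRE_KEY if keyed else 0)


def tcp_mss_for(ip_mtu):
    """MSS that keeps a TCP segment plus its IPv4 and TCP headers within the tunnel's ip mtu."""
    return ip_mtu - IPV4_HDR - TCP_HDR


if __name__ == "__main__":
    print("fixed ESP overhead:", esp_fixed_overhead(), "-> plaintext mtu", plaintext_mtu())
    for inner in (1400, max_inner_mtu(), 1500):
        print(f"inner {inner} -> on the wire {wire_size(inner)}, fits 1500: {fits_path(inner)}")
    print("ip mtu 1400 -> ip tcp adjust-mss", tcp_mss_for(1400))
```

The 1360 MSS is simply 1400 minus the 20-byte IPv4 and 20-byte TCP headers, so a clamped TCP session never produces a segment that would have to be fragmented after encapsulation. The script also shows that anything up to 1430 bytes would fit this transform set; the tutorial's 1400 leaves some margin for underlays whose path MTU is below 1500.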
The spoke is the remote end of the site or branch office that needs to communicate with other spokes and with the central hub securely. Each spoke site can have its own private IP network behind it that it manages. Spokes in most cases don't have a static public IP, which can make it challenging to establish direct, point-to-point connectivity when using DMVPN.
To configure a spoke, you will first need an ISAKMP policy:
spoke-0#configure terminal
spoke-0(config)#crypto isakmp policy 20
spoke-0(config-isakmp)#encryption aes 256
spoke-0(config-isakmp)#hash sha384
spoke-0(config-isakmp)#authentication pre-share
spoke-0(config-isakmp)#group 14
spoke-0(config-isakmp)#exit
Each spoke will need to have an ISAKMP key configured that points to the hub.
spoke-0(config)#crypto isakmp key DmVPNmyKEY! address 11.0.0.1
The spokes also will require a transform set and IPsec profile.
spoke-0(config)#crypto ipsec transform-set MyDMVPN-Transform esp-aes 256 esp-sha256-hmac
spoke-0(cfg-crypto-trans)#mode transport
spoke-0(cfg-crypto-trans)#exit
spoke-0(config)#crypto ipsec profile DMVPNmyProfile
spoke-0(ipsec-profile)#set transform-set MyDMVPN-Transform
The next step is to configure a GRE interface, assuming that the spoke router already has a public-facing interface IP configured.
spoke-0(config)#interface Tunnel0
spoke-0(config-if)# tunnel key 12345
spoke-0(config-if)# ip address 10.0.0.x 255.255.255.0 # x = this spoke's tunnel IP (spoke-0 uses 10.0.0.2)
spoke-0(config-if)# tunnel destination 11.0.0.1 # Hub public IP
spoke-0(config-if)# tunnel source GigabitEthernet0/0
On the GRE interface, NHRP needs to be configured, and because we are configuring the spoke, we will need to make NHRP the client. The mapping for the NHRP server will need to be added as well.
spoke-0(config-if)# ip nhrp network-id 1
spoke-0(config-if)# ip nhrp authentication 1234!
spoke-0(config-if)# ip nhrp map 10.0.0.1 11.0.0.1 # hub tunnel (mGRE) IP, hub public IP
spoke-0(config-if)# ip nhrp nhs 10.0.0.1 # mGRE Hub IP.
By default, the GRE interface is going to use GRE encapsulation, which has no encryption. To enable encryption on the GRE interface, you will need to apply the IPsec profile to the interface.
spoke-0(config-if)#tunnel protection ipsec profile DMVPNmyProfile
GRE and IPsec add a lot of overhead on the IP packet and will introduce fragmentation issues in the tunnel. To avoid this problem, you can adjust the MTU and MSS on the GRE interface.
spoke-0(config-if)#ip mtu 1400
spoke-0(config-if)#ip tcp adjust-mss 1360
spoke-0(config-if)#end
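Both the hub and the spoke procedures above hinge on a few lines that are easy to miss and that silently remove protection when omitted: the tunnel protection line (without it the GRE tunnel still comes up and forwards traffic in cleartext), the NHRP authentication string, the tunnel key, and an ISAKMP policy that does not fall back to weak settings. The following Python audit is an added example, not from the tutorial. It parses an IOS running-config excerpt, constructed here to mirror the hub configuration, with the tunnel protection and NHRP authentication lines deliberately left out and a weak second ISAKMP policy and a wildcard pre-shared key added so that the audit has findings to report.

```python
import re

# Constructed running-config excerpt, not copied from the tutorial's routers. It mirrors
# the hub commands in the tutorial, but the 'tunnel protection' and 'ip nhrp
# authentication' lines are deliberately left out, and a weak second ISAKMP policy and a
# wildcard pre-shared key are added so that the audit has findings to report.
SAMPLE_CONFIG = """\
crypto isakmp policy 20
 encr aes 256
 hash sha384
 authentication pre-share
 group 14
crypto isakmp policy 30
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key DmVPNmyKEY! address 13.0.0.1
crypto isakmp key DmVPNmyKEY! address 0.0.0.0
crypto ipsec transform-set MyDMVPN-Transform esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile DMVPNmyProfile
 set transform-set MyDMVPN-Transform
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 ip mtu 1400
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 12345
"""

WEAK_ENCRYPTION = {"des", "3des"}
WEAK_HASH = {"md5", "sha"}          # 'hash sha' is SHA-1 in IOS
MIN_DH_GROUP = 14

# Lines every DMVPN tunnel interface should carry, and what their absence means.
REQUIRED_TUNNEL_LINES = {
    "tunnel protection ipsec profile": "no IPsec profile applied: GRE traffic leaves in cleartext",
    "ip nhrp network-id": "NHRP not enabled on the tunnel",
    "ip nhrp authentication": "NHRP authentication string not set",
    "tunnel key": "no tunnel key: GRE packets are not tied to this tunnel",
}


def parse_stanzas(config):
    """Group an IOS running-config into (top-level line, [indented child lines]) pairs."""
    stanzas = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace():
            if stanzas:
                stanzas[-1][1].append(raw.strip())
        else:
            stanzas.append((raw.strip(), []))
    return stanzas


def audit_isakmp_policy(header, body):
    """Flag a policy whose cipher, hash or DH group is below the tutorial's choices."""
    findings = []
    for line in body:
        m = re.match(r"encr(?:yption)?\s+(\S+)", line)
        if m and m.group(1) in WEAK_ENCRYPTION:
            findings.append(f"{header}: weak encryption '{m.group(1)}'")
        m = re.match(r"hash\s+(\S+)", line)
        if m and m.group(1) in WEAK_HASH:
            findings.append(f"{header}: weak hash '{m.group(1)}'")
        m = re.match(r"group\s+(\d+)", line)
        if m and int(m.group(1)) < MIN_DH_GROUP:
            findings.append(f"{header}: DH group {m.group(1)} is below group {MIN_DH_GROUP}")
    return findings


def audit_dmvpn_config(config):
    """Return a list of human-readable findings; an empty list means nothing to report."""
    findings = []
    for header, body in parse_stanzas(config):
        if header.startswith("crypto isakmp policy"):
            findings += audit_isakmp_policy(header, body)
        elif header.startswith("crypto isakmp key"):
            # Do not echo the header: it contains the pre-shared key itself.
            if re.search(r"\baddress\s+0\.0\.0\.0\b", header):
                findings.append("wildcard pre-shared key (address 0.0.0.0) accepts IKE from any source")
        elif re.match(r"interface Tunnel\d+", header):
            for prefix, meaning in REQUIRED_TUNNEL_LINES.items():
                if not any(line.startswith(prefix) for line in body):
                    findings.append(f"{header}: {meaning}")
    return findings


if __name__ == "__main__":
    for finding in audit_dmvpn_config(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Note that ip nhrp authentication carries its string in cleartext inside NHRP packets, so it only guards against accidentally joining two DMVPN clouds; keeping rogue routers out of the NHRP database is the job of the per-spoke ISAKMP keys and of tunnel protection, which is why a missing tunnel protection line is the finding to fix first.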
Because we are using DMVPN Phase 1, we need to send out the default summary route to the spokes via the hub. If this task is not done, the spokes will only be able to communicate with the hub site's networks inside the DMVPN.
hub-0(config)#interface Tunnel 0
hub-0(config-if)#ip summary-address eigrp 1 0.0.0.0 0.0.0.0
Note: The 1 is the EIGRP Autonomous System (AS) number.
It is very important that your hub and spokes do not already have a default route of their own; otherwise, it will conflict with the summary default and cause routing issues.
The biggest problem with any VPN system is routing, routing, routing! If routing is not working, everything will break, and you will not be able to communicate with your remote spoke sites. For example, if the administrator forgets to configure the ip summary-address eigrp 1 0.0.0.0 0.0.0.0 command on the hub's Tunnel 0 interface, the spoke will only see the hub site's local routes.
spoke-0#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.0.0.0/24 is directly connected, Tunnel0
L 10.0.0.2/32 is directly connected, Tunnel0
11.0.0.0/24 is subnetted, 1 subnets
S 11.0.0.0 [1/0] via 13.0.0.2
13.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 13.0.0.0/24 is directly connected, GigabitEthernet0/0
L 13.0.0.1/32 is directly connected, GigabitEthernet0/0
14.0.0.0/24 is subnetted, 1 subnets
S 14.0.0.0 [1/0] via 13.0.0.2
15.0.0.0/24 is subnetted, 1 subnets
S 15.0.0.0 [1/0] via 13.0.0.2
16.0.0.0/24 is subnetted, 1 subnets
S 16.0.0.0 [1/0] via 13.0.0.2
172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
D 172.16.1.0/24 [90/26880256] via 10.0.0.1, 00:00:13, Tunnel0
C 172.16.2.0/24 is directly connected, GigabitEthernet0/1
L 172.16.2.1/32 is directly connected, GigabitEthernet0/1
Notice the entry D 172.16.1.0/24 [90/26880256] via 10.0.0.1, 00:00:13, Tunnel0. This is a local network on the hub site, but there are no routes for the other spoke sites' local networks.
When we try to ping, we get no communication to other spoke local networks.
# Hub Local Network
spoke-0#ping 172.16.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/7/12 ms
# Spoke-0 Local Network
spoke-0#ping 172.16.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
# Spoke-1 Local Network
spoke-0#ping 172.16.3.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.3.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
# Spoke-2 Local Network
spoke-0#ping 172.16.4.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.4.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
# Spoke-3 Local Network
spoke-0#ping 172.16.5.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.5.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
After configuring ip summary-address eigrp 1 0.0.0.0 0.0.0.0 on the mGRE interface of the hub, the spokes will get the summary default route inserted into their routing tables, and so will the hub.
hub-0(config)#interface Tunnel 0
hub-0(config-if)#ip summary-address eigrp 1 0.0.0.0 0.0.0.0
*Sep 26 16:38:39.557: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.0.0.5 (Tunnel0) is resync: summary configured
*Sep 26 16:38:39.558: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.0.0.4 (Tunnel0) is resync: summary configured
*Sep 26 16:38:39.558: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.0.0.3 (Tunnel0) is resync: summary configured
*Sep 26 16:38:39.559: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.0.0.2 (Tunnel0) is resync: summary configured
spoke-0#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
Gateway of last resort is 10.0.0.1 to network 0.0.0.0
D* 0.0.0.0/0 [90/26880256] via 10.0.0.1, 00:01:25, Tunnel0
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.0.0.0/24 is directly connected, Tunnel0
L 10.0.0.2/32 is directly connected, Tunnel0
11.0.0.0/24 is subnetted, 1 subnets
S 11.0.0.0 [1/0] via 13.0.0.2
13.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 13.0.0.0/24 is directly connected, GigabitEthernet0/0
L 13.0.0.1/32 is directly connected, GigabitEthernet0/0
14.0.0.0/24 is subnetted, 1 subnets
S 14.0.0.0 [1/0] via 13.0.0.2
15.0.0.0/24 is subnetted, 1 subnets
S 15.0.0.0 [1/0] via 13.0.0.2
16.0.0.0/24 is subnetted, 1 subnets
S 16.0.0.0 [1/0] via 13.0.0.2
172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.16.2.0/24 is directly connected, GigabitEthernet0/1
L 172.16.2.1/32 is directly connected, GigabitEthernet0/1
Notice Gateway of last resort is 10.0.0.1 to network 0.0.0.0 and D* 0.0.0.0/0 [90/26880256] via 10.0.0.1, 00:01:25, Tunnel0 in the spoke routing table. Now if you try to ping the other spoke local networks, it should work.
spoke-0#ping 172.16.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 14/16/19 ms
spoke-0#ping 172.16.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/3 ms
spoke-0#ping 172.16.3.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.3.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 30/31/35 ms
spoke-0#ping 172.16.4.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.4.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 26/27/30 ms
spoke-0#ping 172.16.5.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.5.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 18/20/24 ms
Another way to do this is to configure no ip split-horizon eigrp 1 on the mGRE interface of the hub. The main difference is that instead of a summary default route, the hub will send all the routes for each of the spokes.
hub-0(config)#interface Tunnel 0
hub-0(config-if)#no ip summary-address eigrp 1 0.0.0.0 0.0.0.0 # Remove Summary command
hub-0(config-if)#no ip split-horizon eigrp 1
spoke-0#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.0.0.0/24 is directly connected, Tunnel0
L 10.0.0.2/32 is directly connected, Tunnel0
11.0.0.0/24 is subnetted, 1 subnets
S 11.0.0.0 [1/0] via 13.0.0.2
13.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 13.0.0.0/24 is directly connected, GigabitEthernet0/0
L 13.0.0.1/32 is directly connected, GigabitEthernet0/0
14.0.0.0/24 is subnetted, 1 subnets
S 14.0.0.0 [1/0] via 13.0.0.2
15.0.0.0/24 is subnetted, 1 subnets
S 15.0.0.0 [1/0] via 13.0.0.2
16.0.0.0/24 is subnetted, 1 subnets
S 16.0.0.0 [1/0] via 13.0.0.2
172.16.0.0/16 is variably subnetted, 6 subnets, 2 masks
D 172.16.1.0/24 [90/26880256] via 10.0.0.1, 00:01:13, Tunnel0
C 172.16.2.0/24 is directly connected, GigabitEthernet0/1
L 172.16.2.1/32 is directly connected, GigabitEthernet0/1
D 172.16.3.0/24 [90/28160256] via 10.0.0.1, 00:00:29, Tunnel0
D 172.16.4.0/24 [90/28160256] via 10.0.0.1, 00:00:29, Tunnel0
D 172.16.5.0/24 [90/28160256] via 10.0.0.1, 00:00:29, Tunnel0
From a route summary point of view, the ip summary-address eigrp 1 0.0.0.0 0.0.0.0 command has a lot of advantages when it comes to reducing the number of routes sent to the spokes. But if you wish to do more traffic engineering at the spoke level, the no ip split-horizon eigrp 1 command opens up this possibility.
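To make the difference between the three spoke routing tables above concrete, here is an added Python example (not from the tutorial) that parses show ip route output and performs a longest-prefix lookup, the same decision the spoke's forwarding table makes. The three inputs are trimmed copies of the spoke-0 tables shown above: before the summary, with the summary default route, and with split horizon disabled on the hub. The lookup shows that 172.16.3.2 (in the spoke-1 local network) has no matching route in the first table, matches the 0.0.0.0/0 default via the hub in the second, and matches a specific EIGRP route via the hub in the third.

```python
import ipaddress
import re

# Trimmed copies of the three spoke-0 'show ip route' tables shown in the tutorial.
BEFORE_SUMMARY = """\
Gateway of last resort is not set
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.0.0.0/24 is directly connected, Tunnel0
L        10.0.0.2/32 is directly connected, Tunnel0
      11.0.0.0/24 is subnetted, 1 subnets
S        11.0.0.0 [1/0] via 13.0.0.2
      172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
D        172.16.1.0/24 [90/26880256] via 10.0.0.1, 00:00:13, Tunnel0
C        172.16.2.0/24 is directly connected, GigabitEthernet0/1
L        172.16.2.1/32 is directly connected, GigabitEthernet0/1
"""

WITH_SUMMARY = """\
Gateway of last resort is 10.0.0.1 to network 0.0.0.0
D*    0.0.0.0/0 [90/26880256] via 10.0.0.1, 00:01:25, Tunnel0
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.0.0.0/24 is directly connected, Tunnel0
L        10.0.0.2/32 is directly connected, Tunnel0
      172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.16.2.0/24 is directly connected, GigabitEthernet0/1
L        172.16.2.1/32 is directly connected, GigabitEthernet0/1
"""

NO_SPLIT_HORIZON = """\
Gateway of last resort is not set
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.0.0.0/24 is directly connected, Tunnel0
L        10.0.0.2/32 is directly connected, Tunnel0
      172.16.0.0/16 is variably subnetted, 6 subnets, 2 masks
D        172.16.1.0/24 [90/26880256] via 10.0.0.1, 00:01:13, Tunnel0
C        172.16.2.0/24 is directly connected, GigabitEthernet0/1
L        172.16.2.1/32 is directly connected, GigabitEthernet0/1
D        172.16.3.0/24 [90/28160256] via 10.0.0.1, 00:00:29, Tunnel0
D        172.16.4.0/24 [90/28160256] via 10.0.0.1, 00:00:29, Tunnel0
D        172.16.5.0/24 [90/28160256] via 10.0.0.1, 00:00:29, Tunnel0
"""

# A route line: code (e.g. C, L, S, D, D*), prefix with optional mask, then either
# "[AD/metric] via next-hop" or "is directly connected".
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z][A-Z0-9]?\*?)\s+(?P<net>\d+\.\d+\.\d+\.\d+)(?:/(?P<plen>\d+))?\s+"
    r"(?:\[\d+/\d+\]\s+via\s+(?P<nh>\d+\.\d+\.\d+\.\d+)|is directly connected)")
# A parent line such as "11.0.0.0/24 is subnetted"; child routes without a mask inherit it.
PARENT_RE = re.compile(r"^(?P<net>\d+\.\d+\.\d+\.\d+)/(?P<plen>\d+) is (?:variably )?subnetted")


def parse_routes(show_ip_route):
    """Return a list of (network, code, next_hop-or-None) from 'show ip route' text."""
    routes = []
    parent_plen = None
    for line in show_ip_route.splitlines():
        line = line.strip()
        parent = PARENT_RE.match(line)
        if parent:
            parent_plen = int(parent.group("plen"))
            continue
        m = ROUTE_RE.match(line)
        if not m:
            continue
        plen = m.group("plen") or parent_plen
        if plen is None:
            continue
        net = ipaddress.ip_network(f"{m.group('net')}/{plen}", strict=False)
        routes.append((net, m.group("code"), m.group("nh")))
    return routes


def lookup(routes, dest):
    """Longest-prefix match, as the forwarding table does; None if nothing covers dest."""
    addr = ipaddress.ip_address(dest)
    covering = [r for r in routes if addr in r[0]]
    return max(covering, key=lambda r: r[0].prefixlen) if covering else None


def reachability(show_ip_route, targets):
    """For each target host, the matched prefix and next hop, or None when the spoke has no route."""
    routes = parse_routes(show_ip_route)
    result = {}
    for target in targets:
        r = lookup(routes, target)
        result[target] = f"{r[0]} via {r[2] or 'connected'}" if r else None
    return result


if __name__ == "__main__":
    targets = ["172.16.1.2", "172.16.2.2", "172.16.3.2", "172.16.5.2"]
    for name, table in (("before summary", BEFORE_SUMMARY), ("with summary", WITH_SUMMARY),
                        ("no split horizon", NO_SPLIT_HORIZON)):
        print(name, reachability(table, targets))
```

One design consequence worth seeing in the output: with the summary default every destination matches 0.0.0.0/0, so the spoke cannot tell from its own table whether a remote spoke network actually exists and a failed ping has to be diagnosed on the hub; with split horizon disabled the spoke carries one prefix per remote site, which is the per-route visibility the tutorial refers to as traffic engineering at the spoke level.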
Once DMVPN Phase 1 is configured, a basic check needs to be done. For example, verify ISAKMP from the hub and the spoke sides.
hub-0#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
11.0.0.1 15.0.0.1 QM_IDLE 1021 ACTIVE
11.0.0.1 14.0.0.1 QM_IDLE 1022 ACTIVE
11.0.0.1 13.0.0.1 QM_IDLE 1023 ACTIVE
11.0.0.1 16.0.0.1 QM_IDLE 1020 ACTIVE
IPv6 Crypto ISAKMP SA
hub-0#
As you can see, the hub ISAKMP connects to all the spokes via their public IPs.
spoke-0# show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
11.0.0.1 13.0.0.1 QM_IDLE 1005 ACTIVE
IPv6 Crypto ISAKMP SA
spoke-0#
However, the spokes only have connections to the hub and not to other spokes.
hub-0#show crypto ipsec sa
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 11.0.0.1
protected vrf: (none)
local ident (addr/mask/prot/port): (11.0.0.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (13.0.0.1/255.255.255.255/47/0)
current_peer 13.0.0.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 352, #pkts encrypt: 352, #pkts digest: 352
#pkts decaps: 350, #pkts decrypt: 350, #pkts verify: 350
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 11.0.0.1, remote crypto endpt.: 13.0.0.1
plaintext mtu 1458, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0xFEB75036(4273426486)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xD95D4894(3646769300)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Transport, }
conn id: 73, flow_id: SW:73, sibling_flags 80000000, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4321828/2051)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xFEB75036(4273426486)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Transport, }
conn id: 74, flow_id: SW:74, sibling_flags 80000000, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4321828/2051)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (11.0.0.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (14.0.0.1/255.255.255.255/47/0)
current_peer 14.0.0.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 355, #pkts encrypt: 355, #pkts digest: 355
#pkts decaps: 356, #pkts decrypt: 356, #pkts verify: 356
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 11.0.0.1, remote crypto endpt.: 14.0.0.1
plaintext mtu 1458, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x7D7A1545(2105152837)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x52305233(1378898483)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Transport, }
conn id: 69, flow_id: SW:69, sibling_flags 80000000, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4608000/2047)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0x42FE85D6(1123976662)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Transport, }
conn id: 71, flow_id: SW:71, sibling_flags 80004000, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4247095/2047)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xBCD9A26D(3168379501)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Transport, }
conn id: 70, flow_id: SW:70, sibling_flags 80000000, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4608000/2047)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0x7D7A1545(2105152837)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Transport, }
conn id: 72, flow_id: SW:72, sibling_flags 80004000, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4247095/2047)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (11.0.0.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (15.0.0.1/255.255.255.255/47/0)
current_peer 15.0.0.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 368, #pkts encrypt: 368, #pkts digest: 368
#pkts decaps: 373, #pkts decrypt: 373, #pkts verify: 373
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 11.0.0.1, remote crypto endpt.: 15.0.0.1
plaintext mtu 1458, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x1576FCC3(360119491)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xA61BB880(2786834560)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Transport, }
conn id: 67, flow_id: SW:67, sibling_flags 80004000, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4184177/2017)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x1576FCC3(360119491)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Transport, }
conn id: 68, flow_id: SW:68, sibling_flags 80004000, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4184177/2017)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (11.0.0.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (16.0.0.1/255.255.255.255/47/0)
current_peer 16.0.0.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 368, #pkts encrypt: 368, #pkts digest: 368
#pkts decaps: 368, #pkts decrypt: 368, #pkts verify: 368
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 11.0.0.1, remote crypto endpt.: 16.0.0.1
plaintext mtu 1458, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x8F325EE4(2402442980)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xC961C452(3378627666)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Transport, }
conn id: 61, flow_id: SW:61, sibling_flags 80000000, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4608000/2015)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0x69C3AB3(110901939)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Transport, }
conn id: 63, flow_id: SW:63, sibling_flags 80004000, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4179912/2015)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xA766E5A4(2808538532)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Transport, }
conn id: 62, flow_id: SW:62, sibling_flags 80000000, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4608000/2015)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0x8F325EE4(2402442980)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Transport, }
conn id: 64, flow_id: SW:64, sibling_flags 80004000, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4179911/2015)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
hub-0#
As you can see from the above output, you will get a view from all the spokes connected to the hub, how many packets are being encrypted, and the security parameter index (SPI) database information for each spoke.
spoke-0#show crypto ipsec sa
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 13.0.0.1
protected vrf: (none)
local ident (addr/mask/prot/port): (13.0.0.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (11.0.0.1/255.255.255.255/47/0)
current_peer 11.0.0.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 2180, #pkts encrypt: 2180, #pkts digest: 2180
#pkts decaps: 2168, #pkts decrypt: 2168, #pkts verify: 2168
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 13.0.0.1, remote crypto endpt.: 11.0.0.1
plaintext mtu 1458, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0xD95D4894(3646769300)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xFEB75036(4273426486)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Transport, }
conn id: 15, flow_id: SW:15, sibling_flags 80004000, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4263930/1978)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xD95D4894(3646769300)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Transport, }
conn id: 16, flow_id: SW:16, sibling_flags 80004000, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4263931/1978)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
spoke-0#
From the spoke point of view, it only sees information from the hub and not from other spokes.
hub-0#show dmvpn detail
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
T1 - Route Installed, T2 - Nexthop-override
C - CTS Capable, I2 - Temporary
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface Tunnel0 is up/up, Addr. is 10.0.0.1, VRF ""
Tunnel Src./Dest. addr: 11.0.0.1/Multipoint, Tunnel VRF ""
Protocol/Transport: "multi-GRE/IP", Protect "DMVPNmyProfile"
Interface State Control: Disabled
nhrp event-publisher : Disabled
Type:Hub, Total NBMA Peers (v4/v6): 4
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb Target Network
----- --------------- --------------- ----- -------- ----- -----------------
1 13.0.0.1 10.0.0.2 UP 00:22:57 D 10.0.0.2/32
1 14.0.0.1 10.0.0.3 UP 00:23:01 D 10.0.0.3/32
1 15.0.0.1 10.0.0.4 UP 00:23:31 D 10.0.0.4/32
1 16.0.0.1 10.0.0.5 UP 00:23:33 D 10.0.0.5/32
Crypto Session Details:
--------------------------------------------------------------------------------
Interface: Tunnel0
Session: [0x111FD390]
Session ID: 0
IKEv1 SA: local 11.0.0.1/500 remote 13.0.0.1/500 Active
Capabilities:(none) connid:1023 lifetime:23:37:02
Crypto Session Status: UP-ACTIVE
fvrf: (none), Phase1_id: 13.0.0.1
IPSEC FLOW: permit 47 host 11.0.0.1 host 13.0.0.1
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 313 drop 0 life (KB/Sec) 4321833/2222
Outbound: #pkts enc'ed 314 drop 0 life (KB/Sec) 4321833/2222
Outbound SPI : 0xFEB75036, transform : esp-256-aes esp-sha256-hmac
Socket State: Open
Interface: Tunnel0
Session: [0x111FD488]
Session ID: 0
IKEv1 SA: local 11.0.0.1/500 remote 14.0.0.1/500 Active
Capabilities:(none) connid:1022 lifetime:23:36:58
Crypto Session Status: UP-ACTIVE
fvrf: (none), Phase1_id: 14.0.0.1
IPSEC FLOW: permit 47 host 11.0.0.1 host 14.0.0.1
Active SAs: 4, origin: crypto map
Inbound: #pkts dec'ed 318 drop 0 life (KB/Sec) 4247101/2218
Outbound: #pkts enc'ed 317 drop 0 life (KB/Sec) 4247100/2218
Outbound SPI : 0x7D7A1545, transform : esp-256-aes esp-sha256-hmac
Socket State: Open
Interface: Tunnel0
Session: [0x111FD678]
Session ID: 0
IKEv1 SA: local 11.0.0.1/500 remote 15.0.0.1/500 Active
Capabilities:(none) connid:1021 lifetime:23:36:28
Crypto Session Status: UP-ACTIVE
fvrf: (none), Phase1_id: 15.0.0.1
IPSEC FLOW: permit 47 host 11.0.0.1 host 15.0.0.1
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 335 drop 0 life (KB/Sec) 4184182/2188
Outbound: #pkts enc'ed 331 drop 0 life (KB/Sec) 4184182/2188
Outbound SPI : 0x1576FCC3, transform : esp-256-aes esp-sha256-hmac
Socket State: Open
Interface: Tunnel0
Session: [0x111FD580]
Session ID: 0
IKEv1 SA: local 11.0.0.1/500 remote 16.0.0.1/500 Active
Capabilities:(none) connid:1020 lifetime:23:36:26
Crypto Session Status: UP-ACTIVE
fvrf: (none), Phase1_id: 16.0.0.1
IPSEC FLOW: permit 47 host 11.0.0.1 host 16.0.0.1
Active SAs: 4, origin: crypto map
Inbound: #pkts dec'ed 331 drop 0 life (KB/Sec) 4179917/2186
Outbound: #pkts enc'ed 331 drop 0 life (KB/Sec) 4179916/2186
Outbound SPI : 0x8F325EE4, transform : esp-256-aes esp-sha256-hmac
Socket State: Open
Pending DMVPN Sessions:
hub-0#
The show dmvpn detail command gives you a summary of everything except ISAKMP information. In addition, it will give you nonbroadcast multiaccess (NBMA) peer information, which is made possible via NHRP.
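The checks in this section can be automated. The Python below is an added example, not from the tutorial: it parses the hub's show crypto isakmp sa table and the NBMA peer table from show dmvpn detail (both copied from the output above), confirms that every expected spoke public address has an ACTIVE ISAKMP SA in QM_IDLE and an UP NHRP registration, and flags any NBMA peer that is not in the expected list, which is how a router that registered with a copied pre-shared key would show up. The expected spoke list is constructed to match the crypto isakmp key lines in the hub configuration.

```python
import re

# Copied from the tutorial's hub-0 'show crypto isakmp sa' output.
ISAKMP_SA_OUTPUT = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
11.0.0.1        15.0.0.1        QM_IDLE           1021 ACTIVE
11.0.0.1        14.0.0.1        QM_IDLE           1022 ACTIVE
11.0.0.1        13.0.0.1        QM_IDLE           1023 ACTIVE
11.0.0.1        16.0.0.1        QM_IDLE           1020 ACTIVE

IPv6 Crypto ISAKMP SA
"""

# The NBMA peer table from the tutorial's hub-0 'show dmvpn detail' output.
DMVPN_PEER_TABLE = """\
Type:Hub, Total NBMA Peers (v4/v6): 4
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network
 ----- --------------- --------------- ----- -------- ----- -----------------
     1 13.0.0.1             10.0.0.2    UP 00:22:57     D        10.0.0.2/32
     1 14.0.0.1             10.0.0.3    UP 00:23:01     D        10.0.0.3/32
     1 15.0.0.1             10.0.0.4    UP 00:23:31     D        10.0.0.4/32
     1 16.0.0.1             10.0.0.5    UP 00:23:33     D        10.0.0.5/32
"""

# Constructed: the spoke public addresses this hub is supposed to serve (the same
# addresses as the 'crypto isakmp key ... address' lines in the tutorial's hub config).
EXPECTED_SPOKES = {"13.0.0.1", "14.0.0.1", "15.0.0.1", "16.0.0.1"}

IP = r"\d+\.\d+\.\d+\.\d+"
ISAKMP_RE = re.compile(
    rf"^\s*(?P<dst>{IP})\s+(?P<src>{IP})\s+(?P<state>\S+)\s+(?P<conn>\d+)\s+(?P<status>\S+)")
PEER_RE = re.compile(
    rf"^\s*\d+\s+(?P<nbma>{IP})\s+(?P<tunnel>{IP})\s+(?P<state>\S+)\s+(?P<updn>\S+)\s+(?P<attrb>\S+)")


def parse_isakmp_sa(text):
    """Map each IKE peer address (the 'src' column on a hub) to (state, status)."""
    sas = {}
    for line in text.splitlines():
        m = ISAKMP_RE.match(line)
        if m:
            sas[m.group("src")] = (m.group("state"), m.group("status"))
    return sas


def parse_dmvpn_peers(text):
    """Map each NBMA (public) peer address to (tunnel address, state, attribute)."""
    peers = {}
    for line in text.splitlines():
        m = PEER_RE.match(line)
        if m:
            peers[m.group("nbma")] = (m.group("tunnel"), m.group("state"), m.group("attrb"))
    return peers


def check_hub(expected, isakmp_text, dmvpn_text):
    """Return a list of problems; empty means every expected spoke is up and nothing unexpected registered."""
    sas = parse_isakmp_sa(isakmp_text)
    peers = parse_dmvpn_peers(dmvpn_text)
    problems = []
    for spoke in sorted(expected):
        state, status = sas.get(spoke, (None, None))
        if status != "ACTIVE" or state != "QM_IDLE":
            problems.append(f"{spoke}: no established ISAKMP SA (state={state}, status={status})")
        peer = peers.get(spoke)
        if peer is None or peer[1] != "UP":
            problems.append(f"{spoke}: NHRP registration missing or not UP")
    # Anything the hub is talking to that is not on the expected list deserves a look.
    for nbma in sorted(set(sas) | set(peers)):
        if nbma not in expected:
            problems.append(f"{nbma}: peer not in the expected spoke list; investigate")
    return problems


if __name__ == "__main__":
    for problem in check_hub(EXPECTED_SPOKES, ISAKMP_SA_OUTPUT, DMVPN_PEER_TABLE) or ["all expected spokes up"]:
        print(problem)
```

Run periodically against live output, the unexpected-peer branch is the one that matters for security: the ISAKMP and NHRP tables only show who is connected, and only a comparison against the intended spoke list turns that into a detection.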