In this tutorial, you will learn how to configure Phase 3 Dynamic Multipoint VPN (DMVPN), which allows many sites to send data directly to each other between the spokes instead of relaying everything through the hub. Phase 3 makes this possible with Next Hop Resolution Protocol (NHRP) redirect and shortcut messages: the hub points a spoke at a better path, and the spoke then resolves the destination and builds a direct tunnel, rather than each spoke querying the hub up front as it does in Phase 2.

What You’ll Learn

What You’ll Need

DMVPN is a site-to-site VPN tunneling technology developed by Cisco to provide secure connectivity to remote offices. It carries not only data across the VPN tunnel but also voice and video. Its biggest advantage is that, in addition to encrypting the traffic that flows through the tunnels, it builds spoke-to-spoke tunnels on demand, so the data plane becomes a full mesh while the control plane (NHRP registration and routing) stays hub-and-spoke. DMVPN supports three configuration phases that let the administrator cover different use cases.

With DMVPN Phase 3, all spokes (remote sites) can send data directly to each other instead of using the hub as a central point of distribution.

In DMVPN Phase 2, a spoke sends an NHRP resolution request to the hub asking for the public (NBMA) IP address of the spoke it is trying to reach, and the hub answers with an NHRP resolution reply. The hub can answer because every spoke registers with it when its tunnel comes up and shares its tunnel-to-public address mapping; the hub keeps these mappings in its NHRP cache.

With DMVPN Phase 3, the hub and spokes still use NHRP, but the source spoke does not query the hub first. It simply follows its routing table, which points at the hub, and sends the first packets to the hub for delivery to the destination spoke. Because that traffic enters and leaves the hub on the same mGRE interface, the hub sends an NHRP redirect (a traffic indication message) back to the source spoke telling it that a more direct path exists. The source spoke then sends an NHRP resolution request for the destination, receives the destination spoke's public address, and installs a shortcut so that subsequent traffic bypasses the hub and goes directly to the destination spoke, reducing the load on the hub.
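The exchange described above, as an added example that is not part of the original tutorial and is not Cisco code: a small Python model of the Phase 3 control plane. It only simulates the messages (registration, data via the hub, redirect, resolution request and reply) and the resulting NHRP cache entries; there is no GRE, IPsec or EIGRP in it. The addresses follow the tutorial's lab (hub 10.0.0.1 / 11.0.0.1, spoke-0 10.0.0.2 / 13.0.0.1, spoke-1 10.0.0.3 / 14.0.0.1); the class and method names are this example's own. Running it with shortcut switching disabled on the spokes shows why ip nhrp shortcut is required: the hub keeps sending redirects, and the spokes keep ignoring them.

```python
"""Walk-through of the DMVPN Phase 3 redirect/shortcut exchange.

Added example, not code from this tutorial or from Cisco. It models the
control-plane messages only: no GRE, IPsec or EIGRP, and "packets" are plain
method calls. Addresses follow the tutorial's lab (hub 10.0.0.1 / 11.0.0.1,
spoke-0 10.0.0.2 / 13.0.0.1, spoke-1 10.0.0.3 / 14.0.0.1); every class and
method name is this example's own.
"""


class Hub:
    """Next hop server (NHS) with 'ip nhrp redirect' on its mGRE interface."""

    def __init__(self, tunnel_ip, nbma_ip):
        self.tunnel_ip, self.nbma_ip = tunnel_ip, nbma_ip
        self.nhrp_cache = {}  # spoke tunnel IP -> public (NBMA) IP, from registrations
        self.spokes = {}      # spoke tunnel IP -> Spoke object (simulation plumbing only)
        self.routes = {}      # LAN prefix -> owning spoke tunnel IP (what EIGRP provides)
        self.log = []         # NHRP messages seen by the hub, in order

    def register(self, spoke):
        """NHRP registration request: the spoke reports its tunnel->NBMA mapping."""
        self.nhrp_cache[spoke.tunnel_ip] = spoke.nbma_ip
        self.spokes[spoke.tunnel_ip] = spoke
        self.routes[spoke.lan] = spoke.tunnel_ip
        self.log.append(f"REGISTRATION {spoke.tunnel_ip} -> {spoke.nbma_ip}")

    def forward(self, src, dst_lan):
        """A data packet from src arrives on Tunnel0 and must leave on Tunnel0."""
        owner = self.spokes[self.routes[dst_lan]]
        self.log.append(f"DATA {src.tunnel_ip} -> {dst_lan} relayed to {owner.nbma_ip}")
        # Ingress interface == egress interface and redirect is on:
        # send an NHRP traffic indication (redirect) back to the source spoke.
        self.log.append(f"REDIRECT to {src.tunnel_ip} for {dst_lan}")
        src.on_redirect(dst_lan)
        return owner.nbma_ip

    def resolve(self, requester, dst_lan):
        """Forward an NHRP resolution request to the spoke that owns dst_lan."""
        owner = self.spokes[self.routes[dst_lan]]
        self.log.append(f"RESOLUTION-REQUEST from {requester.tunnel_ip} for {dst_lan} "
                        f"forwarded to {owner.tunnel_ip}")
        return owner.on_resolution_request(requester)


class Spoke:
    """Next hop client: default route via the hub, optional 'ip nhrp shortcut'."""

    def __init__(self, name, tunnel_ip, nbma_ip, lan, hub, shortcut=True):
        self.name, self.tunnel_ip, self.nbma_ip, self.lan = name, tunnel_ip, nbma_ip, lan
        self.hub, self.shortcut = hub, shortcut
        self.nhrp_cache = {}  # LAN prefix -> (next-hop tunnel IP, NBMA IP): the 'H' routes
        hub.register(self)

    def send(self, dst_lan):
        """Return the public addresses a packet to dst_lan is sent to, in order."""
        if dst_lan in self.nhrp_cache:
            return [self.nhrp_cache[dst_lan][1]]  # shortcut: straight to the other spoke
        # Only the default route is known: hand the packet to the hub.
        return [self.hub.nbma_ip, self.hub.forward(self, dst_lan)]

    def on_redirect(self, dst_lan):
        """NHRP traffic indication from the hub; ignored without 'ip nhrp shortcut'."""
        if not self.shortcut:
            return
        next_hop, nbma = self.hub.resolve(self, dst_lan)
        self.nhrp_cache[dst_lan] = (next_hop, nbma)

    def on_resolution_request(self, requester):
        """Reply directly to the requester and cache its mapping, so return
        traffic towards the requester's LAN is direct as well."""
        self.nhrp_cache[requester.lan] = (requester.tunnel_ip, requester.nbma_ip)
        return self.tunnel_ip, self.nbma_ip


def demo(shortcut_on_spokes=True):
    """Send spoke-0 -> spoke-1 twice, then spoke-1 -> spoke-0 once.

    Returns (path of packet 1, path of packet 2, path of the return packet, hub log)."""
    hub = Hub("10.0.0.1", "11.0.0.1")
    s0 = Spoke("spoke-0", "10.0.0.2", "13.0.0.1", "172.16.2.0/24", hub, shortcut_on_spokes)
    s1 = Spoke("spoke-1", "10.0.0.3", "14.0.0.1", "172.16.3.0/24", hub, shortcut_on_spokes)
    first = s0.send("172.16.3.0/24")
    second = s0.send("172.16.3.0/24")
    back = s1.send("172.16.2.0/24")
    return first, second, back, hub.log


if __name__ == "__main__":
    for shortcut in (True, False):
        first, second, back, log = demo(shortcut)
        print(f"ip nhrp shortcut on spokes: {shortcut}")
        print("  packet 1:", " -> ".join(first))
        print("  packet 2:", " -> ".join(second))
        print("  return  :", " -> ".join(back))
```

With shortcuts enabled, only the very first packet in each direction touches the hub; the replying spoke also learns the requester's mapping from the resolution request, which is why the return traffic is direct without a second redirect.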


DMVPN is made up of two kinds of device: the hub and the spokes.

DMVPN has five main components: multipoint GRE (mGRE) tunnel interfaces, NHRP, IPsec, a dynamic routing protocol (EIGRP in this tutorial), and Cisco Express Forwarding (CEF), which carries the NHRP shortcuts.

The hub is the central point in the DMVPN network and acts as the concentrator, the primary point of contact that all remote spokes register with and communicate through securely. The hub in most cases has a static public IP address so that spoke routers can reliably establish connections to it.

To configure a hub, you will first need an Internet Security Association and Key Management Protocol (ISAKMP) policy:

hub-0#configure terminal
hub-0(config)#crypto isakmp policy 20
hub-0(config-isakmp)#encryption aes 256
hub-0(config-isakmp)#hash sha384
hub-0(config-isakmp)#authentication pre-share
hub-0(config-isakmp)#group 14
hub-0(config-isakmp)#exit

Note: If no ISAKMP policy is configured, Cisco IOS falls back to its built-in default policies, which are weaker than the one above (older hash and Diffie-Hellman group settings). Always configure an explicit policy and confirm it with show crypto isakmp policy.

To keep rogue spokes out of the DMVPN network, the hub needs an ISAKMP pre-shared key for each spoke, bound to that spoke's public IP address (13.0.0.1 is spoke-0, 14.0.0.1 spoke-1, 15.0.0.1 spoke-2 and 16.0.0.1 spoke-3). Note that every spoke here shares the same key: if one spoke router is compromised, its key lets the attacker impersonate any other spoke, so in production use a different key per peer or, better, certificate authentication (authentication rsa-sig). Spokes with dynamic public addresses cannot be bound to an address at all and would need a wildcard key (address 0.0.0.0 0.0.0.0), which is another reason to prefer certificates outside the lab.

hub-0(config)#crypto isakmp key DmVPNmyKEY! address 13.0.0.1
hub-0(config)#crypto isakmp key DmVPNmyKEY! address 14.0.0.1
hub-0(config)#crypto isakmp key DmVPNmyKEY! address 15.0.0.1
hub-0(config)#crypto isakmp key DmVPNmyKEY! address 16.0.0.1

In order to protect the traffic while going through the mGRE interface, a transform set needs to be configured and applied to an IPsec profile:

hub-0(config)#crypto ipsec transform-set MyDMVPN-Transform esp-aes 256 esp-sha256-hmac
hub-0(cfg-crypto-trans)#mode transport
hub-0(cfg-crypto-trans)#exit
hub-0(config)#crypto ipsec profile DMVPNmyProfile
hub-0(ipsec-profile)#set transform-set MyDMVPN-Transform

Note: Transport mode is used instead of the default tunnel mode. GRE already encapsulates the original packet, so IPsec only has to protect the GRE packet between the two tunnel endpoints; transport mode does that without adding a second IP header, which saves 20 bytes of overhead on every packet.

The next step is to configure an mGRE interface, assuming that the hub router already has an interface IP configured that is public-facing.

hub-0(config)#interface Tunnel 0
hub-0(config-if)#tunnel mode gre multipoint
hub-0(config-if)#tunnel key 12345
hub-0(config-if)#tunnel source gigabitEthernet 0/0
hub-0(config-if)#ip address 10.0.0.1 255.255.255.0

NHRP now needs to be configured on the mGRE interface. The hub is the next hop server (NHS); there is no explicit server command, it becomes the NHS because every spoke points its ip nhrp nhs at the hub's tunnel address. The ip nhrp authentication string is carried in cleartext inside the GRE packet and only keeps routers with a different string from joining this NHRP domain; it is not an access control, and the IPsec protection applied below is what actually authenticates peers. ip nhrp map multicast dynamic lets the hub replicate multicast (EIGRP hellos) to every spoke that registers.

hub-0(config-if)#ip nhrp network-id 1
hub-0(config-if)#ip nhrp authentication 1234!
hub-0(config-if)#ip nhrp map multicast dynamic

To enable DMVPN Phase 3 redirection, the ip nhrp redirect command is needed on the hub's mGRE interface only. It makes the hub send an NHRP traffic indication to the source spoke whenever it forwards a packet back out of the same mGRE interface it arrived on.

hub-0(config-if)#ip nhrp redirect

The ip nhrp shortcut command is also configured on the hub. In a single-hub design it changes nothing for the hub's own traffic, but it is harmless and becomes necessary when this router is itself a spoke of a higher-tier hub in a hierarchical DMVPN.

hub-0(config-if)#ip nhrp shortcut

Note: Some Cisco IOS 15.x releases enable ip nhrp shortcut by default on mGRE interfaces that use NHRP, but configure it explicitly anyway and verify it with show running-config interface Tunnel0. A missing shortcut command is a silent failure: everything still works, the traffic just keeps flowing through the hub.

By default, the mGRE interface is going to use GRE encapsulation, which has no encryption. To enable encryption on the mGRE interface, you will need to apply the IPsec profile to the interface.

hub-0(config-if)#tunnel protection ipsec profile DMVPNmyProfile

GRE and IPsec add overhead to every IP packet, and a full-size 1500-byte packet no longer fits a 1500-byte underlay link once it is encapsulated, so it has to be fragmented or dropped. To avoid this, lower the maximum transmission unit (MTU) on the mGRE interface and clamp the TCP maximum segment size (MSS) of sessions passing through it. 1400 leaves room for the GRE header plus the ESP header, IV, padding and ICV, and 1360 is 1400 minus the 20-byte IP and 20-byte TCP headers.

hub-0(config-if)#ip mtu 1400
hub-0(config-if)#ip tcp adjust-mss 1360
hub-0(config-if)#end

The spoke is the remote end at a branch office that needs to communicate securely with the central hub and with the other spokes. Each spoke site has its own private IP network behind it. Spokes in most cases do not have a static public IP address, which makes it hard to establish direct point-to-point connectivity between sites; with DMVPN the spoke simply registers its current address with the hub over NHRP.

To configure a spoke, you will first need an ISAKMP policy:

spoke-0#configure terminal
spoke-0(config)#crypto isakmp policy 20
spoke-0(config-isakmp)#encryption aes 256
spoke-0(config-isakmp)#hash sha384
spoke-0(config-isakmp)#authentication pre-share
spoke-0(config-isakmp)#group 14
spoke-0(config-isakmp)#exit

Each spoke needs an ISAKMP key for the hub. It also needs a key for every other spoke it will talk to directly: in Phase 3 the spoke-to-spoke tunnel is protected by its own IKE/IPsec session between the two spokes' public addresses, and if the spoke holds a pre-shared key only for the hub, IKE to the other spokes fails and the traffic silently stays on the hub path.

spoke-0(config)#crypto isakmp key DmVPNmyKEY! address 11.0.0.1
spoke-0(config)#crypto isakmp key DmVPNmyKEY! address 14.0.0.1
spoke-0(config)#crypto isakmp key DmVPNmyKEY! address 15.0.0.1
spoke-0(config)#crypto isakmp key DmVPNmyKEY! address 16.0.0.1

The spokes also will require a transform set and IPsec profile.

spoke-0(config)#crypto ipsec transform-set MyDMVPN-Transform esp-aes 256 esp-sha256-hmac
spoke-0(cfg-crypto-trans)#mode transport
spoke-0(cfg-crypto-trans)#exit
spoke-0(config)#crypto ipsec profile DMVPNmyProfile
spoke-0(ipsec-profile)#set transform-set MyDMVPN-Transform

The next step is to configure the mGRE interface, assuming that the spoke router already has a public-facing interface IP address configured. The mGRE interface lets the spoke create dynamic IPsec connections not only to the hub but also to other spokes, which means we no longer need a tunnel destination 11.0.0.1 command on the spoke.

spoke-0(config)#interface Tunnel0
spoke-0(config-if)#tunnel mode gre multipoint
spoke-0(config-if)#tunnel key 12345
spoke-0(config-if)#ip address 10.0.0.2 255.255.255.0
spoke-0(config-if)#tunnel source GigabitEthernet0/0

10.0.0.2 is spoke-0's address; every spoke gets its own address in the 10.0.0.0/24 tunnel subnet.

NHRP also needs to be configured on the spoke's mGRE interface. Because this is a spoke, it acts as an NHRP client: it needs a static mapping for the hub (tunnel address to public address) and an ip nhrp nhs entry so that it registers with the hub as its next hop server.

The ip nhrp map multicast 11.0.0.1 command maps multicast traffic leaving the tunnel, which is how EIGRP sends its hellos, to the hub's public address, so the spoke's routing packets reach the hub and the adjacency forms (the hub's ip nhrp map multicast dynamic does the reverse for every registered spoke). It has nothing to do with NHRP's own messages, which are unicast. Without this command no EIGRP adjacency forms over the tunnel, the spoke never learns the other sites' prefixes, and there is no spoke-to-spoke traffic for Phase 3 to redirect.

spoke-0(config-if)#ip nhrp network-id 1
spoke-0(config-if)#ip nhrp authentication 1234!
spoke-0(config-if)#ip nhrp map 10.0.0.1 11.0.0.1
spoke-0(config-if)#ip nhrp nhs 10.0.0.1
spoke-0(config-if)#ip nhrp map multicast 11.0.0.1

The ip nhrp map line pairs the hub's mGRE address (10.0.0.1) with its public address (11.0.0.1), and ip nhrp nhs points at the hub's mGRE address.

The ip nhrp shortcut command is required on the spoke. It lets the spoke act on the redirect coming from the hub: the spoke sends an NHRP resolution request for the destination and, when the reply arrives, installs a Cisco Express Forwarding shortcut (an NHRP next-hop override) for it, which is what creates the direct spoke-to-spoke connection.

spoke-0(config-if)#ip nhrp shortcut

Note: Some Cisco IOS 15.x releases enable ip nhrp shortcut by default on mGRE interfaces that use NHRP, but configure it explicitly on every spoke and verify it with show running-config interface Tunnel0; without it the spoke ignores the hub's redirects and all traffic stays on the hub.

By default, the mGRE interface is going to use GRE encapsulation, which has no encryption. To enable encryption on the mGRE interface, you will need to apply the IPsec profile to the interface.

spoke-0(config-if)#tunnel protection ipsec profile DMVPNmyProfile

As on the hub, lower the MTU and clamp the MSS on the mGRE interface so that encapsulated packets still fit the underlay link without fragmentation; use the same values as on the hub.

spoke-0(config-if)#ip mtu 1400
spoke-0(config-if)#ip tcp adjust-mss 1360
spoke-0(config-if)#end
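The arithmetic behind the ip mtu 1400 / ip tcp adjust-mss 1360 values used on both the hub and the spoke above, as an added example that is not part of the original tutorial. It models exactly the encapsulation configured here: GRE with a tunnel key (8-byte GRE header) inside ESP transport mode with AES-256-CBC and SHA-256-HMAC, in a plain 20-byte IPv4 header. It also shows the largest tunnel MTU that never fragments on a 1500-byte link, with and without NAT traversal (NAT-T is not used in the lab; the nat_t flag is this example's own assumption), and reproduces the plaintext mtu 1458 figure that appears in the show crypto ipsec sa output later on this page.

```python
"""Overhead arithmetic behind 'ip mtu 1400' and 'ip tcp adjust-mss 1360'.

Added example, not code from this tutorial. It models what the tutorial
configures: GRE with a 'tunnel key' (8-byte GRE header) carried in ESP
transport mode with AES-256-CBC (16-byte IV and block) and SHA-256-HMAC
(16-byte truncated ICV) inside a 20-byte IPv4 header without options.
NAT traversal (an extra 8-byte UDP header) is off in the lab; pass
nat_t=True to see its effect.
"""
import math

IPV4_HEADER = 20
GRE_BASE_HEADER = 4   # flags/version + protocol type
GRE_KEY_FIELD = 4     # present only when 'tunnel key' is configured
ESP_HEADER = 8        # SPI + sequence number
ESP_IV = 16           # AES-CBC initialisation vector
ESP_TRAILER = 2       # pad length + next header
ESP_ICV = 16          # HMAC-SHA-256-128 (RFC 4868)
AES_BLOCK = 16
UDP_HEADER = 8        # NAT-T encapsulation


def esp_transport_size(payload_len, nat_t=False):
    """Bytes on the wire for an IPv4/ESP transport-mode packet with this ESP payload."""
    # payload + trailer is padded up to a whole number of cipher blocks
    padded = math.ceil((payload_len + ESP_TRAILER) / AES_BLOCK) * AES_BLOCK
    size = IPV4_HEADER + ESP_HEADER + ESP_IV + padded + ESP_ICV
    return size + (UDP_HEADER if nat_t else 0)


def wire_size(inner_ip_len, tunnel_key=True, nat_t=False):
    """Outer packet size for an inner IP packet sent through the mGRE + IPsec tunnel."""
    gre = GRE_BASE_HEADER + (GRE_KEY_FIELD if tunnel_key else 0)
    return esp_transport_size(gre + inner_ip_len, nat_t)


def max_ip_mtu(link_mtu=1500, tunnel_key=True, nat_t=False):
    """Largest 'ip mtu' for Tunnel0 whose packets never need underlay fragmentation."""
    mtu = link_mtu
    while wire_size(mtu, tunnel_key, nat_t) > link_mtu:
        mtu -= 1
    return mtu


def tcp_mss_for(ip_mtu):
    """'ip tcp adjust-mss' value: tunnel MTU minus 20-byte IPv4 and 20-byte TCP headers."""
    return ip_mtu - 40


def esp_fixed_overhead():
    """ESP bytes added before padding; IOS prints 1500 minus this as 'plaintext mtu'."""
    return ESP_HEADER + ESP_IV + ESP_TRAILER + ESP_ICV


if __name__ == "__main__":
    print("ip mtu 1400 on the wire:", wire_size(1400), "bytes")
    print("largest fragmentation-free ip mtu:", max_ip_mtu(),
          "(with NAT-T:", max_ip_mtu(nat_t=True), ")")
    print("matching adjust-mss:", tcp_mss_for(1400))
    print("IOS 'plaintext mtu':", 1500 - esp_fixed_overhead())
```

1400 is deliberately conservative: the exact ceiling with this transform set is 1430 bytes, but the lower value also absorbs NAT-T and underlay links that are slightly smaller than 1500, which is why it is the common choice in DMVPN deployments.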

Because we are using DMVPN Phase 3, the spokes must learn routes to each other's networks, and those routes all reach the spokes via the hub. With EIGRP (autonomous system 1 here; this tutorial assumes router eigrp 1 is already running on the hub and the spokes with Tunnel0 and the LAN interfaces included), split horizon stops the hub from re-advertising a route out of the interface it learned it on, so by default the hub never passes spoke-1's prefixes back out Tunnel0 to spoke-0. Disabling split horizon on the hub's mGRE interface fixes that:

hub-0(config-if)#no ip split-horizon eigrp 1

In order to limit the size of the routing tables on the spokes, you can instead summarize with ip summary-address eigrp 1 0.0.0.0 0.0.0.0 on the same interface, which advertises a single default route pointing to the hub. Phase 3 allows this because the NHRP shortcut overrides the next hop for individual destinations; in Phase 2 the spokes needed the specific routes with the remote spoke as next hop.

The biggest problem with any VPN system is routing, routing, routing! If routing is not working, everything breaks and you will not be able to reach your remote spoke sites. For example, if the administrator forgets no ip split-horizon eigrp 1 on the hub's mGRE interface, a spoke can only reach the hub's local network and not the other spokes' local networks.

spoke-0#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.0.0.0/24 is directly connected, Tunnel0
L        10.0.0.2/32 is directly connected, Tunnel0
      11.0.0.0/24 is subnetted, 1 subnets
S        11.0.0.0 [1/0] via 13.0.0.2
      13.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        13.0.0.0/24 is directly connected, GigabitEthernet0/0
L        13.0.0.1/32 is directly connected, GigabitEthernet0/0
      14.0.0.0/24 is subnetted, 1 subnets
S        14.0.0.0 [1/0] via 13.0.0.2
      15.0.0.0/24 is subnetted, 1 subnets
S        15.0.0.0 [1/0] via 13.0.0.2
      16.0.0.0/24 is subnetted, 1 subnets
S        16.0.0.0 [1/0] via 13.0.0.2
      172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
D        172.16.1.0/24 [90/26880256] via 10.0.0.1, 00:00:09, Tunnel0
C        172.16.2.0/24 is directly connected, GigabitEthernet0/1
L        172.16.2.1/32 is directly connected, GigabitEthernet0/1

Notice that spoke-0 only has a route to the hub's local network (172.16.1.0/24) and none to the other spokes' networks.

hub-0(config)#interface Tunnel 0
hub-0(config-if)#no ip split-horizon eigrp 1
hub-0(config-if)#
*Sep 26 18:44:21.773: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.0.0.5 (Tunnel0) is resync: split horizon changed
*Sep 26 18:44:21.775: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.0.0.2 (Tunnel0) is resync: split horizon changed
*Sep 26 18:44:21.776: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.0.0.3 (Tunnel0) is resync: split horizon changed
*Sep 26 18:44:21.776: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.0.0.4 (Tunnel0) is resync: split horizon changed
*Sep 26 18:44:23.691: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.0.0.4 (Tunnel0) is up: new adjacency
*Sep 26 18:44:23.729: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.0.0.3 (Tunnel0) is up: new adjacency
*Sep 26 18:44:23.742: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.0.0.2 (Tunnel0) is up: new adjacency
*Sep 26 18:44:23.781: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.0.0.5 (Tunnel0) is up: new adjacency

After no ip split-horizon eigrp 1 is configured on the hub's mGRE interface, the spokes receive routes to the other spokes' networks, still with the hub (10.0.0.1) as the next hop.

spoke-0#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.0.0.0/24 is directly connected, Tunnel0
L        10.0.0.2/32 is directly connected, Tunnel0
      11.0.0.0/24 is subnetted, 1 subnets
S        11.0.0.0 [1/0] via 13.0.0.2
      13.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        13.0.0.0/24 is directly connected, GigabitEthernet0/0
L        13.0.0.1/32 is directly connected, GigabitEthernet0/0
      14.0.0.0/24 is subnetted, 1 subnets
S        14.0.0.0 [1/0] via 13.0.0.2
      15.0.0.0/24 is subnetted, 1 subnets
S        15.0.0.0 [1/0] via 13.0.0.2
      16.0.0.0/24 is subnetted, 1 subnets
S        16.0.0.0 [1/0] via 13.0.0.2
      172.16.0.0/16 is variably subnetted, 6 subnets, 2 masks
D        172.16.1.0/24 [90/26880256] via 10.0.0.1, 00:00:37, Tunnel0
C        172.16.2.0/24 is directly connected, GigabitEthernet0/1
L        172.16.2.1/32 is directly connected, GigabitEthernet0/1
D        172.16.3.0/24 [90/28160256] via 10.0.0.1, 00:00:27, Tunnel0
D        172.16.4.0/24 [90/28160256] via 10.0.0.1, 00:00:27, Tunnel0
D        172.16.5.0/24 [90/28160256] via 10.0.0.1, 00:00:27, Tunnel0

Notice that spoke-0 can now reach the local network of every other spoke on the DMVPN network, via the hub. This is where the NHRP redirect comes in and moves that traffic onto direct spoke-to-spoke tunnels.

Using the ip summary-address eigrp 1 0.0.0.0 0.0.0.0 command replaces the individual prefixes with a single summarized default route advertised to each spoke, reducing the memory and CPU needed on spokes that may not be able to handle large routing tables.

hub-0(config-if)#ip summary-address eigrp 1 0.0.0.0 0.0.0.0
hub-0(config-if)#exit
hub-0(config)#
*Sep 28 17:16:55.239: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.0.0.4 (Tunnel0) is resync: summary configured
*Sep 28 17:16:55.239: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.0.0.3 (Tunnel0) is resync: summary configured
*Sep 28 17:16:55.239: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.0.0.5 (Tunnel0) is resync: summary configured
*Sep 28 17:16:55.239: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.0.0.2 (Tunnel0) is resync: summary configured

After ip summary-address eigrp 1 0.0.0.0 0.0.0.0 is configured on the hub's mGRE interface, each spoke has a single default route pointing to the hub, and the specific 172.16.x.0/24 routes it learned from the hub disappear.

spoke-0#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 10.0.0.1 to network 0.0.0.0

D*    0.0.0.0/0 [90/26880256] via 10.0.0.1, 00:02:23, Tunnel0
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.0.0.0/24 is directly connected, Tunnel0
L        10.0.0.2/32 is directly connected, Tunnel0
      11.0.0.0/24 is subnetted, 1 subnets
S        11.0.0.0 [1/0] via 13.0.0.2
      13.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        13.0.0.0/24 is directly connected, GigabitEthernet0/0
L        13.0.0.1/32 is directly connected, GigabitEthernet0/0
      14.0.0.0/24 is subnetted, 1 subnets
S        14.0.0.0 [1/0] via 13.0.0.2
      15.0.0.0/24 is subnetted, 1 subnets
S        15.0.0.0 [1/0] via 13.0.0.2
      16.0.0.0/24 is subnetted, 1 subnets
S        16.0.0.0 [1/0] via 13.0.0.2
      172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.16.2.0/24 is directly connected, GigabitEthernet0/1
L        172.16.2.1/32 is directly connected, GigabitEthernet0/1

Every spoke network is now reachable from spoke-0. Keep in mind that a successful ping only proves reachability, not that the traffic took the direct spoke-to-spoke path; the verification commands that follow are what show the path.

# Hub Local Network
spoke-0#ping 172.16.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/6/10 ms

# Spoke-0 Local Network
spoke-0#ping 172.16.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

# Spoke-1 Local Network
spoke-0#ping 172.16.3.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.3.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 22/27/31 ms

# Spoke-2 Local Network
spoke-0#ping 172.16.4.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.4.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 26/39/63 ms

# Spoke-3 Local Network
spoke-0#ping 172.16.5.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.5.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 23/41/73 ms
spoke-0#

Once DMVPN Phase 3 is configured, a basic check needs to be done. For example, verify ISAKMP from the hub and the spoke sides.

hub-0#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
11.0.0.1        15.0.0.1        QM_IDLE           1026 ACTIVE
11.0.0.1        14.0.0.1        QM_IDLE           1025 ACTIVE
11.0.0.1        13.0.0.1        QM_IDLE           1024 ACTIVE
11.0.0.1        16.0.0.1        QM_IDLE           1027 ACTIVE

IPv6 Crypto ISAKMP SA

As you can see, the hub ISAKMP connects to all the spokes via their public IPs.

spoke-0# show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
11.0.0.1        13.0.0.1        QM_IDLE           1005 ACTIVE

IPv6 Crypto ISAKMP SA

spoke-0#

However, the spokes only have connections to the hub and not to other spokes.

hub-0#show crypto ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 11.0.0.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (11.0.0.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (16.0.0.1/255.255.255.255/47/0)
   current_peer 16.0.0.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 831, #pkts encrypt: 831, #pkts digest: 831
    #pkts decaps: 827, #pkts decrypt: 827, #pkts verify: 827
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 11.0.0.1, remote crypto endpt.: 16.0.0.1
     plaintext mtu 1458, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0xA7402F36(2806001462)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x3ABEBB73(985578355)
        transform: esp-256-aes esp-sha256-hmac ,
        in use settings ={Transport, }
        conn id: 19, flow_id: SW:19, sibling_flags 80004000, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4285635/3026)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xA7402F36(2806001462)
        transform: esp-256-aes esp-sha256-hmac ,
        in use settings ={Transport, }
        conn id: 20, flow_id: SW:20, sibling_flags 80004000, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4285635/3026)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (11.0.0.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (15.0.0.1/255.255.255.255/47/0)
   current_peer 15.0.0.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 834, #pkts encrypt: 834, #pkts digest: 834
    #pkts decaps: 825, #pkts decrypt: 825, #pkts verify: 825
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 11.0.0.1, remote crypto endpt.: 15.0.0.1
     plaintext mtu 1458, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0xF984C4AD(4186227885)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x259252AB(630346411)
        transform: esp-256-aes esp-sha256-hmac ,
        in use settings ={Transport, }
        conn id: 17, flow_id: SW:17, sibling_flags 80004000, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4152694/3022)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xF984C4AD(4186227885)
        transform: esp-256-aes esp-sha256-hmac ,
        in use settings ={Transport, }
        conn id: 18, flow_id: SW:18, sibling_flags 80004000, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4152694/3022)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (11.0.0.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (14.0.0.1/255.255.255.255/47/0)
   current_peer 14.0.0.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 839, #pkts encrypt: 839, #pkts digest: 839
    #pkts decaps: 831, #pkts decrypt: 831, #pkts verify: 831
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 11.0.0.1, remote crypto endpt.: 14.0.0.1
     plaintext mtu 1458, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x130B82A0(319521440)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x38AD3679(950875769)
        transform: esp-256-aes esp-sha256-hmac ,
        in use settings ={Transport, }
        conn id: 23, flow_id: SW:23, sibling_flags 80004000, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4247953/3107)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x130B82A0(319521440)
        transform: esp-256-aes esp-sha256-hmac ,
        in use settings ={Transport, }
        conn id: 24, flow_id: SW:24, sibling_flags 80004000, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4247952/3107)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (11.0.0.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (13.0.0.1/255.255.255.255/47/0)
   current_peer 13.0.0.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 874, #pkts encrypt: 874, #pkts digest: 874
    #pkts decaps: 860, #pkts decrypt: 860, #pkts verify: 860
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 11.0.0.1, remote crypto endpt.: 13.0.0.1
     plaintext mtu 1458, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0xA9BECC3D(2847853629)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x520D29D8(1376594392)
        transform: esp-256-aes esp-sha256-hmac ,
        in use settings ={Transport, }
        conn id: 21, flow_id: SW:21, sibling_flags 80004000, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4260868/3097)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xA9BECC3D(2847853629)
        transform: esp-256-aes esp-sha256-hmac ,
        in use settings ={Transport, }
        conn id: 22, flow_id: SW:22, sibling_flags 80004000, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4260868/3097)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:
hub-0#

As you can see from the above output, you will get a view from all the spokes connected to the hub, how many packets are being encrypted, and the security parameter index (SPI) database information for each spoke.

spoke-0#show crypto ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 13.0.0.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (13.0.0.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (16.0.0.1/255.255.255.255/47/0)
   current_peer 16.0.0.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 13.0.0.1, remote crypto endpt.: 16.0.0.1
     plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (13.0.0.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (15.0.0.1/255.255.255.255/47/0)
   current_peer 15.0.0.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 13.0.0.1, remote crypto endpt.: 15.0.0.1
     plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (13.0.0.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (14.0.0.1/255.255.255.255/47/0)
   current_peer 14.0.0.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 13.0.0.1, remote crypto endpt.: 14.0.0.1
     plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (13.0.0.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (11.0.0.1/255.255.255.255/47/0)
   current_peer 11.0.0.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 873, #pkts encrypt: 873, #pkts digest: 873
    #pkts decaps: 888, #pkts decrypt: 888, #pkts verify: 888
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 13.0.0.1, remote crypto endpt.: 11.0.0.1
     plaintext mtu 1458, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x520D29D8(1376594392)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xA9BECC3D(2847853629)
        transform: esp-256-aes esp-sha256-hmac ,
        in use settings ={Transport, }
        conn id: 5, flow_id: SW:5, sibling_flags 80000000, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4245473/3032)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x520D29D8(1376594392)
        transform: esp-256-aes esp-sha256-hmac ,
        in use settings ={Transport, }
        conn id: 6, flow_id: SW:6, sibling_flags 80000000, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4245473/3032)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:
spoke-0#

Look at this output carefully. From spoke-0's point of view, IPsec flows now exist toward the other spokes' public addresses (16.0.0.1, 15.0.0.1, 14.0.0.1), which shows that NHRP resolved them and tunnel protection tried to bring up spoke-to-spoke IPsec. But for each of those peers #pkts encaps is 0, the current outbound SPI is 0x0, and there are no inbound or outbound ESP SAs; only the flow to the hub (11.0.0.1) has active SAs and traffic counters, and the show crypto isakmp sa on spoke-0 earlier listed the hub as its only IKE peer. In other words, the spoke-to-spoke tunnels were attempted but never came up, and the pings above succeeded over the hub path. Given the configuration in this tutorial, the usual cause is the spoke holding a pre-shared key only for the hub's address, so IKE with the other spokes fails: run debug crypto isakmp on the spoke while repeating a spoke-to-spoke ping, make sure every spoke has a key (or certificate trust) for every other spoke's public address, and re-run the check. Phase 3 is working only when the peer spokes appear in show crypto isakmp sa in state QM_IDLE, their ESP SAs show non-zero packet counters, and show ip nhrp on the spoke lists the shortcut entries for the remote networks.
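The check described above, as an added example that is not part of the original tutorial: a Python script that parses the text of Cisco IOS show crypto ipsec sa and classifies every peer flow as UP (SA present and traffic counted), IDLE (SA present, nothing sent yet) or NO-SA (a flow was created but IKE/IPsec never completed). The sample text embedded in it is constructed from the spoke-0 output above, shortened to two flows and to the lines the parser uses; in practice you feed it the full command output copied from the router. The regular expressions and function names are this example's own.

```python
"""Flag IPsec flows that exist but never came up, from 'show crypto ipsec sa'.

Added example, not code from this tutorial. It parses the IOS text format as
printed on this page and reports, per peer, whether an outbound SPI was
negotiated and how much traffic was encrypted. SAMPLE is constructed from the
spoke-0 output above, shortened to two flows; pass the real command output to
the functions instead.
"""
import re

SAMPLE = """\
interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 13.0.0.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (13.0.0.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (16.0.0.1/255.255.255.255/47/0)
   current_peer 16.0.0.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
     current outbound spi: 0x0(0)

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (13.0.0.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (11.0.0.1/255.255.255.255/47/0)
   current_peer 11.0.0.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 873, #pkts encrypt: 873, #pkts digest: 873
    #pkts decaps: 888, #pkts decrypt: 888, #pkts verify: 888
     current outbound spi: 0x520D29D8(1376594392)
"""

PEER_RE = re.compile(r"^\s*current_peer\s+(\S+)\s+port\s+(\d+)", re.M)
ENCAPS_RE = re.compile(r"#pkts encaps:\s*(\d+)")
DECAPS_RE = re.compile(r"#pkts decaps:\s*(\d+)")
SPI_RE = re.compile(r"current outbound spi:\s*0x([0-9A-Fa-f]+)")


def _num(regex, block, base=10):
    """First capture of regex in block as an int, or 0 when the line is absent."""
    m = regex.search(block)
    return int(m.group(1), base) if m else 0


def parse_flows(text):
    """One dict per 'protected vrf' block: peer, port, encaps, decaps, spi."""
    flows = []
    # every flow starts with a 'protected vrf:' line; chunk [0] is the interface header
    for block in re.split(r"^\s*protected vrf:", text, flags=re.M)[1:]:
        peer = PEER_RE.search(block)
        if not peer:
            continue
        flows.append({
            "peer": peer.group(1),
            "port": int(peer.group(2)),          # 4500 means the peer is behind NAT (NAT-T)
            "encaps": _num(ENCAPS_RE, block),
            "decaps": _num(DECAPS_RE, block),
            "spi": _num(SPI_RE, block, 16),      # 0 means no outbound SA was ever negotiated
        })
    return flows


def classify(flow):
    """UP: SA present and traffic counted; IDLE: SA but nothing sent yet; NO-SA: never came up."""
    if flow["spi"] == 0:
        return "NO-SA"
    return "UP" if flow["encaps"] or flow["decaps"] else "IDLE"


def flows_without_sa(text):
    """Peers for which IOS created a flow (NHRP resolved them) but IKE/IPsec never completed."""
    return [f["peer"] for f in parse_flows(text) if classify(f) == "NO-SA"]


def nat_t_peers(text):
    """Peers negotiating on UDP 4500, i.e. sitting behind NAT."""
    return [f["peer"] for f in parse_flows(text) if f["port"] == 4500]


if __name__ == "__main__":
    for f in parse_flows(SAMPLE):
        print(f"{f['peer']:<12} {classify(f):<6} spi=0x{f['spi']:08X} "
              f"encaps={f['encaps']} decaps={f['decaps']}")
    print("flows without an SA:", flows_without_sa(SAMPLE))
```

Run it against the full spoke-0 output above and all three spoke peers come back as NO-SA while the hub is UP, which is the fingerprint of spoke-to-spoke IKE failing behind working hub tunnels; after the keys are fixed, the same script should report those peers as UP once a spoke-to-spoke ping has been sent.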

hub-0#show dmvpn detail
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        T1 - Route Installed, T2 - Nexthop-override
        C - CTS Capable, I2 - Temporary
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface Tunnel0 is up/up, Addr. is 10.0.0.1, VRF ""
   Tunnel Src./Dest. addr: 11.0.0.1/Multipoint, Tunnel VRF ""
   Protocol/Transport: "multi-GRE/IP", Protect "DMVPNmyProfile"
   Interface State Control: Disabled
   nhrp event-publisher : Disabled
Type:Hub, Total NBMA Peers (v4/v6): 4

# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network
----- --------------- --------------- ----- -------- ----- -----------------
    1 13.0.0.1               10.0.0.2    UP 01:00:51     D        10.0.0.2/32
    1 14.0.0.1               10.0.0.3    UP 01:00:34     D        10.0.0.3/32
    1 15.0.0.1               10.0.0.4    UP 01:00:13     D        10.0.0.4/32
    1 16.0.0.1               10.0.0.5    UP 01:00:06     D        10.0.0.5/32


Crypto Session Details:
--------------------------------------------------------------------------------

Interface: Tunnel0
Session: [0x0D05BD90]
  Session ID: 0
  IKEv1 SA: local 11.0.0.1/500 remote 13.0.0.1/500 Active
          Capabilities:(none) connid:1001 lifetime:22:59:06
  Crypto Session Status: UP-ACTIVE
  fvrf: (none), Phase1_id: 13.0.0.1
  IPSEC FLOW: permit 47 host 11.0.0.1 host 13.0.0.1
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 888 drop 0 life (KB/Sec) 4260864/2965
        Outbound: #pkts enc'ed 903 drop 0 life (KB/Sec) 4260863/2965
   Outbound SPI : 0xA9BECC3D, transform : esp-256-aes esp-sha256-hmac
    Socket State: Open

Interface: Tunnel0
Session: [0x0D05BE88]
  Session ID: 0
  IKEv1 SA: local 11.0.0.1/500 remote 14.0.0.1/500 Active
          Capabilities:(none) connid:1002 lifetime:22:59:23
  Crypto Session Status: UP-ACTIVE
  fvrf: (none), Phase1_id: 14.0.0.1
  IPSEC FLOW: permit 47 host 11.0.0.1 host 14.0.0.1
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 859 drop 0 life (KB/Sec) 4247949/2975
        Outbound: #pkts enc'ed 868 drop 0 life (KB/Sec) 4247948/2975
   Outbound SPI : 0x130B82A0, transform : esp-256-aes esp-sha256-hmac
    Socket State: Open

Interface: Tunnel0
Session: [0x0D05BF80]
  Session ID: 0
  IKEv1 SA: local 11.0.0.1/500 remote 15.0.0.1/500 Active
          Capabilities:(none) connid:1003 lifetime:22:59:45
  Crypto Session Status: UP-ACTIVE
  fvrf: (none), Phase1_id: 15.0.0.1
  IPSEC FLOW: permit 47 host 11.0.0.1 host 15.0.0.1
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 853 drop 0 life (KB/Sec) 4152690/2890
        Outbound: #pkts enc'ed 863 drop 0 life (KB/Sec) 4152690/2890
   Outbound SPI : 0xF984C4AD, transform : esp-256-aes esp-sha256-hmac
    Socket State: Open

Interface: Tunnel0
Session: [0x0D05C078]
  Session ID: 0
  IKEv1 SA: local 11.0.0.1/500 remote 16.0.0.1/500 Active
          Capabilities:(none) connid:1004 lifetime:22:59:52
  Crypto Session Status: UP-ACTIVE
  fvrf: (none), Phase1_id: 16.0.0.1
  IPSEC FLOW: permit 47 host 11.0.0.1 host 16.0.0.1
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 856 drop 0 life (KB/Sec) 4285631/2894
        Outbound: #pkts enc'ed 860 drop 0 life (KB/Sec) 4285631/2894
   Outbound SPI : 0xA7402F36, transform : esp-256-aes esp-sha256-hmac
    Socket State: Open

Pending DMVPN Sessions:

hub-0#

The show dmvpn detail command gives you a summary of everything except ISAKMP information. In addition, it will give you nonbroadcast multiaccess (NBMA) peer information, which is made possible via NHRP.

Because we are using Phase 3, NHRP is critical: it is what allows the hub to send an NHRP redirect to the source spoke so that the source spoke can reach the destination spoke directly and send traffic to it.

When the spoke first boots up, the NHRP cache holds no dynamic entries, only the static mapping for the hub; this can be seen using the show ip nhrp command.

spoke-0#show ip nhrp
10.0.0.1/32 via 10.0.0.1
   Tunnel0 created 00:49:21, never expire
   Type: static, Flags: used
   NBMA address: 11.0.0.1

However, you can start talking to other hosts on other spokes by sending an Internet Control Message Protocol (ICMP) ping.

spoke-0#ping 172.16.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/3 ms
spoke-0#ping 172.16.3.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.3.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 26/30/34 ms
spoke-0#ping 172.16.4.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.4.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/33/47 ms
spoke-0#ping 172.16.5.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.5.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/34/50 ms

After the ICMP pings to each spoke's local network complete, you will see dynamic entries in the NHRP cache. These were installed as a result of the NHRP redirects sent by the hub.

spoke-0#show ip nhrp
10.0.0.1/32 via 10.0.0.1
   Tunnel0 created 01:05:32, never expire
   Type: static, Flags: used
   NBMA address: 11.0.0.1
10.0.0.3/32 via 10.0.0.3
   Tunnel0 created 00:00:09, expire 00:09:50
   Type: dynamic, Flags: router implicit nhop nf
   NBMA address: 14.0.0.1
    (no-socket)
10.0.0.4/32 via 10.0.0.4
   Tunnel0 created 00:00:07, expire 00:09:52
   Type: dynamic, Flags: router implicit nhop nf
   NBMA address: 15.0.0.1
    (no-socket)
10.0.0.5/32 via 10.0.0.5
   Tunnel0 created 00:00:04, expire 00:09:55
   Type: dynamic, Flags: router implicit nhop nf
   NBMA address: 16.0.0.1
    (no-socket)
172.16.3.2/32
   Tunnel0 created 00:00:09, expire 00:02:55
   Type: dynamic, Flags: negative
   Cache hits: 2
172.16.4.2/32
   Tunnel0 created 00:00:07, expire 00:02:57
   Type: dynamic, Flags: negative
   Cache hits: 2
172.16.5.2/32
   Tunnel0 created 00:00:04, expire 00:03:00
   Type: dynamic, Flags: negative
   Cache hits: 2
spoke-0#
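To turn the cache output above into something you can check automatically, here is an added example (not part of the tutorial and not Cisco code) that parses the text of show ip nhrp, separates the static hub mapping from the dynamic spoke-to-spoke entries and the negative entries, and flags any dynamic entry whose NBMA (transport) address is not one of the hub and spoke addresses used in this lab. The sample input is constructed and modeled on the output shown above; the entry for 10.0.0.9 with NBMA address 203.0.113.77 is an invented, deliberately unknown peer so that the allowlist check has something to report. The KNOWN_NBMA set and all function names are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hub and spoke NBMA (public/transport) addresses used in this tutorial's lab.
# Assumption of this example: in a real deployment this list comes from your inventory.
KNOWN_NBMA = {"11.0.0.1", "13.0.0.1", "14.0.0.1", "15.0.0.1", "16.0.0.1"}

# Constructed sample input, modeled on the `show ip nhrp` output in the tutorial.
# The 10.0.0.9 / 203.0.113.77 entry is invented to exercise the allowlist check.
SAMPLE_NHRP = """\
10.0.0.1/32 via 10.0.0.1
   Tunnel0 created 01:05:32, never expire
   Type: static, Flags: used
   NBMA address: 11.0.0.1
10.0.0.3/32 via 10.0.0.3
   Tunnel0 created 00:00:09, expire 00:09:50
   Type: dynamic, Flags: router implicit nhop nf
   NBMA address: 14.0.0.1
    (no-socket)
10.0.0.9/32 via 10.0.0.9
   Tunnel0 created 00:00:02, expire 00:09:57
   Type: dynamic, Flags: router implicit nhop nf
   NBMA address: 203.0.113.77
    (no-socket)
172.16.3.2/32
   Tunnel0 created 00:00:09, expire 00:02:55
   Type: dynamic, Flags: negative
   Cache hits: 2
"""


@dataclass
class NhrpEntry:
    prefix: str                  # e.g. "10.0.0.3/32"
    next_hop: Optional[str]      # tunnel next hop; None for negative entries
    interface: str = ""          # e.g. "Tunnel0"
    expires: Optional[str] = None  # remaining lifetime, None when "never expire"
    entry_type: str = ""         # "static" or "dynamic"
    flags: List[str] = None      # tokens after "Flags:"
    nbma: Optional[str] = None   # NBMA (transport) address of the peer
    no_socket: bool = False      # "(no-socket)" marker present
    cache_hits: int = 0


HEADER_RE = re.compile(r"^(\S+/\d+)(?: via (\S+))?$")
CREATED_RE = re.compile(r"^(\S+) created \S+, (never expire|expire (\S+))$")
TYPE_RE = re.compile(r"^Type: (\w+), Flags: ?(.*)$")
NBMA_RE = re.compile(r"^NBMA address: (\S+)$")
HITS_RE = re.compile(r"^Cache hits: (\d+)$")
PROMPT_RE = re.compile(r"^\S+#")


def parse_show_ip_nhrp(text: str) -> List[NhrpEntry]:
    """Parse IOS `show ip nhrp` text into a list of NhrpEntry records."""
    entries: List[NhrpEntry] = []
    cur: Optional[NhrpEntry] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or PROMPT_RE.match(line):   # skip blanks and CLI prompt lines
            continue
        m = HEADER_RE.match(line)
        if m and not raw.startswith(" "):        # unindented line starts a new entry
            cur = NhrpEntry(prefix=m.group(1), next_hop=m.group(2), flags=[])
            entries.append(cur)
            continue
        if cur is None:
            continue
        if (m := CREATED_RE.match(line)):
            cur.interface, cur.expires = m.group(1), m.group(3)
        elif (m := TYPE_RE.match(line)):
            cur.entry_type, cur.flags = m.group(1), m.group(2).split()
        elif (m := NBMA_RE.match(line)):
            cur.nbma = m.group(1)
        elif line == "(no-socket)":
            cur.no_socket = True
        elif (m := HITS_RE.match(line)):
            cur.cache_hits = int(m.group(1))
    return entries


def shortcut_peers(entries: List[NhrpEntry]) -> Dict[str, str]:
    """Spoke-to-spoke next hops learned via NHRP redirect: dynamic, non-negative, with an NBMA address."""
    return {e.prefix: e.nbma for e in entries
            if e.entry_type == "dynamic" and "negative" not in e.flags and e.nbma}


def unexpected_nbma(entries: List[NhrpEntry], known: set) -> List[NhrpEntry]:
    """Dynamic entries whose NBMA address is not a known hub or spoke; worth investigating."""
    return [e for e in entries if e.entry_type == "dynamic" and e.nbma and e.nbma not in known]


def negative_entries(entries: List[NhrpEntry]) -> List[str]:
    """Prefixes cached as negative (no shortcut available for that host)."""
    return [e.prefix for e in entries if "negative" in e.flags]


if __name__ == "__main__":
    parsed = parse_show_ip_nhrp(SAMPLE_NHRP)
    print("shortcuts:", shortcut_peers(parsed))
    print("negative :", negative_entries(parsed))
    for e in unexpected_nbma(parsed, KNOWN_NBMA):
        print(f"WARNING: {e.prefix} resolves to unknown NBMA address {e.nbma}")
```

Run it against the saved output of show ip nhrp from each spoke after traffic has flowed; a dynamic entry that points at an NBMA address outside your inventory, or a shortcut that never appears for a spoke pair that should be talking directly, is the first thing to look at when Phase 3 does not behave as expected.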

Learn More