What You’ll Learn
- The need for DMVPN, and the terminology
- Device components of DMVPN (hub and spoke)
- Configuration components of DMVPN (hub and spoke)
- Configuring DMVPN hub and spoke using Phase 3
What You’ll Need
- Cisco Modeling Labs (2.x) DMVPN YAML File
- Five Cisco IOS routers running the Security License
- A test computer and server connected to the spokes
DMVPN is a site-to-site VPN tunneling technology that was developed by Cisco to provide secure connectivity to remote offices. It is able to not only send data across the VPN tunnel, but also voice and video. The biggest advantage of using DMVPN is that in addition to encrypting the data that flows through the tunnel, it supports a full mesh design using a hub-and-spoke architecture. DMVPN is able to support three phases of configuration that allow the administrator to support different use cases.
With DMVPN Phase 3, all spokes (remote sites) will have the ability to send data directly to themselves instead of using the hub as a central point of distribution.
In DMVPN Phase 2, the spoke will send an NHRP query to the hub asking it to share the public IP information for the spoke that it is trying to reach. The hub will then provide an NHRP response with the public IP of the spoke. The hub is queried for this information because when spokes register with the hub, they share this information with the hub. The hub keeps track of this information on the NHRP database.
With DMVPN Phase 3, however, the hub and spokes still use NHRP, but instead of using an NHRP query, the source spoke will send the traffic to the hub temporary to send to the destination spoke. This process will trigger an NHRP redirection from the hub to the source spoke informing it of a direct path to the destination spoke router. The source spoke router can then bypass the hub router for subsequent traffic between them and send the traffic directly to the destination spoke router, thus reducing the load on the hub.
DMVPN is made up of two devices:
Hub: As the main device in the DMVPN tunnel network, the hub allows all the remote spoke devices to connect to one central location to pass traffic, so the spokes can send traffic not only to the hub but to each other.
Spoke: The spoke device is used to connect remote sites together via the hub. If a remote site wants to send data to another remote site, it uses the hub to forward the traffic to the spoke that is connected to the other site.
DMVPN has five main components:
mGRE: The Multipoint Generic Routing Encapsulation (mGRE) interface provides the main connection into the DMVPN tunnel, making the configuration simpler to manage. The mGRE interface unicast IP, multicast IP, and non-IP traffic. The router that is configured to use the mGRE interface uses routing to direct traffic into the DMVPN tunnel.
NHRP server: The DMVPN network uses private IPs to forward traffic, but the routers still need a public IP to build the DMVPN tunnel. In order to do this in a dynamic way, NHRP is used to learn the public interface address on each spoke and register it with the NHRP hub. The hub will be considered the server and the spokes the client.
Routing protocols: Enhanced Interior Gateway Routing Protocol (EIGRP), Open Shortest Path First (OSPF), and Border Gateway Protocol (BGP) can be used to advertise the private networks to the hub so that they can be distributed to other spokes.
IPsec: IP Security (IPsec) is the main framework that is used to securely encapsulate the GRE tunnel traffic.
NHRP client: The client registers the public interface IP with the hub as soon as the router boots the operating system. The spoke will when query the NHRP server for public IP information form the server when it needs to build a DMVPN tunnel.
The hub is the central point in the DMVPN network and acts as the concentrator or primary point of contact for all remote spokes to communicate security. The hub in most cases has a static public IP address to make it easy for spoke routers to establish connections with it.
To configure a hub, you will first need an Internet Security Association and Key Management Protocol (ISAKMP) policy:
hub-0#configure terminal
hub-0(config)#crypto isakmp policy 20
hub-0(config-isakmp)#encryption aes 256
hub-0(config-isakmp)#hash sha384
hub-0(config-isakmp)#authentication pre-share
hub-0(config-isakmp)#group 14
hub-0(config-isakmp)#exit
Note: If an ISAKMP policy is not configured, the Cisco IOS devices will assume the default ISAKMP policy.
In order to provide ISAKMP security to keep rogue spokes from entering the DMVPN network, we will need to configure a ISAKMP preshared key on the hub:
hub-0(config)#crypto isakmp key DmVPNmyKEY! address 13.0.0.1 #spoke-0
hub-0(config)#crypto isakmp key DmVPNmyKEY! address 14.0.0.1 #spoke-1
hub-0(config)#crypto isakmp key DmVPNmyKEY! address 15.0.0.1 #spoke-2
hub-0(config)#crypto isakmp key DmVPNmyKEY! address 16.0.0.1 #spoke-3
In order to protect the traffic while going through the mGRE interface, a transform set needs to be configured and applied to an IPsec profile:
hub-0(config)#crypto ipsec transform-set MyDMVPN-Transform esp-aes 256 esp-sha256-hmac
hub-0(cfg-crypto-trans)#mode transport
hub-0(cfg-crypto-trans)exit
hub-0(config)#crypto ipsec profile DMVPNmyProfile
hub-0(ipsec-profile)#set transform-set MyDMVPN-Transform
Note: Transport mode is being used instead of tunnel mode, which is the default. This is because we are using mGRE as the tunneling protocol.
The next step is to configure an mGRE interface, assuming that the hub router already has an interface IP configured that is public-facing.
hub-0(config)#interface Tunnel 0
hub-0(config-if)#tunnel mode gre multipoint
hub-0(config-if)#tunnel key 12345
hub-0(config-if)#tunnel source gigabitEthernet 0/0
hub-0(config-if)#ip address 10.0.0.1 255.255.255.0
On the mGRE interface, NHRP needs to be configured, and because we are configuring the hub, we will need to make NHRP the server.
hub-0(config-if)#ip nhrp network-id 1
hub-0(config-if)#ip nhrp authentication 1234!
hub-0(config-if)#ip nhrp map multicast dynamic
To enable DMVPN Phase 3 redirection, the ip nhrp redirection command is needed on the mGRE interface on the hub only.
hub-0(config-if)#ip nhrp redirection
The ip nhrp shortcut command is also needed on the hub.
hub-0(config-if)#ip nhrp shortcut
Note: The
ip nhrp shortcutcommand is enabled by default on most Cisco IOS 15.x routers on the mGRE interfaces that use the NHRP feature.
By default, the mGRE interface is going to use GRE encapsulation, which has no encryption. To enable encryption on the mGRE interface, you will need to apply the IPsec profile to the interface.
hub-0(config-if)#tunnel protection ipsec profile DMVPNmyProfile
GRE and IPsec add a lot of overhead on the IP packet and will introduce fragmentation issues in the tunnel. To avoid this problem, you can adjust the maximum transmission unit (MTU) and maximum segment size (MSS) on the mGRE interface.
hub-0(config-if)#ip mtu 1400
hub-0(config-if)#ip tcp ad
hub-0(config-if)#ip tcp adjust-mss 1360
hub-0(config-if)#end
The spoke is the remote end of the site or branch office that needs to communicate with other spokes and with the central hub security. Each spoke site can have its own private IP network behind it that it manages. Spokes in most cases don’t have a static public IP, which can make it challenging to establishing direct, point-to-point connectivity when using DMVPN.
To configure a spoke, you will first need an ISAKMP policy:
spoke-0#configure terminal
spoke-0(config)#crypto isakmp policy 20
spoke-0(config-isakmp)#encryption aes 256
spoke-0(config-isakmp)#hash sha384
spoke-0(config-isakmp)#authentication pre-share
spoke-0(config-isakmp)#group 14
spoke-0(config-isakmp)#exit
Each spoke will need to have an ISAKMP key configured that points to the hub.
spoke-0(config)#crypto isakmp key DmVPNmyKEY! address 11.0.0.1
The spokes also will require a transform set and IPsec profile.
spoke-0(config)#crypto ipsec transform-set MyDMVPN-Transform esp-aes 256 esp-sha256-hmac
spoke-0(cfg-crypto-trans)#mode transport
spoke-0(cfg-crypto-trans)exit
spoke-0(config)#crypto ipsec profile DMVPNmyProfile
spoke-0(ipsec-profile)#set transform-set MyDMVPN-Transform
The next step is to configure an mGRE interface, assuming that the hub router already has an interface IP configured that is public-facing. The mGRE interface allows the spoke to create dynamic IPsec connections not only to the hub but also other spokes, meaning that we no longer need the tunnel destination 11.0.0.1 command on the spoke.
spoke-0(config)#interface Tunnel0
spoke-0(config-if)# tunnel mode gre multipoint
spoke-0(config-if)# tunnel key 12345
spoke-0(config-if)# ip address 10.0.0.x 255.255.255.0 # x = IP of Spoke
spoke-0(config-if)# tunnel source GigabitEthernet0/0
On the mGRE interface, NHRP needs to be configured, and because we are configuring the spoke, we will need to make NHRP the client. The mapping for the NHRP server will need to be added as well.
The ip nhrp map multicast command is used to configure a mapping between the multicast IP address used for NHRP traffic and the physical IP address of a specific remote DMVPN spoke. NHRP is used in DMVPN networks to dynamically discover the public IP address of remote spokes and to facilitate direct communication between spokes without traffic needing to flow through the hub. Without this command, Phase 3 will not work!
spoke-0(config-if)# ip nhrp network-id 1
spoke-0(config-if)# ip nhrp authentication 1234!
spoke-0(config-if)# ip nhrp map 10.0.0.1 11.0.0.1 # mGRE IP, and Public IP
spoke-0(config-if)# ip nhrp nhs 10.0.0.1 # mGRE Hub IP.
spoke-0(config-if)# ip nhrp map multicast 11.0.0.1
The ip nhrp shortcut command is also needed on the spoke, allowing it to accept the redirection request coming from the hub and create a Cisco Express Forwarding shortcut for the traffic being sent through the hub. This will create a direct spoke-to-spoke connection.
hub-0(config-if)#ip nhrp shortcut
Note: The
ip nhrp shortcutis enabled by default on most Cisco IOS 15.x routers on the mGRE interfaces that use the NHRP feature.
By default, the mGRE interface is going to use GRE encapsulation, which has no encryption. To enable encryption on the mGRE interface, you will need to apply the IPsec profile to the interface.
spoke-0(config-if)#tunnel protection ipsec profile DMVPNmyProfile
GRE and IPsec add a lot of overhead on the IP packet and will introduce fragmentation issues in the tunnel. To avoid this problem, you can adjust the MTU and MSS on the mGRE interface.
spoke-0(config-if)#ip mtu 1400
spoke-0(config-if)#ip tcp ad
spoke-0(config-if)#ip tcp adjust-mss 1360
spoke-0(config-if)#end
Because we are using DMVPN Phase 3, we need to make sure that the spokes can send traffic to each other. This task is made possible by using the no ip split-horizon eigrp 1 command, which will install all routes from other spokes that are learned via the hub connected to other spokes using EIGRP as the routing protocol.
hub-0(config-if)#no ip split-horizon eigrp 1
In order to limit the size of the routing tables on the spokes, we can summarize the information using the ip summary-address eigrp 1 0.0.0.0 0.0.0.0 command. This command will install a default route pointing to the hub.
The biggest problem with any VPN system is routing, routing, routing! If routing is not working, everything will break, and you will not be able to communicate to your spoke remote sites. For example, if the administrator forgets to configure the hub-0(config-if)#no ip split-horizon eigrp 1 command, the spoke will only be able to reach the local hub network and not other spoke local networks.
spoke-0#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.0.0.0/24 is directly connected, Tunnel0
L 10.0.0.2/32 is directly connected, Tunnel0
11.0.0.0/24 is subnetted, 1 subnets
S 11.0.0.0 [1/0] via 13.0.0.2
13.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 13.0.0.0/24 is directly connected, GigabitEthernet0/0
L 13.0.0.1/32 is directly connected, GigabitEthernet0/0
14.0.0.0/24 is subnetted, 1 subnets
S 14.0.0.0 [1/0] via 13.0.0.2
15.0.0.0/24 is subnetted, 1 subnets
S 15.0.0.0 [1/0] via 13.0.0.2
16.0.0.0/24 is subnetted, 1 subnets
S 16.0.0.0 [1/0] via 13.0.0.2
172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
D 172.16.1.0/24 [90/26880256] via 10.0.0.1, 00:00:09, Tunnel0
C 172.16.2.0/24 is directly connected, GigabitEthernet0/1
L 172.16.2.1/32 is directly connected, GigabitEthernet0/1
Notice that all the spokes can only reach the hub local network and not the other spokes.
hub-0(config)#interface Tunnel 0
hub-0(config-if)#no ip split-horizon eigrp 1
hub-0(config-if)#
*Sep 26 18:44:21.773: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.0.0.5 (Tunnel0) is resync: split horizon changed
*Sep 26 18:44:21.775: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.0.0.2 (Tunnel0) is resync: split horizon changed
*Sep 26 18:44:21.776: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.0.0.3 (Tunnel0) is resync: split horizon changed
*Sep 26 18:44:21.776: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.0.0.4 (Tunnel0) is resync: split horizon changed
*Sep 26 18:44:23.691: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.0.0.4 (Tunnel0) is up: new adjacency
*Sep 26 18:44:23.729: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.0.0.3 (Tunnel0) is up: new adjacency
*Sep 26 18:44:23.742: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.0.0.2 (Tunnel0) is up: new adjacency
*Sep 26 18:44:23.781: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.0.0.5 (Tunnel0) is up: new adjacency
After configuring hub-0(config-if)#no ip split-horizon eigrp 1 on the mGRE interface of the hub, the spokes will get direct routes to the spoke routers.
spoke-0#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.0.0.0/24 is directly connected, Tunnel0
L 10.0.0.2/32 is directly connected, Tunnel0
11.0.0.0/24 is subnetted, 1 subnets
S 11.0.0.0 [1/0] via 13.0.0.2
13.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 13.0.0.0/24 is directly connected, GigabitEthernet0/0
L 13.0.0.1/32 is directly connected, GigabitEthernet0/0
14.0.0.0/24 is subnetted, 1 subnets
S 14.0.0.0 [1/0] via 13.0.0.2
15.0.0.0/24 is subnetted, 1 subnets
S 15.0.0.0 [1/0] via 13.0.0.2
16.0.0.0/24 is subnetted, 1 subnets
S 16.0.0.0 [1/0] via 13.0.0.2
172.16.0.0/16 is variably subnetted, 6 subnets, 2 masks
D 172.16.1.0/24 [90/26880256] via 10.0.0.1, 00:00:37, Tunnel0
C 172.16.2.0/24 is directly connected, GigabitEthernet0/1
L 172.16.2.1/32 is directly connected, GigabitEthernet0/1
D 172.16.3.0/24 [90/28160256] via 10.0.0.1, 00:00:27, Tunnel0
D 172.16.4.0/24 [90/28160256] via 10.0.0.1, 00:00:27, Tunnel0
D 172.16.5.0/24 [90/28160256] via 10.0.0.1, 00:00:27, Tunnel0
Notice that the spokes can now send traffic to the mGRE interface of each of the other spoke on the DMVPN network via the hub. This is where NHRP redirects will help in sending the traffic directly to the spokes.
Using the ip summary-address eigrp 1 0.0.0.0 0.0.0.0 command will create a summarized default route to each spoke, reducing the processing needed on the spokes that might not have the CPU or memory to handle larger numbers of routing tables.
ub-0(config-if)#ip summary-address eigrp 1 0.0.0.0 0.0.0.0
hub-0(config-if)#exit
hub-0(config)#
*Sep 28 17:16:55.239: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.0.0.4 (Tunnel0) is resync: summary configured
*Sep 28 17:16:55.239: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.0.0.3 (Tunnel0) is resync: summary configured
*Sep 28 17:16:55.239: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.0.0.5 (Tunnel0) is resync: summary configured
*Sep 28 17:16:55.239: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.0.0.2 (Tunnel0) is resync: summary configured
After configuring ip summary-address eigrp 1 0.0.0.0 0.0.0.0 on the mGRE interface of the hub, the spokes will get a summarized default route installed to the hub.
spoke-0#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
Gateway of last resort is 10.0.0.1 to network 0.0.0.0
D* 0.0.0.0/0 [90/26880256] via 10.0.0.1, 00:02:23, Tunnel0
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.0.0.0/24 is directly connected, Tunnel0
L 10.0.0.2/32 is directly connected, Tunnel0
11.0.0.0/24 is subnetted, 1 subnets
S 11.0.0.0 [1/0] via 13.0.0.2
13.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 13.0.0.0/24 is directly connected, GigabitEthernet0/0
L 13.0.0.1/32 is directly connected, GigabitEthernet0/0
14.0.0.0/24 is subnetted, 1 subnets
S 14.0.0.0 [1/0] via 13.0.0.2
15.0.0.0/24 is subnetted, 1 subnets
S 15.0.0.0 [1/0] via 13.0.0.2
16.0.0.0/24 is subnetted, 1 subnets
S 16.0.0.0 [1/0] via 13.0.0.2
172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.16.2.0/24 is directly connected, GigabitEthernet0/1
L 172.16.2.1/32 is directly connected, GigabitEthernet0/1
We now have full direct communication to all spokes on the DMVPN network.
# Hub Local Network
spoke-0#ping 172.16.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/6/10 ms
# Spoke-0 Local Network
spoke-0#ping 172.16.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
# Spoke-1 Local Network
spoke-0#ping 172.16.3.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.3.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 22/27/31 ms
# Spoke-2 Local Network
spoke-0#ping 172.16.4.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.4.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 26/39/63 ms
# Spoke-3 Local Network
spoke-0#ping 172.16.5.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.5.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 23/41/73 ms
spoke-0#
Once DMVPN Phase 3 is configured, a basic check needs to be done. For example, verify ISAKMP from the hub and the spoke sides.
hub-0#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
11.0.0.1 15.0.0.1 QM_IDLE 1026 ACTIVE
11.0.0.1 14.0.0.1 QM_IDLE 1025 ACTIVE
11.0.0.1 13.0.0.1 QM_IDLE 1024 ACTIVE
11.0.0.1 16.0.0.1 QM_IDLE 1027 ACTIVE
IPv6 Crypto ISAKMP SA
As you can see, the hub ISAKMP connects to all the spokes via their public IPs.
spoke-0# show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
11.0.0.1 13.0.0.1 QM_IDLE 1005 ACTIVE
IPv6 Crypto ISAKMP SA
spoke-0#
However, the spokes only have connections to the hub and not to other spokes.
hub-0#show crypto ipsec sa
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 11.0.0.1
protected vrf: (none)
local ident (addr/mask/prot/port): (11.0.0.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (16.0.0.1/255.255.255.255/47/0)
current_peer 16.0.0.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 831, #pkts encrypt: 831, #pkts digest: 831
#pkts decaps: 827, #pkts decrypt: 827, #pkts verify: 827
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 11.0.0.1, remote crypto endpt.: 16.0.0.1
plaintext mtu 1458, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0xA7402F36(2806001462)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x3ABEBB73(985578355)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Transport, }
conn id: 19, flow_id: SW:19, sibling_flags 80004000, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4285635/3026)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xA7402F36(2806001462)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Transport, }
conn id: 20, flow_id: SW:20, sibling_flags 80004000, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4285635/3026)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (11.0.0.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (15.0.0.1/255.255.255.255/47/0)
current_peer 15.0.0.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 834, #pkts encrypt: 834, #pkts digest: 834
#pkts decaps: 825, #pkts decrypt: 825, #pkts verify: 825
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 11.0.0.1, remote crypto endpt.: 15.0.0.1
plaintext mtu 1458, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0xF984C4AD(4186227885)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x259252AB(630346411)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Transport, }
conn id: 17, flow_id: SW:17, sibling_flags 80004000, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4152694/3022)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xF984C4AD(4186227885)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Transport, }
conn id: 18, flow_id: SW:18, sibling_flags 80004000, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4152694/3022)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (11.0.0.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (14.0.0.1/255.255.255.255/47/0)
current_peer 14.0.0.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 839, #pkts encrypt: 839, #pkts digest: 839
#pkts decaps: 831, #pkts decrypt: 831, #pkts verify: 831
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 11.0.0.1, remote crypto endpt.: 14.0.0.1
plaintext mtu 1458, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x130B82A0(319521440)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x38AD3679(950875769)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Transport, }
conn id: 23, flow_id: SW:23, sibling_flags 80004000, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4247953/3107)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x130B82A0(319521440)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Transport, }
conn id: 24, flow_id: SW:24, sibling_flags 80004000, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4247952/3107)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (11.0.0.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (13.0.0.1/255.255.255.255/47/0)
current_peer 13.0.0.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 874, #pkts encrypt: 874, #pkts digest: 874
#pkts decaps: 860, #pkts decrypt: 860, #pkts verify: 860
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 11.0.0.1, remote crypto endpt.: 13.0.0.1
plaintext mtu 1458, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0xA9BECC3D(2847853629)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x520D29D8(1376594392)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Transport, }
conn id: 21, flow_id: SW:21, sibling_flags 80004000, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4260868/3097)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xA9BECC3D(2847853629)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Transport, }
conn id: 22, flow_id: SW:22, sibling_flags 80004000, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4260868/3097)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
hub-0#$
As you can see from the above output, you will get a view from all the spokes connected to the hub, how many packets are being encrypted, and the security parameter index (SPI) database information for each spoke.
spoke-0#show crypto ipsec sa
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 13.0.0.1
protected vrf: (none)
local ident (addr/mask/prot/port): (13.0.0.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (16.0.0.1/255.255.255.255/47/0)
current_peer 16.0.0.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 13.0.0.1, remote crypto endpt.: 16.0.0.1
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (13.0.0.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (15.0.0.1/255.255.255.255/47/0)
current_peer 15.0.0.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 13.0.0.1, remote crypto endpt.: 15.0.0.1
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (13.0.0.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (14.0.0.1/255.255.255.255/47/0)
current_peer 14.0.0.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 13.0.0.1, remote crypto endpt.: 14.0.0.1
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (13.0.0.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (11.0.0.1/255.255.255.255/47/0)
current_peer 11.0.0.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 873, #pkts encrypt: 873, #pkts digest: 873
#pkts decaps: 888, #pkts decrypt: 888, #pkts verify: 888
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 13.0.0.1, remote crypto endpt.: 11.0.0.1
plaintext mtu 1458, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x520D29D8(1376594392)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xA9BECC3D(2847853629)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Transport, }
conn id: 5, flow_id: SW:5, sibling_flags 80000000, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4245473/3032)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x520D29D8(1376594392)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Transport, }
conn id: 6, flow_id: SW:6, sibling_flags 80000000, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4245473/3032)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
spoke-0#
As you can see above, from the spoke point of view, with Phase 3 DMVPN, we now have direct connections to other spokes to send traffic.
hub-0#show dmvpn detail
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
T1 - Route Installed, T2 - Nexthop-override
C - CTS Capable, I2 - Temporary
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface Tunnel0 is up/up, Addr. is 10.0.0.1, VRF ""
Tunnel Src./Dest. addr: 11.0.0.1/Multipoint, Tunnel VRF ""
Protocol/Transport: "multi-GRE/IP", Protect "DMVPNmyProfile"
Interface State Control: Disabled
nhrp event-publisher : Disabled
Type:Hub, Total NBMA Peers (v4/v6): 4
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb Target Network
----- --------------- --------------- ----- -------- ----- -----------------
1 13.0.0.1 10.0.0.2 UP 01:00:51 D 10.0.0.2/32
1 14.0.0.1 10.0.0.3 UP 01:00:34 D 10.0.0.3/32
1 15.0.0.1 10.0.0.4 UP 01:00:13 D 10.0.0.4/32
1 16.0.0.1 10.0.0.5 UP 01:00:06 D 10.0.0.5/32
Crypto Session Details:
--------------------------------------------------------------------------------
Interface: Tunnel0
Session: [0x0D05BD90]
Session ID: 0
IKEv1 SA: local 11.0.0.1/500 remote 13.0.0.1/500 Active
Capabilities:(none) connid:1001 lifetime:22:59:06
Crypto Session Status: UP-ACTIVE
fvrf: (none), Phase1_id: 13.0.0.1
IPSEC FLOW: permit 47 host 11.0.0.1 host 13.0.0.1
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 888 drop 0 life (KB/Sec) 4260864/2965
Outbound: #pkts enc'ed 903 drop 0 life (KB/Sec) 4260863/2965
Outbound SPI : 0xA9BECC3D, transform : esp-256-aes esp-sha256-hmac
Socket State: Open
Interface: Tunnel0
Session: [0x0D05BE88]
Session ID: 0
IKEv1 SA: local 11.0.0.1/500 remote 14.0.0.1/500 Active
Capabilities:(none) connid:1002 lifetime:22:59:23
Crypto Session Status: UP-ACTIVE
fvrf: (none), Phase1_id: 14.0.0.1
IPSEC FLOW: permit 47 host 11.0.0.1 host 14.0.0.1
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 859 drop 0 life (KB/Sec) 4247949/2975
Outbound: #pkts enc'ed 868 drop 0 life (KB/Sec) 4247948/2975
Outbound SPI : 0x130B82A0, transform : esp-256-aes esp-sha256-hmac
Socket State: Open
Interface: Tunnel0
Session: [0x0D05BF80]
Session ID: 0
IKEv1 SA: local 11.0.0.1/500 remote 15.0.0.1/500 Active
Capabilities:(none) connid:1003 lifetime:22:59:45
Crypto Session Status: UP-ACTIVE
fvrf: (none), Phase1_id: 15.0.0.1
IPSEC FLOW: permit 47 host 11.0.0.1 host 15.0.0.1
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 853 drop 0 life (KB/Sec) 4152690/2890
Outbound: #pkts enc'ed 863 drop 0 life (KB/Sec) 4152690/2890
Outbound SPI : 0xF984C4AD, transform : esp-256-aes esp-sha256-hmac
Socket State: Open
Interface: Tunnel0
Session: [0x0D05C078]
Session ID: 0
IKEv1 SA: local 11.0.0.1/500 remote 16.0.0.1/500 Active
Capabilities:(none) connid:1004 lifetime:22:59:52
Crypto Session Status: UP-ACTIVE
fvrf: (none), Phase1_id: 16.0.0.1
IPSEC FLOW: permit 47 host 11.0.0.1 host 16.0.0.1
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 856 drop 0 life (KB/Sec) 4285631/2894
Outbound: #pkts enc'ed 860 drop 0 life (KB/Sec) 4285631/2894
Outbound SPI : 0xA7402F36, transform : esp-256-aes esp-sha256-hmac
Socket State: Open
Pending DMVPN Sessions:
hub-0#
The show dmvpn detail command gives you a summary of everything except ISAKMP information. In addition, it will give you nonbroadcast multiaccess (NBMA) peer information, which is made possible via NHRP.
We are using Phase 3, so NHRP is very critical, because it allows the hub to send the NHRP redirection to the source spoke in order to get directly to the destination spoke and send traffic.
When the spoke first boots up, the NHRP cache is empty; this can be seen using the show ip nhrp command.
spoke-0#show ip nhrp
10.0.0.1/32 via 10.0.0.1
Tunnel0 created 00:49:21, never expire
Type: static, Flags: used
NBMA address: 11.0.0.1
However, you can start talking to other hosts on other spokes by sending an Internet Control Message Protocol (ICMP) ping.
spoke-0#ping 172.16.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/3 ms
spoke-0#ping 172.16.3.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.3.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 26/30/34 ms
spoke-0#ping 172.16.4.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.4.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/33/47 ms
spoke-0#ping 172.16.5.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.5.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/34/50 ms
After the ICMP ping is complete for each spoke local network, you will now see the dynamic entries on the NHRP cache. This is due to the NHRP redirection sent from the hub.
spoke-0#show ip nhrp
10.0.0.1/32 via 10.0.0.1
Tunnel0 created 01:05:32, never expire
Type: static, Flags: used
NBMA address: 11.0.0.1
10.0.0.3/32 via 10.0.0.3
Tunnel0 created 00:00:09, expire 00:09:50
Type: dynamic, Flags: router implicit nhop nf
NBMA address: 14.0.0.1
(no-socket)
10.0.0.4/32 via 10.0.0.4
Tunnel0 created 00:00:07, expire 00:09:52
Type: dynamic, Flags: router implicit nhop nf
NBMA address: 15.0.0.1
(no-socket)
10.0.0.5/32 via 10.0.0.5
Tunnel0 created 00:00:04, expire 00:09:55
Type: dynamic, Flags: router implicit nhop nf
NBMA address: 16.0.0.1
(no-socket)
172.16.3.2/32
Tunnel0 created 00:00:09, expire 00:02:55
Type: dynamic, Flags: negative
Cache hits: 2
172.16.4.2/32
Tunnel0 created 00:00:07, expire 00:02:57
Type: dynamic, Flags: negative
Cache hits: 2
172.16.5.2/32
Tunnel0 created 00:00:04, expire 00:03:00
Type: dynamic, Flags: negative
Cache hits: 2
spoke-0#