Cisco CCNP Security 300-730 SVPN – Site-to-Site Virtual Private Networks on Routers and Firewalls Part 6

  • January 26, 2023

11. DMVPN with IKEv2

Here is my topology, and like always I like to start from the hub. I like to configure the hub first. Before we start, something to point out: this is a loopback address, and that's the loopback address that we are going to be using for the tunnel. You guys are going to see that later on. We have another loopback address here, Loopback 8, and this one is going to mimic a network behind the hub, kind of like a LAN. And this one is the NBMA IP address, which is the IP address of this interface. They are all configured and they are all able to ping each other.

So I just configured static routes so they're able to ping each other. Okay, that's just how I'm going to start. So the first thing that we need to do for this configuration is create an interface virtual-template. And this one is not like a tunnel that we would normally be creating; it is going to be a DVTI (dynamic virtual tunnel interface). A DVTI is a type of tunnel that provides an on-demand, separate virtual-access interface for each VPN session. So what the DVTI does is, every time somebody connects, let's say R1 connects to the hub with the DVTI, it's going to provide a separate virtual-access interface for that connection, and if R2 connects, it's going to provide another virtual-access interface for that session as well.

And even if this one is running GRE, right? So if this one is running a static GRE tunnel, it's going to match that template, that DVTI, and if this one is running mGRE, it's going to match it too, but it's just going to put it in a different logical interface. So we are going to end up with multiple virtual interfaces. That's why we're going to be using a DVTI for IKEv2, because with IKEv2, if I recall, from the hub standpoint you can only use a DVTI for this configuration. Okay? So let's go ahead and start with that. It's going to be a new command, and it is interface virtual-template. Oops, let's get out of this first. Virtual-template.

And this virtual-template, we are going to have to give it a number. Let's call this number 8, right? And then the type is going to be tunnel. Enter. So in here, in this tunnel, what we're going to do is add the tunnel mode, and the tunnel mode for that is going to be GRE with IP (tunnel mode gre ip), right? Okay. And then after that, what we need to do is configure ip unnumbered with a loopback, and we need to add that Loopback 88 that I configured before I started this video.

Here we go, 88. And this Loopback 88 has an IP address of 80.80.80.88. There you go. And what this means, with ip unnumbered Loopback88, is that the ip unnumbered command allows you to process IP packets on an interface without a unique IP address on that interface. It works by borrowing an IP address from another interface. So that's what we're doing: we're borrowing the IP address of Loopback 88. If you do show ip interface brief, you can see that Loopback 88 has this IP address and also that the template that we configured, the DVTI, has the IP address of Loopback 88.

And this one, the ip unnumbered Loopback88, was set up because back in the day, before we had VLSM, the V... what is it? VSLM? I forgot. VLSM, variable length subnet masking. So before, what we used to have was only classful IP addressing, so we could only use either a /16 or a /24 subnet mask, and you had to use all those IP addresses or they were all going to waste.

So if you were going to pick an IP address like 192.168.1.0 or that one, then all the other IP addresses were going to go to waste even though you were only going to use one. And therefore, back in the day, they came out with this ip unnumbered so we didn't have to waste a ton of IP addresses. You can just borrow an IP address from another interface like we're doing right now. But now that's not really the case, because now we have classless IP addressing, right?

So just letting you know. There it is. And we did that with ip unnumbered Loopback88. Hopefully I explained that right. If I didn't explain it well to you guys, you can always leave a comment and I will try to explain it a little bit better. So let's keep going. I'm talking too much and not configuring a lot. So after that is done, we need to start on the IKEv2 configuration. So for IKEv2, we need to do a crypto command, and this one is going to be crypto ikev2. We need to configure the keyring and give it a name: crypto ikev2 keyring, with the name IKEv2 keyring. What we need to do is add those peers' IP addresses and also their local and remote keys. Like I said, for this peer, we need to go to peer R1.

And for this peer R1, we need to provide that NBMA IP address, which is the R1 address on the topology (one-nine-two... 2101). There we go. And then after that we need to do the pre-shared-key local, which is going to be my key, the local key. I'm just going to put the same for all the keys. And also we need to do the pre-shared-key remote, which is R1's. We are just going to provide the same key, DMVPN key. Okay. And then we need to do peer R2, and we can just do 21 over here. Local key the same, remote key the same. Then we can do peer R3; the address is going to be different, 30. Local key.

The same remote key; it's going to be the same as the local. And after that is done, we need to go ahead and configure crypto ikev2 profile and give it a name: IKEv2 profile. Let me do this one: crypto... crypto ikev2. There we go. And in here, what we need to do is a match identity, right? Let me see if I do this right. Profile? Or is it identity? Okay, identity. No, it is match. There we go: match identity remote. So we need to add a couple of remote identities. Match identity remote address: 2101, and then 21, and then 31.

And then we can do the identity local, which is the hub address (one-nine-two... 2181). I forgot to add "address" over here. There we go. And then we need to do the authentication. The authentication for the remote is going to be pre-share (pre-shared key), and the authentication for the local is also going to be pre-share. Okay. And then we are going to attach the keyring local, and it's going to be that keyring that we created, the IKEv2 keyring. So we attach it to the IKEv2 profile. There it is. And then we need to attach that virtual-template that we created, which we gave the number 8. There we go. And then after that we need to create the transform set. So we do crypto ipsec transform-set. We're going to call this TSET, with esp-aes 256 and esp-sha-hmac. There we go. So that is done; we have created that transform set.

So now what we need to do is create a crypto ipsec profile, and we're going to call this IPSEC_PROFILE. And from here what we need to do is set the transform set, so we attach the transform set that we created, and we also need to attach that IKEv2 profile, which we called... let me see if I can find it. Here we go: IKEv2 profile. We attach it to the IPsec profile. There we go. Okay, so we set up the IPsec profile, we attached the TSET, and we attached the IKEv2 profile, which also has the keyring and the virtual-template as well. And then after that, what we want to do is go into router eigrp 10. From over here, let's just go ahead and do no auto-summary, and we need to add those networks: 80.80.80.88 and also the network of Loopback 8. And then we go back to the interface of the virtual-template that we created, virtual-template 8, type tunnel. I don't know how to go there without the type tunnel: interface virtual-template 8 type tunnel. And from here we need to add the tunnel protection using the IPsec profile, and that IPsec profile that we created was called IPSEC_PROFILE (tunnel protection ipsec profile IPSEC_PROFILE). And then we can do no ip split-horizon eigrp 10.

And you guys should know from my other videos what this does, and if you don't, go ahead and watch my other videos because I don't really have a lot of time to explain it. All right, so we have configured everything; as you can see, "ISAKMP is ON" now. Good stuff. So now we do a show run | section crypto. Okay, so since we are going to be using the same IKEv2 profile for all of them, what we need to do is go ahead and copy this. Let's go and open Leafpad, and what we're going to do is just edit whatever we need. For R1, R2 and R3, we are only going to create a connection with the hub. So if we go... let me see what this one is called. Hub. So since we're only going to have a connection with the hub, what we can do is put "hub" right here as the peer name and put the IP address of the hub, which is 80. That one; remote key and local key are going to be the same. We can delete this because we're not going to have spoke-to-spoke, only hub-to-spoke, so we can go ahead and delete this one too right here, and the remote identity is going to be 80, right? I mean, we can even see it right here because we copied and pasted it. Yes, the remote identity is that; the local identity for R1 is going to be 10. Authentication remote pre-share, the template, all that good stuff, crypto ipsec, mode tunnel, crypto... all that good stuff. Okay, so that's going to be like that.

So before we can do that, what we want to do is spoke number one. We are going to go ahead and do that, but you're going to see that it's going to be different. For this configuration we are not going to use a DVTI; it is going to be different. And since it's going to be different, we are actually not going to use this virtual-template, so we can get rid of that. Okay, good. And let's go ahead and start this configuration for R1. What we're going to do is create a tunnel: interface tunnel 8. In here we need to do tunnel mode gre ip, tunnel source GigabitEthernet, right? And then the tunnel destination is going to be the NBMA IP address of the hub (one-nine-two... 181). We need a tunnel destination because it's going to be a point-to-point configuration, right? It's only going to be hub-to-spoke; that's why we're doing this destination. Otherwise we would just use the tunnel mode gre multipoint configuration, the multipoint command here. Okay? And after that we can do ip unnumbered as well. ip unnumbered, and we are going to be using that IP address of Loopback 11. Do show ip interface brief, make sure that it is... do show ip interface brief. There we go, that's the correct one. Good. So after that is done, we go ahead and configure IKEv2. And since we're not going to waste any time, we are going to go ahead and copy and paste this right here. Let me make sure that everything is good.

The address of the hub is good, keys are good, remote identity good, local identity good, and then the rest will be good. So let's go ahead and paste that right here. Okay, good. So after that is done, make sure that everything went in there. We added the transform set and the keyring, so that's good. Yes, we are done. Okay, so now we need to go back to tunnel 8, and for tunnel 8 we can now add the tunnel protection ipsec profile and attach that profile that we created, that IPsec profile; we called it IPSEC_PROFILE (with the underscore). There we go. You can see "ISAKMP is ON" now. Good. And if we do a show ip interface brief, you can see that it's up and up. You can see that we have a virtual-access interface, Virtual-Access1. We do show ip interface brief. We can see now that we have a Virtual-Access1 connection and it is up and up, and this one, the virtual-template, its protocol is down for some reason. I think if we go config t, interface virtual-template 8 type tunnel... okay, let's just go ahead and leave it like that. Let's do show ip nhrp. We're not running that. show ip dmvpn or show dmvpn, okay, nothing. All right, that's fine. Let's go ahead and go into R1 and finish this configuration. The next step is to configure router eigrp 10, no auto-summary, network, and then network 11.11.11.11. That should form a neighbor relationship with the hub. Good. show ip interface brief looks good. So now, actually, let me go ahead and go to interface tunnel 8; I think I forgot to do something. Just shut it down. Okay, go to config t, interface virtual-template 8 type tunnel, and what if we do tunnel... do we need to do a tunnel source GigabitEthernet? Do show ip interface brief. I should do a shutdown, no shutdown.

All right, that's fine. Let's go ahead and do no shutdown over here. "ISAKMP is ON" and we have re-formed that neighbor relationship. That virtual-access is now up and running. show ip interface brief. Good. We'll be able to ping. We do show crypto ikev2 sa. We do have a connection via the remote, via the hub, right, and the local IP address is this one. So it looks like it is working the way we wanted. So it looks good. We do show crypto ipsec sa; packets are being encrypted and decrypted. As you can see, those hello packets are being encrypted and decrypted. If we do a ping (one-one-two-two-one) with repeat 100 and then we do a show crypto ipsec sa, it looks like it was not encrypted or decrypted. What if we go ahead and ping 11.11.11.11? Interesting. Let's go into the hub and do show crypto ipsec sa. It is working. Okay, I just want to make sure that I configured everything correctly. Tunnel mode gre ip, everything should be good.

Let's go ahead and go now to R2 and do basically the same thing that we did on R1. From over here, what we need to do is go into... the caps lock is on... so, interface. I think it's frozen. There we go, interface. And for this tunnel 8, what we need to do is configure tunnel mode gre ip, then the tunnel destination (...181). There we go, tunnel destination. Then ip unnumbered; we're going to use the loopback. Do show ip interface brief. Yes, we borrowed that IP address, so it looks good. Now that is done, what we need to do is configure IKEv2. It's going to be with the hub; it's always going to be the same. The remote is going to be the hub. The local, though, is going to be 20, and then the rest is the same. Go ahead and paste that over here. Good, we are done. Now let's go ahead and go into interface tunnel 8 and do tunnel protection ipsec profile, and we need to attach that IPsec profile over here. Then ISAKMP should come up. Good. Now if you go to the hub router, you can see that we have a new virtual interface: show ip interface brief. There we go. So we now have another virtual-access.

So every time we have a connection, like I said, we create a new logical interface. All right, great. Now let's go ahead and move on to R3. Interface tunnel 8, we are going to do the same, and then after that we need to do ip unnumbered so we can borrow that IP address from the R3 loopback. And then we're going to go ahead and configure IKEv2. The only thing that we need to change is this local address. Copy it, paste it, looks good, right? Okay, now we need to go back to interface tunnel 8 and do tunnel protection ipsec profile and attach that profile over here. Paste, exit. Let's go into router eigrp 10, no auto-summary, network. We need to add two networks: 3.3.3.3 and then network 33.33.33.33. I don't think that we added that over here on R2. We did not add it. Let's go ahead and do router eigrp 10, network... actually, no auto-summary first, network 2.2.2.2, network 22.22.22.22. There we go. That should form a neighbor relationship. Good. Now, if we do a show ip eigrp neighbors, we have three neighbors: via Virtual-Access2, via Virtual-Access3 and via Virtual-Access1.

So that's good. show ip interface brief looks good. Let's see if I'm missing something. Everything looks good. Let's go to the hub and do show run and verify my configuration over here. Keyring, peers: we got all the peers, we got all the remotes, IPsec, IKEv2, we got the loopbacks and we got the no split-horizon. We added the tunnel protection. That's good. So it looks like everything is good, and we have successfully configured all that. So if we do a show crypto ikev2 sa, you can see that we have three tunnels. They're using AES-CBC with a key size of 256, SHA512, and DH group 5. And it's all the same for all three tunnel ID connections, for all these tunnel connections. And if you do a show crypto ipsec sa, we can see those connections. We can see that we have 115, 116 over here, we have 660 and 29. You can see those over here as well.

Let's see if we can ping. Let's try to ping. Let me see the first one, Virtual-Access1. Let's try to ping the peer: ping this IP address, and we're going to repeat it 100 times. Then show crypto ipsec sa. It looks like it didn't go up; I'm not sure. Looks like it's not being encrypted or something. Let's do a show ip route. We have those routes. So to get to this one, it's going to be via 11.11.11.11, via this interface. So let's go ahead and ping with repeat 100. show crypto ipsec sa: you can see, I believe it is going up now. What if we turn on debug crypto engine packet? Let's go ahead and ping 100 times, if I want to go crazy. As you can see, it is being encrypted and decrypted right now, because we are getting these codes, and those codes mean that it's encrypting and decrypting all the data.

So IKEv2 is working on the DMVPN tunnel that we created with a DVTI. And those are the tunnels that provide an on-demand, separate virtual-access interface for each VPN session. Okay? And we do "un all" (undebug all) so we can stop it. And like I said, after undebug all it's still going, because since I pinged 100 times it's still going to go for a little bit. And if you do show ip interface brief, like I said, whenever we configure a DVTI, the DVTI provides an on-demand, separate virtual-access interface for each VPN session. And this is what it means: whenever we create this template and then we create a tunnel, a hub-to-spoke tunnel, it creates a separate virtual interface for each connection, for each VPN connection that we have. And that is what the DVTI does. Okay, so this is it for this video, guys. I hope you guys enjoyed this video.
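Pulling the hub and R1 steps from the video together, here is a consolidated configuration. This is an added reconstruction, not the video's own config: the interface names, the 192.0.2.x NBMA addresses, the object names and the DMVPN_KEY value are assumptions, the hub's tunnel source line follows Cisco's usual DVTI hub examples rather than the video, and the IOS default IKEv2 proposal and policy are relied on, as in the video.

```cisco
! ---- HUB: DVTI hub. Addresses are assumed lab values, not the video's ----
interface Loopback88
 ip address 80.80.80.88 255.255.255.255
interface Loopback8
 ip address 8.8.8.8 255.255.255.255
crypto ikev2 keyring IKEV2_KEYRING
 peer R1
  address 192.0.2.11
  ! DMVPN_KEY stands in for a real, per-peer secret
  pre-shared-key local DMVPN_KEY
  pre-shared-key remote DMVPN_KEY
crypto ikev2 profile IKEV2_PROFILE
 match identity remote address 192.0.2.11 255.255.255.255
 identity local address 192.0.2.8
 authentication remote pre-share
 authentication local pre-share
 keyring local IKEV2_KEYRING
 virtual-template 8
crypto ipsec transform-set TSET esp-aes 256 esp-sha-hmac
crypto ipsec profile IPSEC_PROFILE
 set transform-set TSET
 set ikev2-profile IKEV2_PROFILE
! Each IKEv2 session clones a Virtual-Access interface from this template
interface Virtual-Template8 type tunnel
 ip unnumbered Loopback88
 no ip split-horizon eigrp 10
 tunnel source GigabitEthernet0/0
 tunnel mode gre ip
 tunnel protection ipsec profile IPSEC_PROFILE
!
router eigrp 10
 no auto-summary
 network 8.8.8.8 0.0.0.0
 network 80.80.80.88 0.0.0.0
!
! ---- SPOKE R1: static point-to-point GRE tunnel, no virtual-template ----
interface Loopback11
 ip address 11.11.11.11 255.255.255.255
crypto ikev2 keyring IKEV2_KEYRING
 peer HUB
  address 192.0.2.8
  pre-shared-key local DMVPN_KEY
  pre-shared-key remote DMVPN_KEY
crypto ikev2 profile IKEV2_PROFILE
 match identity remote address 192.0.2.8 255.255.255.255
 identity local address 192.0.2.11
 authentication remote pre-share
 authentication local pre-share
 keyring local IKEV2_KEYRING
crypto ipsec transform-set TSET esp-aes 256 esp-sha-hmac
crypto ipsec profile IPSEC_PROFILE
 set transform-set TSET
 set ikev2-profile IKEV2_PROFILE
interface Tunnel8
 ip unnumbered Loopback11
 tunnel source GigabitEthernet0/0
 tunnel destination 192.0.2.8
 tunnel mode gre ip
 tunnel protection ipsec profile IPSEC_PROFILE
!
router eigrp 10
 no auto-summary
 network 11.11.11.11 0.0.0.0
```

The Virtual-Template interface itself always shows down/down in show ip interface brief; only the cloned Virtual-Access interfaces come up, which is the behaviour seen in the video.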
