Cisco CCNP Security 300-730 SVPN – Site-to-Site Virtual Private Networks on Routers and Firewalls Part 3
8. DMVPN Phase 3 with IPsec
On to my topology. And as you can see in my topology, I have added an extra spoke right here, spoke number four. And I'm keeping the other two right here. I'm just adding a new one, spoke number four. So let's go and start with this configuration. So the first thing that I want to configure is going to be the hub. So we are going to go into config, config t. And the first thing that we want to do is to configure the crypto ISAKMP policy, so we can configure it. Version one, crypto ISAKMP policy. This one is going to be policy ten. And from here we need to turn on the authentication that we are going to be using. It's a pre-shared key. The encryption is going to be 3DES, the hashing is going to be MD5, and the group number is going to be two. Okay, so this is from the hub, right? So after we do that, we are done with configuring the crypto policy. And this is for IKE version one, phase one that I'm configuring right now. Then we need to go ahead and create the crypto ISAKMP key. And the key, we are going to call it the DMVPN key. And this key is going to be for the address of... for this address. So that means that we are going to be using any IP address, because as you guys know, the hub is going to be, I'm sorry, the hub is going to create a tunnel between spoke three and spoke two and spoke four. So therefore, I want to use this key for all of them.
And since I want to use it for all of them, I'm just going to add this thing that says that any of them is allowed to use this key, right? That's basically what I'm saying. Enter. And after that is configured, we need to configure the crypto IPsec transform set, and we're going to call this TSET. We are going to be using ESP AES 256 and then ESP SHA with HMAC. And the mode is going to be transport mode. Exit. After we do this, what we need to do is configure the crypto IPsec profile, right? Profile. Crypto IPsec profile. Here it is. And we're going to call this DMVPN profile. And what we need to do over here is we need to set the transform set, and then we need to attach the transform set to the DMVPN profile. Paste. There it is. So we are done configuring. As you can see, we configured the crypto ISAKMP policy, which is IKE version one, phase one. And we also configured that key that we're going to be using, which is also part of IKE version one, phase one.
Then we started configuring the transform set, which is IKE version one, phase two configuration. And then we also attached the transform set to the IPsec profile, which is part of the IKE version one, phase two configuration. So we are done. So now what we need to do is go ahead and create the tunnel, that mGRE tunnel, and then attach that DMVPN profile to it. So we're going to configure the interface tunnel. It's going to be tunnel zero. We're going to give it an IP address, as you can see right here, right? And then after that we need to configure no IP split horizon. There's a no ip split-horizon, ip nhrp network-id 10, and then the ip nhrp map multicast, ip nhrp map multicast dynamic, and then ip nhrp... I think this is it, because it is the hub, so we don't need to do any of those NHRP mappings. So after that we need to go ahead and configure the tunnel source. So I don't forget, the tunnel source is gigabit, right? It's this one right here, where the NBMA address is. And then we need to go ahead and configure the tunnel mode GRE; it is multipoint because they are going to have multiple tunnels being built from this single interface.
Then we need to add the tunnel protection IPsec profile, and we need to go ahead and attach the profile that we created, and the profile has the transform set, which tells you how we want to protect our data. There we go. So that is done. You can go ahead and exit out of here. And what I want to do is a show run section; it's going to be the crypto section that I want to see. Here we go. So what I want to do from here, since this is going to have to be configured for spoke two, three and four, I don't want to be typing everything all over again. I'm going to go ahead and copy it. We're going to open Leafpad, we are going to paste it right here, and what we're going to be doing is just copy and paste it into each one of those spokes, right? And also I forgot to do something, like always; I always forget to do the router eigrp 10. Network... and I'm doing ten because I did no ip split-horizon eigrp 10. So you've got to make sure that the autonomous system number matches. Okay, before we do that, let's go ahead and do no auto-summary, and then we've got to add the network of one, which is my loopback address, and then the network of 192.168.1.0, which is the tunnel.
There it is. So that is done. So now what I want to do is go ahead and configure... first, before we configure, I'm going to be manually configuring the tunnels for each one of them, because I want to practice these tunnels. I want to make sure that I know it by muscle memory, right? So since I want to do that, I don't want to copy and paste it. The only thing that I'm going to copy and paste is going to be IKE version one, phase one, and IKE version one, phase two, because it's going to be the same and I know how to configure those by muscle memory. There we go. Paste it. We're going to save some time. Paste it. There we go. So we have configured IKE version one, phase one and phase two for spoke two, three and four. So now, exit. What we need to do is configure tunnel zero. We need to give an IP address for spoke two, which is this one right here. The IP address is going to be 192.168.1.2, and then we're going to do ip nhrp network-id, then the ip nhrp map is going to be 192.168.1.1, and then we want to add the NBMA IP address of the hub, which is going to be this one right here, 192.1.10.1. And then ip nhrp, let's see if I remember, ip nhrp map multicast, and we need to tell it which one is the multicast, which is this one. And then ip nhrp nhs. And this one, if you do a question mark, the NHS specifies the next hop server, and the next hop server is the hub. So nhs, and we need to add right here the protocol IP address of the NHS. So that means that we need to add that tunnel IP address.
That one is 192.168.1.1. And it knows how to get there because we created a map over here, right? It says that if you want to get to this address, you need to go to this NBMA address. Okay, that's good. Now we need to do the tunnel source, the tunnel mode, which is going to be GRE multipoint. And we are doing multipoint right here instead of a tunnel destination; it is because, since we are going to be building hub-to-spoke and spoke-to-spoke, that means that we're going to be building multipoint tunnels. Right? Great. That is all good. Now the last step that you want to do is build the tunnel protection IPsec profile, and we need to attach that profile that we created. And that profile that we created was called DMVPN profile.
There we go. And as you can see right now, crypto ISAKMP went from off to being on. If you want to verify those, you can see that the hub right here already has received a crypto SA. So if you do show ip nhrp, you see that we have a dynamic map configured. If we do a show crypto isakmp sa, we have one built right now. It is active, and it is going to this destination, 192.1.10.1, and the source is coming from 192.1.2.1. If you do a show crypto ipsec sa, you can see right here the tunnels that are being created. So everything looks like it is working. So we have created a tunnel with spoke number two. Now let's go ahead and do the same for spoke number three, interface tunnel... or actually, I forgot to do something that I always forget: router eigrp 10, no auto-summary, network two two, and then network 192.168.1.0. There you go. That should form a neighbor relationship with the hub, and you can see it right here as well. So that's good. Let's go ahead and go into spoke number three and configure the same. The IP address is going to be, oops, interface tunnel zero, ip address, first 192.168.
1.3, spoke three. And from right here, after we do that, let's go ahead and do ip nhrp network-id 10, ip nhrp map 192.168.1.1 192.1.10.1, ip nhrp map multicast, and this one is to have the multicast; it's going to be the NBMA IP address. And then ip nhrp nhs, and the NHS destination is going to be... and a tunnel destination, we don't configure that; that's only for DMVPN Phase 1, for Phase 2 we do it another way. So let's go ahead and do the source, and then after we do that I will do, let me do mode GRE, see if I remember, tunnel mode gre multipoint. Okay, so we have configured, let's verify this. We have configured the network ID, we did the map multicast, the NHS, the next hop server, we did the source, we did the mode, and now we need to go ahead and create that tunnel protection IPsec profile, and we can just get it from here, the DMVPN profile. Attach it right there. Good.
Now let's go into router eigrp 10, no auto-summary, network... and then network 192.168.1.0 0.0.0.255, and there it is. Good. Now we should have another one in show ip nhrp. Now you can see that we have two. One is for 192.168.1.2, which is spoke number two, and the other one is for... which is spoke number three. Here's the NBMA address, and it was built dynamically, as you can see right here. And if we do it from over here, end. So show ip nhrp, we can see that we only have one tunnel right now, and we only have one tunnel because we have not created a spoke-to-spoke tunnel. That's because we don't know about the other spokes. So if from this spoke we do a little traceroute, and we are going to ping 192.168.1.3, which is spoke three, you can see that it's sending it, extended, to the hub. And then after it sends it to the hub... it's only the first time that it sends it to the hub.
So after it sends it to the hub, and the hub sends it back to spoke three, now spoke two knows where spoke three is, and now it should have built another tunnel, right? So if we do it from spoke three, you can see now that we have built a tunnel with 192.168.1.1, which is the hub. And then we have configured another one, 192.168.1.2, which is spoke number two. And we also built our own one, which is for our own tunnel, spoke number three. And you can see right here that the flag says it is router, unique, local. And for the other ones, as you can see, they are dynamic tunnels. The only static one is the one to the hub, because the hub is the one that... after we created it with the hub, and then we find out where spoke number two is, we created a dynamic tunnel. So we don't need to manually configure it, right? And you can see the flags for the spoke-to-spoke tunnel with spoke number two; you can see that it says router, implicit, used, nhop. Okay, so that's good.
Now let's go ahead and configure spoke number three: interface, the IP address. Let's go ahead and do it. ip nhrp network-id 10, ip nhrp map ... 192.1.10.1, ip nhrp map multicast, and for the map multicast we need to add the NBMA address, 192.1.10.1. Okay, so that is good. And then we need to specify the tunnel source, gigabit, right, for spoke number four. And then we need to do a tunnel mode GRE multipoint. And then we do the tunnel protection IPsec profile. And the IPsec profile is DMVPN profile; that's what it's called. There we go. ISAKMP, which means that ISAKMP, which is basically IKE version one, went from off to on. Now let's do router eigrp, autonomous system ten, no auto-summary, network four, network 192.168.1.0 0.0.0.255. It should build a neighbor relationship with the hub. There it is. Okay. And it built that neighbor relationship with the hub. That's because we told it the multicast... it's not the multicast. We told it... we created a static mapping right here to the hub. And since the hub is also advertising that on EIGRP, that's how it created neighbors.
So if you go to the hub and do show ip eigrp neighbors, you see that you have three neighbors: spoke four, spoke three and spoke two. And now if we do show ip nhrp, you see that we have three connections, but they were established dynamically. The unique flag is unique, registered, used, nhop. And for nhop, you can see the NBMA IP address for each one of them, actually right here, and the tunnel IP address for each one of them, for this one and this one; you can see that it is working. If you go to spoke four, show ip nhrp, we only have one that we have established, and it is with the hub. But if we do a traceroute... let's go ahead and create a spoke-to-spoke connection through the hub. Let's go ahead and ping spoke three twice. As you can see, the first one went through the hub, and the second one goes straight to the spoke, because we have created a tunnel with router three. And if we do a traceroute to spoke two, you can see that the first packet went to the hub; the second one is going to go straight to spoke two. And that's because we have created another tunnel with spoke number two.
Okay? And now if you also go into spoke three, you can see the tunnels that we had built before we received that packet from spoke three. But now if we do it again, we should have an extra one. So we have this extra one right here, which is spoke number four. Okay? And if you want to see that IPsec is working, you can do a show crypto ipsec sa. You can see that we have encapsulated ten of them. And if we do, from spoke three, a ping 192.168.1.4 repeat 100 times, then if we do a show crypto ipsec sa, you can see that it increased to 104 and 103. That means that encapsulation is working. So IPsec is working correctly, just the way we wanted it. All right? And if we repeat 100 more times, and we do show crypto ipsec sa, you can see that it went up to 200 now, because this is the one for current peer 192.1.4.1 port 500, right? And if you go into the other one, let's see, current peer 192.1.2.1, which is spoke two, you only have four. But if we do a ping to ...1.2, which is spoke two, it should increase by 100 more. Let's go ahead and take a look at it. There it is. It increased by 100 more, because we pinged 100 times. We sent 100 packets to it. And if you go ahead and take a look at... let's go ahead. Yeah, I think that's it. This is spoke three. The peer is spoke four. That's the one that we pinged 200 times. It kind of gets a little bit messy to see what you have over here. This one is spoke two. We pinged it 100 more times, only 100 times.
But if you want to see the hub one, 133 or 138... and if you ping that 100 times, if you want to ping the hub, show crypto ipsec sa. If you go ahead and take a look at the hub one, which I believe is the last one. There we go. It increased by 100. Okay, so that is working. And if you want to see it, the show crypto isakmp sa is for IKE version one, phase one, and IPsec is for IKE version one... let's see if we can look at it: show crypto ipsec sa is for IKE version one, phase two, and show crypto isakmp sa is for IKE version one, phase one. And there it is. You can see we have three connections. One to... this one, spoke three, one to spoke four, right, another one to the hub, and the other one to spoke two. Okay, so as you can see, QM_IDLE, and it is active.
You can see the connection ID, and you can see that it is working correctly. So another thing that you can do is a show dmvpn detail, which gives you all the detail of the DMVPN. You can see right here, spoke three; you can see we have a DMVPN connection with the hub, with spoke two, and with ourselves, right? Spoke three, ourselves, and this one with spoke four. And you can see the NBMA address, you can see the tunnel IP address, you can see how long it's been up for, and you can see that this one was configured statically, this one was dynamic, this one is the dynamic local tunnel, and this one was dynamic as well. Okay, guys, so this is it for this video. I hope you guys enjoyed this video. I hope it served a lot. I hope it helps you understand more of DMVPN Phase 2 and IKE version one, phase one and phase two configuration. And we did a couple of show commands too, so you can see how it is working behind the scenes, right? Yeah.
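The hub and spoke configuration walked through above, written out in full as an added example (this is not the video's own captured config). The two lines marked "Phase 3 only" (ip nhrp redirect on the hub, ip nhrp shortcut on the spokes) are what make this Phase 3 rather than the Phase 2 behaviour the video demonstrates, and they are not typed in the video. The tunnel addresses 192.168.1.x, AS 10, and the names TSET and DMVPN_PROFILE follow the transcript; the NBMA address 192.1.10.1, the loopbacks, the interface name and the key string DMVPN_KEY are assumptions.

```cisco
! Hub (the same crypto block is pasted unchanged onto each spoke)
! Lab-grade IKEv1 settings from the video: 3DES/MD5/DH group 2 are legacy;
! production would use AES, SHA-2 and group 14 or higher.
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
! Wildcard PSK: one key accepted from any peer address
crypto isakmp key DMVPN_KEY address 0.0.0.0
crypto ipsec transform-set TSET esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile DMVPN_PROFILE
 set transform-set TSET
!
! Hub mGRE tunnel
interface Tunnel0
 ip address 192.168.1.1 255.255.255.0
! split horizon off so spoke routes are re-advertised to the other spokes
 no ip split-horizon eigrp 10
 ip nhrp network-id 10
 ip nhrp map multicast dynamic
! Phase 3 only (not typed in the video): send NHRP redirects for spoke-to-spoke traffic
 ip nhrp redirect
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN_PROFILE
!
! AS 10 must match the split-horizon line above; 1.1.1.1 is an assumed hub loopback
router eigrp 10
 no auto-summary
 network 1.1.1.1 0.0.0.0
 network 192.168.1.0 0.0.0.255
!
! Spoke 2 (spokes 3 and 4 differ only in tunnel IP, loopback and tunnel source)
interface Tunnel0
 ip address 192.168.1.2 255.255.255.0
 ip nhrp network-id 10
! static map hub tunnel IP -> hub NBMA IP (192.1.10.1 is assumed); NHS = hub tunnel IP
 ip nhrp map 192.168.1.1 192.1.10.1
 ip nhrp map multicast 192.1.10.1
 ip nhrp nhs 192.168.1.1
! Phase 3 only: accept redirects and install shortcut routes
 ip nhrp shortcut
 tunnel source GigabitEthernet0/0
! mGRE, so no tunnel destination; spoke-to-spoke tunnels are built on demand
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN_PROFILE
!
router eigrp 10
 no auto-summary
 network 2.2.2.2 0.0.0.0
 network 192.168.1.0 0.0.0.255
```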