Summary of the content on the page No. 1
SOLUTION OVERVIEW
CONFIGURING DYNAMIC MULTIPOINT VPN
WITH ON-DEMAND ROUTING
OVERVIEW
This document provides a sample configuration for On-Demand Routing (ODR) with Dynamic Multipoint VPN (DMVPN) in a hub-and-spoke
configuration. The DMVPN feature simplifies the hub router IPsec configuration and supports dynamic IP addresses at the spoke router.
DMVPN combines Generic Routing Encapsulation (GRE) tunnels, IPsec encryption, and Next Hop Resolution Protocol (NHRP). It provides IP
Summary of the content on the page No. 2
• This configuration guide uses private addresses only. When using private addresses and connecting to the Internet, an appropriate Network Address Translation (NAT) or Port Address Translation (PAT) configuration is required to provide connectivity over the Internet.
• ODR provides a default route only to the spoke; the configuration supports a hub-and-spoke topology with no split tunneling.
PRECAUTIONS
Before configurations are made to any router, confirm the following:
• The spoke rou
Summary of the content on the page No. 3
CONFIGURATION OF THE CISCO 3725 ROUTER
Following are the configurations on the Hub router:
Current configuration:
!
version 12.3
!
hostname c3725-21
!
no aaa new-model
!
ip subnet-zero
ip cef
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile SDM_Profile1
 set transfo
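The ISAKMP and IPsec settings in this configuration (3DES, Diffie-Hellman group 2, and a pre-shared key bound to address 0.0.0.0 0.0.0.0, which is accepted from any peer) are ones a configuration review would normally flag. The following is an added example, not part of the original Cisco document: a Python check over the crypto lines of an IOS configuration. The function names and finding labels are assumptions made for illustration, and the sample input is constructed from the lines shown on this page.

```python
import re

# Constructed sample: the crypto lines as they appear in the hub configuration on this page.
SAMPLE_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode transport
"""

def parse_isakmp_policies(config):
    """Return {policy_number: {keyword: value}} from 'crypto isakmp policy' blocks."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)\s*$", line)
        if m:
            current = policies.setdefault(int(m.group(1)), {})
        elif current is not None and line.startswith(" "):
            key, _, value = line.strip().partition(" ")
            current[key] = value
        else:
            current = None  # any other line ends the policy block
    return policies

def audit_crypto(config):
    """Return a sorted list of (check_id, detail) findings; key material is never echoed."""
    findings = []
    for num, p in parse_isakmp_policies(config).items():
        if p.get("encr") in ("des", "3des"):
            findings.append(("legacy-ike-cipher", f"policy {num}: encr {p['encr']}"))
        if p.get("group") in ("1", "2", "5"):
            findings.append(("small-dh-group", f"policy {num}: group {p['group']}"))
    # A key bound to 0.0.0.0 0.0.0.0 is accepted from any peer address.
    wildcard = r"^crypto isakmp key \S+ address 0\.0\.0\.0( 0\.0\.0\.0)?\s*$"
    for _ in re.finditer(wildcard, config, re.M):
        findings.append(("wildcard-psk", "pre-shared key matches any peer"))
    for m in re.finditer(r"^crypto ipsec transform-set (\S+) (.+)$", config, re.M):
        if re.search(r"\besp-(des|3des)\b", m.group(2)):
            findings.append(("legacy-esp-cipher", f"transform-set {m.group(1)}"))
    return sorted(findings)

if __name__ == "__main__":
    for check, detail in audit_crypto(SAMPLE_CONFIG):
        print(f"{check}: {detail}")
```

The same crypto lines recur in the other router configurations in this document, so the check applies to each of them unchanged.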
Summary of the content on the page No. 4
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile SDM_Profile1
!
interface FastEthernet0/0
 ip address 10.0.149.221 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.20.21 255.255.255.0
 duplex auto
 speed 100
!
router odr
 distribute-list 101 in
!
router eigrp 1
 redistribute odr metric 2000 100 255 255 1400
 network 192.168.1.0
 network 192.168.2.0
 network 192.168.20.0
 n
Summary of the content on the page No. 5
VERIFYING THE CISCO 3725 ROUTER RESULTS
Normal Operation
This section provides information that can be used to confirm that the configuration is working properly.
c3725-21#show ip route
Codes: C-connected, S-static, R-RIP, M-mobile, B-BGP
       D-EIGRP, EX-EIGRP external, O-OSPF, IA-OSPF inter area
       N1-OSPF NSSA external type 1, N2-OSPF NSSA external type 2
       E1-OSPF external type 1, E2-OSPF external type 2
       i-IS-IS, su-IS-IS summary, L1-IS-IS level-1, L2-IS-IS level-2
       ia-
Summary of the content on the page No. 6
 IPSEC FLOW: permit 47 host 10.0.149.221 host 10.0.150.2
   Active SAs: 2, origin: crypto map
   Inbound: #pkts dec'ed 6757 drop 0 life (KB/Sec) 4427309/2860
   Outbound: #pkts enc'ed 65162 drop 1 life (KB/Sec) 4427290/2860
c3725-21#show ip protocols
Routing Protocol is "nhrp"
  Maximum path: 0
  Routing Information Sources:
    Gateway         Distance      Last Update
  Distance: (default is 0)
Routing Protocol is "eigrp 1"
  Outgoing update filter list for all interfaces is not set
  Inc
Summary of the content on the page No. 7
 Hardware is Tunnel
 Internet address is 192.168.1.1/24
 MTU 1514 bytes, BW 1000 Kbit, DLY 10000 usec,
    reliability 255/255, txload 1/255, rxload 1/255
 Encapsulation TUNNEL, loopback not set
 Keepalive not set
 Tunnel source 10.0.149.221 (FastEthernet0/0), destination UNKNOWN
 Tunnel protocol/transport multi-GRE/IP
   Key 0x186A0, sequencing disabled
   Checksumming of packets disabled
 Fast tunneling enabled
 Tunnel transmit bandwidth 8000 (kbps)
 Tunnel receive bandwidth 8000 (k
Summary of the content on the page No. 8
!
hostname c1751-16
!
no aaa new-model
ip subnet-zero
!
ip cef
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode transport
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile SDM_Profile1
 set transform-set ESP-3DES-SHA1
!
crypto ipsec profile SDM_Pr
Summary of the content on the page No. 9
 tunnel source FastEthernet0/0
 tunnel destination 10.0.149.221
 tunnel key 100000
 tunnel protection ipsec profile SDM_Profile1
!
interface Tunnel1
 bandwidth 1000
 ip address 192.168.2.10 255.255.255.0
 ip mtu 1400
 ip nhrp authentication DMPVN_BU
 ip nhrp map 192.168.2.1 10.0.149.220
 ip nhrp network-id 100001
 ip nhrp holdtime 360
 ip nhrp nhs 192.168.2.1
 ip nhrp server-only
 ip tcp adjust-mss 1360
 delay 1000
 cdp enable
 tunnel source FastEthernet0/0
 tunnel destinati
Summary of the content on the page No. 10
       N1-OSPF NSSA external type 1, N2-OSPF NSSA external type 2
       E1-OSPF external type 1, E2-OSPF external type 2
       i-IS-IS, su-IS-IS summary, L1-IS-IS level-1, L2-IS-IS level-2
       ia-IS-IS inter area, *-candidate default, U-per-user static route
       o-ODR, P-periodic downloaded static route
Gateway of last resort is 192.168.2.1 to network 0.0.0.0
     10.0.0.0/24 is subnetted, 2 subnets
C       10.0.150.0 is directly connected, FastEthernet0/0
S       10.0.149.0 [1/0] via 10.0.150.207
C
Summary of the content on the page No. 11
    Gateway         Distance      Last Update
  Distance: (default is 0)
c1751-16#show cdp neighbor
Capability Codes: R-Router, T-Trans Bridge, B-Source Route Bridge
                  S-Switch, H-Host, I-IGMP, r-Repeater
Device ID            Local Intrfce   Holdtme   Capability   Platform  Port ID
c2950-xl             Eth 0/0         165       S I          WS-C2950G-Fas 0/6
c2950-xl             Fas 0/0         165       S I          WS-C2950G-Fas 0/9
c3725-21.cisco.com   Tunnel0         152       R S I        3725      Tunnel0
c3745-20.cisco.com   Tu
Summary of the content on the page No. 12
!
resource manager
!
ip subnet-zero
ip cef
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile SDM_Profile1
 set transform-set ESP-3DES-SHA
!
!
!
!
interface Tunnel0
 bandwidth 1000
 ip address 192.168.2.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentic
Summary of the content on the page No. 13
 ip address 10.0.149.220 255.255.255.0
 speed 100
 full-duplex
!
interface FastEthernet0/1
 description $FW_INSIDE$
 ip address 192.168.20.20 255.255.255.0
 speed 100
 full-duplex
!
router odr
 distribute-list 101 in
!
router eigrp 1
 redistribute odr
 network 192.168.2.0
 network 192.168.20.0
 no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.0.149.207
!
access-list 101 permit ip any 192.168.0.0 0.0.255.255
!
end
CISCO 831 ROUTER CONFIGURATION
Current co
Summary of the content on the page No. 14
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode transport
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile SDM_Profile1
 set transform-set ESP-3DES-SHA1
!
crypto ipsec profile SDM_Profile2
 set transform-set ESP-3DES-SHA
!
!
interface Tunnel0
 bandwidth 1000
 ip address 192.168.1.11 255.255.255.0
 ip mtu 1400
 ip nhrp aut
Summary of the content on the page No. 15
 cdp enable
 tunnel source Ethernet1
 tunnel destination 10.0.149.220
 tunnel key 100001
 tunnel protection ipsec profile SDM_Profile2
!
interface Ethernet0
 ip address 192.168.27.1 255.255.255.0
!
interface Ethernet1
 ip address dhcp
 duplex auto
!
ip classless
ip route 10.0.149.0 255.255.255.0 dhcp
!
end
RELATED INFORMATION
• IPsec Support Page
• An Introduction to IPsec Encryption
• Configuring On-Demand Routing, Release 12.2 Configuration Guide
• Designing Large-