DMVPN

A conventional site-to-site VPN connects each remote office to the headquarters; DMVPN instead builds a mesh topology, so every site (spoke) can reach every other site directly, wherever it is located.

A DMVPN service runs on VPN routers or firewalls. Each remote site has a router configured to connect to the VPN device at the company's headquarters (the hub), which provides access to the available resources. When two spokes need to exchange data with each other -- for a VoIP call, for example -- the spoke contacts the hub, obtains the information it needs about the other end (NHRP resolution), and builds a dynamic IPsec tunnel directly to that spoke.

Configure DMVPN 

Secure the DMVPN tunnel using IPsec according to the following requirements:
· Configure IKE phase 1 as follows:
· Use AES encryption with the pre-shared key NORTEL
· The key must appear in plain text in the config
· All IPsec tunnels must be authenticated using the same IKE phase 1 pre-shared key
· Use 1024 bits for the Diffie-Hellman key exchange
· Configure a single policy using priority 10
· Configure IKE phase 2 as follows:
· Use NORTELXFORM as the transform set name
· Use NORTELPROFILE as the IPsec profile name
· Use IPsec in transport mode
· Use the IPsec protocol ESP with the AES algorithm at 128 bits
· Ensure that the DMVPN cloud is secured using the above parameters; use tunnel protection in your config

R1 (hub)
R1(config)#crypto isakmp enable
R1(config)#crypto isakmp policy 10
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#encryption aes
R1(config-isakmp)#group 2

R1(config)#! group 2 is the 1024-bit MODP Diffie-Hellman group required by the task
R1(config)#crypto isakmp key NORTEL address 203.3.18.2
R1(config)#crypto isakmp key NORTEL address 203.3.19.2
R1(config)#! esp-aes with no key-size argument is AES-128 on IOS
R1(config)#crypto ipsec transform-set NORTELXFORM esp-aes esp-md5-hmac
R1(cfg-crypto-trans)#mode transport

R1(config)#crypto ipsec profile NORTELPROFILE
R1(cfg-ipsec-profile)#set transform-set NORTELXFORM

R1(config)#int tunnel 0
R1(config-if)#tunnel protection ipsec profile NORTELPROFILE


R2 (spoke)
R2(config)#crypto isakmp enable
R2(config)#crypto isakmp policy 10
R2(config-isakmp)#authentication pre-share
R2(config-isakmp)#encryption aes
R2(config-isakmp)#group 2

R2(config)#crypto isakmp key NORTEL address 203.3.17.2
R2(config)#! wildcard key so dynamic spoke-to-spoke tunnels authenticate with the same PSK
R2(config)#crypto isakmp key NORTEL address 0.0.0.0 0.0.0.0
R2(config)#crypto ipsec transform-set NORTELXFORM esp-aes esp-md5-hmac
R2(cfg-crypto-trans)#mode transport

R2(config)#crypto ipsec profile NORTELPROFILE
R2(cfg-ipsec-profile)#set transform-set NORTELXFORM

R2(config)#int tunnel 0
R2(config-if)#tunnel protection ipsec profile NORTELPROFILE

R3 (spoke)
R3(config)#crypto isakmp enable
R3(config)#crypto isakmp policy 10
R3(config-isakmp)#authentication pre-share
R3(config-isakmp)#encryption aes
R3(config-isakmp)#group 2

R3(config)#crypto isakmp key NORTEL address 203.3.17.2
R3(config)#! wildcard key so dynamic spoke-to-spoke tunnels authenticate with the same PSK
R3(config)#crypto isakmp key NORTEL address 0.0.0.0 0.0.0.0
R3(config)#crypto ipsec transform-set NORTELXFORM esp-aes esp-md5-hmac
R3(cfg-crypto-trans)#mode transport

R3(config)#crypto ipsec profile NORTELPROFILE
R3(cfg-ipsec-profile)#set transform-set NORTELXFORM

R3(config)#int tunnel 0
R3(config-if)#tunnel protection ipsec profile NORTELPROFILE

Verify
#sh ip nhrp brief
#sh crypto isakmp statistics
#show crypto ipsec sa
Run these on all devices running DMVPN.
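The show commands above confirm that the tunnels actually came up; they do not tell you whether the configuration matches the task. Copying a config block from one router to the next is exactly where a key name, transform-set name or profile name drifts, and a mismatched name on one spoke only shows up later as an IKE or IPsec failure. As an added example (not part of the original lab notes), the Python audit below strips the IOS prompts from a CLI transcript and checks each router against the requirement list: one ISAKMP policy at priority 10 with pre-share, AES and DH group 2; every pre-shared key equal to NORTEL; a transform set named NORTELXFORM using esp-aes (128-bit) in transport mode; a profile named NORTELPROFILE that points at a defined transform set; and tunnel protection that points at a defined profile. The two transcripts embedded in it are constructed for the demonstration: the first has a key-name and transform-set-name mismatch, the second passes cleanly.

```python
import re

# Lab requirements from the task statement (the only values the audit trusts).
REQ = {
    "psk": "NORTEL",
    "policy_priority": "10",
    "dh_group": "2",  # 1024-bit MODP Diffie-Hellman
    "transform_set": "NORTELXFORM",
    "profile": "NORTELPROFILE",
}

# Matches 'R1(config)#cmd', 'R1(config-isakmp)#cmd', 'R1(cfg-crypto-trans)#cmd', ...
PROMPT = re.compile(r"^\S+\((?:config|cfg)[^)]*\)#\s*(.*)$")


def strip_prompts(transcript):
    """Return bare IOS commands from a CLI transcript, dropping prompts, comments and blank lines."""
    cmds = []
    for line in transcript.splitlines():
        m = PROMPT.match(line.strip())
        if m and m.group(1).strip() and not m.group(1).startswith("!"):
            cmds.append(m.group(1).strip())
    return cmds


def audit(transcript):
    """Check one router's transcript against REQ; return a list of (code, message) findings."""
    cmds = strip_prompts(transcript)
    findings = []

    # IKE phase 1: exactly one policy, priority 10, pre-share, AES, DH group 2.
    policies = [c.split()[3] for c in cmds if c.startswith("crypto isakmp policy ")]
    if policies != [REQ["policy_priority"]]:
        findings.append(("POLICY", f"expected one ISAKMP policy with priority {REQ['policy_priority']}, got {policies}"))
    for needed, code in (("authentication pre-share", "AUTH"),
                         ("encryption aes", "ENCR"),
                         (f"group {REQ['dh_group']}", "DH")):
        if needed not in cmds:
            findings.append((code, f"ISAKMP policy is missing '{needed}'"))

    # Every pre-shared key on the box must be the single shared key.
    keys = [c.split() for c in cmds if c.startswith("crypto isakmp key ")]
    if not keys:
        findings.append(("PSK_MISSING", "no ISAKMP pre-shared key configured"))
    for k in keys:
        peer = " ".join(k[5:])  # 'A.B.C.D' or the wildcard '0.0.0.0 0.0.0.0'
        if k[3] != REQ["psk"]:
            findings.append(("PSK_MISMATCH", f"key {k[3]!r} for peer {peer} is not {REQ['psk']!r}"))

    # IKE phase 2: transform set name, ESP with AES-128, transport mode.
    xforms = {c.split()[3]: c.split()[4:] for c in cmds if c.startswith("crypto ipsec transform-set ")}
    if REQ["transform_set"] not in xforms:
        findings.append(("XFORM_NAME", f"transform set {REQ['transform_set']} not defined (found {sorted(xforms)})"))
    for name, algs in xforms.items():
        if "esp-aes" not in algs:
            findings.append(("ESP_ALG", f"transform set {name} does not use esp-aes"))
        else:
            i = algs.index("esp-aes")
            # 'esp-aes' with no size argument is AES-128 on IOS; an explicit size must be 128.
            if i + 1 < len(algs) and algs[i + 1].isdigit() and algs[i + 1] != "128":
                findings.append(("ESP_KEYSIZE", f"transform set {name} uses AES-{algs[i + 1]}, expected 128"))
    if "mode transport" not in cmds:
        findings.append(("MODE", "transform set must use IPsec transport mode"))

    # The profile must carry the required name and reference a transform set that exists.
    profiles = [c.split()[3] for c in cmds if c.startswith("crypto ipsec profile ")]
    if REQ["profile"] not in profiles:
        findings.append(("PROFILE_NAME", f"IPsec profile {REQ['profile']} not defined (found {profiles})"))
    for c in cmds:
        if c.startswith("set transform-set "):
            ref = c.split()[2]
            if ref not in xforms:
                findings.append(("XFORM_UNDEFINED", f"profile references transform set {ref}, which is not defined"))

    # Tunnel protection must be applied and reference a profile that exists.
    prot = [c.split()[4] for c in cmds if c.startswith("tunnel protection ipsec profile ")]
    if not prot:
        findings.append(("TUNNEL_PROT", "tunnel interface has no 'tunnel protection ipsec profile'"))
    for ref in prot:
        if ref not in profiles:
            findings.append(("PROFILE_UNDEFINED", f"tunnel protection references profile {ref}, which is not defined"))
    return findings


# Constructed transcript: the key name and transform-set name do not match the task.
BAD_TRANSCRIPT = """
R1(config)#crypto isakmp enable
R1(config)#crypto isakmp policy 10
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#encryption aes
R1(config-isakmp)#group 2
R1(config)#crypto isakmp key CCIE address 203.3.18.2
R1(config)#crypto isakmp key CCIE address 203.3.19.2
R1(config)#crypto ipsec transform-set CCIEXFORM esp-aes esp-md5-hmac
R1(cfg-crypto-trans)#mode transport
R1(config)#crypto ipsec profile NORTELPROFILE
R1(cfg-ipsec-profile)#set transform-set NORTELXFORM
R1(config)#int tunnel 0
R1(config-if)#tunnel protection ipsec profile NORTELPROFILE
"""

# Constructed transcript: a spoke that satisfies every requirement.
GOOD_TRANSCRIPT = """
R2(config)#crypto isakmp enable
R2(config)#crypto isakmp policy 10
R2(config-isakmp)#authentication pre-share
R2(config-isakmp)#encryption aes
R2(config-isakmp)#group 2
R2(config)#crypto isakmp key NORTEL address 203.3.17.2
R2(config)#crypto isakmp key NORTEL address 0.0.0.0 0.0.0.0
R2(config)#crypto ipsec transform-set NORTELXFORM esp-aes esp-md5-hmac
R2(cfg-crypto-trans)#mode transport
R2(config)#crypto ipsec profile NORTELPROFILE
R2(cfg-ipsec-profile)#set transform-set NORTELXFORM
R2(config)#int tunnel 0
R2(config-if)#tunnel protection ipsec profile NORTELPROFILE
"""

if __name__ == "__main__":
    for label, text in (("bad", BAD_TRANSCRIPT), ("good", GOOD_TRANSCRIPT)):
        result = audit(text)
        print(f"{label}: {'PASS' if not result else 'FAIL'}")
        for code, msg in result:
            print(f"  [{code}] {msg}")
```

Run it against the saved transcript of each router before bringing the tunnels up; a clean run on all three devices means the show commands above should then report matching ISAKMP and IPsec SAs between hub and spokes.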