===== Cisco IOS DMVPN =====
{{tag>Cisco IOS Routing}}
==== Description ====
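When using EIGRP with classless subnets, remember to disable automatic summarization (''no auto-summary''); otherwise routes are summarized at the classful network boundary.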
{{ :images:routing:cisco-ios-dmvpn-01.png?nolink |}}
==== Configurations ====
=== Router 101 ===
!
! Router 101: DMVPN hub. It has no "ip nhrp nhs" of its own and accepts dynamic
! NHRP registrations; the other routers on this page point their NHS at 172.16.1.1.
!
! SECURITY: "address 0.0.0.0 0.0.0.0" is a wildcard pre-shared key. Any peer address
! that presents this key passes IKE authentication, and the same key appears in every
! router config on this page, so one leaked config exposes the whole overlay.
! "tunvpnkey" is a lab value: use a long random key per deployment, or certificate
! authentication (rsa-sig), and keep the key out of published configs.
crypto keyring keyring-vpn
local-address 12.101.0.2
pre-shared-key address 0.0.0.0 0.0.0.0 key tunvpnkey
!
! IKEv1 phase 1 policy: AES-256, pre-shared-key authentication, DH group 5 (1536-bit MODP).
! No "hash" line is present, so the platform default applies (SHA-1 on classic IOS -
! confirm on your release).
! SECURITY: group 5 is a legacy DH group; group 14 or higher is the usual minimum today.
! Any change here must be made on every DMVPN router at once or negotiation fails.
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
! ISAKMP profile: ties the keyring to peers whose identity address matches 0.0.0.0 (any).
! NOTE(review): the ipsec profile below has no "set isakmp-profile isakmp-vpn" line -
! confirm whether this profile is meant to be attached there.
crypto isakmp profile isakmp-vpn
keyring keyring-vpn
match identity address 0.0.0.0
local-address 12.101.0.2
!
! Phase 2 transform: "esp-aes" with no key size is AES-128, "esp-sha-hmac" is HMAC-SHA-1.
! SECURITY: weaker than the AES-256 used in phase 1; "esp-aes 256 esp-sha256-hmac" is the
! stronger equivalent where the platform supports it (change on all routers together).
! No "mode transport" line, so the default (tunnel mode) is used.
crypto ipsec transform-set tset-vpn esp-aes esp-sha-hmac
!
! IPsec profile applied to Tunnel1; PFS forces a fresh DH exchange (group 5) per rekey.
crypto ipsec profile ipsec-profile
set transform-set tset-vpn
set pfs group5
!
! mGRE tunnel interface, hub address 172.16.1.1/24 on the overlay.
interface Tunnel1
ip address 172.16.1.1 255.255.255.0
no ip redirects
ip mtu 1400
! Keep the originating spoke as EIGRP next hop so spoke-to-spoke traffic need not transit the hub.
no ip next-hop-self eigrp 10
! SECURITY: the NHRP authentication string travels in clear text inside NHRP packets;
! it guards against misconfiguration, not attackers. The IPsec profile is the real control.
ip nhrp authentication nhrpauth
! Spokes that register are added automatically to the multicast replication list.
ip nhrp map multicast dynamic
ip nhrp network-id 10101
ip nhrp holdtime 300
! NOTE(review): MSS 1379 plus 40 bytes of IP/TCP header is 1419, above "ip mtu 1400";
! 1360 is the value normally paired with a 1400-byte tunnel MTU - confirm intent.
ip tcp adjust-mss 1379
! Allow routes learned from one spoke on Tunnel1 to be advertised back out Tunnel1 to the others.
no ip split-horizon eigrp 10
! Interface delay (tens of microseconds) feeding the EIGRP metric.
delay 1000
tunnel source 12.101.0.2
tunnel mode gre multipoint
! GRE key; the same value (10101) is configured on every Tunnel1 on this page.
tunnel key 10101
! Encrypts the GRE/NHRP traffic of this tunnel with the profile above.
tunnel protection ipsec profile ipsec-profile
!
! Public-facing interface (NAT outside), 12.101.0.2/30.
! SECURITY: no inbound ACL is shown. On an Internet-facing hub, restrict inbound traffic
! to what the VPN needs (IKE on UDP 500/4500 and ESP) plus any required management.
interface FastEthernet0/0
ip address 12.101.0.2 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
! LAN interface (NAT inside), 10.101.0.1/24.
interface FastEthernet0/1
ip address 10.101.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
! EIGRP AS 10 on the LAN (any interface in 10.101.0.0/16) and on the tunnel subnet.
! The public 12.101.0.0/30 link is not covered, so EIGRP does not run on the outside.
! SECURITY: no EIGRP authentication and no passive-interface are shown; EIGRP also
! listens on the LAN (Fa0/1). Consider "passive-interface FastEthernet0/1" and
! per-interface EIGRP authentication on Tunnel1.
router eigrp 10
network 10.101.0.0 0.0.255.255
network 172.16.1.0 0.0.0.255
no auto-summary
!
! Default route toward 12.101.0.1 (Fa0/0 of the "Public" router on this page).
ip route 0.0.0.0 0.0.0.0 12.101.0.1
!
! PAT: inside sources permitted by route-map rmap-nat are overloaded onto Fa0/0's address.
! Tunnel1 is not a NAT outside interface, so traffic routed into the tunnel is not translated.
ip nat inside source route-map rmap-nat interface FastEthernet0/0 overload
!
ip access-list extended acl-nat
permit ip 10.101.0.0 0.0.255.255 any
!
route-map rmap-nat permit 10
match ip address acl-nat
!
=== Router 102 ===
!
! Router 102: DMVPN spoke. Registers over NHRP with the hub (tunnel 172.16.1.1,
! public 12.101.0.2) and runs EIGRP AS 10 across Tunnel1.
!
! SECURITY: wildcard pre-shared key - any peer address presenting "tunvpnkey" passes IKE
! authentication. A wildcard entry lets spokes authenticate each other for dynamic
! spoke-to-spoke tunnels, but it also means one leaked spoke config exposes the whole
! overlay. Use a long random key, or certificate authentication (rsa-sig).
crypto keyring keyring-vpn
local-address FastEthernet0/0
pre-shared-key address 0.0.0.0 0.0.0.0 key tunvpnkey
!
! IKEv1 phase 1: AES-256, pre-shared key, DH group 5 (1536-bit MODP); no "hash" line, so
! the platform default applies (SHA-1 on classic IOS - confirm on your release).
! SECURITY: group 5 is legacy; group 14+ is the usual minimum. Must match the hub.
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
! NOTE(review): this profile is not referenced by the ipsec profile below
! (no "set isakmp-profile") - confirm whether it is meant to be attached.
crypto isakmp profile isakmp-vpn
keyring keyring-vpn
match identity address 0.0.0.0
local-address FastEthernet0/0
!
! Phase 2: AES-128 ("esp-aes" with no key size) with HMAC-SHA-1.
! SECURITY: weaker than phase 1; consider "esp-aes 256 esp-sha256-hmac" on all routers together.
crypto ipsec transform-set tset-vpn esp-aes esp-sha-hmac
!
crypto ipsec profile ipsec-profile
set transform-set tset-vpn
set pfs group5
!
! mGRE tunnel interface, overlay address 172.16.1.2/24.
interface Tunnel1
ip address 172.16.1.2 255.255.255.0
no ip redirects
ip mtu 1400
! SECURITY: NHRP authentication strings are sent in clear text; rely on IPsec, not this string.
ip nhrp authentication nhrpauth
! Static mapping of the hub's tunnel address to its public (NBMA) address.
ip nhrp map 172.16.1.1 12.101.0.2
! Send multicast (EIGRP hellos) to the hub only.
ip nhrp map multicast 12.101.0.2
ip nhrp network-id 10101
ip nhrp holdtime 300
! The hub is this spoke's next-hop server.
ip nhrp nhs 172.16.1.1
! NOTE(review): 1379 + 40 bytes of IP/TCP header exceeds "ip mtu 1400"; 1360 is the usual pairing.
ip tcp adjust-mss 1379
delay 1000
tunnel source FastEthernet0/0
! Multipoint GRE on the spoke allows direct tunnels to other spokes resolved via NHRP.
tunnel mode gre multipoint
tunnel key 10101
tunnel protection ipsec profile ipsec-profile
!
! Public-facing interface (NAT outside), 12.102.0.2/30.
! SECURITY: no inbound ACL is shown; restrict to IKE (UDP 500/4500), ESP and required management.
interface FastEthernet0/0
ip address 12.102.0.2 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
! LAN interface (NAT inside), 10.102.0.1/24.
interface FastEthernet0/1
ip address 10.102.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
! EIGRP AS 10 on the LAN (10.102.0.0/16 match) and the tunnel subnet; not on the public link.
! SECURITY: no EIGRP authentication or passive-interface is shown - consider both.
router eigrp 10
network 10.102.0.0 0.0.255.255
network 172.16.1.0 0.0.0.255
no auto-summary
!
! Default route toward 12.102.0.1 (Fa0/1 of the "Public" router on this page).
ip route 0.0.0.0 0.0.0.0 12.102.0.1
!
! PAT for LAN sources leaving via Fa0/0; traffic routed into Tunnel1 is not translated.
ip nat inside source route-map rmap-nat interface FastEthernet0/0 overload
!
ip access-list extended acl-nat
permit ip 10.102.0.0 0.0.255.255 any
!
route-map rmap-nat permit 10
match ip address acl-nat
!
=== Router 103 ===
!
! Router 103: DMVPN spoke. Registers over NHRP with the hub (tunnel 172.16.1.1,
! public 12.101.0.2) and runs EIGRP AS 10 across Tunnel1.
!
! SECURITY: wildcard pre-shared key - any peer address presenting "tunvpnkey" passes IKE
! authentication, and the key is identical on every router on this page. Use a long
! random key, or certificate authentication (rsa-sig), outside a lab.
crypto keyring keyring-vpn
local-address FastEthernet0/0
pre-shared-key address 0.0.0.0 0.0.0.0 key tunvpnkey
!
! IKEv1 phase 1: AES-256, pre-shared key, DH group 5 (1536-bit MODP); hash is left at the
! platform default (SHA-1 on classic IOS - confirm on your release).
! SECURITY: group 5 is legacy; group 14+ is the usual minimum. Must match the hub.
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
! NOTE(review): not referenced from the ipsec profile below (no "set isakmp-profile") - confirm intent.
crypto isakmp profile isakmp-vpn
keyring keyring-vpn
match identity address 0.0.0.0
local-address FastEthernet0/0
!
! Phase 2: AES-128 ("esp-aes" with no key size) with HMAC-SHA-1.
! SECURITY: consider "esp-aes 256 esp-sha256-hmac", changed on all routers together.
crypto ipsec transform-set tset-vpn esp-aes esp-sha-hmac
!
crypto ipsec profile ipsec-profile
set transform-set tset-vpn
set pfs group5
!
! mGRE tunnel interface, overlay address 172.16.1.3/24.
interface Tunnel1
ip address 172.16.1.3 255.255.255.0
no ip redirects
ip mtu 1400
! SECURITY: sent in clear text inside NHRP packets; not a substitute for IPsec authentication.
ip nhrp authentication nhrpauth
! Hub tunnel address -> hub public (NBMA) address.
ip nhrp map 172.16.1.1 12.101.0.2
! Multicast (EIGRP hellos) is replicated to the hub only.
ip nhrp map multicast 12.101.0.2
ip nhrp network-id 10101
ip nhrp holdtime 300
! Next-hop server is the hub.
ip nhrp nhs 172.16.1.1
! NOTE(review): 1379 + 40 bytes of IP/TCP header exceeds "ip mtu 1400"; 1360 is the usual pairing.
ip tcp adjust-mss 1379
delay 1000
tunnel source FastEthernet0/0
! Multipoint GRE so this spoke can also build direct tunnels to other spokes.
tunnel mode gre multipoint
tunnel key 10101
tunnel protection ipsec profile ipsec-profile
!
! Public-facing interface (NAT outside), 12.103.0.2/30.
! SECURITY: no inbound ACL is shown; restrict to IKE (UDP 500/4500), ESP and required management.
interface FastEthernet0/0
ip address 12.103.0.2 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
! LAN interface (NAT inside), 10.103.0.1/24.
interface FastEthernet0/1
ip address 10.103.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
! EIGRP AS 10 on the LAN (10.103.0.0/16 match) and the tunnel subnet; not on the public link.
! SECURITY: no EIGRP authentication or passive-interface is shown - consider both.
router eigrp 10
network 10.103.0.0 0.0.255.255
network 172.16.1.0 0.0.0.255
no auto-summary
!
! Default route toward 12.103.0.1 (Fa1/0 of the "Public" router on this page).
ip route 0.0.0.0 0.0.0.0 12.103.0.1
!
! PAT for LAN sources leaving via Fa0/0; traffic routed into Tunnel1 is not translated.
ip nat inside source route-map rmap-nat interface FastEthernet0/0 overload
!
ip access-list extended acl-nat
permit ip 10.103.0.0 0.0.255.255 any
!
route-map rmap-nat permit 10
match ip address acl-nat
!
=== Router 104 ===
!
! Router 104: DMVPN spoke. Registers over NHRP with the hub (tunnel 172.16.1.1,
! public 12.101.0.2) and runs EIGRP AS 10 across Tunnel1.
!
! SECURITY: wildcard pre-shared key - any peer address presenting "tunvpnkey" passes IKE
! authentication, and the key is identical on every router on this page. Use a long
! random key, or certificate authentication (rsa-sig), outside a lab.
crypto keyring keyring-vpn
local-address FastEthernet0/0
pre-shared-key address 0.0.0.0 0.0.0.0 key tunvpnkey
!
! IKEv1 phase 1: AES-256, pre-shared key, DH group 5 (1536-bit MODP); hash is left at the
! platform default (SHA-1 on classic IOS - confirm on your release).
! SECURITY: group 5 is legacy; group 14+ is the usual minimum. Must match the hub.
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
! NOTE(review): not referenced from the ipsec profile below (no "set isakmp-profile") - confirm intent.
crypto isakmp profile isakmp-vpn
keyring keyring-vpn
match identity address 0.0.0.0
local-address FastEthernet0/0
!
! Phase 2: AES-128 ("esp-aes" with no key size) with HMAC-SHA-1.
! SECURITY: consider "esp-aes 256 esp-sha256-hmac", changed on all routers together.
crypto ipsec transform-set tset-vpn esp-aes esp-sha-hmac
!
crypto ipsec profile ipsec-profile
set transform-set tset-vpn
set pfs group5
!
! mGRE tunnel interface, overlay address 172.16.1.4/24.
interface Tunnel1
ip address 172.16.1.4 255.255.255.0
no ip redirects
ip mtu 1400
! SECURITY: sent in clear text inside NHRP packets; not a substitute for IPsec authentication.
ip nhrp authentication nhrpauth
! Hub tunnel address -> hub public (NBMA) address.
ip nhrp map 172.16.1.1 12.101.0.2
! Multicast (EIGRP hellos) is replicated to the hub only.
ip nhrp map multicast 12.101.0.2
ip nhrp network-id 10101
ip nhrp holdtime 300
! Next-hop server is the hub.
ip nhrp nhs 172.16.1.1
! NOTE(review): 1379 + 40 bytes of IP/TCP header exceeds "ip mtu 1400"; 1360 is the usual pairing.
ip tcp adjust-mss 1379
delay 1000
tunnel source FastEthernet0/0
! Multipoint GRE so this spoke can also build direct tunnels to other spokes.
tunnel mode gre multipoint
tunnel key 10101
tunnel protection ipsec profile ipsec-profile
!
! Public-facing interface (NAT outside), 12.104.0.2/30.
! SECURITY: no inbound ACL is shown; restrict to IKE (UDP 500/4500), ESP and required management.
interface FastEthernet0/0
ip address 12.104.0.2 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
! LAN interface (NAT inside), 10.104.0.1/24.
interface FastEthernet0/1
ip address 10.104.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
! EIGRP AS 10 on the LAN (10.104.0.0/16 match) and the tunnel subnet; not on the public link.
! SECURITY: no EIGRP authentication or passive-interface is shown - consider both.
router eigrp 10
network 10.104.0.0 0.0.255.255
network 172.16.1.0 0.0.0.255
no auto-summary
!
! Default route toward 12.104.0.1 (Fa2/0 of the "Public" router on this page).
ip route 0.0.0.0 0.0.0.0 12.104.0.1
!
! PAT for LAN sources leaving via Fa0/0; traffic routed into Tunnel1 is not translated.
ip nat inside source route-map rmap-nat interface FastEthernet0/0 overload
!
ip access-list extended acl-nat
permit ip 10.104.0.0 0.0.255.255 any
!
route-map rmap-nat permit 10
match ip address acl-nat
!
=== Router 105 ===
!
! Router 105: DMVPN spoke. Registers over NHRP with the hub (tunnel 172.16.1.1,
! public 12.101.0.2) and runs EIGRP AS 10 across Tunnel1.
!
! SECURITY: wildcard pre-shared key - any peer address presenting "tunvpnkey" passes IKE
! authentication, and the key is identical on every router on this page. Use a long
! random key, or certificate authentication (rsa-sig), outside a lab.
crypto keyring keyring-vpn
local-address FastEthernet0/0
pre-shared-key address 0.0.0.0 0.0.0.0 key tunvpnkey
!
! IKEv1 phase 1: AES-256, pre-shared key, DH group 5 (1536-bit MODP); hash is left at the
! platform default (SHA-1 on classic IOS - confirm on your release).
! SECURITY: group 5 is legacy; group 14+ is the usual minimum. Must match the hub.
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
! NOTE(review): not referenced from the ipsec profile below (no "set isakmp-profile") - confirm intent.
crypto isakmp profile isakmp-vpn
keyring keyring-vpn
match identity address 0.0.0.0
local-address FastEthernet0/0
!
! Phase 2: AES-128 ("esp-aes" with no key size) with HMAC-SHA-1.
! SECURITY: consider "esp-aes 256 esp-sha256-hmac", changed on all routers together.
crypto ipsec transform-set tset-vpn esp-aes esp-sha-hmac
!
crypto ipsec profile ipsec-profile
set transform-set tset-vpn
set pfs group5
!
! mGRE tunnel interface, overlay address 172.16.1.5/24.
interface Tunnel1
ip address 172.16.1.5 255.255.255.0
no ip redirects
ip mtu 1400
! SECURITY: sent in clear text inside NHRP packets; not a substitute for IPsec authentication.
ip nhrp authentication nhrpauth
! Hub tunnel address -> hub public (NBMA) address.
ip nhrp map 172.16.1.1 12.101.0.2
! Multicast (EIGRP hellos) is replicated to the hub only.
ip nhrp map multicast 12.101.0.2
ip nhrp network-id 10101
ip nhrp holdtime 300
! Next-hop server is the hub.
ip nhrp nhs 172.16.1.1
! NOTE(review): 1379 + 40 bytes of IP/TCP header exceeds "ip mtu 1400"; 1360 is the usual pairing.
ip tcp adjust-mss 1379
delay 1000
tunnel source FastEthernet0/0
! Multipoint GRE so this spoke can also build direct tunnels to other spokes.
tunnel mode gre multipoint
tunnel key 10101
tunnel protection ipsec profile ipsec-profile
!
! Public-facing interface (NAT outside), 12.105.0.2/30.
! SECURITY: no inbound ACL is shown; restrict to IKE (UDP 500/4500), ESP and required management.
interface FastEthernet0/0
ip address 12.105.0.2 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
! LAN interface (NAT inside), 10.105.0.1/24.
interface FastEthernet0/1
ip address 10.105.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
! EIGRP AS 10 on the LAN (10.105.0.0/16 match) and the tunnel subnet; not on the public link.
! SECURITY: no EIGRP authentication or passive-interface is shown - consider both.
router eigrp 10
network 10.105.0.0 0.0.255.255
network 172.16.1.0 0.0.0.255
no auto-summary
!
! Default route toward 12.105.0.1 (Fa3/0 of the "Public" router on this page).
ip route 0.0.0.0 0.0.0.0 12.105.0.1
!
! PAT for LAN sources leaving via Fa0/0; traffic routed into Tunnel1 is not translated.
ip nat inside source route-map rmap-nat interface FastEthernet0/0 overload
!
ip access-list extended acl-nat
permit ip 10.105.0.0 0.0.255.255 any
!
route-map rmap-nat permit 10
match ip address acl-nat
!
=== Public ===
!
! "Public" router: presumably stands in for the Internet between the sites - confirm
! against the topology image. Each interface is the .1 side of a /30 whose .2 side is
! a site router's FastEthernet0/0, and is the target of that router's default route.
! No routing protocol, static routes, crypto or ACLs are shown; the /30s are reachable
! from one another as connected networks. All DMVPN traffic crossing this router is
! IPsec-protected GRE between the 12.x.0.2 addresses.
!
! Link to Router 101 (hub), 12.101.0.0/30.
interface FastEthernet0/0
ip address 12.101.0.1 255.255.255.252
duplex auto
speed auto
!
! Link to Router 102, 12.102.0.0/30.
interface FastEthernet0/1
ip address 12.102.0.1 255.255.255.252
duplex auto
speed auto
!
! Link to Router 103, 12.103.0.0/30.
interface FastEthernet1/0
ip address 12.103.0.1 255.255.255.252
duplex auto
speed auto
!
! Link to Router 104, 12.104.0.0/30.
interface FastEthernet2/0
ip address 12.104.0.1 255.255.255.252
duplex auto
speed auto
!
! Link to Router 105, 12.105.0.0/30.
interface FastEthernet3/0
ip address 12.105.0.1 255.255.255.252
duplex auto
speed auto
!
! NOTE(review): 12.106.0.0/30 has no matching router configuration on this page.
interface FastEthernet4/0
ip address 12.106.0.1 255.255.255.252
duplex auto
speed auto
!