Dynamic Multipoint VPN with OSPF in Cisco Router

Dynamic Multipoint VPN [OSPF]

We assume you have already configured the routers and that basic connectivity has been verified with ICMP between the physical interfaces of R1, R3 and R4!
Phase 1:
Creating the TUNNEL interface!
Let us first create a Tunnel interface in the range 172.16.134.0/24 on all three devices!
At R1(HUB):
  • R1(config)# interface Tunnel0
    • ip address 172.16.134.1 255.255.255.0
    • no ip redirects
    • ip mtu 1400
    • ip nhrp authentication cisco123
    • ip nhrp map multicast dynamic
    • ip nhrp network-id 123
    • tunnel source FastEthernet0/0
    • tunnel mode gre multipoint
At R3 (SPOKE):
  • R3(config)# interface Tunnel0
    • ip address 172.16.134.3 255.255.255.0
    • ip mtu 1400
    • ip nhrp authentication cisco123
    • ip nhrp map 172.16.134.1 10.1.12.1
    • ip nhrp network-id 123
    • ip nhrp nhs 172.16.134.1
    • tunnel source FastEthernet0/0
    • tunnel destination 10.1.12.1
At R4 (SPOKE):
  • R4(config)# interface Tunnel0
    • ip address 172.16.134.4 255.255.255.0
    • ip mtu 1400
    • ip nhrp authentication cisco123
    • ip nhrp map 172.16.134.1 10.1.12.1
    • ip nhrp network-id 123
    • ip nhrp nhs 172.16.134.1
    • tunnel source FastEthernet0/0
    • tunnel destination 10.1.12.1
At this point the tunnel should be up and the three routers can ping each other using their tunnel IPs from the 172.16.134.0/24 range.
Configuring OSPF!
We start by configuring OSPF routing on each device!
At R1(HUB):
  • R1(config)# router ospf 1
    • router-id 172.16.134.1
    • network 1.1.1.1 0.0.0.0 area 0
    • network 172.16.134.1 0.0.0.0 area 0
  • R1(config)# interface Tunnel0
    • ip ospf network point-to-multipoint // Remember: in Phase 1 the HUB must use the OSPF network type point-to-multipoint
    • ip ospf hello-interval 10 // Point-to-multipoint changes the Hello timer to 40s, but since our spokes use 10s we have to change this so the timers match!
At R3 (SPOKE):
  • R3(config)#router ospf 1
    • router-id 172.16.134.3
    • network 3.3.3.3 0.0.0.0 area 0
    • network 172.16.134.3 0.0.0.0 area 0
  • R3(config)#interface Tunnel0
    • ip ospf network point-to-point // Spokes must use the OSPF network type point-to-point
At R4 (SPOKE):
  • R4(config)#router ospf 1
    • router-id 172.16.134.4
    • network 4.4.4.4 0.0.0.0 area 0
    • network 172.16.134.4 0.0.0.0 area 0
  • R4(config)#interface Tunnel0
    • ip ospf network point-to-point // Spokes must use the OSPF network type point-to-point
Configure Crypto (IPSec/ISAKMP)!
Now we configure the crypto settings that make this a DMVPN!
At R1(HUB):
  • R1(config)# crypto isakmp policy 10
    • authentication pre-share
  • R1(config)# crypto isakmp key cisco4 address 0.0.0.0 0.0.0.0
  • R1(config)# crypto ipsec transform-set TSET esp-3des esp-sha-hmac
    • mode transport
  • R1(config)# crypto ipsec profile DMVPN
    • set transform-set TSET
  • R1(config)# interface Tunnel0
    • tunnel protection ipsec profile DMVPN
At R3 (SPOKE):
  • R3(config)# crypto isakmp policy 10
    • authentication pre-share
  • R3(config)# crypto isakmp key cisco4 address 0.0.0.0 0.0.0.0 // The pre-shared key must be identical to the one on the HUB (R1). We cannot use the peer IP address, because the OSPF adjacency will FAIL!
  • R3(config)# crypto ipsec transform-set TSET esp-3des esp-sha-hmac
    • mode transport
  • R3(config)# crypto ipsec profile DMVPN
    • set transform-set TSET
  • R3(config)# interface Tunnel0
    • tunnel protection ipsec profile DMVPN
At R4 (SPOKE):
  • R4(config)# crypto isakmp policy 10
    • authentication pre-share
  • R4(config)# crypto isakmp key cisco4 address 0.0.0.0 0.0.0.0 // We cannot use the peer IP address, because the OSPF adjacency will FAIL!
  • R4(config)# crypto ipsec transform-set TSET esp-3des esp-sha-hmac
    • mode transport
  • R4(config)# crypto ipsec profile DMVPN
    • set transform-set TSET
  • R4(config)# interface Tunnel0
    • tunnel protection ipsec profile DMVPN
At this point, our DMVPN Phase 1 configuration is complete! All communication between the devices is encrypted, and in Phase 1 all communication goes through the HUB!
Some Verifications!
 

R1#sh ip ospf neigh

Neighbor ID        Pri   State                  Dead Time  Address           Interface
172.16.134.3      0     FULL/DROTHER    00:00:32    172.16.134.3    Tunnel0
172.16.134.4      0     FULL/DROTHER    00:00:30    172.16.134.4    Tunnel0

// DROTHER means it is neither a DR nor a BDR
R3#sh ip route

************Irrelevant Output Removed**************

1.0.0.0/32 is subnetted, 1 subnets
O       1.1.1.1 [110/11112] via 172.16.134.1, 00:09:21, Tunnel0
3.0.0.0/24 is subnetted, 1 subnets
C       3.3.3.0 is directly connected, Loopback0
4.0.0.0/32 is subnetted, 1 subnets
O       4.4.4.4 [110/22223] via 172.16.134.1, 00:09:02, Tunnel0
172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C       172.16.134.0/24 is directly connected, Tunnel0
      172.16.134.1/32 [110/11111] via 172.16.134.1, 00:09:21, Tunnel0
10.0.0.0/24 is subnetted, 1 subnets
C       10.1.23.0 is directly connected, FastEthernet0/0
S*   0.0.0.0/0 [1/0] via 10.1.23.2

R4#sh ip route
************Irrelevant Output Removed**************

1.0.0.0/32 is subnetted, 1 subnets
O       1.1.1.1 [110/11112] via 172.16.134.1, 00:11:37, Tunnel0
3.0.0.0/32 is subnetted, 1 subnets
O       3.3.3.3 [110/22223] via 172.16.134.1, 00:11:37, Tunnel0
4.0.0.0/24 is subnetted, 1 subnets
C       4.4.4.0 is directly connected, Loopback0
172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C       172.16.134.0/24 is directly connected, Tunnel0
O       172.16.134.1/32 [110/11111] via 172.16.134.1, 00:11:37, Tunnel0
10.0.0.0/24 is subnetted, 1 subnets
C       10.1.24.0 is directly connected, FastEthernet0/0
S*   0.0.0.0/0 [1/0] via 10.1.24.2

R1#sh ip nhrp
172.16.134.3/32 via 172.16.134.3, Tunnel0 created 00:13:20, expire 01:46:39
Type: dynamic, Flags: unique registered
NBMA address: 10.1.23.3
172.16.134.4/32 via 172.16.134.4, Tunnel0 created 00:12:59, expire 01:47:00
Type: dynamic, Flags: unique registered
NBMA address: 10.1.24.4 
 
R3#sh ip nhrp
172.16.134.1/32 via 172.16.134.1, Tunnel0 created 00:28:46, never expire
Type: static, Flags:
NBMA address: 10.1.12.1
 
R4#sh ip nhrp
172.16.134.1/32 via 172.16.134.1, Tunnel0 created 01:31:26, never expire
Type: static, Flags:
NBMA address: 10.1.12.1
R1#sh crypto isa sa
IPv4 Crypto ISAKMP SA
dst                 src                state                conn-id slot status
10.1.12.1       10.1.24.4       QM_IDLE           1002    0    ACTIVE
10.1.12.1       10.1.23.3       QM_IDLE           1001    0    ACTIVE
R3#sh ip cef 4.4.4.4
4.4.4.4/32, version 37, epoch 0
0 packets, 0 bytes
via 172.16.134.1, Tunnel0, 0 dependencies
next hop 172.16.134.1, Tunnel0
    valid adjacency
R4#sh ip cef 3.3.3.3
3.3.3.3/32, version 24, epoch 0
0 packets, 0 bytes
via 172.16.134.1, Tunnel0, 0 dependencies
next hop 172.16.134.1, Tunnel0
    valid adjacency
Phase 2: (Changes from Phase 1 are marked with comments and are made to the Tunnel interface only)
 
R1#sh run int tun 0
Building configuration…
Current configuration : 351 bytes
!
interface Tunnel0
ip address 172.16.134.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication cisco123
ip nhrp map multicast dynamic
ip nhrp network-id 123
ip nhrp holdtime 360
ip ospf network broadcast // The OSPF network type has been changed to BROADCAST
ip ospf priority 255
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel protection ipsec profile DMVPN
end

R3#sh run int tun 0
Building configuration…
Current configuration : 413 bytes
!
interface Tunnel0
ip address 172.16.134.3 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication cisco123
ip nhrp map 172.16.134.1 10.1.12.1
ip nhrp map multicast 10.1.12.1
ip nhrp network-id 123
ip nhrp holdtime 360
ip nhrp nhs 172.16.134.1
ip ospf network broadcast // The OSPF network type has been changed to BROADCAST
ip ospf priority 0
tunnel source FastEthernet0/0
tunnel mode gre multipoint // Please note: before doing this you have to remove the ‘tunnel destination’ command
tunnel protection ipsec profile DMVPN
end
R4#sh run int tun 0
Building configuration…
Current configuration : 413 bytes
!
interface Tunnel0
ip address 172.16.134.4 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication cisco123
ip nhrp map 172.16.134.1 10.1.12.1
ip nhrp map multicast 10.1.12.1
ip nhrp network-id 123
ip nhrp holdtime 360
ip nhrp nhs 172.16.134.1
ip ospf network broadcast // The OSPF network type has been changed to BROADCAST
ip ospf priority 0
tunnel source FastEthernet0/0
tunnel mode gre multipoint // Please note: before doing this you have to remove the ‘tunnel destination’ command
tunnel protection ipsec profile DMVPN
end
Some Verifications!
R3#sh ip route
************Irrelevant Output Removed**************
     4.0.0.0/32 is subnetted, 1 subnets

      4.4.4.4 [110/11112] via 172.16.134.4, 00:13:19, Tunnel0 // OSPF learnt route has been updated to directly contact the SPOKE

R4#sh ip route

************Irrelevant Output Removed**************

3.0.0.0/32 is subnetted, 1 subnets
      3.3.3.3 [110/11112] via 172.16.134.3, 00:15:23, Tunnel0 // OSPF learnt route has been updated to directly contact the SPOKE

R4#sh ip cef 3.3.3.3
3.3.3.3/32, version 30, epoch 0
0 packets, 0 bytes
via 172.16.134.3, Tunnel0, 0 dependencies
next hop 172.16.134.3, Tunnel0
    invalid adjacency // Because it doesn't yet have the physical-interface information to reach 3.3.3.3. After pinging once, it will be updated!
 
R3#sh ip cef 4.4.4.4
4.4.4.4/32, version 31, epoch 0
0 packets, 0 bytes
via 172.16.134.4, Tunnel0, 0 dependencies
next hop 172.16.134.4, Tunnel0
    invalid adjacency // Because it doesn't yet have the physical-interface information to reach 4.4.4.4. After pinging once, it will be updated!
Phase 3: (Changes from Phase 1 are marked with comments and are made to the Tunnel interface only)
 
R1#sh run int tun 0
Building configuration…
Current configuration : 351 bytes
!
interface Tunnel0
ip address 172.16.134.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication cisco123
ip nhrp map multicast dynamic
ip nhrp network-id 123
ip nhrp redirect // The extra command for Phase 3
ip nhrp holdtime 360
ip ospf network point-to-multipoint
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel protection ipsec profile DMVPN
end

R3#sh run int tun 0
Building configuration…
Current configuration : 413 bytes
!
interface Tunnel0
ip address 172.16.134.3 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication cisco123
ip nhrp map 172.16.134.1 10.1.12.1
ip nhrp map multicast 10.1.12.1
ip nhrp network-id 123
ip nhrp holdtime 360
ip nhrp nhs 172.16.134.1
ip nhrp shortcut // The extra command for Phase 3
ip ospf network point-to-multipoint // The OSPF network type has been changed to point-to-multipoint
ip ospf priority 0
tunnel source FastEthernet0/0
tunnel mode gre multipoint // Please note: before doing this you have to remove the ‘tunnel destination’ command
tunnel protection ipsec profile DMVPN
end
R4#sh run int tun 0
Building configuration…
Current configuration : 413 bytes
!
interface Tunnel0
ip address 172.16.134.4 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication cisco123
ip nhrp map 172.16.134.1 10.1.12.1
ip nhrp map multicast 10.1.12.1
ip nhrp network-id 123
ip nhrp holdtime 360
ip nhrp nhs 172.16.134.1
ip nhrp shortcut // The extra command for Phase 3
ip ospf network point-to-multipoint // The OSPF network type has been changed to point-to-multipoint
ip ospf priority 0
tunnel source FastEthernet0/0
tunnel mode gre multipoint // Please note: before doing this you have to remove the ‘tunnel destination’ command
tunnel protection ipsec profile DMVPN
end
Some Verifications!
R4#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.1.24.2 to network 0.0.0.0

4.0.0.0/24 is subnetted, 1 subnets
C       4.4.4.0 is directly connected, Loopback0
172.16.0.0/24 is subnetted, 1 subnets
C       172.16.134.0 is directly connected, Tunnel0
10.0.0.0/24 is subnetted, 1 subnets
C       10.1.24.0 is directly connected, FastEthernet0/0
S*   0.0.0.0/0 [1/0] via 10.1.24.2
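As an added example (not part of the original article), a small Python audit that takes Tunnel0 stanzas like the ones shown above and checks the per-phase settings this write-up depends on: matching NHRP authentication string and network-id, the NHS pointing at the hub tunnel address, point-to-multipoint on the hub with a 10s hello against point-to-point spokes in Phase 1, broadcast with the hub winning the DR election in Phase 2, and `ip nhrp redirect` / `ip nhrp shortcut` in Phase 3. The function names are my own, and the sample stanzas are constructed from the article's Phase 1 hub (R1) and spoke (R3) configs.

```python
import re

def tunnel_lines(config):
    # Normalize a "show run int tun 0" stanza into a set of stripped lines.
    return {l.strip() for l in config.splitlines() if l.strip()}

def setting(lines, pattern):
    # First capture group of the line that fully matches pattern, else None.
    return next((m[1] for l in lines if (m := re.fullmatch(pattern, l))), None)

def audit_dmvpn(phase, hub_cfg, spoke_cfg):
    # List inconsistencies between one spoke and the hub for a DMVPN phase (1, 2 or 3).
    hub, spoke = tunnel_lines(hub_cfg), tunnel_lines(spoke_cfg)
    net = lambda s: setting(s, r"ip ospf network (\S+)")
    pri = lambda s: int(setting(s, r"ip ospf priority (\d+)") or 1)  # IOS default is 1
    same = lambda pat: setting(spoke, pat) == setting(hub, pat)
    checks = [
        (not same(r"ip nhrp authentication (\S+)"), "NHRP authentication string differs from hub"),
        (not same(r"ip nhrp network-id (\d+)"), "NHRP network-id differs from hub"),
        (setting(spoke, r"ip nhrp nhs (\S+)") != setting(hub, r"ip address (\S+) \S+"),
         "NHS is not the hub tunnel address"),
        ("tunnel mode gre multipoint" not in hub, "hub tunnel is not mGRE")]
    if phase == 1:
        checks += [(net(hub) != "point-to-multipoint" or net(spoke) != "point-to-point",
                    "phase 1: hub must be point-to-multipoint, spokes point-to-point"),
                   (setting(hub, r"ip ospf hello-interval (\d+)") != "10",
                    "phase 1: hub hello-interval must be 10 to match the spokes")]
    else:
        checks += [("tunnel mode gre multipoint" not in spoke or setting(spoke, r"tunnel destination (\S+)"),
                    "phase 2/3: spoke must be mGRE with 'tunnel destination' removed"),
                   (not setting(spoke, r"ip nhrp map multicast (\S+)"),
                    "phase 2/3: spoke needs 'ip nhrp map multicast <hub NBMA>'")]
    if phase == 2:
        checks += [(net(hub) != "broadcast" or net(spoke) != "broadcast", "phase 2: OSPF type broadcast everywhere"),
                   (pri(spoke) != 0 or pri(hub) == 0, "phase 2: spoke priority 0, hub priority > 0")]
    if phase == 3:
        checks += [("ip nhrp redirect" not in hub, "phase 3: hub needs 'ip nhrp redirect'"),
                   ("ip nhrp shortcut" not in spoke, "phase 3: spoke needs 'ip nhrp shortcut'")]
    return [msg for bad, msg in checks if bad]

# Constructed sample input: the article's Phase 1 Tunnel0 stanzas of the hub (R1) and spoke R3.
HUB_P1 = ("ip address 172.16.134.1 255.255.255.0\nip nhrp authentication cisco123\n"
          "ip nhrp network-id 123\nip ospf network point-to-multipoint\n"
          "ip ospf hello-interval 10\ntunnel mode gre multipoint")
SPOKE_P1 = ("ip address 172.16.134.3 255.255.255.0\nip nhrp authentication cisco123\n"
            "ip nhrp map 172.16.134.1 10.1.12.1\nip nhrp network-id 123\n"
            "ip nhrp nhs 172.16.134.1\nip ospf network point-to-point\ntunnel destination 10.1.12.1")

if __name__ == "__main__":
    print(audit_dmvpn(1, HUB_P1, SPOKE_P1))  # [] : consistent Phase 1 pair
```

Running the same Phase 1 stanzas through `audit_dmvpn(2, ...)` lists exactly what has to change on the way to Phase 2 (mGRE spoke, multicast map, broadcast type, priorities), which is a handy pre-change checklist before touching the tunnel interfaces.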
