rooflop.blogg.se

Dmvpn lab ccnp

Drawing up IPSec Profiles to secure the DMVPN Network is honestly as easy as the configuration walked through below, though in modern networks there would be much stronger passwords, and most likely multiple profiles deployed at different branches in the event one IPSec Profile were to become compromised. While troubleshooting my branch office deployment I also found NHRP Authentication configured on a Tunnel interface in a forum post, so I wanted to explore that as well, to further secure the DMVPN Network.

This is the same as ASA Firewall Site-to-Site IPSec VPN Tunnel configurations: there is a Phase 1 of the IPSec Tunnel, which is the Authentication portion, and a Phase 2, which determines the ciphers that will be used for Encryption and Decryption of traffic. Without further ado, we can dissect the IPSec Profile into Phase 1 and Phase 2.

Phase 1 starts with the ISAKMP policy. This chunk can be a bit confusing at first, as dozens of isakmp policy #'s can be configured on a device, and the two VPN Peers have to find one common policy between themselves before they move on to the pre-shared key / authentication part of Phase 1. The policy sets the encryption, hash, authentication method (pre-share here) and the Diffie-Hellman group, which is picked from the list the "group ?" help output prints, for example:

    24  Diffie-Hellman group 24 (2048 bit, 256 bit subgroup)

    crypto isakmp key LoopedBack!!! address 0.0.0.0

This will be the pre-shared key that each router will match against, with a wildcard address of 0.0.0.0 as the neighbors will be Dynamic, being DMVPN. Once the two neighbors authenticate they will move on to Phase 2, which decides how to encrypt / decrypt the DMVPN Traffic between their endpoints. If Authentication fails, the VPN Tunnel will break or never come up in the first place, and the routers will not even attempt to negotiate Phase 2 (encryption) to send traffic.

    crypto ipsec transform-set CCIE esp-aes esp-sha-hmac

I've made a single transform-set named CCIE here; however, generally Routers / Firewalls will have every transform-set combination configured and available, and the naming convention looks exactly the same as the actual encryption ciphers. Transport mode is used over "mode tunnel" with DMVPN, as GRE does the Tunnel Encapsulation of traffic and the IPSec Profile provides the encryption. This is where you create the IPSec Profiles which are applied to the Tunnel Interface itself. The exact ciphers used must match on both sides of the VPN; if they do not match, the routers will show the Tunnel as up but traffic encryption / decryption will fail. Then apply the IPSec Profile to the Tunnel Interface:

    tunnel protection ipsec profile ProtectTheTunnel

Once Phase 1 and Phase 2 are configured, you apply the profile to your Tunnel Interface, and you now have IPSec encryption running on your DMVPN Tunnel! I will walk through a sample IPSec Profile config step by step on the NHS (PHX1):

    Enter configuration commands, one per line. End with CNTL/Z.
    PHX1(config)# crypto isa key LoopedBack!!! address 0.0.0.0
    PHX1(config)# cry ipsec transform-set CCIE esp-aes esp-sha-hmac
    PHX1(config)# cry ipsec profile ProtectTheTunnel
    PHX1(ipsec-profile)# set transform-set CCIE
    PHX1(config-if)# tunnel protection ipsec profile ProtectTheTunnel
    *Dec 5 19:59:26.210: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.

The %CRYPTO-4-RECVD_PKT_NOT_IPSEC message right after applying the profile on the hub is expected until the spokes get the same profile: until then they are still sending plain GRE / NHRP packets to a Tunnel interface that now only accepts IPSec-protected traffic, and the hub drops them.
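As an added example (my own constructed config, not the post's lab output), here is the complete hub and spoke configuration the walkthrough builds up, with the NHRP Authentication the post mentions included; the ISAKMP policy values, the tunnel addressing, the hub NBMA address 203.0.113.1 and the interface names are assumptions.

```cisco
! Hub / NHS (PHX1). Constructed example, not the blog's own lab output.
! Phase 1: ISAKMP policy. Values assumed; the post only shows the "group ?" help line.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 24
! Wildcard PSK so dynamically addressed spokes can authenticate (post's key reused)
crypto isakmp key LoopedBack!!! address 0.0.0.0 0.0.0.0
! Phase 2: the transform-set defaults to tunnel mode, so transport mode must be set
! explicitly; GRE already encapsulates the traffic, IPsec only needs to encrypt it.
crypto ipsec transform-set CCIE esp-aes esp-sha-hmac
 mode transport
crypto ipsec profile ProtectTheTunnel
 set transform-set CCIE
! mGRE tunnel. The NHRP auth string is at most 8 characters and travels in cleartext
! inside the NHRP packet, so it only has value once IPsec protects the tunnel.
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 ip nhrp authentication DMVPNKEY
 ip nhrp network-id 1
 ip nhrp map multicast dynamic
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile ProtectTheTunnel
!
! Spoke: repeat the identical isakmp policy, isakmp key, transform-set (with
! mode transport) and ipsec profile lines from the hub, then:
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 ip nhrp authentication DMVPNKEY
 ip nhrp network-id 1
 ip nhrp map 10.0.0.1 203.0.113.1
 ip nhrp map multicast 203.0.113.1
 ip nhrp nhs 10.0.0.1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile ProtectTheTunnel
!
! Verify from either side: the Phase 1 SA should sit in QM_IDLE, the Phase 2 SA should
! show its encaps/decaps counters climbing, and the peer should be listed as UP.
! show crypto isakmp sa
! show crypto ipsec sa
! show dmvpn detail
```

A mismatched transform-set shows up as a Phase 1 SA in QM_IDLE but no Phase 2 SA and a DMVPN peer that never leaves NHRP state, which is the "tunnel looks up but nothing decrypts" symptom the post describes.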