!
crypto keyring DMVPN
 pre-shared-key address 0.0.0.0 0.0.0.0 key xxxxxxx
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 periodic
crypto isakmp profile DMVPN
 keyring DMVPN
 match identity address 0.0.0.0
!
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile Internet
 set transform-set TS
 set isakmp-profile DMVPN
!
!
interface Loopback1
 ip address 10.23.255.1 255.255.255.255
!
interface Tunnel1
 ip address 172.16.200.23 255.255.254.0
 no ip redirects
 ip mtu 1400
 ip flow monitor nbar-mon input
 ip nhrp authentication vpnmesh
 ip nhrp map 172.16.200.1 1.1.1.1
 ip nhrp map multicast 1.1.1.1
 ip nhrp map multicast 2.2.2.2
 ip nhrp map 172.16.200.8 2.2.2.2
 ip nhrp network-id 1
 ip nhrp holdtime 600
 ip nhrp nhs 172.16.200.1
 ip nhrp nhs 172.16.200.8
 ip tcp adjust-mss 1350
 ip ospf network broadcast
 ip ospf dead-interval 10
 ip ospf hello-interval 5
 ip ospf priority 0
 ip ospf cost 30
 qos pre-classify
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 123456
 tunnel protection ipsec profile Internet
!
interface Tunnel2
 ip address 172.16.202.23 255.255.254.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication vpnmesh
 ip nhrp map multicast 2.2.2.2
 ip nhrp map 172.16.202.1 1.1.1.1
 ip nhrp map multicast 1.1.1.1
 ip nhrp map 172.16.202.8 2.2.2.2
 ip nhrp network-id 2
 ip nhrp holdtime 600
 ip nhrp nhs 172.16.202.1
 ip nhrp nhs 172.16.202.8
 ip tcp adjust-mss 1350
 ip ospf network broadcast
 ip ospf dead-interval 10
 ip ospf hello-interval 5
 ip ospf priority 0
 ip ospf cost 31
 qos pre-classify
 tunnel source GigabitEthernet0/2
 tunnel mode gre multipoint
 tunnel key 7891011
 tunnel protection ipsec profile Internet
!
interface GigabitEthernet0/0
 description outside
 ip address 3.3.3.3 255.255.255.248
 ip flow monitor nbar-mon input
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no lldp transmit
 no lldp receive
 service-policy output QOS-parent
!
interface GigabitEthernet0/1
 description inside
 ip address 10.23.1.3 255.255.240.0
 ip flow monitor nbar-mon input
 ip nat inside
 ip virtual-reassembly in
 ip policy route-map REDIRECT in
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 description outside isp2
 ip address 4.4.4.4 255.255.255.128
 ip nat outside
 ip virtual-reassembly in
 shutdown
 duplex auto
 speed auto
!
!
router ospf 1
 area 1 range 10.23.0.0 255.255.0.0
 passive-interface default
 no passive-interface Tunnel1
 no passive-interface Tunnel2
 network 10.0.0.0 0.255.255.255 area 1
 network 172.16.0.0 0.0.255.255 area 0
!
ip local pool vpn-users 10.23.250.2 10.23.250.50
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip ftp source-interface Loopback1
ip tftp source-interface GigabitEthernet0/1
ip tftp blocksize 1300
ip nat inside source route-map nat-isp2 interface GigabitEthernet0/2 overload
ip nat inside source route-map nat-isp1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 3.3.3.1
ip route 0.0.0.0 0.0.0.0 4.4.4.1
!
ip sla 1
 icmp-echo 172.16.202.119 source-interface Tunnel2
 frequency 5
ip sla schedule 1 life forever start-time now
route-map nat-isp2 permit 10
 match ip address 110
 match interface GigabitEthernet0/2
!
route-map nat-isp1 permit 10
 match ip address 110
 match interface GigabitEthernet0/0
!
route-map REDIRECT permit 10
 match ip address 101
 set ip next-hop verify-availability 172.16.202.119 1 track 1
!
!
access-list 10 permit 10.23.0.0 0.0.255.255
access-list 11 permit 10.23.1.8
access-list 101 permit ip 10.23.0.0 0.0.255.255 10.119.0.0 0.0.255.255
access-list 101 permit ip 10.119.0.0 0.0.255.255 10.23.0.0 0.0.255.255
access-list 110 deny ip 10.23.0.0 0.0.255.255 10.0.0.0 0.255.255.255
access-list 110 permit ip 10.23.0.0 0.0.255.255 any
!