DMVPN Phase-3 with IPSec IKEv2
Introduction
The final phase of DMVPN changes the way NHRP operates. The spoke routers no longer need specific routes to reach remote spokes, and it doesn't matter what the next-hop IP address is. When a spoke router wants to reach a remote spoke, it forwards the traffic to the hub.
When the hub receives the traffic, it realizes that another spoke is the destination and sends an NHRP redirect to both spokes. When the spokes receive the NHRP redirect, they both send an NHRP resolution to figure out each other's NBMA IP addresses. The spoke routers then install a new entry in the routing table so that they can reach each other directly.
This lab assumes that the underlay is already configured on all routers. First we look at the DMVPN Phase 3 (overlay) configuration. Since DMVPN traffic is not encrypted by default, we then implement IKEv2 IPsec to encrypt and secure the traffic passing through the DMVPN tunnels.
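To make the redirect/resolution sequence concrete, here is a small Python model of the exchange. It is an added illustration written for this page, not Cisco code and not something the page provides. The hub addresses come from the lab (tunnel 192.168.1.1, NBMA 1.1.1.1) as does R2's tunnel address; the spoke NBMA addresses 2.2.2.2 and 3.3.3.3, R3's tunnel address 192.168.1.3 and the 10.10.3.0/24 LAN are assumed. The first packet between two spokes crosses the hub, the hub answers with a Traffic Indication, the redirected spoke resolves the prefix through its NHS, and every later packet in that direction goes spoke-to-spoke; the return direction is redirected the same way.

```python
"""Model of the DMVPN Phase 3 NHRP redirect/resolution exchange.

Added illustration for this page, not Cisco code. Hub addresses come from the
lab (tunnel 192.168.1.1, NBMA 1.1.1.1); the spoke NBMA addresses, R3's tunnel
address and the 10.10.3.0/24 LAN are assumed.
"""
from dataclasses import dataclass, field


@dataclass
class Router:
    name: str
    tunnel_ip: str
    nbma_ip: str
    lan: str                       # LAN prefix advertised by EIGRP
    hub: bool = False
    nhs: "Router | None" = None    # next-hop server ('ip nhrp nhs') on spokes
    nhrp_cache: dict = field(default_factory=dict)  # tunnel IP -> NBMA IP
    routes: dict = field(default_factory=dict)      # LAN prefix -> next-hop tunnel IP
    shortcuts: dict = field(default_factory=dict)   # LAN prefix -> spoke tunnel IP (NHRP)


class Dmvpn:
    def __init__(self, hub, spokes):
        self.by_tunnel = {r.tunnel_ip: r for r in [hub] + spokes}
        self.messages = []  # (sender, receiver, NHRP message)
        for s in spokes:
            # 'ip nhrp map' on the spoke plus the registration it sends to the NHS
            s.nhrp_cache[hub.tunnel_ip] = hub.nbma_ip
            hub.nhrp_cache[s.tunnel_ip] = s.nbma_ip
            self.messages.append((s.name, hub.name, "Registration Request"))
        # EIGRP over the mGRE tunnel: the hub knows each spoke LAN directly; spokes
        # learn every remote LAN with the hub as next hop (in Phase 3 the advertised
        # next hop does not matter, NHRP shortcuts override it)
        for r in self.by_tunnel.values():
            for other in self.by_tunnel.values():
                if other is not r:
                    r.routes[other.lan] = other.tunnel_ip if r.hub else hub.tunnel_ip

    def _owner(self, prefix):
        return next(r for r in self.by_tunnel.values() if r.lan == prefix)

    def send(self, src, dst_prefix):
        """Forward one packet from src's LAN towards dst_prefix; return the router path."""
        next_hop = src.shortcuts.get(dst_prefix) or src.routes[dst_prefix]
        nxt = self.by_tunnel[next_hop]
        path = [src.name, nxt.name]
        if nxt.hub and nxt.lan != dst_prefix:
            # Packet enters and leaves the hub on Tunnel0: 'ip nhrp redirect' sends a
            # Traffic Indication back to the sourcing spoke; the data is still forwarded
            path.append(self.by_tunnel[nxt.routes[dst_prefix]].name)
            self.messages.append((nxt.name, src.name, f"Traffic Indication {dst_prefix}"))
            self._resolve(src, dst_prefix)
        return path

    def _resolve(self, spoke, dst_prefix):
        """'ip nhrp shortcut': the redirected spoke resolves the prefix through its NHS;
        the owning spoke replies directly and the shortcut entry is installed."""
        hub, target = spoke.nhs, self._owner(dst_prefix)
        self.messages.append((spoke.name, hub.name, f"Resolution Request {dst_prefix}"))
        self.messages.append((hub.name, target.name, f"Resolution Request {dst_prefix} (forwarded)"))
        self.messages.append((target.name, spoke.name, f"Resolution Reply {dst_prefix} via {target.nbma_ip}"))
        spoke.nhrp_cache[target.tunnel_ip] = target.nbma_ip
        spoke.shortcuts[dst_prefix] = target.tunnel_ip


def build_lab():
    r1 = Router("R1", "192.168.1.1", "1.1.1.1", "10.10.1.0/24", hub=True)
    r2 = Router("R2", "192.168.1.2", "2.2.2.2", "10.10.2.0/24", nhs=r1)  # NBMA assumed
    r3 = Router("R3", "192.168.1.3", "3.3.3.3", "10.10.3.0/24", nhs=r1)  # all assumed
    return Dmvpn(r1, [r2, r3]), r1, r2, r3


if __name__ == "__main__":
    net, r1, r2, r3 = build_lab()
    print(net.send(r2, r3.lan))  # ['R2', 'R1', 'R3']: first packet crosses the hub
    print(net.send(r2, r3.lan))  # ['R2', 'R3']: shortcut installed
    print(net.send(r3, r2.lan))  # ['R3', 'R1', 'R2']: return direction redirected too
    print(net.send(r3, r2.lan))  # ['R3', 'R2']
    for m in net.messages:
        print(*m)
```

The model is deliberately one-directional per redirect: a shortcut is installed only on the spoke that received the Traffic Indication, which is why the first packet back from R3 still crosses the hub. Note also that nothing in this exchange authenticates the spokes beyond the `ip nhrp authentication` string, which is why the IPsec section that follows matters.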
Lab Topology
DMVPN Configuration
Hub Configuration
R1(config)#interface Tunnel 0
R1(config-if)#ip address 192.168.1.1 255.255.255.0
R1(config-if)#no ip redirects
R1(config-if)#tunnel mode gre multipoint
R1(config-if)#tunnel source Ethernet0/0
R1(config-if)#ip nhrp authentication vpn
R1(config-if)#ip nhrp map multicast dynamic
R1(config-if)#ip nhrp network-id 1
R1(config-if)#ip nhrp redirect
R1(config-if)#exit
R1(config)#router eigrp 1
R1(config-router)#network 10.10.1.0 0.0.0.255
R1(config-router)#network 192.168.1.0
R1(config-router)#no auto-summary
R1(config-router)#exit
R1(config)#int tunnel 0
R1(config-if)#no ip split-horizon eigrp 1
R1(config-if)#no ip next-hop-self eigrp 1
R1(config-if)#exit
R1(config)#
Spoke1 Configuration
R2(config)#interface tunnel 0
R2(config-if)#ip address 192.168.1.2 255.255.255.0
R2(config-if)#ip nhrp authentication vpn
R2(config-if)#ip nhrp map 192.168.1.1 1.1.1.1
R2(config-if)#ip nhrp map multicast 1.1.1.1
R2(config-if)#ip nhrp network-id 1
R2(config-if)#ip nhrp nhs 192.168.1.1
R2(config-if)#tunnel source Ethernet0/0
R2(config-if)#tunnel mode gre multipoint
R2(config-if)#ip nhrp shortcut
R2(config-if)#exit
R2(config)#router eigrp 1
R2(config-router)#network 10.10.2.0 0.0.0.255
R2(config-router)#network 192.168.1.0
R2(config-router)#no auto-summary
R2(config-router)#exit
R2(config)#
IPsec IKEv2 Configuration
Hub (R1) Configuration
Step 1: Define IKEv2 Proposal
R1(config)# crypto ikev2 proposal PROPOSAL-R1
R1(config-ikev2-proposal)# encryption aes-cbc-192 aes-cbc-256
R1(config-ikev2-proposal)# group 14 20 24
R1(config-ikev2-proposal)# integrity sha256 sha384
R1(config-ikev2-proposal)# exit
Step 2: Define IKEv2 Policies
R1(config)# crypto ikev2 policy POLICY-R1
R1(config-ikev2-policy)# proposal PROPOSAL-R1
R1(config-ikev2-policy)# exit
Step 3: Define IKEv2 Keyring
R1(config)# crypto ikev2 keyring KEYRING-R1
R1(config-ikev2-keyring)# peer dmvpn_node
R1(config-ikev2-keyring-peer)# address 0.0.0.0 0.0.0.0
R1(config-ikev2-keyring-peer)# pre-shared-key cisco@123
R1(config-ikev2-keyring-peer)# exit
R1(config-ikev2-keyring)# exit
Step 4: Define IKEv2 Profile
R1(config)# crypto ikev2 profile IKEv2-PROFILE-R1
R1(config-ikev2-profile)# match identity remote address 0.0.0.0 0.0.0.0
R1(config-ikev2-profile)# match address local 0.0.0.0
R1(config-ikev2-profile)# authentication local pre-share
R1(config-ikev2-profile)# authentication remote pre-share
R1(config-ikev2-profile)# keyring local KEYRING-R1
R1(config-ikev2-profile)# exit
Step 5: Define IPsec Settings
R1(config)# crypto ipsec transform-set TSET-R1 esp-aes 256 esp-sha-hmac
R1(cfg-crypto-trans)# mode tunnel
R1(cfg-crypto-trans)# exit
!
R1(config)# crypto ipsec profile IPSEC-PROFILE-R1
R1(ipsec-profile)# set transform-set TSET-R1
R1(ipsec-profile)# set ikev2-profile IKEv2-PROFILE-R1
R1(ipsec-profile)# exit
Step 6: Apply IPsec Profile to the Tunnel Interface
R1(config)# interface Tunnel 0
R1(config-if)# tunnel protection ipsec profile IPSEC-PROFILE-R1
R1(config-if)# exit
Spoke1(R2) Configuration
Step 1: Define IKEv2 Proposal
R2(config)# crypto ikev2 proposal PROPOSAL-R2
R2(config-ikev2-proposal)# encryption aes-cbc-192 aes-cbc-256
R2(config-ikev2-proposal)# group 14 20 24
R2(config-ikev2-proposal)# integrity sha256 sha384
R2(config-ikev2-proposal)# exit
Step 2: Define IKEv2 Policies
R2(config)# crypto ikev2 policy POLICY-R2
R2(config-ikev2-policy)# proposal PROPOSAL-R2
R2(config-ikev2-policy)# exit
Step 3: Define IKEv2 Keyring
R2(config)# crypto ikev2 keyring KEYRING-R2
R2(config-ikev2-keyring)# peer dmvpn_node
R2(config-ikev2-keyring-peer)# address 0.0.0.0 0.0.0.0
R2(config-ikev2-keyring-peer)# pre-shared-key cisco@123
R2(config-ikev2-keyring-peer)# exit
R2(config-ikev2-keyring)# exit
Step 4: Define IKEv2 Profile
R2(config)# crypto ikev2 profile IKEv2-PROFILE-R2
R2(config-ikev2-profile)# match identity remote address 0.0.0.0 0.0.0.0
R2(config-ikev2-profile)# match address local 0.0.0.0
R2(config-ikev2-profile)# authentication local pre-share
R2(config-ikev2-profile)# authentication remote pre-share
R2(config-ikev2-profile)# keyring local KEYRING-R2
R2(config-ikev2-profile)# exit
Step 5: Define IPsec Settings
R2(config)# crypto ipsec transform-set TSET-R2 esp-aes 256 esp-sha-hmac
R2(cfg-crypto-trans)# mode tunnel
R2(cfg-crypto-trans)# exit
!
R2(config)# crypto ipsec profile IPSEC-PROFILE-R2
R2(ipsec-profile)# set transform-set TSET-R2
R2(ipsec-profile)# set ikev2-profile IKEv2-PROFILE-R2
R2(ipsec-profile)# exit
Step 6: Apply IPsec Profile to the Tunnel Interface
R2(config)# interface Tunnel 0
R2(config-if)# tunnel protection ipsec profile IPSEC-PROFILE-R2
R2(config-if)# exit
Configure Spoke2 (R3) the same way, with its own DMVPN and IPsec IKEv2 configuration.
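The security of the tunnel above rests on a handful of lines: `ip nhrp authentication` on every tunnel interface, `tunnel protection` pointing at an IPsec profile that actually exists, `ip nhrp redirect` on the hub and `ip nhrp shortcut` on the spokes, and an IKEv2 proposal without legacy algorithms. Below is an added Python audit that parses a running-config and flags when any of those are missing. It is written for this page and is not a Cisco tool; it goes a little beyond the page's own configuration by also checking for weak IKEv2 algorithms and for a wildcard keyring peer. HUB_CONFIG mirrors the R1 configuration above in running-config form; WEAK_SPOKE_CONFIG is a constructed spoke with the protections left out, so the audit has something to report.

```python
"""Static audit of a DMVPN/IKEv2 running-config for the settings this page relies on.

Added example for this page, not a Cisco tool. HUB_CONFIG mirrors R1 above;
WEAK_SPOKE_CONFIG is constructed to show what the audit flags.
"""
WEAK_ENC, WEAK_INTEG, WEAK_DH = {"des", "3des"}, {"md5", "sha1"}, {"1", "2", "5"}


def parse_sections(config):
    """Split an IOS config into (header, [child lines]); children are the indented lines."""
    sections, header, children = [], None, []
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw[0] not in " \t":
            if header is not None:
                sections.append((header, children))
            header, children = raw.strip(), []
        else:
            children.append(raw.strip())
    if header is not None:
        sections.append((header, children))
    return sections


def audit(config):
    """Return a list of findings; an empty list means nothing to report."""
    findings, sections = [], parse_sections(config)
    ipsec_profiles = {h.split()[-1] for h, _ in sections if h.startswith("crypto ipsec profile ")}
    for header, body in sections:
        if header.startswith("interface Tunnel") and "tunnel mode gre multipoint" in body:
            if not any(l.startswith("ip nhrp authentication ") for l in body):
                findings.append(f"{header}: no 'ip nhrp authentication', NHRP accepts any registration")
            prot = [l.split()[-1] for l in body if l.startswith("tunnel protection ipsec profile ")]
            if not prot:
                findings.append(f"{header}: no 'tunnel protection', GRE is carried in cleartext")
            elif prot[0] not in ipsec_profiles:
                findings.append(f"{header}: undefined IPsec profile {prot[0]}")
            is_hub = "ip nhrp map multicast dynamic" in body   # hub learns spokes dynamically
            if is_hub and "ip nhrp redirect" not in body:
                findings.append(f"{header}: hub lacks 'ip nhrp redirect', Phase 3 never triggers")
            if not is_hub and "ip nhrp shortcut" not in body:
                findings.append(f"{header}: spoke lacks 'ip nhrp shortcut', no spoke-to-spoke path")
        elif header.startswith("crypto ikev2 proposal "):
            for line in body:
                kw, *vals = line.split()
                weak = [v for v in vals if (kw == "encryption" and v.split("-")[0] in WEAK_ENC)
                        or (kw == "integrity" and v in WEAK_INTEG)
                        or (kw == "group" and v in WEAK_DH)]
                if weak:
                    findings.append(f"{header}: weak {kw} {' '.join(weak)}")
        elif header.startswith("crypto ikev2 keyring ") and "address 0.0.0.0 0.0.0.0" in body:
            findings.append(f"{header}: wildcard peer, one PSK admits any address that knows it")
        elif header.startswith("crypto ipsec transform-set ") and not any(
                t.startswith("esp-aes") for t in header.split()):
            findings.append(f"{header}: ESP cipher is not AES")
    return findings


# Constructed from the R1 configuration on this page (running-config form).
HUB_CONFIG = """\
crypto ikev2 proposal PROPOSAL-R1
 encryption aes-cbc-192 aes-cbc-256
 integrity sha256 sha384
 group 14 20 24
crypto ikev2 keyring KEYRING-R1
 peer dmvpn_node
  address 0.0.0.0 0.0.0.0
  pre-shared-key cisco@123
crypto ipsec transform-set TSET-R1 esp-aes 256 esp-sha-hmac
crypto ipsec profile IPSEC-PROFILE-R1
 set transform-set TSET-R1
 set ikev2-profile IKEv2-PROFILE-R1
interface Tunnel0
 ip nhrp authentication vpn
 ip nhrp map multicast dynamic
 ip nhrp redirect
 tunnel mode gre multipoint
 tunnel protection ipsec profile IPSEC-PROFILE-R1
"""

# Constructed spoke with legacy algorithms and no NHRP auth, shortcut or IPsec.
WEAK_SPOKE_CONFIG = """\
crypto ikev2 proposal WEAK
 encryption 3des aes-cbc-128
 integrity sha1
 group 2
crypto ipsec transform-set TSET-R2 esp-3des esp-md5-hmac
interface Tunnel0
 ip nhrp map 192.168.1.1 1.1.1.1
 ip nhrp nhs 192.168.1.1
 tunnel mode gre multipoint
"""

if __name__ == "__main__":
    for name, cfg in (("R1", HUB_CONFIG), ("weak spoke", WEAK_SPOKE_CONFIG)):
        print(name, audit(cfg) or ["OK"])
```

Run against the hub configuration the only finding is the keyring: `address 0.0.0.0 0.0.0.0` with a single pre-shared key is what lets spokes with dynamic addresses register, but it also means any device that obtains the key can bring up a tunnel, so the key deserves the same handling as any other credential and a per-spoke identity (certificates, or distinct keys per peer) is the tighter option when the spoke addresses are known.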
Verification
