Blue_Bird

Implementing IPsec over DMVPN Phase-3 Tunnels

Introduction

Lab Topology

IPsec Configuration

Verification

Conclusion

Introduction

The drawbacks of DMVPN Phase 2 are overcome by DMVPN Phase 3. DMVPN tunnels themselves offer no encryption, so the traffic passing through them is not secure. You can implement IPsec over DMVPN tunnels to encrypt that traffic and secure it.

While IPsec is not mandatory for a DMVPN (Dynamic Multipoint VPN) setup, it's highly recommended, especially when using the internet as the underlay network. DMVPN, in itself, provides a scalable and dynamic way to create VPN tunnels between multiple sites, but it doesn't inherently encrypt the traffic. IPsec, on the other hand, provides encryption and authentication for the data being transmitted, enhancing the security of the VPN connection.

So, in this article, we will discuss how to implement IPsec over DMVPN tunnels. To learn more about the DMVPN Phase 3 implementation, please go through the following link: https://community.cisco.com/t5/vpn/dmvpn-phase-3-implementation/m-p/5302916#M299236

Lab Topology

[Image: lab topology]

Assume that all routers are already configured with the underlay and overlay (DMVPN Phase 3) configurations. Since DMVPN does not encrypt traffic by default, we are going to implement IPsec to encrypt the traffic passing through the DMVPN tunnels and secure them.

IPsec Configuration

R1 Configuration

R1(config)# crypto isakmp policy 5
R1(config-isakmp)# encryption aes 256
R1(config-isakmp)# hash sha256
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# group 14
R1(config-isakmp)# exit
R1(config)# crypto isakmp key cisco@123 address 0.0.0.0
R1(config)# crypto ipsec transform-set TSET esp-aes 128 esp-sha384-hmac
R1(cfg-crypto-trans)# mode transport
R1(cfg-crypto-trans)# exit
R1(config)# crypto ipsec profile PRO
R1(ipsec-profile)# set transform-set TSET
R1(ipsec-profile)# exit
R1(config)# interface Tunnel 0
R1(config-if)# ip mtu 1400
R1(config-if)# ip tcp adjust-mss 1272
R1(config-if)# tunnel protection ipsec profile PRO
R1(config-if)# end

R2 Configuration

R2(config)# crypto isakmp policy 5
R2(config-isakmp)# encryption aes 256
R2(config-isakmp)# hash sha256
R2(config-isakmp)# authentication pre-share
R2(config-isakmp)# group 14
R2(config-isakmp)# exit
R2(config)# crypto isakmp key cisco@123 address 0.0.0.0
R2(config)# crypto ipsec transform-set TSET esp-aes 128 esp-sha384-hmac
R2(cfg-crypto-trans)# mode transport
R2(cfg-crypto-trans)# exit
R2(config)# crypto ipsec profile PRO
R2(ipsec-profile)# set transform-set TSET
R2(ipsec-profile)# exit
R2(config)# interface Tunnel 0
R2(config-if)# ip mtu 1400
R2(config-if)# ip tcp adjust-mss 1272
R2(config-if)# tunnel protection ipsec profile PRO
R2(config-if)# end

R3 Configuration

R3(config)# crypto isakmp policy 5
R3(config-isakmp)# encryption aes 256
R3(config-isakmp)# hash sha256
R3(config-isakmp)# authentication pre-share
R3(config-isakmp)# group 14
R3(config-isakmp)# exit
R3(config)# crypto isakmp key cisco@123 address 0.0.0.0
R3(config)# crypto ipsec transform-set TSET esp-aes 128 esp-sha384-hmac
R3(cfg-crypto-trans)# mode transport
R3(cfg-crypto-trans)# exit
R3(config)# crypto ipsec profile PRO
R3(ipsec-profile)# set transform-set TSET
R3(ipsec-profile)# exit
R3(config)# interface Tunnel 0
R3(config-if)# ip mtu 1400
R3(config-if)# ip tcp adjust-mss 1272
R3(config-if)# tunnel protection ipsec profile PRO
R3(config-if)# end

Once we configure the IKE Phase 1 policy, we need to specify the address of our VPN peers. However, the peers are meant to be dynamic, so we specify the address 0.0.0.0 0.0.0.0, which allows any IP address to connect as long as it presents the correct pre-shared key.

DMVPN sends traffic over mGRE tunnels, and the data is encrypted using IPsec. IPsec and mGRE each add their own headers, which can push the packet size beyond the MTU (maximum transmission unit). That causes fragmentation, and fragmentation is undesirable because it increases CPU usage on the routers. To work around this, we adjust the TCP MSS so that segments fit within the tunnel MTU. Cisco recommends setting the MTU on the GRE tunnel interface to 1400.

From this we can calculate the MSS. Say we have a GRE packet and the maximum MTU is 1400. The GRE header itself is 24 bytes, the DMVPN tunnel key adds another 4 bytes, the IPsec header is 60 bytes, the TCP header is 20 bytes, and the IP header is another 20 bytes. That is a total overhead of 128 bytes, so subtracting 128 from 1400 gives an MSS of 1272.
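As an added example (my own code, not part of the original post), a small Python audit that checks the settings above: the IKE policy uses AES-256, whether a wildcard pre-shared key is in use, that the tunnel interface carries tunnel protection, and that adjust-mss is consistent with ip mtu using the overhead figures from the calculation above. The sample input is the post's R1 configuration with the prompts left in; the finding strings are my own wording.

```python
# Added example (not part of the original post): audit an IOS DMVPN config for
# IKE policy strength, wildcard PSK use, tunnel protection and MTU/MSS consistency.
import re

# Per-header overhead in bytes, exactly the figures the post uses
HEADER_OVERHEAD = {"gre": 24, "gre_key": 4, "ipsec": 60, "tcp": 20, "ip": 20}
PROMPT = re.compile(r"^\S+\([^)]*\)#\s*")  # strips prompts such as "R1(config-if)# "

def expected_mss(ip_mtu, overhead=HEADER_OVERHEAD):
    """MSS that keeps one TCP segment plus every header inside ip_mtu (1400 -> 1272)."""
    return ip_mtu - sum(overhead.values())

def audit_dmvpn_config(config):
    """Return a list of findings for the config text; an empty list means clean."""
    lines = [x for x in (PROMPT.sub("", l).strip().lower() for l in config.splitlines()) if x]
    findings = []
    if "encryption aes 256" not in lines:
        findings.append("IKE policy: encryption is not AES-256")
    if "authentication pre-share" in lines and any(
            re.match(r"crypto isakmp key \S+ address 0\.0\.0\.0", l) for l in lines):
        findings.append("wildcard PSK: any peer holding the key can negotiate")
    tunnels, cur = {}, None  # tunnel name -> mtu / mss / protected
    for l in lines:
        if l.startswith("interface "):
            name = l.split(None, 1)[1].replace(" ", "")
            cur = tunnels.setdefault(name, {"mtu": 0, "mss": 0, "protected": False}) \
                if name.startswith("tunnel") else None
        elif cur is not None:
            if m := re.match(r"ip mtu (\d+)", l):
                cur["mtu"] = int(m.group(1))
            elif m := re.match(r"ip tcp adjust-mss (\d+)", l):
                cur["mss"] = int(m.group(1))
            elif l.startswith("tunnel protection ipsec profile"):
                cur["protected"] = True
    for name, t in tunnels.items():
        if not t["protected"]:
            findings.append(f"{name}: no tunnel protection, GRE traffic is sent in the clear")
        if t["mtu"] and t["mss"] > expected_mss(t["mtu"]):
            findings.append(f"{name}: adjust-mss {t['mss']} exceeds {expected_mss(t['mtu'])}")
    return findings

# The post's R1 configuration, reduced to the lines the audit inspects
R1_CONFIG = "\n".join([
    "R1(config)# crypto isakmp policy 5", "R1(config-isakmp)# encryption aes 256",
    "R1(config-isakmp)# hash sha256", "R1(config-isakmp)# authentication pre-share",
    "R1(config-isakmp)# group 14", "R1(config)# crypto isakmp key cisco@123 address 0.0.0.0",
    "R1(config)# Interface Tunnel 0", "R1(config-if)# ip mtu 1400",
    "R1(config-if)# ip tcp adjust-mss 1272", "R1(config-if)# tunnel protection ipsec profile PRO",
])
```

Running audit_dmvpn_config(R1_CONFIG) reports only the wildcard PSK; removing the tunnel protection line or raising adjust-mss above 1272 adds a finding for Tunnel0.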

[Image: packet overhead breakdown]

Verification

[Images: verification output from the routers]

Conclusion

As we know, DMVPN allows multipoint connectivity over the internet, but it can only do so between Cisco routers. What happens if you have a non-Cisco router that you want to connect to a Cisco router? In that situation you would use FlexVPN. We will discuss FlexVPN in another article.
