DMVPN over IPsec

In our first DMVPN lesson we talked about the basics of DMVPN and its different phases. DMVPN is a “routing technique” that relies on multipoint GRE and NHRP; IPsec is not mandatory.

However, since you probably use DMVPN with the Internet as the underlay network, it is wise to encrypt your tunnels. In this lesson I’ll show you how to configure IPsec to encrypt your multipoint GRE tunnels. Here’s the topology we will use:

DMVPN Example Topology with hub, two spokes and loopback interfaces.

Above we have a hub and spoke topology which I used in all of my previous DMVPN examples. We’ll use a DMVPN phase 2 network with RIP as the routing protocol to test IPsec.


Tunnel Interfaces

Let’s start with the tunnel interfaces on all routers. This is a basic DMVPN phase 2 configuration:

Hub(config)#interface Tunnel 0
Hub(config-if)#ip address
Hub(config-if)#ip nhrp authentication DMVPN
Hub(config-if)#ip nhrp map multicast dynamic
Hub(config-if)#ip nhrp network-id 1
Hub(config-if)#tunnel source GigabitEthernet0/1
Hub(config-if)#tunnel mode gre multipoint

Here are the spoke routers:

Spoke1(config)#interface Tunnel 0
Spoke1(config-if)#ip address
Spoke1(config-if)#ip nhrp authentication DMVPN
Spoke1(config-if)#ip nhrp map
Spoke1(config-if)#ip nhrp map multicast
Spoke1(config-if)#ip nhrp network-id 1
Spoke1(config-if)#ip nhrp nhs
Spoke1(config-if)#tunnel source GigabitEthernet0/1
Spoke1(config-if)#tunnel mode gre multipoint

Spoke2(config)#interface Tunnel 0
Spoke2(config-if)#ip address
Spoke2(config-if)#ip nhrp authentication DMVPN
Spoke2(config-if)#ip nhrp map
Spoke2(config-if)#ip nhrp map multicast
Spoke2(config-if)#ip nhrp network-id 1
Spoke2(config-if)#ip nhrp nhs
Spoke2(config-if)#tunnel source GigabitEthernet0/1
Spoke2(config-if)#tunnel mode gre multipoint

Now we can configure RIP…


We will advertise all interfaces in RIP. Here’s the hub router:

Hub(config)#router rip
Hub(config-router)#version 2
Hub(config-router)#no auto-summary
Hub(config)#interface Tunnel 0
Hub(config-if)#no ip split-horizon

Don’t forget to disable split horizon. Here are the spoke routers:

Spoke2(config)#router rip
Spoke2(config-router)#version 2
Spoke2(config-router)#no auto-summary

Spoke1(config)#router rip
Spoke1(config-router)#version 2
Spoke1(config-router)#no auto-summary

That should do it. Now before we start messing around with IPsec, we should check if everything is working without encryption. Let’s check if the hub router has two NHRP registrations:

Hub#show dmvpn | begin Peer
Type:Hub, NHRP Peers:2, 

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1    UP 00:06:15     D
     1    UP 00:06:22     D

That’s looking good. Do we have some RIP routes?

Hub#show ip route rip
 is subnetted, 1 subnets
R [120/1] via, 00:00:02, Tunnel0
 is subnetted, 1 subnets
R [120/1] via, 00:00:11, Tunnel0

Spoke1#show ip route rip
 is subnetted, 1 subnets
R [120/1] via, 00:00:07, Tunnel0
 is subnetted, 1 subnets
R [120/2] via, 00:00:07, Tunnel0

Spoke2#show ip route rip
 is subnetted, 1 subnets
R [120/1] via, 00:00:28, Tunnel0
 is subnetted, 1 subnets
R [120/2] via, 00:00:28, Tunnel0

Yes we do! Everything is looking good so now we can focus on encryption.
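The "show dmvpn" check above is the one worth automating once you have more than two spokes: every spoke must show a registration in state UP before you add IPsec, otherwise you end up debugging NHRP and IKE at the same time. Below is an added example (not from the lesson and not Cisco code) that parses the peer table of "show dmvpn" and reports missing or non-UP registrations. The sample output is constructed; the NBMA and tunnel addresses in it are made-up documentation addresses.

```python
"""Added example (not part of the lesson): parse the peer table of
"show dmvpn" on a hub and confirm every spoke has registered and is UP.
The sample output and its addresses are constructed for this example."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample, shaped like the hub output in the lesson; addresses
# are documentation-range placeholders, not real devices.
SAMPLE_SHOW_DMVPN = """\
Hub#show dmvpn | begin Peer
Type:Hub, NHRP Peers:2,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 198.51.100.2      10.0.0.2    UP 00:06:15     D
     1 198.51.100.3      10.0.0.3    UP 00:06:22     D
"""


@dataclass(frozen=True)
class NhrpPeer:
    entries: int     # "# Ent" column
    nbma: str        # underlay (NBMA) address of the peer
    tunnel: str      # tunnel (overlay) address of the peer
    state: str       # UP, or an intermediate state such as NHRP/IKE/IPSEC
    uptime: str      # "UpDn Tm" column
    attributes: str  # Attrb column, e.g. D for a dynamic entry


# One peer row: entry count, NBMA address, tunnel address, state, uptime, attributes.
PEER_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
COUNT_RE = re.compile(r"NHRP Peers:(\d+)")


def parse_peers(text: str) -> List[NhrpPeer]:
    """Return every peer row in the table; header and separator lines are
    skipped because they do not start with an entry count."""
    peers = []
    for line in text.splitlines():
        m = PEER_RE.match(line)
        if m:
            entries, nbma, tunnel, state, uptime, attrs = m.groups()
            peers.append(NhrpPeer(int(entries), nbma, tunnel, state, uptime, attrs))
    return peers


def advertised_peer_count(text: str) -> Optional[int]:
    """The count the router itself reports in the 'NHRP Peers:' line."""
    m = COUNT_RE.search(text)
    return int(m.group(1)) if m else None


def check_registrations(text: str, expected_spokes: int) -> Tuple[bool, List[str]]:
    """Compare the parsed table against what we expect on the hub.
    Returns (ok, list of human-readable problems)."""
    problems = []
    peers = parse_peers(text)
    if len(peers) != expected_spokes:
        problems.append(f"expected {expected_spokes} registrations, found {len(peers)}")
    reported = advertised_peer_count(text)
    if reported is not None and reported != len(peers):
        problems.append(f"router reports {reported} peers but table has {len(peers)} rows")
    for p in peers:
        if p.state != "UP":
            problems.append(f"peer {p.nbma} (tunnel {p.tunnel}) is in state {p.state}, not UP")
    return (not problems, problems)


if __name__ == "__main__":
    ok, problems = check_registrations(SAMPLE_SHOW_DMVPN, expected_spokes=2)
    print("OK" if ok else "\n".join(problems))
```

In practice you would feed the function the captured output of the command rather than the embedded sample; a state other than UP (for example NHRP or IKE after IPsec is added) is exactly the symptom you want flagged before looking at routing.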


IPsec has two phases, phase 1 and 2 (don’t confuse them with the DMVPN phases).

Phase 1

We need an ISAKMP policy that matches on all our routers. Let’s pick something:

Hub, Spoke1 & Spoke2
(config)#crypto isakmp policy 10
(config-isakmp)#authentication pre-share
(config-isakmp)#encryption aes 128
(config-isakmp)#group 5
(config-isakmp)#hash sha256

When it comes to authentication we can choose between pre-shared keys or PKI. To keep it simple, I’ll go for pre-shared keys:

Hub(config)#crypto isakmp key DMVPN_KEY address ?
  A.B.C.D  Peer IP address
  ipv6     define shared key with IPv6 address

When you configure the pre-shared key you have to enter the NBMA address. Keep in mind that IPsec works on the underlay, between the NBMA addresses, not on the multipoint GRE / NHRP tunnel addresses. We also have to specify a peer address; we have two options here:

  • Configure a pre-shared key for each “router pair” you have: this means we use a unique key for hub-spoke1, hub-spoke2 and spoke1-spoke2. This is secure, but it’s not a very scalable solution: the more spoke routers we add to the network, the more keys we have to configure.
  • Configure a “wildcard” pre-shared key: this allows us to use a single key for all routers. This is the most convenient but it also means that if you want to change the key, you have to do it on all your routers.
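Two things decide whether phase 1 comes up between a pair of DMVPN routers: the ISAKMP policy has to match (the policy section above) and the responder has to find a pre-shared key for the peer's NBMA address (the two options just listed). The following added example is not from the lesson and not Cisco code; it models both lookups in Python so you can see why a mismatched DH group fails, how a per-peer key beats a wildcard key for the same address, and how the number of keys grows with the per-pair approach. The router names, NBMA addresses and key strings are constructed placeholders.

```python
"""Added example (not from the lesson): a model of the two checks a router
performs when a DMVPN peer initiates IKE phase 1 (ISAKMP):

  1. find an ISAKMP policy that matches on both sides (encryption, hash,
     authentication method and Diffie-Hellman group), in priority order;
  2. find a pre-shared key for the peer's NBMA (underlay) address, from
     either per-peer "crypto isakmp key" entries or one wildcard entry.

Router names, NBMA addresses and key strings are constructed; the matching
rules model IOS behaviour and are not IOS code.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from itertools import combinations
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class IsakmpPolicy:
    priority: int        # "crypto isakmp policy 10": lower number is preferred
    encryption: str      # e.g. "aes 128"
    hash: str            # e.g. "sha256"
    authentication: str  # "pre-share" or "rsa-sig"
    group: int           # Diffie-Hellman group

    def matches(self, other: "IsakmpPolicy") -> bool:
        # Lifetime is negotiated separately (the shorter value is used), so it
        # is deliberately left out of the comparison.
        return (self.encryption == other.encryption
                and self.hash == other.hash
                and self.authentication == other.authentication
                and self.group == other.group)


def negotiate_phase1(initiator: List[IsakmpPolicy],
                     responder: List[IsakmpPolicy]) -> Optional[Tuple[int, int]]:
    """The initiator offers all of its policies; the responder walks its own
    policies from the best priority (lowest number) down and accepts the
    first one that matches any offer. Returns (responder priority,
    initiator priority), or None when phase 1 cannot complete."""
    offers = sorted(initiator, key=lambda p: p.priority)
    for mine in sorted(responder, key=lambda p: p.priority):
        for offered in offers:
            if mine.matches(offered):
                return mine.priority, offered.priority
    return None


@dataclass(frozen=True)
class PresharedKey:
    key: str
    address: str                   # peer NBMA address, or 0.0.0.0 for a wildcard
    mask: str = "255.255.255.255"  # 0.0.0.0 together with address 0.0.0.0 = wildcard

    @property
    def network(self) -> IPv4Network:
        return IPv4Network(f"{self.address}/{self.mask}", strict=False)

    def ios_line(self) -> str:
        """The IOS command this entry corresponds to."""
        return f"crypto isakmp key {self.key} address {self.address} {self.mask}"


def select_psk(keyring: List[PresharedKey], peer_nbma: str) -> Optional[str]:
    """Pick the key for a peer by its NBMA address, most specific entry first,
    so a per-peer key wins over a wildcard 0.0.0.0 0.0.0.0 entry."""
    peer = IPv4Address(peer_nbma)
    hits = [k for k in keyring if peer in k.network]
    if not hits:
        return None
    return max(hits, key=lambda k: k.network.prefixlen).key


def per_pair_keyrings(nbma: Dict[str, str]) -> Dict[str, List[PresharedKey]]:
    """Option 1: a unique key per router pair. Every router gets one entry per
    other router, and n routers need n*(n-1)/2 distinct keys in total."""
    rings: Dict[str, List[PresharedKey]] = {name: [] for name in nbma}
    for a, b in combinations(sorted(nbma), 2):
        key = f"KEY_{a}_{b}"  # constructed placeholder, not a real secret
        rings[a].append(PresharedKey(key, nbma[b]))
        rings[b].append(PresharedKey(key, nbma[a]))
    return rings


def wildcard_keyring(key: str) -> List[PresharedKey]:
    """Option 2: one wildcard key that every router shares."""
    return [PresharedKey(key, "0.0.0.0", "0.0.0.0")]
```

The trade-off the lesson describes shows up directly in the model: with three routers the per-pair option already needs three distinct keys and two entries per router, while the wildcard option is a single entry everywhere. The flip side of the wildcard key is that every router holds the same secret, so rotating it means touching every router, and a spoke that is compromised or decommissioned without a key change still holds a key that the hub accepts from any NBMA address.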

I’ll use the wildcard pre-shared key for our example:


Forum Replies

  1. Hello laz,
    I have a few questions.

    1. Would you please let me know the order of operations when a packet is being sent over a DMVPN protected with IPSEC tunnel?
      My understanding is route lookup which is the tunnel interface-----GRE encapsulation-----IPSEC encapsulation—exit out of the interface. Please let me know if it is correct?
    2. If the IPSEC tunnel goes down still I should be able to send out traffic through the GRE tunnel. The only problem is the traffic will not be encrypted. Is it correct?
    3. For the sake of this conversation, let’s just say I have only one SP
    ... Continue reading in our forum

  2. Hello Azm

    For this question, Cisco has an excellent example and explanation as to the order of operations for the scenario you describe. This information can be found here.

    ... Continue reading in our forum

  3. Hello Laz,
    The config is below


    HUB#sho run inter tunnel 0
    interface Tunnel0
     ip address
     no ip redirects
     ip nhrp map multicast dynamic
     ip nhrp network-id 1
     ip nhrp redirect
     tunnel source
     tunnel mode gre multipoint
    HUB#sho run inter ethernet 0/1
    interface Ethernet0/1
     description WAN INTERFACE
     ip address
    ip route Tunnel0
    HUB#ping source tunnel 0
    Type escape sequ
    ... Continue reading in our forum

  4. Good Day,

    There seem to be a lot of variations when it comes to this topic. What are the benefits or even limitations of using the approach outlined in your article as opposed to the approach below:

    Step 1: Configure the crypto keyring for pre-shared keys
    Step 2: Configure the IKEv2 proposal.
    Step 3: Configure the IKEv2 policy.
    Step 4: Configure the IKEv2 profile.
    Step 5: Define the IPsec transform set.
    Step 6: Configure the IPsec profile.
    Step 7: Increase the IPsec anti-replay window size.

    Step 1: Configure the c

    ... Continue reading in our forum
