DMVPN over IPsec

In our first DMVPN lesson we talked about the basics of DMVPN and its different phases. DMVPN is a “routing technique” that relies on multipoint GRE and NHRP and IPsec is not mandatory.

However since you probably use DMVPN with the Internet as the underlay network, it might be wise to encrypt your tunnels. In this lesson I’ll show you how to configure IPsec to encrypt your multipoint GRE tunnels. Here’s the topology we will use:

DMVPN Example Topology with hub, two spokes and loopback interfaces.

Above we have a hub and spoke topology which I used in all of my previous DMVPN examples. We’ll use a DMVPN phase 2 network with RIP as the routing protocol to test IPsec.


Tunnel Interfaces

Let’s start with the tunnel interfaces on all routers. This is a basic DMVPN phase 2 configuration:

Hub(config)#interface Tunnel 0
Hub(config-if)#ip address
Hub(config-if)#ip nhrp authentication DMVPN
Hub(config-if)#ip nhrp map multicast dynamic
Hub(config-if)#ip nhrp network-id 1
Hub(config-if)#tunnel source GigabitEthernet0/1
Hub(config-if)#tunnel mode gre multipoint

Here are the spoke routers:

Spoke1(config)#interface Tunnel 0
Spoke1(config-if)#ip address
Spoke1(config-if)#ip nhrp authentication DMVPN
Spoke1(config-if)#ip nhrp map
Spoke1(config-if)#ip nhrp map multicast
Spoke1(config-if)#ip nhrp network-id 1
Spoke1(config-if)#ip nhrp nhs
Spoke1(config-if)#tunnel source GigabitEthernet0/1
Spoke1(config-if)#tunnel mode gre multipoint
Spoke2(config)#interface Tunnel 0
Spoke2(config-if)#ip address
Spoke2(config-if)#ip nhrp authentication DMVPN
Spoke2(config-if)#ip nhrp map
Spoke2(config-if)#ip nhrp map multicast
Spoke2(config-if)#ip nhrp network-id 1
Spoke2(config-if)#ip nhrp nhs
Spoke2(config-if)#tunnel source GigabitEthernet0/1
Spoke2(config-if)#tunnel mode gre multipoint

Now we can configure RIP…


We will advertise all interfaces in RIP, here’s the hub router:

Hub(config)#router rip
Hub(config-router)#version 2
Hub(config-router)#no auto-summary
Hub(config)#interface Tunnel 0
Hub(config-if)#no ip split-horizon

Don’t forget to disable split horizon. Here are the spoke routers:

Spoke2(config)#router rip
Spoke2(config-router)#version 2
Spoke2(config-router)#no auto-summary
Spoke1(config)#router rip
Spoke1(config-router)#version 2
Spoke1(config-router)#no auto-summary

That should do it. Now before we start messing around with IPsec, we should check if everything is working without encryption. Let’s check if the hub router has two NHRP registrations:

Hub#show dmvpn | begin Peer
Type:Hub, NHRP Peers:2, 

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1    UP 00:06:15     D
     1    UP 00:06:22     D

That’s looking good. Do we have some RIP routes?

Hub#show ip route rip is subnetted, 1 subnets
R [120/1] via, 00:00:02, Tunnel0 is subnetted, 1 subnets
R [120/1] via, 00:00:11, Tunnel0
Spoke1#show ip route rip is subnetted, 1 subnets
R [120/1] via, 00:00:07, Tunnel0 is subnetted, 1 subnets
R [120/2] via, 00:00:07, Tunnel0
Spoke2#show ip route rip is subnetted, 1 subnets
R [120/1] via, 00:00:28, Tunnel0 is subnetted, 1 subnets
R [120/2] via, 00:00:28, Tunnel0

Yes we do! Everything is looking good so now we can focus on encryption.


IPsec has two phases, phase 1 and 2 (don’t confuse them with the DMVPN phases).

Phase 1

We need an ISAKMP policy that matches on all our routers. Let’s pick something:

Hub, Spoke1 & Spoke 2
(config)#crypto isakmp policy 10
(config-isakmp)#authentication pre-share 
(config-isakmp)#encryption aes 128
(config-isakmp)#group 5
(config-isakmp)#hash sha256

When it comes to encryption we can choose between pre-shared keys or PKI. To keep it simple, I’ll go for the pre-shared keys:

Hub(config)#crypto isakmp key DMVPN_KEY address ?       
  A.B.C.D  Peer IP address
  ipv6     define shared key with IPv6 address

When you configure the pre-shared key you have to enter the NBMA address. Keep in mind that encryption occurs before multipoint GRE / NHRP. We also have to specify a peer address, we have two options here:

  • Configure a pre-shared key for each “router pair” you have: this means we use a unique key for hub-spoke1, hub-spoke2 and spoke1-spoke2. This is secure but it’s not a very scalable solution, the more spoke routers we add to the network, the more keys we have to configure.
  • Configure a “wildcard” pre-shared key: this allows us to use a single key for all routers. This is the most convenient but it also means that if you want to change the key, you have to do it on all your routers.

I’ll use the wildcard pre-shared key for our example:

We're Sorry, Full Content Access is for Members Only...

If you like to keep on reading, Become a Member Now! Here is why:

  • Learn any CCNA, CCNP and CCIE R&S Topic. Explained As Simple As Possible.
  • Try for Just $1. The Best Dollar You’ve Ever Spent on Your Cisco Career!
  • Full Access to our 791 Lessons. More Lessons Added Every Week!
  • Content created by Rene Molenaar (CCIE #41726)

1682 Sign Ups in the last 30 days

100% Satisfaction Guaranteed!
You may cancel your monthly membership at any time.
No Questions Asked!

Tags: , , ,

Forum Replies

  1. Excellent write up. I’ll be testing this in a lab here soon!

  2. Hi Rene!
    I am to write up the lab for my upcoming CCNP Security.
    I have a question the cloud in the drawning is it also a router ?
    Or am I wrong ?

  3. Hi Oskar,

    DMVPN is often used on the Internet so the cloud represents a bunch of routers from different ISPs.


  4. Dear Rene,

    For the phase 1 if we have multiple policy, then how we can define which policy we should use.

    Your example use the crypto isakmp policy 10.


  5. Hi Davis,

    When you have multiple statements in the policy then the routers will negotiate to figure out which policy to use. You can’t configure explicitly which one to use.


64 more replies! Ask a question or join the discussion by visiting our Community Forum