How to Configure DMVPN

Hello colleagues, below are the configs for the routers.

Router1 Configuration (Distribution Hub)
interface Tunnel0
 description TUNEL
 ip address 172.16.0.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 no ip next-hop-self eigrp 1
 no ip split-horizon eigrp 1
 ip nhrp authentication cisco123
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 6783
!
interface GigabitEthernet0/0
 description INTERNET
 ip address 1.1.1.1 255.255.255.252
!
interface GigabitEthernet0/1
 description LAN
 ip address 10.10.10.1 255.255.255.0
!
router eigrp 100
 network 1.0.0.0
 eigrp stub connected summary
!
router eigrp 1
 network 10.0.0.0
 network 172.16.0.0

Router2 Configuration (Spoke)
interface Tunnel0
 ip address 172.16.0.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication cisco123
 ip nhrp map multicast 1.1.1.1
 ip nhrp map 172.16.0.1 1.1.1.1
 ip nhrp network-id 1
 ip nhrp nhs 172.16.0.1
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 6783
!
interface GigabitEthernet0/0
 ip address 2.2.2.1 255.255.255.252
!
interface GigabitEthernet0/1
 ip address 10.20.20.1 255.255.255.0
!
router eigrp 100
 network 2.0.0.0
!
router eigrp 1
 network 10.0.0.0
 network 172.16.0.0
!

Router3 Configuration (Spoke)
interface Tunnel0
 ip address 172.16.0.3 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication cisco123
 ip nhrp map multicast 1.1.1.1
 ip nhrp map 172.16.0.1 1.1.1.1
 ip nhrp network-id 1
 ip nhrp nhs 172.16.0.1
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 6783
!
interface GigabitEthernet0/0
 ip address 3.3.3.1 255.255.255.252
!
interface GigabitEthernet0/1
 ip address 10.30.30.1 255.255.255.0
!
router eigrp 100
 network 3.0.0.0
!
!
router eigrp 1
 network 10.0.0.0
 network 172.16.0.0
!

Encrypt Your Tunnels

On all routers, configure this to encrypt the traffic, especially if your tunnels cross public networks (the Internet). Don't forget to change the cisco123 keys if you use this configuration outside a lab.

crypto isakmp policy 10
 hash sha256
 authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0        
!
crypto ipsec transform-set TRANSFORM-SET esp-aes esp-sha256-hmac 
 mode tunnel
!
crypto ipsec profile IPSEC-PROFILE
 set security-association lifetime seconds 28800
 set transform-set TRANSFORM-SET 
!
interface Tunnel0
 tunnel protection ipsec profile IPSEC-PROFILE
!
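
Added example, not part of the original post: a short Python audit of the crypto lines above that flags what to tighten before this config leaves a lab, namely ISAKMP policy values left to the platform default (on older IOS releases that means DES and DH group 1, an assumption to confirm on your platform), the wildcard pre-shared key, a profile without PFS (the show crypto ipsec sa output further down reports PFS (Y/N): N), and reuse of a well-known lab secret. The finding codes, the LAB_SECRETS list and the function names are assumptions made for this example.

```python
import re

# Constructed input: condensed from this page's crypto and Tunnel0 lines.
PAGE_CONFIG = """\
crypto isakmp policy 10
 hash sha256
 authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0
crypto ipsec profile IPSEC-PROFILE
 set transform-set TRANSFORM-SET
interface Tunnel0
 ip nhrp authentication cisco123
"""
LAB_SECRETS = {"cisco", "cisco123"}  # assumed list of well-known lab keys

def stanzas(config):
    """Group indented sub-commands under their top-level IOS command."""
    out = []
    for line in config.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        if line[0].isspace() and out:
            out[-1][1].append(line.strip())
        else:
            out.append((line.strip(), []))
    return out

def audit(config):
    """Return (code, detail) findings for the IKE/IPsec/NHRP settings."""
    findings = []
    for head, body in stanzas(config):
        if head.startswith("crypto isakmp policy"):
            # Assumption: anything left unset falls back to the platform default.
            for kw in ("encryption", "group"):
                if not any(c.split()[0] == kw for c in body):
                    findings.append(("IKE_DEFAULT", f"{head}: no explicit '{kw}'"))
        if re.match(r"crypto isakmp key .* address 0\.0\.0\.0\b", head):
            findings.append(("WILDCARD_PSK", "key is accepted from any peer address"))
        if head.startswith("crypto ipsec profile") and not any(
                c.startswith("set pfs") for c in body):
            findings.append(("NO_PFS", f"{head}: no 'set pfs'"))
        for cmd in [head] + body:
            m = re.search(r"(?:isakmp key(?: [06])?|nhrp authentication) (\S+)", cmd)
            if m and m.group(1) in LAB_SECRETS:
                findings.append(("LAB_SECRET", cmd.replace(m.group(1), "<redacted>")))
    return findings

if __name__ == "__main__":
    print("\n".join(f"{c:13}{d}" for c, d in audit(PAGE_CONFIG)))
```

Run show crypto isakmp policy on the router to see which values a given release actually fills in for the unset fields.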

Verifying the Encrypted Tunnels

Check that Phase 1 says ACTIVE.

Router1_Hub#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
1.1.1.1         2.2.2.1         QM_IDLE           1001 ACTIVE
1.1.1.1         3.3.3.1         QM_IDLE           1003 ACTIVE
3.3.3.1         1.1.1.1         QM_IDLE           1004 ACTIVE
2.2.2.1         1.1.1.1         QM_IDLE           1002 ACTIVE

IPv6 Crypto ISAKMP SA

Check Phase 2 and make sure encaps and decaps are not zero.

Router1_Hub#show crypto ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 1.1.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (3.3.3.1/255.255.255.255/47/0)
   current_peer 3.3.3.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 263, #pkts encrypt: 263, #pkts digest: 263
    #pkts decaps: 263, #pkts decrypt: 263, #pkts verify: 263
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 1.1.1.1, remote crypto endpt.: 3.3.3.1
     plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0xCC4E37C1(3427678145)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
 --More-- 
