20.1.2 Lab - Configure Secure DMVPN Tunnels - ILM

This document provides instructions for a lab that secures DMVPN phase 3 tunnels with IPsec. The lab objectives are to build the DMVPN network, verify phase 3 operation, and then secure the phase 3 tunnels. Initial configurations are provided for routers R1, R2, R3 and switch DMVPN that have been preconfigured with a working DMVPN phase 3 implementation. In part 1 of the lab, students will verify operation of the DMVPN tunnels. In part 2, IPsec will be applied to encrypt and protect data on the spoke-to-hub and spoke-to-spoke tunnels.

Lab - Configure Secure DMVPN Tunnels (Instructor Version)

Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.

Topology

Addressing Table

Device   Interface    IPv4 Address
R1       G0/0/1       192.0.2.1/24
R1       Tunnel 1     100.100.100.1/29
R2       G0/0/1       198.51.100.2/24
R2       Loopback 0   192.168.1.1/24
R2       Loopback 1   172.16.1.1/24
R2       Tunnel 1     100.100.100.2/29
R3       G0/0/1       203.0.113.2/24
R3       Loopback 0   192.168.3.1/24
R3       Loopback 1   172.16.3.1/24
R3       Tunnel 1     100.100.100.3/29

Objectives
Part 1: Build the Network and Verify DMVPN Phase 3 Operation
Part 2: Secure DMVPN Phase 3 Tunnels

Background / Scenario

 2020 - 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 1 of 16 www.netacad.com
Lab - Configure Secure DMVPN Tunnels

In previous labs, you have configured DMVPN Phase 1 and Phase 3 networks, including configuration of
DMVPN Phase 3 with IPv6. However, in those labs, IPsec was not used to encrypt and protect data travelling
on the tunnels. IPsec functionality is essential to DMVPN implementation. In this lab, you will work with the
DMVPN Phase 3 implementation from the Implement a DMVPN Phase 3 Spoke-to-Spoke Topology lab. You
will start with a working configuration and then apply IPsec to the spoke-to-hub and spoke-to-spoke tunnels.
Finally, you will verify the operation of the secured tunnels.
Note: The routers used with CCNA hands-on labs are Cisco 4221 with Cisco IOS XE Release 16.9.4
(universalk9 image). The switch used is a Cisco Catalyst 3650 with Cisco IOS XE Release 16.9.4
(universalk9 image). Other routers, Layer 3 switches, and Cisco IOS versions can be used. Depending on the
model and Cisco IOS version, the commands available and the output produced might vary from what is
shown in the labs. Refer to the Router Interface Summary Table at the end of the lab for the correct interface
identifiers.

Required Resources
• 3 Routers (Cisco 4221 with Cisco IOS XE Release 16.9.4 universal image or comparable)
• 1 Switch (Cisco 3560 with Cisco IOS XE Release 16.9.4 universal image or comparable)
• 1 PC (Choice of operating system with a terminal emulation program installed)
• Console cables to configure the Cisco IOS devices via the console ports
• Ethernet cables as shown in the topology

Initial Configurations
Students will use the answer configurations from the lab Implement a DMVPN Phase 3 Spoke-to-Spoke
Topology. If they do not have the preconfigured devices, they could benefit by practicing configuration of
DMVPN Phase 3 from that lab. Otherwise, they could paste the initial configurations into the devices. Initial
configurations are provided here.
R1 hub router
hostname R1
no ip domain lookup
banner motd # R1, Implement DMVPN Hub #
line con 0
exec-timeout 0 0
logging synchronous
exit
line vty 0 4
privilege level 15
password cisco123
exec-timeout 0 0
logging synchronous
login
exit
interface g0/0/1
ip address 192.0.2.1 255.255.255.252
no shutdown
exit
interface tunnel 1
tunnel mode gre multipoint
tunnel source g0/0/1

 2020 - 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 2 of 16 www.netacad.com
Lab - Configure Secure DMVPN Tunnels

tunnel key 999


ip address 100.100.100.1 255.255.255.248
ip nhrp network-id 1
ip nhrp authentication NHRPauth
ip nhrp map multicast dynamic
ip nhrp redirect
bandwidth 4000
ip mtu 1400
ip tcp adjust-mss 1360
exit
router eigrp DMVPN_TUNNEL_NET
address-family ipv4 unicast autonomous-system 68
eigrp router-id 1.1.1.1
network 100.100.100.0 255.255.255.248
af-interface tunnel 1
no split-horizon
router eigrp DMVPN_TRANS_NET
address-family ipv4 unicast autonomous-system 168
eigrp router-id 10.1.1.1
network 192.0.2.0 255.255.255.252
end

R2 spoke router 1
hostname R2
no ip domain lookup
banner motd # R2, Implement DMVPN Spoke 1 #
line con 0
exec-timeout 0 0
logging synchronous
exit
line vty 0 4
privilege level 15
password cisco123
exec-timeout 0 0
logging synchronous
login
exit
interface g0/0/1
ip address 198.51.100.2 255.255.255.252
no shutdown
exit
interface loopback 0
ip address 192.168.2.1 255.255.255.0
no shutdown
exit
interface loopback 1
ip address 172.16.2.1 255.255.255.0

 2020 - 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 3 of 16 www.netacad.com
Lab - Configure Secure DMVPN Tunnels

no shutdown
exit
interface tunnel 1
tunnel mode gre multipoint
tunnel source loopback 0
no tunnel destination
tunnel key 999
ip address 100.100.100.2 255.255.255.248
ip nhrp network-id 1
ip nhrp authentication NHRPauth
ip nhrp nhs 100.100.100.1
ip nhrp map multicast 192.0.2.1
ip nhrp map 100.100.100.1 192.0.2.1
ip nhrp shortcut
ip mtu 1400
ip tcp adjust-mss 1360
router eigrp DMVPN_TUNNEL_NET
address-family ipv4 unicast autonomous-system 68
eigrp router-id 2.2.2.2
network 100.100.100.0 255.255.255.248
network 172.16.2.0 255.255.255.0
eigrp stub connected
router eigrp DMVPN_TRANS_NET
address-family ipv4 unicast autonomous-system 168
eigrp router-id 20.2.2.2
network 198.51.100.0 255.255.255.252
network 192.168.2.0 255.255.255.0
end
Router R3 spoke 2
hostname R3
no ip domain lookup
banner motd # R3, Implement DMVPN Spoke 2 #
line con 0
exec-timeout 0 0
logging synchronous
exit
line vty 0 4
privilege level 15
password cisco123
exec-timeout 0 0
logging synchronous
login
exit
interface g0/0/1
ip address 203.0.113.2 255.255.255.252

 2020 - 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 4 of 16 www.netacad.com
Lab - Configure Secure DMVPN Tunnels

no shutdown
exit
interface loopback 0
ip address 192.168.3.1 255.255.255.0
no shutdown
exit
interface loopback 1
ip address 172.16.3.1 255.255.255.0
no shutdown
exit
interface tunnel 1
tunnel mode gre multipoint
tunnel source loopback 0
no tunnel destination
tunnel key 999
ip address 100.100.100.3 255.255.255.248
ip nhrp network-id 1
ip nhrp authentication NHRPauth
ip nhrp nhs 100.100.100.1
ip nhrp map multicast 192.0.2.1
ip nhrp map 100.100.100.1 192.0.2.1
ip nhrp shortcut
ip mtu 1400
ip tcp adjust-mss 1360
router eigrp DMVPN_TUNNEL_NET
address-family ipv4 unicast autonomous-system 68
eigrp router-id 3.3.3.3
network 100.100.100.0 255.255.255.248
network 172.16.3.0 255.255.255.0
eigrp stub connected
router eigrp DMVPN_TRANS_NET
address-family ipv4 unicast autonomous-system 168
eigrp router-id 30.3.3.3
network 203.0.113.0 255.255.255.252
network 192.168.3.0 255.255.255.0
eigrp stub connected
end
Layer 3 Switch DMVPN
hostname DMVPN
no ip domain lookup
ip routing
banner motd # DMVPN, DMVPN cloud switch #
line con 0
exec-timeout 0 0
logging synchronous

 2020 - 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 5 of 16 www.netacad.com
Lab - Configure Secure DMVPN Tunnels

exit
line vty 0 4
privilege level 15
password cisco123
exec-timeout 0 0
logging synchronous
login
interface g1/0/11
no switchport
ip address 192.0.2.2 255.255.255.252
no shutdown
exit
interface g1/0/12
no switchport
ip address 198.51.100.1 255.255.255.252
no shutdown
exit
interface g1/0/13
no switchport
ip address 203.0.113.1 255.255.255.252
no shutdown
exit
router eigrp DMVPN_TRANS_NET
address-family ipv4 unicast autonomous-system 168
eigrp router-id 40.4.4.4
network 192.0.2.0 255.255.255.252
network 198.51.100.0 255.255.255.252
network 203.0.113.0 255.255.255.252
end

Instructions

Part 1: Build the Network and Verify DMVPN Phase 3 Operation


In Part 1, you will set up the network topology and configure basic settings if the network is not already
configured. This lab uses the same topology and final configurations from the Implement a DMVPN Phase 3
Spoke-to-Spoke Topology lab.

Step 1: Cable the network as shown in the topology.


Connect the devices as shown in the topology diagram.

Step 2: Configure initial settings for each router and the Layer 3 switch.
Console into each device, enter global configuration mode, and apply the initial settings for the lab if the
devices are not already configured.

 2020 - 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 6 of 16 www.netacad.com
Lab - Configure Secure DMVPN Tunnels

Step 3: Verify connectivity in the network.


a. From R1, ping the loopback interfaces of R2 and R3. All pings should be successful. This verifies that full
connectivity exists in the underlay, or transport, network.

R1# ping 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

R1# ping 192.168.3.1


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

Step 4: Verify DMVPN Phase 3 operation.


a. Return to R2. Initiate a traceroute to the simulated LAN interface on R3. The path will pass through R1
as it does in a DMVPN Phase 1 network.

Note: The first trace may fail if the DMVPN switch CAM table is empty.
R2# traceroute 172.16.3.1
Type escape sequence to abort.
Tracing the route to 172.16.3.1
VRF info: (vrf in name/id, vrf out name/id)
1 100.100.100.1 1 msec 1 msec 1 msec
2 100.100.100.3 1 msec * 2 msec

b. Issue the traceroute command again. You will now see that R1 has enabled direct spoke-to-spoke
communication between R2 and R3. This tunnel will expire and close dynamically. The tunnel reopens
after data for the spoke router is sent again.
R2# traceroute 172.16.3.1
Type escape sequence to abort.
Tracing the route to 172.16.3.1
VRF info: (vrf in name/id, vrf out name/id)
1 100.100.100.3 1 msec * 1 msec

Part 2: Secure DMVPN Phase 3 Tunnels


Now that the tunnels have been configured and DMVPN connectivity has been verified, the tunnels can be
secured with IPsec.

Step 1: Create the IKE policy.


Create an IKE policy that defines the hash algorithm, encryption type, key exchange method, Diffie-Hellman
group, and the authentication method.
R1(config)# crypto isakmp policy 99


R1(config-isakmp)# hash sha384
R1(config-isakmp)# encryption aes 256
R1(config-isakmp)# group 14
R1(config-isakmp)# authentication pre-share

 2020 - 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 7 of 16 www.netacad.com
Lab - Configure Secure DMVPN Tunnels

R1(config-isakmp)# exit

Step 2: Configure the ISAKMP key.


Configure the pre-shared key and peer address. Use 0.0.0.0 to match multiple peer addresses. Use a key of
DMVPN@key#.
R1(config)# crypto isakmp key DMVPN@key# address 0.0.0.0

Step 3: Create and configure the IPsec transform set.


Configure the IPsec transform set. Use DMVPN_TRANS as the transform set name. Specify esp-aes with a
256-bit key as the encryption transform and esp-sha384-hmac as the authentication transform. Configure the
transform set to use IPsec transport mode for the tunnels.
R1(config)# crypto ipsec transform-set DMVPN_TRANS esp-aes 256 esp-sha384-hmac
R1(cfg-crypto-trans)# mode transport
R1(cfg-crypto-trans)# exit

Step 4: Create the IPsec profile.


Create an IPsec profile with the name DMVPN_PROFILE. Associate the DMVPN_TRANS transform set with
the profile.
R1(config)# crypto ipsec profile DMVPN_PROFILE
R1(ipsec-profile)# set transform-set DMVPN_TRANS
R1(ipsec-profile)# exit

Step 5: Apply the IPsec profile to the tunnel interface.


Finally, apply the IPsec profile to the tunnel interface. After you apply the profile, you will see that IPsec is
now active, and you will lose adjacency with R2 and R3 until their respective ends of the tunnel are configured.
R1(config)# interface tunnel 1
R1(config-if)# tunnel protection ipsec profile DMVPN_PROFILE
R1(config-if)# exit
*Mar 30 07:39:32.398: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R1(config)#
*Mar 30 07:39:32.963: %IOSXE-3-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:001
TS:00000000594132950499 %IPSEC-3-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC
packet, dest_addr= 192.0.2.1, src_addr= 192.168.2.1, prot= 47
*Mar 30 07:39:43.664: %DUAL-5-NBRCHANGE: EIGRP-IPv4 68: Neighbor 100.100.100.2
(Tunnel1) is down: holding time expired
*Mar 30 07:39:44.235: %DUAL-5-NBRCHANGE: EIGRP-IPv4 68: Neighbor 100.100.100.3
(Tunnel1) is down: holding time expired
R1(config)#

Step 6: Configure R2 and R3 with IPsec.


Repeat this configuration on the R2 and R3 routers.
R2(config)# crypto isakmp policy 99
R2(config-isakmp)# hash sha384
R2(config-isakmp)# encryption aes 256
R2(config-isakmp)# group 14
R2(config-isakmp)# authentication pre-share
R2(config-isakmp)# exit
R2(config)# crypto isakmp key DMVPN@key# address 0.0.0.0

 2020 - 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 8 of 16 www.netacad.com
Lab - Configure Secure DMVPN Tunnels

R2(config)# crypto ipsec transform-set DMVPN_TRANS esp-aes 256 esp-sha384-hmac


R2(cfg-crypto-trans)# mode transport
R2(cfg-crypto-trans)# exit
R2(config)# crypto ipsec profile DMVPN_PROFILE
R2(ipsec-profile)# set transform-set DMVPN_TRANS
R2(ipsec-profile)# exit
R2(config)# interface tunnel 1
R2(config-if)# tunnel protection ipsec profile DMVPN_PROFILE
R2(config-if)# exit

R3(config)# crypto isakmp policy 99


R3(config-isakmp)# hash sha384
R3(config-isakmp)# encryption aes 256
R3(config-isakmp)# group 14
R3(config-isakmp)# authentication pre-share
R3(config-isakmp)# exit
R3(config)# crypto isakmp key DMVPN@key# address 0.0.0.0
R3(config)# crypto ipsec transform-set DMVPN_TRANS esp-aes 256 esp-sha384-hmac
R3(cfg-crypto-trans)# mode transport
R3(cfg-crypto-trans)# exit
R3(config)# crypto ipsec profile DMVPN_PROFILE
R3(ipsec-profile)# set transform-set DMVPN_TRANS
R3(ipsec-profile)# exit
R3(config)# interface tunnel 1
R3(config-if)# tunnel protection ipsec profile DMVPN_PROFILE
R3(config-if)# exit
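Steps 1 through 6 apply the same IKE policy, pre-shared key, transform set and profile on all three routers, and the log messages in Step 5 show what happens while the two ends of a tunnel disagree. The following Python script is an added example, not part of the Cisco lab: it parses the crypto-related lines of a router configuration, verifies that the tunnel interface, its profile and the transform set resolve to each other, checks the parameters against an assumed baseline (MIN_DH_GROUP and WEAK_ESP are this example's own choices, not Cisco guidance), and compares routers for IKE policy and pre-shared key mismatches. R1_CFG is constructed from the Part 2 commands; R3_BAD_CFG is a constructed copy with a weaker DH group and a mistyped key, so the output shows what the checks report.

```python
"""Audit the IPsec settings applied to a DMVPN tunnel interface.

Added example, not part of the Cisco lab: checks each router's profile ->
transform-set -> tunnel chain against an assumed baseline and compares routers
for IKE policy or pre-shared key mismatches before 'tunnel protection' is applied.
"""
import re

MIN_DH_GROUP = 14                                   # assumed baseline for this example
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-sha-hmac"}

# Constructed from the Part 2 commands; R3_BAD_CFG deliberately carries two mistakes.
R1_CFG = """\
hostname R1
crypto isakmp policy 99
 hash sha384
 encryption aes 256
 group 14
 authentication pre-share
crypto isakmp key DMVPN@key# address 0.0.0.0
crypto ipsec transform-set DMVPN_TRANS esp-aes 256 esp-sha384-hmac
 mode transport
crypto ipsec profile DMVPN_PROFILE
 set transform-set DMVPN_TRANS
interface Tunnel1
 tunnel protection ipsec profile DMVPN_PROFILE
"""
R3_BAD_CFG = (R1_CFG.replace("hostname R1", "hostname R3")
              .replace("group 14", "group 5").replace("DMVPN@key#", "DMVPN@key"))

def _transforms(spec):
    """'esp-aes 256 esp-sha384-hmac' -> ['esp-aes 256', 'esp-sha384-hmac']."""
    out = []
    for tok in spec.split():
        if tok.isdigit() and out:
            out[-1] += " " + tok                        # a key size belongs to its cipher
        else:
            out.append(tok)
    return out

def parse_crypto(text):
    """Collect the IKE policy, keys, transform sets, profiles and protected tunnels."""
    cfg = {"hostname": "", "ike": {}, "keys": [], "transform_sets": {}, "profiles": {}, "tunnels": {}}
    ts = prof = iface = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"hostname (\S+)", line):
            cfg["hostname"] = m[1]
        elif m := re.match(r"(hash|encryption|group|authentication) (.+)", line):
            cfg["ike"][m[1]] = m[2]
        elif m := re.match(r"crypto isakmp key (\S+) address (\S+)", line):
            cfg["keys"].append((m[1], m[2]))
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            ts = m[1]
            cfg["transform_sets"][ts] = {"transforms": _transforms(m[2]), "mode": "tunnel"}
        elif (m := re.match(r"mode (\S+)", line)) and ts:
            cfg["transform_sets"][ts]["mode"] = m[1]    # IOS default is tunnel mode
        elif m := re.match(r"crypto ipsec profile (\S+)", line):
            prof = m[1]
        elif (m := re.match(r"set transform-set (\S+)", line)) and prof:
            cfg["profiles"][prof] = m[1]
        elif m := re.match(r"interface (.+)", line):
            iface = m[1].replace(" ", "")               # 'tunnel 1' and 'Tunnel1' are the same
        elif (m := re.match(r"tunnel protection ipsec profile (\S+)", line)) and iface:
            cfg["tunnels"][iface] = m[1]
    return cfg

def audit(cfg):
    """Findings for one router; an empty list means the chain resolves and meets the baseline."""
    f, h, ike = [], cfg["hostname"], cfg["ike"]
    if int(ike.get("group", 0)) < MIN_DH_GROUP:
        f.append(f"{h}: ISAKMP DH group {ike.get('group')} is below group {MIN_DH_GROUP}")
    for iface, prof in cfg["tunnels"].items():
        tset = cfg["transform_sets"].get(cfg["profiles"].get(prof, ""))
        if tset is None:
            f.append(f"{h}: {iface} -> profile {prof} does not resolve to a defined transform set")
        elif set(tset["transforms"]) & WEAK_ESP:
            f.append(f"{h}: transform set for {prof} uses a weak transform")
        elif tset["mode"] != "transport":
            f.append(f"{h}: transform set for {prof} is in {tset['mode']} mode, not transport")
    return f

def compare(configs):
    """Every router must carry the same IKE policy and pre-shared key as the first one."""
    ref, f = configs[0], []
    for c in configs[1:]:
        for k in ("hash", "encryption", "group", "authentication"):
            if c["ike"].get(k) != ref["ike"].get(k):
                f.append(f"{c['hostname']}: ISAKMP {k} '{c['ike'].get(k)}' differs from {ref['hostname']}")
        if {k for k, _ in c["keys"]} != {k for k, _ in ref["keys"]}:
            f.append(f"{c['hostname']}: pre-shared key differs from {ref['hostname']}")
    return f

if __name__ == "__main__":
    r1, r3 = parse_crypto(R1_CFG), parse_crypto(R3_BAD_CFG)
    for finding in audit(r1) + audit(r3) + compare([r1, r3]):
        print(finding)
```

Run against the real devices by pasting the output of show running-config | section crypto|interface Tunnel from each router in place of the constructed strings. The transport-mode check reflects Step 3 of this lab; the wildcard 0.0.0.0 key address from Step 2 is accepted as configured, since DMVPN spokes with dynamic transport addresses rely on it.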

Step 7: Verify DMVPN Phase 3 operation.


a. As was done previously, test the operation of the spoke-to-spoke DMVPN. Return to R2. Initiate a
traceroute to the simulated LAN interface on R3. The path will pass through R1 as it does in a DMVPN
Phase 1 network.
R2# traceroute 172.16.3.1


Type escape sequence to abort.
Tracing the route to 172.16.3.1
VRF info: (vrf in name/id, vrf out name/id)
1 100.100.100.1 1 msec 1 msec 1 msec
2 100.100.100.3 1 msec * 2 msec

b. Issue the traceroute command again. You will now see that R1 has enabled direct spoke-to-spoke
communication between R2 and R3. This tunnel will expire and close dynamically. The tunnel reopens
after data for the spoke router is sent again.
R2# traceroute 172.16.3.1
Type escape sequence to abort.
Tracing the route to 172.16.3.1
VRF info: (vrf in name/id, vrf out name/id)
1 100.100.100.3 1 msec * 1 msec

 2020 - 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 9 of 16 www.netacad.com
Lab - Configure Secure DMVPN Tunnels

Step 8: Verify IPsec configuration.


Note: Shut down a tunnel interface to clear its IPsec socket if you wish to explore the outputs before and after
spoke-to-spoke tunnel establishment.
a. To show information about the IPsec profiles that are configured on a device, issue the show crypto
ipsec profile command. Note that the profile that was previously configured is shown along with a default
profile.
R2# show crypto ipsec profile
IPSEC profile DMVPN_PROFILE
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Mixed-mode : Disabled
Transform sets={
DMVPN_TRANS: { esp-256-aes esp-sha384-hmac } ,
}

IPSEC profile default


Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Mixed-mode : Disabled
Transform sets={
default: { esp-aes esp-sha-hmac } ,
}

b. It is very important to verify that tunnel traffic will be encrypted. On R1, issue the show dmvpn detail
command. As the hub router, R1 should see the spoke peers. The first part of the output shows the tunnel
interface status and the peer table. Both peers should be shown with their transport and overlay interface
addresses, as you have seen previously.
The Crypto Session Details portion of the output should contain information about the status of the
encrypted tunnels. Both of the spoke routers should appear in this output also. Note that the transform set
that you configured is also displayed in the Crypto Session output.
R1# show dmvpn detail
<output omitted>
Interface Tunnel1 is up/up, Addr. is 100.100.100.1, VRF ""
Tunnel Src./Dest. addr: 192.0.2.1/Multipoint, Tunnel VRF ""
Protocol/Transport: "multi-GRE/IP", Protect "DMVPN_PROFILE"
Interface State Control: Disabled
nhrp event-publisher : Disabled
Type:Hub, Total NBMA Peers (v4/v6): 2

# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb Target Network
----- --------------- --------------- ----- -------- ----- -----------------
1 192.168.2.1 100.100.100.2 UP 00:04:25 D 100.100.100.2/32
1 192.168.3.1 100.100.100.3 UP 00:04:59 D 100.100.100.3/32

Crypto Session Details:


--------------------------------------------------------------------------------

 2020 - 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 10 of 16 www.netacad.com
Lab - Configure Secure DMVPN Tunnels

Interface: Tunnel1
Session: [0x7F6E17B867D0]
Session ID: 0
IKEv1 SA: local 192.0.2.1/500 remote 192.168.2.1/500 Active
Capabilities:(none) connid:1001 lifetime:23:59:19
Session ID: 0
IKEv1 SA: local 192.0.2.1/500 remote 192.168.2.1/500 Active
Capabilities:(none) connid:1002 lifetime:23:59:28
Crypto Session Status: UP-ACTIVE
fvrf: (none), Phase1_id: 192.168.2.1
IPSEC FLOW: permit 47 host 192.0.2.1 host 192.168.2.1
Active SAs: 4, origin: crypto map
Inbound: #pkts dec'ed 17 drop 0 life (KB/Sec) 4607998/3568
Outbound: #pkts enc'ed 16 drop 0 life (KB/Sec) 4607999/3568
Outbound SPI : 0xD2E76488, transform : esp-256-aes esp-sha384-hmac
Socket State: Open

Interface: Tunnel1
Session: [0x7F6E17B86950]
Session ID: 0
IKEv1 SA: local 192.0.2.1/500 remote 192.168.3.1/500 Active
Capabilities:(none) connid:1004 lifetime:23:59:48
Session ID: 0
IKEv1 SA: local 192.0.2.1/500 remote 192.168.3.1/500 Active
Capabilities:(none) connid:1003 lifetime:23:59:40
Crypto Session Status: UP-ACTIVE
fvrf: (none), Phase1_id: 192.168.3.1
IPSEC FLOW: permit 47 host 192.0.2.1 host 192.168.3.1
Active SAs: 6, origin: crypto map
Inbound: #pkts dec'ed 11 drop 0 life (KB/Sec) 4607999/3588
Outbound: #pkts enc'ed 10 drop 0 life (KB/Sec) 4607999/3588
Outbound SPI : 0xCB3D3313, transform : esp-256-aes esp-sha384-hmac
Socket State: Open

Pending DMVPN Sessions:



c. Issue the show crypto ipsec sa command on R2 to display the security associations (SAs) that have been
made by R2. This output is for the spoke-to-hub tunnel between R1 and R2 prior to the establishment of
the spoke-to-spoke tunnel. This command provides additional details regarding the IPsec status of the
tunnel, encrypted and decrypted packet statistics, and other details regarding characteristics of the
encrypted tunnel.
R2# show crypto ipsec sa

interface: Tunnel1
Crypto map tag: Tunnel1-head-0, local addr 192.168.2.1

protected vrf: (none)


local ident (addr/mask/prot/port): (192.168.2.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (192.0.2.1/255.255.255.255/47/0)

 2020 - 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 11 of 16 www.netacad.com
Lab - Configure Secure DMVPN Tunnels

current_peer 192.0.2.1 port 500


PERMIT, flags={origin_is_acl,}
#pkts encaps: 125, #pkts encrypt: 125, #pkts digest: 125
#pkts decaps: 126, #pkts decrypt: 126, #pkts verify: 126
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 192.168.2.1, remote crypto endpt.: 192.0.2.1


plaintext mtu 1458, path mtu 1514, ip mtu 1514, ip mtu idb Loopback0
current outbound spi: 0x97C1D18A(2546061706)
PFS (Y/N): N, DH group: none

inbound esp sas:


spi: 0xD2E76488(3538379912)
transform: esp-256-aes esp-sha384-hmac ,
in use settings ={Transport, }
conn id: 2003, flow_id: ESG:3, sibling_flags FFFFFFFF80000008, crypto map:
Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4607984/3047)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:


spi: 0x97C1D18A(2546061706)
transform: esp-256-aes esp-sha384-hmac ,
in use settings ={Transport, }
conn id: 2004, flow_id: ESG:4, sibling_flags FFFFFFFF80000008, crypto map:
Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4607990/3047)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:

The output below is for the same command after the spoke-to-spoke tunnel is open. Entries exist for both
the tunnel to R1 and the spoke-to-spoke tunnel between R2 and R3.
R2# show crypto ipsec sa

interface: Tunnel1
Crypto map tag: Tunnel1-head-0, local addr 192.168.2.1

 2020 - 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 12 of 16 www.netacad.com
Lab - Configure Secure DMVPN Tunnels

protected vrf: (none)


local ident (addr/mask/prot/port): (192.168.2.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (192.168.3.1/255.255.255.255/47/0)
current_peer 192.168.3.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 192.168.2.1, remote crypto endpt.: 192.168.3.1


plaintext mtu 1458, path mtu 1514, ip mtu 1514, ip mtu idb Loopback0
current outbound spi: 0x658E8CF5(1703841013)
PFS (Y/N): N, DH group: none

inbound esp sas:


spi: 0xFA8FC9F2(4203727346)
transform: esp-256-aes esp-sha384-hmac ,
in use settings ={Transport, }
conn id: 2005, flow_id: ESG:5, sibling_flags FFFFFFFF80000008, crypto map:
Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4608000/3316)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0x59C41A42(1506024002)
transform: esp-256-aes esp-sha384-hmac ,
in use settings ={Transport, }
conn id: 2007, flow_id: ESG:7, sibling_flags FFFFFFFF80004008, crypto map:
Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4608000/3326)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:


spi: 0x60CC6F77(1624010615)
transform: esp-256-aes esp-sha384-hmac ,
in use settings ={Transport, }
conn id: 2006, flow_id: ESG:6, sibling_flags FFFFFFFF80000008, crypto map:
Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4608000/3316)
IV size: 16 bytes

 2020 - 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 13 of 16 www.netacad.com
Lab - Configure Secure DMVPN Tunnels

replay detection support: Y


Status: ACTIVE(ACTIVE)
spi: 0x658E8CF5(1703841013)
transform: esp-256-aes esp-sha384-hmac ,
in use settings ={Transport, }
conn id: 2008, flow_id: ESG:8, sibling_flags FFFFFFFF80004008, crypto map:
Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4608000/3326)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:

protected vrf: (none)


local ident (addr/mask/prot/port): (192.168.2.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (192.0.2.1/255.255.255.255/47/0)
current_peer 192.0.2.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 67, #pkts encrypt: 67, #pkts digest: 67
#pkts decaps: 67, #pkts decrypt: 67, #pkts verify: 67
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 192.168.2.1, remote crypto endpt.: 192.0.2.1


plaintext mtu 1458, path mtu 1514, ip mtu 1514, ip mtu idb Loopback0
current outbound spi: 0x97C1D18A(2546061706)
PFS (Y/N): N, DH group: none

inbound esp sas:


spi: 0xD2E76488(3538379912)
transform: esp-256-aes esp-sha384-hmac ,
in use settings ={Transport, }
conn id: 2003, flow_id: ESG:3, sibling_flags FFFFFFFF80000008, crypto map:
Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4607991/3305)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:

 2020 - 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 14 of 16 www.netacad.com
Lab - Configure Secure DMVPN Tunnels

spi: 0x97C1D18A(2546061706)
transform: esp-256-aes esp-sha384-hmac ,
in use settings ={Transport, }
conn id: 2004, flow_id: ESG:4, sibling_flags FFFFFFFF80000008, crypto map:
Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4607995/3305)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:

d. On R2, issue the show crypto isakmp sa command to view the Internet Security Association and Key
Management Protocol (ISAKMP) SAs between the peers. Before the formation of the spoke-to-spoke
tunnel, SA entries exist between R2 and R3, but no further negotiation has occurred, as indicated by
the MM_NO_STATE state of the two SAs between the routers.
R2# show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
192.0.2.1 192.168.2.1 QM_IDLE 1001 ACTIVE
192.168.2.1 192.0.2.1 QM_IDLE 1002 ACTIVE
192.168.3.1 192.168.2.1 MM_NO_STATE 1004 ACTIVE (deleted)
192.168.2.1 192.168.3.1 MM_NO_STATE 1003 ACTIVE (deleted)

IPv6 Crypto ISAKMP SA

After traffic has established the spoke-to-spoke tunnel, the SAs all show the QM_IDLE state. The SAs
have been fully negotiated and are available for further ISAKMP quick mode exchanges.
Note: ISAKMP modes are outside the scope of this course.
R2# show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
192.0.2.1 192.168.2.1 QM_IDLE 1001 ACTIVE
192.168.2.1 192.0.2.1 QM_IDLE 1002 ACTIVE
192.168.3.1 192.168.2.1 QM_IDLE 1004 ACTIVE
192.168.2.1 192.168.3.1 QM_IDLE 1003 ACTIVE

IPv6 Crypto ISAKMP SA

e. You have successfully configured and verified IPsec on DMVPN Phase 3 tunnels.
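Step 8 has you read the show output by eye and compare states between the two captures. The following Python script is an added example, not part of the Cisco lab: it parses the text of show crypto isakmp sa and show crypto ipsec sa and reports, per peer, whether IKE reached QM_IDLE and whether ESP SAs are active in both directions, which is the check a practitioner wants before trusting that tunnel traffic is encrypted. ISAKMP_BEFORE and IPSEC_BEFORE are constructed from the abbreviated R2 output shown in sub-steps c and d, before the spoke-to-spoke tunnel has formed; the peer_report function and its "ok" rule (IKE complete and an active inbound and outbound ESP SA) are this example's own.

```python
"""Check IPsec state on a DMVPN spoke from 'show' output.

Added example, not part of the Cisco lab: parses 'show crypto isakmp sa' and
'show crypto ipsec sa' text as captured on R2 in Step 8 and reports, per peer,
whether IKE completed (QM_IDLE) and whether ESP SAs are active both ways.
The sample outputs are constructed from the lab's abbreviated output.
"""
import re

IP = r"(\d+\.\d+\.\d+\.\d+)"

# Constructed sample: R2 before the spoke-to-spoke tunnel to R3 has come up.
ISAKMP_BEFORE = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.0.2.1       192.168.2.1     QM_IDLE           1001 ACTIVE
192.168.2.1     192.0.2.1       QM_IDLE           1002 ACTIVE
192.168.3.1     192.168.2.1     MM_NO_STATE       1004 ACTIVE (deleted)
192.168.2.1     192.168.3.1     MM_NO_STATE       1003 ACTIVE (deleted)
"""
IPSEC_BEFORE = """\
interface: Tunnel1
   local ident (addr/mask/prot/port): (192.168.2.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (192.0.2.1/255.255.255.255/47/0)
    #pkts encaps: 125, #pkts encrypt: 125, #pkts digest: 125
    #pkts decaps: 126, #pkts decrypt: 126, #pkts verify: 126
     inbound esp sas:
      spi: 0xD2E76488(3538379912)
        transform: esp-256-aes esp-sha384-hmac ,
        Status: ACTIVE(ACTIVE)
     inbound ah sas:
     outbound esp sas:
      spi: 0x97C1D18A(2546061706)
        transform: esp-256-aes esp-sha384-hmac ,
        Status: ACTIVE(ACTIVE)
     outbound ah sas:
"""


def parse_isakmp_sa(text):
    """One dict per IKEv1 SA row of 'show crypto isakmp sa'."""
    pat = re.compile(IP + r"\s+" + IP + r"\s+(\S+)\s+\d+\s+(\S+)(\s+\(deleted\))?$")
    rows = []
    for line in text.splitlines():
        if m := pat.match(line.strip()):
            rows.append({"dst": m[1], "src": m[2], "state": m[3],
                         "status": m[4], "deleted": m[5] is not None})
    return rows


def parse_ipsec_sa(text):
    """Map each remote peer in 'show crypto ipsec sa' to its counters and ESP SAs."""
    peers, cur, sas = {}, None, None
    for line in text.splitlines():
        s = line.strip()
        if m := re.match(r"remote ident .*?\(" + IP + "/", s):
            cur = peers.setdefault(m[1], {"encaps": 0, "decaps": 0,
                                          "inbound": [], "outbound": []})
        elif cur is None:
            continue
        elif m := re.match(r"#pkts (encaps|decaps): (\d+)", s):
            cur[m[1]] = int(m[2])
        elif s.endswith(" sas:"):                 # ah/pcp sections are skipped
            kind, proto, _ = s.split()
            sas = cur[kind] if proto == "esp" else None
        elif sas is not None and (m := re.match(r"spi: (0x[0-9A-Fa-f]+)", s)):
            sas.append({"spi": m[1], "transform": "", "status": ""})
        elif sas and (m := re.match(r"transform: (.+?)\s*,?$", s)):
            sas[-1]["transform"] = m[1]
        elif sas and (m := re.match(r"Status: (\S+)", s)):
            sas[-1]["status"] = m[1]
    return peers


def peer_report(isakmp_text, ipsec_text, local_ip):
    """A peer is 'ok' only when IKE reached QM_IDLE and ESP SAs are active both ways."""
    ike = {}
    for sa in parse_isakmp_sa(isakmp_text):
        peer = sa["dst"] if sa["src"] == local_ip else sa["src"]
        ike.setdefault(peer, set()).add(sa["state"] + (" (deleted)" if sa["deleted"] else ""))
    esp = parse_ipsec_sa(ipsec_text)
    report = {}
    for peer in sorted(set(ike) | set(esp)):
        states = ike.get(peer, set())
        e = esp.get(peer, {"encaps": 0, "decaps": 0, "inbound": [], "outbound": []})
        active = [any(x["status"].startswith("ACTIVE") for x in e[d]) for d in ("inbound", "outbound")]
        report[peer] = {
            "ike_states": sorted(states), "ike_complete": "QM_IDLE" in states,
            "esp_active": all(active), "encrypted": e["encaps"], "decrypted": e["decaps"],
            "transforms": sorted({x["transform"] for d in ("inbound", "outbound") for x in e[d]}),
        }
        report[peer]["ok"] = report[peer]["ike_complete"] and report[peer]["esp_active"]
    return report


if __name__ == "__main__":
    for peer, r in peer_report(ISAKMP_BEFORE, IPSEC_BEFORE, "192.168.2.1").items():
        print(f"{peer}: ok={r['ok']} ike={r['ike_states']} enc/dec={r['encrypted']}/{r['decrypted']}")
```

With the constructed "before" captures the hub peer 192.0.2.1 reports ok and the spoke peer 192.168.3.1 reports only MM_NO_STATE (deleted) with no ESP SAs, matching what sub-step d describes. Feed it the "after" captures and both peers should report ok; a peer whose encrypted and decrypted counters stay at zero while traffic is flowing is the case worth investigating.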

Router Interface Summary Table

Router Model  Ethernet Interface #1            Ethernet Interface #2            Serial Interface #1    Serial Interface #2
1800          Fast Ethernet 0/0 (F0/0)         Fast Ethernet 0/1 (F0/1)         Serial 0/0/0 (S0/0/0)  Serial 0/0/1 (S0/0/1)
1900          Gigabit Ethernet 0/0 (G0/0)      Gigabit Ethernet 0/1 (G0/1)      Serial 0/0/0 (S0/0/0)  Serial 0/0/1 (S0/0/1)
2801          Fast Ethernet 0/0 (F0/0)         Fast Ethernet 0/1 (F0/1)         Serial 0/1/0 (S0/1/0)  Serial 0/1/1 (S0/1/1)
2811          Fast Ethernet 0/0 (F0/0)         Fast Ethernet 0/1 (F0/1)         Serial 0/0/0 (S0/0/0)  Serial 0/0/1 (S0/0/1)
2900          Gigabit Ethernet 0/0 (G0/0)      Gigabit Ethernet 0/1 (G0/1)      Serial 0/0/0 (S0/0/0)  Serial 0/0/1 (S0/0/1)
4221          Gigabit Ethernet 0/0/0 (G0/0/0)  Gigabit Ethernet 0/0/1 (G0/0/1)  Serial 0/1/0 (S0/1/0)  Serial 0/1/1 (S0/1/1)
4300          Gigabit Ethernet 0/0/0 (G0/0/0)  Gigabit Ethernet 0/0/1 (G0/0/1)  Serial 0/1/0 (S0/1/0)  Serial 0/1/1 (S0/1/1)

Note: To find out how the router is configured, look at the interfaces to identify the type of router and how many
interfaces the router has. There is no way to effectively list all the combinations of configurations for each router
class. This table includes identifiers for the possible combinations of Ethernet and Serial interfaces in the device.
The table does not include any other type of interface, even though a specific router may contain one. An example
of this might be an ISDN BRI interface. The string in parenthesis is the legal abbreviation that can be used in
Cisco IOS commands to represent the interface.
End of document

Device Configs – Final

Routers R1, R2, and R3


enable
configure terminal
crypto isakmp policy 99
hash sha384
encryption aes 256
group 14
authentication pre-share
exit
crypto isakmp key DMVPN@key# address 0.0.0.0
crypto ipsec transform-set DMVPN_TRANS esp-aes 256 esp-sha384-hmac
mode transport
exit
crypto ipsec profile DMVPN_PROFILE
set transform-set DMVPN_TRANS
exit
interface tunnel1
tunnel protection ipsec profile DMVPN_PROFILE
exit

 2020 - 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 16 of 16 www.netacad.com
