2.3 Configure and verify DMVPN (single hub)
📘CCNP Enterprise – ENARSI (300-410)
DMVPN (Dynamic Multipoint VPN) lets sites build tunnels to each other dynamically, without preconfiguring a static tunnel for every site pair. On its own, however, DMVPN does not encrypt traffic; that is where IPsec comes in. IPsec adds the security: it encrypts and authenticates the data travelling across the DMVPN tunnel so that nobody on the path can read it or tamper with it.
1. Why use IPsec with DMVPN?
- DMVPN by default uses GRE/mGRE for tunneling, which is not secure. Anyone who can intercept the traffic can read it.
- IPsec ensures:
  - Confidentiality: Data is encrypted.
  - Integrity: Data is not modified in transit.
  - Authentication: The tunnel endpoints verify each other.
Think of DMVPN as a dynamic path for data, and IPsec as a lock on that path that ensures only the right sites can communicate securely.
2. IPsec Modes for DMVPN
IPsec can operate in two modes, but in DMVPN, tunnel mode is used:
- Tunnel Mode:
  - Encrypts the entire IP packet.
  - A new IP header is added for routing.
  - Required for GRE/mGRE because GRE needs to traverse untrusted networks.
- Transport Mode:
  - Encrypts only the payload of the IP packet, leaving the original header visible.
  - Not suitable for DMVPN because GRE headers would remain unencrypted.
✅ For CCNP ENARSI: Always remember DMVPN + IPsec = Tunnel Mode.
3. IPsec Components in DMVPN
When configuring IPsec with DMVPN, you’ll encounter these components:
- ISAKMP (IKE) Policies
  - IKE (Internet Key Exchange) establishes a secure channel for exchanging keys.
  - On Cisco devices:
    - Phase 1 (IKEv1): Authenticates peers and establishes a secure control channel.
    - Phase 2 (IPsec): Uses the secure channel to negotiate encryption and hashing algorithms.
  - Example configuration parameters (entered under the ISAKMP policy):

    ```
    encryption aes
    hash sha
    authentication pre-share
    group 5
    ```

    `group 5` selects the Diffie-Hellman (DH) group.
- IPsec Transform Set
  - Defines how the data will be encrypted and authenticated.
  - Example:

    ```
    crypto ipsec transform-set MY_TRANSFORM_SET esp-aes esp-sha-hmac
    ```

    - `esp-aes` → encryption algorithm
    - `esp-sha-hmac` → integrity algorithm
- Crypto Map (used for DMVPN Phase 1 or Phase 2)
  - Maps the IPsec policies to an interface.
  - In DMVPN, dynamic crypto maps are often used because the GRE tunnels are dynamic.
- Profiles (Optional in DMVPN Phase 3)
  - In modern DMVPN, an IPsec profile can be attached directly to the tunnel interface instead of using a crypto map.
  - Example:

    ```
    interface Tunnel0
     tunnel protection ipsec profile DMVPN_PROFILE
    ```
4. DMVPN + IPsec Phases
In a single-hub DMVPN, here’s how IPsec integrates:
- Hub-to-Spoke:
  - A GRE tunnel is created between hub and spoke.
  - IPsec encrypts the GRE tunnel.
  - Only authorized spokes can establish the tunnel.
- Spoke-to-Spoke (optional, if NHRP shortcuts are used):
  - Spokes dynamically create GRE tunnels to each other.
  - IPsec ensures all dynamic tunnels are secure.
Key exam point: Even though spokes communicate directly, IPsec encrypts dynamically negotiated tunnels without manual configuration for each spoke.
5. Configuring DMVPN with IPsec on Cisco Routers
Here’s a simplified example:
Step 1: Create a GRE Tunnel

```
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
```

Step 2: Configure NHRP (under interface Tunnel0)

```
 ip nhrp network-id 1
 ! hub: learn spoke NBMA addresses dynamically for multicast replication
 ip nhrp map multicast dynamic
 ! spokes only: point at the hub's tunnel address as the next-hop server
 ip nhrp nhs 10.0.0.1
```

Step 3: Create an IPsec Transform Set

```
crypto ipsec transform-set DMVPN_TRANS esp-aes esp-sha-hmac
```

Step 4: Create a Profile

```
crypto ipsec profile DMVPN_PROFILE
 set transform-set DMVPN_TRANS
```

Step 5: Apply the Profile to the Tunnel

```
interface Tunnel0
 tunnel protection ipsec profile DMVPN_PROFILE
```
✅ This ensures all traffic on Tunnel0 is encrypted using IPsec.
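As an added example (not part of the original notes), here is the hub and one spoke brought together end to end: the ISAKMP policy parameters from section 3 plus the Step 1–5 commands, so that the tunnel protection actually has an IKE policy and pre-shared key to work with. The NBMA addresses 203.0.113.1 and 203.0.113.2, the spoke tunnel address 10.0.0.2 and the key value are assumptions chosen for illustration.

```cisco
! ---- HUB: assumed NBMA (public) address 203.0.113.1 on Gi0/0, tunnel 10.0.0.1 ----
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 5
! Wildcard peer address because spoke NBMA addresses are not known in advance;
! per-spoke keys or certificates narrow the blast radius of a leaked key.
! DMVPN_PSK_PLACEHOLDER is an illustrative value, not a real key.
crypto isakmp key DMVPN_PSK_PLACEHOLDER address 0.0.0.0 0.0.0.0
crypto ipsec transform-set DMVPN_TRANS esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec profile DMVPN_PROFILE
 set transform-set DMVPN_TRANS
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ip nhrp network-id 1
 ip nhrp map multicast dynamic
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN_PROFILE
!
! ---- SPOKE: assumed NBMA address 203.0.113.2 on Gi0/0, tunnel 10.0.0.2 ----
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 5
! The spoke knows the hub, so the key can be scoped to the hub's address.
crypto isakmp key DMVPN_PSK_PLACEHOLDER address 203.0.113.1
crypto ipsec transform-set DMVPN_TRANS esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec profile DMVPN_PROFILE
 set transform-set DMVPN_TRANS
!
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 no ip redirects
 ip nhrp network-id 1
 ip nhrp nhs 10.0.0.1
 ip nhrp map 10.0.0.1 203.0.113.1
 ip nhrp map multicast 203.0.113.1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN_PROFILE
```

Once the spoke registers, `show crypto isakmp sa` on the hub lists the spoke's NBMA address in state QM_IDLE and `show dmvpn` shows the spoke entry as UP; `show crypto ipsec sa` then shows the encaps/decaps counters increasing as traffic flows.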
6. Verification Commands
- Check IPsec SAs: `show crypto ipsec sa`
- Check NHRP and DMVPN status: `show dmvpn`
- Check tunnel status: `show tunnel`
- Check ISAKMP (IKE): `show crypto isakmp sa`
Important exam tip: You must know the difference between ISAKMP SA (control) and IPsec SA (data).
7. Exam Tips
- Remember: GRE/mGRE provides connectivity, NHRP provides dynamic mapping, IPsec provides security.
- Know the difference between transport vs tunnel mode, Phase 1 vs Phase 2, and dynamic vs static crypto maps.
- You might be asked to verify DMVPN + IPsec using `show crypto ipsec sa`, `show dmvpn`, and `show crypto isakmp sa`.
- Spokes do not need pre-configured tunnels to each other; IPsec will secure dynamic tunnels if NHRP shortcuts are used.
✅ Key Points to Remember
| Feature | DMVPN Role | IPsec Role |
|---|---|---|
| GRE/mGRE | Dynamic tunneling | Encrypts the tunnel |
| NHRP | Maps spoke IPs to tunnel endpoints | No role in encryption |
| IPsec Transform Set | – | Chooses encryption & integrity algorithms |
| ISAKMP/IKE | – | Establishes secure key exchange channel |
| Tunnel Protection / Crypto Map | – | Applies IPsec to the tunnel |
