Easy DMVPN Phase 1 with IKEv1 and IPsec Network Configuration

DMVPN stands for Dynamic Multipoint VPN. It is a technique for building a VPN over a hub-and-spoke topology dynamically, without having to configure the devices statically.

How does the Spoke build IPsec Tunnels?

  • IPsec profile has only transform-set configured

For spoke-to-hub static tunnel

  • Spokes know the IPsec peer (hub) from static NHRP mappings
  • Proxy-acl is dynamic: GRE between spoke and hub NBMAs

For spoke-to-spoke dynamic tunnel

  • Spokes learn the IPsec peer (remote spoke) from the NHRP resolution request, which is routed via the hub
  • Proxy-acl is dynamic: GRE between spoke NBMAs

How does the Hub build IPsec Tunnels?

  • IPsec profile has only transform-set configured
  • IPsec has to come up first, before NHRP

IPsec profile is like a dynamic crypto-map

  • The hub will just accept any inbound IKEv1 request on the NBMA address of the GRE tunnel
  • Proxy-acl is dynamic: GRE between hub and spoke NBMAs
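
A minimal hub and spoke configuration matching the points above, added here as an example and not taken from the original page. The names DMVPN-TS and DMVPN-PROF, the interface names, the addresses (documentation ranges), the crypto parameters and the key placeholder are all assumptions.

```cisco
! ===== Common to hub and spoke (assumed names and parameters) =====
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! Transform-set is the only thing the IPsec profile references.
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
! ===== Hub (NBMA address 192.0.2.1, tunnel address 10.0.0.1) =====
! Spoke addresses are not known in advance, so the key is a wildcard.
crypto isakmp key <PRE-SHARED-KEY> address 0.0.0.0
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 ip nhrp network-id 1
 ip nhrp map multicast dynamic
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 ! No peer and no ACL: both are derived per spoke once IKEv1 completes.
 tunnel protection ipsec profile DMVPN-PROF
!
! ===== Spoke (Phase 1: point-to-point GRE towards the hub) =====
! The key is bound to the hub NBMA address only.
crypto isakmp key <PRE-SHARED-KEY> address 192.0.2.1
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 ip nhrp network-id 1
 ! Static NHRP mapping: tunnel address of the hub -> NBMA address of the hub.
 ip nhrp map 10.0.0.1 192.0.2.1
 ip nhrp nhs 10.0.0.1
 tunnel source GigabitEthernet0/0
 tunnel destination 192.0.2.1
 tunnel protection ipsec profile DMVPN-PROF
```

Because the hub accepts IKEv1 from any source address, the wildcard pre-shared key is the only thing that authenticates a spoke in this layout, so it should be long and random, or replaced with certificate authentication.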

Verification commands

  • show crypto isakmp sa (phase 1)
  • show crypto ipsec sa (phase 2)
  • show dmvpn detail
  • show dmvpn
  • show ip nhrp

