GET VPN for DMVPN Traffic Encryption

I am labbing encrypting traffic over DMVPN using GETVPN. GETVPN requires a prerequisite: full reachability.

I made some modifications to the KB DMVPN lab by adding a key server, connecting it to R1, and advertising the subnet into EIGRP. I applied DMVPN Phase 3.

The issue:

When I try to ping from R2 (Loopback 2.2.2.2) to R5 (Loopback 5.5.5.5), it is pingable and traceroute works as expected, BUT when I do show crypto ipsec sa, there are NO packets shown.

I will post the diagram and configuration of the KEY SERVER, R1 (hub), R2 (spoke) and R5 (spoke).


GMs are R2 and R5.

Configuration:

KEY-Server:

interface Ethernet0/0
 ip address 192.168.70.7 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.168.70.1
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 0.0.0.0
!
crypto ipsec transform-set ABC esp-3des esp-md5-hmac
 mode tunnel
!
crypto ipsec profile IPPROF
 set transform-set ABC
!
crypto gdoi group SERVER
 identity number 1
 server local
  sa ipsec 10
   profile IPPROF
   match address ipv4 101
   replay counter window-size 64
   no tag
  address ipv4 192.168.70.7

R1:

interface Ethernet0/0
 ip address 192.1.10.1 255.255.255.0
!
interface Ethernet0/1
 ip address 192.168.70.1 255.255.255.0
!
interface Tunnel1
 ip address 192.168.1.10 255.255.255.0
 no ip redirects
 no ip split-horizon eigrp 100
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp redirect
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
!
router eigrp 100
 network 192.168.1.0
 network 192.168.70.0

R2:

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 192.168.70.7
!
crypto gdoi group CLIENTS
 identity number 1
 server address ipv4 192.168.70.7
!
crypto map MAP 10 gdoi
 set group CLIENTS
!
interface Loopback1
 ip address 2.2.2.2 255.255.255.255
!
interface Tunnel1
 ip address 192.168.1.20 255.255.255.0
 no ip redirects
 ip nhrp map multicast 192.1.10.1
 ip nhrp map 192.168.1.10 192.1.10.1
 ip nhrp network-id 1
 ip nhrp nhs 192.168.1.10
 ip nhrp shortcut
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
!
interface Ethernet0/0
 ip address 192.1.20.2 255.255.255.0
 crypto map MAP
!
router eigrp 100
 network 2.0.0.0
 network 192.168.1.0

R5:

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 192.168.70.7
!
crypto gdoi group CLIENTS
 identity number 1
 server address ipv4 192.168.70.7
!
crypto map MAP 10 gdoi
 set group CLIENTS
!
interface Loopback0
 ip address 5.5.5.5 255.255.255.255
!
interface Tunnel1
 ip address 192.168.1.5 255.255.255.0
 no ip redirects
 ip nhrp map 192.168.1.10 192.1.10.1
 ip nhrp map multicast 192.1.10.1
 ip nhrp network-id 1
 ip nhrp nhs 192.168.1.10
 ip nhrp shortcut
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
!
interface Ethernet0/0
 ip address 192.1.50.5 255.255.255.0
 crypto map MAP
!
router eigrp 100
 network 5.0.0.0
 network 192.168.1.0

Remember that the packets get encapsulated when you are using GRE as the tunnel mode. Everything is good, but the reason that nothing gets encrypted is that the access list does not catch any traffic with that source, as the source and destination change. This is why in this kind of setup mostly the entire tunnel is protected.

I hope that helps.

When R2 tries to ping the R5 loopback, it looks at its routing table. From the routing table it knows that to reach 5.5.5.5 it needs to go through the tunnel, then it checks the tunnel parameters and encapsulates the packet. So when the packet leaves from the R2 loopback to the R5 loopback:

Outer header                  Inner header
| 192.168.1.5 | 192.168.1.2 | 5.5.5.5 | 2.2.2.2 |

Hence your access list does not see the source and destination as the loopbacks.
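The point made in the two replies above, as an added illustration that is not part of this thread: the GDOI crypto map sits on Ethernet0/0, so the only header it can classify is the GRE outer header carrying the tunnel sources (192.1.20.2 and 192.1.50.5 from the configs, assuming the NHRP shortcut is in place), never the loopbacks. The key-server policy ACL 101 is not shown in the thread, so both policies below are hypothetical: one written for the loopbacks, one that protects the whole tunnel.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class AclEntry:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches any protocol, else e.g. "gre"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

@dataclass(frozen=True)
class Packet:
    proto: str                    # protocol carried in this IP header
    src: str
    dst: str

def net(s):
    return ipaddress.ip_network(s, strict=False)

def acl_matches(acl, pkt):
    """First-match semantics with the implicit deny at the end."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for e in acl:
        if e.proto in ("ip", pkt.proto) and s in e.src and d in e.dst:
            return e.action == "permit"
    return False

def gre_encapsulate(tunnel_src, tunnel_dst):
    """mGRE wraps the inner packet; Ethernet0/0 only ever sees this outer header."""
    return Packet("gre", tunnel_src, tunnel_dst)

# Constructed sample traffic: the ping from R2 Loopback1 to R5 Loopback0.
INNER = Packet("icmp", "2.2.2.2", "5.5.5.5")
# Outer header built from "tunnel source Ethernet0/0" on R2 and R5.
OUTER = gre_encapsulate("192.1.20.2", "192.1.50.5")

# Hypothetical key-server policy written for the loopbacks.
LOOPBACK_ACL = [AclEntry("permit", "ip", net("2.2.2.2/32"), net("5.5.5.5/32")),
                AclEntry("permit", "ip", net("5.5.5.5/32"), net("2.2.2.2/32"))]
# Hypothetical policy that protects the entire tunnel: GRE between NBMA addresses.
TUNNEL_ACL = [AclEntry("permit", "gre", net("192.1.0.0/16"), net("192.1.0.0/16"))]

def encrypted_on_physical(acl):
    """What the gdoi crypto map on Ethernet0/0 decides for the encapsulated ping."""
    return acl_matches(acl, OUTER)

def encrypted_before_encapsulation(acl):
    """What the same policy would decide if it saw the inner packet instead."""
    return acl_matches(acl, INNER)
```

`encrypted_on_physical(LOOPBACK_ACL)` is False, which is why `show crypto ipsec sa` counts no packets, while `encrypted_on_physical(TUNNEL_ACL)` is True.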

Thank you for the reply.