Cisco DMVPN (Spoke) Configuration

Hey, I don’t know if this is the correct sub-board to post on. When I first joined, my intention was to enhance the Cisco documentation, i.e. DMVPN, and make more for other features like GRE over IPSEC, BGP and so on. I’m posting my first Cisco DMVPN (Spoke) configuration here. I’ll just keep adding others under this same thread unless advised by the VyOS team. You can change the whole config to fit your needs. It’s already using AES 256, SHA256 as hash and DH group 21; surely you can further harden it.
Production Tested & Dumped from Cisco ISR 4431 running XE 17.03.03 Latest.
Thanks

crypto keyring DMVPN
 pre-shared-key address (Hubs WAN IP) key (IPSEC PSK)
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 21
crypto isakmp key (same password as cisco auth or different when setting the IPSEC PSK) address (Hubs WAN IP)
crypto isakmp invalid-spi-recovery
crypto ipsec transform-set DMVPN-Strong esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec fragmentation after-encryption
crypto ipsec profile DMVPN
 set security-association idle-time 86400
 set transform-set DMVPN-Strong
 set pfs group21
interface Tunnel10
 ip address 10.10.10.2 255.255.255.252
 no ip redirects
 ip mtu 1410
 ip nhrp authentication (Cisco Auth Password)
 ip nhrp map (Tunnel IP) (Hub WAN IP)
 ip nhrp map multicast (Hub WAN IP)
 ip nhrp network-id 1
 ip nhrp holdtime 600
 ip nhrp nhs (Hubs Tunnel IP)
 ip nhrp registration no-unique
 ip nhrp registration timeout 75
 tunnel source (Spoke WAN Interface i.e GigabitEthernet0/0/0)
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN

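An added example, not part of the original post and not Cisco or VyOS code: a small Python audit for a spoke config of this shape. It flags DES/3DES/MD5/SHA-1, DH groups 1, 2 and 5, a missing PFS setting, and an mGRE tunnel whose `tunnel protection` does not resolve to a defined IPsec profile. The sample config, the function names and the weak-algorithm baseline are assumptions made for illustration.

```python
import re

# Constructed sample: the post's spoke config weakened on purpose (not a real device).
WEAK_SAMPLE = """\
crypto isakmp policy 10
 encr aes 256
 hash sha
 group 2
crypto ipsec transform-set DMVPN-Strong esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile DMVPN
 set transform-set DMVPN-Strong
interface Tunnel10
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-TYPO
"""
WEAK_ALGO = re.compile(r"\b(des|3des|md5|sha)\b")  # bare "sha" selects SHA-1 on IOS
WEAK_DH = re.compile(r"(?:group |set pfs group)(1|2|5)")  # assumed baseline

def sections(text):
    """Group indented sub-commands under their top-level command."""
    out = {}
    for line in filter(str.strip, text.splitlines()):
        if not line[0].isspace():
            out[line.strip()] = []
        elif out:
            out[next(reversed(out))].append(line.strip())
    return out

def audit(text):
    sec, findings = sections(text), []
    tsets = {h.split()[3] for h in sec if h.startswith("crypto ipsec transform-set ")}
    profiles = {h.split()[3]: b for h, b in sec.items() if h.startswith("crypto ipsec profile ")}
    for head, body in sec.items():
        if head.startswith(("crypto isakmp policy", "crypto ipsec transform-set")):
            findings += [f"weak algorithm: {l}" for l in [head] + body if WEAK_ALGO.search(l)]
        findings += [f"weak DH group: {l}" for l in body if WEAK_DH.fullmatch(l)]
        if "tunnel mode gre multipoint" in body:
            prot = [l.split()[-1] for l in body if l.startswith("tunnel protection ipsec profile ")]
            if not prot or prot[0] not in profiles:
                findings.append(f"{head}: mGRE tunnel not bound to a defined IPsec profile")
    for name, body in profiles.items():
        used = [l.split()[-1] for l in body if l.startswith("set transform-set ")]
        if not used or used[0] not in tsets:
            findings.append(f"profile {name}: transform-set missing or undefined")
        if not any(l.startswith("set pfs ") for l in body):
            findings.append(f"profile {name}: no PFS group set")
    return findings

print("\n".join(audit(WEAK_SAMPLE)))
```

Run against the configuration as posted (with the placeholders filled in), `audit()` returns an empty list.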