Cisco DMVPN (Spoke) Configuration

Hey, I don't know if this is the correct sub-board to post on. When I first joined, my intention was to enhance Cisco documentation, i.e. DMVPN, and make more for other features like GRE over IPsec, BGP and so on. I'm posting my first Cisco DMVPN (Spoke) configuration here. I'll just keep adding others under this same thread unless advised by the VyOS team. You can change the whole config to fit your needs; it's already using AES-256, SHA-256 as hash and DH group 21, and surely you can further harden it.
Production tested and dumped from a Cisco ISR 4431 running XE 17.03.03 (latest).
Thanks

crypto keyring DMVPN
 pre-shared-key address (Hubs WAN IP) key (IPSEC PSK)
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 21
crypto isakmp key (same password as cisco auth or different when setting the IPSEC PSK) address (Hubs WAN IP)
crypto isakmp invalid-spi-recovery
crypto ipsec transform-set DMVPN-Strong esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec fragmentation after-encryption
crypto ipsec profile DMVPN
 set security-association idle-time 86400
 set transform-set DMVPN-Strong
 set pfs group21
interface Tunnel10
 ip address 10.10.10.2 255.255.255.252
 no ip redirects
 ip mtu 1410
 ip nhrp authentication (Cisco Auth Password)
 ip nhrp map (Tunnel IP) (Hub WAN IP)
 ip nhrp map multicast (Hub WAN IP)
 ip nhrp network-id 1
 ip nhrp holdtime 600
 ip nhrp nhs (Hubs Tunnel IP)
 ip nhrp registration no-unique
 ip nhrp registration timeout 75
 tunnel source (Spoke WAN Interface i.e GigabitEthernet0/0/0)
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN


Any chance you can post the VyOS hub config? I've been wrestling with this all day.

@dinodantoni

strongSwan 5.9.2 has a bug where DMVPN breaks (hopefully my versioning isn't wrong); it got fixed in a patch, 5.9.3 I think. Contributors fixed it? IDK, someone can correct me on this. However, I don't use DMVPN anymore. This config will be a bit out of date; hopefully it gives you an idea.

set interfaces tunnel tun100 address '172.16.253.134/29'
set interfaces tunnel tun100 encapsulation gre
set interfaces tunnel tun100 mtu 1410
set interfaces tunnel tun100 source-address <pub_ip>
set interfaces tunnel tun100 multicast enable
set interfaces tunnel tun100 parameters ip key 1

set protocols nhrp tunnel tun100 cisco-authentication
set protocols nhrp tunnel tun100 holding-time 600
set protocols nhrp tunnel tun100 multicast dynamic
set protocols nhrp tunnel tun100 redirect
set protocols nhrp tunnel tun100 shortcut

set vpn ipsec esp-group ESP-HUB compression disable
set vpn ipsec esp-group ESP-HUB lifetime 28800
set vpn ipsec esp-group ESP-HUB mode transport
set vpn ipsec esp-group ESP-HUB pfs dh-group21
set vpn ipsec esp-group ESP-HUB proposal 1 encryption aes256
set vpn ipsec esp-group ESP-HUB proposal 1 hash sha256
set vpn ipsec esp-group ESP-HUB proposal 2 encryption aes256
set vpn ipsec esp-group ESP-HUB proposal 2 hash sha256
set vpn ipsec ike-group IKE-HUB ikev2-reauth no
set vpn ipsec ike-group IKE-HUB key-exchange ikev1
set vpn ipsec ike-group IKE-HUB lifetime 86400
set vpn ipsec ike-group IKE-HUB proposal 1 dh-group 21
set vpn ipsec ike-group IKE-HUB proposal 1 encryption aes256
set vpn ipsec ike-group IKE-HUB proposal 1 hash sha256
set vpn ipsec ike-group IKE-HUB proposal 2 dh-group 21
set vpn ipsec ike-group IKE-HUB proposal 2 encryption aes256
set vpn ipsec ike-group IKE-HUB proposal 2 hash sha256

set vpn ipsec ipsec-interfaces interface eth0

set vpn ipsec profile NHRPVPN authentication mode pre-shared-secret
set vpn ipsec profile NHRPVPN authentication pre-shared-secret
set vpn ipsec profile NHRPVPN bind tunnel tun100
set vpn ipsec profile NHRPVPN esp-group ESP-HUB
set vpn ipsec profile NHRPVPN ike-group IKE-HUB
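A common reason a spoke like the Cisco one above and a VyOS hub like this one negotiate but never pass traffic is a parameter that differs between the two sides (cipher, hash, DH group, transport vs tunnel mode, PFS group, GRE tunnel key or MTU). The script below is an added example written for this thread, not code from VyOS, Cisco or either poster: it parses the IOS-style spoke config and the VyOS `set`-style hub config and reports every value the spoke requires that the hub does not offer. The embedded configs are constructed from the crypto-relevant lines of the two posts (addresses and secrets omitted), and the function names are my own.

```python
"""Cross-check the crypto parameters of a Cisco DMVPN spoke against a VyOS hub.

Hypothetical helper written for this thread (not VyOS or Cisco code). It
parses the two configuration styles posted above and lists every value the
spoke requires that the hub does not offer.
"""
import re

# Constructed sample: the crypto-relevant lines of the posted spoke config.
CISCO_SPOKE = """\
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 21
crypto ipsec transform-set DMVPN-Strong esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile DMVPN
 set transform-set DMVPN-Strong
 set pfs group21
interface Tunnel10
 ip mtu 1410
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN
"""

# Constructed sample: the crypto-relevant lines of the posted hub config.
VYOS_HUB = """\
set interfaces tunnel tun100 encapsulation gre
set interfaces tunnel tun100 mtu 1410
set interfaces tunnel tun100 parameters ip key 1
set vpn ipsec esp-group ESP-HUB mode transport
set vpn ipsec esp-group ESP-HUB pfs dh-group21
set vpn ipsec esp-group ESP-HUB proposal 1 encryption aes256
set vpn ipsec esp-group ESP-HUB proposal 1 hash sha256
set vpn ipsec ike-group IKE-HUB key-exchange ikev1
set vpn ipsec ike-group IKE-HUB proposal 1 dh-group 21
set vpn ipsec ike-group IKE-HUB proposal 1 encryption aes256
set vpn ipsec ike-group IKE-HUB proposal 1 hash sha256
"""


def parse_cisco_spoke(text):
    """Extract the values the hub must match from an IOS-style spoke config.
    Sub-commands are the lines indented under their parent line."""
    # `crypto isakmp policy` configures IKEv1, so the hub must offer ikev1.
    params = {"ike_version": "ikev1"}
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith(" "):
            section = line
            m = re.match(r"crypto ipsec transform-set \S+ esp-(\w+)(?: (\d+))? esp-(\w+)-hmac", line)
            if m:  # e.g. "esp-aes 256 esp-sha256-hmac" -> aes256 / sha256
                params["esp_enc"] = m.group(1) + (m.group(2) or "")
                params["esp_hash"] = m.group(3)
            continue
        if section.startswith("crypto isakmp policy"):
            if line.startswith("encr "):
                params["ike_enc"] = line[5:].replace(" ", "")  # "aes 256" -> "aes256"
            elif line.startswith("hash "):
                params["ike_hash"] = line[5:]
            elif line.startswith("group "):
                params["ike_dh"] = line[6:]
        elif section.startswith("crypto ipsec transform-set"):
            if line.startswith("mode "):
                params["esp_mode"] = line[5:]
        elif section.startswith("crypto ipsec profile"):
            m = re.match(r"set pfs group(\d+)", line)
            if m:
                params["pfs"] = m.group(1)
        elif section.startswith("interface Tunnel"):
            if line.startswith("ip mtu "):
                params["mtu"] = line[7:]
            elif line.startswith("tunnel key "):
                params["tunnel_key"] = line[11:]
    return params


def parse_vyos_hub(text):
    """Collect the hub's offered values from VyOS `set` lines. Proposal values
    are gathered into sets because the spoke only needs to match one of them."""
    params = {}
    patterns = [
        (r"ike-group \S+ proposal \d+ encryption (\S+)", "ike_enc"),
        (r"ike-group \S+ proposal \d+ hash (\S+)", "ike_hash"),
        (r"ike-group \S+ proposal \d+ dh-group (\d+)", "ike_dh"),
        (r"ike-group \S+ key-exchange (\S+)", "ike_version"),
        (r"esp-group \S+ proposal \d+ encryption (\S+)", "esp_enc"),
        (r"esp-group \S+ proposal \d+ hash (\S+)", "esp_hash"),
        (r"esp-group \S+ mode (\S+)", "esp_mode"),
        (r"esp-group \S+ pfs dh-group(\d+)", "pfs"),
        (r"interfaces tunnel \S+ mtu (\d+)", "mtu"),
        (r"interfaces tunnel \S+ parameters ip key (\d+)", "tunnel_key"),
    ]
    for line in text.splitlines():
        for pat, key in patterns:
            m = re.search(pat, line)
            if m:
                params.setdefault(key, set()).add(m.group(1))
    return params


def check_compat(spoke, hub):
    """Return a list of mismatch descriptions; an empty list means every value
    the spoke requires is offered by the hub."""
    problems = []
    for key, spoke_val in sorted(spoke.items()):
        offered = hub.get(key)
        if offered is None:
            problems.append(f"{key}: hub config does not set it (spoke has {spoke_val})")
        elif spoke_val not in offered:
            problems.append(f"{key}: spoke {spoke_val} not in hub {sorted(offered)}")
    return problems


if __name__ == "__main__":
    for p in check_compat(parse_cisco_spoke(CISCO_SPOKE), parse_vyos_hub(VYOS_HUB)) or ["no mismatches"]:
        print(p)
```

Run it against your own dumps by replacing the two embedded strings; a single reported line such as `pfs: spoke 21 not in hub ['14']` points straight at the setting to fix, which is quicker than reading IKE debug output on both boxes.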

Yes, sure. It's possible to solve it if you could create a case with the VyOS version and spoke version. We can try to replicate it and fix …

https://phabricator.vyos.net/