- DMVPN Single Hub with EIGRP and Pre-Shared Key Authentication
- DMVPN with Single Hub and OSPF Using Pre-Shared Keys (PSK)
- DMVPN with Dual Hubs and EIGRP Using Pre-Shared Keys
- DMVPN with Dual Hubs Using OSPF and Pre-Shared Keys
- DMVPN with Key Ring and ISAKMP Profile Authentication Using Pre-Shared Keys
- DMVPN Phase 1 Deployment with Certificate Authority (CA)
- DMVPN Phase 2 Deployment Using Certificate Authority (CA)
- DMVPN Phase 3 Deployment Using Certificate Authority (CA)
- DMVPN with an IOS-Based Certificate Authority (CA)
- DMVPN Deployment Using IKEv2 and Pre-Shared Key Authentication
- DMVPN with NAT-T and Pre-Shared Key Authentication
- DMVPN Deployment with Dynamic IP Addressing for Spokes
- DMVPN with Hub Behind Static NAT and Spoke Behind Dynamic NAT
- DMVPN over IPv6 with IPsec and EIGRPv6
- DMVPN Through a Firewall: Configuration Guide with NAT-T Support
- DMVPN Without IPsec: Simplified GRE Tunnels for Trusted Networks
DMVPN Single Hub with EIGRP and Pre-Shared Key Authentication
In this lab scenario, we are building a Dynamic Multipoint VPN (DMVPN) topology using a single hub-and-spoke model. The routing protocol used is EIGRP, and IPsec is employed for encryption, utilizing pre-shared keys (PSKs) for authentication. This guide walks through the key steps to configure both the hub and spoke routers.
Topology Overview
The topology includes one hub router (R6) and five spoke routers (R1 through R5). Each router has a tunnel interface configured and connects to R6, which acts as the central hub. All routers run EIGRP AS 100 over the DMVPN tunnels.
Step 1: IPsec Configuration on R1 (Spoke Example)
We begin by configuring the ISAKMP and IPsec settings on R1. This includes defining the ISAKMP policy and the transform set for IPsec.
ISAKMP Policy:
crypto isakmp policy 1
authentication pre-share
encryption aes
hash sha
group 5
lifetime 1800
exit
Next, define pre-shared keys for the hub to authenticate with each spoke:
crypto isakmp key shared-key address r2-public-IP
crypto isakmp key shared-key address r3-public-IP
crypto isakmp key shared-key address r4-public-IP
crypto isakmp key shared-key address r5-public-IP
IPsec Policy:
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
mode transport
crypto ipsec profile VPN-PROFILE
set transform-set TSET
Step 2: IPsec Configuration on Spoke Routers (R2-R5)
Each spoke router is configured in the same way, except that its pre-shared key points at the hub router (R1):
ISAKMP Policy:
crypto isakmp policy 1
authentication pre-share
encryption aes
hash sha
group 5
lifetime 1800
exit
Pre-Shared Key (Hub IP):
crypto isakmp key shared-key address r1-public-IP
Use the same transform set and profile setup:
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
mode transport
crypto ipsec profile VPN-PROFILE
set transform-set TSET
Step 3: EIGRP Configuration
Enable EIGRP on all routers in AS 100. This will run over the tunnel interfaces.
router eigrp 100
no auto-summary
network 192.168.1.0
network 192.168.101.0
Step 4: Hub Tunnel Configuration (R6)
Now, configure the tunnel on the hub router (R6). This interface will serve as the multipoint GRE (mGRE) endpoint, allowing for dynamic connections from all spokes.
interface Tunnel0
ip address x.x.x.x mask
tunnel source physical-interface
tunnel mode gre multipoint
tunnel key 1
ip nhrp map multicast dynamic
ip nhrp authentication key
ip nhrp network-id 1
ip nhrp holdtime 300
tunnel protection ipsec profile VPN-PROFILE
no ip next-hop-self eigrp 100
no ip split-horizon eigrp 100
Step 5: Spoke Tunnel Configuration (R1–R5)
Each spoke should have a tunnel configuration that points to the hub’s public and tunnel IP addresses. Here’s a sample configuration:
interface Tunnel0
ip address x.x.x.x mask
tunnel source physical-interface
tunnel mode gre multipoint
tunnel key 1
ip nhrp map hub-tunnel-ip hub-public-ip
ip nhrp map multicast hub-public-ip
ip nhrp authentication key
ip nhrp network-id 1
ip nhrp holdtime 300
tunnel protection ipsec profile VPN-PROFILE
ip nhrp nhs hub-tunnel-ip
DMVPN with Single Hub and OSPF Using Pre-Shared Keys (PSK)
Now we will walk through setting up a Dynamic Multipoint VPN (DMVPN) environment with a single hub using OSPF as the routing protocol and IPsec for encryption with pre-shared key authentication. This setup is ideal for securely interconnecting multiple branch offices (spokes) with a central hub router.
The goal is to configure secure GRE tunnels between the hub and spokes using NHRP, enable routing with OSPF Area 0, and protect the tunnels with IPsec encryption.
Step 1: Configure IPsec and ISAKMP on the Hub (Router 1)
Begin with setting up IKE Phase 1 by creating the ISAKMP policy and pre-shared key:
ISAKMP Configuration:
crypto isakmp policy 1
authentication pre-share
encryption aes
hash sha
group 5
lifetime 1800
exit
You can use a wildcard pre-shared key to simplify configuration:
crypto isakmp key shared-key address 0.0.0.0
Next, define the IPsec transform set and profile.
IPsec Configuration:
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
mode transport
crypto ipsec profile VPN-PROFILE
set transform-set TSET
Step 2: Configure the Spokes’ IPsec and ISAKMP
On each spoke router (e.g., R2–R5), configure a similar ISAKMP policy:
crypto isakmp policy 1
authentication pre-share
encryption aes
hash sha
group 5
lifetime 1800
exit
Specify the key pointing to the hub’s public IP:
crypto isakmp key shared-key address r1-public-IP
And replicate the transform set and profile:
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
mode transport
crypto ipsec profile VPN-PROFILE
set transform-set TSET
Step 3: Configure the Hub Tunnel Interface (R1)
Now configure the hub’s Tunnel0 interface with mGRE and NHRP to support dynamic spoke connections:
interface Tunnel0
ip address x.x.x.x mask
tunnel source interface
tunnel mode gre multipoint
tunnel key 1
ip nhrp map multicast dynamic
ip nhrp authentication key
ip nhrp network-id 1
ip nhrp holdtime 300
tunnel protection ipsec profile VPN-PROFILE
ip ospf 100 area 0
ip ospf network broadcast
ip ospf priority 255
To ensure full OSPF reachability from internal networks, advertise the LAN interface as well:
interface Loopback0
ip ospf 100 area 0
Step 4: Configure the Spokes’ Tunnel Interface
Each spoke router will have a similar Tunnel0 interface, but with additional static NHRP mappings pointing to the hub:
interface Tunnel0
ip address x.x.x.x mask
tunnel source interface
tunnel mode gre multipoint
tunnel key 1
ip nhrp map hub-tunnel-ip hub-public-ip
ip nhrp map multicast hub-public-ip
ip nhrp authentication key
ip nhrp network-id 1
ip nhrp holdtime 300
tunnel protection ipsec profile VPN-PROFILE
ip nhrp nhs hub-tunnel-ip
ip ospf 100 area 0
ip ospf network broadcast
DMVPN with Dual Hubs and EIGRP Using Pre-Shared Keys
For organizations that require increased redundancy and fault tolerance, a Dual-Hub DMVPN design using EIGRP and IPsec with Pre-Shared Key (PSK) authentication is a scalable and secure solution. We will configure a dual-hub DMVPN topology where multiple spokes are connected to two separate hubs using mGRE, IPsec encryption, and EIGRP routing.
Step 1: Configure ISAKMP and IPsec Policies on All Routers
All routers (both hubs and spokes) should use the same ISAKMP and IPsec policies to establish Phase 1 and Phase 2 IPsec tunnels.
ISAKMP Policy (IKE Phase 1):
crypto isakmp policy 1
authentication pre-share
encryption aes
hash sha
group 5
lifetime 1800
exit
A wildcard key can be used for simplicity in the lab:
crypto isakmp key shared-key address 0.0.0.0
IPsec Transform Set and Profile (IKE Phase 2):
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
mode transport
crypto ipsec profile VPN-PROFILE
set transform-set TSET
Step 2: Configure EIGRP on All Routers
Enable and configure EIGRP routing on each device. Use AS 100 and include all internal and tunnel subnets.
router eigrp 100
no auto-summary
network 192.168.1.0
network 192.168.101.0
Step 3: Configure Tunnel Interface on the Hub Routers
Each hub router (Hub1 and Hub2) must be configured with a multipoint GRE (mGRE) tunnel to allow dynamic NHRP mappings from spokes.
interface Tunnel0
ip address x.x.x.x mask
tunnel source interface
tunnel mode gre multipoint
tunnel key 1
ip nhrp map multicast dynamic
ip nhrp authentication key
ip nhrp network-id 1
ip nhrp holdtime 300
tunnel protection ipsec profile VPN-PROFILE
no ip next-hop-self eigrp 100
no ip split-horizon eigrp 100
The no ip next-hop-self and no ip split-horizon commands are important to ensure proper EIGRP route propagation between spokes.
Step 4: Configure Tunnel Interface on the Spokes
Each spoke should point to both hubs using static NHRP mappings. This allows for redundancy in case one hub goes down, enabling traffic to reroute through the other.
interface Tunnel0
ip address x.x.x.x mask
tunnel source interface
tunnel mode gre multipoint
tunnel key 1
ip nhrp map hub1-tunnel-ip hub1-public-ip
ip nhrp map hub2-tunnel-ip hub2-public-ip
ip nhrp map multicast hub1-public-ip
ip nhrp map multicast hub2-public-ip
ip nhrp authentication key
ip nhrp network-id 1
ip nhrp holdtime 300
tunnel protection ipsec profile VPN-PROFILE
ip nhrp nhs hub1-tunnel-ip
ip nhrp nhs hub2-tunnel-ip
Each spoke router is configured to recognize both hubs as NHRP Next Hop Servers (NHS), enabling it to register with both hubs for failover and redundancy.
DMVPN with Dual Hubs Using OSPF and Pre-Shared Keys
For enterprises seeking resiliency and dynamic routing across multiple branch sites, a Dual-Hub DMVPN deployment using OSPF and IPsec with pre-shared keys is a scalable and secure architecture. In this tutorial, we walk through configuring such a topology using two hubs and multiple spokes. The key technologies in play are GRE multipoint tunnels, NHRP for dynamic resolution, IPsec transport mode for encryption, and OSPF Area 0 for routing.
Step 1: ISAKMP and IPsec Configuration on All Routers
Begin by configuring the ISAKMP Phase 1 policy and pre-shared key setup, followed by IPsec Phase 2 transform sets and profiles.
ISAKMP Configuration:
crypto isakmp policy 1
authentication pre-share
encryption aes
hash sha
group 5
lifetime 1800
exit
To simplify configuration across spokes and hubs, a wildcard pre-shared key can be used:
crypto isakmp key shared-key address 0.0.0.0
IPsec Configuration:
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
mode transport
crypto ipsec profile VPN-PROFILE
set transform-set TSET
On the remaining routers, configure the same ISAKMP and IPsec parameters, replacing 0.0.0.0 with the public IP of the peer hub or spoke if a stricter policy is desired.
Step 2: Tunnel Configuration on the Hub Routers
Hub1 Configuration:
interface Tunnel0
ip address x.x.x.x mask
tunnel source interface
tunnel mode gre multipoint
tunnel key 1
ip nhrp map multicast dynamic
ip nhrp authentication key
ip nhrp network-id 1
ip nhrp holdtime 300
tunnel protection ipsec profile VPN-PROFILE
ip ospf 100 area 0
ip ospf network broadcast
ip ospf priority 255
Hub2 Configuration:
Hub2 uses the same configuration as Hub1, but with a slightly lower OSPF priority to serve as a backup designated router (DR):
interface Tunnel0
ip address x.x.x.x mask
tunnel source interface
tunnel mode gre multipoint
tunnel key 1
ip nhrp map multicast dynamic
ip nhrp authentication key
ip nhrp network-id 1
ip nhrp holdtime 300
tunnel protection ipsec profile VPN-PROFILE
ip ospf 100 area 0
ip ospf network broadcast
ip ospf priority 254
Step 3: OSPF LAN Advertisement on Hubs
To include internal LANs in OSPF, advertise the Loopback interface:
interface Loopback0
ip ospf 100 area 0
Step 4: Spoke Tunnel Configuration
Each spoke must be configured to point to both Hub1 and Hub2. This ensures high availability and redundancy.
interface Tunnel0
ip address x.x.x.x mask
tunnel source interface
tunnel mode gre multipoint
tunnel key 1
ip nhrp map hub1-tunnel-ip hub1-public-ip
ip nhrp map hub2-tunnel-ip hub2-public-ip
ip nhrp map multicast hub1-public-ip
ip nhrp map multicast hub2-public-ip
ip nhrp authentication key
ip nhrp network-id 1
ip nhrp holdtime 300
tunnel protection ipsec profile VPN-PROFILE
ip nhrp nhs hub1-tunnel-ip
ip nhrp nhs hub2-tunnel-ip
ip ospf 100 area 0
ip ospf network broadcast
DMVPN with Key Ring and ISAKMP Profile Authentication Using Pre-Shared Keys
When building scalable and flexible DMVPN deployments, using ISAKMP profiles with key rings provides enhanced control over authentication. This method allows for dynamic peer matching and better profile-based configurations, which is particularly useful in multipoint DMVPN environments.
We will configure DMVPN using a key ring and ISAKMP profile-based approach with PSK authentication, paired with IPsec transport mode encryption and EIGRP routing.
Step 1: Configure ISAKMP and IPsec Policies on All Routers
Begin by setting a consistent IKE Phase 1 and Phase 2 policy across all routers.
ISAKMP Policy:
crypto isakmp policy 1
authentication pre-share
encryption aes
hash sha
group 5
lifetime 1800
exit
IPsec Transform Set:
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
mode transport
Step 2: Create the ISAKMP Keyring and Profile
Next, define the keyring that holds the pre-shared key and tie it to an ISAKMP profile. This allows dynamic matching of peers via identity.
Keyring Configuration:
crypto keyring MY-KEYRING
pre-shared-key address 0.0.0.0 0.0.0.0 key MY-PSK
exit
ISAKMP Profile:
crypto isakmp profile DMVPN-ISAKMP
match identity address 0.0.0.0 0.0.0.0
keyring MY-KEYRING
exit
The wildcard 0.0.0.0 allows any IP to match the profile, useful in dynamic or NATed environments.
Step 3: Create the IPsec Profile
Tie together the transform set and ISAKMP profile inside the IPsec profile, which will be applied to the tunnel interfaces.
crypto ipsec profile DMVPN-PROFILE
set transform-set TSET
set isakmp-profile DMVPN-ISAKMP
Step 4: Configure EIGRP
Enable EIGRP across the internal subnets and tunnel networks:
router eigrp 100
no auto-summary
network 192.168.1.0
network 192.168.101.0
Step 5: Hub Tunnel Interface Configuration
Now configure the hub’s Tunnel0 interface to use mGRE and NHRP for dynamic endpoint resolution:
interface Tunnel0
ip address x.x.x.x mask
tunnel source interface
tunnel mode gre multipoint
tunnel key 1
ip nhrp map multicast dynamic
ip nhrp authentication MY-PSK
ip nhrp network-id 1
ip nhrp holdtime 300
tunnel protection ipsec profile DMVPN-PROFILE
no ip next-hop-self eigrp 100
no ip split-horizon eigrp 100
Step 6: Spoke Tunnel Interface Configuration
Each spoke should be configured to statically map to the hub’s tunnel and public IPs. Here’s a sample configuration:
interface Tunnel0
ip address x.x.x.x mask
tunnel source interface
tunnel mode gre multipoint
tunnel key 1
ip nhrp map hub-tunnel-ip hub-public-ip
ip nhrp map multicast hub-public-ip
ip nhrp authentication MY-PSK
ip nhrp network-id 1
ip nhrp holdtime 300
tunnel protection ipsec profile DMVPN-PROFILE
ip nhrp nhs hub-tunnel-ip
DMVPN Phase 1 Deployment with Certificate Authority (CA)
As organizations seek more scalable and secure VPN architectures, deploying DMVPN with a Certificate Authority (CA) becomes an ideal solution for automating authentication without relying on pre-shared keys. This approach leverages RSA signatures and digital certificates for IKE Phase 1 authentication, ensuring robust security and easier certificate management across devices.
This configuration walks through configuring a Phase 1 DMVPN deployment using CA-based authentication, IPsec transport mode, and EIGRP for dynamic routing.
Step 1: Configure RSA and Domain Name
To begin, each router participating in DMVPN needs a domain name and a generated RSA key pair. Both are prerequisites for certificate enrollment and authentication.
ip domain-name your-domain-name
crypto key generate rsa modulus 1024
The RSA key is essential for signing certificate requests and for later use in the IKE Phase 1 authentication process.
Step 2: Configure the CA Trustpoint
Define the CA trustpoint, specify the enrollment URL, authenticate the CA, and then enroll the router to obtain a signed certificate:
crypto pki trustpoint pki-name
enrollment url http://CA-IP
exit
crypto pki authenticate pki-name
crypto pki enroll pki-name
Once the router is enrolled successfully, it will hold a valid certificate issued by the CA, which will be used during ISAKMP negotiations.
Step 3: Define ISAKMP and IPsec Policies
ISAKMP Policy Using RSA Signatures – Configure IKE Phase 1 to use RSA signature authentication:
crypto isakmp policy 1
authentication rsa-sig
encryption aes
hash sha
group 5
lifetime 1800
exit
IPsec Transform Set and Profile – Define an IPsec transform set using AES and SHA for encryption and integrity, and create an IPsec profile for later use on tunnel interfaces:
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
mode transport
crypto ipsec profile VPN-PROFILE
set transform-set TSET
Step 4: Configure EIGRP
Enable EIGRP to dynamically advertise tunnel and internal LAN routes:
router eigrp 100
no auto-summary
network tunnel-subnet
network LAN-subnet
Step 5: Hub Tunnel Configuration
On the hub router, configure Tunnel0 with mGRE and NHRP settings to support dynamic spoke connections:
interface Tunnel0
ip address x.x.x.x mask
tunnel source interface
tunnel mode gre multipoint
tunnel key 1
ip nhrp network-id 1
ip nhrp map multicast dynamic
ip nhrp holdtime 300
tunnel protection ipsec profile VPN-PROFILE
no ip split-horizon eigrp 100
ip nhrp authentication key
This allows the hub to dynamically learn and communicate with spokes using NHRP mappings.
Step 6: Spoke Tunnel Configuration
Each spoke must statically map to the hub’s tunnel and public IPs, while supporting dynamic GRE and IPsec:
interface Tunnel0
ip address x.x.x.x mask
tunnel source interface
tunnel mode gre ip
tunnel destination hub-public-ip
tunnel key 1
ip nhrp map hub-tunnel-ip hub-public-ip
ip nhrp authentication key
ip nhrp network-id 1
ip nhrp holdtime 300
tunnel protection ipsec profile VPN-PROFILE
ip nhrp nhs hub-tunnel-ip
The tunnel destination command is required in Phase 1 DMVPN to manually point the GRE tunnel to the hub. This is what differentiates Phase 1 from the dynamic nature of Phase 2.
DMVPN Phase 2 Deployment Using Certificate Authority (CA)
Dynamic Multipoint VPN (DMVPN) Phase 2 enhances the scalability of your WAN by enabling spoke-to-spoke communication while still using a hub as the NHRP server. When paired with a Certificate Authority (CA) and RSA signature-based authentication, this deployment becomes both secure and scalable. Here we will walk through the configuration of a DMVPN Phase 2 topology using digital certificates, IPsec transport mode, and EIGRP.
Step 1: Prepare for Certificate Enrollment
Each router must be configured with a domain name and RSA key pair before certificate enrollment.
ip domain-name yourdomain.com
crypto key generate rsa modulus 1024
Step 2: Configure the CA Trustpoint and Enroll Certificates
Each router must authenticate and enroll with the CA to receive a signed identity certificate.
crypto pki trustpoint MY-CA
enrollment url http://CA-IP
exit
crypto pki authenticate MY-CA
crypto pki enroll MY-CA
Once enrollment completes, the router will have a valid certificate to authenticate IKE sessions using RSA signatures.
Step 3: Define ISAKMP and IPsec Policies
ISAKMP Policy Using RSA Signatures:
crypto isakmp policy 1
authentication rsa-sig
encryption aes
hash sha
group 5
lifetime 1800
exit
IPsec Transform Set and Profile:
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
mode transport
crypto ipsec profile VPN-PROFILE
set transform-set TSET
Step 4: Configure EIGRP for Routing
Use EIGRP for dynamic routing across the tunnel and internal LAN segments:
router eigrp 100
no auto-summary
network tunnel-subnet
network LAN-subnet
Step 5: Hub Tunnel Interface Configuration
Configure the hub with mGRE and NHRP to support dynamic mappings for multiple spokes. This is crucial for DMVPN Phase 2, where spokes may also communicate directly.
interface Tunnel0
ip address x.x.x.x mask
tunnel source interface
tunnel mode gre multipoint
tunnel key 1
ip nhrp network-id 1
ip nhrp map multicast dynamic
ip nhrp holdtime 300
tunnel protection ipsec profile VPN-PROFILE
no ip next-hop-self eigrp 100
no ip split-horizon eigrp 100
ip nhrp authentication key
The no ip next-hop-self and no ip split-horizon commands are essential to allow proper route advertisement between spokes.
Step 6: Spoke Tunnel Interface Configuration
Spokes in Phase 2 must still register with the hub via NHRP, but will form direct tunnels with each other as needed.
interface Tunnel0
ip address x.x.x.x mask
tunnel source interface
tunnel mode gre multipoint
tunnel key 1
ip nhrp map hub-tunnel-ip hub-public-ip
ip nhrp map multicast hub-public-ip
ip nhrp authentication key
ip nhrp network-id 1
ip nhrp holdtime 300
tunnel protection ipsec profile VPN-PROFILE
ip nhrp nhs hub-tunnel-ip
Because the interface runs in multipoint GRE mode, the spoke reaches the hub for its initial NHRP registration through the static ip nhrp map and ip nhrp nhs entries, and can then build spoke-to-spoke paths dynamically.
DMVPN Phase 3 Deployment Using Certificate Authority (CA)
DMVPN Phase 3 introduces a highly optimized and scalable VPN architecture by enabling dynamic spoke-to-spoke tunnels based on on-demand NHRP redirection. When combined with RSA certificate-based authentication via a Certificate Authority (CA), it ensures secure identity verification without relying on pre-shared keys. This guide walks through configuring a Phase 3 DMVPN topology using CA, IPsec in transport mode, and EIGRP for routing.
Step 1: Initial Setup – Domain Name and RSA Keys
Begin by configuring the domain name and generating the RSA key pair on all routers:
ip domain-name yourdomain.com
crypto key generate rsa modulus 1024
These are prerequisites for certificate enrollment.
Step 2: Enroll with the Certificate Authority
Configure the trustpoint and enroll the router with the CA:
crypto pki trustpoint MY-CA
enrollment url http://CA-IP
exit
crypto pki authenticate MY-CA
crypto pki enroll MY-CA
Each router will now have a signed certificate issued by the CA, enabling secure, scalable IKE RSA authentication.
Step 3: Configure ISAKMP and IPsec Policies
Define the ISAKMP (IKE Phase 1) policy using RSA signatures and AES/SHA encryption:
crypto isakmp policy 1
authentication rsa-sig
encryption aes
hash sha
group 5
lifetime 1800
exit
Define the IPsec transform set and profile (IKE Phase 2):
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
mode transport
crypto ipsec profile VPN-PROFILE
set transform-set TSET
Step 4: Enable EIGRP on All Routers
Set up dynamic routing with EIGRP over both tunnel and LAN subnets:
router eigrp 100
no auto-summary
network tunnel-subnet
network LAN-subnet
Step 5: Hub Tunnel Configuration (mGRE with NHRP Redirects)
The hub router should support multiple spoke connections with multipoint GRE and NHRP redirection:
interface Tunnel0
ip address x.x.x.x mask
tunnel source interface
tunnel mode gre multipoint
tunnel key 1
ip nhrp network-id 1
ip nhrp map multicast dynamic
ip nhrp holdtime 300
tunnel protection ipsec profile VPN-PROFILE
no ip next-hop-self eigrp 100
no ip split-horizon eigrp 100
ip nhrp authentication key
ip nhrp redirect
The ip nhrp redirect command is essential in Phase 3—it enables the hub to inform spokes of more efficient routing paths between each other.
Step 6: Spoke Tunnel Configuration (Dynamic Spoke-to-Spoke)
Each spoke sets up its tunnel to the hub and enables NHRP shortcut support to allow direct peer tunnels when signaled by the hub:
interface Tunnel0
ip address x.x.x.x mask
tunnel source interface
tunnel mode gre multipoint
tunnel key 1
ip nhrp map hub-tunnel-ip hub-public-ip
ip nhrp map multicast hub-public-ip
ip nhrp authentication key
ip nhrp network-id 1
ip nhrp holdtime 300
tunnel protection ipsec profile VPN-PROFILE
ip nhrp nhs hub-tunnel-ip
ip nhrp shortcut
The ip nhrp shortcut command allows the spoke to dynamically form GRE tunnels to other spokes without relying solely on the hub after the initial path is established.
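The Phase 1, 2 and 3 tunnel templates above differ in only a handful of commands (point-to-point tunnel destination versus multipoint mode, the hub's EIGRP split-horizon and next-hop-self settings, ip nhrp redirect and ip nhrp shortcut), and a mistake in any of them fails quietly. The following lint is an added example of my own, not code from the guide or from Cisco: it checks an IOS Tunnel snippet against the phase and role it is meant for, cross-checks the values a hub and spoke must share, and is run here on constructed sample interfaces. The 8-character NHRP authentication limit and the exclusivity of tunnel destination with multipoint mode are IOS behaviour as I know it.

```python
import re

def normalize(cfg):
    """Split an IOS snippet into trimmed command lines, dropping blanks and '!' comments."""
    lines = []
    for raw in cfg.splitlines():
        line = " ".join(raw.split())
        if line and not line.startswith("!"):
            lines.append(line)
    return lines

def _get(lines, pattern):
    # First capture group of the first line fully matching pattern, else None.
    for line in lines:
        m = re.fullmatch(pattern, line)
        if m:
            return m.group(1)
    return None

def lint_tunnel(cfg, role, phase):
    """Lint one Tunnel interface; role is 'hub' or 'spoke', phase is 1, 2 or 3."""
    lines = normalize(cfg)
    has = lambda pattern: any(re.fullmatch(pattern, l) for l in lines)
    findings = []
    if has(r"tunnel-protection .*"):
        findings.append("'tunnel-protection' is not IOS syntax; use 'tunnel protection ipsec profile <name>'")
    elif not has(r"tunnel protection ipsec profile \S+"):
        findings.append("no 'tunnel protection': GRE and NHRP would cross the underlay unencrypted")
    multipoint = has(r"tunnel mode gre multipoint")
    dest = has(r"tunnel destination \S+")
    if multipoint and dest:
        findings.append("'tunnel destination' and 'tunnel mode gre multipoint' are mutually exclusive")
    auth = _get(lines, r"ip nhrp authentication (\S+)")
    if auth is not None and len(auth) > 8:
        findings.append(f"NHRP authentication string '{auth}' exceeds the 8-character limit")
    uses_eigrp = any("eigrp" in l for l in lines)
    if role == "hub":
        if not multipoint:
            findings.append("hub must use 'tunnel mode gre multipoint' to terminate many spokes")
        if uses_eigrp and not has(r"no ip split-horizon eigrp \d+"):
            findings.append("EIGRP split horizon still on: spoke prefixes are not re-advertised to other spokes")
        if uses_eigrp and phase == 2 and not has(r"no ip next-hop-self eigrp \d+"):
            findings.append("Phase 2 hub needs 'no ip next-hop-self eigrp' so spokes learn each other as next hop")
        if phase == 3 and not has(r"ip nhrp redirect"):
            findings.append("Phase 3 hub needs 'ip nhrp redirect'")
    else:
        if phase == 1 and not dest:
            findings.append("Phase 1 spoke needs a point-to-point 'tunnel destination <hub>'")
        if phase == 1 and multipoint:
            findings.append("Phase 1 spoke should keep the default point-to-point GRE mode")
        if phase >= 2 and not multipoint:
            findings.append(f"Phase {phase} spoke must be 'tunnel mode gre multipoint' for spoke-to-spoke tunnels")
        if phase >= 2 and dest:
            findings.append(f"Phase {phase} spoke must drop 'tunnel destination' and map the hub with 'ip nhrp map'")
        if phase == 3 and not has(r"ip nhrp shortcut"):
            findings.append("Phase 3 spoke needs 'ip nhrp shortcut'")
    return findings

def check_pair(hub_cfg, spoke_cfg):
    """Cross-check the values that must agree between a hub and a single-hub spoke."""
    hub, spoke = normalize(hub_cfg), normalize(spoke_cfg)
    findings = []
    for label, pattern in (("tunnel key", r"tunnel key (\d+)"), ("NHRP network-id", r"ip nhrp network-id (\d+)"),
                           ("NHRP authentication", r"ip nhrp authentication (\S+)")):
        h, s = _get(hub, pattern), _get(spoke, pattern)
        if h != s:
            findings.append(f"{label} mismatch: hub={h} spoke={s}")
    hub_ip = _get(hub, r"ip address (\S+) \S+")
    nhs = _get(spoke, r"ip nhrp nhs (\S+)")
    if hub_ip != nhs:
        findings.append(f"spoke NHS {nhs} is not the hub tunnel address {hub_ip}")
    return findings

# Constructed samples (mine, not the guide's); 203.0.113.0/24 is a documentation range.
HUB_PHASE2 = """
interface Tunnel0
 ip address 192.168.101.1 255.255.255.0
 tunnel mode gre multipoint
 tunnel key 1
 ip nhrp map multicast dynamic
 ip nhrp authentication DMVPN1
 ip nhrp network-id 1
 tunnel protection ipsec profile VPN-PROFILE
 no ip next-hop-self eigrp 100
 no ip split-horizon eigrp 100
"""
# Deliberately flawed spoke: destination plus multipoint, hyphenated keyword, 10-char auth string, wrong network-id.
SPOKE_PHASE2_BAD = """
interface Tunnel0
 ip address 192.168.101.2 255.255.255.0
 tunnel destination 203.0.113.1
 tunnel mode gre multipoint
 tunnel key 1
 ip nhrp map 192.168.101.1 203.0.113.1
 ip nhrp authentication DMVPNKEY01
 ip nhrp network-id 2
 tunnel-protection ipsec profile VPN-PROFILE
 ip nhrp nhs 192.168.101.1
"""
```

Run lint_tunnel(SPOKE_PHASE2_BAD, "spoke", 2) and check_pair(HUB_PHASE2, SPOKE_PHASE2_BAD) to see the four interface findings and the two hub/spoke mismatches; the same flawed snippet passes as a Phase 1 spoke once the multipoint line and the hyphen are removed, apart from the over-long authentication string.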
DMVPN with an IOS-Based Certificate Authority (CA)
In environments where you want to avoid relying on external public key infrastructure, Cisco IOS routers can act as their own internal Certificate Authority (CA). This blog post outlines how to deploy a DMVPN network secured with RSA certificates issued by an IOS-based Certificate Authority (CA). We’ll use IPsec for encryption, EIGRP for routing, and RSA signature authentication to establish secure and scalable VPN tunnels.
Step 1: Configure the IOS Router as a Certificate Authority
Before your IOS router can function as a CA, ensure that the system clock is set correctly or that NTP is configured.
On the designated IOS CA router, configure the following:
crypto key generate rsa general-keys exportable label name modulus 1024
crypto key export rsa name pem url nvram: 3des key
ip http server
crypto pki server name
database level minimum
database url nvram:
issuer-name cn=name l=location c=country
lifetime certificate days
! grant auto approves every enrollment request without operator review (lab convenience)
grant auto
no shutdown
Set a password when prompted after no shutdown.
This setup creates a basic functioning local CA capable of issuing and signing certificates for other routers in your DMVPN topology.
Step 2: Enroll Spoke and Hub Routers with the CA
On each DMVPN router (hub and spokes), configure the trustpoint and enroll the router to retrieve a certificate:
crypto pki trustpoint name
enrollment url http://CA-IP
exit
crypto pki authenticate name
crypto pki enroll name
After enrolling, the router will receive a valid certificate signed by the IOS CA.
Step 3: Configure ISAKMP and IPsec Policies
Define IKE Phase 1 with RSA signature authentication:
crypto isakmp policy 1
authentication rsa-sig
encryption aes
hash sha
group 5
lifetime 1800
exit
Define IKE Phase 2 using transport mode IPsec:
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
mode transport
crypto ipsec profile VPN-PROFILE
set transform-set TSET
Step 4: Configure EIGRP on All Routers
Enable dynamic routing with EIGRP over the tunnel and LAN networks:
router eigrp 100
no auto-summary
network lan-subnet
network tunnel-subnet
Step 5: Configure the Hub Tunnel Interface
The hub router will use mGRE to support multiple spokes. Configure the tunnel with NHRP and IPsec protection:
interface Tunnel0
ip address x.x.x.x mask
tunnel source interface
tunnel mode gre multipoint
tunnel key 1
ip nhrp map multicast dynamic
ip nhrp authentication key
ip nhrp network-id 1
ip nhrp holdtime 300
tunnel protection ipsec profile VPN-PROFILE
no ip next-hop-self eigrp 100
no ip split-horizon eigrp 100
The use of no ip next-hop-self and no ip split-horizon ensures proper route advertisement between spokes.
Step 6: Configure the Spoke Tunnel Interfaces
Each spoke router should statically map to the hub’s tunnel and public IP, and authenticate via the certificate:
interface Tunnel0
ip address x.x.x.x mask
tunnel source interface
tunnel mode gre multipoint
tunnel key 1
ip nhrp map hub-tunnel-ip hub-public-ip
ip nhrp authentication key
ip nhrp map multicast hub-public-ip
ip nhrp network-id 1
ip nhrp holdtime 300
tunnel protection ipsec profile VPN-PROFILE
ip nhrp nhs hub-tunnel-ip
This allows the spoke to register dynamically with the hub and form encrypted GRE tunnels for communication.
DMVPN Deployment Using IKEv2 and Pre-Shared Key Authentication
For modern, scalable VPN architectures, IKEv2 offers significant advantages over IKEv1, including simplified negotiation, native support for mobility, and more robust crypto flexibility. In this post, we’ll walk through deploying a Dynamic Multipoint VPN (DMVPN) solution using IKEv2 with pre-shared key (PSK) authentication, EIGRP for dynamic routing, and IPsec for data encryption.
Step 1: Configure EIGRP on All Routers
Begin by enabling EIGRP for both the tunnel and internal LAN segments. This ensures dynamic route propagation between all nodes.
router eigrp 100
no auto-summary
network lan-subnet
network tunnel-subnet
Step 2: Define IKEv2 Proposal and Policy
Set up the encryption, integrity, and DH group parameters that will be used during IKEv2 negotiations.
crypto ikev2 proposal 1
encryption aes-cbc-256
integrity sha512
group 5
exit
crypto ikev2 policy 1
proposal 1
exit
Step 3: Configure the Keyring and IKEv2 Profile
Define the keyring that will hold the pre-shared key and bind it to the IKEv2 profile.
crypto ikev2 keyring MY-KEYRING
peer any
address 0.0.0.0 0.0.0.0
pre-shared-key key
exit
exit
crypto ikev2 profile MY-PROFILE
match identity remote address 0.0.0.0 0.0.0.0
authentication local pre-share
authentication remote pre-share
keyring local MY-KEYRING
exit
Step 4: Configure IPsec Transform Set and Profile
Specify the IPsec settings for encrypting GRE tunnel traffic. Transport mode is used to avoid adding unnecessary headers.
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
mode transport
crypto ipsec profile DMVPN-PROFILE
set transform-set TSET
set ikev2-profile MY-PROFILE
exit
Step 5: Configure the Hub Tunnel Interface
The hub router should use mGRE to support multiple dynamic connections. It will also act as the NHRP server.
interface Tunnel0
ip address x.x.x.x mask
tunnel source interface
tunnel mode gre multipoint
tunnel key 1
ip nhrp map multicast dynamic
ip nhrp authentication key
ip nhrp network-id 1
ip nhrp holdtime 300
tunnel protection ipsec profile DMVPN-PROFILE
no ip next-hop-self eigrp 100
no ip split-horizon eigrp 100
The commands no ip next-hop-self and no ip split-horizon ensure proper route advertisement between spokes via the hub.
Step 6: Configure the Spoke Tunnel Interfaces
Each spoke router should statically map to the hub’s public and tunnel IPs and register using NHRP.
interface Tunnel0
ip address x.x.x.x mask
tunnel source interface
tunnel mode gre multipoint
tunnel key 1
ip nhrp map hub-tunnel-ip hub-public-ip
ip nhrp authentication key
ip nhrp map multicast hub-public-ip
ip nhrp network-id 1
ip nhrp holdtime 300
tunnel protection ipsec profile DMVPN-PROFILE
ip nhrp nhs hub-tunnel-ip
This enables spokes to dynamically build tunnels with the hub and form secure encrypted communication paths.
DMVPN with NAT-T and Pre-Shared Key Authentication
In real-world deployments, Dynamic Multipoint VPN (DMVPN) routers are often placed behind NAT devices, especially in remote office setups. NAT-T (NAT Traversal) allows DMVPN to function even when devices are behind NAT by encapsulating IPsec traffic in UDP. This guide walks through deploying DMVPN with IPsec in transport mode, EIGRP routing, and NAT-T support on ASA firewalls.
Step 1: Configure IPsec and ISAKMP Policies
Start by creating the crypto policy on all routers. Use a wildcard pre-shared key for simplicity in NAT environments:
crypto isakmp policy 1
authentication pre-share
encryption aes
hash sha
group 5
lifetime 1800
exit
crypto isakmp key key address 0.0.0.0
Define the IPsec transform set and bind it to a profile:
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
mode transport
crypto ipsec profile DMVPN-PROFILE
set transform-set TSET
Step 2: Configure EIGRP on All Routers
EIGRP is used to dynamically advertise both LAN and tunnel networks.
router eigrp 100
no auto-summary
network 192.168.1.0
network 192.168.101.0
Step 3: Configure NAT on the ASA Firewall
If a DMVPN router sits behind an ASA, configure a static NAT for it so that IKE and ESP traffic reaches the router:
object network ROUTER-BEHIND-NAT
host x.x.x.x
exit
nat (inside,outside) source static ROUTER-BEHIND-NAT interface
You’ll also need to allow NAT-T traffic by permitting UDP ports 500 and 4500 through the firewall:
access-list ACL-DMVPN permit udp host spoke-public-ip object ROUTER-BEHIND-NAT eq 500
access-list ACL-DMVPN permit udp host spoke-public-ip object ROUTER-BEHIND-NAT eq 4500
access-group ACL-DMVPN in interface outside
Step 4: Hub Tunnel Interface Configuration
On the hub router, configure Tunnel0 to support multiple spokes and dynamic mappings using mGRE and NHRP:
interface Tunnel0
ip address x.x.x.x mask
tunnel source interface
tunnel mode gre multipoint
tunnel key 1
ip nhrp map multicast dynamic
ip nhrp authentication key
ip nhrp network-id 1
ip nhrp holdtime 300
tunnel protection ipsec profile DMVPN-PROFILE
no ip next-hop-self eigrp 100
no ip split-horizon eigrp 100
Step 5: Spoke Tunnel Interface Configuration
Each spoke router, especially if behind NAT, must map to the hub’s public IP (usually the firewall interface) and configure NHRP accordingly:
interface Tunnel0
ip address x.x.x.x mask
tunnel source interface
tunnel mode gre multipoint
tunnel key 1
ip nhrp map hub-tunnel-ip hub-public-ip-on-firewall
ip nhrp map multicast hub-public-ip-on-firewall
ip nhrp authentication key
ip nhrp network-id 1
ip nhrp holdtime 300
tunnel protection ipsec profile DMVPN-PROFILE
ip nhrp nhs hub-tunnel-ip
This allows proper registration to the NHRP server (hub) and establishes IPsec tunnels despite NAT.
DMVPN Deployment with Dynamic IP Addressing for Spokes
In many real-world DMVPN deployments, remote spoke routers may receive their public IP addresses dynamically via DHCP—especially in home office or retail branch environments. Fortunately, DMVPN supports dynamic IP addressing for spokes while maintaining a static configuration on the hub. This guide shows how to build a DMVPN Phase 3 topology with dynamically addressed spokes, IPsec encryption, and EIGRP for routing.
Use Case
This configuration is ideal when:
- The hub router has a static public IP, and
- The spoke routers receive dynamic public IPs via DHCP (e.g., behind residential ISPs or dynamically addressed cable modems).
Step 1: Configure ISAKMP and IPsec Policies
Start by defining IKE Phase 1 and IPsec Phase 2 policies. We’ll use a wildcard pre-shared key to accommodate unknown spoke IPs.
crypto isakmp policy 1
authentication pre-share
encryption aes
hash sha
group 5
lifetime 1800
exit
crypto isakmp key key address 0.0.0.0
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
mode transport
crypto ipsec profile VPN-PROFILE
set transform-set TSET
Step 2: Enable EIGRP on All Routers
Configure EIGRP to dynamically advertise both LAN and tunnel networks.
router eigrp 100
no auto-summary
network LAN-subnet
network tunnel-subnet
Step 3: Hub Tunnel Configuration (Static IP)
The hub uses mGRE and NHRP to allow multiple spokes to dynamically register and communicate. Phase 3 enhancements like ip nhrp redirect are included.
interface Tunnel0
ip address x.x.x.x mask
tunnel source interface
tunnel mode gre multipoint
tunnel key 1
ip nhrp network-id 1
ip nhrp map multicast dynamic
ip nhrp holdtime 300
ip nhrp authentication key
tunnel protection ipsec profile VPN-PROFILE
no ip next-hop-self eigrp 100
no ip split-horizon eigrp 100
ip nhrp redirect
This configuration enables dynamic mappings from spoke routers regardless of their public IPs.
Step 4: Spoke Tunnel Configuration (Dynamic IP)
Spoke routers with dynamic public IPs must point statically at the hub's public IP, since the hub's address is the only one known in advance; the tunnel stays multipoint GRE so that Phase 3 features like ip nhrp shortcut can build dynamic spoke-to-spoke tunnels.
interface Tunnel0
ip address x.x.x.x mask
tunnel source interface
tunnel key 1
tunnel mode gre multipoint
ip nhrp map hub-tunnel-ip hub-public-ip
ip nhrp map multicast hub-public-ip
ip nhrp authentication key
ip nhrp network-id 1
ip nhrp holdtime 300
tunnel protection ipsec profile VPN-PROFILE
ip nhrp nhs hub-tunnel-ip
ip nhrp shortcut
This configuration allows dynamic registration to the hub even if the spoke IP changes after a reboot or ISP update.
DMVPN with Hub Behind Static NAT and Spoke Behind Dynamic NAT
In complex WAN environments, it’s not uncommon to deploy DMVPN with mixed NAT conditions, where the hub is behind static NAT and spokes are behind dynamic NAT. This configuration can still support secure, scalable VPN connectivity using IPsec, GRE multipoint, and NHRP. This guide outlines the full deployment, including NAT rules, crypto configuration, and routing via EIGRP.
Scenario Overview
- The hub (DMVPN server) is behind a static NAT router.
- The spoke (DMVPN client) is behind a dynamic NAT router.
- An ISP router connects both the static and dynamic NAT boundaries.
- We’ll use EIGRP for routing and IPsec with pre-shared keys for encryption.
Step 1: Configure Static NAT (Hub Side)
On the router performing static NAT for the hub:
interface g1
ip nat inside
interface g2
ip nat outside
exit
ip nat inside source static 192.168.11.2 interface g2
This maps the inside IP (192.168.11.2) to the outside public IP on g2.
Step 2: Configure Dynamic NAT (Spoke Side)
On the router performing dynamic NAT for the spoke:
interface g1
ip nat inside
interface g2
ip nat outside
exit
ip nat pool DMVPN-POOL 102.1.1.200 102.1.1.210 netmask 255.255.255.0
ip access-list extended NAT-ACL
permit ip 192.168.12.2 0.0.0.255 any
ip nat inside source list NAT-ACL pool DMVPN-POOL
This setup dynamically translates spoke IPs to public IPs in the pool range.
Step 3: Create ISAKMP and IPsec Policies
Define IKE Phase 1 and 2 parameters to secure GRE tunnels:
crypto isakmp policy 1
authentication pre-share
encryption aes
hash sha
group 5
lifetime 1800
exit
crypto isakmp key key address 0.0.0.0
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
mode transport
crypto ipsec profile DMVPN-PROFILE
set transform-set TSET
Step 4: Configure EIGRP on All Routers
Enable dynamic route advertisement over tunnel and LAN interfaces:
router eigrp 100
no auto-summary
network 192.168.1.0
network 192.168.101.0
Step 5: Hub Tunnel Interface Configuration
The hub uses mGRE and serves as the NHRP server:
interface Tunnel0
ip address x.x.x.x mask
tunnel source interface
tunnel mode gre multipoint
tunnel key 1
ip nhrp map multicast dynamic
ip nhrp authentication key
ip nhrp network-id 1
ip nhrp holdtime 300
tunnel protection ipsec profile DMVPN-PROFILE
no ip next-hop-self eigrp 100
no ip split-horizon eigrp 100
Step 6: Spoke Tunnel Configuration
The spoke must statically map to the hub’s tunnel IP and public IP (as NATed by the firewall).
interface Tunnel0
ip address x.x.x.x mask
tunnel source interface
tunnel mode gre multipoint
tunnel key 1
ip nhrp map hub-tunnel-ip hub-public-ip-on-firewall
ip nhrp map multicast hub-public-ip-on-firewall
ip nhrp authentication key
ip nhrp network-id 1
ip nhrp holdtime 300
tunnel protection ipsec profile DMVPN-PROFILE
ip nhrp nhs hub-tunnel-ip
This enables successful NHRP registration and GRE tunnel creation through NAT.
DMVPN over IPv6 with IPsec and EIGRPv6
As the world transitions to IPv6, network engineers must ensure their VPN technologies support the next-generation protocol. Dynamic Multipoint VPN (DMVPN) is fully compatible with IPv6, allowing secure, scalable, and dynamic connectivity between routers over an IPv6 backbone. This guide details the configuration of DMVPN over IPv6 using IPsec for encryption and EIGRPv6 for routing.
Step 1: Configure IPsec and ISAKMP for IPv6
Start by defining the crypto policies used for tunnel protection. We’ll use IKEv1 with pre-shared key (PSK) and AES encryption in transport mode:
crypto isakmp policy 1
authentication pre-share
encryption aes
hash sha
group 5
lifetime 1800
exit
crypto isakmp key key address ipv6 ::/0
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
mode transport
crypto ipsec profile DMVPN-PROFILE
set transform-set TSET
Step 2: Configure EIGRPv6 on All Routers
EIGRP for IPv6 requires enabling the process per interface instead of using a network statement.
interface LAN-interface
ipv6 eigrp 100
interface tunnel0
ipv6 eigrp 100
Ensure IPv6 routing is enabled globally with ipv6 unicast-routing.
Step 3: Configure the Hub Tunnel Interface
The hub is configured with multipoint GRE to support multiple spokes and uses NHRP for dynamic address resolution:
interface tunnel0
ipv6 address x:x:x:x::x/prefix
tunnel source interface
tunnel mode gre multipoint ipv6
tunnel key 1
ipv6 nhrp map multicast dynamic
ipv6 nhrp authentication key
ipv6 nhrp network-id 1
ipv6 nhrp holdtime 300
tunnel protection ipsec profile DMVPN-PROFILE
no ipv6 next-hop-self eigrp 100
no ipv6 split-horizon eigrp 100
These last two commands prevent route feedback loops and ensure correct routing behavior in hub-and-spoke topologies.
Step 4: Configure the Spoke Tunnel Interface
Spokes dynamically map to the hub’s IPv6 public and tunnel addresses:
interface tunnel0
ipv6 address x:x:x:x::x/prefix
tunnel source interface
tunnel mode gre multipoint ipv6
tunnel key 1
ipv6 nhrp map hub-tunnel-ipv6 hub-public-ipv6
ipv6 nhrp map multicast hub-public-ipv6
ipv6 nhrp authentication key
ipv6 nhrp network-id 1
ipv6 nhrp holdtime 300
tunnel protection ipsec profile DMVPN-PROFILE
ipv6 nhrp nhs hub-tunnel-ipv6
This allows the spoke router to securely register with the hub and participate in routing using IPv6.
DMVPN Through a Firewall: Configuration Guide with NAT-T Support
Deploying DMVPN through a firewall introduces additional considerations, particularly with NAT traversal (NAT-T). Firewalls—especially Cisco ASA—must be configured to allow critical IPsec traffic. This guide walks through the full DMVPN configuration for routers and the firewall to ensure seamless tunneling, encryption, and routing.
Step 1: Configure the Crypto Policy for All Routers
First, establish a consistent IKEv1 Phase 1 policy and Phase 2 IPsec settings:
crypto isakmp policy 1
authentication pre-share
encryption aes
hash sha
group 5
lifetime 1800
exit
crypto isakmp key key address 0.0.0.0
Next, define the IPsec transform set and profile:
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
mode transport
crypto ipsec profile DMVPN-PROFILE
set transform-set TSET
Step 2: Configure EIGRP on All Routers
Enable EIGRP to advertise both LAN and tunnel networks:
router eigrp 100
no auto-summary
network 192.168.1.0
network 192.168.101.0
Step 3: Configure the Hub Tunnel Interface
The hub will act as the NHRP server and use mGRE to support dynamic spoke registration:
interface Tunnel0
ip address x.x.x.x mask
tunnel source interface
tunnel mode gre multipoint
tunnel key 1
ip nhrp map multicast dynamic
ip nhrp authentication key
ip nhrp network-id 1
ip nhrp holdtime 300
tunnel protection ipsec profile DMVPN-PROFILE
no ip next-hop-self eigrp 100
no ip split-horizon eigrp 100
This configuration enables full dynamic spoke registration and avoids EIGRP route looping.
Step 4: Configure the Spoke Tunnel Interface
Spokes statically map to the hub’s tunnel and public IP:
interface Tunnel0
ip address x.x.x.x mask
tunnel source interface
tunnel mode gre multipoint
tunnel key 1
ip nhrp map hub-tunnel-ip hub-public-ip
ip nhrp map multicast hub-public-ip
ip nhrp authentication key
ip nhrp network-id 1
ip nhrp holdtime 300
tunnel protection ipsec profile DMVPN-PROFILE
ip nhrp nhs hub-tunnel-ip
This allows the spoke to register with the hub and receive reachability updates via EIGRP.
Step 5: ASA Firewall Configuration for NAT-T
If your spokes or hubs are behind NAT (common in firewall setups), Cisco ASA must permit NAT traversal and ESP traffic. Apply the following access rules:
access-list ACL-DMVPN permit udp host spoke-public-ip host hub-public-ip eq 500
access-list ACL-DMVPN permit esp host spoke-public-ip host hub-public-ip
access-group ACL-DMVPN in interface outside
These ACL entries allow:
- UDP 500: IKE negotiation traffic
- ESP (IP Protocol 50): Encrypted payload transport (IPsec)
Without these entries, IKE and ESP are dropped at the firewall and the DMVPN tunnel will never establish. When NAT-T is actually in play, IKE and the UDP-encapsulated ESP both move to UDP 4500, which must be permitted as shown in the NAT-T section earlier in this series.
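To check an ASA access-list against what the two firewall sections above require (UDP 500 and ESP without NAT; UDP 500 and 4500 once NAT-T is in play), here is an added Python example that is not part of the original guide. The ACL lines are constructed from the page's templates, and spoke-public-ip and hub-public-ip are placeholders.

```python
# Added example (not from the guide): check an ASA access-list for the flows a
# DMVPN peer needs through the firewall. Peer names are placeholders.
import re

# Constructed sample: the rules from Step 5 above, which permit UDP 500 and ESP only.
ACL_500_AND_ESP = """
access-list ACL-DMVPN permit udp host spoke-public-ip host hub-public-ip eq 500
access-list ACL-DMVPN permit esp host spoke-public-ip host hub-public-ip
access-group ACL-DMVPN in interface outside
"""

# Constructed sample: the same ACL plus the UDP 4500 entry from the earlier NAT-T section.
ACL_WITH_NAT_T = ACL_500_AND_ESP + """
access-list ACL-DMVPN permit udp host spoke-public-ip host hub-public-ip eq 4500
"""

# One access-control entry: protocol, source, destination, optional 'eq <port>'.
ACE_RE = re.compile(
    r"^access-list\s+\S+\s+permit\s+(?P<proto>udp|esp)\s+"
    r"(?:host\s+\S+|object\s+\S+|any)\s+(?:host\s+\S+|object\s+\S+|any)"
    r"(?:\s+eq\s+(?P<port>\d+))?\s*$"
)

def parse_permits(acl_text):
    """Return the set of (protocol, port) pairs the ACL permits; port is None for ESP."""
    permits = set()
    for line in acl_text.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            permits.add((m.group("proto"), int(m.group("port")) if m.group("port") else None))
    return permits

def missing_for_dmvpn(acl_text, nat_between_peers):
    """List the flows the firewall still blocks for a DMVPN peer.

    Without NAT, IKE runs on UDP 500 and the data path is raw ESP. Once NAT-T
    detects a NAT device, IKE moves to UDP 4500 and ESP is carried inside
    UDP 4500 as well, so that port replaces the ESP requirement.
    """
    required = {("udp", 500): "UDP 500 (IKE)"}
    if nat_between_peers:
        required[("udp", 4500)] = "UDP 4500 (NAT-T: IKE and UDP-encapsulated ESP)"
    else:
        required[("esp", None)] = "ESP (IP protocol 50)"
    permits = parse_permits(acl_text)
    return [desc for flow, desc in required.items() if flow not in permits]
```

Running missing_for_dmvpn(ACL_500_AND_ESP, nat_between_peers=True) reports the missing UDP 4500 entry, which is the case this section's rule set does not cover.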
DMVPN Without IPsec: Simplified GRE Tunnels for Trusted Networks
Dynamic Multipoint VPN (DMVPN) is most often deployed with IPsec encryption to provide secure tunneling across untrusted networks. However, in trusted environments—such as lab simulations or private MPLS backbones—security overhead may be unnecessary. In those cases, DMVPN can operate without IPsec, offering the same dynamic multipoint GRE (mGRE) and Next Hop Resolution Protocol (NHRP) functionality without encryption.
This guide details how to configure DMVPN without IPsec, keeping the setup lightweight while still leveraging the scalability and flexibility of multipoint GRE and dynamic spoke registration.
Hub Configuration
Begin by configuring the DMVPN hub. The Tunnel0 interface must be set to use multipoint GRE to allow dynamic peer connections:
interface Tunnel0
ip address x.x.x.x mask
tunnel source interface
tunnel mode gre multipoint
tunnel key 1
ip nhrp map multicast dynamic
ip nhrp authentication key
ip nhrp network-id 1
ip nhrp holdtime 300
no ip next-hop-self eigrp 100
no ip split-horizon eigrp 100
Here’s a breakdown of key directives:
- ip nhrp map multicast dynamic: Enables dynamic mapping of multicast traffic (like routing protocols) to registered spokes.
- no ip next-hop-self and no ip split-horizon: Ensure EIGRP routes from spokes are correctly forwarded to other spokes.
- No IPsec profile is used—this tunnel remains unencrypted.
Spoke Configuration
Each spoke also uses an mGRE tunnel to communicate with the hub and other spokes. Here’s the configuration for a spoke router:
interface Tunnel0
ip address x.x.x.x mask
tunnel source interface
tunnel mode gre multipoint
tunnel key 1
ip nhrp map hub-tunnel-ip hub-public-ip
ip nhrp map multicast hub-public-ip
ip nhrp authentication key
ip nhrp network-id 1
ip nhrp holdtime 300
ip nhrp nhs hub-tunnel-ip
In this setup:
- ip nhrp map lines define how the spoke reaches the hub.
- ip nhrp nhs sets the Next Hop Server (i.e., the hub).
- The configuration mirrors traditional DMVPN, but without any tunnel protection or crypto configuration.
When to Use DMVPN Without IPsec
Deploying DMVPN without IPsec makes sense in:
- Trusted WAN/MAN environments (e.g., leased fiber or MPLS)
- Lab environments where simplicity and performance are preferred
- Low-resource routers that lack encryption acceleration
However, be cautious. Without IPsec, the traffic is unencrypted and vulnerable to interception if run over public networks.
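A quick way to catch the two weakenings this series touches on, an unprotected tunnel like the one in this section and the wildcard pre-shared key used in the NAT-T sections, is to audit the running config for them. The following Python is an added example, not code from the guide; its sample configs are constructed from the page's templates and the x.x.x.x-style values are placeholders.

```python
# Added example (not the guide's code): audit an IOS-style DMVPN config; x.x.x.x values are placeholders.
import re

# Constructed sample: the unencrypted spoke from the section above.
SPOKE_NO_IPSEC = """
interface Tunnel0
 ip address x.x.x.x mask
 tunnel mode gre multipoint
 ip nhrp map hub-tunnel-ip hub-public-ip
 ip nhrp authentication key
 ip nhrp nhs hub-tunnel-ip
"""

# Constructed sample: a protected spoke using the wildcard PSK from the NAT-T sections.
SPOKE_IPSEC_WILDCARD = """
crypto isakmp key key address 0.0.0.0
interface Tunnel0
 tunnel mode gre multipoint
 ip nhrp authentication key
 tunnel protection ipsec profile DMVPN-PROFILE
"""

def split_config(config):
    """Split config text into ({interface: [sub-commands]}, [global commands])."""
    blocks, global_lines, current = {}, [], None
    for raw in filter(str.strip, config.splitlines()):
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif current is not None and raw[:1].isspace():
            blocks[current].append(line)  # indented line belongs to the open interface
        else:
            current = None  # unindented line closes the interface block
            global_lines.append(line)
    return blocks, global_lines

def audit_dmvpn(config):
    """Return findings as strings; an empty list means nothing was flagged."""
    blocks, global_lines = split_config(config)
    findings = []
    if any(re.match(r"crypto isakmp key \S+ address 0\.0\.0\.0", g) for g in global_lines):
        findings.append("wildcard PSK: any peer that knows the key can complete IKE")
    for name, lines in ((n, l) for n, l in blocks.items() if n.lower().startswith("tunnel")):
        if not any(l.startswith("tunnel protection ipsec profile") for l in lines):
            findings.append(f"{name}: no tunnel protection, GRE and NHRP travel in cleartext")
        if not any(l.startswith("ip nhrp authentication") for l in lines):
            findings.append(f"{name}: no NHRP authentication string")
    return findings
```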