Dynamic Multipoint VPN between CradlePoint and Cisco Router Example

Summary

This article describes how to set up a Dynamic GRE over IPSec VPN tunnel with NHRP (more commonly referred to as Dynamic Multipoint VPN or DMVPN) between a CradlePoint and Cisco router.

Configuration

Configuration Difficulty: Expert

Configure the IPsec Tunnel

- Step 1: Log into NCOS. For help with logging in please click here.
- Step 2: Click on Networking and select Tunnels and then select IPSec VPN.
- Step 3: Under IPSec VPN Tunnels click Add.
- Step 4: Enter a Tunnel Name.
- Step 5: Place a checkmark next to Anonymous Mode.
- Step 6: Remove the checkmark next to Responder Mode.
- Step 7: Enter a Pre-Shared Key.
- Step 8: Set the Mode drop-down to Transport.
- Step 9: Click Next.
- Step 10: Click Next on the Local Gateway page.
- Step 11: Enter the WAN IP of the Cisco into the Gateway under Remote Networks.
- Step 12: Click Next.
- Step 13: Set the Key Lifetime to 86400 and set the Exchange Mode to Aggressive.
- Step 14: Set the IKE Phase 1 settings for your tunnel.
- Step 15: Click Next.
- Step 16: Set the IKE Phase 2 settings for your tunnel.
- Step 17: Click Next.
- Step 18: Configure Dead Peer Detection (DPD) for your tunnel.
- Step 19: Click Finish.
- Step 20: Under Global VPN Settings check Enable VPN Service and select Save.

Configure the GRE Tunnel

- Step 1: Select GRE Tunnels from the left hand menu.
- Step 2: Under GRE Tunnels click Add.
- Step 3: Enter the Tunnel Name.
- Step 4: Enter the Tunnel Key.
- Step 5: Enter the IP Address of the Local Tunnel Interface into the Local Network.
- Step 6: Set the Remote Network to 0.0.0.0.
- Step 7: Enter the Subnet Mask of the Tunnel Network.
- Step 8: Set the Remote Gateway to 0.0.0.0.
- Step 9: Click Next.
- Step 10: Enter the Network Address of the Tunnel Network.
- Step 11: Enter the Subnet Mask of the Tunnel Network.
- Step 12: Click Save.
- Step 13: Click Finish.

Configure NHRP

- Step 1: Click on NHRP in the menu.
- Step 2: Under NHRP Supported Interfaces click Add.
- Step 3: Place a checkmark next to Enabled.
- Step 4: Select the GRE Tunnel from the Name drop-down menu.
- Step 5: Enter the Tunnel Authentication Key into the Peer Authentication field.
- Step 6: Place a checkmark next to Non-Caching, Shortcut and Redirect.
- Step 7: Click Add under Static Peer Map.
- Step 8: Enter the IP Address of the Tunnel Interface on the Hub Router/NHS.
- Step 9: Enter the Subnet Mask of the Tunnel Interface on the Hub Router/NHS into the Protocol Prefix field.
- Step 10: In the NBMA Address box, enter the Public IP of the Hub Router/NHS.
- Step 11: Place a checkmark next to Register.
- Step 12: Click Finish.
- Step 13: Click Submit.

Configure Routes

- Step 1: Click on Routing and then Static Routes.
- Step 2: Click Add.
- Step 3: Enter the Hub Router's LAN Network Address and Netmask.
- Step 4: Enter the Hub Router's Tunnel Interface IP Address into the Gateway field.
- Step 5: Place a checkmark next to Allow Network Access.
- Step 6: Click Submit.
- Step 7: Repeat Steps 3 through 7 for all networks you wish to access through the GRE Tunnel.

Configure the Cisco

    crypto isakmp policy 10
     encr aes 128
     hash md5
     group 1
     authentication pre-share
    crypto isakmp key 1234 address 0.0.0.0 0.0.0.0
    crypto ipsec transform-set MYSET esp-aes esp-md5-hmac
     mode transport
    crypto ipsec profile MYPROFILE
     set transform-set MYSET
     set pfs group1
    interface Tunnel0
     ip address 192.168.100.1 255.255.255.0
     no ip redirects
     ip nhrp authentication 1234
     ip nhrp map multicast dynamic
     ip nhrp network-id 1
     tunnel source FastEthernet0/1
     tunnel mode gre multipoint
     tunnel key 1234
     tunnel protection ipsec profile MYPROFILE
    interface FastEthernet0/0
     description INSIDE LOCAL NETWORK
     ip address 10.0.0.1 255.255.255.0
     duplex auto
     speed auto
    interface FastEthernet0/1
     description OUTSIDE WAN NETWORK
     ip address 75.160.178.214 255.255.255.240
     duplex auto
     speed auto
    ip route 192.168.0.0 255.255.255.0 192.168.100.5
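
The hub configuration above uses MD5, Diffie-Hellman group 1 and a four-character pre-shared key accepted from any peer address, settings worth flagging before a tunnel like this is deployed. The following Python check is an added example, not part of the original article or of any CradlePoint or Cisco tool: it scans the article's crypto lines for those settings. The `audit` function, the weak-group set and the 20-character key threshold are assumptions of this example.

```python
import re

# Hub crypto lines copied from the article's Cisco configuration.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encr aes 128
 hash md5
 group 1
 authentication pre-share
crypto isakmp key 1234 address 0.0.0.0 0.0.0.0
crypto ipsec transform-set MYSET esp-aes esp-md5-hmac
 mode transport
crypto ipsec profile MYPROFILE
 set transform-set MYSET
 set pfs group1
"""

WEAK_DH = {"1", "2", "5"}  # 768-, 1024- and 1536-bit MODP groups
MIN_PSK_LEN = 20           # assumed policy threshold for this example

def audit(config):
    """Return (line_number, finding) tuples for weak IKE/IPsec settings."""
    findings = []
    for n, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if line == "hash md5":
            findings.append((n, "IKE phase 1 hash is MD5"))
        m = re.fullmatch(r"group (\d+)", line)
        if m and m.group(1) in WEAK_DH:
            findings.append((n, f"IKE phase 1 uses weak DH group {m.group(1)}"))
        m = re.fullmatch(r"set pfs group(\d+)", line)
        if m and m.group(1) in WEAK_DH:
            findings.append((n, f"PFS uses weak DH group {m.group(1)}"))
        if line.startswith("crypto ipsec transform-set") and "esp-md5-hmac" in line.split():
            findings.append((n, "ESP integrity is HMAC-MD5"))
        # Optional "0"/"6" after "key" is the IOS key-encoding type, not the key.
        m = re.match(r"crypto isakmp key (?:[06] )?(\S+) address (\S+)", line)
        if m:
            key, peer = m.groups()
            if peer == "0.0.0.0":
                findings.append((n, "pre-shared key is accepted from any peer address"))
            if len(key) < MIN_PSK_LEN:
                findings.append((n, f"pre-shared key is shorter than {MIN_PSK_LEN} characters"))
    return findings

if __name__ == "__main__":
    for n, finding in audit(SAMPLE_CONFIG):
        print(f"line {n}: {finding}")
```

Any change made to clear a finding on the hub has to be mirrored in the CradlePoint IKE Phase 1 and Phase 2 settings, or the tunnel will not negotiate.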