A Dynamic Multipoint Virtual Private Network (DMVPN) is an enhancement of the virtual private network (VPN). DMVPN removes the need for pre-configured (static) IPsec peers in crypto-map configurations and ISAKMP peer statements. This Cisco IOS feature allows greater scalability than previous IPsec configurations. An IPsec tunnel between two Cisco routers may be created on an as-needed basis. Tunnels may be created between a spoke router and a hub router (VPN headend), or between spokes. This greatly reduces the need for the hub to route data between spoke networks, as was common in a non-fully-meshed Frame Relay topology.
It combines mGRE tunnels, IPsec encryption, and NHRP routing to give users ease of configuration via crypto profiles.

DMVPN relies on
           


Benefits


DMVPN Topologies


DMVPN deployment model



Hub-and-spoke model

In this model each hub contains an mGRE interface and each branch contains point-to-point GRE interfaces. No tunnel connects one branch to another. Traffic between branches passes through the hub.

Spoke-to-spoke model

In this deployment model, branches dynamically create tunnels to other branches within the same DMVPN cloud for intercommunication. This deployment model is fully meshed and requires an mGRE interface at both ends.



Spoke-to-Spoke operation

  1. Each spoke has a permanent IPsec tunnel to the hub and registers as a client of the NHRP server.
  2. If a spoke needs to send a packet to another spoke, it queries the NHRP server for the real address of that spoke.
  3. After getting the address of the spoke, it can initiate a dynamic IPsec tunnel to the target host.
  4. The tunnel is built using mGRE.
  5. It will tear down the connection after a preconfigured amount of inactivity on the spoke-to-spoke tunnels.


mGRE

    It is introduced in DMVPN.

    It serves as a one-to-many interface.

    A tunnel destination is not needed.

    An mGRE interface reduces the configuration on each hub router.


NHRP (Next Hop Resolution Protocol)

    NHRP is a protocol used for address resolution.

    NHRP maps a tunnel IP address to an NBMA IP address.

    NHRP tells the mGRE interface where to tunnel a packet to reach a destination.

    Hub and spoke routers should be configured with an NHRP hold time, which tells other routers how long to keep their NHRP information.

    The default NHRP hold time is 2 hours; the recommended time is 10 minutes.

    Its cache is populated with dynamic or static entries.

    Branch routers are configured with the NHRP NHS IP address.
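
The registration, resolution and hold-time behaviour described in the two sections above can be followed in a small model. This is an added example, not code from the original page and not a real NHRP implementation; the class names and the spoke NBMA addresses 10.0.0.4 and 10.0.0.5 are assumptions, and time is passed in as plain seconds.

```python
from dataclasses import dataclass, field

@dataclass
class Hub:
    """NHRP server (NHS): tunnel IP -> (NBMA IP, expiry time in seconds)."""
    auth: str
    cache: dict = field(default_factory=dict)

    def register(self, tunnel_ip, nbma_ip, auth, holdtime, now):
        if auth != self.auth:                  # authentication string mismatch
            return False
        self.cache[tunnel_ip] = (nbma_ip, now + holdtime)
        return True

    def resolve(self, tunnel_ip, now):
        entry = self.cache.get(tunnel_ip)
        if entry is None or entry[1] <= now:
            self.cache.pop(tunnel_ip, None)    # drop an expired registration
            return None
        return entry                           # (nbma_ip, expiry)

@dataclass
class Spoke:
    tunnel_ip: str
    nbma_ip: str
    hub: Hub
    holdtime: int = 600                        # the 10-minute value recommended above
    cache: dict = field(default_factory=dict)  # dynamic entries learned from the NHS

    def register(self, auth, now=0):
        return self.hub.register(self.tunnel_ip, self.nbma_ip, auth, self.holdtime, now)

    def path_to(self, dst_tunnel_ip, now):
        entry = self.cache.get(dst_tunnel_ip)
        if entry and entry[1] > now:
            return ("direct", entry[0])        # spoke-to-spoke mapping still valid
        entry = self.hub.resolve(dst_tunnel_ip, now)
        if entry is None:
            return ("via-hub", None)           # unresolved: traffic stays on the hub tunnel
        self.cache[dst_tunnel_ip] = entry      # kept until the peer's hold time ends
        return ("resolved", entry[0])

def demo():  # spoke NBMA addresses below are constructed
    hub = Hub(auth="CISCO")
    r4, r5 = Spoke("150.1.1.4", "10.0.0.4", hub), Spoke("150.1.1.5", "10.0.0.5", hub)
    out = [r4.register("CISCO"), r5.register("WRONG"), r4.path_to("150.1.1.5", 10)]
    r5.register("CISCO", now=20)
    out += [r4.path_to("150.1.1.5", t) for t in (30, 40, 700)]
    return out
```

`demo()` shows a registration with the wrong authentication string being refused, the first packet resolving through the hub, the next one using the cached mapping, and the mapping disappearing once the 600-second hold time has passed.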


DMVPN Configuration Tasks

  - IPsec profiles
  - mGRE configuration
  - NHRP configuration




              
DMVPN (Dynamic Multipoint VPN)
Here you can see three locations connected through a WAN.
The configurations below show how to configure a basic DMVPN.

Here R3 is the hub router; R4 and R5 are spoke routers.

10.0.0.0/24 is the public IP address range.
The mGRE tunnel is created using the IP range 150.1.1.0/24.

R3 Configuration

        #crypto isakmp policy 10
                encr 3des
                hash md5
                authentication pre-share

        ! wildcard address: the pre-shared key is accepted from any peer
        #crypto isakmp key CISCO address 0.0.0.0 0.0.0.0

        #crypto ipsec transform-set NETSET esp-3des esp-md5-hmac

        #crypto ipsec profile NETPROFILE
                set transform-set NETSET

        #int tunnel 0
                ip address 150.1.1.3 255.255.255.0
                tunnel source F0/0
                tunnel mode gre multipoint
                tunnel key 123
                ip nhrp network-id 123
                ip nhrp authentication CISCO
                ! learn spoke multicast mappings from NHRP registrations
                ip nhrp map multicast dynamic
                tunnel protection ipsec profile NETPROFILE


R4 Configuration

        #crypto isakmp policy 10
                encr 3des
                hash md5
                authentication pre-share

        #crypto isakmp key CISCO address 0.0.0.0 0.0.0.0

        #crypto ipsec transform-set NETSET esp-3des esp-md5-hmac

        #crypto ipsec profile NETPROFILE
                set transform-set NETSET

        #int tunnel 0
                ip address 150.1.1.4 255.255.255.0
                tunnel source f0/0
                tunnel mode gre multipoint
                ! the tunnel key is numeric and must match the hub
                tunnel key 123
                ip nhrp network-id 123
                ip nhrp authentication CISCO
                ! static mapping: hub tunnel IP -> hub public (NBMA) IP
                ip nhrp map 150.1.1.3 10.0.0.3
                ip nhrp map multicast 10.0.0.3
                ! register with the hub as next-hop server
                ip nhrp nhs 150.1.1.3
                tunnel protection ipsec profile NETPROFILE

R5 Configuration

        #crypto isakmp policy 10
                encr 3des
                hash md5
                authentication pre-share

        #crypto isakmp key CISCO address 0.0.0.0 0.0.0.0

        #crypto ipsec transform-set NETSET esp-3des esp-md5-hmac

        #crypto ipsec profile NETPROFILE
                set transform-set NETSET

        #int tunnel 0
                ip address 150.1.1.5 255.255.255.0
                tunnel source f0/0
                tunnel mode gre multipoint
                ! the tunnel key is numeric and must match the hub
                tunnel key 123
                ip nhrp network-id 123
                ip nhrp authentication CISCO
                ! static mapping: hub tunnel IP -> hub public (NBMA) IP
                ip nhrp map 150.1.1.3 10.0.0.3
                ip nhrp map multicast 10.0.0.3
                ! register with the hub as next-hop server
                ip nhrp nhs 150.1.1.3
                tunnel protection ipsec profile NETPROFILE
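
Before a lab configuration like this one goes anywhere near production, it is worth checking it for legacy crypto and for hub/spoke settings that do not agree. The following is an added example, not part of the original post: the sample configs are constructed in this page's style (the spoke carries two deliberate mistakes), and the function names and check list are assumptions rather than any vendor tool.

```python
import re

# Constructed configs in the style of this page; not captured from a device.
HUB = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key CISCO address 0.0.0.0 0.0.0.0
crypto ipsec transform-set NETSET esp-3des esp-md5-hmac
interface Tunnel0
 ip address 150.1.1.3 255.255.255.0
 tunnel key 123
 ip nhrp authentication CISCO
"""
SPOKE = HUB.replace("150.1.1.3 255", "150.1.1.4 255").replace(
    "tunnel key 123", "tunnel key 321\n ip nhrp nhs 15.1.1.3")

WEAK = [  # (regex, finding)
    (r"^\s*encr\w*\s+3?des\b", "IKE encryption is DES/3DES"),
    (r"^\s*hash\s+md5\b", "IKE hash is MD5"),
    (r"transform-set\s.*\besp-3?des\b", "ESP encryption is DES/3DES"),
    (r"transform-set\s.*\besp-md5-hmac\b", "ESP integrity is HMAC-MD5"),
    (r"isakmp key\s+\S+\s+address\s+0\.0\.0\.0\b",
     "wildcard pre-shared key: any peer address may use it"),
]
SHARED = {"tunnel key": r"^\s*tunnel key\s+(\S+)",
          "NHRP authentication": r"^\s*ip nhrp authentication\s+(\S+)"}

def first(cfg, pattern):
    m = re.search(pattern, cfg, re.M)
    return m.group(1) if m else None

def weak_crypto(cfg):
    """Findings for legacy algorithms and the wildcard key in one config."""
    return [msg for pat, msg in WEAK if re.search(pat, cfg, re.M | re.I)]

def spoke_mismatches(hub, spoke):
    """Settings that must agree between a spoke and its hub."""
    found = [name for name, pat in SHARED.items()
             if first(hub, pat) != first(spoke, pat)]
    if first(spoke, r"^\s*ip nhrp nhs\s+(\S+)") != first(hub, r"^\s*ip address\s+(\S+)"):
        found.append("NHS address is not the hub tunnel IP")
    return found
```

Run `weak_crypto()` on each router's configuration and `spoke_mismatches()` on each hub/spoke pair; an empty list from both means none of these checks fired.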