4.1.d Implement and troubleshoot DMVPN [single hub]

4.1.d [ii] DMVPN with IPsec using preshared key

see 4.1.d Implement and troubleshoot DMVPN [single hub] for lab download

hub(config)#crypto isakmp policy 10
hub(config-isakmp)#

make an internet security association and key management protocol (isakmp) policy… this is the ike phase 1 policy the hub and spokes will negotiate…

hub(config)#crypto isakmp policy 10
hub(config-isakmp)#hash sha
hub(config-isakmp)#encry aes
hub(config-isakmp)#authentication pre-share

use the secure hash algorithm (sha) or md5 for the phase 1 hash… choose the encryption: des (data encryption standard), 3des or aes (advanced encryption standard, the strongest of the three)… and we’ll authenticate the peers with a pre-shared key…

hub(config-isakmp)#authenti ?
pre-share  Pre-Shared Key
rsa-encr   Rivest-Shamir-Adleman Encryption
rsa-sig    Rivest-Shamir-Adleman Signature

define the key… the 0.0.0.0 0.0.0.0 address and mask means this one key is used for every peer, since the hub doesn’t know the spoke addresses ahead of time…

hub(config-isakmp)#crypto isakmp key MIKE address 0.0.0.0 0.0.0.0

the transform set, the ipsec (phase 2) proposal… esp-aes on its own is encryption only, there is no esp-sha-hmac integrity transform in it…

hub(config)#crypto ipsec transform-set TS esp-aes

create an IPSEC profile and include the transform set just made…

hub(config)#crypto ipsec profile DMVPN
hub(ipsec-profile)#set transform-set TS
hub(ipsec-profile)#

apply it with tunnel protection on the tunnel interface… and suffer the complaints until the other tunnels are on board… the hub now expects ipsec on that tunnel, so plain gre (prot= 47) from spokes that don’t have tunnel protection yet is rejected and logged…

hub(config-if)#tunnel protection ipsec profile DMVPN
hub(config-if)#
*Jan 12 05:47:49.048: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
hub(config-if)#
*Jan 12 05:47:50.204: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /200.1.10.100, src_addr= 200.1.30.3, prot= 47
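to tie the phase 1 policy, the key and the transform set together, here is an added example (not from the lab or from Cisco) that audits a running-config for the settings chosen above: no group command (IOS then defaults to DH group 1), a wildcard pre-shared key, and an ESP transform set without an integrity transform, which is why the SA output later reports replay detection support: N… LAB_CONFIG is a constructed rendering of the commands on this page as show running-config would print them, HARDENED_CONFIG is a constructed variant only to show the checks passing, and EXAMPLE_KEY is a placeholder…

```python
import re

# Constructed sample: the hub-side crypto configuration built in this lab,
# written the way "show running-config" prints it (MIKE and the wildcard
# address are the page's own values).
LAB_CONFIG = """\
crypto isakmp policy 10
 encr aes
 hash sha
 authentication pre-share
crypto isakmp key MIKE address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set TS esp-aes
 mode tunnel
!
crypto ipsec profile DMVPN
 set transform-set TS
"""

# Constructed hardened variant, used only to show the checks passing: explicit
# DH group, AES-256 plus an integrity transform, key pinned to one peer address
# (200.1.20.2 is branch2 in the lab output; EXAMPLE_KEY is a placeholder).
HARDENED_CONFIG = """\
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key EXAMPLE_KEY address 200.1.20.2 255.255.255.255
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile DMVPN
 set transform-set TS
"""

# ESP transforms that add integrity (HMAC) or are AEAD; without one of these the
# ESP SA is unauthenticated and IOS reports "replay detection support: N".
INTEGRITY_TRANSFORMS = {"esp-md5-hmac", "esp-sha-hmac", "esp-sha256-hmac",
                        "esp-sha384-hmac", "esp-sha512-hmac", "esp-gcm", "esp-gmac"}
WEAK_CIPHERS = {"des", "3des"}


def parse_isakmp_policies(config):
    """Return {policy_number: {keyword: value}} from the indented policy blocks."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)", line)
        if m:
            current = int(m.group(1))
            policies[current] = {}
        elif current is not None and line.startswith(" "):
            key, _, value = line.strip().partition(" ")
            # IOS prints abbreviated "encr"; normalise to full keywords
            key = "encryption" if key.startswith("encr") else key
            key = "authentication" if key.startswith("auth") else key
            policies[current][key] = value
        else:
            current = None  # any non-indented line ends the policy block
    return policies


def audit_crypto_config(config):
    """Return a list of (check_id, detail) findings for weak IKE/IPsec settings."""
    findings = []
    for num, pol in parse_isakmp_policies(config).items():
        if "group" not in pol:
            findings.append(("isakmp-dh-default",
                             f"policy {num}: no 'group', IOS defaults to DH group 1 (768-bit MODP)"))
        cipher = pol.get("encryption", "des").split()[0]  # IOS default cipher is DES
        if cipher in WEAK_CIPHERS:
            findings.append(("isakmp-weak-cipher", f"policy {num}: encryption {cipher}"))
    for m in re.finditer(r"^crypto isakmp key (?:\d+ )?\S+ address (\S+)(?: (\S+))?", config, re.M):
        addr, mask = m.group(1), m.group(2) or "255.255.255.255"
        if addr == "0.0.0.0" and mask == "0.0.0.0":
            findings.append(("psk-wildcard", "one pre-shared key accepted from any peer address"))
    for m in re.finditer(r"^crypto ipsec transform-set (\S+) (.+)$", config, re.M):
        name, transforms = m.group(1), m.group(2).split()
        if not INTEGRITY_TRANSFORMS.intersection(transforms):
            findings.append(("esp-no-integrity",
                             f"transform-set {name} {transforms}: no HMAC/AEAD transform, "
                             "so ESP has no integrity check and anti-replay is disabled"))
    return findings


if __name__ == "__main__":
    for check, detail in audit_crypto_config(LAB_CONFIG):
        print(f"[{check}] {detail}")
```

run it against a saved show running-config and the three findings for the lab config come back; the hardened variant returns none…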

hub(config-if)#do sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
200.1.10.100    200.1.30.3      QM_IDLE           1002 ACTIVE
200.1.10.100    200.1.20.2      QM_IDLE           1001 ACTIVE
200.1.30.3      200.1.10.100    QM_IDLE           1003 ACTIVE

branch2#sh crypto ipsec sa

interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 200.1.20.2

protected vrf: (none)
local  ident (addr/mask/prot/port): (200.1.20.2/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (200.1.30.3/255.255.255.255/47/0)
current_peer 200.1.30.3 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 200.1.20.2, remote crypto endpt.: 200.1.30.3
path mtu 1500, ip mtu 1500, ip mtu idb (none)
current outbound spi: 0xC1043777(3238279031)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0x6C037C64(1812167780)
transform: esp-aes ,
in use settings ={Tunnel, }
conn id: 3, flow_id: 3, sibling_flags 80000040, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4239611/3409)
IV size: 16 bytes
replay detection support: N
Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xC1043777(3238279031)
transform: esp-aes ,
in use settings ={Tunnel, }
conn id: 4, flow_id: 4, sibling_flags 80000040, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4239611/3409)
IV size: 16 bytes
replay detection support: N
Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:

protected vrf: (none)
local  ident (addr/mask/prot/port): (200.1.20.2/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (200.1.10.100/255.255.255.255/47/0)
current_peer 200.1.10.100 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 82, #pkts encrypt: 82, #pkts digest: 82
#pkts decaps: 84, #pkts decrypt: 84, #pkts verify: 84
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 200.1.20.2, remote crypto endpt.: 200.1.10.100
path mtu 1500, ip mtu 1500, ip mtu idb (none)
current outbound spi: 0xA4EC2503(2766939395)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0x15DF9538(366974264)
transform: esp-aes ,
in use settings ={Tunnel, }
conn id: 1, flow_id: 1, sibling_flags 80000040, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4324852/3261)
IV size: 16 bytes
replay detection support: N
Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xA4EC2503(2766939395)
transform: esp-aes ,
in use settings ={Tunnel, }
conn id: 2, flow_id: 2, sibling_flags 80000040, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4324852/3261)
IV size: 16 bytes
replay detection support: N
Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:
branch2#
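the show crypto ipsec sa output above is long and repetitive, so here is an added example (not from the lab or from Cisco) that parses it per peer and flags what is worth a second look: an SA pair with zero encaps and decaps (the spoke-to-spoke SA before any traffic has used it), send or receive errors, no pfs, and replay detection support: N… SAMPLE_SHOW is a constructed, cut-down copy of the branch2 output’s field layout, not the full capture…

```python
import re

# Constructed sample, cut down from the field layout of "show crypto ipsec sa"
# on branch2 in this lab: one SA pair toward the other spoke carrying no traffic
# yet, and one toward the hub with packets flowing.
SAMPLE_SHOW = """\
interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 200.1.20.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (200.1.20.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (200.1.30.3/255.255.255.255/47/0)
   current_peer 200.1.30.3 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0
     PFS (Y/N): N, DH group: none
     inbound esp sas:
      spi: 0x6C037C64(1812167780)
        transform: esp-aes ,
        replay detection support: N
        Status: ACTIVE(ACTIVE)
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0xC1043777(3238279031)
        transform: esp-aes ,
        replay detection support: N
        Status: ACTIVE(ACTIVE)
     outbound ah sas:
     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (200.1.20.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (200.1.10.100/255.255.255.255/47/0)
   current_peer 200.1.10.100 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 82, #pkts encrypt: 82, #pkts digest: 82
    #pkts decaps: 84, #pkts decrypt: 84, #pkts verify: 84
    #send errors 0, #recv errors 0
     PFS (Y/N): N, DH group: none
     inbound esp sas:
      spi: 0x15DF9538(366974264)
        transform: esp-aes ,
        replay detection support: N
        Status: ACTIVE(ACTIVE)
     outbound esp sas:
      spi: 0xA4EC2503(2766939395)
        transform: esp-aes ,
        replay detection support: N
        Status: ACTIVE(ACTIVE)
"""


def parse_ipsec_sa(text):
    """Return one dict per 'current_peer' block with its counters and ESP SAs."""
    peers, cur, direction = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"current_peer (\S+)", line):
            cur = {"peer": m.group(1), "encaps": 0, "decaps": 0,
                   "send_errors": 0, "recv_errors": 0, "pfs": None, "sas": []}
            peers.append(cur)
            direction = None
        elif cur is None:
            pass  # header lines before the first peer block
        elif m := re.match(r"#pkts encaps: (\d+)", line):
            cur["encaps"] = int(m.group(1))
        elif m := re.match(r"#pkts decaps: (\d+)", line):
            cur["decaps"] = int(m.group(1))
        elif m := re.match(r"#send errors (\d+), #recv errors (\d+)", line):
            cur["send_errors"], cur["recv_errors"] = int(m.group(1)), int(m.group(2))
        elif m := re.match(r"PFS \(Y/N\): (\w)", line):
            cur["pfs"] = m.group(1) == "Y"
        elif m := re.match(r"(inbound|outbound) (esp|ah|pcp) sas:", line):
            # only ESP SAs are collected; an AH or PCP header ends the ESP section
            direction = m.group(1) if m.group(2) == "esp" else None
        elif direction and (m := re.match(r"spi: (0x[0-9A-Fa-f]+)", line)):
            cur["sas"].append({"dir": direction, "spi": m.group(1)})
        elif direction and cur["sas"] and (m := re.match(r"transform: (.+?)\s*,", line)):
            cur["sas"][-1]["transform"] = m.group(1)
        elif direction and cur["sas"] and (m := re.match(r"replay detection support: (\w)", line)):
            cur["sas"][-1]["replay"] = m.group(1) == "Y"
        elif direction and cur["sas"] and (m := re.match(r"Status: (\w+)", line)):
            cur["sas"][-1]["status"] = m.group(1)
    return peers


def assess(peers):
    """Return (peer, check_id) tuples for conditions worth a second look."""
    findings = []
    for p in peers:
        if not p["sas"]:
            findings.append((p["peer"], "no-esp-sa"))
        if p["encaps"] == 0 and p["decaps"] == 0:
            findings.append((p["peer"], "no-traffic"))  # SA negotiated but idle
        if p["send_errors"] or p["recv_errors"]:
            findings.append((p["peer"], "errors"))
        if p["pfs"] is False:
            findings.append((p["peer"], "no-pfs"))
        if any(sa.get("replay") is False for sa in p["sas"]):
            findings.append((p["peer"], "no-anti-replay"))  # ESP without integrity
        if any(sa.get("status") != "ACTIVE" for sa in p["sas"]):
            findings.append((p["peer"], "sa-not-active"))
    return findings


if __name__ == "__main__":
    for peer, check in assess(parse_ipsec_sa(SAMPLE_SHOW)):
        print(f"{peer}: {check}")
```

feed it the full output from the router and the idle spoke-to-spoke SA, the missing pfs and the missing anti-replay all stand out without scrolling through each SA…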

check out your friendly neighborhood wireshark… between the tunnel endpoints the capture now shows only esp (ip protocol 50), the gre inside it is no longer readable…

[screenshot: esp_wireshark_screenshot]