Task:
- encrypt traffic from loopback addresses which represent the LAN networks behind the routers,
- use EIGRP 100 to advertise networks,
- for authentication use certificates,
- for "match" identity use isakmp profile,
- allowed traffic on ASAs (asa-1 routed, asa-3 transparent)
- R4 can't establish spoke-to-spoke tunnel (only dmvpn phase 1)
R5: (hub)
crypto isakmp policy 100 //authentication defaults to rsa-sig, so it is not configured explicitly
encr 3des
hash md5
group 2
crypto pki certificate map CERT-MAP-DMVPN 10
subject-name co ou = cisco
crypto ipsec transform-set TSET esp-3des esp-md5-hmac
mode transport //default is tunnel mode
crypto isakmp profile DMVPN
ca trust-point IOS-CA
match certificate CERT-MAP-DMVPN
crypto ipsec profile DMVPN
set transform-set TSET
set isakmp-profile DMVPN
interface Tunnel100
ip address 100.100.100.5 255.255.255.0
no ip next-hop-self eigrp 100 //next-hop preservation is not the default; keeps the originating spoke as next hop
no ip split-horizon eigrp 100 //lets EIGRP advertise routes back out of the same interface they were received on
ip nhrp authentication cisco123
ip nhrp map multicast dynamic
ip nhrp network-id 100
ip nhrp redirect
tunnel source GigabitEthernet0/1
tunnel mode gre multipoint
tunnel protection ipsec profile DMVPN
router eigrp 100
network 5.5.5.5 0.0.0.0 //don't add the NBMA address here
network 100.100.100.0 0.0.0.255
R1: (spoke)
crypto isakmp policy 100
encr 3des
hash md5
group 2
crypto pki certificate map CERT-MAP-DMVPN 10
subject-name co ou = cisco
crypto ipsec transform-set TSET esp-3des esp-md5-hmac
mode transport
crypto isakmp profile DMVPN
ca trust-point IOS-CA
match certificate CERT-MAP-DMVPN
crypto ipsec profile DMVPN
set transform-set TSET
set isakmp-profile DMVPN
interface Tunnel100
ip address 100.100.100.1 255.255.255.0
ip nhrp authentication cisco123
ip nhrp map multicast 192.168.0.5
ip nhrp map 100.100.100.5 192.168.0.5
ip nhrp network-id 100
ip nhrp nhs 100.100.100.5
ip nhrp shortcut
tunnel source GigabitEthernet0/0.43
tunnel mode gre multipoint
tunnel protection ipsec profile DMVPN
router eigrp 100
network 1.1.1.1 0.0.0.0
network 100.100.100.0 0.0.0.255
R2: (spoke)
crypto isakmp policy 100
encr 3des
hash md5
group 2
crypto pki certificate map CERT-MAP-DMVPN 10
subject-name co ou = cisco
crypto ipsec transform-set TSET esp-3des esp-md5-hmac
mode transport
crypto isakmp profile DMVPN
ca trust-point IOS-CA
match certificate CERT-MAP-DMVPN
crypto ipsec profile DMVPN
set transform-set TSET
set isakmp-profile DMVPN
interface Tunnel100
ip address 100.100.100.2 255.255.255.0
ip nhrp authentication cisco123
ip nhrp map multicast 192.168.0.5
ip nhrp map 100.100.100.5 192.168.0.5
ip nhrp network-id 100
ip nhrp nhs 100.100.100.5
ip nhrp shortcut
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel protection ipsec profile DMVPN
router eigrp 100
network 2.2.2.2 0.0.0.0
network 100.100.100.0 0.0.0.255
R4: (spoke)
crypto isakmp policy 100
encr 3des
hash md5
group 2
crypto pki certificate map CERT-MAP-DMVPN 10
subject-name co ou = cisco
crypto ipsec transform-set TSET esp-3des esp-md5-hmac
mode transport
crypto isakmp profile DMVPN
ca trust-point IOS-CA
match certificate CERT-MAP-DMVPN
crypto ipsec profile DMVPN
set transform-set TSET
set isakmp-profile DMVPN
interface Tunnel100
ip address 100.100.100.4 255.255.255.0
ip nhrp authentication cisco123
ip nhrp map multicast 192.168.0.5
ip nhrp map 100.100.100.5 192.168.0.5
ip nhrp network-id 100
ip nhrp nhs 100.100.100.5
ip nhrp shortcut
ip nhrp server-only //R4 never originates NHRP resolution requests, so no spoke-to-spoke tunnel (phase 1 behaviour)
tunnel source GigabitEthernet0/1
tunnel mode gre multipoint
tunnel protection ipsec profile DMVPN
router eigrp 100
network 4.4.4.4 0.0.0.0
network 100.100.100.0 0.0.0.255
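Added example (not part of the lab notes): a small Python check that pulls the peer-sensitive settings out of the hub and a spoke config above and reports anything that would stop the tunnel from forming, plus advisory notes about legacy algorithms and the server-only spoke. The config strings are constructed from the R5 and R4 sections on this page; the function and key names are my own.

```python
import re

# Constructed sample inputs, trimmed from the R5 (hub) and R4 (spoke) configs above.
HUB_R5 = """\
crypto isakmp policy 100
 encr 3des
 hash md5
 group 2
crypto ipsec transform-set TSET esp-3des esp-md5-hmac
interface Tunnel100
 ip nhrp authentication cisco123
 ip nhrp network-id 100
"""
SPOKE_R4 = """\
crypto isakmp policy 100
 encr 3des
 hash md5
 group 2
crypto ipsec transform-set TSET esp-3des esp-md5-hmac
interface Tunnel100
 ip nhrp authentication cisco123
 ip nhrp network-id 100
 ip nhrp shortcut
 ip nhrp server-only
"""

# Settings that must be identical on both ends for ISAKMP, IPsec and NHRP to come up.
PEER_PARAMS = {
    "encr": r"^\s*encr\s+(\S+)",
    "hash": r"^\s*hash\s+(\S+)",
    "group": r"^\s*group\s+(\S+)",
    "transform": r"^crypto ipsec transform-set \S+\s+(.+?)\s*$",
    "nhrp_auth": r"^\s*ip nhrp authentication\s+(\S+)",
    "nhrp_id": r"^\s*ip nhrp network-id\s+(\S+)",
}
CRYPTO_KEYS = ("encr", "hash", "group", "transform")
# Lab-grade algorithms (DES/3DES, MD5, small DH groups) worth flagging before reuse elsewhere.
LEGACY_TOKENS = {"des", "3des", "md5", "1", "2", "5", "esp-des", "esp-3des", "esp-md5-hmac"}

def extract(cfg):
    """Return {param: value} for the peer-sensitive settings in an IOS config string."""
    out = {name: (m.group(1) if (m := re.search(pat, cfg, re.M)) else None)
           for name, pat in PEER_PARAMS.items()}
    out["server_only"] = re.search(r"^\s*ip nhrp server-only\b", cfg, re.M) is not None
    return out

def check_spoke(hub_cfg, spoke_cfg):
    """Compare a spoke with the hub: mismatches break the tunnel, notes are advisory."""
    hub, spoke = extract(hub_cfg), extract(spoke_cfg)
    mismatches = [f"{k}: hub={hub[k]} spoke={spoke[k]}" for k in PEER_PARAMS if hub[k] != spoke[k]]
    notes = [f"legacy algorithm: {k}={spoke[k]}" for k in CRYPTO_KEYS
             if spoke[k] and set(spoke[k].split()) & LEGACY_TOKENS]
    if spoke["server_only"]:
        notes.append("nhrp server-only: spoke never requests shortcuts (hub-and-spoke only)")
    return {"mismatches": mismatches, "notes": notes}
```

Feed it the running configs of R1 and R2 as well to confirm all three spokes agree with R5 before debugging ISAKMP.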
asa-3 (transparent):
access-list OUT-IN extended permit esp host 30.30.30.4 host 20.20.20.12
access-list OUT-IN extended permit esp host 30.30.30.4 host 10.10.10.11
access-list OUT-IN extended permit esp host 30.30.30.4 host 192.168.0.5
access-list OUT-IN extended permit udp any any eq isakmp
access-group OUT-IN in interface outside