Cisco DMVPN configuration | mGRE | GRE Tunnel | IPSEC
- Published on 20 Sep 2024
- * Please add this configuration on Spoke 1 and Spoke 2; it was skipped during the lab.
When you run show run int tunnel 5 on Spoke 1 and Spoke 2, you may see that the command #tunnel protection ipsec profile "........." is missing (the dots stand for whatever you use as your profile name; in my case it was fasty). Add it to the tunnel configuration so that the HUB stops logging messages about receiving a packet that is not an IPsec packet from both spokes.
Spoke2(config-if)#tunnel protection ipsec profile fasty
Spoke1(config-if)#tunnel protection ipsec profile fasty
Then, to confirm the configuration, run:
HUB#show crypto ipsec sa
***
If this configuration is not applied, you will continuously get log messages that look like this:
%CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /172.10.1.2, src_addr= 172.10.3.2,(Address of spoke2) prot= 47
%CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /172.10.1.2, src_addr= 172.10.2.2,(Address of spoke1) prot= 47
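Added example (not from the video or its author): a small Python check that finds Tunnel interfaces in saved "show running-config" output that lack the tunnel protection ipsec profile line, which is the omission behind the prot= 47 (GRE) messages above. The sample config is constructed; only Tunnel5, the profile name fasty and the spoke address follow the description, and the function names are hypothetical.

```python
import re

# Constructed sample of "show running-config" output (not taken from the lab).
# Tunnel5, "fasty" and 172.10.2.2 follow the description; the rest is assumed.
SAMPLE_CONFIG = """\
interface Tunnel5
 ip address 10.0.0.2 255.255.255.0
 ip nhrp network-id 1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
!
interface Tunnel6
 ip address 10.0.1.2 255.255.255.0
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile fasty
!
interface GigabitEthernet0/0
 ip address 172.10.2.2 255.255.255.0
!
"""

def audit_tunnel_protection(config):
    """Map each Tunnel interface to its IPsec profile name, or None if absent."""
    result, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface\s+(Tunnel\s*\d+)\s*$", line, re.IGNORECASE)
        if m:
            current = m.group(1).replace(" ", "")
            result[current] = None
        elif not line.startswith(" "):
            current = None  # "!" or another top-level command ends the block
        elif current:
            p = re.match(r"^\s+tunnel protection ipsec profile\s+(\S+)", line)
            if p:
                result[current] = p.group(1)
    return result

def unprotected_tunnels(config):
    """Tunnel interfaces that would send GRE without IPsec protection."""
    audit = audit_tunnel_protection(config)
    return sorted(name for name, profile in audit.items() if profile is None)

if __name__ == "__main__":
    for name in unprotected_tunnels(SAMPLE_CONFIG):
        print(f"{name}: missing 'tunnel protection ipsec profile'")
```

Run it against the saved configuration of each spoke and the hub; an empty result means every tunnel interface references an IPsec profile.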
Moments in video
-The use of public IPs from the ISP to form mGRE tunnels between Hub and Spoke and between Spoke and Spoke
-Securing tunnels with IPsec
-Carrying multi-site traffic over the mGRE tunnels
-Tracing remote site traffic paths
03:00 Introduction of dynamic multiple VPN
07:00 deconfiguration of underlay router interfaces
26:13 configuration of routing protocols on underlay network
28:53 Creating Tunnels on routers
29:00 Testing reachability to overlay tunnels formed
58:10 Applying IPsec profile to Tunnel
1:10:10 forming internal BGP over the overlay tunnels
1:18:12 advertising remote site network over BGP formed on the tunnels
1:22:00 Verifying connections to the remote site
1:25:21 Tracing path to destination over tunnel and also checking Spoke to Hub and spoke to spoke connection