Previously I introduced FlexVPN IKEv2 via labs, this time is about DMVPN IKEv2. Although DMVPN works fine with IKEv2, FlexVPN adds flexibility via virtual template/virtual access interface.
This lab tested a dual-hub, single-domain DMVPN with IKEv2 IPsec encryption. WAN-facing interfaces are placed in the FVRF (front-door VRF), which is consistent with Cisco's recommended design. RED_IVRF and GREEN_IVRF (inner VRFs) are configured on each WAN edge. Due to time limitations, only RED_IVRF is fully configured; GREEN_IVRF has no IPsec encryption and uses only a single hub in a single domain.
Out-of-band management is deployed with management port in MGMT vrf.
A couple of considerations are addressed in the lab because we run OSPF across DMVPN (why OSPF? EIGRP+DMVPN is nothing new): 1) the tunnels are configured with OSPF network type broadcast; 2) HUB1 is configured as DR and HUB2 as BDR.
In the Dual Hub Single Domain design (why dual hub single domain? dual domain is nothing new compared with single hub single domain, just configure it twice^^), HUB2 establishes a static tunnel to HUB1 and dynamic tunnels to the SPOKEs. The SPOKEs point to both HUB1 and HUB2. This means HUB2 is treated as a SPOKE by HUB1, but functions as a HUB to the other SPOKEs.
It is also possible to use a Dual Hub Dual Domain design, which provides better control over the two DMVPN domains. (Reference: http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/41940-dmvpn.html#dualhubs)
The lab uses PSK for simplicity. PKI configuration is available in my previous FlexVPN labs.
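To make the design points above concrete (FVRF for the WAN side, IKEv2 with PSK matched on the FVRF, OSPF broadcast on the mGRE tunnel with HUB1 as DR and HUB2 as BDR, and HUB2 acting as a spoke toward HUB1), here is a hub-side IOS configuration skeleton. It is an added example written for this post, not the lab's own configuration; the VRF names FVRF and RED_IVRF come from the text, while the interface names, WAN addresses (192.0.2.x), tunnel subnet (10.0.0.0/24), NHRP/tunnel keys and the PSK placeholder are assumed values I constructed.

```cisco
! Added example, not the original lab config. Assumed: GigabitEthernet1 is the
! WAN interface, HUB1 WAN 192.0.2.1, HUB2 WAN 192.0.2.2, tunnel net 10.0.0.0/24.
!
! --- Phase 1: VRFs and the WAN interface in the front-door VRF (both hubs) ---
vrf definition FVRF
 address-family ipv4
vrf definition RED_IVRF
 address-family ipv4
interface GigabitEthernet1
 vrf forwarding FVRF
 ip address 192.0.2.1 255.255.255.0
!
! --- Phase 2: IKEv2 with PSK; policy and profile are bound to the FVRF ---
crypto ikev2 proposal IKEV2-PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy IKEV2-POL
 match fvrf FVRF
 proposal IKEV2-PROP
crypto ikev2 keyring DMVPN-KEYRING
 peer ANY
  address 0.0.0.0 0.0.0.0
  pre-shared-key REPLACE-WITH-STRONG-PSK
crypto ikev2 profile DMVPN-IKEV2-PROFILE
 match fvrf FVRF
 match identity remote address 0.0.0.0
 authentication local pre-share
 authentication remote pre-share
 keyring local DMVPN-KEYRING
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile DMVPN-IPSEC
 set transform-set DMVPN-TS
 set ikev2-profile DMVPN-IKEV2-PROFILE
!
! --- Phase 3: mGRE tunnel living in RED_IVRF, sourced from the FVRF ---
! OSPF network type broadcast makes the NBMA cloud elect a DR/BDR;
! priority 255 on HUB1 (DR), 254 on HUB2 (BDR), 0 on every spoke.
interface Tunnel0
 vrf forwarding RED_IVRF
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication NHRPKEY
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip ospf network broadcast
 ip ospf priority 255
 tunnel source GigabitEthernet1
 tunnel mode gre multipoint
 tunnel key 1
 tunnel vrf FVRF
 tunnel protection ipsec profile DMVPN-IPSEC
!
! HUB2 only (tunnel address 10.0.0.2, ip ospf priority 254): a static NHRP
! mapping to HUB1 makes HUB2 a spoke toward HUB1 while it still accepts
! dynamic registrations from the spokes on the same Tunnel0.
!  ip nhrp map 10.0.0.1 192.0.2.1
!  ip nhrp map multicast 192.0.2.1
!  ip nhrp nhs 10.0.0.1
!
! --- Phase 4: OSPF inside the inner VRF ---
router ospf 1 vrf RED_IVRF
 network 10.0.0.0 0.0.0.255 area 0
!
! --- Per-phase checks ---
! show vrf                    phase 1: VRFs and their member interfaces
! ping vrf FVRF 192.0.2.2     phase 1: WAN reachability inside the FVRF
! show crypto ikev2 sa        phase 2: one IKEv2 SA per peer, fvrf shown
! show crypto ipsec sa        phase 2: encaps/decaps counters increase
! show dmvpn                  phase 3: NHRP peers UP, HUB1 static on HUB2
! show ip nhrp                phase 3: tunnel-to-NBMA mappings
! show ip ospf neighbor       phase 4: HUB1 DR, HUB2 BDR, spokes DROTHER
```

The one design choice worth calling out is `match fvrf FVRF` in both the IKEv2 policy and profile: with the WAN interface in the front-door VRF, IKEv2 negotiation happens in that VRF, so a profile that matches only the global VRF never fires and the tunnel stays in NHRP state "IKE" with no SA. The `show` commands listed at the end are the minimum check for each phase before moving to the next.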
The lab uses CSRv installed on VirtualBox and GNS3 to simulate the WAN edge routers. Please refer to my previous blog for the VirtualBox and GNS3 setup.
Topology is as below:
For ease of troubleshooting, I recommend configuring in the following phases and testing each phase before moving on. Overall tests are also required. The test examples below are for reference only and may not be sufficient.
1) Management, NTP, WAN interface connectivity, VRF etc.
HUB 1 Configuration
HUB 2 Configuration