Site-to-Site Virtual Private Networks on Routers and Firewalls
Site-to-Site VPN Overview
Site-to-Site VPN (Virtual Private Network) is a technology that connects networks across
different locations over the internet or a private network. It enables secure communication
between remote networks using tunneling and encryption protocols.
Key Benefits:
1. Cost-Effective: Eliminates the need for expensive private leased lines.
2. Security: IPsec provides encryption, integrity protection and peer authentication, so traffic crossing the untrusted transport is confidential and tamper-evident, and only authenticated peers can join the tunnel.
3. Scalability: Supports growing networks with flexible deployments.
4. Easy Deployment: Utilizes existing internet connections for communication.
Key Protocols:
• IPsec: The most widely used protocol suite for authenticating and encrypting VPN traffic (ESP carries the protected packets).
• GRE: Generic Routing Encapsulation, which tunnels IP (including multicast and routing-protocol traffic) but provides no confidentiality or integrity on its own; in practice GRE is wrapped in IPsec.
• IKEv2: Internet Key Exchange version 2, which authenticates the peers and negotiates the keys and security associations that IPsec uses. IKEv1 (ISAKMP) is still common on older Cisco IOS deployments.
Implementing DMVPN (Dynamic Multipoint VPN)
DMVPN (Dynamic Multipoint Virtual Private Network) is a Cisco solution that simplifies
VPN deployments for sites requiring dynamic, scalable connectivity. It is designed for hub-and-spoke deployments in which branches also need to communicate with each other directly, without a statically configured tunnel for every pair of sites.
Components of DMVPN:
1. Hub Router: The central router that every spoke registers with; it acts as the NHRP next-hop server and usually as the routing-protocol neighbour for all spokes.
2. Spoke Routers: Remote routers that build a tunnel to the hub and, in Phases 2 and 3, dynamic tunnels to other spokes.
3. mGRE (multipoint GRE): A single tunnel interface per router that can reach many peers, so a spoke does not need one interface per remote site.
4. NHRP (Next Hop Resolution Protocol): Maps tunnel (overlay) addresses to the peers' transport (NBMA, typically public) addresses. Spokes register their mapping with the hub and later query the hub to resolve another spoke's public address.
5. IPsec: Encrypts and authenticates the GRE tunnels; without it, GRE and NHRP travel in cleartext.
DMVPN Phases:
1. Phase 1 (Hub-and-Spoke):
o All traffic flows through the hub router.
o The hub uses an mGRE interface; each spoke uses a point-to-point GRE tunnel to the hub and registers its tunnel-to-public address mapping with the hub via NHRP. The hub may advertise a summary route to the spokes.
2. Phase 2 (Spoke-to-Spoke Communication):
o Spokes also use mGRE, so IPsec tunnels can be established dynamically between spoke routers.
o The hub acts as the NHRP next-hop server: a spoke resolves the other spoke's public address through the hub and then builds a direct tunnel to it.
o The overlay routing protocol must advertise every spoke prefix with the originating spoke as the next hop, so the hub cannot summarize routes or set next-hop-self.
3. Phase 3 (Optimized Spoke-to-Spoke Communication):
o The first packets of a flow go via the hub; the hub sends an NHRP redirect (ip nhrp redirect) and the spoke installs a shortcut route (ip nhrp shortcut), after which the rest of the flow goes directly spoke-to-spoke.
o The hub may summarize routes, which is what lets Phase 3 scale to large deployments; EIGRP, OSPF, and BGP are all supported as the overlay routing protocol.
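As an added illustration of the three phases (example code written for this page, not Cisco's implementation), the following Python model simulates NHRP registration, resolution and the Phase 3 redirect/shortcut just far enough to show where a spoke sends each packet. The spoke names, tunnel addresses, the summary prefix and the RFC 5737 addresses standing in for public (NBMA) addresses are all constructed for the demo.

```python
"""DMVPN phase behaviour modelled in Python (added example, not Cisco code).
Simulates NHRP registration, resolution and Phase 3 redirect/shortcut to show
where a spoke sends each packet.  All names and addresses are constructed;
RFC 5737 ranges stand in for the public (NBMA) side."""
import ipaddress

HUB_TUNNEL_IP = "10.0.0.1"      # hub's overlay address on the mGRE tunnel
HUB_NBMA_IP = "203.0.113.1"     # hub's transport (public) address
SUMMARY = ipaddress.ip_network("192.168.0.0/16")  # summary of all spoke LANs


class Hub:
    """NHRP next-hop server (NHS) plus the hub's routing role."""

    def __init__(self, phase):
        assert phase in (1, 2, 3)
        self.phase = phase
        self.nhrp_cache = {}   # spoke tunnel IP -> spoke NBMA (public) IP
        self.lan_routes = {}   # spoke LAN prefix -> spoke tunnel IP

    def register(self, spoke):
        """NHRP registration: the spoke tells the NHS its tunnel->NBMA mapping."""
        self.nhrp_cache[spoke.tunnel_ip] = spoke.nbma_ip
        self.lan_routes[spoke.lan_prefix] = spoke.tunnel_ip

    def advertised_routes(self):
        """Routes the hub's routing protocol hands to the spokes.
        Phase 2: every spoke prefix with the originating spoke as next hop,
        so the hub must not summarise or set next-hop-self.
        Phases 1 and 3: one summary pointing at the hub; in Phase 3 an NHRP
        redirect later installs a more specific shortcut on the spoke."""
        if self.phase == 2:
            return dict(self.lan_routes)
        return {SUMMARY: HUB_TUNNEL_IP}

    def resolve(self, tunnel_ip):
        """NHRP resolution reply: tunnel IP -> NBMA address (None if unknown)."""
        return self.nhrp_cache.get(tunnel_ip)

    def owner_of(self, dst_ip):
        """(spoke tunnel IP, prefix) behind dst_ip; used to issue redirects."""
        for prefix, nh in self.lan_routes.items():
            if ipaddress.ip_address(dst_ip) in prefix:
                return nh, prefix
        return None, None


class Spoke:
    def __init__(self, name, tunnel_ip, nbma_ip, lan_prefix):
        self.name, self.tunnel_ip, self.nbma_ip = name, tunnel_ip, nbma_ip
        self.lan_prefix = ipaddress.ip_network(lan_prefix)
        self.rib = {}                                   # prefix -> next hop
        self.shortcuts = {}                             # Phase 3 NHRP shortcuts
        self.nhrp_cache = {HUB_TUNNEL_IP: HUB_NBMA_IP}  # static 'ip nhrp map'

    def learn_routes(self, hub):
        self.rib = hub.advertised_routes()

    def next_hop(self, dst_ip):
        """Longest-prefix match across the RIB and installed shortcuts."""
        addr = ipaddress.ip_address(dst_ip)
        matches = [(p, nh) for p, nh in {**self.rib, **self.shortcuts}.items()
                   if addr in p]
        return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

    def send(self, hub, dst_ip):
        """Return the NBMA address this GRE/IPsec packet is sent to."""
        nh = self.next_hop(dst_ip)
        if nh is None:
            raise ValueError(f"{self.name}: no route to {dst_ip}")
        if nh == HUB_TUNNEL_IP and hub.phase == 3:
            # The packet transits the hub.  Because it enters and leaves on
            # the same mGRE interface the hub sends an NHRP redirect; the
            # spoke resolves the egress spoke and installs a shortcut.  The
            # resolution request/reply is collapsed into one call here.
            egress, prefix = hub.owner_of(dst_ip)
            if egress and egress != self.tunnel_ip:
                self.nhrp_cache[egress] = hub.resolve(egress)
                self.shortcuts[prefix] = egress
            return HUB_NBMA_IP
        if nh not in self.nhrp_cache:
            # Phase 2: the next hop is another spoke's tunnel IP; ask the NHS
            # for its NBMA address (modelled as synchronous).
            self.nhrp_cache[nh] = hub.resolve(nh)
        return self.nhrp_cache[nh]


def trace(phase, packets=2):
    """NBMA destinations of spoke A's first packets to a host behind spoke B."""
    hub = Hub(phase)
    a = Spoke("A", "10.0.0.2", "198.51.100.2", "192.168.1.0/24")
    b = Spoke("B", "10.0.0.3", "198.51.100.3", "192.168.2.0/24")
    for s in (a, b):
        hub.register(s)
    a.learn_routes(hub)
    return [a.send(hub, "192.168.2.10") for _ in range(packets)]


if __name__ == "__main__":
    for phase in (1, 2, 3):
        print(f"Phase {phase}: {trace(phase)}")
```

Running it shows the distinguishing behaviour of each phase: in Phase 1 every packet goes to the hub's public address; in Phase 2 the spoke resolves the peer through the hub and the very first packet already goes spoke-to-spoke, which is only possible because the hub advertised the /24 with the other spoke as next hop; in Phase 3 the first packet transits the hub (the route is a summary pointing at the hub), the redirect installs a shortcut, and the second packet goes direct.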
Configuration Steps for DMVPN
Step 1: Configure the Hub Router
1. Define the IKE (ISAKMP) policy and the peer authentication key:
   crypto isakmp policy 10
    encryption aes 256
    hash sha256
    authentication pre-share
    group 14
   crypto isakmp key <PSK> address 0.0.0.0 0.0.0.0
   The wildcard peer address is used because spoke addresses are usually dynamic, but it means any host holding the PSK can negotiate with the hub; prefer certificates or an IKEv2 profile with per-spoke identities where the platform supports them.
2. Define IPsec Protection. Tunnel protection binds an IPsec profile, not a crypto map (set peer dynamic is not valid crypto-map syntax, and a crypto map cannot be applied to an mGRE tunnel this way), so the profile referenced by the tunnel interface must be defined here:
   crypto ipsec transform-set DMVPN-SET esp-aes esp-sha-hmac
    mode transport
   crypto ipsec profile DMVPN-PROFILE
    set transform-set DMVPN-SET
   esp-sha-hmac is HMAC-SHA-1; use esp-sha256-hmac on images that support it. Transport mode avoids a second IP header, since GRE already provides the tunnel.
3. Configure the multipoint GRE tunnel, enable NHRP and apply the profile:
   interface tunnel 0
    ip address 10.0.0.1 255.255.255.0
    tunnel source <Hub-Interface>
    tunnel mode gre multipoint
    ip nhrp network-id 1
    ip nhrp map multicast dynamic
    tunnel protection ipsec profile DMVPN-PROFILE
   ip nhrp map multicast dynamic lets the hub replicate routing-protocol multicast to every registered spoke.
Step 2: Configure the Spoke Routers
1. Define the IKE (ISAKMP) policy and key, matching the hub. Because spokes build tunnels directly to other spokes in Phases 2 and 3, the key must be usable with any peer, hence the wildcard address here as well:
   crypto isakmp policy 10
    encryption aes 256
    hash sha256
    authentication pre-share
    group 14
   crypto isakmp key <PSK> address 0.0.0.0 0.0.0.0
2. Define IPsec Protection, identical to the hub (an IPsec profile, not a crypto map):
   crypto ipsec transform-set DMVPN-SET esp-aes esp-sha-hmac
    mode transport
   crypto ipsec profile DMVPN-PROFILE
    set transform-set DMVPN-SET
3. Configure the tunnel interface with a static NHRP mapping for the hub (the next-hop server), a multicast mapping so routing-protocol adjacencies form over the tunnel, and the same profile:
   interface tunnel 0
    ip address 10.0.0.2 255.255.255.0
    tunnel source <Spoke-Interface>
    tunnel mode gre multipoint
    ip nhrp network-id 1
    ip nhrp nhs 10.0.0.1
    ip nhrp map 10.0.0.1 <Hub-Public-IP>
    ip nhrp map multicast <Hub-Public-IP>
    tunnel protection ipsec profile DMVPN-PROFILE
   Each additional spoke uses the next tunnel address (10.0.0.3, 10.0.0.4, and so on) with the same NHRP settings. For Phase 3, add ip nhrp redirect on the hub tunnel and ip nhrp shortcut on the spoke tunnels.
Step 3: Verify DMVPN
Use the following commands to verify:
• show dmvpn: Verify NHRP mappings and per-peer tunnel state (a peer should show UP, not NHRP or IKE, which indicate that registration or key exchange is stuck).
• show ip nhrp: Verify the NHRP cache, including static hub mappings on spokes and dynamic spoke registrations on the hub.
• show crypto isakmp sa: Verify the IKE security associations reached the QM_IDLE (active) state.
• show crypto ipsec sa: Verify IPsec security associations exist and that the encrypted and decrypted packet counters increase.
• ping: Test connectivity from the hub to the spokes and between spokes; in Phases 2 and 3, a spoke-to-spoke ping should create a new entry in show dmvpn on both spokes.
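The configuration above is easy to get subtly wrong: a tunnel interface that never receives tunnel protection still comes up and passes NHRP and user traffic in cleartext, and a profile name typo is only noticed when the tunnel stays in NHRP state. As an added example (written for this page, not taken from Cisco or from the original text), the following Python script performs a static audit of a running-config style DMVPN configuration for those and a few other common weaknesses. The sample configuration embedded in it is constructed and deliberately contains several mistakes; the interface names, key and policy numbers are assumptions.

```python
"""Static audit of a Cisco IOS DMVPN configuration (added example, not from
the page or from Cisco).  Flags a GRE tunnel without tunnel protection, a
protection profile that is never defined, legacy IKE/IPsec algorithms and a
wildcard pre-shared key.  SAMPLE_CONFIG is constructed for the demo."""

WEAK_ISAKMP = {"encryption": {"des", "3des"}, "hash": {"md5"},
               "group": {"1", "2", "5"}}
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-null", "esp-md5-hmac"}
LEGACY_TRANSFORMS = {"esp-sha-hmac"}   # HMAC-SHA-1; prefer esp-sha256-hmac

SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto ipsec transform-set DMVPN-SET esp-aes esp-sha-hmac
 mode transport
crypto ipsec profile DMVPN-PROFILE
 set transform-set DMVPN-SET
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 ip nhrp network-id 1
 ip nhrp map multicast dynamic
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-PROFILE
interface Tunnel1
 ip address 10.0.1.1 255.255.255.0
 ip nhrp network-id 2
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
"""


def parse_blocks(config):
    """Split IOS config into (header, [indented sub-lines]) blocks.
    Top-level one-liners such as 'crypto isakmp key' become empty blocks."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit_dmvpn(config):
    """Return a list of (severity, message) findings for the config text."""
    findings = []
    blocks = parse_blocks(config)
    profiles = {h.split()[-1] for h, _ in blocks
                if h.startswith("crypto ipsec profile ")}
    for header, body in blocks:
        words = header.split()
        if header.startswith("crypto isakmp policy "):
            for line in body:
                key, _, value = line.partition(" ")
                if value in WEAK_ISAKMP.get(key, ()):
                    findings.append(("HIGH", f"{header}: weak {key} '{value}'"))
        elif header.startswith("crypto isakmp key "):
            # 'crypto isakmp key <key> address <peer> [<mask>]'; the key
            # itself is deliberately not echoed into the finding.
            if "0.0.0.0" in words[5:]:
                findings.append(("MEDIUM", "crypto isakmp key: wildcard peer "
                                 "address; any host holding the PSK can negotiate"))
        elif header.startswith("crypto ipsec transform-set "):
            name, transforms = words[3], set(words[4:])
            for t in sorted(transforms & WEAK_TRANSFORMS):
                findings.append(("HIGH", f"transform-set {name}: broken or null transform {t}"))
            for t in sorted(transforms & LEGACY_TRANSFORMS):
                findings.append(("MEDIUM", f"transform-set {name}: {t} is HMAC-SHA-1; "
                                 "prefer esp-sha256-hmac"))
        elif words[0] == "interface" and words[1].lower().startswith("tunnel"):
            name = "".join(words[1:])
            prot = [l for l in body if l.startswith("tunnel protection ipsec profile ")]
            if not prot:
                findings.append(("HIGH", f"{name}: no tunnel protection; NHRP and "
                                 "payload cross the transport in cleartext"))
            elif prot[0].split()[-1] not in profiles:
                findings.append(("HIGH", f"{name}: tunnel protection references "
                                 f"undefined profile {prot[0].split()[-1]}"))
            if any(l.startswith("ip nhrp ") for l in body) and \
                    not any(l.startswith("ip nhrp authentication") for l in body):
                findings.append(("LOW", f"{name}: no 'ip nhrp authentication' (a "
                                 "cleartext string, but it filters stray registrations)"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_dmvpn(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

On the sample the script reports Tunnel1 as an unprotected GRE tunnel, the 3DES cipher and Diffie-Hellman group 2 in the IKE policy, the wildcard pre-shared key and the SHA-1 HMAC transform, while Tunnel0, whose profile exists, gets only the low-severity NHRP authentication note. Run it against show running-config output captured from a real hub or spoke; it only reads text and never needs device access.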
Summary
DMVPN simplifies site-to-site VPN deployments by allowing dynamic tunnel creation
between remote sites while leveraging IPsec for secure communication. By using phases,
organizations can choose the topology that fits their needs, starting with basic hub-and-spoke
(Phase 1) and progressing to dynamic spoke-to-spoke tunnels (Phase 2) and, for large
deployments that need route summarization at the hub, Phase 3. Whatever the phase, the
security of the overlay rests on tunnel protection being applied to every tunnel interface
and on the IKE policy and pre-shared key (or certificates) used to authenticate peers.