DMVPN Phase2 with OSPF - 1
Phase 2
・Hub and spokes build multipoint GRE tunnels to each other.
・Spokes have the other spoke's address as next hop.
・Spokes can forward traffic to other spokes directly.
R1 : HUB
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ip nhrp map multicast dynamic
 ip nhrp network-id 123
 ip ospf network broadcast
 ip ospf priority 255
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
interface FastEthernet0/0
 ip address 155.0.0.1 255.255.255.0
 speed auto
 duplex auto
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 speed auto
 duplex auto
R2 : SPOKE
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 no ip redirects
 ip nhrp map multicast 155.0.0.1
 ip nhrp map 10.0.0.1 155.0.0.1
 ip nhrp network-id 123
 ip nhrp nhs 10.0.0.1
 ip ospf network broadcast
 ip ospf priority 0
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
interface FastEthernet0/0
 ip address 155.0.0.2 255.255.255.0
interface FastEthernet0/1
 ip address 192.168.2.2 255.255.255.0
router ospf 123
 router-id 2.2.2.2
 network 10.0.0.2 0.0.0.0 area 0
 network 192.168.2.2 0.0.0.0 area 0
R3 : SPOKE
interface Tunnel0
 ip address 10.0.0.3 255.255.255.0
 no ip redirects
 ip nhrp map multicast 155.0.0.1
 ip nhrp map 10.0.0.1 155.0.0.1
 ip nhrp network-id 123
 ip nhrp nhs 10.0.0.1
 ip ospf network broadcast
 ip ospf priority 0
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
interface FastEthernet0/0
 ip address 155.0.0.3 255.255.255.0
interface FastEthernet0/1
 ip address 192.168.3.3 255.255.255.0
router ospf 123
 router-id 3.3.3.3
 network 10.0.0.3 0.0.0.0 area 0
 network 192.168.3.3 0.0.0.0 area 0
For OSPF to calculate routes correctly over the tunnel, the hub must be elected DR; the hub's priority 255 and the spokes' priority 0 guarantee that outcome.
R1#sh ip ospf nei

Neighbor ID     Pri   State           Dead Time   Address         Interface
2.2.2.2           0   FULL/DROTHER    00:00:33    10.0.0.2        Tunnel0
3.3.3.3           0   FULL/DROTHER    00:00:31    10.0.0.3        Tunnel0

R2#sh ip ospf nei

Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.1.1         255   FULL/DR         00:00:36    10.0.0.1        Tunnel0

R3#sh ip ospf nei

Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.1.1         255   FULL/DR         00:00:39    10.0.0.1        Tunnel0
R1#sh ip route ospf
(omit)
Gateway of last resort is not set

O     192.168.2.0/24 [110/1001] via 10.0.0.2, 00:02:42, Tunnel0
O     192.168.3.0/24 [110/1001] via 10.0.0.3, 00:02:52, Tunnel0

R2#sh ip route ospf
(omit)
Gateway of last resort is not set

O     192.168.1.0/24 [110/1001] via 10.0.0.1, 00:03:13, Tunnel0
O     192.168.3.0/24 [110/1001] via 10.0.0.3, 00:03:13, Tunnel0

R3#sh ip route ospf
(omit)
Gateway of last resort is not set

O     192.168.1.0/24 [110/1001] via 10.0.0.1, 00:03:50, Tunnel0
O     192.168.2.0/24 [110/1001] via 10.0.0.2, 00:03:40, Tunnel0
Spokes have the other spoke's address as next hop.
R2#sh ip nhrp
10.0.0.1/32 via 10.0.0.1
   Tunnel0 created 00:11:53, never expire
   Type: static, Flags: used
   NBMA address: 155.0.0.1

R2#ping 192.168.3.3 source f0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.3, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 124/140/160 ms
Initially the packets are sent to the hub. At the same time the spoke sends an NHRP Resolution Request to the hub; when the NHRP Resolution Reply comes back from the other spoke, subsequent packets are sent directly to that spoke.
R2#sh ip nhrp
10.0.0.1/32 via 10.0.0.1
   Tunnel0 created 00:41:24, never expire
   Type: static, Flags: used
   NBMA address: 155.0.0.1
10.0.0.3/32 via 10.0.0.3
   Tunnel0 created 00:26:09, expire 01:33:49
   Type: dynamic, Flags: router
   NBMA address: 155.0.0.3

R2#traceroute 192.168.3.3 source f0/1
Type escape sequence to abort.
Tracing the route to 192.168.3.3
VRF info: (vrf in name/id, vrf out name/id)
  1 10.0.0.3 172 msec 168 msec 188 msec
Spokes can forward traffic to the other spoke directly.
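As an added check (example code written for this page, not part of the original lab), the following Python parses a spoke's `show ip ospf neighbor` and `show ip nhrp` output to confirm the two Phase 2 conditions shown above: the hub is the DR, and the spoke holds a dynamic NHRP entry for the other spoke. The sample outputs are constructed from R2's output above; parse_nhrp, direct_spoke_paths and hub_is_dr are names invented for this example.

```python
import re
from dataclasses import dataclass

# Constructed samples copied from R2's output in the lab above: the OSPF neighbor
# table and the NHRP cache after the path to R3 was resolved.
SHOW_OSPF_NEI_R2 = """\
Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.1.1         255   FULL/DR         00:00:36    10.0.0.1        Tunnel0
"""
SHOW_IP_NHRP_R2 = """\
10.0.0.1/32 via 10.0.0.1
   Tunnel0 created 00:41:24, never expire
   Type: static, Flags: used
   NBMA address: 155.0.0.1
10.0.0.3/32 via 10.0.0.3
   Tunnel0 created 00:26:09, expire 01:33:49
   Type: dynamic, Flags: router
   NBMA address: 155.0.0.3
"""

@dataclass
class NhrpEntry:
    prefix: str
    next_hop: str
    kind: str   # "static": configured NHS mapping; "dynamic": learned by resolution
    nbma: str   # transport (underlay) address the GRE packets are actually sent to

ENTRY_RE = re.compile(
    r"^(?P<prefix>\S+) via (?P<nh>\S+)\n\s+Tunnel\d+ created [^\n]*\n"
    r"\s+Type: (?P<kind>\w+), Flags: [^\n]*\n\s+NBMA address: (?P<nbma>\S+)",
    re.MULTILINE)
NEI_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\S+)\s+\S+\s+(\S+)", re.MULTILINE)

def parse_nhrp(output):
    return [NhrpEntry(m["prefix"], m["nh"], m["kind"], m["nbma"])
            for m in ENTRY_RE.finditer(output)]

def direct_spoke_paths(entries, hub_nbma):
    """Phase 2 check: a dynamic entry whose NBMA address is not the hub's is a resolved
    spoke-to-spoke path, so traffic to that next hop no longer transits the hub."""
    return {e.next_hop: e.nbma for e in entries
            if e.kind == "dynamic" and e.nbma != hub_nbma}

def hub_is_dr(ospf_nei_output, hub_tunnel_ip):
    """Run on a spoke: the hub must be FULL/DR. Spokes carry priority 0, so only the
    hub can win the election; if it is not DR, spoke LSAs are not flooded between spokes."""
    return any(state == "FULL/DR" and addr == hub_tunnel_ip
               for _rid, _pri, state, addr in NEI_RE.findall(ospf_nei_output))
```

Run the same two checks on every spoke; a spoke whose cache never gains a dynamic entry for its peer is still hairpinning through the hub.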
Enable IPsec protection.
R1/R2/R3
crypto isakmp policy 123
 encr 3des
 hash sha256
 authentication pre-share
 group 2
crypto isakmp key CCIE address 0.0.0.0
crypto ipsec transform-set TRANS esp-3des esp-sha256-hmac
 mode transport
crypto ipsec profile PROFILE
 set transform-set TRANS
interface Tunnel0
 tunnel protection ipsec profile PROFILE
R2#sh ip nhrp
10.0.0.1/32 via 10.0.0.1
   Tunnel0 created 00:40:13, never expire
   Type: static, Flags: used
   NBMA address: 155.0.0.1

R2#ping 192.168.3.3 source f0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.3, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.2
!.!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 212/369/728 ms
One echo is lost while IKE negotiates the spoke-to-spoke SA; after that an IPsec tunnel exists between R2 and R3.
R2#sh ip nhrp
10.0.0.1/32 via 10.0.0.1
   Tunnel0 created 01:27:57, never expire
   Type: static, Flags: used
   NBMA address: 155.0.0.1
10.0.0.3/32 via 10.0.0.3
   Tunnel0 created 00:00:42, expire 01:59:19
   Type: dynamic, Flags: router used
   NBMA address: 155.0.0.3

R2#traceroute 192.168.3.3 source f0/1
Type escape sequence to abort.
Tracing the route to 192.168.3.3
VRF info: (vrf in name/id, vrf out name/id)
  1 10.0.0.3 308 msec 264 msec

R2#sh ip ospf nei

Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.1.1         255   FULL/DR         00:00:38    10.0.0.1        Tunnel0
No OSPF neighbor relationship exists between R2 and R3; each spoke peers only with the hub.
R2#sh crypto engine connections active
Crypto Engine Connections

   ID  Type    Algorithm           Encrypt  Decrypt LastSeqN IP-Address
    1  IPsec   3DES+SHA256               0        0        0 155.0.0.2
    2  IPsec   3DES+SHA256               1        0        0 155.0.0.2
    3  IPsec   3DES+SHA256               0       42       43 155.0.0.2
    4  IPsec   3DES+SHA256              51        0        0 155.0.0.2
    5  IPsec   3DES+SHA256               0        4        4 155.0.0.2
    6  IPsec   3DES+SHA256               3        0        0 155.0.0.2
 1001  IKE     SHA256+3DES               0        0        0 155.0.0.2
 1002  IKE     SHA256+3DES               0        0        0 155.0.0.2

R2#sh crypto session
Crypto session current status

Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 155.0.0.3 port 500
  IKEv1 SA: local 155.0.0.2/500 remote 155.0.0.3/500 Active
  IPSEC FLOW: permit 47 host 155.0.0.2 host 155.0.0.3
        Active SAs: 2, origin: crypto map

Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 155.0.0.1 port 500
  IKEv1 SA: local 155.0.0.2/500 remote 155.0.0.1/500 Active
  IPSEC FLOW: permit 47 host 155.0.0.2 host 155.0.0.1
        Active SAs: 4, origin: crypto map
R2#sh crypto ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 155.0.0.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (155.0.0.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (155.0.0.3/255.255.255.255/47/0)
   current_peer 155.0.0.3 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 1

     local crypto endpt.: 155.0.0.2, remote crypto endpt.: 155.0.0.3
     path mtu 1500, ip mtu 1500, ip mtu idb (none)
     ~~~~~~~~~
     current outbound spi: 0xD2719EA8(3530661544)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x66F1D3A1(1727124385)
        transform: esp-3des esp-sha256-hmac ,
        in use settings ={Transport, }
        conn id: 5, flow_id: 5, sibling_flags 80000000, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4267145/3411)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xD2719EA8(3530661544)
        transform: esp-3des esp-sha256-hmac ,
        in use settings ={Transport, }
        conn id: 6, flow_id: 6, sibling_flags 80000000, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4267145/3411)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (155.0.0.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (155.0.0.1/255.255.255.255/47/0)
   current_peer 155.0.0.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 69, #pkts encrypt: 69, #pkts digest: 69
    #pkts decaps: 57, #pkts decrypt: 57, #pkts verify: 57
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 3

     local crypto endpt.: 155.0.0.2, remote crypto endpt.: 155.0.0.1
     path mtu 1500, ip mtu 1500, ip mtu idb (none)
     current outbound spi: 0x8334488F(2201241743)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x33841C77(864296055)
        transform: esp-3des esp-sha256-hmac ,
        in use settings ={Transport, }
        conn id: 1, flow_id: 1, sibling_flags 80004000, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4204442/3165)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
      spi: 0x70501362(1884296034)
        transform: esp-3des esp-sha256-hmac ,
        in use settings ={Transport, }
        conn id: 3, flow_id: 3, sibling_flags 80000000, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4224360/3166)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x4A4146B7(1245791927)
        transform: esp-3des esp-sha256-hmac ,
        in use settings ={Transport, }
        conn id: 2, flow_id: 2, sibling_flags 80004000, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4204442/3165)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
      spi: 0x8334488F(2201241743)
        transform: esp-3des esp-sha256-hmac ,
        in use settings ={Transport, }
        conn id: 4, flow_id: 4, sibling_flags 80000000, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4224359/3166)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:
The spoke creates IPsec tunnels not only with the hub but also with the other spoke.
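As an added example (not part of the original lab), this Python checks a spoke's `show crypto session` output: every NBMA peer in the NHRP cache, the hub and the resolved spoke, must have an UP-ACTIVE session protecting GRE (IP protocol 47), and it flags the settings in this lab's crypto configuration that a reviewer would not accept in production. The sample text is constructed from R2's output and the config above; parse_sessions, unprotected_peers and weak_crypto_settings are names invented for this example.

```python
import re
# Constructed sample: R2's "show crypto session" output from the lab above
# (header, interface and "Active SAs" lines dropped), after the session to R3 came up.
SHOW_CRYPTO_SESSION_R2 = """\
Session status: UP-ACTIVE
Peer: 155.0.0.3 port 500
  IKEv1 SA: local 155.0.0.2/500 remote 155.0.0.3/500 Active
  IPSEC FLOW: permit 47 host 155.0.0.2 host 155.0.0.3

Session status: UP-ACTIVE
Peer: 155.0.0.1 port 500
  IKEv1 SA: local 155.0.0.2/500 remote 155.0.0.1/500 Active
  IPSEC FLOW: permit 47 host 155.0.0.2 host 155.0.0.1
"""
# Constructed copy of the relevant lines of the lab's crypto configuration.
CRYPTO_CONFIG = """\
crypto isakmp policy 123
 encr 3des
 group 2
crypto isakmp key CCIE address 0.0.0.0
"""

SESSION_RE = re.compile(
    r"Session status: (?P<status>\S+)\nPeer: (?P<peer>\S+) port \d+\n"
    r"\s+IKEv\d SA:[^\n]*\n\s+IPSEC FLOW: permit (?P<proto>\d+) host")

def parse_sessions(output):
    """Map each IKE peer (NBMA address) to (session status, protected IP protocol)."""
    return {m["peer"]: (m["status"], int(m["proto"])) for m in SESSION_RE.finditer(output)}

def unprotected_peers(sessions, nbma_peers):
    """Every NHRP peer (hub from the static map, spokes learned by resolution) needs
    an UP-ACTIVE session covering GRE (IP protocol 47); a peer without one has no
    usable tunnel yet, so the spoke-to-spoke shortcut is not in place."""
    return sorted(p for p in nbma_peers if sessions.get(p) != ("UP-ACTIVE", 47))

# Settings in this lab a reviewer would flag: 3DES and DH group 2 are on Cisco's
# Next Generation Encryption "avoid" list, and a 0.0.0.0 wildcard pre-shared key
# lets any device that knows the key authenticate as a spoke.
WEAK_PATTERNS = [
    (r"\b3des\b", "3DES"),
    (r"^\s*group 2\s*$", "DH group 2 (1024-bit MODP)"),
    (r"^crypto isakmp key \S+ address 0\.0\.0\.0", "wildcard pre-shared key"),
]

def weak_crypto_settings(config):
    return [name for pat, name in WEAK_PATTERNS
            if re.search(pat, config, re.IGNORECASE | re.MULTILINE)]
```

Feed unprotected_peers() the NBMA addresses from the spoke's NHRP cache; the set must come out empty once the spoke-to-spoke session shown above is established.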