Академический Документы
Профессиональный Документы
Культура Документы
Contents
1
Introduction .......................................................................................................................................... 4
1.1
Outline........................................................................................................................................... 4
1.2
Assumptions .................................................................................................................................. 4
1.3
Corrections .................................................................................................................................... 4
Version .................................................................................................................................................. 4
Scenario................................................................................................................................................. 5
4.1
4.2
4.3
4.4
4.5
Add a route to the remote Digi TransPort LAN subnet via Tunnel 0 .......................................... 10
4.6
5.2
5.3
5.4
5.5
Add a route to the remote Digi TransPort LAN subnet via Tunnel 0 .......................................... 16
5.6
6.1.1
6.1.2
6.2
6.3
6.4
6.5
6.5.1
6.6
6.7
confirm ipsec & gre is up and ping test the connection ..................................................................... 29
7.1
7.1.1
7.1.2
7.1.3
Ping the LAN interface of the Primary Cisco (sv9-2) or the Spoke (sv9-3) .......................... 29
7.2
7.2.1
7.2.2
7.2.3
8.1.1
9
9.2
9.3
Figures
Figure 1-1: Overview Diagram ...................................................................................................................... 5
1 INTRODUCTION
1.1 Outline
This document describes how to configure a Dynamic Multipoint VPN (DMVPN) using a GRE tunnel
within an IPSec tunnel and Next Hop Resolution Protocol (NHRP). This allows multipoint secure
communications between two Cisco routers and a Digi TransPort with dynamic discovery of tunnel
endpoints.
1.2 Assumptions
This guide has been written for use by technically competent personnel with a good understanding of
the communications technologies used in the product and of the requirements for their specific
application. It also assumes a basic ability to access and navigate a Digi TransPort router and configure it
with basic routing functions.
This application note applies only to:
Model: Digi TransPort WR44
Other Compatible Models: Digi TransPort VC7400 VPN Concentrator, WR, SR or DR.
Firmware versions: 5.162 or newer. Cisco 12.4 or newer
Configuration: This Application Note assumes the devices are set to their factory default configurations.
Most configuration commands are only shown if they differ from the factory default.
Please note: This application note has been specifically rewritten for firmware release 5.212 and later; earlier
versions of firmware will not work. Please contact tech.support@digi.com if your require assistance in upgrading
the firmware of the TransPort router.
1.3 Corrections
Requests for corrections or amendments to this application note are welcome and should be addressed
to: tech.support@digi.com
Requests for new application notes can be sent to the same address.
2 VERSION
Version Number
1.0
1.1
Status
Published
Updates
Page | 4
3 SCENARIO
For the purposes of this application note, the following scenario will be used:
GRE Tunnel
Tun0
192.168.1.1/24
Primary
Fa0/0
10.1.51.92/24
Fa0/1
1.1.1.1/24
Tunnel 0
192.168.1.3/24
Cisco 2621
sv9-2
Tun0
192.168.1.2/24
Fa0/1
2.2.2.2/24
Internet
Eth0
10.1.100.211/24
Spoke
Eth1
3.3.3.3/24
Transport WR44
sv9-4
Fa0/0
10.1.51.93/24
Cisco 2621
sv9-3
Digi WR44
WAN = Eth0 = 10.1.100.211/24
LAN = Eth1 = 3.3.3.3/24
GRE = Tunnel 0 = 192.168.1.3/24
Cisco 2621 sv9-2
WAN = Fa0/0 = 10.1.51.92/24
LAN = Fa0/1 = 1.1.1.1/24
GRE = Tun0 = 192.168.1.1/24
Cisco 2621 sv9-3
WAN = Fa0/0 = 10.1.51.92/24
LAN = Fa0/1 = 1.1.1.1/24
GRE = Tun0 = 192.168.1.1/24
IPSec parameters:
Page | 5
Page | 6
Page | 7
Page | 8
Page | 9
tunnel
tunnel
tunnel
tunnel
source FastEthernet0/0
mode gre multipoint
key 0
protection ipsec profile cisco shared
!
!
router eigrp 90
network 1.1.1.0 0.0.0.255
network 192.168.1.0
no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.1.2.100 254
ip route 3.3.3.0 255.255.255.0 Tunnel0 192.168.1.3
!
If the tunnel is showing anything other than multi-GRE/IP, use the following command to set the tunnel
mode correctly :
interface Tunnel0
tunnel mode gre multipoint
4.5 Add a route to the remote Digi TransPort LAN subnet via Tunnel 0
Page | 10
Page | 11
Page | 12
Page | 13
Page | 14
Page | 15
If the tunnel is showing anything other than multi-GRE/IP, use the following command to set the tunnel
mode correctly:
interface Tunnel0
tunnel mode gre multipoint
5.5 Add a route to the remote Digi TransPort LAN subnet via Tunnel 0
Page | 16
Page | 17
Parameter
Setting
Description
Description
WAN
IP address
10.100.1.211
IP address
Mask
255.255.255.0
Subnet mask
Ticked
Page | 18
Parameter
Setting
Description
Description
INTERNAL
IP address
3.3.3.3
IP address
Mask
255.255.255.0
Subnet mask
Page | 19
Parameter
Setting
Description
Description
Destination Network
1.1.1.1
Mask
255.255.255.255
Subnet Mask
Interface
Tunnel 0
Metric
Page | 20
Parameter
Setting
Description
Encryption
DES
Authentication
MD5
1 (768)
Use DH group 1
No PFS
Renegotiate after
Page | 21
Parameter
Setting
Description
Username
Blank username
Password
cisco123
Pre-shared key
Pre-shared key
Access Level
None
Page | 22
Parameter
Setting
Description
Description
DMVPN
10.1.51.92
Local LAN
Page | 23
IP Address
10.100.1.211
Mask
255.255.255.255
Remote LAN
IP Address
10.1.51.92
Mask
255.255.255.255
Preshared Keys
Our ID
10.100.1.211
Our ID type
IPv4 Address
Remote ID
10.1.51.92
3DES
MD5
On demand
1hrs/4608000 Kbytes
Page | 24
click Apply
Page | 25
Parameter
Setting
Description
Description
GRE to DMVPN
IP address
192.168.1.3
Mask
255.255.255.252
Source IP Address
Use IP Address /
10.100.1.211
10.1.51.92
Ticked
Ticked
Browse to Configuration - Network > Interfaces > GRE > Tunnel 0 > Advanced
Click Apply
Page | 26
Parameter
Setting
Description
Ticked
Tunnel Key
Tunnel key
Ticked
600
Ticked
Page | 27
Page | 28
7.1.3 Ping the LAN interface of the Primary Cisco (sv9-2) or the Spoke (sv9-3)
Page | 29
Page | 30
Page | 31
8 FIRMWARE VERSIONS
Page | 32
BGP
QOS
RADIUS Client
SSH Server
SCP
CERT
LowPrio
Tunnel
OVPN
QDL
WiMax
iDigi
OK
Revision:
Revision:
Revision:
Revision:
Revision:
Revision:
Revision:
Revision:
Revision:
Revision:
Revision:
Revision:
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.2
1.2
1.0
1.0
2.0
Page | 33
Page | 34
9 CONFIGURATION FILES
Page | 35
Page | 36
user 7 access 0
user 8 access 0
user 9 access 0
local 0 transaccess 2
sslsvr 0 certfile "cert01.pem"
sslsvr 0 keyfile "privrsa.pem"
ssh 0 hostkey1 "privSSH.pem"
ssh 0 nb_listen 5
ssh 0 v1 OFF
tun 0 descr "GRE to DMVPN"
tun 0 IPaddr "192.168.1.3"
tun 0 source "10.100.1.211"
tun 0 dest "10.1.51.92"
tun 0 kadelay 3
tun 0 usekey ON
tun 0 ipanon ON
tun 0 tunanon ON
tun 0 mgre ON
tun 0 nhs "192.168.1.1"
tun 0 nhrp_auth "cisco123"
tun 0 nhrp_holdtime to 600
idigi 0 ssl ON
idigi 0 sms_optin ON
Power Up Profile: 0
OK
Page | 37
Page | 38
Page | 39
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
TransPort preferred ssh
TransPort output all
line vty 0 4
password cisco
login
TransPort preferred ssh
TransPort input all
TransPort output all
!
!
end
Page | 40
!
!
!
!
!
!
!
!
!
fax interface-type fax-mail
!
!
!
!
archive
log config
hidekeys
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
crypto ipsec profile cisco
set security-association lifetime seconds 120
set transform-set strong
!
!
!
!
!
!
!
!
interface Tunnel0
ip address 192.168.1.2 255.255.255.0
no ip redirects
ip mtu 1440
ip nhrp authentication cisco123
ip nhrp map multicast dynamic
ip nhrp map 192.168.1.1 10.1.51.92
ip nhrp map multicast 10.1.51.92
ip nhrp network-id 1
ip nhrp holdtime 600
ip nhrp nhs 192.168.1.1
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 0
tunnel protection ipsec profile cisco
!
interface FastEthernet0/0
ip address 10.1.51.93 255.255.0.0
speed 100
Page | 41
full-duplex
no shut
interface FastEthernet0/1
ip address 2.2.2.2 255.255.255.0
speed 100
full-duplex
no shut
router eigrp 90
network 2.2.2.0 0.0.0.255
network 192.168.1.0
no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.1.2.100 254
ip route 3.3.3.0 255.255.255.0 Tunnel0
ip route 3.3.3.0 255.255.255.0 Tunnel0 192.168.1.3
!
!
ip http server
no ip http secure-server
!
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
dial-peer cor custom
!
!
!
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
TransPort preferred ssh
TransPort output all
escape-character 27
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
TransPort preferred ssh
TransPort output all
line vty 0 4
Page | 42
password cisco
login
TransPort preferred ssh
TransPort input all
TransPort output all
!
!
end
Page | 43