Thursday, December 17, 2009

Cisco DMVPN sample spoke script

Now that you have the hub script, let's set up a spoke. This configuration brings the remote site up and connects it to the hub over an IPsec-protected mGRE tunnel with EIGRP running across it, so once it is up you should see the hub as a routing neighbor with:
show ip eigrp neighbor

If the neighbor never appears, work up the stack in order: show crypto isakmp sa (is phase 1 up?), show crypto ipsec sa (are the ESP packet counters moving?) and show ip nhrp (did the spoke register with the NHS?).

!#####
! - DMVPN Spoke script - sample 2811 router running 12.2.x ios code
!
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname {router hostname}
!
logging count
logging message-counter syslog
logging buffered 4096
!
no aaa new-model
clock timezone PST -8
clock summer-time PDT recurring
!
no ip source-route
!
ip cef
!
no ip domain lookup
ip domain name {example.com}
no ipv6 cef
!
username {name} privilege 15 secret {some super secret password}
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key {some long preshared key} address 0.0.0.0 0.0.0.0
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10
!
crypto ipsec transform-set {some string like companyname-tset} esp-aes esp-sha-hmac
!
crypto ipsec profile {some string like companyname-prof}
set transform-set {same string like companyname-tset}
!
interface Loopback0
ip address {loopback IP} 255.255.255.255
no shut
!
interface Tunnel0
description - DMVPN Tunnel Interface - Spoke configuration
bandwidth {set to the same as the internet bw - like 1544}
ip address 10.100.100.2 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication {some string - has to match the hub and every spoke}
ip nhrp map multicast {Public IP of Hub}
ip nhrp map 10.100.100.1 {Public IP of Hub}
ip nhrp network-id {some id - match it to the eigrp AS}
ip nhrp holdtime 300
ip nhrp nhs 10.100.100.1
ip virtual-reassembly
ip tcp adjust-mss 1360
no ip mroute-cache
load-interval 60
delay 400
keepalive 5 4
tunnel source FastEthernet0/1
tunnel mode gre multipoint
tunnel key {some number - needs to match the hub}
tunnel protection ipsec profile {same string like companyname-prof}
no shut
!
interface FastEthernet0/0
description ***Internal LAN connection to switching core***
ip address {LAN IP} 255.255.255.0
no ip redirects
ip virtual-reassembly
duplex auto
speed auto
no shut
!
interface FastEthernet0/1
description ***External Internet connection to outside switch***
ip address {Public IP of Spoke} {Subnet of Public IP}
ip access-group inet in
no ip redirects
ip virtual-reassembly
duplex auto
speed auto
no shut
!
router eigrp {eigrp AS number}
redistribute connected route-map redistribute-connected-rm
network 10.100.100.0 0.0.0.255
network {LAN IP} 0.0.0.255
no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 {DG of Public IP}
no ip http server
no ip http secure-server
!
ip access-list standard redistribute-connected
permit {Loopback IP}
!
ip access-list standard vty_access
! - permit remote IP's
permit {public ip} {inverse public subnet} log
! - permit internal IP's
permit 10.0.0.0 0.255.255.255 log
!
ip access-list extended inet
remark Access list for Internet interface - permits DMVPN
permit udp any host {public IP of spoke} eq non500-isakmp
permit udp any host {public IP of spoke} eq isakmp
permit esp any host {public IP of spoke}
permit ahp any host {public IP of spoke}
permit gre any host {public IP of spoke}
! allow ssh to the public interface
permit tcp {remote public ip} {inverse public subnet} host {public IP of spoke} eq 22
! allow icmp if you want
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any time-exceeded
permit icmp any any unreachable
deny ip any any
!
snmp-server community {some string} RO
snmp-server location {some location}
snmp-server contact {some contact and number}
!
route-map redistribute-connected-rm permit 10
match ip address redistribute-connected
!
banner login ^

--------------------------------------------------------------------------


{Some Company Name}

{some threatening statement telling people to go away}

{some statement claiming everything is being logged}


----------------------------------------------------------------------------
^
!
alias exec st sh ip int brief
!
line con 0
login local
line aux 0
line vty 0 4
access-class vty_access in
exec-timeout 10 0
login local
transport input ssh
line vty 5 15
access-class vty_access in
exec-timeout 10 0
login local
transport input ssh
!
ntp server {public NTP server IP}
end
!
!#####

As with the previous hub script, this one has no CBAC or zone-based firewalling, for the same rationale given there. It also uses pre-shared keys; certificates require the router to go through an enrollment process, which I will cover in a later post. Two things to tighten before leaving this in production: the ISAKMP key is bound to 0.0.0.0 0.0.0.0, so any peer that knows the key can negotiate phase 1 with the router, and line aux 0 is left with no login or transport restriction. As before, this is provided as is; it isn't perfect, but it should get you started with minimal effort.
- Ed
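A sanity check for the settings the hub and spoke scripts have to agree on. This is an added example, not part of the original post and not a Cisco tool: it pulls the values that must match (ISAKMP policy, transform set, NHRP authentication string and network-id, tunnel key, EIGRP AS) out of two saved configs and reports any that differ, and it checks that the spoke's inet ACL still has reachable permits for IKE, IKE NAT-T and ESP ahead of its deny-all. The hub and spoke fragments, the names acme-tset and acmekey, and the address 198.51.100.2 are constructed for the example.

```python
import re
# Constructed hub and spoke fragments (not the page's full scripts): only the
# lines the check reads are present, and the spoke carries two deliberate
# mismatches (DH group, tunnel key) plus an Internet ACL with no NAT-T permit.
HUB_CONFIG = """\
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto ipsec transform-set acme-tset esp-aes esp-sha-hmac
interface Tunnel0
 ip nhrp authentication acmekey
 ip nhrp network-id 100
 tunnel key 100
router eigrp 100
"""
SPOKE_CONFIG = """\
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 5
crypto ipsec transform-set acme-tset esp-aes esp-sha-hmac
interface Tunnel0
 ip nhrp authentication acmekey
 ip nhrp network-id 100
 ip nhrp nhs 10.100.100.1
 tunnel key 101
router eigrp 100
ip access-list extended inet
 remark Access list for Internet interface - permits DMVPN
 permit udp any host 198.51.100.2 eq isakmp
 permit esp any host 198.51.100.2
 deny ip any any
"""
# Parameters that must agree between hub and spoke: IKE phase 1 policy, IPsec
# transforms, NHRP authentication and network-id, GRE tunnel key, EIGRP AS.
# Each regex has one capture group and is applied line by line.
MUST_MATCH = {
    "isakmp encryption":   r"^\s*encr\s+(\S+)",
    "isakmp dh group":     r"^\s*group\s+(\d+)",
    "isakmp auth":         r"^\s*authentication\s+(\S+)",
    "ipsec transforms":    r"^\s*crypto ipsec transform-set\s+\S+\s+(.+?)\s*$",
    "nhrp authentication": r"^\s*ip nhrp authentication\s+(\S+)",
    "nhrp network-id":     r"^\s*ip nhrp network-id\s+(\d+)",
    "tunnel key":          r"^\s*tunnel key\s+(\d+)",
    "eigrp AS":            r"^\s*router eigrp\s+(\d+)",
}
# Inbound entries the spoke's Internet ACL needs ahead of its closing
# "deny ip any any": IKE (UDP 500), IKE NAT-T (UDP 4500) and ESP itself.
REQUIRED_INET_PERMITS = [
    ("isakmp",        r"^permit udp any host \S+ eq isakmp$"),
    ("non500-isakmp", r"^permit udp any host \S+ eq non500-isakmp$"),
    ("esp",           r"^permit esp any host \S+$"),
]
ACE = re.compile(r"^\s*(permit|deny|remark)\b")

def extract(config):
    """Map each MUST_MATCH name to the value on the first line matching it."""
    found = {}
    for name, pattern in MUST_MATCH.items():
        for line in config.splitlines():
            m = re.match(pattern, line)
            if m:
                found[name] = m.group(1)
                break
    return found

def compare(hub_config, spoke_config):
    """(name, hub_value, spoke_value) for every missing or differing parameter."""
    hub, spoke = extract(hub_config), extract(spoke_config)
    return [(n, hub.get(n), spoke.get(n)) for n in MUST_MATCH
            if hub.get(n) is None or hub.get(n) != spoke.get(n)]

def acl_entries(config, name):
    """Entries of the named extended ACL, in order ('!' comment lines skipped)."""
    entries, inside = [], False
    for line in config.splitlines():
        if re.match(rf"^ip access-list extended {re.escape(name)}\s*$", line):
            inside = True
        elif inside and not line.lstrip().startswith("!"):
            if not ACE.match(line):      # first real non-ACE line ends the list
                break
            entries.append(line.strip())
    return entries

def missing_inet_permits(config, acl_name="inet"):
    """Required permits that no entry before the first deny-all provides."""
    reachable = []
    for entry in acl_entries(config, acl_name):
        if entry == "deny ip any any":
            break
        reachable.append(entry)
    return [n for n, pat in REQUIRED_INET_PERMITS
            if not any(re.match(pat, e) for e in reachable)]

if __name__ == "__main__":
    print(compare(HUB_CONFIG, SPOKE_CONFIG), missing_inet_permits(SPOKE_CONFIG))
```

Run against the constructed fragments it reports the DH group (2 vs 5) and tunnel key (100 vs 101) mismatches and flags the missing non500-isakmp permit; feed it your own saved hub and spoke configs instead of the embedded strings to check a real deployment. The ACL parser tolerates both the indented form IOS writes out and the flat, comment-interleaved form in the script above.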
