*************
-> DMVPN
-> Flex VPN
*************
*************************
DMVPN
*************************
=================
- Phase I
=================
-> The default DMVPN phase when EIGRP is used as the routing protocol.
-> In this phase, data traffic follows a hub-and-spoke path.
----------
R1 - NHS
----------
Interface Tunnel 1
ip address 192.168.1.1 255.255.255.0
tunnel source E 0/0
tunnel mode gre multipoint
ip nhrp network-id 1
ip nhrp map multicast dynamic
no ip split-horizon eigrp 123
!
router eigrp 123
network 192.168.1.0
network 172.16.0.0
network 10.0.0.0
------------
R2 - Client
-------------
Interface Tunnel 1
ip address 192.168.1.2 255.255.255.0
tunnel source E 0/0
tunnel mode gre multipoint
ip nhrp network-id 1
ip nhrp nhs 192.168.1.1
ip nhrp map 192.168.1.1 192.1.10.1
ip nhrp map multicast 192.1.10.1
!
router eigrp 123
network 192.168.1.0
network 172.16.0.0
network 10.0.0.0
------------
R3 - Client
-------------
Interface Tunnel 1
ip address 192.168.1.3 255.255.255.0
tunnel source E 0/0
tunnel mode gre multipoint
ip nhrp network-id 1
ip nhrp nhs 192.168.1.1
ip nhrp map 192.168.1.1 192.1.10.1
ip nhrp map multicast 192.1.10.1
!
router eigrp 123
network 192.168.1.0
network 172.16.0.0
network 10.0.0.0
------------
R4 - Client
-------------
Interface Tunnel 1
ip address 192.168.1.4 255.255.255.0
tunnel source E 0/0
tunnel mode gre multipoint
ip nhrp network-id 1
ip nhrp nhs 192.168.1.1
ip nhrp map 192.168.1.1 192.1.10.1
ip nhrp map multicast 192.1.10.1
!
router eigrp 123
network 192.168.1.0
network 172.16.0.0
network 10.0.0.0
------------
R5 - Client
-------------
Interface Tunnel 1
ip address 192.168.1.5 255.255.255.0
tunnel source E 0/0
tunnel mode gre multipoint
ip nhrp network-id 1
ip nhrp nhs 192.168.1.1
ip nhrp map 192.168.1.1 192.1.10.1
ip nhrp map multicast 192.1.10.1
!
router eigrp 123
network 192.168.1.0
network 172.16.0.0
network 10.0.0.0
=================
- Phase II
=================
-> In this phase, data traffic takes a direct spoke-to-spoke path.
-> This phase is implemented by tweaking the routing protocol.
-> Configure the hub so that it does not change the next hop of the routes it relays.
-----
R1
-----
Interface Tunnel 1
no ip next-hop-self eigrp 123
=================
- Phase III
=================
-> In this phase, data traffic takes a direct spoke-to-spoke path.
-> This phase is implemented by tweaking NHRP.
-> The hub is configured to send a redirect to the spokes when data comes in.
   In the redirect, it maps the destination network to its corresponding
   public address.
-> The spokes need to be configured to accept the redirect.
-------
R1-NHS
-------
Interface Tunnel1
ip nhrp redirect
ip summary-address eigrp 123 10.0.0.0 255.0.0.0
ip summary-address eigrp 123 172.16.0.0 255.255.0.0
-------
Spokes
-------
Interface Tunnel1
ip nhrp shortcut
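To make the difference between the three phases concrete, here is a small model, added here and not part of the original notes, of where one spoke's data traffic is tunnelled in Phase I, Phase II and Phase III. It mimics EIGRP next-hop handling (next-hop-self in Phase I, no next-hop-self in Phase II, a summary route in Phase III) and the spoke's NHRP cache (static map to the NHS, resolution of an unknown next hop, and the shortcut installed after a hub redirect). Tunnel addresses and the public addresses of R1, R2 and R5 come from the notes; the public addresses of R3 and R4 and the LAN prefixes (10.N.0.0/16 behind router N) are constructed for the example, and the helper names are hypothetical.

```python
"""Model of where DMVPN data traffic flows in Phases I, II and III (added example)."""
import ipaddress
from dataclasses import dataclass, field

HUB = "192.168.1.1"
NBMA = {                           # tunnel IP -> public (NBMA) address
    "192.168.1.1": "192.1.10.1",   # R1, from the notes
    "192.168.1.2": "192.1.20.2",   # R2, from the Flex VPN section of the notes
    "192.168.1.3": "192.1.30.3",   # R3, constructed for this example
    "192.168.1.4": "192.1.40.4",   # R4, constructed for this example
    "192.168.1.5": "192.1.50.5",   # R5, from the dual-hub section of the notes
}


def lan_of(tunnel_ip):
    """Constructed convention: router with tunnel IP 192.168.1.N owns 10.N.0.0/16."""
    return ipaddress.ip_network(f"10.{tunnel_ip.rsplit('.', 1)[1]}.0.0/16")


@dataclass
class Spoke:
    tunnel_ip: str
    phase: int
    rib: dict = field(default_factory=dict)        # prefix -> next-hop tunnel IP (EIGRP)
    nhrp: dict = field(default_factory=dict)       # tunnel IP -> NBMA address (NHRP cache)
    shortcuts: dict = field(default_factory=dict)  # prefix -> next hop learnt via NHRP


def build_spoke(tunnel_ip, phase):
    """Populate the spoke's RIB the way the hub's EIGRP config of each phase would."""
    s = Spoke(tunnel_ip, phase)
    s.nhrp[HUB] = NBMA[HUB]                      # ip nhrp map 192.168.1.1 192.1.10.1
    for peer in NBMA:
        if peer == tunnel_ip:
            continue
        if phase == 1:                           # hub keeps next-hop-self
            s.rib[lan_of(peer)] = HUB
        elif phase == 2:                         # no ip next-hop-self eigrp 123 on the hub
            s.rib[lan_of(peer)] = peer
    if phase == 3:                               # ip summary-address eigrp 123 10.0.0.0 255.0.0.0
        s.rib[ipaddress.ip_network("10.0.0.0/8")] = HUB
    return s


def lookup(table, dst):
    """Longest-prefix match; returns the next-hop tunnel IP or None."""
    hits = [(net, nh) for net, nh in table.items() if dst in net]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None


def send(spoke, dst_ip):
    """Forward one packet; returns the public addresses it is tunnelled to, in order."""
    dst = ipaddress.ip_address(dst_ip)
    owner = next((r for r in NBMA if dst in lan_of(r)), None)
    nh = lookup(spoke.shortcuts, dst) or lookup(spoke.rib, dst)
    if owner is None or nh is None:
        raise LookupError(f"no route to {dst}")
    if nh in spoke.nhrp:
        path = [spoke.nhrp[nh]]
        if nh == HUB and owner != HUB:
            path.append(NBMA[owner])             # hub hairpins it to the owning spoke
    else:
        # Phase II: the next hop is a spoke whose NBMA address is unknown. The spoke
        # sends a Resolution Request to the NHS; meanwhile this packet goes via the hub.
        path = [NBMA[HUB], NBMA[owner]]
        spoke.nhrp[nh] = NBMA[nh]                # Resolution Reply
    if spoke.phase == 3 and nh == HUB and owner != HUB:
        # The hub saw ingress == egress tunnel: 'ip nhrp redirect' sends a Traffic
        # Indication. With 'ip nhrp shortcut' the spoke resolves the destination and
        # installs a more specific entry that overrides the summary route via the hub.
        spoke.nhrp[owner] = NBMA[owner]
        spoke.shortcuts[lan_of(owner)] = owner
    return path


if __name__ == "__main__":
    for phase in (1, 2, 3):
        r2 = build_spoke("192.168.1.2", phase)
        first, later = send(r2, "10.3.1.1"), send(r2, "10.3.1.1")
        print(f"Phase {phase}: first packet via {first}, later packets via {later}")
```

Running it shows the point of the section: in Phase I every packet is hairpinned through 192.1.10.1, in Phase II only the first packet goes via the hub while the spoke resolves the next hop, and in Phase III the RIB still holds only the 10.0.0.0/8 summary via the hub, yet after the redirect the spoke's NHRP shortcut sends traffic straight to the other spoke's public address.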
=================
- Dual-Hub DMVPN
=================
---------------------------------------------------------------
1. Configure a Static Neighbor relationship between the Hubs
---------------------------------------------------------------
----
R1
----
Interface tunnel 1
ip address 192.168.1.1 255.255.255.0
tunnel source E 0/0
tunnel mode gre multipoint
ip nhrp network-id 1
ip nhrp map 192.168.1.5 192.1.50.5
ip nhrp map multicast 192.1.50.5
ip nhrp map multicast dynamic
ip nhrp redirect
no ip split-horizon eigrp 123
!
router eigrp 123
network 192.168.1.0
network 10.0.0.0
network 172.16.0.0
----
R5
----
Interface tunnel 1
ip address 192.168.1.5 255.255.255.0
tunnel source E 0/0
tunnel mode gre multipoint
ip nhrp network-id 1
ip nhrp map 192.168.1.1 192.1.10.1
ip nhrp map multicast 192.1.10.1
ip nhrp map multicast dynamic
ip nhrp redirect
no ip split-horizon eigrp 123
!
router eigrp 123
network 192.168.1.0
network 10.0.0.0
network 172.16.0.0
---------------------------------------------------------------
2. Configure both Hubs as NHS on all Spokes/Clients.
---------------------------------------------------------------
----
R2
----
Interface tunnel 1
ip address 192.168.1.2 255.255.255.0
tunnel source E 0/0
tunnel mode gre multipoint
ip nhrp network-id 1
ip nhrp nhs 192.168.1.1
ip nhrp nhs 192.168.1.5
ip nhrp map 192.168.1.1 192.1.10.1
ip nhrp map 192.168.1.5 192.1.50.5
ip nhrp map multicast 192.1.10.1
ip nhrp map multicast 192.1.50.5
ip nhrp shortcut
!
router eigrp 123
network 192.168.1.0
network 10.0.0.0
network 172.16.0.0
----
R3
----
Interface tunnel 1
ip address 192.168.1.3 255.255.255.0
tunnel source E 0/0
tunnel mode gre multipoint
ip nhrp network-id 1
ip nhrp nhs 192.168.1.1
ip nhrp nhs 192.168.1.5
ip nhrp map 192.168.1.1 192.1.10.1
ip nhrp map 192.168.1.5 192.1.50.5
ip nhrp map multicast 192.1.10.1
ip nhrp map multicast 192.1.50.5
ip nhrp shortcut
!
router eigrp 123
network 192.168.1.0
network 10.0.0.0
network 172.16.0.0
----
R4
----
Interface tunnel 1
ip address 192.168.1.4 255.255.255.0
tunnel source E 0/0
tunnel mode gre multipoint
ip nhrp network-id 1
ip nhrp nhs 192.168.1.1
ip nhrp nhs 192.168.1.5
ip nhrp map 192.168.1.1 192.1.10.1
ip nhrp map 192.168.1.5 192.1.50.5
ip nhrp map multicast 192.1.10.1
ip nhrp map multicast 192.1.50.5
ip nhrp shortcut
!
router eigrp 123
network 192.168.1.0
network 10.0.0.0
network 172.16.0.0
================================
- Encrypting DMVPN using IPSec
================================
----------------
R1 - R5
----------------
! 1. Phase I - ISAKMP Policies
crypto isakmp policy 10
authentication pre-share
hash md5
encryption 3des
group 2
crypto isakmp key Cisco123 address 0.0.0.0
! 2. Phase II - IPSec Policies
crypto ipsec transform-set TSET esp-3des esp-md5-hmac
mode transport
! 3. IPSec Profile
crypto ipsec profile IPROF
set transform-set TSET
! 4. Apply to the Tunnel Interface
Interface Tunnel1
tunnel protection ipsec profile IPROF
*************************
Flex VPN
*************************
----------
R1
----------
! 1 - A. Configure the IKEv2 proposal
crypto ikev2 proposal PROP-1
integrity md5 sha1
encryption 3des
group 2 5
! 1 - B. Configure the IKEv2 Policy
crypto ikev2 policy POL-1
proposal PROP-1
! 1 - C. Configure an IKEv2 Keyring
crypto ikev2 keyring KR-1
peer R2
address 192.1.20.2
pre-shared-key local Cisco111
pre-shared-key remote Cisco222
! 1 - D. Configure an IKEv2 Profile
crypto ikev2 profile R2-IKEv2
match identity remote address 192.1.20.2
authentication local pre-share
authentication remote pre-share
keyring local KR-1
! 2. Phase II - IPSec Policies
crypto ipsec transform-set TSET esp-3des esp-md5-hmac
! 3. IPSec Profile
crypto ipsec profile IPROF
set transform-set TSET
set ikev2-profile R2-IKEv2
! 4. Configure the S-VTI Tunnel Interface
Interface Tunnel 1
ip address 192.168.1.1 255.255.255.0
tunnel source 192.1.10.1
tunnel destination 192.1.20.2
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPROF
! 5. Configure Dynamic Routing over the Tunnel
router eigrp 123
network 192.168.1.0
network 10.0.0.0
network 172.16.0.0
----------
R2
----------
! 1 - A. Configure the IKEv2 proposal
crypto ikev2 proposal PROP-1
integrity md5 sha1
encryption 3des
group 2 5
! 1 - B. Configure the IKEv2 Policy
crypto ikev2 policy POL-1
proposal PROP-1
! 1 - C. Configure an IKEv2 Keyring
crypto ikev2 keyring KR-1
peer R1
address 192.1.10.1
pre-shared-key remote Cisco111
pre-shared-key local Cisco222
! 1 - D. Configure an IKEv2 Profile
crypto ikev2 profile R2-IKEv2
match identity remote address 192.1.10.1
authentication local pre-share
authentication remote pre-share
keyring local KR-1
! 2. Phase II - IPSec Policies
crypto ipsec transform-set TSET esp-3des esp-md5-hmac
! 3. IPSec Profile
crypto ipsec profile IPROF
set transform-set TSET
set ikev2-profile R2-IKEv2
! 4. Configure the S-VTI Tunnel Interface
Interface Tunnel 1
ip address 192.168.1.2 255.255.255.0
tunnel source 192.1.20.2
tunnel destination 192.1.10.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPROF
! 5. Configure Dynamic Routing over the Tunnel
router eigrp 123
network 192.168.1.0
network 10.0.0.0
network 172.16.0.0
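Both the ISAKMP/IPsec block above (3DES, MD5, DH group 2, a pre-shared key accepted from address 0.0.0.0) and the IKEv2 proposal in the Flex VPN section use parameters that a reviewer would flag today, and an mGRE tunnel that never receives 'tunnel protection' carries NHRP and data across the underlay in clear. The following script, added here and not part of the original notes or of any Cisco tool, parses un-indented IOS configuration like the blocks on this page and reports those settings. Sample inputs are taken from the R1 configuration in the notes (constructed in the form shown here); the function names and finding texts are the example's own.

```python
"""Static audit of IOS crypto and DMVPN tunnel configuration (added example)."""
import re

WEAK_ENC = {"des", "3des"}
WEAK_HASH = {"md5", "sha", "sha1"}      # ISAKMP 'hash sha' means SHA-1, which is legacy too
WEAK_DH = {"1", "2", "5"}               # DH groups below 2048 bits
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac"}
SECTION_START = ("crypto ", "interface ", "router ")


def normalise_header(line):
    """'Interface Tunnel 1' and 'interface Tunnel1' name the same IOS object."""
    m = re.match(r"^interface\s+([a-z]+)\s*(\S+)$", line)
    return f"interface {m.group(1)}{m.group(2)}" if m else line


def parse_sections(text):
    """Return {header: [sub-commands]} for an IOS config without indentation.
    Sections begin at 'crypto', 'interface' or 'router'; '!' lines are skipped;
    sections with the same header are merged, as IOS merges a second
    'interface Tunnel1' block into the first."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = " ".join(raw.split()).lower()
        if not line or line.startswith("!"):
            continue
        if line.startswith(SECTION_START):
            current = normalise_header(line)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def audit(text):
    """Return a list of (section header, finding) tuples in configuration order."""
    findings = []
    for header, body in parse_sections(text).items():
        if header.startswith(("crypto isakmp policy", "crypto ikev2 proposal")):
            for line in body:
                kw, *args = line.split()
                if kw == "encryption" and WEAK_ENC & set(args):
                    findings.append((header, f"weak encryption: {' '.join(args)}"))
                if kw in ("hash", "integrity") and WEAK_HASH & set(args):
                    findings.append((header, f"weak hash/integrity: {' '.join(args)}"))
                if kw == "group" and WEAK_DH & set(args):
                    findings.append((header, f"weak DH group: {' '.join(args)}"))
        elif re.match(r"^crypto isakmp key \S+ address 0\.0\.0\.0( 0\.0\.0\.0)?$", header):
            findings.append((header, "wildcard pre-shared key: any peer address may authenticate"))
        elif header.startswith("crypto ipsec transform-set"):
            weak = WEAK_ESP & set(header.split())
            if weak:
                findings.append((header, f"deprecated ESP transform: {' '.join(sorted(weak))}"))
        elif header.startswith("interface tunnel"):
            has = lambda prefix: any(l.startswith(prefix) for l in body)
            if has("tunnel mode gre multipoint") and not has("tunnel protection"):
                findings.append((header, "mGRE tunnel without 'tunnel protection': NHRP and data cross the underlay in clear"))
            if has("ip nhrp network-id") and not has("ip nhrp authentication"):
                findings.append((header, "NHRP without 'ip nhrp authentication'"))
    return findings


# Constructed sample: R1's Phase I tunnel from the notes, before IPsec is applied.
R1_PLAIN = """
Interface Tunnel 1
ip address 192.168.1.1 255.255.255.0
tunnel source E 0/0
tunnel mode gre multipoint
ip nhrp network-id 1
ip nhrp map multicast dynamic
no ip split-horizon eigrp 123
!
router eigrp 123
network 192.168.1.0
"""

# Constructed sample: the same tunnel plus the 'Encrypting DMVPN using IPSec' block.
R1_IPSEC = R1_PLAIN + """
crypto isakmp policy 10
authentication pre-share
hash md5
encryption 3des
group 2
crypto isakmp key Cisco123 address 0.0.0.0
crypto ipsec transform-set TSET esp-3des esp-md5-hmac
mode transport
crypto ipsec profile IPROF
set transform-set TSET
Interface Tunnel1
tunnel protection ipsec profile IPROF
"""

if __name__ == "__main__":
    for name, cfg in (("R1 plain mGRE", R1_PLAIN), ("R1 with IPsec", R1_IPSEC)):
        print(f"== {name} ==")
        for section, finding in audit(cfg):
            print(f"{section}: {finding}")
```

On the plain configuration the only findings are the unprotected mGRE tunnel and the missing NHRP authentication; once the IPsec block is merged the tunnel-protection finding disappears and the weak ISAKMP, wildcard-key and ESP transform findings take its place, which is what you want the review to surface before the lab configuration is reused in production.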