Cisco CCNP Security 300-730 SVPN – Site-to-Site Virtual Private Networks on Routers and Firewalls Part 7

12. What is FlexVPN

Very nice. So flexvpn. What is flexvpn? Just a cool name. Let’s figure it out. Well, what is flexvpn? Well, flex, flexible. VPN is a common umbrella for all IC. Version two, IPsec VPN deployed on iOS routers. Okay, remember that only on iOS routers, it is not for ASA. It is only a way of how to deploy all IQ. Version two, IPsec VPN tunnel on iOS routers. It has the technical benefits, but also it’s more like a marketing term, right? And what Cisco did was they came out with a common configuration template for all VPN types, which is really nice. You don’t have to remember a different VPN configuration for every single one out there. So you don’t have to remember like a different one. Forget VPN DMVPN SVT dvti and all of them and SSL and all of them So it is just a common configuration template for all VPN types. That’s what flexvpn is. So you no longer need 50 plus templates for VPN configurations.

A feature parity between all VPN types. So there’s no more restrictions and they are based on each VPN type. So there’s like an additional extra configuration templates that are required for different ones. But it is not as big as configuring as having 50 different templates for each VPN configuration. Okay, so that is what Flexvpn is. The first time I was doing my research on it, I’m like, okay, I have to learn another way to another configuration, another VPN configuration. But now it is just like a template for all the VPN types, only for icon version two and only on iOS router.

So remember that for the XM. So now I’m going to go through how this flexibility works and how it is all put together. And I’m calling this the building blocks. And the first one is a proposal. And in Ike version two, proposal, it is mandatory. In Egg version one, this was the Isaacam policy. So basically the proposal just the Isaac and policy. It is defined with a name and not a number, which is better because that way you can differentiate. So if you have three different tones on one router, now you can differentiate these tunnels going to router three. This tunnel is going to router four.

So you can have a name and not a number. And there’s a default that exists. And the configuration that I’m going to do next, I’m going to be keeping the default and I can show you how to edit it and all that good stuff as well.

The aggression to proposal configuration. So this is how it is. You have to configure the encryption. This way you can figure out on the aggregation to proposal, you need to configure the encryption, which you can use. Multiple entries can be configured so you can have one entry. The first entry that you should have, if you’re going to edit or you’re going to create your own proposal, you want to have it from the highest encryption to the lower encryption.

So you want to have AES and then three desk and then desk. So you can have multiple entries. And for integrity, you can have shot two, shot one, and MD five for Dippy home. And you can have all the group numbers from higher to lower. Because what’s going to happen is, since you have different entries, what’s going to happen is that if this router has multiple entries and it wants to make or create a tunnel with the other router, and the other router does not have the highest encryption, it’s going to use the other one, the second highest. And for integrity, the same thing for hashing algorithms. If it’s the highest not there, then it’s going to use the second one, the second highest one. And I’m going to show you guys when I do the configuration so you guys can see what I’m talking about better.

And for act two, proposal no longer contains the authentication method. So we don’t need to do a preset key or tell or whatever. If you are going to use a certificate, we’re not going to use that there. And the Security Association lifetime is not there either. We also need to create a policy. I work on Tunisia, a proposal attached to this policy and a default one exists.

So if you do not edit the proposal and the default proposal and the default policy, it is already attached with one another. So you can create your own one if you want, or you can leave the default there, which is fine as well. And the scope is to control which proposal is used. For the IPsec. VPN Tono. So the policy is the one that mandates which proposal we are going to be using. And for the IC version two policy configuration, you do need to have the Ike version two proposal attached.

Like I said before, there is an option for the terminating local address for the IPC VPN. Optional, you could have the I believe this is called the Fvrf, which is the front door, I think it’s front VRF. And this is when we are isolating the transport network, usually internet facing. And this allows us to configure the default route that won’t interfere with the routine in our global table. And the proposals are attached to the policy.

So let’s say that if you have one proposal, if you have proposal one is attached to policy one and the peer choose policy one, the appeal will use the proposal one because it is the one attached to the policy. So this is how it works. The policy mandates which proposal you are going to be using. So remember that. And now for the curing, that’s another block that you need to configure. And this one, you need to do it manually. There’s not a default for the keyring because you need to create your own curing, right? And it is mandatory if you’re going to use a pre shared key authentication in IC version one. This was the Isaac M carrying and it is used to define the preshare keys. Simple enough. And here’s the aggregation keyering configuration. You need to configure the two keys. Remember like I said on my video before, that you could do the commander pressure key used by the Local peer and also the preschool key used by the remote peer because for Iverson two you could have IC metric keys and for the Local it’s going to have a different pre shared key as the remote. So we are going to use asymmetric keys because we’re using two different keys. And if the Local is ABC and the remote is one to three, on the other side you need to have the Local one to three and the remote ABC. So you just need to switch it so they can authenticate with IC version two. And another one is the IC version two profile and this is also mandatory in IC version one. This was the I second profile and it’s used to define Local remote IC version two identities.

Actually it’s used to define both of them, the Local and the remote IC version two identities and it needs the IC version two curing attached. So this curing whenever we configure the preacher here for the Local peer and for the remote peer, then we are going to attach this to the IC version two profile. And the way that you configure this, you first to attach the IC version two clearing if pressure key is used, not sealed but used. And you are going to define the PKI trust point if a PKI notification is used here. So either if you use a preschool key, you’re going to attach the curing here. But if you are going to use a PKI, we are going to define the PKI trust point and also we are going to configure the Local remote, the Local and the remote peer authentication type which is mandatory. And we are also going to configure the Local and the remote IQ version two, ID or identities like we said before.

And this is how you do it. So you’re going to do from the configuration command on your Cisco iOS, because Flexvpn is only for iOS routers. You’re going to issue the crypto I correction to curing and then you’re going to give it a name as you can see right here, right here. And then you’re going to say that you’re going to configure peer router two, which is going to be the remote router and you’re going to give it the address of the remote router that you’re going to configure. The pre shared key, the local preserve key, which is the local of this router that we are configuring, which is router one and then the pre shared key for the remote router and we are going to give it this key, which is R two. And then on the other side. You’re going to configure peer router one and you’re going to give it the IP address of router one. The preserve key is going to be R two key and the remote key is going to be R one key. So you just need to switch those names and then to configure the IG version two profile, this is how you do it. You need to issue the crypto key, the crypto IQ version two profile and then you give it a name and the name is per Ipseg VPN Tono.

For every IPsec VP and Tonal you need to create your own ignorance two profile. But you could keep using the same aggression two key ring for any IC version two profile. And then after you do that, after you create the profile, you need to do authentication local pressure key and authentication remote going to the same pressure key. And then you’re going to attach the key ring local which is called I questioned two underscore curing. You can give it any name. You can see right here, this one was the key ring that we created. So we attach it over here to the IQ version two profile and then we are going to say a match identity remote address which is going to be the remote address of that iOS router for the one that two. And then we are going to do identity a local address which is the identity of our local iOS router. And also the IPsec configuration remains almost the same. Just like in the case of IC version one IPsec VPN, it is identical. The only main difference between IG version one and I version two is that you have to attach the IC version two profile at the crypto map or the IPsec profile level.

And we are going to be using IPsec profile level because that’s what Cisco tells you to do. They don’t want you to be using crypto map unless you are going to be configuring a router with the ASA. If it is between two routers you want to use the IPsec profile and if you want ESP with integrity or encryption, you have algorithms that you can use like in aggregation one where you could use triple desk or as. You could also use regular hashing algorithms. Use MD Five, shar One and Shar Two. And you could also use next generation algorithms. So if you want to use ESP with integrity or encryption you can use this next generation algorithms like AES GMC. GMC stands for the lowest counter mode and it has a built in integrity and data authentication. Or if you want to use the other algorithm which is AES Gmax, you could also do that with Icraft Two and Gmax stands for Global Message Authentication Code and it only offers integrity and data authentication. And here is how you can create the IPsec profile and there’s a default one, so you can use the default one which we are going to be using on the next video that I’m going to be configuring at SVTI VPN IPsec tunnel.

And this is how you do it. You just issue this command which is Crypto IPsec profile default. Since we are going to edit the default, all we’re going to do is to attach the I version two profile, which is router one, to router two, which was the one that we created over here with the Crypto IQ version two profile, router one two, router two. There it is. And here are some show commands that you could do. So if you want to verify the Aggression Two configuration verification, what you could do is you could do the Show Crypto policy. You could also do the show Crypto Aggression two proposal. So you can see the policy where you have configured there to see the verification and the proposal. And also if you want to see the verification, if you want to verify the curing configuration, what you could do is you can do a show running config section crypto I could be two curing. If you want to see the verification for the profile configuration, you could do the Show Crypto I version Two profile.

And for IPsec configuration verification, you can use the same one for the one that we use in IC version one which is Show Crypto IPsec transform sets and Show Crypto IPsec profile. And to verify I version two sessions, all you have to do is replace the Isaac amp and put IC version two right here. So you want to do a showcrypto IC version two SA or show Crypto Aggression two satellite. And there are more commands that you can use. So if you want to see the IPsec session, you could do a Showcrypto IPsec essay, show Crypto IPsec essay detail. And if you want to verify both of them I version two and Ipsag essay, you could issue one of these two commands, either Show Crypto I version two session, Show Crypto version two, or ICV Two Sassion detail, not detail but detail. And if you want to troubleshoot the ICV two SA, you could do a debug crypto IQB two or debug crypto IQB two package. And if you want to troubleshoot the IPsec essay, you could issue the debug command of Debug Crypto IPsec or Debug Crypto IPsec estate. And this is all for this video guys. I hope you guys enjoyed this video on Flexvpn and how Flexvpn works and how you could configure it. And I also show you some show commands and also show you some configuration commands how to configure this flexibn.

13. FlexVPN Spoke-Spoke DVTI vs DMVPN phase 3

Hello guys. Welcome to another video. And in this video we are going to configure two types of VPNs and they are both our hope to spoke and spoke to spoke. One is going to be DMVPN, which is using ID version one over here. And of course we also are going to be using NhRP because without NhRP we are not able to form spoke to spoke communication and that’s going to be the VPN. And then we have Flexvpn, which is with it. Version two, they also call it Flexvpn spoke to spoke or they call it Flexvpn Dvti. It depends who you’re talking to. So this flexvpn spoke to spoke is going to have a hook to spoke communication, also spoke to spoke communication using IG two, which is a lot better than I version one. As you know, Cisco does not recommend to configure Ike version one at all. I believe they have that disabled on the routers and firewalls as well. So we are going to have both configuration done and we are going to start with the DMVPN configuration and this one’s going to be DMVPN based version three, which is the one that have spoke to spoke communication and it has redirect and all that good stuff. So let’s go and start with that. So here we are.

Let’s see if we can move this over here so we can see our topology, at least half of it. There we go. And we are going to start with the hub like we always do. Okay? So the first thing that we want to do is configure Ike version one. First one, we want to do a crypto Isaacamp policy. And here in this policy you want to do that. You want to specify what encryption method you want to be using. Predess what hashing algorithm. We’re going to choose an MD five give. We have a good number. We are going to use two and the encryption method on that encryption, how are we going to authenticate using a pressure key. And the pressure key is going to be defined on the other iteration one. First one doing a crypto isacam key not keep a lot live crypto Isaacamp key GCMP GCMP SEC. And then you want to give it the address. And with this wildcard, I’m saying that I want anybody, any IP address that has this key. So I’m going to be able to authenticate to any router but whoever has this key though, but to any IP address. If you want to specify an IP address, you can do it.

So right here but I’m just going to leave it like that since I’m going to authenticate with two different routers and it’s a little bit easier to manipulate. Then after that we are done with aggression. One, phase one and we’re going to configure IC version two. Ike version one, phase two. I’m sorry. So Ike version one, phase two. Let’s go ahead and do that. And that intake takes IPsec. So crypto IPsec transform set you’re just going to call it TSET ESPAS 26 with ESPN and also HMAC included exit. Then we do a crypto IPsec profile. IPsec profile and inside here all we need to do is attach the transform set which we call TSET over here. Okay so I version one is going to create the tunnel. It’s going to create a secure tunnel so we can then send traffic using ipset. Okay, so I version one place one secures one place two basically. Okay, so we are done with that. Now after that is done, let me do an IP. Let’s see, we’re going to do interface interface actually we have to do for face one is the tunnel. So IP address is going to one 6810 one and router four is going to have that four.

And router five over here it’s going to have that five for the tunnel. Okay so that is good. Then we’re going to do a no IP redirect. Then we’re going to do no IP next app ten and this is that the help doesn’t list itself has the next apps for the routing updates of the spokes. Then we’re going to do no IP split horizon URP autonomous system ten. Then we do IP NhRP map multicast going to be dynamic IP NhRP network ID let’s just say ten total source kilobyte that’s the source of the hub. So that’s good. Then we want to specify the IPN SRP shortcut command shortcut is also going to be configured on the spokes which is responsible to rewrite the CAES entry after getting the redirect message. So we need to do IPN SRP redirect message.

So what that’s going to do is whenever four communicates with router five over here what’s going to happen. The first packet is going to be sent to the Hub and then the Hub is going to be, hey, there is a better way or a faster way or a more direct way to get to Router Five. And it’s going to send it because it’s going to be triggered by redirect message and it’s going to send to Router Four. And then router four is going to catch it with the it shortcut and it’s going to add it to its routing table and it’s going to create a spoke to spoke communication with router four. You guys are going to see that whenever we configure everything I want to show you whenever it’s done. Then we want to do a ton of mode and it’s going to a GRE a multi point one so tonal mode grey multi point and then you want to do a toner protection using IPsec profile that we created and we name it IPsec profile. I said I should come up. Now we want to do a router ERP ten and we want to see do show IP interface please. So we want to add my loop back address and also this tunnel IP address. Do not auto summary then network nine nine nine actually for walkart and then network one and two h 100 two five exit. Let’s just go ahead and end it and then let’s do a showrun. Let’s do a section of crypto and over here we are going to copy we’re going to copy Igorge one face one and Iwitch one face two. And we’re going to put it on a notepad, right? Because it’s going to be the same configuration.

So all we have to do is just copy and paste it into the other two routers. Good. And then let’s also copy show section EIGRP. They can copy this. Paste it right here. Let’s go to router four. And router four is going to have a different tonal configuration. So in the tunnel let’s go ahead and just create it right now. Interface tono zero the IP address of it provider four is going to be one and two h one or that ten four and then it’s going to have an IPN SRP NHS. NHS means the next app server. We need to identify the next app server which is one and two one 6810 one the IP address of the tunnel interface of the hub and then we’re going to say the MBMA IP address one. What is it? Then we do NSRP map multicast. This means that all the multicast traffic I wanted to send it to 182 191, which is the MVM IP address of the hub. And multicast traffic is the traffic of the dynamic routing which is for ERP or SPF or any of that. Since we’re using ERP we need to put multicast because we’re using a dynamic routing interface or dynamic routing.

Then you want to do a ton of source let me see what’s the source of it. Right? And then we want to do an IP and SRP IP and SRP network ID and we set it ten which needs to match the same as the hub. Then we do IP or not your IP and SRP short shortcut. I forgot to P right here. So Ipnsrp shortcut and then you want to do a ton of mode GRE multi point and after that you want to do a ton of protection IPsec profile IPsec profile which is going to be configured right here. Let’s go ahead and move this one over here and it’s going to be paste down here. And for this one let’s do a do show IP interface brief. We want to have look back zero. So this one’s going to be four and the rest is going to be the same. Okay, so let’s go ahead and everything has been configured. It looks like it’s good. Go ahead and copy all of this and paste it into four. Okay. You can see ice camp came up. ERP has a new neighbor which is the hub. You can see we have a new adjacency and we also receive those crypto. So the IP section is up. If you do a Show IP JRP neighbors, we have a new neighbor.

One and two. That one four, which is what are four. We do a show crypto. Isaac camp SA. We should have an isocampus a up and running show. IP interface. Breathe. The tunnel is up, so that’s good. If you want to see show crypto engine connections active, you can see the active connections that we have right now. So that’s good. Everything is working. So if we do a show IP, DMVPN VPN or show DMVPN, you can see we have a DMVPN configure. Also show IP and SRP. You can see that we have an SRP created which was dynamically learned the Tonal IP address. 1921 street, ten four, the IP address of router four and then the MBMA IP address of router four as well. Router four, you also have the same. There we go. But this one was statically configured because we manually entered it when we set that IPN SRP NHS. This right here says that it will statically configure and since we did not do it for the mVPN, it was learned dynamically. You can say we heard type dynamically. Now let’s go ahead and configure router five. And all we have to do right here is change this to file five, which is a loop pack IP address. The source interface is gigabyte two. The IP address is going to be five and then the rest is history. So the rest is the same. The rest is going to be the same.

So you can just go ahead and copy this and paste it into router five. Let’s go into config mode first. There you go. I can be signed. Your RGB is up. So now we can see we have a new narrative relationship. When we have a new IPsec toner created, we do a Show crypto. I can per say. You see, now that we have 251 41 working good, we can also do the Show IP and SRP both dynamically learn the 50 and the 45 and the four show the mVPN. We have two connections. We have all those connections, the mVPN. So all is good. So now what’s going to happen? Let’s go into router four. Let’s do a Show IP route and you can see that we have a route to the five network. And we have let me see we have these router four, right? We’re saying that to reach router five, you have to go via one and two 1810 five and let’s go ahead and do a Show IP and SRP. We only have learned one. So we only have one tonal created. So if we do Show crypto isaac Amp Assay you’re going to see that we only have one tonal created. I hope you spoke communication and only one NhRP tone over here.

So now if you do a choice route to file a file five you’re going to see that the first packet went through the hub within the hub since it has configured with the IP and SRP redirect it sent. A packet or to Router Four, telling it that there’s the best way to get to Router Five and it is via if you go ahead and do Ipnsrp. You can see now that we have more NhRP in here and what the hub did send it because it has the IP SRP redirect in here and this one has a shortcut. So it sends it right here, it send the shortcut to router four and router four saved it in their database and what it did was that it sent information about how to reach router five directly. So now you can see over here that we learn anyway and it will dynamically learn if we do a trace route to router five. It goes now straight to router five because now it form a spoke to spoke communication with router five.

So that’s how DMVPN works with aggregation one. So now we are going to configure flexvn with Dvti flexvn VN ike, version two. So let’s go ahead and configure that we can go ahead and close all this. Let’s go ahead and go to the hub, order one, order two and order three and let’s go ahead and configure all that good stuff. Enable. So from the hub interface is brief config t. So the first steps that we need to do is we need to go ahead and enable a new matter for AAA because we’re going to use AAA authorization. We’re going to say AAA authorization. We are going to use the network and it’s going to be called Flexvpn list and we’re going to use the local router to authenticate because we’re not going to be using you could either use a group and a group will give you the radius tactics or LDAP. So since we’re not using that, we’re going to use the local you can just go ahead and choose local. Then you want to go ahead and do it permit access list. It’s going to be standard and we’re going to be called this Flex ACL and here we’re going to what we want to permit, we want to permit any because we need to permit traffic coming from order three, router two and router one. So let’s just go ahead and do permit any so we can allow any traffic.

Then after that is done, you want to do and do a crypto aggression two authorization policy. We’re going to use the default policy and inside this default policy we want to route set interface, then we want to do a route set access list and we want to add the access list that we just created which says to just permit any. All right, after that is done, we want to do a crypto IQB two caring, we’re going to call it IQB two caring. And inside of here we want to do the peer, it’s going to be any peer, the address. We are going to do a Walker mask to any IP address and the pre shared key you’re going to call your CCMP security and that’s going to be the key that is going to be used by router three, router two and router one to access or to authenticate. With that I version two, phase one. Okay, after that is done, we need to go ahead and create a crypto agbi two profile. We’re going to call this aggregate profile. And inside right here, we need to do a match identity of the remote address Walcar mask again.

Then you want to do a yes match identity remote to any IP address. Then you want to authenticate remotes going to the preshirt key because you’re using the key ring and the key ring has a preserve key configured to it and then local also using a pressure key. Then you want to attach the ICB two local hearing, which we call IQB two keyring, I believe. Where is it? Where is the ICB two caring? Right here. IB two caring. ICB two caring. Good. Then after that is done, we are going to attach a virtual template which is going to a virtual template eight that we have not created yet, but we are going to create an X. Then we need to add the authorization that we created and it was a group using the pressure key. The list. We call the list if I can find it. Here we go.

Flexibility in list place it right here. And then the authorization, the aggravated authorization that we used was the default. Let’s see if I can find that in here. There we go. The aggregate authorization policy was the default. So we need to add the default at the end. Done. We are done with aggregate to profile the aggregate aggregate authorization policy. Now we need to do the crypto IPsec transfer set and the crypto IPsec profile. So crypto IPsec Transfer Set We are going to call this TSET. We’re going to use Espasmac exit. We do the crypto. IPsec IPsec Profile We’re going to name this IPsec profile. We’re going to set the transform set and we name the transform set Tseet. And then we’re going to set the IQB two profile which we call ICB two profile. Okay, then let’s go ahead and configure the template interface virtual template name, which is eight type tonal, which was the same one that we attached to the IQB two profile. Okay, there we go. And then after that is done, we want to do the tonal source and then the IP address is going to be a number.

And I believe if we do show IP interface brief, we want to use loop back eight so IP a number, loopback eight. After that it’s done. It’s doing an IPN SRP redirect and IPN SRP network ID one toner protection, IPsec profile rename the IPsec profile. IPsec profile. Good. So since most of the configuration is going to be the same. We are also going to be using Liftpad for that. So we can just copy and paste my configuration in here. So let’s go ahead and do a show. Go ahead and cancel that show run section crypto. We want to go ahead and copy all of this because it’s going to be identical to what we have done. Also let’s go all the way over here. You want to get the first AAA new model and then AAA Authorization, then Triple Authorization Flex list and it was a local one copy paste it right here. Then we create an IP access list, select VPN and we want to permit the IP address of the loopback of other one. So if we get that information, enable Show IP interface brief which is 101. So we want to permit there we go. And after that we configure the Crypto ID two authorization policy, copy it, paste it in here and inside this policy we just set the router route set to interface and then we added the access list so I could be an ACL. And then after that we did the aggregate which is not in here. Let’s go ahead and do Show crypto agree two kieran. No, it doesn’t show it.

Okay, let’s do a Showrun section kieran and here’s the key ring. You want to go ahead and copy all this? Paste it in here and in the query we need to just say that the peer and we need to connect to the server or the hub. Let’s just go ahead and call it Hub and the hub is this one over here and we need to specify the IP address of the hub which is 192. Let me see 109, 218181, CCMP security and then you want to do another pier which is going to be for all the spokes. So for router two, router three we are going to authenticate. Let’s just go and do spokes. And this one here, we’re going to just set a Walker mask. There you go. So that’s good kieran. Let’s see what else we did. And then after the kirin we did the IPsec profile match kirin. The template is going to be one. So we’re going to over here, default Flexvpn list is good, IPsec is going to stay the same. So for now, over here from router one we need to create a tonal interface and the tone interface is going to connect to the hub and then we need to create a template which is going to connect with router two and router three spokes. Okay, so let’s go ahead and do that. So I can just go ahead and configure over here the interface tunnel. You’re going to say tunnel zero to make some space. You want to do the IP address.

We are going to get the IP address of router one. We are going to slope back zero for that. Let’s go and bring up IP address or IP on number loop back zero. Then we want to do a ton of mode GRE over IPV four tonal source for router 10. Then we do tonal destination because it’s going to be spoke to spoke destination. It’s going to be 192 181, which is the MBA IP address of the Hub. Good. Then we do IP and SRP shortcut. And we want to say that we’re going to use virtual template one, which we’re going to configure next. Then the toner protection protection is going to use Ibsec profile and we name that ibsec profile IPsec profile. Then we create the interface virtual template one. We specify right here it’s going to be type tono. And inside right here we’re going to use IP on Number and we’re going to use tono zero. Let’s go ahead and make this tunnel one. Let’s make all the same numbers. IP. Network ID. I believe it was one for the Hub. Let me verify it.

Let’s do a showrun. It also needs to be in here. So ipnsrp Network One. That’s how it needs to be. It also needs to be in here somewhere. So we do the shortcut to the template. Then we do the tunnel protection, which is the same. So on number IP and SRP network ID, you could also do the IP and SRP shortcut, which needs to be the same. There we go. So we had configured everything. So what’s going to happen is that this tunnel is going to create a tunnel with the Hub and then this template is going to create a toner with the spokes. Okay? And that’s why whenever the Hub sends an IP and SRP redirect message to the router one, router one is going to create a spoke to spoke on vacation, router two and router three using the virtual template. So that’s good. Let’s go ahead and just copy and paste everything two, router 150. And I want to do it this half first, make sure I don’t get any errors. I did not see any errors. That’s good. Now let’s go ahead and create ike version two, profile and IPsec profile and the T set as well. The transform set. No errors. That’s good.

Now let’s go ahead and copy this interface, which is the one that’s going to create a ton of with the Hub. And now we’re to see I have an error tonal and it is with the tonnamo Gerno. There we go. It is not IP before, it is just IP. And then I did not add the ton of protection at the end. So let’s go ahead and add that ton of protection. Protection. There we go. Let’s go ahead and change that protection and turner mode GRE IP. You can see that access camp is up. We have a virtual interface, so IP interface brief. We have a virtual access show. IP interface briefly do show and the interface is down for this tunnel. So let’s see what we miss. Shell run code back on number ID shortcut source destination protection. That looks good to me. So disable. Okay, I believe I know why this is it. So what we need to do is since we do a Show IP route, you can see that I have a static route default route. So we need to go ahead and delete that. So it’s going to and do no IP route to this and it’s sending it to one and two, one two. And we can do IP route, we can do just one static route to 192 180 interface. Let’s go ahead and shut it down and then do no shut down. It’s changed to up and there we go. So now it is up.

So we also need to delete it from router two and router three and do the same so we don’t get that error. No IP route 1921, 221-921-8501 and 2122 need to do it for router three config noiproute two make to delay my depot, route 32. Then do I p route two, one and 2181 and 2132 and that should be good for all that. So now you can see that we have those that Dvti working. So if we do a Show IP interface brief you’re going to see that template created virtual Access tool. These here is the IP address. We do a show crypto SA. You can see the essay in here. So it is working. So now router one created a tono via toner one with the hub. So now we need to go ahead and create this virtual template that’s going to create a spoke to spoke communication. We write a two out of three. So we copy everything and paste it in here. Let’s go ahead and protection. There we go. Let’s go ahead and remove that from over here. So that’s good. So now we do show IP interface brief. We have not virtual templates. It’s not a sign that is not assigned that you cannot use interface.

Okay so let’s go ahead and use the loop back then. So we’re going to use loopback zero. So this one is going to be loopback zero which is basically the same IP address are we going to borrow? Okay, we do show IP interface brief. You can see right here, one by one by one. Good. So now we need to go ahead and configure router two. Router three. Router two do is do show IP interface brief. Want to verify that we use the loopback zero. So that’s good. So all we need to change right here, let me see. Let’s just go ahead and say we want to use tonal two, number 81, template two, template two, template two. Anything else that we got to change, we got to change this one needs to say two kieran the same. So everything stays the same over here, virtual two. So everything is going to stay the same for router two. So let’s go ahead and copy this first. No errors. Let’s go ahead and do the other half. No errors. Good turnout. Two template, two destinations.

Source is the same. Go ahead and copy it paste. Good. So now you can see as a campus up toner interface is up if we go head to the Hub. If we do Show Crypto aggression, two essay. Now we have two essays over here. We do show IP interface brief. We have access one, virtual access One and virtual access two. So that’s good. So now let’s go ahead and go to Router two and finish with this one right here. Good. And it’s down because we don’t have any spoke to spoke communication right now. So that is fine. If you go ahead to the Hub and do Show IP route, you’re going to see a couple of routes to the One network, which is router one, and to the Two network, which is router two. We don’t see router three because we have not configured yet and we’re going to configure. Now let’s go ahead and change this to three. Three. Three. What else? Three. And also the access list to three. And also let’s verify from other three to Show IP interface brief. Loop back zero three or three. Or three or three. Good. So now we can just go ahead and copy all of this and paste it because we have verified that everything works with no errors. Copy. Okay, paste everything. And there we go.

We know errors. Let’s go ahead and go to the Hub. You can see that we have another virtual interface up Show IP route. You can see the three network right here. And if you do a Show IP interface brief, you have access one, two and three using the same IP address. So if we do a Show Crypto, I do two essays, which you have three essays over here, three security associations. There we go. One is for Router one, router Three and then we have Router two. Okay, so that’s good. So now let’s see what happens. Whenever we try to for Router One, we try to reach router Two. Let’s see what’s going to happen. And what I believe or what should happen is that if we do Show Crypto, I agree with two essays, you see that we only have one, which is with the Hub. So now whenever I ping Router Two, we are going to create another essay or another security association with Water Two. And that’s going to be a spoke to spoke communication. If we do a Show IPN SRP, we do not have any. So let’s go ahead and do a trace route Two. And I believe you froze. There we go.

There we go. And there we go. So now since it sent it to the Hub and the Hub send that redirect message to Router One, it told router One how to get directly to Router Two. So let’s see if I can do a show at the NhRP. Now you can see that we have NhRP traffic. We see a route to Router Two and a router to yourself and another route to Router Two. Dynamically learned. Everything was dynamically learned. This one is still incomplete. I think that one fell. So this one is the correct one. So let’s go ahead and try to ping. Do we want a ping or we want to do a trace route again? Let’s go ahead and do a trace route again. You see right here that you form another essay. So if you do a Show Crypto SA, you see that we have two essays, one for the Hub, one and Two, that 180. And the other one, which is a spoke to spoke communication directly to Router One. So that’s good. You can see now that we did not go to the Hub. As you can see right here, first we went to the Hub.

Now we go straight to Router Two, which is via Two. If we do a Show IP route, you’re going to see that we have a route to Two or two. And this sign right here means that it is the most direct hub, right? It is the next half override. Okay, so that’s what it’s saying. It is saying, do not send it to the Hub. Send it directly to Router Two. Now let’s go ahead and do another trace route and let’s do it to the Router Three so we can form a spoke to spoke communication with it. And we don’t see any Route Two three because we have not formed a spoke to spoke communication yet, because the Hub right now it is going to send me that information and there we go. And if we go to Router Three, you’re also going to see that that will receive that. So if you do Show Crypto IP two essay, we should see two essays, one for the Hub and the other one for Router One router. Once you have. Now router two and Router Three we do show NhRP. You can see everything over here.

Oshaw crypto. I agree. Two SA, you see it right here. So we have one toner for router three and four. Router Two, which I spoke to spoke and one for the Hub, which is a hub to spoke communication. Okay, but Router Two only have two assays or should only have two essays. One for router for the remote route for the remote router or router One and then another one for the Hub. So if you do a trace route two, three or even a ping or anything like that, it should send it to the Hub the first time, and then the Hub is going to send it to rotter three and then it’s going to send that information to her. Two, saying that, hey, here’s another way that you can make sure that three and it’s going to send it to me.

And then if I do another trace route, since now we build that spoke to spot communication if we do a shell crypto equity USA. Now we have three tunnels, one, two, router three, two out of one, and the hub and rotate three should have the same, the hub, router one and router two. So that’s how you can build a Flexvpn Dvti or Flexvpn spoke to spoke communication or Flexvpn spoke to Flexvpn help to spoke and spoke to spoke communication with Ike version two or Aka Flexvpn. Right? And we also learned how to create a hub to spoke communication and spoke to spell communication with DMVPN.

And it was all thanks to NSRP. So NSRP is the protocol that lets us create that spoke to spot communication. So we don’t need to go straight to the hub and then to a spoke. Therefore, if the hub goes down, we still have that route in there so we know how to get to water two and router three. And also that the hub does not need to be as powerful because it doesn’t have to route all the packets to router three anymore. So router one is able to go directly to route three. So all the traffic doesn’t now go through to the hub. Okay, so if the hub goes down, we still have that communication. So this is it for this video, guys. I hope you guys enjoyed this video. And if you guys enjoy this video.

• Category: Uncategorized