IPsec Dynamic Multipoint VPN Configuration.

Posted: Sunday, August 10, 2014

Dynamic Multipoint VPN (DMVPN) is a great way to set up full-mesh connectivity dynamically between VPN peers using a simple hub-and-spoke configuration. In this article, I will explain the core pieces that make up a DMVPN, including Next Hop Resolution Protocol (NHRP), multipoint GRE tunnel interfaces, dynamic routing protocols, and more. The configuration of IPsec to protect the DMVPN tunnel is also included in this article.

DMVPN is a combination of the following technologies:
Next Hop Resolution Protocol (NHRP): Very similar to the Address Resolution Protocol (ARP). While ARP resolves layer 3 IP addresses to layer 2 MAC addresses, NHRP resolves tunnel IP addresses to their corresponding Non-Broadcast Multi-Access (NBMA) IP addresses so that tunnels to VPN peers can be formed dynamically when needed.

NHRP is a client-server protocol. Usually the DMVPN hub plays the role of the NHRP server (NHS) and performs the tunnel IP address to NBMA IP address resolution, while the DMVPN spokes register themselves with the NHS as NHRP clients, each with a mapping of its tunnel IP address to its NBMA IP address.

Multipoint GRE (mGRE) Tunnel Interfaces: A classic GRE tunnel is point-to-point, but mGRE generalizes this idea by allowing a tunnel to have multiple destinations. The destination IP address is resolved from the mapping present in the NHRP table to set up full-mesh connectivity on demand.

Dynamic Routing Protocol (EIGRP, RIP, OSPF, and BGP): Adding a routing protocol is necessary to advertise the remote networks to the VPN peers. The tunnel interface should have split horizon disabled so that routes received from the VPN spokes are advertised to the other VPN spokes over the same interface. You also need to configure the DMVPN hub to preserve the source IP address of the routes being advertised by disabling the next-hop-self feature.

Dynamic IPsec encryption: IPsec is not a required piece, but it is recommended in order to add a layer of security to your environment. IPsec can be added to the DMVPN topology (and usually is) to provide encryption, authentication, and data integrity services for the packets traveling between the mGRE interfaces.

“Make the configuration process as modular as possible. First, configure the mGRE tunnel, followed by the NHRP protocol. Once you have the tunnel up, verify the NHRP resolution, then add a routing protocol to advertise the remote networks, and encrypt the DMVPN traffic using IPsec as the last step.”

You can download the topology used in this scenario and the configuration files from here

DMVPN Hub Configuration.
mGRE tunnel interface configuration.
-Configure a tunnel interface with the tunnel IP address and the NBMA interface as the tunnel source, and set the tunnel mode to multipoint to allow multiple destinations over the same interface. It is also recommended to secure the tunnel with a key, which must be the same on all the peers participating in the DMVPN network.
DMVPN-HUB(config)#interface Tunnel 3
DMVPN-HUB(config-if)#ip address 192.168.10.3 255.255.255.0
DMVPN-HUB(config-if)#tunnel source FastEthernet0/0
DMVPN-HUB(config-if)#tunnel mode gre multipoint
DMVPN-HUB(config-if)#tunnel key 1122

Next Hop Resolution Protocol (NHRP) Configuration.
-Configure the DMVPN hub to learn the tunnel IP-to-NBMA IP address mappings dynamically from the NHRP clients using multicast. This command sets the DMVPN-HUB as the NHS server.
-Secure the NHRP network by configuring a network ID that must be the same on all the DMVPN peers, and restrict NHRP client registration to clients authenticated with the “NHRP-KEY” authentication key.
-The “shortcut” and “redirect” commands cause the NHS server to send a redirect message to the NHRP client containing the NBMA IP address of the destination it wants to reach. The client uses it as a shortcut path for subsequent packets instead of passing through the DMVPN hub.
DMVPN-HUB(config)#interface Tunnel 3
DMVPN-HUB(config-if)#ip nhrp map multicast dynamic
DMVPN-HUB(config-if)#ip nhrp authentication NHRP-KEY
DMVPN-HUB(config-if)#ip nhrp network-id 1
DMVPN-HUB(config-if)#ip nhrp shortcut
DMVPN-HUB(config-if)#ip nhrp redirect                                                      

Routing Protocol Configuration.
-Configure the EIGRP autonomous system number and the routes to advertise.
DMVPN-HUB(config)#router eigrp 1
DMVPN-HUB(config-router)#network 0.0.0.0

-In this scenario I will use EIGRP to advertise the remote networks. It is important to know that EIGRP, as a hybrid protocol, is very close to being a distance vector protocol, and as a result it uses the same loop prevention mechanisms that distance vector protocols use, in particular the split horizon rule. Disable split horizon on the tunnel interface so that routes received from EIGRP neighbors are advertised to other EIGRP neighbors over the same interface.
-Also disable the “next-hop-self” feature to preserve the source IP address of the received EIGRP routes. If you do not disable this feature, the DMVPN hub will change the source IP address of the advertised routes to its own tunnel IP address, and as a result the DMVPN spokes will use the DMVPN hub as a tandem hop to communicate with each other instead of communicating directly.
DMVPN-HUB(config)#interface Tunnel 3
DMVPN-HUB(config-if)#no ip split-horizon eigrp 1
DMVPN-HUB(config-if)#no ip next-hop-self eigrp 1                                

IPsec Protection Configuration:
IKE Phase One / Internet Security and Key Management Protocol (ISAKMP) Configuration.
-Create an IKE phase 1 policy and define the encryption, authentication and Diffie-Hellman group to negotiate a security association with the VPN peers.
-Configure the IKE phase 1 pre-shared key for each peer. The key configured for a peer must match the key that peer configures for this router; otherwise the security association will not be established.
DMVPN-HUB(config)#crypto isakmp policy 1
DMVPN-HUB(config-isakmp)#encr aes 256
DMVPN-HUB(config-isakmp)#authentication pre-share
DMVPN-HUB(config-isakmp)#group 5
DMVPN-HUB(config-isakmp)#exit
DMVPN-HUB(config)#crypto isakmp key R1-ISAKMP-KEY address 192.168.1.1
DMVPN-HUB(config)#crypto isakmp key R2-ISAKMP-KEY address 192.168.1.2

IKE Phase Two / IPsec Configuration.
-Configure a transform set and define the security parameters to negotiate a security association to be used for data encryption and integrity during IKE phase 2 / IPsec phase.
-Nest the transform set into an IPsec profile as a prerequisite to apply it to the tunnel interface as a protection profile.
DMVPN-HUB(config)#crypto ipsec transform-set IPSEC-Transform-Set esp-aes
DMVPN-HUB(cfg-crypto-trans)#crypto ipsec profile IPSE-Profile
DMVPN-HUB(ipsec-profile)#set transform-set IPSEC-Transform-Set

Apply the IPsec profile to the tunnel interface
-In the tunnel configuration mode, enable IPsec protection using the security parameters configured in IPsec Profile.
DMVPN-HUB(config)#interface Tunnel 3           
DMVPN-HUB(config-if)#tunnel protection ipsec profile IPSE-Profile

DMVPN Spoke Configuration (DMVPN-SPOKE-1).
mGRE tunnel interface configuration.
-Very similar to the DMVPN hub tunnel interface configuration. Configure a tunnel interface with the tunnel IP address and the NBMA interface as the tunnel source, and set the tunnel mode to multipoint to allow multiple destinations over the same interface. It is also recommended to secure the tunnel with a key, which must be the same on all the peers participating in the DMVPN network.
Note: The source of the tunnel interface is identified by the NBMA interface name, not the IP address. This allows dynamic addressing on the NBMA interface without interrupting the tunnel operation after IP address changes.
DMVPN-SPOKE-1(config)#interface Tunnel 1
DMVPN-SPOKE-1(config-if)#ip address 192.168.10.1 255.255.255.0
DMVPN-SPOKE-1(config-if)#tunnel source FastEthernet0/0
DMVPN-SPOKE-1(config-if)#tunnel mode gre multipoint
DMVPN-SPOKE-1(config-if)#tunnel key 1122

NHRP Configuration.
-Configure the DMVPN spoke to register with the NHS, identified by its tunnel IP address. Since the NHRP client cannot reach the NHS server directly using its tunnel IP address, you need to create a static NHRP map that resolves the NHS tunnel IP address to its NBMA IP address.
-Configure the NHRP client to send any multicast traffic to the NHS server.
-Configure the network ID and the authentication key to match configuration on the NHS server.
-Enable shortcut on all the NHRP clients to use the shortcut path received from the NHS server.
DMVPN-SPOKE-1(config)#interface Tunnel 1
DMVPN-SPOKE-1(config-if)#ip nhrp nhs 192.168.10.3
DMVPN-SPOKE-1(config-if)#ip nhrp map 192.168.10.3 192.168.1.3
DMVPN-SPOKE-1(config-if)#ip nhrp map multicast 192.168.1.3
DMVPN-SPOKE-1(config-if)#ip nhrp authentication NHRP-KEY
DMVPN-SPOKE-1(config-if)#ip nhrp network-id 1
DMVPN-SPOKE-1(config-if)#ip nhrp shortcut

Routing Protocol Configuration.
-Configure the EIGRP autonomous system number to match the number configured on the DMVPN hub so that a neighborship is established, and configure the routes to advertise.
DMVPN-SPOKE-1(config)#router eigrp 1                   
DMVPN-SPOKE-1(config-router)#network 0.0.0.0

IPsec Configuration:
IKE Phase One / Internet Security and Key Management Protocol (ISAKMP) Configuration.
-Create an IKE phase 1 policy and define the encryption, authentication and Diffie-Hellman group to negotiate a security association with the VPN peers.
-Configure the IKE phase 1 pre-shared key for each peer. The key configured for a peer must match the key that peer configures for this router, on the DMVPN hub and on the spokes alike.
DMVPN-SPOKE-1(config)#crypto isakmp policy 1
DMVPN-SPOKE-1(config-isakmp)#encr aes 256
DMVPN-SPOKE-1(config-isakmp)#authentication pre-share
DMVPN-SPOKE-1(config-isakmp)#group 5
DMVPN-SPOKE-1(config-isakmp)#exit
DMVPN-SPOKE-1(config)#crypto isakmp key R3-ISAKMP-KEY address 192.168.1.3
DMVPN-SPOKE-1(config)#crypto isakmp key R2-ISAKMP-KEY address 192.168.1.2

IKE Phase Two / IPsec Configuration.
-Configure a transform set and define the security parameters to negotiate a security association to be used for data encryption and integrity during IKE phase 2 / IPsec phase.
-Nest the transform set into an IPsec profile as a prerequisite to apply it to the tunnel interface as a protection profile as we did before on the DMVPN hub.
DMVPN-SPOKE-1(config)#crypto ipsec transform-set IPSEC-Transform-Set esp-aes
DMVPN-SPOKE-1(cfg-crypto-trans)#crypto ipsec profile IPSE-Profile
DMVPN-SPOKE-1(ipsec-profile)#set transform-set IPSEC-Transform-Set

Apply the IPsec profile to the tunnel interface
-In the tunnel configuration mode, enable IPsec protection using the security parameters configured in IPsec Profile.
DMVPN-SPOKE-1(config)#interface Tunnel 1               
DMVPN-SPOKE-1(config-if)#tunnel protection ipsec profile IPSE-Profile

DMVPN Spoke Configuration (DMVPN-SPOKE-2).
mGRE tunnel interface configuration.
-The configuration of DMVPN-SPOKE-2 is virtually identical to the DMVPN-SPOKE-1 configuration. Configure a tunnel interface with the tunnel IP address and the NBMA interface as the tunnel source, and set the tunnel mode to multipoint to allow multiple destinations over the same interface. It is also recommended to secure the tunnel with a key, which must be the same on all the peers participating in the DMVPN network.
DMVPN-SPOKE-2(config)#interface Tunnel 2
DMVPN-SPOKE-2(config-if)#ip address 192.168.10.2 255.255.255.0
DMVPN-SPOKE-2(config-if)#tunnel source FastEthernet0/0
DMVPN-SPOKE-2(config-if)#tunnel mode gre multipoint
DMVPN-SPOKE-2(config-if)#tunnel key 1122

NHRP Configuration.
-Configure the DMVPN spoke to register with the NHS, identified by its tunnel IP address. Since the NHRP client cannot reach the NHS server directly using its tunnel IP address, you need to create a static NHRP map that resolves the NHS tunnel IP address to its NBMA IP address.
-Configure the NHRP client to send any multicast traffic to the NHS server.
-Configure the network ID and the authentication key to match configuration on the NHS server.
-Enable shortcut on all the NHRP clients to use the shortcut path received from the NHS server.
DMVPN-SPOKE-2(config)#interface tunnel 2
DMVPN-SPOKE-2(config-if)#ip nhrp nhs 192.168.10.3
DMVPN-SPOKE-2(config-if)#ip nhrp map 192.168.10.3 192.168.1.3
DMVPN-SPOKE-2(config-if)#ip nhrp map multicast 192.168.1.3
DMVPN-SPOKE-2(config-if)#ip nhrp authentication NHRP-KEY
DMVPN-SPOKE-2(config-if)#ip nhrp network-id 1
DMVPN-SPOKE-2(config-if)#ip nhrp shortcut

Routing Protocol Configuration.
-Configure the EIGRP autonomous system number to match the number configured on the DMVPN hub and spokes so that a neighborship is established, and configure the routes to advertise.
DMVPN-SPOKE-2(config)#router eigrp 1                      
DMVPN-SPOKE-2(config-router)#network 0.0.0.0

IPsec Configuration:
IKE Phase One / Internet Security and Key Management Protocol (ISAKMP) Configuration.
-Create an IKE phase 1 policy and define the encryption, authentication and Diffie-Hellman group to negotiate a security association with the VPN peers.
-Configure the IKE phase 1 pre-shared key for each peer. The key configured for a peer must match the key that peer configures for this router, on the hub and on the spokes alike.
DMVPN-SPOKE-2(config)#crypto isakmp policy 1
DMVPN-SPOKE-2(config-isakmp)#encr aes 256
DMVPN-SPOKE-2(config-isakmp)#authentication pre-share
DMVPN-SPOKE-2(config-isakmp)#group 5
DMVPN-SPOKE-2(config-isakmp)#exit
DMVPN-SPOKE-2(config)#crypto isakmp key R3-ISAKMP-KEY address 192.168.1.3
DMVPN-SPOKE-2(config)#crypto isakmp key R1-ISAKMP-KEY address 192.168.1.1

IKE Phase Two /IPsec Configuration.
-Configure a transform set and define the security parameters to negotiate a security association to be used for data encryption and integrity during IKE phase 2 / IPsec phase.
-Nest the transform set into an IPsec profile as a prerequisite to apply it to the tunnel interface as a protection profile.
DMVPN-SPOKE-2(config)#crypto ipsec transform-set IPSEC-Transform-Set esp-aes
DMVPN-SPOKE-2(cfg-crypto-trans)#crypto ipsec profile IPSE-Profile
DMVPN-SPOKE-2(ipsec-profile)#set transform-set IPSEC-Transform-Set

Apply the IPsec profile to the tunnel interface
-In the tunnel configuration mode, enable IPsec protection using the security parameters configured in IPsec Profile.
DMVPN-SPOKE-2(config)#interface Tunnel 2
DMVPN-SPOKE-2(config-if)#tunnel protection ipsec profile IPSE-Profile
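
A pre-deployment check for the crypto settings above, added here as an example and not part of the original article. It verifies that every peer pair holds the same pre-shared key on both ends and flags the DH group and transform set for review. Run over the key lines exactly as printed above, it reports all three pairs as mismatched, because each listing names the key after the remote router; treat those names as placeholders and enter one shared secret on both ends of each pair. The function names, the weak-group set and the integrity test are assumptions of this example.

```python
import re
from itertools import combinations

# Crypto lines as printed in this article, CLI prompts stripped.
# Routers are keyed by NBMA address: hub .3, spoke-1 .1, spoke-2 .2.
COMMON = """crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
crypto ipsec transform-set IPSEC-Transform-Set esp-aes
"""
CONFIGS = {
    "192.168.1.3": COMMON
    + "crypto isakmp key R1-ISAKMP-KEY address 192.168.1.1\n"
    + "crypto isakmp key R2-ISAKMP-KEY address 192.168.1.2\n",
    "192.168.1.1": COMMON
    + "crypto isakmp key R3-ISAKMP-KEY address 192.168.1.3\n"
    + "crypto isakmp key R2-ISAKMP-KEY address 192.168.1.2\n",
    "192.168.1.2": COMMON
    + "crypto isakmp key R3-ISAKMP-KEY address 192.168.1.3\n"
    + "crypto isakmp key R1-ISAKMP-KEY address 192.168.1.1\n",
}

KEY_RE = re.compile(r"^crypto isakmp key (\S+) address (\S+)", re.M)
GROUP_RE = re.compile(r"^[ \t]*group (\d+)", re.M)
TSET_RE = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$", re.M)

# Assumption of this example: MODP groups of 1536 bits or fewer count as weak.
WEAK_DH_GROUPS = {"1", "2", "5"}
# Transforms that carry their own integrity check (AES-GCM / GMAC).
AEAD_TRANSFORMS = {"esp-gcm", "esp-gmac"}


def psk_mismatches(configs):
    """Return (router_a, router_b, reason) for each pair whose keys cannot match.

    Assumes a full mesh (spoke-to-spoke tunnels), so every pair needs a key.
    Key strings are compared but never returned, so the report is safe to log.
    """
    keys = {router: {peer: key for key, peer in KEY_RE.findall(cfg)}
            for router, cfg in configs.items()}
    problems = []
    for a, b in combinations(sorted(configs), 2):
        key_ab, key_ba = keys[a].get(b), keys[b].get(a)
        if key_ab is None or key_ba is None:
            problems.append((a, b, "no key configured on one side"))
        elif key_ab != key_ba:
            problems.append((a, b, "key strings differ"))
    return problems


def weak_crypto(config):
    """Return findings for weak IKE DH groups and unauthenticated transform sets."""
    findings = [f"IKE DH group {g}" for g in GROUP_RE.findall(config)
                if g in WEAK_DH_GROUPS]
    for name, transforms in TSET_RE.findall(config):
        tokens = transforms.split()
        # An HMAC transform (esp-*-hmac, ah-*-hmac) or an AEAD mode adds integrity.
        authenticated = any(t.endswith("-hmac") or t in AEAD_TRANSFORMS
                            for t in tokens)
        if not authenticated:
            findings.append(f"transform-set {name}: encryption without integrity")
    return findings


if __name__ == "__main__":
    for a, b, why in psk_mismatches(CONFIGS):
        print(f"PSK {a} <-> {b}: {why}")
    for router, cfg in CONFIGS.items():
        for finding in weak_crypto(cfg):
            print(f"{router}: {finding}")
```

The transform-set finding corresponds to the "replay detection support: N" lines in the IPsec verification output further down: esp-aes alone encrypts but does not authenticate packets.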

Verification:
Tunnel status Verification.
-Use the “show ip interface brief” command to verify that the tunnel interface is up, and also verify the status of the NBMA interface used as the tunnel source.
DMVPN-HUB#sh ip interface brief
Interface                    IP-Address       OK?  Method     Status                Protocol
FastEthernet0/0         192.168.1.3       YES  NVRAM  up                      up
Tunnel3                        192.168.10.3     YES  NVRAM  up                      up

Next Hop Resolution Protocol (NHRP) Verification:
NHRP Verification on the NHS Server.
-If the NHRP clients have registered successfully with the NHS server, you should see their tunnel IP address to NBMA IP address mappings dynamically learned by the NHS server.
DMVPN-HUB#sh ip nhrp brief                                        
Target                      Via                    NBMA            Mode     Intfc   Claimed
192.168.10.1/32      192.168.10.1    192.168.1.1     dynamic  Tu3     <   >
192.168.10.2/32      192.168.10.2    192.168.1.2     dynamic  Tu3     <   >

NHRP Verification on the NHRP Clients.
-The same command as on the NHS server, but with different output. Notice that on the NHRP client there is a static mapping to the NHS server, which the clients use for registration, in addition to the dynamic destinations the NHS server has resolved.
DMVPN-SPOKE-1#sh ip nhrp brief                      
Target                      Via                    NBMA            Mode     Intfc   Claimed
192.168.10.1/32      192.168.10.1    192.168.1.1     dynamic  Tu1     <   >
192.168.10.2/32      192.168.10.2    192.168.1.2     dynamic  Tu1     <   >
192.168.10.3/32      192.168.10.3    192.168.1.3     static       Tu1     <   >

DMVPN-SPOKE-2#sh ip nhrp brief
   Target             Via            NBMA           Mode   Intfc   Claimed
192.168.10.1/32      192.168.10.1    192.168.1.1     dynamic  Tu2     <   >
192.168.10.2/32      192.168.10.2    192.168.1.2     dynamic  Tu2     <   >
192.168.10.3/32      192.168.10.3    192.168.1.3     static   Tu2     <   >

DMVPN Verification:
DMVPN Verification on the hub.
-Use the “show dmvpn” command to list the active DMVPN tunnels. There are two tunnels on the DMVPN hub, one to each spoke, learned via the NHRP client registration.
DMVPN-HUB#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
=================================================================

Interface: Tunnel3, IPv4 NHRP Details
Type:Hub, NHRP Peers:2,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1    192.168.1.1          192.168.10.1       UP     00:19:55     D
     1    192.168.1.2          192.168.10.2       UP     00:19:50     D

DMVPN Verification on the Spokes.
-The same command as on the DMVPN hub, but with different output. There is a static mapping on each spoke pointing to the DMVPN hub in addition to the dynamically learned mappings.
Notice: On DMVPN-SPOKE-1 a dynamic mapping to DMVPN-SPOKE-2 has been resolved by the DMVPN hub, and vice versa on DMVPN-SPOKE-2.
DMVPN-SPOKE-1#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
=================================================================

Interface: Tunnel1, IPv4 NHRP Details
Type:Spoke, NHRP Peers:2,

 # Ent  Peer NBMA Addr  Peer Tunnel Add  State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1    192.168.1.2           192.168.10.2        UP     00:08:35     D
     1    192.168.1.3           192.168.10.3        UP     00:22:09     S

DMVPN-SPOKE-2#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
=================================================================

Interface: Tunnel2, IPv4 NHRP Details
Type:Spoke, NHRP Peers:2,

 # Ent  Peer NBMA Addr    Peer Tunnel Add    State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 192.168.1.1                192.168.10.1         UP     00:09:53     D
     1 192.168.1.3                192.168.10.3         UP     00:23:21     S

IKE Phase One / ISAKMP Verification.
-Use the “show crypto isakmp sa” command on the DMVPN hub to list the IKE phase 1 security associations (SA) negotiated with the DMVPN spokes.
DMVPN-HUB#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst                    src                   state                     conn-id  status
192.168.1.3     192.168.1.2     QM_IDLE           1002     ACTIVE
192.168.1.3     192.168.1.1     QM_IDLE           1001     ACTIVE

IPv6 Crypto ISAKMP SA

-The same command as on the hub, but with different output.
DMVPN-SPOKE-1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst                    src                   state                     conn-id  status
192.168.1.1     192.168.1.2     QM_IDLE           1002     ACTIVE
192.168.1.2     192.168.1.1     QM_IDLE           1003     ACTIVE
192.168.1.3     192.168.1.1     QM_IDLE           1001     ACTIVE
                                                          
IPv6 Crypto ISAKMP SA

DMVPN-SPOKE-2#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst                    src                   state                     conn-id  status
192.168.1.1     192.168.1.2     QM_IDLE           1002     ACTIVE
192.168.1.2     192.168.1.1     QM_IDLE           1003     ACTIVE
192.168.1.3     192.168.1.2     QM_IDLE           1001     ACTIVE

IPv6 Crypto ISAKMP SA

IKE Phase Two/ IPsec Verification
-Use the “show crypto ipsec sa” command on the hub and spokes to verify the incoming and outgoing IPsec tunnels used for data protection, in addition to the number of IPsec packets that have been sent to and received from each peer.

-By executing the command on the DMVPN hub we can see two peers (DMVPN-SPOKE-1 and DMVPN-SPOKE-2) on the same tunnel interface and two IPsec channels for each peer, one for incoming traffic and a second for outgoing traffic.
DMVPN-HUB#sh crypto ipsec sa

interface: Tunnel3
    Crypto map tag: Tunnel3-head-0, local addr 192.168.1.3

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.3/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (192.168.1.2/255.255.255.255/47/0)
   current_peer 192.168.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 435, #pkts encrypt: 435, #pkts digest: 435
    #pkts decaps: 440, #pkts decrypt: 440, #pkts verify: 440
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.1.3, remote crypto endpt.: 192.168.1.2
     path mtu 1500, ip mtu 1500, ip mtu idb (none)
     current outbound spi: 0x40CFEDF(67960543)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x13D4D63D(332715581)
        transform: esp-aes ,
        in use settings ={Tunnel, }
        conn id: 3, flow_id: 3, sibling_flags 80000040, crypto map: Tunnel3-head-0
        sa timing: remaining key lifetime (k/sec): (4270510/1666)
        IV size: 16 bytes
        replay detection support: N
        Status: ACTIVE(ACTIVE)
      spi: 0x3052AE7(50670311)
        transform: esp-aes ,
        in use settings ={Tunnel, }
        conn id: 5, flow_id: 5, sibling_flags 80000040, crypto map: Tunnel3-head-0
        sa timing: remaining key lifetime (k/sec): (4314821/1666)
        IV size: 16 bytes
        replay detection support: N
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x60F27B46(1626504006)
        transform: esp-aes ,
        in use settings ={Tunnel, }
        conn id: 4, flow_id: 4, sibling_flags 80000040, crypto map: Tunnel3-head-0
        sa timing: remaining key lifetime (k/sec): (4270510/1666)
        IV size: 16 bytes
        replay detection support: N
        Status: ACTIVE(ACTIVE)
      spi: 0x40CFEDF(67960543)
        transform: esp-aes ,
        in use settings ={Tunnel, }
        conn id: 6, flow_id: 6, sibling_flags 80000040, crypto map: Tunnel3-head-0
        sa timing: remaining key lifetime (k/sec): (4314821/1666)
        IV size: 16 bytes
        replay detection support: N
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.3/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (192.168.1.1/255.255.255.255/47/0)
   current_peer 192.168.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 440, #pkts encrypt: 440, #pkts digest: 440
    #pkts decaps: 440, #pkts decrypt: 440, #pkts verify: 440
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.1.3, remote crypto endpt.: 192.168.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb (none)
     current outbound spi: 0x691AD4EE(1763366126)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x27537935(659781941)
        transform: esp-aes ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: 1, sibling_flags 80000040, crypto map: Tunnel3-head-0
        sa timing: remaining key lifetime (k/sec): (4344661/1659)
        IV size: 16 bytes
        replay detection support: N
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x691AD4EE(1763366126)
        transform: esp-aes ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: 2, sibling_flags 80000040, crypto map: Tunnel3-head-0
        sa timing: remaining key lifetime (k/sec): (4344660/1659)
        IV size: 16 bytes
        replay detection support: N
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:


Summary: Forgive me! This is probably one of the longest articles on my blog, but now you see how all the components of DMVPN work together, including mGRE tunnel interfaces, NHRP and IPsec. We have not covered some other major topics like DMVPN redundancy with multiple hubs and NAT traversal with NHRP. Those advanced topics probably require a separate post, since this one has grown too big already.