03-20-2018 07:02 PM - edited 03-07-2019 12:22 AM
Hello, I am looking for advice on updating our DMVPN hub and spoke routers with new encryption and hashing protocols. I'd like to update them to:
crypto ipsec transform-set TSET2-new esp-aes 256 esp-sha-hmac
My main question is: is there a way to automatically have the spokes renegotiate their tunnels using the new transform set and IPsec profile that has been added? The steps below are what I have so far:
crypto ipsec transform-set TSET2-new esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec profile dmvpn-aes-new
 set transform-set TSET2-new
crypto ipsec transform-set TSET1-old esp-3des esp-sha-hmac
no crypto ipsec profile dmvpn-old
clear dmvpn-old session interface tunnel1
clear dmvpn-old session interface tunnel2
clear crypto sa
clear crypto isakmp
If it's not possible to have the spokes automatically switch over, what would be the best way to update 20+ DMVPN devices?
Is there anything else I should consider when making this change? Thanks for any help!
Hub configuration:
!
crypto ipsec transform-set TSET1-old esp-3des esp-sha-hmac
 mode tunnel
!
crypto ipsec profile dmvpn-old
 set transform-set TSET1-old
!
interface Tunnel1
 ...
 tunnel protection ipsec profile dmvpn-old shared
!
Spoke configuration:
!
crypto ipsec transform-set TSET1-old esp-3des esp-sha-hmac
 mode tunnel
!
crypto ipsec profile dmvpn-old
 set transform-set TSET1-old
!
interface Tunnel1
 ...
 tunnel protection ipsec profile dmvpn-old shared
!
03-22-2018 06:55 PM
03-21-2018 06:30 PM
Hi
You can't remove the old profile and have the tunnel take the new profile without configuring it.
You need in any case to apply the new profile under the tunnel interface configuration.
Here you don't have a lot of solutions.
Do you have SSH access to all routers over the WAN interface? If so, you can schedule a maintenance window and push all configs using a script.
If you have dynamic routing on all sites, you can create a new DMVPN cloud (new tunnel interfaces) using the new profile. When this new cloud is up and running, you can shut down the old tunnels. The impact will be smaller if routing has learned all the new IP addresses.
03-21-2018 07:36 PM
Thank you for the suggestion; setting up a new DMVPN cloud alongside the existing one seems to be the safest way to configure this! We do have dynamic routing enabled between all sites using EIGRP.
This seems like a really interesting idea. I guess there would be no problem setting up multiple DMVPN tunnels on a single source interface? We currently have a primary and secondary tunnel for most sites, so this method would add two more.
Do you know if there would be any issue with conflicting configurations on the hub or spoke after adding a second DMVPN cloud?
03-21-2018 08:43 PM
Adding a new cloud, which means a network that is different from the other one, you won't have any issues.
You already have 2 tunnels. The second one, which you called backup, how is it configured?
When I have your config for those secondary tunnels I will validate whether or not you can do the following. Depending on their config you can maybe leverage the second one as active with the new profile, and when they are up you change the first tunnel.
Can you share your tunnel config for the hub and 1 spoke to see those 2 tunnels?
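Building the second cloud the replies above describe, as an added example that is not code from the thread or from Cisco: a Python script that renders the hub and spoke side of a new DMVPN cloud on the AES-256/SHA transform set and IPsec profile from the original post, and first checks that the new tunnel number, tunnel key, NHRP network-id and tunnel subnet do not collide with the clouds already on the router. The existing clouds mirror the thread's Tunnel10 and Tunnel30; the new cloud's identifiers (Tunnel11, 172.16.11.0/24, key and network-id 110) and the NHRP authentication string are assumptions. The `shared` keyword the thread's configs already carry is what lets several tunnel interfaces on one tunnel source use the same IPsec profile.

```python
"""Added example (not from the thread): render the hub and spoke side of a second
DMVPN cloud that uses an AES-256/SHA-1 transform set, after checking that its
identifiers do not clash with the clouds already on the router. The site values
are constructed; the old clouds mirror the thread's Tunnel10/Tunnel30."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Cloud:
    tunnel: int        # interface Tunnel<N>
    network_id: int    # ip nhrp network-id
    key: int           # tunnel key
    subnet: str        # tunnel subnet; hub takes .1, spokes take the rest
    hub_nbma: str      # hub public (NBMA) address the spokes map to


# Existing clouds on the spoke in the thread (constructed from the posted config).
EXISTING = [Cloud(10, 100, 100, "172.16.1.0/24", "1.1.1.1"),
            Cloud(30, 300, 300, "172.16.3.0/24", "3.3.3.3")]
# Assumed identifiers for the new cloud; 172.16.11.0/24 is taken to be unused.
NEW = Cloud(11, 110, 110, "172.16.11.0/24", "1.1.1.1")


def collisions(new, existing):
    """List why `new` would clash with a cloud already configured: reused tunnel
    number, tunnel key, NHRP network-id, or an overlapping tunnel subnet."""
    new_net = ipaddress.ip_network(new.subnet)
    problems = []
    for old in existing:
        if old.tunnel == new.tunnel:
            problems.append(f"Tunnel{new.tunnel} already exists")
        if old.key == new.key:
            problems.append(f"tunnel key {new.key} already used by Tunnel{old.tunnel}")
        if old.network_id == new.network_id:
            problems.append(f"nhrp network-id {new.network_id} already used by Tunnel{old.tunnel}")
        if new_net.overlaps(ipaddress.ip_network(old.subnet)):
            problems.append(f"{new.subnet} overlaps {old.subnet} (Tunnel{old.tunnel})")
    return problems


def crypto_block(ts="TSET2-new", profile="dmvpn-aes-new"):
    """The transform set and profile from the original post: AES-256 with SHA-1 HMAC."""
    return (f"crypto ipsec transform-set {ts} esp-aes 256 esp-sha-hmac\n mode tunnel\n!\n"
            f"crypto ipsec profile {profile}\n set transform-set {ts}\n!\n")


def render_hub(cloud, source="GigabitEthernet0/1", profile="dmvpn-aes-new", nhrp_auth="NHRPAUTH"):
    """Hub-side mGRE interface for the new cloud (EIGRP AS 1 as in the thread).
    nhrp_auth is a placeholder; substitute the real NHRP authentication string."""
    net = ipaddress.ip_network(cloud.subnet)
    return crypto_block(profile=profile) + "\n".join([
        f"interface Tunnel{cloud.tunnel}",
        f" ip address {net.network_address + 1} {net.netmask}",
        " no ip redirects", " ip mtu 1400",
        " no ip next-hop-self eigrp 1", " no ip split-horizon eigrp 1",
        f" ip nhrp authentication {nhrp_auth}",
        " ip nhrp map multicast dynamic",
        f" ip nhrp network-id {cloud.network_id}", " ip nhrp holdtime 600",
        " ip tcp adjust-mss 1360",
        f" tunnel source {source}", " tunnel mode gre multipoint",
        f" tunnel key {cloud.key}",
        f" tunnel protection ipsec profile {profile} shared", "!", ""])


def render_spoke(cloud, host, source="GigabitEthernet0/0", profile="dmvpn-aes-new", nhrp_auth="NHRPAUTH"):
    """Spoke-side interface; `host` is the spoke's host number inside the tunnel subnet."""
    net = ipaddress.ip_network(cloud.subnet)
    hub_ip = net.network_address + 1
    return crypto_block(profile=profile) + "\n".join([
        f"interface Tunnel{cloud.tunnel}",
        f" ip address {net.network_address + host} {net.netmask}",
        " no ip redirects", " ip mtu 1400",
        f" ip nhrp authentication {nhrp_auth}",
        " ip nhrp map multicast dynamic",
        f" ip nhrp map {hub_ip} {cloud.hub_nbma}",
        f" ip nhrp map multicast {cloud.hub_nbma}",
        f" ip nhrp network-id {cloud.network_id}", " ip nhrp holdtime 600",
        f" ip nhrp nhs {hub_ip}",
        " ip tcp adjust-mss 1360",
        f" tunnel source {source}", " tunnel mode gre multipoint",
        f" tunnel key {cloud.key}",
        f" tunnel protection ipsec profile {profile} shared", "!", ""])


if __name__ == "__main__":
    assert not collisions(NEW, EXISTING), collisions(NEW, EXISTING)
    print(render_hub(NEW))
    print(render_spoke(NEW, host=10))
```

Run `collisions` against the clouds already on each router before generating anything; once the new cloud is up on both sides and EIGRP has learned the new tunnel subnet, the old Tunnel10/Tunnel30 interfaces can be shut down as the reply suggests.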
03-22-2018 11:54 AM
Ahhh, that's an excellent idea too. Configs for our hub and spoke are below. We have the primary tunnel going to our main datacenter, and the secondary going to our backup site.
We actually have two primary tunnels headed to our main datacenter (most locations only use one tunnel; locations with two ISPs use both, I believe).
Spoke:
!
crypto ipsec transform-set TSET1-OLD esp-3des esp-sha-hmac
 mode tunnel
!
crypto ipsec profile dmvpn-OLD
 set transform-set TSET1-OLD
!
interface Tunnel10
 description Primary Site DMVPN
 bandwidth 500
 ip address 172.16.1.10 255.255.255.0   #Spoke private IP
 no ip redirects
 ip mtu 1400
 ip nhrp authentication password
 ip nhrp map multicast dynamic
 ip nhrp map 172.16.1.1 1.1.1.1   #Hub private and public IP
 ip nhrp map multicast 1.1.1.1
 ip nhrp network-id 100
 ip nhrp holdtime 600
 ip nhrp nhs 172.16.1.1   #Hub private IP
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile dmvpn-OLD shared
!
interface Tunnel30
 description Secondary Site DMVPN Tunnel30
 bandwidth 120
 ip address 172.16.3.10 255.255.255.0   #Spoke private IP
 no ip redirects
 ip mtu 1400
 ip nhrp authentication password
 ip nhrp map multicast dynamic
 ip nhrp map 172.16.3.1 3.3.3.3   #Hub private and public IP
 ip nhrp map multicast 3.3.3.3
 ip nhrp network-id 300
 ip nhrp holdtime 600
 ip nhrp nhs 172.16.3.1   #Hub private IP
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 300
 tunnel protection ipsec profile dmvpn-OLD shared
!
Primary Site Hub:
!
crypto ipsec transform-set TSET1-OLD esp-3des esp-sha-hmac
 mode tunnel
!
crypto ipsec profile dmvpn-OLD
 set transform-set TSET1-OLD
!
interface Tunnel10
 description Primary Site DMVPN Tunnel10
 bandwidth 20480
 ip address 172.16.1.1 255.255.255.0   #Hub private IP
 no ip redirects
 ip mtu 1400
 no ip next-hop-self eigrp 1
 no ip split-horizon eigrp 1
 ip nhrp authentication password
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 ip nhrp holdtime 600
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile dmvpn-OLD shared
!
interface Tunnel20
 description Primary Site DMVPN Tunnel20
 ip address 172.16.2.1 255.255.255.0   #Hub private IP
 no ip redirects
 ip mtu 1400
 ip nhrp authentication password
 ip nhrp map multicast dynamic
 ip nhrp network-id 200
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel key 200
 tunnel protection ipsec profile dmvpn shared
!
Secondary Site Hub:
!
crypto ipsec transform-set TSET1-OLD esp-3des esp-sha-hmac
 mode tunnel
!
crypto ipsec profile dmvpn-OLD
 set transform-set TSET1-OLD
!
interface Tunnel10
 description Secondary Site DMVPN Tunnel30
 bandwidth 20480
 ip address 172.16.3.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 no ip next-hop-self eigrp 1
 no ip split-horizon eigrp 1
 ip nhrp authentication password
 ip nhrp map multicast dynamic
 ip nhrp network-id 300
 ip nhrp holdtime 600
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel key 300
 tunnel protection ipsec profile dmvpn-OLD shared
!
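As an added example (not from the thread or from Cisco), a Python audit that can be run over saved running-configs from the hub and each of the 20+ spokes: it parses the transform-set, profile and Tunnel sections, reports any tunnel still protected by a 3DES/DES/MD5 transform set or by a profile that is not defined (the Primary Site Hub's Tunnel20 above references a profile `dmvpn` that does not appear in the posted snippet), and cross-checks each spoke tunnel's NHRP network-id and tunnel key against the hub tunnel its NHS address points at. The HUB and SPOKE sample texts are constructed from the configs above plus an assumed Tunnel11 on the new `dmvpn-aes-new` profile; they are not the poster's full configs.

```python
"""Added example (not from the thread): audit IOS config text for DMVPN tunnels
still protected by a weak transform set, and cross-check spoke tunnels against
the hub. The sample configs are constructed from the thread's posted ones, with
an assumed Tunnel11 on the new AES-256 profile added next to Tunnel10."""
import re

WEAK = {"esp-3des", "esp-des", "esp-md5-hmac", "esp-null"}
RX_TS = re.compile(r"crypto ipsec transform-set (\S+) (.+)")
RX_PROF = re.compile(r"crypto ipsec profile (\S+)")
RX_IF = re.compile(r"interface (Tunnel\d+)")
FIELDS = {("ip", "address"): "ip", ("ip", "nhrp", "network-id"): "network_id",
          ("ip", "nhrp", "nhs"): "nhs", ("tunnel", "key"): "key",
          ("tunnel", "protection", "ipsec", "profile"): "profile"}

def parse_ios(config):
    """Return (transform_sets, profiles, tunnels). Sub-commands are recognised by
    their leading space; inline '#...' notes like the thread's are dropped."""
    ts, profiles, tunnels = {}, {}, {}
    kind = cur = None
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.strip() in ("", "!"):
            continue
        if not line.startswith(" "):              # a new top-level section starts
            kind = cur = None
            if m := RX_TS.match(line):
                ts[m.group(1)] = set(m.group(2).split())   # e.g. {'esp-3des', 'esp-sha-hmac'}
            elif m := RX_PROF.match(line):
                kind, cur = "profile", m.group(1)
                profiles[cur] = {}
            elif m := RX_IF.match(line):
                kind, cur = "tunnel", m.group(1)
                tunnels[cur] = {}
            continue
        w = line.split()
        if kind == "profile" and w[:2] == ["set", "transform-set"]:
            profiles[cur]["transform_set"] = w[2]
        elif kind == "tunnel":
            for prefix, field in FIELDS.items():
                if tuple(w[:len(prefix)]) == prefix:
                    tunnels[cur][field] = w[len(prefix)]
    return ts, profiles, tunnels

def weak_tunnels(config):
    """Map each Tunnel that is unprotected, points at an unknown transform set, or
    uses a WEAK algorithm to a one-line reason. Clean tunnels are left out."""
    ts, profiles, tunnels = parse_ios(config)
    findings = {}
    for name, t in tunnels.items():
        prof = t.get("profile")
        tsname = profiles.get(prof, {}).get("transform_set")
        if prof is None:
            findings[name] = "no tunnel protection configured"
        elif tsname not in ts:
            findings[name] = f"profile {prof} references unknown transform-set {tsname}"
        elif bad := sorted(ts[tsname] & WEAK):
            findings[name] = f"{prof}/{tsname} uses {', '.join(bad)}"
    return findings

def cross_check(hub_config, spoke_config):
    """For each spoke tunnel, find the hub tunnel whose address is the spoke's NHS and
    confirm nhrp network-id and tunnel key agree. Returns a list of mismatches."""
    _, _, hub = parse_ios(hub_config)
    _, _, spoke = parse_ios(spoke_config)
    hub_by_ip = {t["ip"]: (n, t) for n, t in hub.items() if "ip" in t}
    issues = []
    for name, s in spoke.items():
        if s.get("nhs") not in hub_by_ip:
            issues.append(f"{name}: NHS {s.get('nhs')} is not a hub tunnel address")
            continue
        hname, h = hub_by_ip[s["nhs"]]
        for field in ("network_id", "key"):
            if s.get(field) != h.get(field):
                issues.append(f"{name}: {field} {s.get(field)} != hub {hname} {h.get(field)}")
    return issues

def stanza(name, ip, nid, key, prof, nhs=None):
    """Constructed sample interface block carrying the fields parse_ios looks at."""
    nhs_line = [f" ip nhrp nhs {nhs}"] if nhs else []
    return "\n".join([f"interface {name}", f" ip address {ip} 255.255.255.0 #tunnel IP",
                      f" ip nhrp network-id {nid}", *nhs_line, f" tunnel key {key}",
                      f" tunnel protection ipsec profile {prof} shared"]) + "\n"

CRYPTO = """\
crypto ipsec transform-set TSET1-OLD esp-3des esp-sha-hmac
crypto ipsec transform-set TSET2-new esp-aes 256 esp-sha-hmac
crypto ipsec profile dmvpn-OLD
 set transform-set TSET1-OLD
crypto ipsec profile dmvpn-aes-new
 set transform-set TSET2-new
"""
HUB = (CRYPTO + stanza("Tunnel10", "172.16.1.1", 100, 100, "dmvpn-OLD")
       + stanza("Tunnel11", "172.16.11.1", 110, 110, "dmvpn-aes-new"))
SPOKE = (CRYPTO + stanza("Tunnel10", "172.16.1.10", 100, 100, "dmvpn-OLD", nhs="172.16.1.1")
         + stanza("Tunnel11", "172.16.11.10", 110, 110, "dmvpn-aes-new", nhs="172.16.11.1"))

if __name__ == "__main__":
    print(weak_tunnels(SPOKE))      # {'Tunnel10': 'dmvpn-OLD/TSET1-OLD uses esp-3des'}
    print(cross_check(HUB, SPOKE))  # []
```

Feed it the output of `show running-config` collected over the existing management access; the parser relies on IOS's one-space indentation of sub-commands, so keep the whitespace when saving the files. Once every spoke's `weak_tunnels` result is empty and `cross_check` is clean against the hub, the 3DES profile and its transform set can be removed.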
03-23-2018 06:45 AM
Thanks for the suggestion! Will be trying it out. On another note, would both DMVPN clouds share the same routes? I'm wondering how I could verify that the two clouds are the same in terms of routing.