Recommended IKEv2 Proposal

IKEv2 is an important protocol used in IPSec VPNs: it securely authenticates peers and negotiates the security associations (SAs) that protect traffic. Cisco IOS routers ship with predefined default encryption, integrity (hashing), DH group and PRF algorithms; some of these defaults are no longer considered secure and are therefore not recommended.

As of Cisco IOS-XE v16.8.1 the default IKEv2 Proposal will be updated; more information here:

As of 2018 the recommended IKEv2 Proposal ciphers are:

  • Integrity: SHA512 SHA384
  • PRF: SHA512 SHA384
  • DH Group: Group19 Group14 Group21 Group5



Configuring DMVPN Phase 3 Dual Hub

This post details how to configure a DMVPN Phase 3 VPN in a Dual Hub Single Cloud topology. I previously wrote a post on configuring DMVPN Phase 2; refer to that post for more detailed information on configuring DMVPN.

As per most previous posts GNS3 was used to lab the configuration. I had to use the Advanced Security IOS image “c7200-advsecurityk9-mz.152-4.M7” instead of my normal Advanced IP Services IOS image “c7200-advipservicesk9-mz.152-4.S4” because that version does not support NHRP redirect required for DMVPN Phase 3. The error received when configuring NHRP redirect is: % NHRP-WARNING: ‘ip nhrp redirect’ failed to initialise.

This post covers the following:

  • Front Door VRF
  • Crypto Keyring
  • Dual DMVPN Hub configuration
  • DMVPN Spoke configuration
  • DMVPN NHS Clustering (dual active Hubs and Active/Standby Hub)
  • DMVPN Phase 3

The router default ISAKMP Policy, IPSec Transform Set and IPSec Profile were used and are therefore not covered in this post. This previous post covers ISAKMP and IPSec Policy/Profile creation.

The lab scenario has 6 x Cisco IOS 15.2(4) routers as represented in the diagram below.


CCNP ROUTE 2.0: VPN Technologies

CCNP ROUTE 2.0 Exam Blueprint: VPN Technologies

  • Configure and verify GRE
  • Describe DMVPN
  • Describe Easy Virtual Networking (EVN)

Configure and Verify GRE

  • Generic Routing Encapsulation (GRE) was designed to carry multiprotocol and IP multicast traffic between sites
  • Encapsulated protocols include IP, AppleTalk, DECnet and IPX
  • GRE encapsulates an inside IP packet within an outside IP header
  • GRE is NOT encrypted by default
  • GRE tunnels can run through IPSec tunnels. When running GRE over IPSec, a packet is first encapsulated in a GRE packet and the GRE packet is then encrypted by IPSec
  • Multicast traffic: GRE tunnels support transporting IP multicast and broadcast packets to the other end of the tunnel
  • GRE tunnels add a 20-byte outer IP header and a 4-byte GRE header, 24 bytes of overhead in total

GRE can be configured as either point-to-point or point-to-multipoint tunnels.

Point-to-Point – simple configuration between 2 peers; does not require NHRP.
Point-to-Multipoint – a single tunnel interface on a router supports multiple GRE peers (great for scalability); requires NHRP to build dynamic tunnels, which also allows peers with DHCP-assigned public IP addresses.
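The 24-byte overhead figure and the "not encrypted by default" point above are easy to see by building and parsing a GRE-in-IPv4 packet. The Python below is an added example, not code from the original post: it assembles an outer IPv4 header (protocol 47), a GRE header per RFC 2784 (with the optional RFC 2890 key/sequence fields), and a constructed inner IPv4/UDP packet, then decapsulates the result. Because the inner packet is carried in cleartext, the parser reads the inner source and destination addresses straight out of the wire bytes, which is exactly what running GRE without IPSec exposes on a monitored link. All addresses and payload bytes are constructed for the example.

```python
import struct

GRE_PROTO = 47            # IP protocol number for GRE in the outer IPv4 header
ETHERTYPE_IPV4 = 0x0800   # GRE "protocol type" value for an encapsulated IPv4 packet

# GRE flag bits in the first 16-bit word (RFC 2784 / RFC 2890)
GRE_FLAG_CSUM = 0x8000    # C: checksum (+ reserved1) present, 4 bytes
GRE_FLAG_KEY = 0x2000     # K: key present, 4 bytes
GRE_FLAG_SEQ = 0x1000     # S: sequence number present, 4 bytes
GRE_VERSION_MASK = 0x0007 # version field must be 0 for plain GRE


def _checksum(data: bytes) -> int:
    """Standard ones'-complement Internet checksum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Build a minimal 20-byte IPv4 header (no options) with a valid checksum."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0, src_b, dst_b)
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]


def gre_header(proto: int = ETHERTYPE_IPV4, key: int = None, seq: int = None) -> bytes:
    """Build a GRE header: 4 mandatory bytes plus 4 bytes per optional field."""
    flags, optional = 0, b""
    if key is not None:
        flags |= GRE_FLAG_KEY
        optional += struct.pack("!I", key)
    if seq is not None:
        flags |= GRE_FLAG_SEQ
        optional += struct.pack("!I", seq)
    return struct.pack("!HH", flags, proto) + optional


def make_inner_packet(src: str, dst: str, data: bytes) -> bytes:
    """Constructed inner IPv4/UDP packet standing in for site-to-site traffic."""
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(data), 0) + data  # UDP checksum 0 = none
    return ipv4_header(src, dst, 17, len(udp)) + udp


def encapsulate(outer_src: str, outer_dst: str, inner: bytes, key: int = None, seq: int = None) -> bytes:
    """Wrap an inner packet in GRE and an outer IPv4 header, as a GRE tunnel endpoint does."""
    gre = gre_header(key=key, seq=seq) + inner
    return ipv4_header(outer_src, outer_dst, GRE_PROTO, len(gre)) + gre


def decapsulate(packet: bytes) -> dict:
    """Parse outer IPv4 + GRE; return tunnel metadata, overhead and the cleartext inner packet."""
    if len(packet) < 24:
        raise ValueError("too short for IPv4 + GRE")
    if packet[0] >> 4 != 4:
        raise ValueError("outer header is not IPv4")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or packet[9] != GRE_PROTO:
        raise ValueError("outer header is not a GRE (protocol 47) packet")
    gre = packet[ihl:]
    flags, ptype = struct.unpack("!HH", gre[:4])
    if flags & GRE_VERSION_MASK:
        raise ValueError("unsupported GRE version")
    off, fields = 4, {}
    if flags & GRE_FLAG_CSUM:   # checksum + reserved1 occupy 4 bytes
        fields["checksum"] = struct.unpack("!H", gre[off:off + 2])[0]
        off += 4
    if flags & GRE_FLAG_KEY:
        fields["key"] = struct.unpack("!I", gre[off:off + 4])[0]
        off += 4
    if flags & GRE_FLAG_SEQ:
        fields["seq"] = struct.unpack("!I", gre[off:off + 4])[0]
        off += 4
    inner = gre[off:]
    result = {
        "outer_src": ".".join(map(str, packet[12:16])),
        "outer_dst": ".".join(map(str, packet[16:20])),
        "gre_protocol": ptype,
        "gre_fields": fields,
        "overhead": ihl + off,   # 20-byte IP + 4-byte GRE = 24 with no optional fields
        "inner": inner,
    }
    if ptype == ETHERTYPE_IPV4 and len(inner) >= 20:
        # Inner addresses are readable because GRE adds no confidentiality.
        result["inner_src"] = ".".join(map(str, inner[12:16]))
        result["inner_dst"] = ".".join(map(str, inner[16:20]))
    return result


if __name__ == "__main__":
    inner = make_inner_packet("10.1.1.10", "10.2.2.20", b"hello")
    parsed = decapsulate(encapsulate("203.0.113.1", "198.51.100.1", inner))
    print(parsed["overhead"], parsed["inner_src"], "->", parsed["inner_dst"])
```

The overhead returned grows by 4 bytes for each optional GRE field (key, sequence, checksum), which matters when sizing the tunnel MTU; the 24-byte figure in the list above is the common no-options case.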

Cisco ISR G2 Router bad IPSec performance

I’ve been testing a new DMVPN with IPSec encryption utilising brand new Cisco 3945 ISR G2 routers. I performed some basic performance tests using “iperf” with just a GRE tunnel (no encryption) between 2 sites and I was consistently getting 91Mbps throughput (not bad). Upon adding the encryption (AES-128) and re-running the tests, the results were erratic, with the throughput ranging from 16Mbps – 52.7Mbps and an average around 30Mbps.


Configuring Dynamic Multipoint VPN (DMVPN)

Dynamic Multipoint VPN (DMVPN) allows for a large-scale IPSec VPN deployment with reduced configuration and complexity. It combines GRE, Next Hop Resolution Protocol (NHRP) and IPSec encryption. Unlike traditional IPSec VPNs, DMVPN does not require crypto ACLs; instead it needs only a single mGRE tunnel interface and a single IPSec profile. In a large DMVPN environment this greatly reduces the size of the configuration on the hub router.

DMVPN can be deployed using two models; Hub-and-Spoke and Spoke-to-Spoke:

Hub-and-Spoke (Phase 1) – requires each spoke to have a point-to-point GRE interface to build a tunnel to the hub router; all traffic flows through the hub router.

Spoke-to-Spoke (Phase 2 and Phase 3) – requires each spoke to have an mGRE interface, providing spoke-to-spoke communication in addition to hub-and-spoke communication.
