Cisco DMVPN Dynamic Multipoint VPN with RIP Routing

DMVPN is a cheap and simple way to connect multiple sites across the internet without spending lots of $$ on dedicated circuits.
This is a tested and working configuration over ADSL connections.
When I set up DMVPN I found there were not many examples on the internet showing DMVPN working with RIP routing, so here I share mine. I am using Cisco 857 and 877 routers. Cisco 827 routers do not work as they will not accept the "ip nhrp" commands.
This is a configuration dump of a Hub site and 2 Spoke sites. DMVPN is working between each spoke site.
 

Notes:

  • Routers have been set up for NAT with access-lists; conventional NAT without ACLs will not work as well once DMVPN is enabled, as all VPN traffic would be NATed.
  • CDP has been enabled for easy diagnostics; it does not need to be enabled.
  • All networks have been enabled for VPN access. Networks hanging off the VPN will also be able to communicate (i.e. Loopback 0).
  • The Dialer 0 interface is not shown in the configuration.
  • "crypto isakmp key somerandomkey address 0.0.0.0 0.0.0.0" (key must be kept the same on all sites)
  • "ip nhrp network-id 1234" (key must be kept the same on all sites)
  • "tunnel key 123456" (key must be kept the same on all sites)
  • "tunnel mode gre multipoint" (must be enabled on all sites for direct communication between spokes; otherwise, with the "tunnel mode gre ip" and "tunnel destination 123.123.1.1" commands, spoke traffic will route through the Hub site)
 

HUB Router:

Hostname HUB
!
crypto key generate rsa general-keys modulus 2048
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key somerandomkey address 0.0.0.0 0.0.0.0
crypto isakmp invalid-spi-recovery
!
crypto ipsec profile vpnprof
 set transform-set trans2
!
crypto ipsec transform-set trans2 esp-des esp-md5-hmac
 mode transport
!
interface Tunnel0
 description VPN Site 2 Site Tunnel
 ip address 172.18.1.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication Key1
 ip nhrp map multicast dynamic
 ip nhrp network-id 1234
 ip nhrp holdtime 600
 ip inspect firewall out
 no ip split-horizon
 cdp enable
 tunnel source Dialer0
 tunnel mode gre multipoint
 tunnel key 123456
 tunnel path-mtu-discovery
 tunnel protection ipsec profile vpnprof
 no shutdown
!
interface vlan1
 ip address 10.1.0.1 255.255.0.0
 ip nat inside
 no ip directed-broadcast
 exit
!
interface Loopback1
 ip address 172.17.1.1 255.255.255.0
!
router rip
 version 2
 network 10.0.0.0
 network 172.17.0.0
 network 172.18.0.0
 default-information originate
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip nat inside source route-map NONAT interface Dialer0 overload
!
route-map NONAT permit 1
 match ip address 105
!
access-list 105 remark Traffic to NAT
access-list 105 deny   ip 10.1.0.0 0.0.255.255 172.17.0.0 0.0.255.255
access-list 105 deny   ip 10.20.0.0 0.0.255.255 172.17.0.0 0.0.255.255
access-list 105 deny   ip 10.22.0.0 0.0.255.255 172.17.0.0 0.0.255.255
access-list 105 deny   ip 172.17.0.0 0.0.255.255 172.17.0.0 0.0.255.255
access-list 105 deny   ip 172.18.0.0 0.0.255.255 172.17.0.0 0.0.255.255
access-list 105 deny   ip 10.1.0.0 0.0.255.255 172.18.0.0 0.0.255.255
access-list 105 deny   ip 10.20.0.0 0.0.255.255 172.18.0.0 0.0.255.255
access-list 105 deny   ip 10.22.0.0 0.0.255.255 172.18.0.0 0.0.255.255
access-list 105 deny   ip 172.17.0.0 0.0.255.255 172.18.0.0 0.0.255.255
access-list 105 deny   ip 172.18.0.0 0.0.255.255 172.18.0.0 0.0.255.255
access-list 105 deny   ip 10.1.0.0 0.0.255.255 10.20.0.0 0.0.255.255
access-list 105 deny   ip 10.20.0.0 0.0.255.255 10.20.0.0 0.0.255.255
access-list 105 deny   ip 10.22.0.0 0.0.255.255 10.20.0.0 0.0.255.255
access-list 105 deny   ip 172.17.0.0 0.0.255.255 10.20.0.0 0.0.255.255
access-list 105 deny   ip 172.18.0.0 0.0.255.255 10.20.0.0 0.0.255.255
access-list 105 deny   ip 10.1.0.0 0.0.255.255 10.22.0.0 0.0.255.255
access-list 105 deny   ip 10.20.0.0 0.0.255.255 10.22.0.0 0.0.255.255
access-list 105 deny   ip 10.22.0.0 0.0.255.255 10.22.0.0 0.0.255.255
access-list 105 deny   ip 172.17.0.0 0.0.255.255 10.22.0.0 0.0.255.255
access-list 105 deny   ip 172.18.0.0 0.0.255.255 10.22.0.0 0.0.255.255
access-list 105 permit ip 10.0.0.0 0.255.255.255 any
access-list 105 permit ip 172.17.0.0 0.0.255.255 any
access-list 105 permit ip 172.18.0.0 0.0.255.255 any
Dialer 0 has the external IP address of 123.123.1.1/24 for this example
Vlan 1 has the IP address of 10.1.0.1/16
 

SpokeA Router:

Hostname SpokeA
!
crypto key generate rsa general-keys modulus 2048
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key somerandomkey address 0.0.0.0 0.0.0.0
crypto isakmp invalid-spi-recovery
!
crypto ipsec profile vpnprof
 set transform-set trans2
!
crypto ipsec transform-set trans2 esp-des esp-md5-hmac
 mode transport
!
interface Tunnel0
 ip address 172.18.1.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip inspect firewall out
 ip nhrp authentication Key1 
 ip nhrp map 172.18.1.1 123.123.1.1
 ip nhrp map multicast 123.123.1.1
 ip nhrp network-id 1234
 ip nhrp holdtime 300
 ip nhrp nhs 172.18.1.1
 cdp enable
 tunnel source Dialer0
 tunnel mode gre multipoint
 tunnel key 123456
 tunnel path-mtu-discovery
 tunnel protection ipsec profile vpnprof
 no shutdown
!
interface vlan1
 ip address 10.20.0.1 255.255.0.0
 ip nat inside
 no ip directed-broadcast
 exit
!
router rip
 version 2
 network 10.0.0.0
 network 172.18.0.0
 default-information originate
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 10.1.0.0 255.255.0.0 Tunnel0
!
ip nat inside source route-map NONAT interface Dialer0 overload
!
route-map NONAT permit 1
 match ip address 105
!
access-list 105 remark Traffic to NAT to Internet Only
access-list 105 deny   ip 10.20.0.0 0.0.255.255 10.1.0.0 0.0.255.255
access-list 105 deny   ip 10.20.0.0 0.0.255.255 10.22.0.0 0.0.255.255
access-list 105 deny   ip 10.20.0.0 0.0.255.255 172.18.0.0 0.0.255.255
access-list 105 permit ip 10.20.0.0 0.0.255.255 any


Dialer 0 has the external IP address of 123.123.2.1/24 for this example
Vlan 1 has the IP address of 10.20.0.1/16   
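As an added example (not part of the original write-up), the following Python evaluates SpokeA's access-list 105 the way the NONAT route-map does, so you can confirm which flows leave Dialer0 translated and which go into the tunnel with their real source address. The ACL is copied from the SpokeA config above; the flow addresses are constructed test values.

```python
import ipaddress

# SpokeA's access-list 105 as shown above. Route-map NONAT does "match ip address 105",
# so permit = translate on Dialer0; deny, or no match (implicit deny), = leave untranslated.
SPOKEA_ACL_105 = """
access-list 105 remark Traffic to NAT to Internet Only
access-list 105 deny   ip 10.20.0.0 0.0.255.255 10.1.0.0 0.0.255.255
access-list 105 deny   ip 10.20.0.0 0.0.255.255 10.22.0.0 0.0.255.255
access-list 105 deny   ip 10.20.0.0 0.0.255.255 172.18.0.0 0.0.255.255
access-list 105 permit ip 10.20.0.0 0.0.255.255 any
"""

def _addr_spec(tokens, i):
    """Consume one IOS address spec at tokens[i]: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    net, wild = (int(ipaddress.IPv4Address(t)) for t in tokens[i:i + 2])
    return (net, wild), i + 2

def parse_acl(text):
    """Return [(action, src_spec, dst_spec)] in configured (first-match) order."""
    aces = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[2] not in ("permit", "deny") or t[3] != "ip":
            continue  # remarks and non-IP entries play no part in the route-map match
        src, i = _addr_spec(t, 4)
        dst, _ = _addr_spec(t, i)
        aces.append((t[2], src, dst))
    return aces

def _hit(spec, addr):
    net, wild = spec
    keep = ~wild & 0xFFFFFFFF  # wildcard 1-bits are "don't care", so mask them off
    return (int(ipaddress.IPv4Address(addr)) & keep) == (net & keep)

def nat_decision(aces, src, dst):
    """'nat' if the flow is translated on Dialer0, 'exempt' if it leaves with its real source."""
    for action, s, d in aces:
        if _hit(s, src) and _hit(d, dst):
            return "nat" if action == "permit" else "exempt"
    return "exempt"  # implicit deny: the route-map does not match, so no translation

if __name__ == "__main__":
    aces = parse_acl(SPOKEA_ACL_105)
    for dst in ("10.1.0.9", "10.22.0.9", "172.18.1.1", "203.0.113.7"):  # constructed flows
        print(f"10.20.0.5 -> {dst}: {nat_decision(aces, '10.20.0.5', dst)}")
```

Note that a source outside 10.20.0.0/16 falls through to the implicit deny and is sent out untranslated rather than dropped, so the permit line is what keeps the exemption list tight.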

SpokeB Router:

Hostname SpokeB
!
crypto key generate rsa general-keys modulus 2048
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key somerandomkey address 0.0.0.0 0.0.0.0
crypto isakmp invalid-spi-recovery
!
crypto ipsec profile vpnprof
 set transform-set trans2
!
crypto ipsec transform-set trans2 esp-des esp-md5-hmac
 mode transport
!
interface Tunnel0
 ip address 172.18.1.3 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip inspect firewall out
 ip nhrp authentication Key1
 ip nhrp map 172.18.1.1 123.123.1.1
 ip nhrp map multicast 123.123.1.1
 ip nhrp network-id 1234
 ip nhrp holdtime 300
 ip nhrp nhs 172.18.1.1
 cdp enable
 tunnel source Dialer0
 tunnel mode gre multipoint
 tunnel key 123456
 tunnel path-mtu-discovery
 tunnel protection ipsec profile vpnprof
 no shutdown
!
interface vlan1
 ip address 10.22.0.1 255.255.0.0
 ip nat inside
 no ip directed-broadcast
 exit
!
router rip
 version 2
 network 10.0.0.0
 network 172.18.0.0
 default-information originate
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 10.1.0.0 255.255.0.0 Tunnel0
!
ip nat inside source route-map NONAT interface Dialer0 overload
!
route-map NONAT permit 1
 match ip address 105
!
access-list 105 remark Traffic to NAT to Internet Only
access-list 105 deny   ip 10.22.0.0 0.0.255.255 10.1.0.0 0.0.255.255
access-list 105 deny   ip 10.22.0.0 0.0.255.255 10.20.0.0 0.0.255.255
access-list 105 deny   ip 10.22.0.0 0.0.255.255 172.18.0.0 0.0.255.255
access-list 105 permit ip 10.22.0.0 0.0.255.255 any
Dialer 0 has the external IP address of 123.123.3.1/24
Vlan 1 has the IP address of 10.22.0.1/16
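To enforce the "must be kept the same on all sites" notes at the top of this page, here is an added Python check (my own code, not from the page or from Cisco) that pulls those shared values out of each site's config dump and reports any site that disagrees; it also flags the DES, 3DES and MD5 transforms these configs enable, which are deprecated for new deployments. The config excerpts are constructed from the values above, and SpokeB is given a deliberately different tunnel key so the report has something to show.

```python
import re

# Values the page says must be identical on every DMVPN site, each with the
# regex that pulls it out of a running-config dump.
SHARED_PARAMS = {
    "isakmp_key":  re.compile(r"^crypto isakmp key (\S+) address", re.M),
    "nhrp_auth":   re.compile(r"^\s*ip nhrp authentication (\S+)", re.M),
    "nhrp_netid":  re.compile(r"^\s*ip nhrp network-id (\d+)", re.M),
    "tunnel_key":  re.compile(r"^\s*tunnel key (\d+)", re.M),
    "tunnel_mode": re.compile(r"^\s*tunnel mode (gre \S+)", re.M),
}
# Transforms enabled in these configs that are deprecated for new deployments.
WEAK_CRYPTO = re.compile(r"\b(encr 3des|esp-des|esp-3des|esp-md5-hmac)\b")

def extract(config):
    """Return {param: value or None} for one site's config text."""
    found = {name: rx.search(config) for name, rx in SHARED_PARAMS.items()}
    return {name: (m.group(1) if m else None) for name, m in found.items()}

def check_sites(configs):
    """configs: {site: text}. Return [(param, {site: value})] for params that differ."""
    per_site = {site: extract(text) for site, text in configs.items()}
    return [(name, {s: v[name] for s, v in per_site.items()})
            for name in SHARED_PARAMS
            if len({v[name] for v in per_site.values()}) > 1]

def weak_crypto(config):
    """Return the deprecated cipher/hash tokens present in one config."""
    return sorted(set(WEAK_CRYPTO.findall(config)))

# Constructed excerpts: HUB and SpokeA carry the page's values; SpokeB gets a
# deliberately different tunnel key so the mismatch report has something to show.
HUB = """crypto isakmp policy 1
 encr 3des
crypto isakmp key somerandomkey address 0.0.0.0 0.0.0.0
crypto ipsec transform-set trans2 esp-des esp-md5-hmac
interface Tunnel0
 ip nhrp authentication Key1
 ip nhrp network-id 1234
 tunnel mode gre multipoint
 tunnel key 123456
"""
SPOKE_A = HUB
SPOKE_B = HUB.replace("tunnel key 123456", "tunnel key 654321")

if __name__ == "__main__":
    for param, values in check_sites({"HUB": HUB, "SpokeA": SPOKE_A, "SpokeB": SPOKE_B}):
        print(f"MISMATCH {param}: {values}")
    print("deprecated transforms:", weak_crypto(HUB))
```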