Dynamic Multipoint VPN (CCIE Notes)

Disclaimer: These are my rough cut notes for CCIE Security studies! Not a detailed explanation of DMVPN.

Three components that make up DMVPN:

1. Multipoint GRE (mGRE)

  • A tunnel interface with multiple tunnel destinations, unlike a point-to-point GRE tunnel, which has a single tunnel destination.

2. Next-Hop Resolution Protocol (NHRP)

  • Each router in an NHRP topology acts as either a Next-Hop Client (NHC) or a Next-Hop Server (NHS).
  • mGRE uses NHRP to map logical/tunnel IP addresses to physical/real (NBMA) IP addresses.
  • An NHC registers its physical-to-tunnel IP mapping with the NHS; the NHS acts as a database agent that stores all registered mappings and answers NHC queries.
  • If an NHS does not have a requested entry in its database, it can forward the request to another NHS to see if that one holds the requested mapping.

3. Cisco Express Forwarding (CEF)

  • Cisco Express Forwarding (CEF) is a packet-switching technique that switches packets through a device quickly and efficiently while keeping the load on the router’s processor low.
  • CEF is made up of two main components: the Forwarding Information Base (FIB) and the CEF Adjacency Table.
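As an added example (not part of the original notes), a minimal single-hub DMVPN configuration that puts the three components together: both Tunnel0 interfaces run `tunnel mode gre multipoint`, the spoke’s `ip nhrp nhs` and `ip nhrp map` lines make it an NHC that registers with the hub NHS, and `ip cef` turns on CEF switching. All addresses, names and the pre-shared key are assumptions for the example.

```cisco
! ===== Common to hub and spoke (IPsec protection for the mGRE tunnel) =====
ip cef
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 14
! Wildcard PSK is the lab shortcut because spoke addresses are dynamic;
! certificates are the better choice for a production DMVPN
crypto isakmp key DMVPNPSK address 0.0.0.0 0.0.0.0
crypto ipsec transform-set DMVPN_TS esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile DMVPN_PROF
 set transform-set DMVPN_TS
!
! ===== HUB (NHS), public address 198.51.100.1 (assumed) =====
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ip nhrp authentication DMVPNKEY
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN_PROF
!
! ===== SPOKE (NHC), dynamic public address =====
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 no ip redirects
 ip nhrp authentication DMVPNKEY
 ip nhrp map 10.0.0.1 198.51.100.1
 ip nhrp map multicast 198.51.100.1
 ip nhrp network-id 100
 ip nhrp nhs 10.0.0.1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN_PROF
!
! Verification (either router):
!   show ip nhrp    -> tunnel-IP to NBMA-IP mappings the NHS has learned
!   show dmvpn      -> per-peer tunnel state
!   show ip cef     -> confirms CEF is switching the tunnel prefixes
```

`ip nhrp authentication` travels in cleartext and only prevents accidental cross-registration between NHRP networks; the `tunnel protection` line is what actually authenticates and encrypts the mGRE traffic, so the NHRP string should never be treated as a security control.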


Monitoring Site-to-Site VPNs in ASA/PIX (Syslog)

Recently I’ve been given the task of monitoring our site-to-site VPNs on some PIX firewalls (yeah, I know, we still use them in some locations). After a lot of research I’ve found a working and quite decent solution for now. Monitoring specific syslog IDs for VPN disconnections looks like the way to go.

I’m going to start off with PIX and will add the ASA config when I lab it up.

Note: You do not need to set up logging lists if you are already monitoring error-level logs and above, because the message ID we explicitly want to log for VPN monitoring is a warning-level (level 4) message. My logging list therefore has a separate critical (level 2) entry, since the VPN message isn’t covered at that level and has to be added by ID.
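Added example (not the post’s own config) of the logging list the note describes, in ASA/PIX 7.x syntax: the list captures everything at critical (level 2) and above, plus one explicitly named warning-level message. The excerpt does not say which ID the author monitors; 113019 (ASA’s warning-level “Session disconnected” event) is my assumed stand-in, and the syslog collector address is made up.

```cisco
! Assumed message ID: 113019 is the warning-level "Session disconnected" event.
! Confirm the ID is not suppressed before relying on it:
!   show logging message 113019
! (re-enable with "logging message 113019" if it shows as disabled)
logging enable
logging timestamp
! The list: level 2 (critical) and above, plus the one level-4 VPN message
logging list VPN_MON level critical
logging list VPN_MON message 113019
! Export only that list to the collector (address assumed)
logging trap VPN_MON
logging host inside 192.0.2.10
! Add further IKE/IPsec tear-down IDs the same way once identified with
!   show logging message all
```

`logging trap` must reference the list rather than a bare level; with a level alone the warning-level message is filtered out before export, which is exactly the gap the note is about.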


Configure IOS router to initiate a VPN in Aggressive Mode

Enabling Aggressive Mode globally on an IOS router is straightforward, and it is the default anyway:

no crypto isakmp aggressive-mode disable

But the problem with this is that the router will only act as a responder to VPN requests that come in. It cannot initiate a VPN in Aggressive Mode.

Adding the Aggressive Mode option to an ISAKMP profile and attaching that profile to the crypto map entry for the peer allows the IOS router to initiate a VPN in Aggressive Mode with that peer as well.
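As an added example (not from the original post) of what the paragraph above describes: an ISAKMP profile carrying `initiate mode aggressive`, bound to a keyring for the peer and to the crypto map entry for that peer. Peer address, profile/keyring names, ACL and transform set are assumptions.

```cisco
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 14
! Keyring with the PSK for this peer (address and key are placeholders)
crypto keyring PEER_KEYS
 pre-shared-key address 203.0.113.2 key <long-random-psk>
!
! ISAKMP profile: match the peer, and make THIS router initiate in aggressive mode
crypto isakmp profile AGGR_PROF
 keyring PEER_KEYS
 match identity address 203.0.113.2 255.255.255.255
 initiate mode aggressive
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
ip access-list extended VPN_ACL
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
! Attach the profile to the crypto map entry for that peer
crypto map VPN_MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS
 set isakmp-profile AGGR_PROF
 match address VPN_ACL
interface GigabitEthernet0/0
 crypto map VPN_MAP
!
! Verify: "show crypto isakmp profile" lists the profile with its keyring and
! peer match; "show crypto isakmp sa" should reach QM_IDLE once traffic hits VPN_ACL
```

Aggressive Mode with a pre-shared key exposes the identity hash before the exchange is encrypted, so the PSK needs to be long and random (or the peer should use certificates); the profile approach also keeps the aggressive-mode initiation scoped to this one peer instead of every peer on the router.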


Site-to-Site VPN tunnel with Dynamic Peer IP address (example with PSK and PKI) (CCIE Notes)

PSK (Pre-Shared Key)

ASA (Static IP side has the ‘dynamic’ configuration):

crypto ikev1 policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set ESP-DES esp-des esp-sha-hmac
access-list crypto_acl_10 extended permit ip host host
crypto dynamic-map MARKETING_VPN 10 match address crypto_acl_10
crypto dynamic-map MARKETING_VPN 10 set ikev1 transform-set ESP-DES
crypto dynamic-map MARKETING_VPN 10 set reverse-route
crypto map out_map 10 ipsec-isakmp dynamic MARKETING_VPN
crypto map out_map interface outside
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key cisco123


  • All Phase 2 parameters need to be defined under the dynamic-map.
  • Tunnel-group DefaultL2LGroup holds the pre-shared key that the dynamic peers will use.
  • Traffic cannot be initiated from the static side of the VPN tunnel, because the static side does not know the peer’s address until the peer brings the tunnel up.
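Added example (not part of the notes) of the matching configuration on the dynamic-IP side, here an IOS router whose outside interface gets its address by DHCP. It mirrors the policy, transform set and key of the ASA block above so the two sides negotiate. The ASA’s static address, interface names and the two host IPs are assumptions; the ASA’s crypto_acl_10 must be the mirror image of the ACL below.

```cisco
crypto isakmp policy 10
 encr des
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
! PSK for the ASA's static address (203.0.113.1 assumed)
crypto isakmp key cisco123 address 203.0.113.1
crypto ipsec transform-set ESP-DES esp-des esp-sha-hmac
! Interesting traffic: mirror image of the ASA's crypto_acl_10 (host IPs assumed)
ip access-list extended crypto_acl_10
 permit ip host 10.1.1.10 host 10.2.2.10
! Static crypto map on the dynamic side: we know the ASA's address, it does not know ours
crypto map out_map 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set ESP-DES
 match address crypto_acl_10
interface GigabitEthernet0/0
 ip address dhcp
 crypto map out_map
!
! Bring the tunnel up from THIS side (the ASA cannot initiate), then verify:
!   ping 10.2.2.10 source 10.1.1.10
!   show crypto isakmp sa
!   show crypto ipsec sa
```

DES, SHA-1 and DH group 2 are the lab values carried over from the ASA block; a production tunnel should use AES and a stronger DH group on both sides. On the ASA, `set reverse-route` on the dynamic map is what injects the route to 10.1.1.10 once this peer has registered.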


Site-to-Site VPN using PKI (CCIE Notes)

Points to remember:

1) peer-id-validate

  • Either disable the check under the tunnel-group (peer-id-validate nocheck),
  • or send the correct identity information from the peers (crypto isakmp identity dn) so the check passes.

2) Using trustpoint

  • In ASA, the trustpoint needs to be referenced under both the crypto map and the tunnel-group.
  • In IOS, the trustpoint does not need to be referenced under the crypto map or ISAKMP configuration.

3) Defining the Peer IP

  • In ASA, the peer IP needs to be specified under the crypto map as well as in the tunnel-group.
  • In IOS, for Main Mode, no crypto isakmp peer needs to be specified; the crypto map set peer command is enough for the tunnel to establish.
  • In IOS, for Aggressive Mode, crypto isakmp peer needs to be specified.
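Added example (not the notes’ own config) covering the three points above for a Main Mode ASA-to-IOS tunnel with certificates. Trustpoint names, peer addresses, subnets and the CA URL are assumptions, and the enrollment/authentication steps for the CA are omitted.

```cisco
! ===== ASA (its peer 203.0.113.2 is the IOS router) =====
crypto ca trustpoint LAB_CA
 enrollment url http://<ca-host>/certsrv/mscep/mscep.dll
 subject-name CN=asa1.example.test
 revocation-check none
crypto ikev1 policy 10
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 14
crypto ipsec ikev1 transform-set ESP-AES esp-aes-256 esp-sha-hmac
access-list crypto_acl_10 extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
! Points 2 and 3: trustpoint and peer in the crypto map ...
crypto map out_map 10 match address crypto_acl_10
crypto map out_map 10 set peer 203.0.113.2
crypto map out_map 10 set ikev1 transform-set ESP-AES
crypto map out_map 10 set trustpoint LAB_CA
crypto map out_map interface outside
! ... and again in the tunnel-group
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev1 trust-point LAB_CA
 peer-id-validate nocheck
! Point 1: "nocheck" above is the quick fix; the better option is to keep
! "peer-id-validate req" and have the IOS side send a DN identity (below)
!
! ===== IOS (its peer 203.0.113.1 is the ASA) =====
crypto pki trustpoint LAB_CA
 enrollment url http://<ca-host>/certsrv/mscep/mscep.dll
 subject-name CN=rtr1.example.test
 revocation-check none
! Send the certificate DN as the IKE identity so the ASA can validate it
crypto isakmp identity dn
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication rsa-sig
 group 14
crypto ipsec transform-set ESP-AES esp-aes 256 esp-sha-hmac
ip access-list extended crypto_acl_10
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
! Main Mode: no "crypto isakmp peer" needed, and no trustpoint reference in the map
crypto map out_map 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set ESP-AES
 match address crypto_acl_10
interface GigabitEthernet0/0
 crypto map out_map
```

`revocation-check none` is set here only so the lab tunnel does not depend on CRL reachability; with a real CA, leave revocation checking on so a revoked peer certificate actually stops the tunnel from establishing.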
