lab_ipsec_2425_v1

This lab guide focuses on studying IPSec and DMVPN, detailing objectives, preparation, equipment, and exercises involving GRE tunneling and IPSec configurations. It includes specific configurations for routers, tasks for analyzing network behavior, and explanations of OSPF and GRE tunneling operations. Additionally, it covers the implementation of IKEv1 and IKEv2 with both pre-shared keys and digital signatures, emphasizing the use of Wireshark for packet analysis and the importance of certificate management in secure communications.
Lab guide nº 2.

1 – IPSec and DMVPN

1 Objectives
The aim of this laboratory work is to study IPSec and DMVPN.

2 Preparation
This topic is partially covered in module 18 “VPNs” and module 19 “Implementing Site-to-Site
IPSec VPNs” of NetAcad’s Network Security course. See also the slides “IPSec and
DMVPN” and the videos recommended in the SAAR roadmap.

3 Equipment
These exercises are performed using GNS3, equipped with Cisco routers (3725, 7200, and
IOSv).

4 GRE tunneling
Consider the network of Figure 1, comprising a public network connecting two sites of one
organization. The public network (representing the Internet) includes subnets 200.1.1.0/24
and 200.2.2.0/24. The organization has subnets 192.168.1.0/24 and 192.168.2.0/24 on the
left site, and subnets 192.168.3.0/24 and 192.168.4.0/24 on the right site. Both the
organization and the public networks use OSPF as the routing protocol. The goal of this
exercise is to establish a GRE tunnel between the two organization sites, i.e., between R1
and R2.
Routers R1 and R2 must be IOSv Cisco routers, router RA must be a 7200 Cisco router, and
routers R3 and R4 must be 3725 Cisco routers. For the PCs we suggest the use of Alpine
Linux containers since they are very lightweight; another good alternative is to use 3725
routers configured as hosts (with the no ip routing option).

Rui Valadas, 12-May-2025 1


[Figure 1 diagram. Addressing read from it: public network 200.1.1.0/24 (R1 g0/0 .1, RA f0/0 .10) and 200.2.2.0/24 (RA f0/1 .10, R2 g0/0 .2); left site 192.168.2.0/24 (R1 g0/1 .1, R3 f0/0 .3) and 192.168.1.0/24 (R3 f0/1 .3, PC1 .100); right site 192.168.3.0/24 (R2 g0/1 .2, R4 f0/0 .4) and 192.168.4.0/24 (R4 f0/1 .4, PC2 .100).]

Figure 1: Network topology with 4 subnets at private network.

The configuration of R1 is the following:


hostname R1
int g0/1
ip add 192.168.2.1 255.255.255.0
ip ospf 2 area 0
no shut
int g0/0
ip add 200.1.1.1 255.255.255.0
ip ospf 1 area 0
no shut
int l0
ip add 1.1.1.1 255.255.255.255
ip ospf 1 area 0

int Tunnel0
ip unnumbered g0/1
tunnel source l0
tunnel destination 2.2.2.2
ip ospf 2 area 0

Note that this configuration includes loopback interfaces. Configure the remaining network
elements using the information above. To test the network, ping from PC1 to PC2. You can
use show ip interface brief to check the state of all interfaces and show interfaces tunnel 0
to have a detailed view of the tunnel 0 state.
1. View the routing tables of R3 and R4. Explain why these tables include all four
subnets of the organization network but none of the public network.
2. View the routing table of RA. Explain why this table includes the two subnets of the
public network but none of the organization network.
3. While performing ping from PC1 to PC2, capture and analyze an ICMP Echo
Request packet at the public network. In this packet, identify the IP protocol type,
the addresses of the outer and inner IP headers, and the GRE field. Based on this
information, explain the operation of GRE tunneling.

4. Analyze the OSPF Hello packets at one of the links of the public network. You will
recognize two types of packets. Explain the role of each type of packet, considering
their outer destination and whether they include a GRE field.
5. Provoke a change in the organization’s OSPF network that triggers the flooding of an
OSPF LS Update packet and capture this packet at the public network. Based on this
experiment, explain how a change in one site is reflected on the other.
6. Analyze the OSPF LSDB (Link State DataBase) of the organization’s network. Notice
that it is formed by Router-LSAs and Network-LSAs. Explain the role of each LSA.
How does OSPF characterize the tunnel between R1 and R2, i.e., what type of OSPF
link is it considered to be?
Summary of what is to be explained:

• Explain the operation of GRE tunneling using Wireshark captures and Cisco IOS show
commands.
• Explain the contents of the OSPF Link State Database at the various routers. Why
was there the need to configure two different OSPF processes at R1 and R2? What
are the processes used in the underlay and the overlay?
• Does GRE support multitenancy?

5 IPSec with IKEv1

5.1 IKEv1 with Pre-Shared Keys
Use the network of Figure 1. You will now connect the two sites of the organization through
an IPSec/IKEv1 tunnel (between R1 and R2). Thus, the configurations of R1 and R2 must be
changed accordingly.
The ISAKMP policy (IKE Phase 1) must be the following: hashing based on SHA,
authentication based on Pre-Shared Keys (PSK), DH group using group 5, lifetime equal to 1
day, and encryption based on AES with 256 bits. Moreover, the IPSec policy must be to use
AH protocol in tunnel mode with SHA-HMAC for integrity protection.
The IPSec configuration at router R1 is the following:
!IKE Phase 1 - Configure ISAKMP policy
crypto isakmp policy 10
hash sha
authentication pre-share
group 5
lifetime 86400
encryption aes 256

!IKE Phase 1 - Configure pre-shared key
crypto isakmp key saar address 2.2.2.2

!IKE Phase 2 - Configure IPsec transform set (AH with SHA-HMAC; tunnel mode is the default)
crypto ipsec transform-set myTSet ah-sha-hmac

!Configure ipsec profile
crypto ipsec profile myIPSecProfile
set transform-set myTSet

!Configure tunnel interface
interface Tunnel0
ip unnumbered g0/1
tunnel source l0
tunnel destination 2.2.2.2
tunnel mode ipsec ipv4
tunnel protection ipsec profile myIPSecProfile
ip ospf 2 area 0

Configure R2 using the information above. If the configurations are correct, you must be
able to ping from PC1 to PC2.
The following show commands may be useful to debug the IPSec configuration: show crypto
isakmp policy, show crypto isakmp sa, show crypto ipsec sa, and show crypto engine
connection active. The show crypto isakmp sa command allows checking if the ISAKMP SA is
active. The show crypto ipsec sa command includes several statistics, e.g., number of
encrypted/decrypted packets.
1. While performing ping from PC1 to PC2, capture and analyze an ICMP Echo
Request packet at the public network. In this packet, identify the IP protocol type,
the addresses of the outer and inner IP headers, and the AH header. Is the
information cyphered? What is the role of the AH Sequence and AH ICV fields of the
Authentication Header?
2. Analyze the OSPF packets seen at the public network. Identify the two types of OSPF
Hello packets and explain their role.
3. While capturing traffic at the public network, clear the SA by running clear crypto
session. Analyze the ISAKMP messages that are exchanged to delete the tunnel and
establish a new one. What ISAKMP messages are exchanged to establish the IKE
phase 1 and IKE phase 2 tunnels? Explain the role of each message, and the role of
their most important fields. In the messages exchanged during the Diffie-Hellman
phase, what is the role of the Key Exchange payload?
4. Observe the differences in the exchanged messages when there is no agreement
between the peers, e.g., in some cryptographic algorithm or IPSec protocol (ESP
versus AH).
5. Now, change the IPSec protocol to ESP. To do that, replace the transform set by
crypto ipsec transform-set myTSet esp-aes esp-sha-hmac. While performing ping
from PC1 to PC2, capture and analyze the corresponding ESP packets. Analyze also
the OSPF exchanges. What are the differences in relation to the AH protocol?
6. What must a firewall allow for an IPSec tunnel to be established?
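As an added example (not part of the lab guide), the following Python dissector shows, on packets constructed with the Figure 1 addresses, what sections 4 and 5.1 ask you to identify in a capture: the outer IP protocol type, the outer and inner addresses, and the GRE, AH or ESP fields. It also computes and checks a real AH ICV (HMAC-SHA1-96), so the role of the ICV and of the mutable header fields becomes visible; the key, the SPIs and the ESP ciphertext stand-in are assumptions, not values from the lab.

```python
"""Dissector for the three encapsulations captured on the public network in sections 4 and
5.1 (added example, not code from the lab guide): GRE (IP protocol 47), AH (51) and ESP (50).
Packets are constructed inline with the Figure 1 addresses. The AH ICV is a real HMAC-SHA1-96;
the ESP ciphertext is an opaque stand-in, since only the SPI and sequence number stay readable."""
import hashlib
import hmac
import struct

GRE, ESP, AH, ICMP = 47, 50, 51, 1
OUTER = ("1.1.1.1", "2.2.2.2")                 # tunnel source l0 / tunnel destination
INNER = ("192.168.1.100", "192.168.4.100")     # PC1 -> PC2
IPV4_HDR = "!BBHHHBBH4s4s"
ICV_LEN = 12                                   # HMAC-SHA1-96 truncates the tag to 96 bits

def ipv4(src, dst, proto, payload, ttl=64):
    """Minimal 20-byte IPv4 header; checksum left 0 (it is mutable, so AH ignores it anyway)."""
    a, b = (bytes(map(int, x.split("."))) for x in (src, dst))
    return struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0, a, b) + payload

def parse_ipv4(buf):
    f = struct.unpack(IPV4_HDR, buf[:20])
    return {"src": ".".join(map(str, f[8])), "dst": ".".join(map(str, f[9])),
            "proto": f[6], "ttl": f[5]}

def icmp_echo(ident=1, seq=1, data=b"abcdefgh"):
    return struct.pack("!BBHHH", 8, 0, 0, ident, seq) + data    # type 8 = Echo Request

def gre_encap(inner):
    """GRE with no optional fields: flags/version 0, protocol type 0x0800 (IPv4 inside)."""
    return ipv4(*OUTER, GRE, struct.pack("!HH", 0, 0x0800) + inner)

def _ah_icv_input(pkt):
    """Bytes covered by the AH ICV (RFC 4302): outer IP header with mutable fields zeroed,
    the AH header with its ICV field zeroed, and the whole inner packet."""
    hdr = bytearray(pkt[:20])
    hdr[1], hdr[8] = 0, 0                              # ToS/DSCP, TTL
    hdr[6:8] = hdr[10:12] = b"\x00\x00"                # flags+fragment offset, header checksum
    return bytes(hdr) + pkt[20:32] + b"\x00" * ICV_LEN + pkt[32 + ICV_LEN:]

def ah_encap(inner, key, spi=0x1000, seq=1):
    """AH tunnel mode with HMAC-SHA1-96 (ah-sha-hmac): the inner packet is NOT encrypted."""
    payload_len = (12 + ICV_LEN) // 4 - 2              # AH length in 32-bit words, minus 2
    ah = struct.pack("!BBHII", 4, payload_len, 0, spi, seq)   # next header 4 = IP-in-IP
    pkt = ipv4(*OUTER, AH, ah + b"\x00" * ICV_LEN + inner)
    icv = hmac.new(key, _ah_icv_input(pkt), hashlib.sha1).digest()[:ICV_LEN]
    return pkt[:32] + icv + pkt[32 + ICV_LEN:]

def ah_verify(pkt, key):
    """Recompute the ICV; True only if nothing it covers was modified in transit."""
    expected = hmac.new(key, _ah_icv_input(pkt), hashlib.sha1).digest()[:ICV_LEN]
    return hmac.compare_digest(pkt[32:32 + ICV_LEN], expected)

def esp_encap(inner, spi=0x2000, seq=1):
    """ESP (esp-aes esp-sha-hmac): only SPI and sequence number are in clear. Constructed
    stand-in: a SHA-256 digest plays the role of the AES-CBC ciphertext."""
    return ipv4(*OUTER, ESP, struct.pack("!II", spi, seq) + hashlib.sha256(inner).digest() * 2)

def dissect(pkt):
    """What Wireshark shows for one captured packet: outer header, then GRE / AH / ESP."""
    outer = parse_ipv4(pkt)
    body, res = pkt[20:], {"outer": outer}
    if outer["proto"] == GRE:
        flags, ptype = struct.unpack("!HH", body[:4])
        off = 4 + 4 * bool(flags & 0x8000) + 4 * bool(flags & 0x2000) + 4 * bool(flags & 0x1000)
        res["gre"] = {"flags": flags, "protocol_type": ptype}   # C, K, S optional fields skipped
        res["inner"] = parse_ipv4(body[off:])
    elif outer["proto"] == AH:
        nxt, plen, _, spi, seq = struct.unpack("!BBHII", body[:12])
        icv_len = (plen + 2) * 4 - 12
        res["ah"] = {"next_header": nxt, "spi": spi, "seq": seq, "icv": body[12:12 + icv_len].hex()}
        res["inner"] = parse_ipv4(body[12 + icv_len:])          # readable: AH only authenticates
    elif outer["proto"] == ESP:
        spi, seq = struct.unpack("!II", body[:8])
        res["esp"] = {"spi": spi, "seq": seq, "ciphertext_len": len(body) - 8}
        # the inner IP and ICMP headers are inside the ciphertext: nothing more can be read
    return res

def demo(key=b"constructed-ah-key"):           # real AH keys come out of IKE phase 2
    inner = ipv4(*INNER, ICMP, icmp_echo())
    views = [dissect(p) for p in (gre_encap(inner), ah_encap(inner, key, seq=7), esp_encap(inner))]
    tampered = bytearray(ah_encap(inner, key))
    tampered[-1] ^= 1                           # flip one bit of the ICMP data: covered by the ICV
    rerouted = bytearray(ah_encap(inner, key))
    rerouted[8] = 10                            # TTL changed by routers: mutable, not covered
    return views, ah_verify(bytes(tampered), key), ah_verify(bytes(rerouted), key)

if __name__ == "__main__":
    views, tampered_ok, ttl_ok = demo()
    for v in views:
        print(v)
    print("tampered AH verifies:", tampered_ok, "| TTL-changed AH verifies:", ttl_ok)   # False True
```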

Summary of what is to be explained:

• Using Wireshark captures and Cisco IOS show commands, explain the operation of IPSec
using ESP and AH in tunnel mode.

5.2 IKEv1 with digital signatures

In this exercise, you will configure a Certification Authority (CA) and IPSec with
authentication using digital signatures. Use the network of Figure 1. Router RA will serve as
the CA.
1. The first step is to install NTP so that the clocks of all routers get synchronized. At RA
issue ntp master and at both R1 and R2 issue ntp server 200.1.1.10. Then use show
clock to check that the clocks are indeed synchronized.
2. Configure the CA (the PKI server) with the following commands (the CA is configured
at router RA):
ip http server
crypto pki server myCA
issuer-name cn=saarCA
lifetime certificate 365
grant auto
no shutdown

3. Use show crypto pki server to view information on the PKI server. Use show crypto
ca certificate and show crypto ca certificate verbose to view information on the CA
certificate. To view the public key that was created for the CA run show crypto key
mypub rsa.
4. R1 and R2 (the PKI clients) must now be configured to obtain a certificate from the
CA. You will use SCEP-based enrollment. To view the exchange of HTTP messages
related to SCEP, install a Wireshark probe between R1 and RA before starting the
configuration. The configuration has three steps. First, configure each router for
SCEP enrollment:
crypto pki trustpoint myTrustpoint
enrollment url http://200.1.1.10:80
exit

5. Next, at each router, fetch the CA certificate:
crypto ca authenticate myTrustpoint

Check that the certificate was installed at each router using show crypto ca
certificate.
6. Finally, at each router, fetch the router certificate:
crypto ca enroll myTrustpoint

Check that the certificate was installed at the router using show crypto pki
certificates. Additional details of the certificates can be viewed using show crypto
pki certificates verbose. Run show crypto key mypub rsa at R1 and R2 to view their
public keys.

7. Using Wireshark, identify the HTTP messages that request a certificate and that carry
the requested certificate. To view the contents of a certificate, in Wireshark select
Media type in the HTTP message that carries a certificate, right click over the
selection, select Export Packet Bytes, and then save with extension .crt. This file can
now be easily decoded.
8. Configure IPSec with digital signatures, at both R1 and R2. The configuration is the
same as in exercise 5.1, except for the addition of the authentication rsa-sig
instruction and the removal of the pre-shared key configuration. The configuration
at R1 is the following:
!IKE Phase 1 - Configure ISAKMP policy
crypto isakmp policy 10
hash sha
authentication rsa-sig
group 5
lifetime 86400
encryption aes 256

!IKE Phase 2 - Configure IPsec transform set
crypto ipsec transform-set myTSet esp-aes esp-sha-hmac

!Configure ipsec profile
crypto ipsec profile myIPSecProfile
set transform-set myTSet

!Configure tunnel interface
interface Tunnel0
ip unnumbered g0/1
tunnel source l0
tunnel destination 2.2.2.2
tunnel mode ipsec ipv4
tunnel protection ipsec profile myIPSecProfile
ip ospf 2 area 0

9. After configuring all network elements, you must be able to ping from PC1 to PC2.
Do that while capturing traffic at the public network. Analyze the encrypted ICMP
messages that were triggered by the ping. Are there any differences in relation to
what you observed in section 5.1?
10. While capturing traffic at the public network, clear the SA by running clear crypto
session. Now, analyze the ISAKMP messages that are exchanged to delete the SA
and establish a new one. What are the main differences in relation to IPSec with
pre-shared keys?
11. Using the command show crypto key pubkey-chain rsa name R2 at R1 view the
public key of R2.
12. Stop all nodes, then restart all nodes and, a few seconds later, install a Wireshark
probe at the public network. Analyze the HTTP messages related to SCEP exchanged
with the CA. What is the purpose of these messages?

13. Let us now revoke the R1 and R2 certificates issued by the CA. At the CA, run the
command crypto pki server myCA revoke <certificate serial number> for both R1
and R2; this command should be given in privileged EXEC mode (not in configuration
mode). The certificate serial number can be checked at R1 and R2 through show
crypto pki certificates. Now restart all routers, install Wireshark probes at both R1
and R2 public interfaces, and ping from PC1 to PC2. Explain the process that
prevents the ping from being successful.

Summary of what is to be explained:

• Using IOS show commands, show that the CA and router certificates were installed
at R1 and R2. Also show the public keys of R1 and R2.
• Explain the process of SCEP-based enrollment using Wireshark captures.
• Using Wireshark, analyze the ISAKMP messages and the HTTP messages related to
SCEP. What is the role of the SCEP messages? Explain the main differences in
relation to IPSec with pre-shared keys.
• Using Wireshark, show that the ICMP messages exchanged between R1 and R2 are
indeed cyphered.
• Using IOS show commands, show that after the exchange of ISAKMP messages each
router stores the public key of the other.
• Explain the process that prevents communication after certificate revocation.

6 IPSec with IKEv2

This exercise is like exercise 5.1, but uses IKEv2 instead of IKEv1. Resort again to the network
of Figure 1.
The IPSec configuration of R1 is the following:
!IKEv2 proposal
crypto ikev2 proposal myProposal
encryption aes-cbc-256
integrity sha512
prf sha512
group 16

!IKEv2 policy
crypto ikev2 policy myIKEv2Policy
proposal myProposal

!IKEv2 keyring
crypto ikev2 keyring myKeyring
peer R2
address 2.2.2.2
pre-shared-key saar

!IKEv2 profile
crypto ikev2 profile myIKEv2Profile
match identity remote address 2.2.2.2
authentication local pre-share
authentication remote pre-share
keyring local myKeyring

!IPsec transform set
crypto ipsec transform-set myTSet esp-aes esp-sha-hmac

!IPSec profile
crypto ipsec profile myIPSecProfile
set transform-set myTSet
set ikev2-profile myIKEv2Profile

!Tunnel interface
interface Tunnel0
ip unnumbered g0/1
tunnel source l0
tunnel destination 2.2.2.2
tunnel mode ipsec ipv4
tunnel protection ipsec profile myIPSecProfile
ip ospf 2 area 0

With this information, configure also IPSec at R2.

1. After configuring all network elements, you must be able to ping from PC1 to PC2.
Do that while capturing traffic at interface g0/0 of R1.
2. While capturing traffic at interface g0/0 of R1, clear the IKEv2 SA by running clear
crypto session. Now, analyze the messages that are exchanged to delete the SA and
establish a new one.
3. View the IPSec configuration and state using show crypto ikev2 proposal, show
crypto ikev2 policy, show crypto ikev2 sa detailed, show crypto ipsec profile, and
show crypto ipsec sa.
4. To explore the process of IKEv2 SA rekeying, set the IKEv2 SA lifetime to 180 seconds
at R2. To do this, enter the following commands at R2:
crypto ikev2 profile myIKEv2Profile
lifetime 180

Then, after saving the configuration, clear the IKEv2 SA (clear crypto session) and let
a new IKEv2 SA be created. Using Wireshark, observe the messages exchanged
during this process. Using show crypto ikev2 sa detailed, check the evolution of the
SA lifetime and of the local and remote SPIs.
5. To explore the process of IPSec SA rekeying, set the IPSec SA lifetime to 120 seconds
at R1. To do this, enter the following commands at R1:
crypto ipsec profile myIPSecProfile
set security-association lifetime seconds 120

Then save the configuration and restart R1 (clearing the IKEv2 SA is not enough in
this case). Using Wireshark, observe the messages exchanged during this process.
Using show crypto ipsec sa, check the evolution of the SA lifetime and of the
inbound and outbound SPIs.

Summary of what is to be explained:

• With the help of Wireshark captures, explain the contents of the IKE_SA_INIT
messages. Identify the fields that carry the SPI, the proposals of cryptographic
algorithms, the public Diffie-Hellman value, and the nonce. What is the role of the
nonce?
• With the help of Wireshark captures, explain the contents of the IKE_AUTH
messages. Are they cyphered?
• With the help of Wireshark captures and Cisco IOS commands explain the process of
rekeying the IKEv2 and IPSec SAs. Does the process start from scratch, with an
IKE_SA_INIT exchange? What messages are exchanged in the rekeying? Do the SPIs
change? What are the main differences between the rekeying of the IKEv2 and IPSec
SAs?

7 DMVPN
Consider the network of Figure 2. Now the organization’s network includes three sites. You
will have to configure DMVPN solutions for communications between sites, and compare the
three alternatives: DMVPN Phase 1, Phase 2, and Phase 3.
In the DMVPN exercises the hub and spoke routers should be Cisco IOSv routers and the RA
router can be a Cisco 3725 or 7200.

[Figure 2 diagram. Addressing read from it: hub R1 with Lo 1.1.1.1, overlay 10.10.10.1, g0/0 .1 on 200.1.1.0/24 (RA f0/0 .10) and g0/1 .1 on 192.168.1.0/24 (PC1 .100); spoke R2 with Lo 2.2.2.2, overlay 10.10.10.2, g0/0 .2 towards RA f0/1 .10 and g0/1 .2 on 192.168.2.0/24 (PC2 .100); spoke R3 with Lo 3.3.3.3, overlay 10.10.10.3, g0/0 .3 towards RA f1/0 .10 and g0/1 .3 on 192.168.3.0/24 (PC3 .100); overlay network 10.10.10.0/24. The spoke-to-RA links are 200.2.2.0/24 and 200.3.3.0/24 (see the troubleshooting tips).]

Figure 2: Network topology for DMVPN exercise.

7.1 DMVPN Phase 1

Configure a DMVPN Phase 1 solution, i.e., configure a multipoint GRE tunnel interface at R1
(the hub router) and a point-to-point GRE tunnel interface at the spoke routers (R2 and R3).
The configuration of the tunnel interface at R1 is:
int Tunnel0
ip add 10.10.10.1 255.255.255.0
tunnel source Lo0
tunnel mode gre multipoint
ip nhrp network-id 1
ip nhrp map 10.10.10.2 2.2.2.2
ip nhrp map 10.10.10.3 3.3.3.3
ip nhrp map multicast 2.2.2.2
ip nhrp map multicast 3.3.3.3
ip ospf network broadcast
ip ospf 2 area 0

The configuration of the tunnel interface at R2 is:
int Tunnel0
ip add 10.10.10.2 255.255.255.0
tunnel source Lo0
tunnel destination 1.1.1.1
tunnel mode gre ip
ip ospf network broadcast
ip ospf priority 0
ip ospf 2 area 0

With this information, configure also the tunnel interface at R3.

1. Do a ping from PC2 to PC3 while capturing packets at each interface of the public
network. Concentrate, for example, on the ICMP Echo Request packets. Analyze the
IP addresses of the outer IP header of these packets. What is the route followed by
the packets from PC2 to PC3? This analysis can be complemented by a traceroute
from PC2 to PC3.
2. Explain the forwarding decisions of the hub router when routing packets from PC2 to
PC3 based on its routing table and its NHRP cache (the NHRP cache can be visualized
with the show dmvpn command).
3. Analyze the OSPF LSDB of the organization network. Explain the role of its LSAs. How
is the public network abstracted by OSPF?
4. Analyze the OSPF Hello packets exchanged at the overlay network, in the link
between R1 and RA. What router is the Designated Router? Identify the outer
destination IP address of each packet. Are these packets multicasted? Does R2 send
Hello packets directly to R3 (and vice-versa)? If there is a change in the network
topology of one “spoke” site, how is this information communicated to the other
“spoke” site?
5. What is the disadvantage of DMVPN Phase 1?

7.2 DMVPN Phase 2

Consider again the network of Figure 2. Now, configure a DMVPN Phase 2 solution, i.e., with
multipoint GRE tunnel interfaces in all routers. The configuration of the tunnel interface at
R1 is:
int Tunnel0
ip add 10.10.10.1 255.255.255.0
tunnel source Lo0
tunnel mode gre multipoint
ip nhrp network-id 1
ip nhrp map multicast dynamic
ip ospf network broadcast
ip ospf 2 area 0

The configuration of the tunnel interface at R2 is:
int Tunnel0
ip add 10.10.10.2 255.255.255.0
tunnel source Lo0
tunnel mode gre multipoint
ip nhrp map 10.10.10.1 1.1.1.1
ip nhrp map multicast 1.1.1.1
ip nhrp nhs 10.10.10.1
ip nhrp network-id 1
ip ospf network broadcast
ip ospf priority 0
ip ospf 2 area 0

With this information, configure also the tunnel interface at R3.

1. Start by switching on R1 and RA. Use the show dmvpn command to check that the
NHRP cache of R1 is empty. Then, switch on R2 while capturing packets at the link
between R1 and RA. What is the role of the NHRP Registration Request message
sent from R2 to R1? Explain the role of its most important fields. Check again the
NHRP cache of R1 and explain the difference in relation to the initial situation.
Repeat this analysis while switching on R3.
2. Notice that the routing table of R2 includes an entry to 192.168.3.0/24, having as
next hop the private address 10.10.10.3 (but not the corresponding public address).
Make a simple experiment to capture the OSPF LS Update packet that advertised
this subnet.
3. Now, you will perform a ping from PC2 to PC3. Before that, install Wireshark probes
at all links of the public network. Also, you will have to analyze the routing tables
and NHRP caches of R2 and R3, before and after the ping. While doing the ping, are
all ICMP packets transmitted at link R1-RA? Why? Explain the role of the various
NHRP packets triggered by this ping, and of their most important fields. What are
the differences in the routing tables and NHRP caches of R2 and R3 before and after
the ping? Explain how ICMP Echo Request packets are sent directly to R3, without
going through R1.

7.3 DMVPN Phase 3

Consider again the network of Figure 2. Now, configure a DMVPN Phase 3 solution, i.e., with
NHRP redirects and shortcuts. In this case, the routing protocol at the organization network
must be RIPv2. The RIPv2 configuration at router R1 is:
router rip
version 2
no auto-summary
network 192.168.1.0
network 10.10.10.0

Configure now RIPv2 at the remaining routers where it should be configured. The
configuration of the tunnel interface at R1 is:
int Tunnel0
ip add 10.10.10.1 255.255.255.0
tunnel source Lo0
tunnel mode gre multipoint
ip nhrp network-id 1
ip nhrp map multicast dynamic
ip nhrp redirect
ip summary-address rip 0.0.0.0 0.0.0.0

The configuration of the tunnel interface at R2 is:
int Tunnel0
ip add 10.10.10.2 255.255.255.0
tunnel source Lo0
tunnel mode gre multipoint
ip nhrp map 10.10.10.1 1.1.1.1
ip nhrp map multicast 1.1.1.1
ip nhrp nhs 10.10.10.1
ip nhrp network-id 1
ip nhrp shortcut

With this information, configure also the tunnel interface at R3.

1. Analyze the RIP and OSPF packets exchanged at the public network. Compare their
outer IP addresses and, based on this, explain the different roles of the OSPF and
RIP packets.
2. Remove the command ip summary-address rip 0.0.0.0 0.0.0.0 from the tunnel
configuration of R1. Analyze the RIP packets exchanged at the public network and
the various routing tables. Based on this, explain the importance of the split horizon
feature of RIP in ensuring that a spoke’s network does not include the subnets of
other spoke networks. To better understand this issue, you may want to analyze a
configuration without split horizon; for that, you will have to run the command no ip
split-horizon in the tunnel interface.
3. Reinstall the command ip summary-address rip 0.0.0.0 0.0.0.0 and analyze again the
RIP packets exchanged at the public network and the various routing tables. What is
the role of this command? Explain the contents of the NHRP caches (which can be
visualized using the show dmvpn command).
4. Now install a Wireshark probe at each link of the public network and, afterwards, do
a ping from PC2 to PC3. Analyze the NHRP and ICMP packets at all links. Moreover,
analyze the routing tables and the NHRP caches of all routers. Explain the sequence
of NHRP messages triggered by the ICMP Echo Request sent by R2. What is the route
followed by the initial ICMP Echo Request? Is this route maintained for subsequent
packets? What entries in the routing tables of R2 and R3 allow direct communication
between these two spokes? Explain the differences in the NHRP caches of R2 and R3
in relation to the initial situation.
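As an added example (not code from the lab guide), this Python model reproduces the forwarding decisions that sections 7.1 to 7.3 ask about for a packet from PC2 to PC3: the longest-prefix lookup in R2's routing table, the NHRP cache lookup, and the difference between Phase 1 (everything via the hub), Phase 2 (spoke-triggered resolution) and Phase 3 (hub redirect plus spoke shortcut). Addresses follow Figure 2; the NHRP message exchange is reduced to its effect on the tables, and the route origin codes (O, R, H) are an assumption modelled on show ip route.

```python
"""Toy model of the forwarding decisions asked about in sections 7.1 to 7.3 (added example,
not code from the lab guide): longest-prefix lookup in the spoke's routing table, the NHRP
cache lookup, and how Phase 1, Phase 2 (spoke-triggered resolution) and Phase 3 (hub
redirect + spoke shortcut) differ for packets from PC2 to PC3 in Figure 2. Addresses follow
Figure 2; the NHRP exchange is reduced to its effect on the tables; origin codes mimic show ip route."""
import ipaddress

HUB_OV, HUB_NBMA = "10.10.10.1", "1.1.1.1"      # R1 tunnel (overlay) address / loopback (NBMA)


class Spoke:
    def __init__(self, name, ov, nbma, lan, phase):
        self.name, self.ov, self.nbma, self.lan, self.phase = name, ov, nbma, lan, phase
        self.routes = {lan: (None, "C")}        # prefix -> (next-hop overlay address, origin)
        self.nhrp = {HUB_OV: HUB_NBMA}          # static entry: ip nhrp map 10.10.10.1 1.1.1.1
        self.log = []

    def lookup(self, dst):
        """Longest-prefix match over the routing table (the entry show ip route would use)."""
        addr = ipaddress.ip_address(dst)
        cands = [(ipaddress.ip_network(p), e) for p, e in self.routes.items()]
        return max((c for c in cands if addr in c[0]), key=lambda c: c[0].prefixlen)

    def next_nbma(self, dst, hub):
        """Public (NBMA) address the GRE packet for dst is tunneled to."""
        net, (nh, origin) = self.lookup(dst)
        self.log.append(f"{self.name}: {dst} matches {net} [{origin}] next hop {nh}")
        if nh is None:
            return None                         # directly connected LAN: not tunneled at all
        if self.phase == 1:
            return HUB_NBMA                     # point-to-point tunnel: everything goes to the hub
        if nh in self.nhrp:
            return self.nhrp[nh]
        if self.phase == 2:
            # OSPF gave a spoke overlay address as next hop but the cache has no NBMA for it:
            # send a Resolution Request to the NHS and forward via the hub until the reply.
            self.log.append(f"{self.name}: NHRP Resolution Request for {nh} sent to {HUB_OV}")
            self.nhrp[nh] = hub.nhrp[nh]        # Resolution Reply installs the dynamic entry
        return HUB_NBMA

    def traffic_indication(self, dst, hub):
        """Phase 3: the NHRP redirect from the hub makes the spoke resolve dst itself and
        install a shortcut route plus the matching NHRP cache entry (ip nhrp shortcut)."""
        owner = hub.owner(dst)
        self.log.append(f"{self.name}: NHRP Traffic Indication for {dst}; shortcut to {owner.ov}")
        self.routes[owner.lan] = (owner.ov, "H")
        self.nhrp[owner.ov] = owner.nbma


class Hub:
    def __init__(self, spokes, phase):
        self.spokes, self.phase = spokes, phase
        self.nhrp = {s.ov: s.nbma for s in spokes}   # built from NHRP Registration Requests

    def owner(self, dst):
        return next(s for s in self.spokes if ipaddress.ip_address(dst) in ipaddress.ip_network(s.lan))

    def forward(self, src, dst):
        target = self.owner(dst)
        if self.phase == 3 and target is not src:
            src.traffic_indication(dst, self)   # in and out the same mGRE interface: ip nhrp redirect
        return target.nbma


def simulate(phase, packets=2):
    """Return the public-address path of each packet from PC2 (via R2) to PC3 (R3), and R2."""
    r2 = Spoke("R2", "10.10.10.2", "2.2.2.2", "192.168.2.0/24", phase)
    r3 = Spoke("R3", "10.10.10.3", "3.3.3.3", "192.168.3.0/24", phase)
    hub = Hub([r2, r3], phase)
    if phase == 3:   # RIP: the hub advertises only 0.0.0.0/0 (ip summary-address rip 0.0.0.0 0.0.0.0)
        r2.routes["0.0.0.0/0"] = (HUB_OV, "R")
    else:            # OSPF broadcast network type: next hop is the originating spoke's overlay address
        r2.routes[r3.lan] = (r3.ov, "O")
    paths = []
    for _ in range(packets):
        hop = r2.next_nbma("192.168.3.100", hub)
        paths.append([hop] if hop != HUB_NBMA else [hop, hub.forward(r2, "192.168.3.100")])
    return paths, r2


if __name__ == "__main__":
    for ph in (1, 2, 3):
        paths, r2 = simulate(ph)
        print(f"Phase {ph}: {paths}\n  routes: {r2.routes}\n  nhrp: {r2.nhrp}")
```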
Summary of what is to be explained:
• Using Wireshark captures and Cisco IOS show commands, explain the main
characteristics of DMVPN Phase 3 and its differences in relation to DMVPN Phase 2 and
DMVPN Phase 1.
• What is the role of the command ip summary-address rip?
• What is the role of RIP’s split horizon in DMVPN Phase 3?

7.3.1 Troubleshooting tips

• Commands should not be entered one by one; otherwise you will surely make many
mistakes. Prepare your configurations in a text file and, when they are ready, copy-and-paste
them to the CLI of each device in one shot.
• If you cannot ping between the PCs, first review the configurations of all devices
using show run. Check that (i) all interfaces are active and with correctly assigned IP
addresses, (ii) all PCs have correctly configured default gateways, (iii) the no ip
routing command was inserted, if you are using Cisco routers as PCs, (iv) the hub
and the spokes have correctly configured loopback interfaces, (v) OSPF is correctly
configured at the public side of the hub and the spokes, and at router RA, (vi) RIP is
correctly configured at the private side of the hub and the spokes, (vii) the GRE
tunnels are correctly configured at the hub and the spokes (make sure that the
public and private addresses are correctly configured, pointing to where they should
point). Note that the ip nhrp shortcut instruction is only visible when the complete
configuration is displayed through show run all; try using show run all | include ip
nhrp.

• If you still cannot ping between the PCs, check the connectivity in the public
network. Nothing works if the public network doesn’t work! Ping between the
physical and the loopback interfaces of the hub and the spokes. For example, to ping
between the loopback interfaces of R2 and R3 run ping 3.3.3.3 source 2.2.2.2 at R2.
Note that, if there is connectivity between all loopback interfaces, there will surely
be between all physical interfaces.
• If you are not successful, check the routing tables of the hub, the two spokes, and of
router RA, using show ip route. For example, RA should have learned all three
loopback addresses (1.1.1.1/32, 2.2.2.2/32, and 3.3.3.3/32) through OSPF (and
should not have learned any of the subnets of the organization). Moreover, R1
should have learned through OSPF the loopback addresses of the spokes (2.2.2.2/32
and 3.3.3.3/32) and the subnet addresses of the links between the spokes and RA
(200.2.2.0/24 and 200.3.3.0/24).
• You can also do a Wireshark capture at the three links of the public network and
check if both sides of each link are transmitting periodic OSPF Hello packets. Using
show ip ospf neighbor check that the two sides have established neighborhood
relationships. Finally, inspect the Link State Database of the hub, the two spokes and
of router RA using show ip ospf database. Do they have all the LSAs they were
supposed to have?
• The Cisco IOS CLI signals, through a warning message, the establishment of OSPF
neighborhood relationships. Not having them indicates the existence of problems.
• If there is full connectivity in the public network, the problem may reside in the RIP
configuration. Do a Wireshark capture in the R1-RA link and check if periodic RIP
Response messages (encapsulated in GRE) are being transmitted. At this link, you
should see RIP Response messages transmitted by the loopback interfaces of the
hub and the two spokes. If one of the spokes is not sending RIP Response messages
the problem may be in that spoke.
• Check the RIP entries of the hub and of the two spokes. At R1, you should see the
subnet addresses of the two spokes (192.168.2.0/24 and 192.168.3.0/24) and at
both spokes you should see the default route 0.0.0.0/0, which was installed by the
hub.

• If you still can't ping, try to identify which device is the source of the problem. For
example, install Wireshark probes at all four links crossed by packets from PC1 to
PC2 and do a ping between these two devices. If you see no Echo Request at link
PC1-R1 there is certainly a problem with either PC1 or R1. If you see an Echo Request
at link PC1-R1 but not at link R1-RA, the problem may be caused by lack of
connectivity in the public network or a misconfiguration of R1 or R2 at the RIP level.
If the Echo Request arrives at PC2 but PC2 sends no Echo Reply, then the problem is
most certainly at PC2.
• If it still doesn’t work, send an SOS to the teacher (in the lab class or via Teams).

7.4 DMVPN over IPSec

Let us now make DMVPN secure! You just need to add IPSec to the DMVPN configuration.
Do it for DMVPN Phase 3. To this end, add the following command to the configuration of
the tunnel interface of all routers:
tunnel protection ipsec profile myIPSecProfile

Moreover, the IPSec configuration of all routers must be:
!IKE Phase 1 - Configure ISAKMP policy
crypto isakmp policy 10
encryption aes 256
authentication pre-share
group 5

!IKE Phase 1 - Configure pre-shared key
crypto isakmp key saar address 0.0.0.0

!IKE Phase 2 - Configure IPSec transform set
crypto ipsec transform-set myTSet ah-sha-hmac
mode transport

!IKE Phase 2 - Configure IPSec profile
crypto ipsec profile myIPSecProfile
set transform-set myTSet
The configuration is for the AH protocol. You must also analyze the ESP protocol.
1. Are there any differences in the routing tables and in the NHRP caches?
2. What packets are protected by IPSec (both ESP and AH)?
3. Why is the transport mode preferred over the tunnel mode?
4. How many SAs are there between each pair of routers?

Summary of what is to be explained:

• Explain the impact of adding IPSec to DMVPN Phase 3 in the routing tables and in
the NHRP caches.
• Indicate which packets are protected by IPSec and what is the preferred mode of
operation.

8 Duration
See the SAAR roadmap.

9 Report guidelines
In the report, you need only to address the following exercises:

• IPSec with IKEv1 (section 5)
• IPSec with IKEv2 (section 6)
• DMVPN Phase 3 (section 7.3)
See the SAAR roadmap for instructions on how to write the report.

10 Additional exercises
Additional exercises, related to this lab guide, that can be performed as a project are
indicated in the SAAR project guide. They are:

• Additional IKEv2 and FlexVPN
• Additional IPSec (IKEv1)
• GETVPN
• Redundant DMVPN designs
