Dual DMVPN

DMVPN stands for Dynamic Multipoint Virtual Private Network. It is essentially a design that combines three technologies: multipoint GRE (mGRE), the Next-Hop Resolution Protocol (NHRP) and IPSec.

Traditional site-to-site IPSec VPNs require individual (point-to-point GRE or IPSec) tunnels between each pair of Hub and Branch routers. For every new branch, configuration needs to be added on the Branch router as well as on the Hub router. Also, traffic between Branch routers goes through the Hub router.

Conversely, DMVPN uses an mGRE tunnel, which has multiple endpoints and is treated as a non-broadcast multi-access (NBMA) network. DMVPN has evolved through three phases:

Phase 1: Hub and Spoke - mGRE at the Hub and p2p GRE at the Branch routers

Phase 2: Hub and Spoke with Spoke-to-spoke tunnels (mGRE at the Hub and Branch routers)

Phase 3: Same as Phase 2 but now Spoke routers can also respond to NHRP Requests.

This article discusses Phase 2.

DMVPN Components

1. mGRE - Multipoint GRE

mGRE serves as a one-to-many interface for the creation of multiple hub-and-spoke tunnels. The tunnel destination of an mGRE tunnel does not have to be configured. An mGRE tunnel is effectively an NBMA medium like Frame Relay, so a mechanism like ARP is required to map logical (tunnel) IP addresses to physical (NBMA) IP addresses. This is taken care of by NHRP.

All the Hub routers are configured with an mGRE tunnel interface. If a Hub-and-Spoke model is to be deployed, the Branch routers are configured with a p2p GRE tunnel interface only. However, if a Spoke-to-Spoke model is to be deployed, the Branch routers must be configured with an mGRE tunnel interface.

2. NHRP - Next-Hop Resolution Protocol

NHRP (RFC 2332) is a Layer-2 address resolution protocol like ARP and Frame Relay Inverse ARP. NHRP is used by a Branch router connected to an NBMA network to determine the IP address of the NBMA next hop (the physical address); this could be the Hub router or another Branch router.

All Branch routers register their physical (NBMA) IP addresses, mapped to their logical (tunnel) IP addresses, with the Next-Hop Server (NHS). The IP address of the NHS is pre-configured on the Branch routers, which thereby become Next-Hop Clients (NHCs). The NHS stores all registered mappings and replies to NHRP Requests from NHCs. An NHS can itself be an NHC of another NHS and can forward NHRP Requests to its own NHS if it cannot find a registered mapping in its database.

NHRP facilitates building mGRE tunnels: it allows mGRE tunnel endpoints to discover each other's physical IP address.

Sample Scenario - Dual DMVPN

A dual DMVPN cloud topology with a spoke-to-spoke model consists of two Hub routers, each with an mGRE tunnel interface connecting all Branch routers. Each DMVPN cloud is a separate subnet. One DMVPN cloud is considered Primary: all Branch routers prefer it for sending traffic. The second DMVPN cloud is implemented to provide resiliency for the Primary DMVPN cloud.

mGRE Tunnel and IP Addressing

Tunnel 11 is the Primary tunnel while Tunnel 22 is the Backup tunnel. The tunnel mode gre multipoint command configures the tunnel as a multipoint GRE tunnel. No tunnel destination is configured; the destination endpoints (Branch routers) are discovered dynamically.

All LAN subnets on all routers belong to the 192.168.x.0/24 range. The Primary cloud uses the 10.0.1.0/24 subnet and the Backup cloud uses the 10.0.2.0/24 subnet. The WAN interfaces use public addresses.

Primary router

interface Serial 0/0
 description WAN Interface
 ip address 172.16.1.1 255.255.255.0
!
interface Fastethernet 0/0
 description LAN Interface
 ip address 192.168.0.1 255.255.255.0
!
interface Tunnel 11
 ip address 10.0.1.1 255.255.255.0
 tunnel mode gre multipoint
 tunnel source serial 0/0
 tunnel key 123
!

Backup router

interface Serial 0/0
 description WAN Interface
 ip address 172.26.1.1 255.255.255.0
!
interface Fastethernet 0/0
 description LAN Interface
 ip address 192.168.0.2 255.255.255.0
!
interface Tunnel 22
 ip address 10.0.2.1 255.255.255.0
 tunnel mode gre multipoint
 tunnel source serial 0/0
 tunnel key 456
!

Branch1 router

interface Serial 0/0
 description WAN Interface
 ip address 172.36.1.1 255.255.255.0
!
interface Fastethernet 0/0
 ip address 192.168.1.1 255.255.255.0
!
interface Tunnel 11
 ip address 10.0.1.2 255.255.255.0
 tunnel mode gre multipoint
 tunnel source serial 0/0
 tunnel key 123
!
interface Tunnel 22
 ip address 10.0.2.2 255.255.255.0
 tunnel mode gre multipoint
 tunnel source serial 0/0
 tunnel key 456
!

Branch2 router

interface Serial 0/0
 description WAN Interface
 ip address 172.46.1.1 255.255.255.0
!
interface Fastethernet 0/0
 ip address 192.168.2.1 255.255.255.0
!
interface Tunnel 11
 ip address 10.0.1.3 255.255.255.0
 tunnel mode gre multipoint
 tunnel source serial 0/0
 tunnel key 123
!
interface Tunnel 22
 ip address 10.0.2.3 255.255.255.0
 tunnel mode gre multipoint
 tunnel source serial 0/0
 tunnel key 456
!

Branch3 router

interface Serial 0/0
 description WAN Interface
 ip address 172.56.1.1 255.255.255.0
!
interface Fastethernet 0/0
 ip address 192.168.3.1 255.255.255.0
!
interface Tunnel 11
 ip address 10.0.1.4 255.255.255.0
 tunnel mode gre multipoint
 tunnel source serial 0/0
 tunnel key 123
!
interface Tunnel 22
 ip address 10.0.2.4 255.255.255.0
 tunnel mode gre multipoint
 tunnel source serial 0/0
 tunnel key 456
!

NHRP Configuration

The most basic commands to implement NHRP are as follows:

1) The ip nhrp map <tunnel-ip> <physical-ip> command creates a static binding between a tunnel IP address and a physical IP address. It is usually configured on the Branch routers (which act as NHRP clients) so that they know how to reach the tunnel address of the Hub.

2) The ip nhrp map multicast <dynamic | static-ip> command specifies the destination(s) that will receive multicast/broadcast traffic. Spokes map multicast to the physical IP address of the Hub, and the Hub maps multicast packets to the dynamic mappings, i.e. to all NHRP clients registered with the Hub (the NHRP server). This is important for routing protocols to form adjacencies and exchange routing updates.

3) The ip nhrp nhs <server-ip> command specifies the NHRP server to the Branch routers. The server IP address is the tunnel IP address of the Hub.

4) The ip nhrp authentication <key> command is optional. The key is sent in plain text and is used to authenticate the NHRP client. It must be the same on all NHRP routers.

5) The ip nhrp network-id <id> command identifies the logical network. It must be the same on all NHRP routers.

6) The ip nhrp holdtime <seconds> command specifies the hold-time value carried in registration requests. The NHS keeps a registered mapping for the hold-time period and flushes it if no refresh is received.

Primary router

interface Tunnel11
 ......
 ip nhrp map multicast dynamic
 ip nhrp network-id 123
 ip nhrp holdtime 60
!

Backup router

interface Tunnel22
 .....
 ip nhrp map multicast dynamic
 ip nhrp network-id 456
 ip nhrp holdtime 60
!

The NHRP configuration on all Branch routers looks the same.

All Branch routers

interface Tunnel11
 ....
 ip nhrp map 10.0.1.1 172.16.1.1    ! Statically mapping Primary Hub Tunnel IP and Physical IP Addresses
 ip nhrp map multicast 172.16.1.1
 ip nhrp nhs 10.0.1.1               ! Pre-configured NHRP Server- Primary Hub
 ip nhrp network-id 123
 ip nhrp holdtime 60
!
interface Tunnel22
 ....
 ip nhrp map 10.0.2.1 172.26.1.1    ! Statically mapping Backup Hub Tunnel IP and Physical IP Addresses
 ip nhrp map multicast 172.26.1.1
 ip nhrp nhs 10.0.2.1               ! Pre-configured NHRP Server- Backup Hub
 ip nhrp network-id 456
 ip nhrp holdtime 60
!

Routing Instances

We will use two separate routing protocol instances on the Hub and Branch routers: one for the WAN domain (OSPF) and another for the VPN domain (EIGRP).

For EIGRP, we need to disable split horizon on the Hub mGRE tunnel interface to ensure optimal forwarding. We also need to disable the default EIGRP behaviour of rewriting the next hop to itself, so that spokes learn each other's tunnel addresses as next hops. Lastly, we need to tweak the EIGRP metric on the tunnels so that the Primary is preferred over the Backup.

Primary router

router ospf 1
 ! WAN domain
 !
 network 172.16.1.0 0.0.0.255 area 0
!
router eigrp 1
 ! VPN domain
 !
 no auto-summary
 network 10.0.0.0
 network 192.168.0.0
!
interface Tunnel11
 ....
 no ip split-horizon eigrp 1
 no ip next-hop-self eigrp 1    ! This command is not required in DMVPN Phase 1
 delay 5
!

Backup router

router ospf 1
 ! WAN domain
 !
 network 172.26.1.0 0.0.0.255 area 0
!
router eigrp 1
 ! VPN domain
 !
 no auto-summary
 network 10.0.0.0
 network 192.168.0.0
!
interface Tunnel22
 ....
 delay 10
 no ip split-horizon eigrp 1
 no ip next-hop-self eigrp 1    ! This command is not required in DMVPN Phase 1
!

Branch routers

Branch1 router:
router ospf 1
 network 172.36.1.0 0.0.0.255 area 0
!
router eigrp 1
 no auto-summary
 network 10.0.0.0
 network 192.168.1.0
!
interface Tunnel11
 ....
 delay 5
!
interface Tunnel22
 ....
 delay 10
!
Branch2 router:
router ospf 1
 network 172.46.1.0 0.0.0.255 area 0
!
router eigrp 1
 no auto-summary
 network 10.0.0.0
 network 192.168.2.0
!
interface Tunnel11
 ....
 delay 5
!
interface Tunnel22
 ....
 delay 10
!
Branch3 router:
router ospf 1
 network 172.56.1.0 0.0.0.255 area 0
!
router eigrp 1
 no auto-summary
 network 10.0.0.0
 network 192.168.3.0
!
interface Tunnel11
 ....
 delay 5
!
interface Tunnel22
 ....
 delay 10
!

All the Spoke routers try to register their logical-IP-to-NBMA-IP mapping with the Hub. Each Spoke router has two tunnel interfaces to two different Hubs, Primary and Backup, so every Spoke router sends Registration Request packets carrying its logical-to-NBMA address mapping to both the Primary and the Backup. The following output shows the Spoke1 router registering with the two Hubs. The Hubs respond with a Registration Reply packet to the Spoke router.

NHRP Registration

Primary#
*Mar  1 09:55:23.589: NHRP: Receive Registration Request via Tunnel11 vrf 0, packet size: 92
*Mar  1 09:55:23.589: NHRP: netid_in = 123, to_us = 1
*Mar  1 09:55:23.589: NHRP: Tu11: Creating dynamic multicast mapping  NBMA: 172.36.1.1
*Mar  1 09:55:23.589: NHRP: Attempting to send packet via DEST 10.0.1.2
*Mar  1 09:55:23.593: NHRP: Encapsulation succeeded.  Tunnel IP addr 172.36.1.1
*Mar  1 09:55:23.593: NHRP: Send Registration Reply via Tunnel11 vrf 0, packet size: 112
*Mar  1 09:55:23.597:       src: 10.0.1.1, dst: 10.0.1.2
*Mar  1 09:55:23.597: NHRP: 112 bytes out Tunnel11
Backup#
*Mar  1 09:54:59.585: NHRP: Receive Registration Request via Tunnel22 vrf 0, packet size: 92
*Mar  1 09:54:59.585: NHRP: netid_in = 456, to_us = 1
*Mar  1 09:54:59.585: NHRP: Tu22: Creating dynamic multicast mapping  NBMA: 172.36.1.1
*Mar  1 09:54:59.589: NHRP: Attempting to send packet via DEST 10.0.2.2
*Mar  1 09:54:59.589: NHRP: Encapsulation succeeded.  Tunnel IP addr 172.36.1.1
*Mar  1 09:54:59.593: NHRP: Send Registration Reply via Tunnel22 vrf 0, packet size: 112
*Mar  1 09:54:59.593:       src: 10.0.2.1, dst: 10.0.2.2
*Mar  1 09:54:59.593: NHRP: 112 bytes out Tunnel22

This registration allows the mGRE interface on the Hub router to build a dynamic tunnel back to the registering Branch/Spoke router without having to know the Branch tunnel destination statically. NHRP tells the mGRE interface where to tunnel a packet to reach a certain address.

The NHRP cache can be viewed with the show ip nhrp command. The Hubs learn the mappings dynamically, while the Spoke routers have only a single static mapping per tunnel interface in their NHRP cache.

NHRP Cache

Primary# show ip nhrp
10.0.1.2/32 via 10.0.1.2, Tunnel11 created 07:57:45, expire 00:00:58
  Type: dynamic, Flags: unique registered used
  NBMA address: 172.36.1.1
10.0.1.3/32 via 10.0.1.3, Tunnel11 created 00:36:01, expire 00:00:49
  Type: dynamic, Flags: unique registered used
  NBMA address: 172.46.1.1
10.0.1.4/32 via 10.0.1.4, Tunnel11 created 00:03:49, expire 00:00:49
  Type: dynamic, Flags: unique registered used
  NBMA address: 172.56.1.1
Spoke3# show ip nhrp
10.0.1.1/32 via 10.0.1.1, Tunnel11 created 00:14:53, never expire
  Type: static, Flags: used
  NBMA address: 172.16.1.1
10.0.2.1/32 via 10.0.2.1, Tunnel22 created 00:14:46, never expire
  Type: static, Flags: used
  NBMA address: 172.26.1.1

The unique flag indicates that the Registration Request message had the unique flag set. The NHS rejects Registration Requests if the mapping in the message is already present or is not unique. The used flag indicates that the router uses this mapping to switch IP packets.

All Branch routers learn about the remote 192.168.x.0/24 networks via EIGRP over Tunnel 11 (the Primary tunnel).

EIGRP routes

Spoke1# show ip route eigrp
D    192.168.0.0/24 [90/284471296] via 10.0.1.1, 00:05:58, Tunnel11
D    192.168.2.0/24 [90/284472576] via 10.0.1.3, 00:05:53, Tunnel11
D    192.168.3.0/24 [90/284472576] via 10.0.1.4, 00:03:56, Tunnel11
Spoke2# show ip route eigrp
D    192.168.0.0/24 [90/284471296] via 10.0.1.1, 00:25:18, Tunnel11
D    192.168.1.0/24 [90/284472576] via 10.0.1.2, 00:06:11, Tunnel11
D    192.168.3.0/24 [90/284472576] via 10.0.1.4, 00:04:15, Tunnel11
Spoke3# show ip route eigrp
D    192.168.0.0/24 [90/284471296] via 10.0.1.1, 00:04:38, Tunnel11
D    192.168.1.0/24 [90/284472576] via 10.0.1.2, 00:04:38, Tunnel11
D    192.168.2.0/24 [90/284472576] via 10.0.1.3, 00:04:38, Tunnel11
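The metrics in the routing tables above follow from the delay commands in the EIGRP configuration. The following added example (not code from the article) reproduces them with the classic EIGRP composite metric, using the article's delay 5 and delay 10 values and the IOS default tunnel bandwidth of 9 kbps; it also covers the Backup-cloud metrics that appear once the Primary Hub is down. The LAN interface delay of 1000 microseconds (100 units of 10 us) is an assumption, inferred because it is the value that reproduces the article's numbers.

```python
# Added example (not from the original article): reproduce the EIGRP metrics
# seen in the spoke routing tables from the interface delays in the
# configuration, to show why "delay 5" on Tunnel11 and "delay 10" on Tunnel22
# make every spoke prefer the Primary cloud.

TUNNEL_BANDWIDTH_KBPS = 9    # IOS default bandwidth on a GRE tunnel interface
# Assumption: the LAN interfaces in the lab report a delay of 1000 microseconds
# (100 units of 10 us). This is the value that reproduces the article's numbers.
LAN_DELAY_UNITS = 100
PRIMARY_TUNNEL_DELAY = 5     # "delay 5"  on Tunnel11 (units of 10 us)
BACKUP_TUNNEL_DELAY = 10     # "delay 10" on Tunnel22


def eigrp_metric(min_bandwidth_kbps: int, delay_units: int) -> int:
    """Classic EIGRP composite metric with default K values (K1=K3=1, K2=K4=K5=0).

    IOS computes 10^7 / bandwidth with integer division, adds the sum of the
    interface delays expressed in tens of microseconds, then scales by 256.
    """
    return 256 * (10_000_000 // min_bandwidth_kbps + delay_units)


def hub_lan_metric(tunnel_delay: int) -> int:
    """Metric a spoke sees for the hub's LAN (192.168.0.0/24): the hub's LAN
    delay plus the spoke's own tunnel delay."""
    return eigrp_metric(TUNNEL_BANDWIDTH_KBPS, LAN_DELAY_UNITS + tunnel_delay)


def spoke_lan_metric(tunnel_delay: int) -> int:
    """Metric a spoke sees for another spoke's LAN: the remote spoke advertises
    its LAN delay, the hub adds its tunnel delay when re-advertising it
    (split horizon is disabled), and the receiving spoke adds its own tunnel
    delay, so the tunnel delay counts twice."""
    return eigrp_metric(TUNNEL_BANDWIDTH_KBPS, LAN_DELAY_UNITS + 2 * tunnel_delay)


def preferred_cloud() -> str:
    """Which tunnel EIGRP installs for a remote spoke LAN when both clouds are up."""
    primary = spoke_lan_metric(PRIMARY_TUNNEL_DELAY)
    backup = spoke_lan_metric(BACKUP_TUNNEL_DELAY)
    return "Tunnel11" if primary < backup else "Tunnel22"


if __name__ == "__main__":
    print("hub LAN via Tunnel11:  ", hub_lan_metric(PRIMARY_TUNNEL_DELAY))    # 284471296
    print("spoke LAN via Tunnel11:", spoke_lan_metric(PRIMARY_TUNNEL_DELAY))  # 284472576
    print("hub LAN via Tunnel22:  ", hub_lan_metric(BACKUP_TUNNEL_DELAY))     # 284472576
    print("spoke LAN via Tunnel22:", spoke_lan_metric(BACKUP_TUNNEL_DELAY))   # 284475136
    print("preferred:", preferred_cloud())
```

Because the bandwidth term (10^7 / 9) is identical on both tunnels, only the delay term separates the two clouds, which is why a difference of 5 delay units is enough to make Tunnel11 strictly better for every prefix.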

However, the CEF adjacency for prefixes connected to a remote Branch router over the DMVPN cloud is seen as an invalid adjacency on the Branch3 router, while the CEF adjacency for the next hop itself is a valid punt adjacency, which means that the packet cannot be CEF-switched and needs to be fast-switched or process-switched.

Spoke3# show ip cef 192.168.1.0
192.168.1.0/24, version 33, epoch 0
0 packets, 0 bytes
  via 10.0.1.2, Tunnel11, 0 dependencies
    next hop 10.0.1.2, Tunnel11
    invalid adjacency
Spoke3# show ip cef 10.0.1.2
10.0.1.0/24, version 22, epoch 0, attached, connected
0 packets, 0 bytes
  via Tunnel11, 0 dependencies
    valid punt adjacency

When the Branch3 router tries to send a packet to 192.168.1.0/24, it finds that it has a punt adjacency for its next hop 10.0.1.2. The Branch3 router then attempts to send an NHRP Resolution Request directly to its next hop 10.0.1.2, i.e. the Spoke1 router, but this fails because the NBMA address of the Branch1 router is unknown. In the meantime, the Branch3 router continues to send packets via the NHS.

*Mar  1 08:36:58.865: NHRP: MACADDR: if_in null netid-in 0 if_out Tunnel11 netid-out 123
*Mar  1 08:36:58.865: NHRP: Checking for delayed event 0.0.0.0/10.0.1.2 on list (Tunnel11).
*Mar  1 08:36:58.869: NHRP: No node found.
*Mar  1 08:36:58.869: NHRP: Sending packet to NHS 10.0.1.1 on Tunnel11
*Mar  1 08:36:58.881: NHRP: Checking for delayed event 0.0.0.0/10.0.1.2 on list (Tunnel11).
*Mar  1 08:36:58.881: NHRP: No node found.
*Mar  1 08:36:58.881: NHRP: Attempting to send packet via DEST 10.0.1.2
*Mar  1 08:36:58.885: NHRP: Send Resolution Request via Tunnel11 vrf 0, packet size: 72
*Mar  1 08:36:58.885:  src: 10.0.1.4, dst: 10.0.1.2
*Mar  1 08:36:58.885:  (F) afn: IPv4(1), type: IP(800), hop: 255, ver: 1
*Mar  1 08:36:58.889:      shtl: 4(NSAP), sstl: 0(NSAP)
*Mar  1 08:36:58.889:  (M) flags: "router auth src-stable nat ", reqid: 129
*Mar  1 08:36:58.889:      src NBMA: 172.56.1.1
*Mar  1 08:36:58.889:      src protocol: 10.0.1.4, dst protocol: 10.0.1.2
*Mar  1 08:36:58.893:  (C-1) code: no error(0)
*Mar  1 08:36:58.893:        prefix: 0, mtu: 1514, hd_time: 60
*Mar  1 08:36:58.893:        addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 0
*Mar  1 08:36:58.893: NHRP: Encapsulation failed for destination 10.0.1.2 out Tunnel11
*Mar  1 08:36:58.897: NHRP: Attempting to send packet via NHS 10.0.1.1
*Mar  1 08:36:58.897: NHRP: Encapsulation succeeded.  Tunnel IP addr 172.16.1.1

An NHRP packet contains three parts:

1. Fixed Part (F): It specifies the address-family (afn), protocol type (IP) as well as subnetwork type and length.

2. Mandatory Part (M): It specifies the flags and the request ID (reqid). It also includes the source NBMA address and source/destination protocol IP addresses.

3. Client Information Element (CIE C-1) part: It contains information about networks connected to requesting/responding routers.

The Spoke3 router then sends the Resolution Request to the NHS. It contains the source NBMA address of the Spoke3 router (itself), the tunnel source address of the Spoke3 router and the tunnel destination address of the Spoke1 router.

*Mar  1 08:36:58.897: NHRP: Send Resolution Request via Tunnel11 vrf 0, packet size: 72
*Mar  1 08:36:58.901:  src: 10.0.1.4, dst: 10.0.1.1
*Mar  1 08:36:58.901:  (F) afn: IPv4(1), type: IP(800), hop: 255, ver: 1
*Mar  1 08:36:58.901:      shtl: 4(NSAP), sstl: 0(NSAP)
*Mar  1 08:36:58.901:  (M) flags: "router auth src-stable nat ", reqid: 129
*Mar  1 08:36:58.905:      src NBMA: 172.56.1.1
*Mar  1 08:36:58.905:      src protocol: 10.0.1.4, dst protocol: 10.0.1.2
*Mar  1 08:36:58.905:  (C-1) code: no error(0)
*Mar  1 08:36:58.905:        prefix: 0, mtu: 1514, hd_time: 60
*Mar  1 08:36:58.909:        addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 0
*Mar  1 08:36:58.909: NHRP: 72 bytes out Tunnel11
*Mar  1 08:36:59.125: NHRP: MACADDR: if_in null netid-in 0 if_out Tunnel11 netid-out 123
*Mar  1 08:36:59.125: NHRP: Checking for delayed event 0.0.0.0/10.0.1.2 on list (Tunnel11).
*Mar  1 08:36:59.129: NHRP: No node found.
*Mar  1 08:36:59.129: NHRP: Sending packet to NHS 10.0.1.1 on Tunnel11

The request arrives at the NHS. The NHS has a mapping for 10.0.1.2 in its NHRP cache and responds with a Resolution Reply message carrying the correct mapping in the Mandatory part.

*Mar  1 08:36:59.133: NHRP: Receive Resolution Request via Tunnel11 vrf 0, packet size: 92
*Mar  1 08:36:59.137:  (F) afn: IPv4(1), type: IP(800), hop: 254, ver: 1
*Mar  1 08:36:59.137:      shtl: 4(NSAP), sstl: 0(NSAP)
*Mar  1 08:36:59.137:  (M) flags: "router auth src-stable nat ", reqid: 2970
*Mar  1 08:36:59.137:      src NBMA: 172.36.1.1
*Mar  1 08:36:59.137:      src protocol: 10.0.1.2, dst protocol: 10.0.1.4
*Mar  1 08:36:59.141:  (C-1) code: no error(0)
*Mar  1 08:36:59.141:        prefix: 0, mtu: 1514, hd_time: 60
*Mar  1 08:36:59.141:        addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 0
*Mar  1 08:36:59.141: NHRP: netid_in = 123, to_us = 1

The Spoke3 router receives the Resolution Reply packet, and its CEF adjacency for 10.0.1.2 is now complete. It now attempts to send packets directly to the Spoke1 router rather than through the Hub router.

*Mar  1 08:36:59.285: NHRP: Receive Resolution Reply via Tunnel11 vrf 0, packet size: 120
*Mar  1 08:36:59.289:  (F) afn: IPv4(1), type: IP(800), hop: 255, ver: 1
*Mar  1 08:36:59.289:      shtl: 4(NSAP), sstl: 0(NSAP)
*Mar  1 08:36:59.289:  (M) flags: "router auth dst-stable unique src-stable nat ", reqid: 129
*Mar  1 08:36:59.289:      src NBMA: 172.56.1.1
*Mar  1 08:36:59.293:      src protocol: 10.0.1.4, dst protocol: 10.0.1.2
*Mar  1 08:36:59.293:  (C-1) code: no error(0)
*Mar  1 08:36:59.293:        prefix: 32, mtu: 1514, hd_time: 59
*Mar  1 08:36:59.293:        addr_len: 4(NSAP), subaddr_len: 0(NSAP), proto_len: 4, pref: 0
*Mar  1 08:36:59.297:        client NBMA: 172.36.1.1
*Mar  1 08:36:59.297:        client protocol: 10.0.1.2
*Mar  1 08:36:59.297: NHRP: netid_in = 0, to_us = 1
*Mar  1 08:36:59.297: NHRP: Checking for delayed event 0.0.0.0/10.0.1.2 on list (Tunnel11).
*Mar  1 08:36:59.301: NHRP: No node found.
*Mar  1 08:36:59.301: NHRP: No need to delay processing of resolution event nbma src:172.56.1.1 nbma dst:172.36.1.1
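The registration and resolution exchanges traced in the debug output above can be modelled in a few dozen lines. The following is an added example, not code from the article: it models the NHS cache on the Hub and the cache on two spokes, with a simulated clock so that the holdtime expiry and the rejection that the unique flag causes can be observed. Addresses and the network-id are the article's lab values; the 192.0.2.x addresses are constructed for the rejected cases, and the NHS answering the Resolution Request directly from its cache follows the article's description of the exchange.

```python
# Added example, not code from the original article: a small model of the two
# NHRP exchanges traced above (Registration Request/Reply with the NHS and a
# spoke-to-spoke Resolution Request answered from the NHS cache), with a
# simulated clock so that holdtime expiry and the "unique" registration flag
# can be observed. Addresses and network-id are the article's lab values;
# 192.0.2.x addresses are constructed for the rejected cases.

from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class NhrpEntry:
    nbma: str                    # physical (NBMA) address of the tunnel endpoint
    kind: str                    # "static" (ip nhrp map) or "dynamic" (learnt)
    expires_at: Optional[float]  # None means "never expire"
    flags: Set[str]

    def alive(self, now: float) -> bool:
        return self.expires_at is None or self.expires_at > now


class NextHopServer:
    """Hub side: holds the registered tunnel-IP -> NBMA mappings."""

    def __init__(self, network_id: int):
        self.network_id = network_id
        self.cache: Dict[str, NhrpEntry] = {}

    def registration(self, tunnel_ip: str, nbma: str, network_id: int,
                     holdtime: int, now: float, unique: bool = True) -> str:
        if network_id != self.network_id:
            return "dropped"         # netid_in mismatch: not our logical network
        current = self.cache.get(tunnel_ip)
        if unique and current and current.alive(now) and current.nbma != nbma:
            return "rejected"        # unique flag: tunnel IP already bound to another NBMA
        self.cache[tunnel_ip] = NhrpEntry(nbma, "dynamic", now + holdtime,
                                          {"unique", "registered"})
        return "registered"          # Registration Reply

    def resolution(self, tunnel_ip: str, now: float) -> Optional[NhrpEntry]:
        """Resolution Reply: the live mapping for tunnel_ip, or nothing."""
        entry = self.cache.get(tunnel_ip)
        return entry if entry and entry.alive(now) else None


class Spoke:
    """Branch side: one static mapping for the NHS, dynamic entries from replies."""

    def __init__(self, tunnel_ip: str, nbma: str, nhs_tunnel_ip: str,
                 nhs_nbma: str, network_id: int, holdtime: int):
        self.tunnel_ip, self.nbma = tunnel_ip, nbma
        self.network_id, self.holdtime = network_id, holdtime
        self.nhs_tunnel_ip = nhs_tunnel_ip
        # "ip nhrp map <nhs-tunnel-ip> <nhs-nbma>": a static entry that never expires
        self.cache: Dict[str, NhrpEntry] = {
            nhs_tunnel_ip: NhrpEntry(nhs_nbma, "static", None, {"used"})}

    def register(self, nhs: NextHopServer, now: float) -> str:
        return nhs.registration(self.tunnel_ip, self.nbma, self.network_id,
                                self.holdtime, now)

    def forward(self, next_hop: str, nhs: NextHopServer, now: float) -> str:
        """Return the NBMA address a packet for next_hop is encapsulated to."""
        entry = self.cache.get(next_hop)
        if entry and entry.alive(now):
            return entry.nbma        # valid adjacency: spoke-to-spoke directly
        # Encapsulation to next_hop fails, so a Resolution Request goes to the
        # NHS; this packet itself is still sent through the hub.
        reply = nhs.resolution(next_hop, now)
        if reply is not None:
            # hd_time in the reply is the NHS's remaining holdtime for the entry
            self.cache[next_hop] = NhrpEntry(reply.nbma, "dynamic",
                                             reply.expires_at, {"router"})
        return self.cache[self.nhs_tunnel_ip].nbma


def run_scenario() -> List[str]:
    """Primary cloud (network-id 123): Spoke1 and Spoke3 register, then Spoke3
    sends toward Spoke1's tunnel address 10.0.1.2."""
    nhs = NextHopServer(network_id=123)
    spoke1 = Spoke("10.0.1.2", "172.36.1.1", "10.0.1.1", "172.16.1.1", 123, 60)
    spoke3 = Spoke("10.0.1.4", "172.56.1.1", "10.0.1.1", "172.16.1.1", 123, 60)
    return [
        spoke1.register(nhs, now=0),                     # registered
        spoke3.register(nhs, now=0),                     # registered
        spoke3.forward("10.0.1.2", nhs, now=1),          # 172.16.1.1: via hub while resolving
        spoke3.forward("10.0.1.2", nhs, now=2),          # 172.36.1.1: direct to Spoke1
        # constructed: a second NBMA address claims Spoke1's tunnel address
        nhs.registration("10.0.1.2", "192.0.2.99", 123, 60, now=3),   # rejected
        # constructed: a registration for the backup cloud's network-id reaches this NHS
        nhs.registration("10.0.1.5", "192.0.2.5", 456, 60, now=3),    # dropped
        # nobody re-registers within the 60 s holdtime: the mapping ages out
        spoke3.forward("10.0.1.2", nhs, now=61),         # 172.16.1.1: back through the hub
    ]
```

Running run_scenario() shows the sequence the debugs describe: the first packet toward 10.0.1.2 is encapsulated to the Primary Hub (172.16.1.1) while the resolution is in flight, the next one goes straight to Spoke1's NBMA address (172.36.1.1), and once the 60-second holdtime lapses without a refresh the spoke falls back to the Hub again, which is why the spokes keep re-registering.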

The show ip cef command now shows that the CEF adjacency is complete, and the show ip nhrp command shows a dynamically learnt NHRP entry.

Spoke3# show ip cef 192.168.1.0
192.168.1.0/24, version 65, epoch 0
0 packets, 0 bytes
  via 10.0.1.2, Tunnel11, 0 dependencies
    next hop 10.0.1.2, Tunnel11
    valid adjacency
Spoke3# show ip nhrp
10.0.1.1/32 via 10.0.1.1, Tunnel11 created 00:10:37, never expire
  Type: static, Flags: used
  NBMA address: 172.16.1.1
10.0.1.2/32 via 10.0.1.2, Tunnel11 created 00:00:20, expire 00:00:54
  Type: dynamic, Flags: router
  NBMA address: 172.36.1.1
10.0.1.4/32 via 10.0.1.4, Tunnel11 created 00:00:19, expire 00:00:40
  Type: dynamic, Flags: router unique local
  NBMA address: 172.56.1.1
    (no-socket)
10.0.2.1/32 via 10.0.2.1, Tunnel22 created 00:10:30, never expire
  Type: static, Flags: used
  NBMA address: 172.26.1.1

The router flag means that the mapping is either for the remote router or for a network behind the remote router.

Backup Hub into the Picture

When the Primary Hub is not available, all Spoke routers learn about remote prefixes through Tunnel 22 rather than Tunnel 11.

Prefixes learnt through Tunnel 22

Spoke1# show ip route eigrp 1
D    192.168.0.0/24 [90/284472576] via 10.0.2.1, 00:06:04, Tunnel22
D    192.168.2.0/24 [90/284475136] via 10.0.2.3, 00:00:26, Tunnel22
D    192.168.3.0/24 [90/284475136] via 10.0.2.4, 00:06:02, Tunnel22
Spoke2# show ip route eigrp
D    192.168.0.0/24 [90/284472576] via 10.0.2.1, 00:00:43, Tunnel22
D    192.168.1.0/24 [90/284475136] via 10.0.2.2, 00:00:43, Tunnel22
D    192.168.3.0/24 [90/284475136] via 10.0.2.4, 00:00:43, Tunnel22
Spoke3# show ip route eigrp
D    192.168.0.0/24 [90/284472576] via 10.0.2.1, 00:06:35, Tunnel22
D    192.168.1.0/24 [90/284475136] via 10.0.2.2, 00:06:32, Tunnel22
D    192.168.2.0/24 [90/284475136] via 10.0.2.3, 00:00:57, Tunnel22
Spoke3# show ip cef 192.168.1.0
192.168.1.0/24, version 72, epoch 0
0 packets, 0 bytes
  via 10.0.2.2, Tunnel22, 0 dependencies
    next hop 10.0.2.2, Tunnel22
    invalid adjacency

Once again, when the Spoke3 router attempts to send a packet to the 192.168.1.0/24 prefix connected to the Spoke1 router, it first tries to send the packet directly to the Spoke1 router; since the CEF adjacency is not complete, the packets are forwarded to the Hub. At the same time, the Spoke3 router sends a Resolution Request packet to the Backup NHS via Tunnel 22.

Backup#
*Mar  1 18:11:13.611: NHRP: Receive Resolution Request via Tunnel22 vrf 0, packet size: 72
*Mar  1 18:11:13.615:  (F) afn: IPv4(1), type: IP(800), hop: 255, ver: 1
*Mar  1 18:11:13.615:      shtl: 4(NSAP), sstl: 0(NSAP)
*Mar  1 18:11:13.615:  (M) flags: "router auth src-stable nat ", reqid: 195
*Mar  1 18:11:13.615:      src NBMA: 172.56.1.1
*Mar  1 18:11:13.615:      src protocol: 10.0.2.4, dst protocol: 10.0.2.2
*Mar  1 18:11:13.619:  (C-1) code: no error(0)
*Mar  1 18:11:13.619:        prefix: 0, mtu: 1514, hd_time: 60
*Mar  1 18:11:13.619:        addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 0

The Backup NHS receives the Resolution Request packet. It looks up its NHRP cache and finds a valid mapping. It responds with a Resolution Reply packet back to the Spoke3 router with the correct mapping.

*Mar  1 18:11:13.623: NHRP: Forwarding Resolution Request via Tunnel22 vrf 0, packet size: 92
*Mar  1 18:11:13.627:  src: 10.0.2.1, dst: 10.0.2.2
*Mar  1 18:11:13.627:  (F) afn: IPv4(1), type: IP(800), hop: 254, ver: 1
*Mar  1 18:11:13.627:      shtl: 4(NSAP), sstl: 0(NSAP)
*Mar  1 18:11:13.627:  (M) flags: "router auth src-stable nat ", reqid: 195
*Mar  1 18:11:13.631:      src NBMA: 172.56.1.1
*Mar  1 18:11:13.631:      src protocol: 10.0.2.4, dst protocol: 10.0.2.2
*Mar  1 18:11:13.631:  (C-1) code: no error(0)
*Mar  1 18:11:13.631:        prefix: 0, mtu: 1514, hd_time: 60
*Mar  1 18:11:13.631:        addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 0

The show ip nhrp command confirms the dynamically learnt mapping on Spoke3 router.

show ip nhrp

Spoke3# show ip nhrp
10.0.1.1/32 via 10.0.1.1, Tunnel11 created 00:28:08, never expire
  Type: static, Flags: used
  NBMA address: 172.16.1.1
10.0.2.1/32 via 10.0.2.1, Tunnel22 created 00:28:01, never expire
  Type: static, Flags: used
  NBMA address: 172.26.1.1
10.0.2.2/32 via 10.0.2.2, Tunnel22 created 00:01:13, expire 00:00:23
  Type: dynamic, Flags: router
  NBMA address: 172.36.1.1
10.0.2.4/32 via 10.0.2.4, Tunnel22 created 00:01:12, expire 00:00:05
  Type: dynamic, Flags: router unique local
  NBMA address: 172.56.1.1
    (no-socket)
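The show ip nhrp output above is what an operator checks when a spoke stops reaching its peers, so it is worth being able to parse it. The following is an added example, not code from the article: a parser for the show ip nhrp output and a check that a spoke's cache looks the way the article expects (one static mapping per NHS with the right NBMA address, and dynamic entries that are not about to age out). The sample is constructed from the Spoke3 output shown above; the expected NHS addresses are the ones from the ip nhrp map commands in the branch configuration, and the 192.0.2.1 address used in the usage note is a constructed wrong value.

```python
# Added example, not code from the original article: a parser for the
# "show ip nhrp" output and a check of a spoke's cache against the NHS
# mappings configured with "ip nhrp map". The sample below is constructed
# from the Spoke3 output in the article.

import re
from typing import Dict, List

SAMPLE = """\
Spoke3# show ip nhrp
10.0.1.1/32 via 10.0.1.1, Tunnel11 created 00:28:08, never expire
  Type: static, Flags: used
  NBMA address: 172.16.1.1
10.0.2.1/32 via 10.0.2.1, Tunnel22 created 00:28:01, never expire
  Type: static, Flags: used
  NBMA address: 172.26.1.1
10.0.2.2/32 via 10.0.2.2, Tunnel22 created 00:01:13, expire 00:00:23
  Type: dynamic, Flags: router
  NBMA address: 172.36.1.1
10.0.2.4/32 via 10.0.2.4, Tunnel22 created 00:01:12, expire 00:00:05
  Type: dynamic, Flags: router unique local
  NBMA address: 172.56.1.1
    (no-socket)
"""

HEADER = re.compile(
    r"^(?P<prefix>\S+) via (?P<via>\S+), (?P<intf>\S+) created (?P<created>[\d:]+), "
    r"(?:never expire|expire (?P<expire>[\d:]+))$")
TYPE_LINE = re.compile(r"^Type: (?P<kind>\w+), Flags:\s*(?P<flags>.*)$")
NBMA_LINE = re.compile(r"^NBMA address: (?P<nbma>\S+)$")


def hms_to_seconds(text: str) -> int:
    h, m, s = (int(part) for part in text.split(":"))
    return h * 3600 + m * 60 + s


def parse_show_ip_nhrp(output: str) -> List[dict]:
    """Return one dict per cache entry; 'expire' is None for 'never expire'."""
    entries: List[dict] = []
    for raw in output.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            entries.append({
                "prefix": m["prefix"], "via": m["via"], "interface": m["intf"],
                "created": hms_to_seconds(m["created"]),
                "expire": hms_to_seconds(m["expire"]) if m["expire"] else None,
                "type": None, "flags": set(), "nbma": None, "no_socket": False,
            })
            continue
        if not entries:
            continue                      # prompt line or anything before the first entry
        cur = entries[-1]
        if (m := TYPE_LINE.match(line)):
            cur["type"], cur["flags"] = m["kind"], set(m["flags"].split())
        elif (m := NBMA_LINE.match(line)):
            cur["nbma"] = m["nbma"]
        elif line == "(no-socket)":
            cur["no_socket"] = True       # the router's own (local) entry, no IPsec socket
    return entries


def check_spoke_cache(entries: List[dict], expected_nhs: Dict[str, str],
                      warn_below: int = 30) -> Dict[str, List[str]]:
    """expected_nhs: NHS tunnel IP -> NBMA address, as in 'ip nhrp map'."""
    problems: List[str] = []
    static = {e["via"]: e for e in entries if e["type"] == "static"}
    for tunnel_ip, nbma in expected_nhs.items():
        e = static.get(tunnel_ip)
        if e is None:
            problems.append(f"no static mapping for NHS {tunnel_ip}")
        elif e["nbma"] != nbma:
            problems.append(f"NHS {tunnel_ip} maps to {e['nbma']}, expected {nbma}")
    # Dynamic entries close to the end of their holdtime; the router's own
    # 'local' entry is skipped because it is refreshed by the router itself.
    expiring = [e["prefix"] for e in entries
                if e["expire"] is not None and e["expire"] < warn_below
                and "local" not in e["flags"]]
    return {"problems": problems, "expiring_soon": expiring}


if __name__ == "__main__":
    cache = parse_show_ip_nhrp(SAMPLE)
    print(check_spoke_cache(cache, {"10.0.1.1": "172.16.1.1", "10.0.2.1": "172.26.1.1"}))
```

With the article's mappings the check returns no problems and lists 10.0.2.2/32 as expiring within 30 seconds (it is a dynamic spoke-to-spoke entry that is renewed by traffic); passing a wrong NBMA address such as 192.0.2.1 for 10.0.2.1 makes the static-mapping mismatch show up in the problems list.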

Adding IPSec

For simplicity, we will use pre-shared keys for IKE Phase 1 authentication. For maximum scalability, X.509 digital certificates and PKI must be used. For IKE Phase 2, we use IPSec profiles bound to the tunnel interfaces with the tunnel protection ipsec profile <profile-name> [shared] command. The shared keyword is needed on the Branch routers because the two mGRE tunnel interfaces use the same tunnel source (Serial 0/0). All traffic passing through the tunnel is protected by IPSec.

Since mGRE already adds a new IP header, IPSec transport mode is used. The IPSec configuration on all routers is as follows:

IPSec Configuration on Primary router

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
 mode transport
!
crypto ipsec profile DMVPN
 set transform-set TS
!
interface Tunnel 11
 ....
 tunnel protection ipsec profile DMVPN

IPSec Configuration on Backup router

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
 mode transport
!
crypto ipsec profile DMVPN
 set transform-set TS
!
interface Tunnel 22
 ....
 tunnel protection ipsec profile DMVPN

All Branch routers share the same IPSec configuration.

IPSec Configuration on Branch routers

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
 mode transport
!
crypto ipsec profile DMVPN
 set transform-set TS
!
interface Tunnel 11
 ....
 tunnel protection ipsec profile DMVPN shared
!
interface Tunnel 22
 ....
 tunnel protection ipsec profile DMVPN shared

Since all Branch routers send mGRE-encapsulated EIGRP Hello multicast packets towards the Hub routers over both tunnels, ISAKMP negotiations start between the Branch routers and the Hub routers.

Both the Branch and the Hub routers create an IPSec SA for the GRE protocol (IP protocol number 47).

Spoke3# show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
172.26.1.1      172.56.1.1      QM_IDLE           1002    0 ACTIVE
172.16.1.1      172.56.1.1      QM_IDLE           1001    0 ACTIVE
IPv6 Crypto ISAKMP SA
Spoke3# show crypto ipsec sa
interface: Tunnel11
    Crypto map tag: DMVPN-head-1, local addr 172.56.1.1
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.56.1.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (172.26.1.1/255.255.255.255/47/0)
   current_peer 172.26.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 76, #pkts encrypt: 76, #pkts digest: 76
    #pkts decaps: 77, #pkts decrypt: 77, #pkts verify: 77
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0
     local crypto endpt.: 172.56.1.1, remote crypto endpt.: 172.26.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0
     current outbound spi: 0x6D677A69(1835498089)
     inbound esp sas:
      spi: 0x171FDA10(387963408)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Transport, }
        conn id: 3, flow_id: SW:3, crypto map: DMVPN-head-1
        sa timing: remaining key lifetime (k/sec): (4437345/3357)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x6D677A69(1835498089)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Transport, }
        conn id: 4, flow_id: SW:4, crypto map: DMVPN-head-1
        sa timing: remaining key lifetime (k/sec): (4437345/3357)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     outbound ah sas:
     outbound pcp sas:
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.56.1.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (172.16.1.1/255.255.255.255/47/0)
   current_peer 172.16.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 75, #pkts encrypt: 75, #pkts digest: 75
    #pkts decaps: 77, #pkts decrypt: 77, #pkts verify: 77
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 172.56.1.1, remote crypto endpt.: 172.16.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0
     current outbound spi: 0xB4509812(3025180690)
     inbound esp sas:
      spi: 0xEF9D4CCB(4020063435)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Transport, }
        conn id: 1, flow_id: SW:1, crypto map: DMVPN-head-1
        sa timing: remaining key lifetime (k/sec): (4569056/3351)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0xB4509812(3025180690)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Transport, }
        conn id: 2, flow_id: SW:2, crypto map: DMVPN-head-1
        sa timing: remaining key lifetime (k/sec): (4569056/3351)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     outbound ah sas:
     outbound pcp sas:
interface: Tunnel22
    Crypto map tag: DMVPN-head-1, local addr 172.56.1.1
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.56.1.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (172.26.1.1/255.255.255.255/47/0)
   current_peer 172.26.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 76, #pkts encrypt: 76, #pkts digest: 76
    #pkts decaps: 77, #pkts decrypt: 77, #pkts verify: 77
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0
     local crypto endpt.: 172.56.1.1, remote crypto endpt.: 172.26.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0
     current outbound spi: 0x6D677A69(1835498089)
     inbound esp sas:
      spi: 0x171FDA10(387963408)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Transport, }
        conn id: 3, flow_id: SW:3, crypto map: DMVPN-head-1
        sa timing: remaining key lifetime (k/sec): (4437345/3357)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x6D677A69(1835498089)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Transport, }
        conn id: 4, flow_id: SW:4, crypto map: DMVPN-head-1
        sa timing: remaining key lifetime (k/sec): (4437345/3357)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     outbound ah sas:
     outbound pcp sas:
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.56.1.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (172.16.1.1/255.255.255.255/47/0)
   current_peer 172.16.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 75, #pkts encrypt: 75, #pkts digest: 75
    #pkts decaps: 77, #pkts decrypt: 77, #pkts verify: 77
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 172.56.1.1, remote crypto endpt.: 172.16.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0
     current outbound spi: 0xB4509812(3025180690)
     inbound esp sas:
      spi: 0xEF9D4CCB(4020063435)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Transport, }
        conn id: 1, flow_id: SW:1, crypto map: DMVPN-head-1
        sa timing: remaining key lifetime (k/sec): (4569056/3351)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0xB4509812(3025180690)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Transport, }
        conn id: 2, flow_id: SW:2, crypto map: DMVPN-head-1
        sa timing: remaining key lifetime (k/sec): (4569056/3351)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     outbound ah sas:
     outbound pcp sas:

When Branch3 router sends packets to 192.168.1.0/24, the network connected to Branch1 router, Branch3 router first resolves the next-hop using NHRP Resolution Request packets. The NHS replies with the correct mapping: NBMA address 172.36.1.1 for tunnel IP address 10.0.1.2. Branch3 router then sends the packets directly to Branch1 router, which triggers ISAKMP negotiation with NBMA address 172.36.1.1 and results in an IPSec SA for the IP address pair 172.56.1.1, 172.36.1.1 and GRE protocol (47). In the output below this new spoke-to-spoke SA shows up as peer 172.36.1.1, with far lower packet counts than the two established Hub SAs.

Spoke3# show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
172.56.1.1      172.36.1.1      QM_IDLE           1003    0 ACTIVE
172.26.1.1      172.56.1.1      QM_IDLE           1002    0 ACTIVE
172.36.1.1      172.56.1.1      QM_IDLE           1004    0 ACTIVE
172.16.1.1      172.56.1.1      QM_IDLE           1001    0 ACTIVE
IPv6 Crypto ISAKMP SA
Spoke3# show crypto ipsec sa
interface: Tunnel11
    Crypto map tag: DMVPN-head-1, local addr 172.56.1.1
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.56.1.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (172.26.1.1/255.255.255.255/47/0)
   current_peer 172.26.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 150, #pkts encrypt: 150, #pkts digest: 150
    #pkts decaps: 151, #pkts decrypt: 151, #pkts verify: 151
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0
     local crypto endpt.: 172.56.1.1, remote crypto endpt.: 172.26.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0
     current outbound spi: 0x6D677A69(1835498089)
     inbound esp sas:
      spi: 0x171FDA10(387963408)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Transport, }
        conn id: 3, flow_id: SW:3, crypto map: DMVPN-head-1
        sa timing: remaining key lifetime (k/sec): (4437335/3078)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x6D677A69(1835498089)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Transport, }
        conn id: 4, flow_id: SW:4, crypto map: DMVPN-head-1
        sa timing: remaining key lifetime (k/sec): (4437336/3078)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     outbound ah sas:
     outbound pcp sas:
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.56.1.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (172.36.1.1/255.255.255.255/47/0)
   current_peer 172.36.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 172.56.1.1, remote crypto endpt.: 172.36.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0
     current outbound spi: 0x665BD18E(1717293454)
     inbound esp sas:
      spi: 0xDED5217E(3738509694)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Transport, }
        conn id: 7, flow_id: SW:7, crypto map: DMVPN-head-1
        sa timing: remaining key lifetime (k/sec): (4477180/3502)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x665BD18E(1717293454)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Transport, }
        conn id: 8, flow_id: SW:8, crypto map: DMVPN-head-1
        sa timing: remaining key lifetime (k/sec): (4477180/3502)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     outbound ah sas:
     outbound pcp sas:
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.56.1.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (172.16.1.1/255.255.255.255/47/0)
   current_peer 172.16.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 156, #pkts encrypt: 156, #pkts digest: 156
    #pkts decaps: 157, #pkts decrypt: 157, #pkts verify: 157
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 172.56.1.1, remote crypto endpt.: 172.16.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0
     current outbound spi: 0xB4509812(3025180690)
     inbound esp sas:
      spi: 0xEF9D4CCB(4020063435)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Transport, }
        conn id: 1, flow_id: SW:1, crypto map: DMVPN-head-1
        sa timing: remaining key lifetime (k/sec): (4569045/3072)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0xB4509812(3025180690)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Transport, }
        conn id: 2, flow_id: SW:2, crypto map: DMVPN-head-1
        sa timing: remaining key lifetime (k/sec): (4569046/3072)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     outbound ah sas:
     outbound pcp sas:
interface: Tunnel22
    Crypto map tag: DMVPN-head-1, local addr 172.56.1.1
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.56.1.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (172.26.1.1/255.255.255.255/47/0)
   current_peer 172.26.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 150, #pkts encrypt: 150, #pkts digest: 150
    #pkts decaps: 151, #pkts decrypt: 151, #pkts verify: 151
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0
     local crypto endpt.: 172.56.1.1, remote crypto endpt.: 172.26.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0
     current outbound spi: 0x6D677A69(1835498089)
     inbound esp sas:
      spi: 0x171FDA10(387963408)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Transport, }
        conn id: 3, flow_id: SW:3, crypto map: DMVPN-head-1
        sa timing: remaining key lifetime (k/sec): (4437335/3078)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x6D677A69(1835498089)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Transport, }
        conn id: 4, flow_id: SW:4, crypto map: DMVPN-head-1
        sa timing: remaining key lifetime (k/sec): (4437336/3078)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     outbound ah sas:
     outbound pcp sas:
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.56.1.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (172.36.1.1/255.255.255.255/47/0)
   current_peer 172.36.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 172.56.1.1, remote crypto endpt.: 172.36.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0
     current outbound spi: 0x665BD18E(1717293454)
     inbound esp sas:
      spi: 0xDED5217E(3738509694)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Transport, }
        conn id: 7, flow_id: SW:7, crypto map: DMVPN-head-1
        sa timing: remaining key lifetime (k/sec): (4477180/3502)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x665BD18E(1717293454)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Transport, }
        conn id: 8, flow_id: SW:8, crypto map: DMVPN-head-1
        sa timing: remaining key lifetime (k/sec): (4477180/3502)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     outbound ah sas:
     outbound pcp sas:
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.56.1.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (172.16.1.1/255.255.255.255/47/0)
   current_peer 172.16.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 156, #pkts encrypt: 156, #pkts digest: 156
    #pkts decaps: 157, #pkts decrypt: 157, #pkts verify: 157
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 172.56.1.1, remote crypto endpt.: 172.16.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0
     current outbound spi: 0xB4509812(3025180690)
     inbound esp sas:
      spi: 0xEF9D4CCB(4020063435)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Transport, }
        conn id: 1, flow_id: SW:1, crypto map: DMVPN-head-1
        sa timing: remaining key lifetime (k/sec): (4569045/3072)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0xB4509812(3025180690)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Transport, }
        conn id: 2, flow_id: SW:2, crypto map: DMVPN-head-1
        sa timing: remaining key lifetime (k/sec): (4569046/3072)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     outbound ah sas:
     outbound pcp sas:
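As an added example (not code from the article), a small Python parser for the `show crypto ipsec sa` output above that confirms the spoke-to-spoke SA to 172.36.1.1 has come up and passed traffic both ways, and flags peers still negotiating the legacy esp-3des/esp-md5-hmac transform set. The embedded sample is a constructed excerpt of that output.

```python
import re

# Constructed excerpt in the format of the "show crypto ipsec sa" output above.
SAMPLE = """\
interface: Tunnel11
    Crypto map tag: DMVPN-head-1, local addr 172.56.1.1
   protected vrf: (none)
   remote ident (addr/mask/prot/port): (172.26.1.1/255.255.255.255/47/0)
   current_peer 172.26.1.1 port 500
    #pkts encaps: 150, #pkts encrypt: 150, #pkts digest: 150
    #pkts decaps: 151, #pkts decrypt: 151, #pkts verify: 151
     inbound esp sas:
        transform: esp-3des esp-md5-hmac ,
        Status: ACTIVE
   remote ident (addr/mask/prot/port): (172.36.1.1/255.255.255.255/47/0)
   current_peer 172.36.1.1 port 500
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
     inbound esp sas:
        transform: esp-3des esp-md5-hmac ,
        Status: ACTIVE
"""

# Transforms that should be migrated to AES / SHA-2 based suites.
LEGACY = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}

def parse_ipsec_sa(text):
    """Return {(interface, peer): {encaps, decaps, transforms, active}}."""
    sas, iface, cur = {}, None, None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("interface:"):
            iface = s.split(":", 1)[1].strip()
        elif s.startswith("current_peer"):
            peer = s.split()[1]
            cur = sas.setdefault((iface, peer), {"encaps": 0, "decaps": 0,
                                                 "transforms": set(), "active": False})
        elif cur is None:
            continue                       # header lines before the first peer block
        elif s.startswith("#pkts encaps:"):
            cur["encaps"] = int(re.search(r"encaps: (\d+)", s).group(1))
        elif s.startswith("#pkts decaps:"):
            cur["decaps"] = int(re.search(r"decaps: (\d+)", s).group(1))
        elif s.startswith("transform:"):
            cur["transforms"].update(s[len("transform:"):].replace(",", " ").split())
        elif s.startswith("Status:"):
            cur["active"] = cur["active"] or s.endswith("ACTIVE")
    return sas

def spoke_to_spoke_sa(sas, iface, peer):
    """True if an ACTIVE SA to `peer` exists under `iface` and carried traffic both ways."""
    sa = sas.get((iface, peer))
    return bool(sa and sa["active"] and sa["encaps"] > 0 and sa["decaps"] > 0)

def legacy_transforms(sas):
    """Peers whose SAs still use a transform from LEGACY, sorted for stable reporting."""
    return sorted({peer for (_, peer), sa in sas.items() if sa["transforms"] & LEGACY})
```

Running `parse_ipsec_sa` over the full output of both tunnels lists the same three peers under Tunnel11 and Tunnel22, because one crypto map is shared by both mGRE interfaces.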