Implementation of Dynamic Multipoint VPN

This document describes a thesis that implements Dynamic Multipoint VPN over IPsec for a secure enterprise network. The thesis was submitted by Towhidul Alam and Kawsar Hamid to the Department of Electronic and Telecommunications Engineering at the International Islamic University Chittagong in partial fulfillment of the requirements for a Bachelor of Science degree. The thesis proposes using DMVPN technology with HSRP protocols to improve availability and remote access for a secure enterprise network infrastructure. DMVPN uses multipoint GRE over IPSec to reliably secure data transmission across the enterprise network. The simulation was conducted using GNS3 and packet capture software to test the implementation.


BACHELOR OF SCIENCE IN ELECTRONIC AND

TELECOMMUNICATIONS ENGINEERING

Implementation of Dynamic Multipoint VPN over IPsec for Secure Enterprise Network

Supervised by

Abu Zafar Md. Imran

Lecturer

Department of Electronic and Telecommunications Engineering, IIUC

Submitted by

Towhidul Alam (T-141023)

Kawsar Hamid (T-123036)

Department of Electronic and Telecommunications Engineering

International Islamic University Chittagong, Kumira, Sitakunda, Chittagong – 4318


Certificate of Approval

The thesis entitled "IMPLEMENTATION OF DYNAMIC MULTIPOINT VPN OVER IPSEC FOR
SECURE ENTERPRISE NETWORK", submitted by Towhidul Alam and Kawsar Hamid bearing
ID No. T-141023 and ID No. T-123036, to the Department of Electronic and
Telecommunications Engineering (ETE) of International Islamic University
Chittagong (IIUC), has been accepted as satisfactory for the partial fulfillment
of the requirements for the Degree of Bachelor in Electronics and
Telecommunications Engineering, and approved as to its style and contents for the
examination held on 09th July 2018.

Approved By-

Abu Zafar Md. Imran

Supervisor

Lecturer

Department of Electronics and Telecommunications Engineering, International
Islamic University Chittagong

Declaration

It is hereby declared that the work presented herein is genuine work done by us
and has not been concurrently submitted in candidature for any degree. The
results of this thesis depend entirely on our own investigation and work.

This work was done under the guidance of Abu Zafar Md. Imran, Lecturer of
Electronic and Telecommunications Engineering, International Islamic University
Chittagong.

Towhidul Alam Kawsar Hamid

Abstract

The purpose of this thesis is to improve the availability and remote access of a
secure enterprise network infrastructure by using dual hub, dual DMVPN (Dynamic
Multipoint VPN). Using multipoint GRE (mGRE) over IPsec, the data transmission
of the enterprise network is reliably secured. DMVPN is a technology that
combines several protocol concepts, such as IPsec encryption, the Next Hop
Resolution Protocol (NHRP) and Generic Routing Encapsulation (GRE), and provides
dynamic and static IPsec tunnels from spoke to hub and from spoke to spoke. In
this thesis we apply the DMVPN technique to construct a secure enterprise
network for an enterprise organization, and use the Hot Standby Router Protocol
(HSRP) to overcome network failure. The simulation was done with GNS3 and
packets were captured with Wireshark. The test results show that DMVPN combined
with HSRP meets the real needs of an enterprise network: it offers a fast,
convenient and practical way to build a secure and reliable network with high
uptime.

Acknowledgement

In the name of Allah, the most Beneficent and the most Merciful

First of all we start by thanking Allah, the Almighty, for boundless grace that
gave us the patience and sincerity to bring this thesis to a successful end.

We would like to thank our supervisor Abu Zafar Md. Imran for his continuous
guidance and advice, which enabled us to finish the entire thesis work
successfully. While we worked, he was a sincere mentor in doing quality research
from the very beginning. He kept us focused on our thesis and helped us improve
its quality by giving invaluable feedback.

We would like to thank all faculty members and staff of the Department of Electronic
and Telecommunications Engineering, IIUC for their generous help in various ways
for the completion of this thesis.

An endeavor of this caliber required a lot of support and we would like to proudly
mention that our family kept their support for us all the way. We have to thank our
parents and families for being extremely supportive while we were doing this work.

Table of Contents

Certificate of Approval i

Declaration ii

Abstract iii

Acknowledgement iv

Table of Contents v

List of Figures ix

List of Tables xii

List of Abbreviation xiii

Chapter1: Introduction 1

1.1 Background 1

1.2 Goal and Motivation 3

1.2.1 Goal 3

1.2.2 Motivation 3

1.3 Objectives 3

1.4 Thesis Overview 4

Chapter 2: Literature Review 6

2.1 Introduction 6

2.2 Background of DMVPN 7

2.3 DMVPN in the view of enterprise 8

2.3.1 Hub-spoke topology for enterprise 9

2.3.2 Limitation of DMVPN 10

2.4 Routing protocols of DMVPN 11

2.4.1 Routing protocols Authentication 13

2.5 HOT Standby Router protocol(HSRP) 14

2.5.1 Members of HSRP Group 15

Chapter 3: DMVPN Technologies 16

3.1 Dynamic Multipoint Virtual Private Network 16

3.2 DMVPN Technologies 17

3.2.1 Next Hop Resolution Protocol(NHRP) 17

3.2.2 Multipoint Generic Routing Encapsulation(mGRE) 19

3.2.3 IP based Routing Protocol 20

Chapter 4: Threat Analysis of VPN 23

4.1 Disadvantage of VPN 23

4.1.1 Costly 23

4.1.2 poor connection 23

4.1.3 Not Reliable 23

4.1.4 More complex 23

4.2 Administrative Fault 24

4.3 Problem faced in Enterprise Network 25

4.4 VPN against DMVPN Solution 26

Chapter 5: Simulation and simulator Parameter 28

5.1 Why Simulator? 28

5.2 Simulator 28

5.2.1 Graphical Network Simulator(GNS3) 28

5.2.2 Wire shark 28

5.3 Design and Analysis in GNS3 29

5.4 Resulting Parameter 29

5.4.1 Latency 29

5.4.2 Throughput 30

5.4.3 Response Time 30

Chapter 6: Network Design And System Procedure 32

6.1 Requirement and Solution 32

6.2 Designing Scheme 33

6.2.1 Implementation Mechanism 33

6.3 Network Topology 35

6.3.1 Headquarter End Topology 36

6.3.2A Interface setting command of IPsec Profile for Headquarter End 37

6.3.3B Interface setting command of IPsec Profile For Headquarter End 38

6.3.4 C Interface setting command of HSRP For Headquarter End 39

6.4 Branches End Topology 40

6.4.1 A Interface setting command of IPsec Profile For Branch End 41

6.4.2 B Interface setting command of NHRP Profile For Branches End 42

6.4.3 Hot stand-by routing protocols Interface Command 43

6.5 ICMP And I/O Graph Of Primary Router 44

6.5.1 ICMP And I/O Graph Of Secondary Router 45

Chapter 7: Result Analysis 47

7.1 Throughput data Analysis 47

7.1.1 Throughput Graph 47

7.2 Response Time data Analysis 48

7.3 Comparison Table 49

7.4 Crypto ESP format analysis 51

7.5 Characteristic Of HSRP 53

Chapter 8 : Conclusion 54

Reference 55

Appendix 57

List of Figure

Figure 2.1 A simplified HUB-SPOKE Topology 9

Figure 3.1 A DMVPN Topology 17

Figure 3.2 NHRP and mGRE addressing 19

Figure 3.3 GRE packet formatting 20

Figure 5.1 Network design procedure on GNS3 29

Figure 6.1 Network Topology for Enterprise 35

Figure 6.2 Headquarter End Topology 37

Figure 6.3 (a) Primary Router IPsec Profile Setting Command

(b) Secondary Router IPsec profile 38

Figure 6.4 (a) Primary Router IPsec Profile setting command

(b) Secondary Router IPsec Profile 39

Figure 6.5 (a) Primary Router HSRP (b) Secondary Router HSRP 40

Figure 6.6 Branches End Topology 40

Figure 6.7 (a) Branch 1 IPsec Profile (b)Branch 2 IPsec Profile 41

Figure 6.8 (a) Branch 2 two NHRP Profile (b) Branch 2 two NHRP Profile 42

Figure 6.9 (a) Primary Router HSRP (b)Secondary Router HSRP 43

Figure 6.10 Ping Result of Branch One Against Primary Router 44

Figure 6.11 I/O Graph of Primary Router Interface 45

Figure 6.12 Ping Result of Branch One Against Secondary Router 46

Figure 6.13 I/O Graph of Secondary Router Interface 46

Figure 7.1 Throughput Graph 47

Figure 7.2 Crypto ESP format of Branch 1 to Primary router 51

Figure 7.3 Crypto ESP format of Branch 2 to Primary router 52

Figure 7.4 Crypto format of Branch to Branch communication 53

Figure 7.5 The HSRP Characteristic 53

List of Tables

Table 2.1 Routing Protocol of DMVPN 12

Table 3.1 Dynamic Routing Protocols 22

Table 7.1 Average Throughput Result 47

Table 7.2 Average Response Time Result 48

Table 7.3 Comparison Table 50

List of Abbreviation

AH Authentication Header

DV Distance Vector

DMVPN Dynamic Multipoint VPN

EIGRP Enhanced Interior Gateway Routing Protocol

ESP Encapsulating Security Payload

GRE Generic Routing Encapsulation

GNS3 Graphical Network Simulator 3 (software)

HSRP Hot Standby Router Protocol

IP Internet Protocol

IGP Interior Gateway Protocol

ISP Internet Service Provider

IGRP Interior Gateway Routing Protocol

OSPF Open Shortest Path First

IPSEC Internet Protocol Security

NHRP Next Hop Resolution Protocol

VPN Virtual Private Network

PPTP Point-to-Point Tunneling Protocol

LS Link State

Chapter 1

INTRODUCTION

1.1 Background

Today computer networks are essential to the operation of most companies and
institutions. They provide a range of services and access to shared resources
across departments and workgroups; such networks are called enterprise
networks.

Basic networking protocols and mechanisms do not protect against attacks such as
wiretapping and data modification. Network security is a key concern because
malicious activity on networks keeps growing. Security covers several aspects:
authentication, integrity, non-repudiation and confidentiality. The authors
chose to examine confidentiality, because data is exchanged between corporate
headquarters (HQ) and remote branches (RB), business partners, customers or
contractors over public networks (the Internet). Data confidentiality is vital
for an organization with many branches operating across the country or the
world.

Enterprises use different techniques to build a secure network between the
headquarters and its many branches in order to carry information and share data
and applications. For secure communication most companies use traditional
leased lines to connect remote users and branches. Leased lines, however, are
expensive to plan and take a large amount of time and money to install and
activate. Enterprises are large and their branches are spread across the
country, and customers and employees constantly demand secure data
transmission and an available network. Many enterprises therefore use VPN
techniques to build a secure network across regions. But a plain IPsec VPN does
not support dynamic routing, and with a traditional VPN the networking and its
expansion are cumbersome, while maintenance and operation costs are high. [1]

When designing an enterprise network it must be ensured that data transmission
is secure, that maintenance and operation costs are minimized, and that the
connection between headquarters and branches is always available. For this
purpose we design an enterprise network using DMVPN over IPsec to establish a
secure network, and use the Hot Standby Router Protocol (HSRP) to ensure that
the network is not interrupted by connection loss and is always available for
reaching each destination.

Dynamic Multipoint VPN (DMVPN) is based on a combination of techniques that
provide the ability to build IPsec tunnels dynamically, hub to spoke and spoke
to spoke. These technologies are Multipoint Generic Routing Encapsulation
(mGRE), the Next Hop Resolution Protocol (NHRP), a dynamic routing protocol
(EIGRP) and dynamic IPsec encryption. [2]

In the enterprise's DMVPN network the authors treat the headquarters as the
server (hub) and the branch offices as the clients (spokes). The two hubs are
connected to a cloud (the Internet), across which the tunnels are created, and
the branches connect to the headquarters over the Internet.

In the authors' view the DMVPN network contains a certain number of branches,
and the DMVPN headquarters is introduced as the management station. The
transmission tunnels between the headquarters and the branches form a logical
structure of connection links; the basic function of the hub (tunnel broker) is
to enable communication between branches by informing them of the tunnel
parameters. A tunnel between branches and the headquarters exists dynamically,
for the duration of the transmission only, so the logical structure is subject
to continuous modification. Branches can forward requests for the tunnel
parameters of other branches to one of several known servers, which gives
tunnel-broker redundancy. There is a primary and a secondary server (hub) in
the headquarters group. If the primary hub's link goes down or is cut, the
branches continue to communicate with the headquarters through the secondary
hub until the primary hub is repaired.

1.2 Goal and Motivation

1.2.1 Goal

• To ensure secure transmission of data for the enterprise.

• Simple provisioning: adding a new spoke (branch) requires no configuration
change on the hub (HQ server) or on the other spokes (branches).

• To ensure remote access connectivity.

• DMVPN solves the problems of dynamic spoke IP addresses and NAT translation.

• Using dual hub, dual DMVPN with HSRP reduces the availability problem.

• Using HSRP to keep network resources reachable (up time) when one hub router
fails.

1.2.2 Motivation

Traditional VPNs and leased lines are costly and take a long time to install
when setting up an enterprise network for business purposes, whereas DMVPN is a
more secure and faster communication and remote-access technology for a
business-chain organization. Whenever an organization needs to set up a branch
anywhere, DMVPN is the fastest way to connect it to the centre. The Hot Standby
Router Protocol is used for redundancy; with HSRP, clients and customers have
an always-on connection to their destination end.

1.3 Objective

The purpose of this work is to improve the availability and remote access of a
secure enterprise network infrastructure by using dual hub, dual DMVPN (Dynamic
Multipoint VPN). Using multipoint GRE (mGRE) over IPsec, the data transmission
of the enterprise network is reliably secured. The objectives of this thesis
are:

• To study the working principles of Dynamic Multipoint VPN.

• To implement a secure enterprise network based on a dual hub, dual DMVPN
"hub to spoke" and "spoke to spoke" network topology.

• To configure and simulate the EIGRP routing protocol with the required
simulator.

• To design and configure DMVPN over IPsec to ensure data integrity and
confidentiality.

• To analyze the dual hub, dual DMVPN technique with respect to latency.

• To configure the Hot Standby Router Protocol (HSRP) to ensure the
availability of the network.

• To create a distributed NHRP mapping database of all the spoke tunnel
addresses to real (public interface) addresses. IPsec is triggered through
"tunnel protection": NHRP triggers IPsec before installing new mappings, IPsec
notifies NHRP when encryption is ready, NHRP then installs the mappings and
sends a registration if needed, and NHRP and IPsec notify each other when a
mapping or security association (SA) is cleared.
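The last objective describes an ordering that is easy to get wrong when reasoning about DMVPN: a spoke must not install an NHRP mapping (and start sending traffic to a peer's public address) until IPsec has reported that the SA to that peer is up, and a mapping must go away when its SA is cleared. The following Python model of that interplay is an added example, not code from the thesis or from Cisco IOS: the hub is the next-hop server holding tunnel-IP to NBMA-IP registrations, each spoke has a local cache and a stand-in IPsec engine, and the addresses, "reachable" sets and event strings are constructed for the demo. Real IKE negotiation and NHRP packet formats are not modelled.

```python
from dataclasses import dataclass, field


@dataclass
class IPsecEngine:
    """Stand-in for the router's IPsec process (what 'tunnel protection' drives).
    It knows which public (NBMA) peers IKE can reach and which SAs are up."""
    reachable: set = field(default_factory=set)   # NBMA peers IKE can negotiate with
    sas: set = field(default_factory=set)         # NBMA peers with an SA currently up

    def trigger(self, peer_nbma):
        """NHRP asks for an SA to peer_nbma. True once the SA is ready."""
        if peer_nbma in self.reachable:
            self.sas.add(peer_nbma)
            return True
        return False

    def clear(self, peer_nbma):
        self.sas.discard(peer_nbma)


@dataclass
class Hub:
    """NHRP next-hop server: tunnel IP -> NBMA (public) IP registrations."""
    tunnel_ip: str
    nbma_ip: str
    nhrp_db: dict = field(default_factory=dict)

    def register(self, tunnel_ip, nbma_ip):
        self.nhrp_db[tunnel_ip] = nbma_ip

    def resolve(self, tunnel_ip):
        return self.nhrp_db.get(tunnel_ip)


@dataclass
class Spoke:
    tunnel_ip: str
    nbma_ip: str
    ipsec: IPsecEngine
    cache: dict = field(default_factory=dict)    # local NHRP cache
    events: list = field(default_factory=list)   # ordered log of what happened

    def install(self, tunnel_ip, nbma_ip):
        """NHRP installs a mapping only after IPsec reports the SA ready."""
        self.events.append(f"nhrp: trigger ipsec to {nbma_ip}")
        if not self.ipsec.trigger(nbma_ip):
            self.events.append(f"ipsec: no SA to {nbma_ip}, mapping not installed")
            return False
        self.events.append(f"ipsec: SA to {nbma_ip} ready")
        self.cache[tunnel_ip] = nbma_ip
        self.events.append(f"nhrp: mapping {tunnel_ip} -> {nbma_ip} installed")
        return True

    def register(self, hub):
        """Spoke-to-hub: bring up the SA first, then send the NHRP registration."""
        if self.install(hub.tunnel_ip, hub.nbma_ip):
            hub.register(self.tunnel_ip, self.nbma_ip)
            self.events.append(f"nhrp: registered with hub {hub.tunnel_ip}")
            return True
        return False

    def next_hop(self, hub, dst_tunnel_ip):
        """NBMA address a packet for dst_tunnel_ip is sent to: direct if a
        spoke-to-spoke mapping exists or can be installed, otherwise the hub."""
        if dst_tunnel_ip in self.cache:
            return self.cache[dst_tunnel_ip]
        nbma = hub.resolve(dst_tunnel_ip)
        self.events.append(f"nhrp: resolution {dst_tunnel_ip} -> {nbma}")
        if nbma and self.install(dst_tunnel_ip, nbma):
            return nbma
        return self.cache.get(hub.tunnel_ip)   # fall back to the hub-to-spoke path

    def sa_cleared(self, nbma_ip):
        """IPsec tells NHRP the SA is gone: drop every mapping that used it."""
        self.ipsec.clear(nbma_ip)
        for t, n in list(self.cache.items()):
            if n == nbma_ip:
                del self.cache[t]
                self.events.append(f"nhrp: mapping {t} -> {n} cleared")


def demo():
    """Constructed topology (not the thesis's): one hub, three spokes. Spoke 1 can
    reach spoke 3 with IKE but not spoke 2 (e.g. a filter in between), so traffic
    to spoke 2 must keep going via the hub."""
    hub = Hub("10.0.0.1", "203.0.113.1")
    s1 = Spoke("10.0.0.11", "198.51.100.11",
               IPsecEngine(reachable={"203.0.113.1", "198.51.100.13"}))
    s2 = Spoke("10.0.0.12", "198.51.100.12", IPsecEngine(reachable={"203.0.113.1"}))
    s3 = Spoke("10.0.0.13", "198.51.100.13", IPsecEngine(reachable={"203.0.113.1"}))
    for s in (s1, s2, s3):
        s.register(hub)
    direct = s1.next_hop(hub, "10.0.0.13")    # spoke-to-spoke tunnel comes up
    via_hub = s1.next_hop(hub, "10.0.0.12")   # IPsec fails -> stays via the hub
    s1.sa_cleared("198.51.100.13")            # SA torn down -> mapping removed
    return direct, via_hub, "10.0.0.13" in s1.cache, s1.events


if __name__ == "__main__":
    direct, via_hub, still_cached, events = demo()
    print("to spoke3 via", direct, "| to spoke2 via", via_hub, "| cached after clear:", still_cached)
    print("\n".join(events))
```

The event log printed by `demo()` is the point of the model: every "mapping installed" line is preceded by an "SA ready" line, and the spoke whose IPsec negotiation fails never gets a direct mapping and keeps using the hub.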

1.4 Thesis Overview

Chapter 1: Introduction.

Chapter 2: Literature review: background of DMVPN, DMVPN from the enterprise's
point of view, hub-spoke topology for the enterprise, limitations of DMVPN,
routing protocols of DMVPN, the Hot Standby Router Protocol (HSRP) and the
members of an HSRP group.

Chapter 3: DMVPN technologies: a short overview of Dynamic Multipoint VPN, the
Next Hop Resolution Protocol, multipoint Generic Routing Encapsulation and
IP-based routing protocols.

Chapter 4: Threat analysis of VPN: a short overview of its disadvantages,
administrative faults of virtual private networks, some problems faced by VPN in
an enterprise network, and an overview of VPN against the DMVPN solution.

Chapter 5: Simulation and simulator parameters: why simulation is needed, an
overview of Graphical Network Simulator 3, a short overview of Wireshark and of
the resulting parameters.

Chapter 6: Network design: requirements and solution for the DMVPN network, the
design scheme of our work, the implementation mechanism, the network topology
and the necessary commands and figures.

Chapter 7: Result analysis of our work, with the necessary graphs and tables.

Chapter 8: Conclusion

References

Chapter 2

Literature Review

2.1 Introduction

In recent years online services have become increasingly popular. They allow
people to do business, publish information and share knowledge. As the scale of
enterprise operations grows, branches spread across the whole country and
customers and partners keep increasing, so the enterprise's demand for secure
transmission of information rises as well. The traditional network mode, in
which private connections between fixed locations are set up to link sites, can
no longer meet the needs of today's business activity. Therefore many
enterprises use new networking methods and hardware to interconnect headquarters
and branches into a secure enterprise network and to deliver the enterprise's
services and information resources over it. There are many ways to build an
enterprise network across different locations, for example paying for Frame
Relay, private lines, ATM links and so on, but the lease for these
telecommunication media is expensive [3]. With the introduction of the VPN
(Virtual Private Network) technique, more and more enterprises adopt it to build
secure enterprise networks across different locations.

By means of VPN, enterprises obtain a highly secure network with the performance
characteristics and network management required for remote branch offices at
large distances. The newest VPN solution is the Cisco standard Dynamic
Multipoint VPN (DMVPN) [4]. It is an enhanced VPN form based on a configuration
on Cisco routers. The process of establishing IPsec VPN tunnels stays the same
and is standard-defined; only the configuration has changed. Remote branch
offices (spokes) have a permanent IPsec tunnel to the headquarters, but not to
the other spokes.

2.2 Background OF DMVPN

Organizations may need to interconnect many sites to a primary site, and
perhaps to each other, over the Internet while encrypting the traffic to
protect it. For instance, a group of retail stores that need to connect to the
corporate headquarters for inventory and ordering may also need to connect with
other stores within the company to check product availability. Previously the
best way to make the connection was to use a Layer 2 network such as ISDN or
Frame Relay to interconnect everything. Setting up and paying for these
hard-wired connections for internal IP traffic can be tedious and expensive. If
most of the sites (including the main site) already have relatively inexpensive
Internet access, that Internet access can also be used for internal IP
communication between the stores and the central headquarters, using IPsec
tunnels to guarantee security and data integrity.

To build large IPsec networks that interconnect sites across the Internet, the
IPsec network must be able to scale. IPsec encrypts traffic between two
endpoints (peers), and the encryption is done by the two endpoints using a
shared secret. Since this secret is shared only between these two endpoints,
encrypted networks are inherently a collection of point-to-point links, and so
IPsec is inherently a point-to-point tunnel network. The most feasible way to
scale a large point-to-point network is to organize it into a hub-and-spoke or
a full (partial) mesh network. In many networks most of the IP traffic is
between the spokes and the hub and very little is between spokes, so the
hub-and-spoke design is often the best choice. This design also matches older
Frame Relay networks, where it was prohibitively expensive to pay for links
between all sites. The spokes are registered as clients with the NHRP (Next Hop
Resolution Protocol) server. When a spoke needs to send a packet to the subnet
of another spoke, it sends a request to the NHRP server for that spoke's real
(external) address. The dynamic IPsec tunnel is built up in this way, and the
spoke-to-spoke tunnel is realized by means of the mGRE interface.

When using the Internet as the interconnection between the hub and the spokes,
the spokes also have direct access to each other at no extra cost; however, it
has been very difficult, if not impossible, to set up and manage a full
(partial) mesh network. Full or partial mesh networks are often desirable
because there can be cost savings if spoke-to-spoke traffic goes directly
rather than via the hub. Spoke-to-spoke traffic traversing the hub consumes hub
resources and adds delay, particularly with IPsec encryption, since the hub must
decrypt the incoming packets from the sending spoke and then re-encrypt the
traffic to send it to the receiving spoke. Another case where direct
spoke-to-spoke traffic is useful is when two spokes are in the same city and the
hub is across the country.

2.3 DMVPN in the View of Enterprise

The Dynamic Multipoint VPN (DMVPN) technology is used to scale IPsec VPN
networks by offering a large-scale IPsec VPN deployment model that allows the
network to grow and reach its full potential. DMVPN offers the scalability that
enables zero-touch deployment models [5]. A DMVPN cloud is a collection of
routers configured with either a multipoint GRE (mGRE) interface or a
point-to-point (p2p) GRE interface (or a mix of the two) that share the same
address subnet. High availability is provided by a second hub router, which may
be on the same DMVPN subnet as the primary router; this is commonly referred to
as a single DMVPN cloud topology. The second hub router can also serve its own
DMVPN subnet, which is known as a dual DMVPN cloud topology [4]. A dual hub,
single DMVPN topology is generally not recommended, because it relies on
mechanisms outside the tunnel to determine the appropriate hub for failover. In
contrast, head ends using dual DMVPN subnets (dual DMVPN cloud topology) rely on
routing protocols running inside the tunnel to determine path selection.

Three main issues have been identified in the existing literature in relation to
backbone network security, namely data encryption, data isolation and the
transmission of dynamic routing entries. To address these issues, studies on
security protocols and technologies have been carried out, focusing on VPN,
IPsec and DMVPN and the roles they play in data isolation, data encryption and
routing information transmission respectively.

2.3.1 HUB – Spoke topology for enterprise

A hub-and-spoke topology is highly useful for organizations with a
headquarters/branches structure. A simplified topology is shown in Fig. 2.1,
illustrating the three sites in the design.

Figure 2.1: A simplified HUB-SPOKE topology. [2]

To ensure the confidentiality of transmitted data and routing information, each
site configures two protocols: IPsec and DMVPN. This structure is known as
DMVPN over IPsec. While IPsec is used to encrypt data at the third layer of the
TCP/IP model [7], DMVPN is used to build multipoint GRE (Generic Routing
Encapsulation) tunnels to exchange dynamic routing information. To ensure data
integrity and confidentiality, AH (Authentication Header) and ESP
(Encapsulating Security Payload) are defined as IPsec's basic structures
respectively. DMVPN combines the advantages of GRE with NHRP (Next Hop
Resolution Protocol), and is therefore a highly scalable VPN. Since in this
structure the routing information of the private network has to cross the ISP's
network in encrypted form, DMVPN over IPsec is needed to change the IP header
from broadcast to unicast. At the gateway, the device is configured so that one
virtual GRE tunnel carries the internal traffic, with all data encapsulated in
the GRE tunnel before being transmitted to the Internet. During this process a
GRE header is added to every packet, which turns a broadcast or multicast packet
into a unicast one. As Fig. 2.1 depicts, GRE uses the same link as IPsec. An
IPsec header is applied to encrypt all GRE data, but it is not capable of
changing the physical IP address, since IPsec needs a fixed IP address to build
the IPsec tunnel. Therefore, when DMVPN works with IPsec, the IP address of the
GRE tunnel is permanent. [6]
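To make the two-layer encapsulation just described concrete, here is an added Python example (not code from the thesis, and not Cisco's implementation) that builds a multicast routing packet, wraps it in a GRE header so that the outer packet is unicast, and then protects the GRE packet with transport-mode ESP as "tunnel protection" does. Everything an observer on the ISP link sees is the outer unicast header, the ESP SPI and sequence number; the GRE header and the multicast inner packet are inside the encrypted payload. The addresses, SPI and keys are constructed demo values, and the keystream (HMAC-SHA256 in counter mode) stands in for the AES transform a real ESP SA would negotiate through IKE; the ESP framing (SPI, sequence, padding, pad length, next header, ICV) follows RFC 4303.

```python
import hashlib
import hmac
import socket
import struct

GRE_PROTO, ESP_PROTO, EIGRP_PROTO, ETHERTYPE_IPV4 = 47, 50, 88, 0x0800


def ipv4_checksum(header):
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_packet(src, dst, proto, payload, ttl=64):
    """Minimal 20-byte IPv4 header (no options) followed by the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def gre_encapsulate(inner_ip_packet):
    """4-byte GRE header: no C/K/S flags, version 0, protocol type IPv4."""
    return struct.pack("!HH", 0, ETHERTYPE_IPV4) + inner_ip_packet


def gre_decapsulate(gre_packet):
    flags, proto = struct.unpack("!HH", gre_packet[:4])
    if flags != 0 or proto != ETHERTYPE_IPV4:
        raise ValueError("unsupported GRE header")
    return gre_packet[4:]


def _keystream(key, spi, seq, length):
    """Illustrative keystream (HMAC-SHA256 in counter mode, bound to SPI and
    sequence number). A stand-in for the AES transform of a real ESP SA."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, struct.pack("!IIQ", spi, seq, counter), hashlib.sha256).digest()
    return out[:length]


def esp_encapsulate(outer_src, outer_dst, gre_packet, spi, seq, enc_key, auth_key):
    """Transport-mode ESP around the GRE packet:
    outer IP (proto 50) | SPI | seq | enc(GRE | pad | pad_len | next_hdr=47) | ICV."""
    pad_len = (-(len(gre_packet) + 2)) % 4            # trailer aligned to 4 bytes
    plaintext = gre_packet + bytes(range(1, pad_len + 1)) + bytes([pad_len, GRE_PROTO])
    ks = _keystream(enc_key, spi, seq, len(plaintext))
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, ks))
    esp_hdr = struct.pack("!II", spi, seq)
    icv = hmac.new(auth_key, esp_hdr + ciphertext, hashlib.sha256).digest()[:16]
    return ipv4_packet(outer_src, outer_dst, ESP_PROTO, esp_hdr + ciphertext + icv)


def esp_decapsulate(packet, enc_key, auth_key):
    """Check the ICV before decrypting; return the GRE packet or raise."""
    if packet[9] != ESP_PROTO:
        raise ValueError("not an ESP packet")
    esp_hdr, body, icv = packet[20:28], packet[28:-16], packet[-16:]
    expected = hmac.new(auth_key, esp_hdr + body, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP ICV mismatch: packet tampered or wrong key")
    spi, seq = struct.unpack("!II", esp_hdr)
    plaintext = bytes(a ^ b for a, b in zip(body, _keystream(enc_key, spi, seq, len(body))))
    pad_len, next_hdr = plaintext[-2], plaintext[-1]
    if next_hdr != GRE_PROTO:
        raise ValueError("unexpected next header")
    return plaintext[:-(pad_len + 2)]


def wire_view(packet):
    """What a capture on the ISP link shows: outer unicast addresses, ESP, SPI, seq."""
    spi, seq = struct.unpack("!II", packet[20:28])
    return {"src": socket.inet_ntoa(packet[12:16]), "dst": socket.inet_ntoa(packet[16:20]),
            "proto": packet[9], "spi": spi, "seq": seq}


def tamper_rejected(packet, enc_key, auth_key):
    """Flip one bit of the ICV and confirm the receiver drops the packet."""
    tampered = packet[:-1] + bytes([packet[-1] ^ 0x01])
    try:
        esp_decapsulate(tampered, enc_key, auth_key)
    except ValueError:
        return True
    return False


def build_demo():
    """Constructed example: an EIGRP hello (multicast 224.0.0.10) from tunnel address
    10.0.0.11 leaves spoke public 198.51.100.11 for hub public 203.0.113.1.
    Addresses, SPI and keys are demo values, not taken from the thesis or from IKE."""
    enc_key, auth_key = b"demo-enc-key-not-from-ike", b"demo-auth-key-not-from-ike"
    hello = ipv4_packet("10.0.0.11", "224.0.0.10", EIGRP_PROTO, b"\x02\x05" + bytes(18), ttl=1)
    on_wire = esp_encapsulate("198.51.100.11", "203.0.113.1", gre_encapsulate(hello),
                              spi=0x1A2B3C4D, seq=1, enc_key=enc_key, auth_key=auth_key)
    recovered = gre_decapsulate(esp_decapsulate(on_wire, enc_key, auth_key))
    return hello, on_wire, recovered, enc_key, auth_key


if __name__ == "__main__":
    hello, on_wire, recovered, ek, ak = build_demo()
    print(wire_view(on_wire), "| inner visible:", hello in on_wire, "| round trip:", recovered == hello)
```

Decoding verifies the ICV before touching the ciphertext, which is the order a real ESP receiver uses; `wire_view()` is the part a Wireshark capture on the ISP side can fill in (outer addresses, protocol 50, SPI, sequence), and the fact that the inner multicast packet is not findable in `on_wire` is what the thesis's ESP captures show.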

2.3.2 Limitation of DMVPN

DMVPN over IPsec is a powerful structure for carrying out encrypted data
transmission with both multicast and broadcast packets. Nevertheless, the main
problem with DMVPN is its difficulty for clients who need to obtain an IP
address dynamically, i.e. via a DHCP server. Since DMVPN operation depends on
NHRP, which means that only the nodes registered with the NHRP server can join
the network, it is inconvenient for clients who move frequently. An alternative
is EZVPN, which is capable of compensating for this shortcoming as it is a
remote-access VPN, which increases mobility and flexibility while reducing
configuration complexity. One of its notable advantages is its suitability for
an environment in which dynamic-address clients communicate with a fixed
central site. EZVPN adopts a client-server design, whose essential components
are the EZVPN Remote and the EZVPN Server. [7]

2.4 Routing protocols of DMVPN

Dynamic routing protocols are responsible for creating routing tables and
maintaining their content [9]. Routers exchange information about the network
topology by means of the tables they build, and they analyze this information
and determine the optimal route for data transmission. An important
characteristic of a routing protocol is its ability to detect network faults
and re-establish network information.

Routing protocols are grouped by several characteristics. First, whether they
are interior (IGP, Interior Gateway Protocol) or exterior (EGP, Exterior
Gateway Protocol) (Table 2.1). The second important property is the criterion
of route selection; it is the most important property, on which the other
routing protocol properties depend. Depending on the route-selection criterion
used, routing protocols are divided into distance vector (DV), link state (LS)
and hybrid or path vector (PV) routing protocols.

EIGRP relies on both distance vector and link state algorithms. This routing
protocol is able to take real-time network changes into account, e.g. packet
delay and path bandwidth, when it chooses the route. RIP defines a set of
attributes intended for better performance stability when the network topology
is unstable, and it permits a maximum of 15 hops. OSPF is a link state
algorithm, and it differs from RIP and IGRP, which are distance vector routing
protocols. OSPF uses additional attributes, i.e. equal-cost multipath routing
and a larger number of routes, and it depends on the requested type of service
(TOS).

Table 2.1 Routing Protocols for DMVPN

Protocol | Type | Routing algorithm | Open standard | Network type                  | Route control | Convergence | Scalability
---------|------|-------------------|---------------|-------------------------------|---------------|-------------|------------
EIGRP    | IGP  | DV                | No            | hub-to-spoke, spoke-to-spoke  | Good          | Faster      | Lower
OSPF     | IGP  | LS                | Yes           | hub-to-spoke, spoke-to-spoke  | Medium        | Faster      | Lower
RIP      | IGP  | DV                | Yes           | hub-to-spoke*                 | Poor          | Lower       | High

* May also be used for creating spoke-to-spoke tunnels.

2.4.1 Routing Protocol Authentication

Authentication: This segment contrasts distinctive ways to deal with di routing


protocol authentication, including basic secret word confirmation and MD5 verification
[9].Routing protocol authentication can be utilized to keep a pernicious client from
framing a neighbor ship between his router and a creation router.

Authentication Methods

Cisco routers support a couple of different approaches to authenticating route


advertisements received from a neighboring router:

A. Plain text authentication

B. MD5authentication

 Plain Text Authentication

The plain text authentication [10] [11] process follows a procedure that can generally
be summarized as follows:

Step 1: A routing update is sent starting with one router then onto the next. That routing
update incorporates a key (that is, a secret word) and a key number since some routing
protocols bolster the arrangement of different keys. Note that if a routing protocol does
not bolster different keys, the key number related with a routing refresh is 0.

Step 2: A neighboring router gets the routing update. That router decides if the got key
matches its arranged key (with a coordinating key number).

Step 3: On the off chance that the neighboring router discovers that the keys coordinate,
it acknowledges the routing update. Notwithstanding, the routing update is rejected if
the keys don't coordinate.

13
• MD5 Authentication

The MD5 authentication process can generally be summarized as follows:

Step 1: An MD5 hash algorithm is run on a routing update together with the
router's configured key. The result of the MD5 calculation (that is, the message
digest) is appended to the end of the routing update, which is then sent to a
neighboring router.

Step 2: The neighboring router receives the update and runs an MD5 calculation on
the routing update combined with its locally configured key, which produces a
message digest.

Step 3: If the locally computed message digest matches the received message
digest, the receiving router accepts the packet. If the independently computed
message digest values do not match, the update is rejected.
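The two procedures above (plain text, steps 1 to 3, and MD5, steps 1 to 3) modelled in code, as an added example that is not part of the thesis and not Cisco's implementation. The key table, the update bytes and the packet layout (key number, then key or digest) are constructed for the example; the digest construction is an assumption modelled on the OSPF form MD5(update || key padded to 16 bytes).

```python
import hashlib
import hmac
import struct

# Constructed key table for the receiving router: key number -> key.
# The key number lets a protocol carry several keys at once (the text notes
# that key number 0 is used when a protocol supports only one key).
KEY_TABLE = {1: b"s3cret-key"}
DIGEST_LEN = 16     # an MD5 message digest is 16 bytes
KEY_PAD_LEN = 16    # assumption: key padded/truncated to 16 bytes before
                    # hashing, as in the OSPF MD5 construction


def build_plaintext_update(update: bytes, key_id: int, key: bytes) -> bytes:
    """Plain text method: the update carries the key number and the key itself."""
    return struct.pack("!BB", key_id, len(key)) + key + update


def verify_plaintext_update(packet: bytes, key_table: dict):
    """Return (accepted, update); reject on unknown key number or key mismatch."""
    key_id, key_len = struct.unpack("!BB", packet[:2])
    key = packet[2:2 + key_len]
    expected = key_table.get(key_id)
    # constant-time compare so a wrong key is not distinguishable by timing
    if expected is None or not hmac.compare_digest(key, expected):
        return False, None
    return True, packet[2 + key_len:]


def _md5_digest(body: bytes, key: bytes) -> bytes:
    padded = key[:KEY_PAD_LEN].ljust(KEY_PAD_LEN, b"\x00")
    return hashlib.md5(body + padded).digest()


def build_md5_update(update: bytes, key_id: int, key: bytes) -> bytes:
    """MD5 method: the key never leaves the router; only the digest of the
    update combined with the key is appended to the end of the update."""
    body = struct.pack("!B", key_id) + update
    return body + _md5_digest(body, key)


def verify_md5_update(packet: bytes, key_table: dict):
    """Recompute the digest with the locally configured key and compare."""
    if len(packet) < 1 + DIGEST_LEN:
        return False, None
    body, received = packet[:-DIGEST_LEN], packet[-DIGEST_LEN:]
    key = key_table.get(body[0])
    if key is None:
        return False, None
    if not hmac.compare_digest(_md5_digest(body, key), received):
        return False, None
    return True, body[1:]
```

The difference a packet capture (for instance with Wireshark, as used later in the simulation) makes visible: the plain text packet carries the key in the clear, so anyone who can read the update learns it, while the MD5 packet carries only the digest, and any change to the update or a wrong key makes the digests differ.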

2.5 Hot Standby Router Protocol (HSRP)

The Hot Standby Router Protocol (HSRP) provides a mechanism which is designed to
support non-disruptive failover of IP traffic in certain circumstances. In
particular, the protocol protects against the failure of the first hop router when
the source host cannot learn the IP address of the first hop router dynamically.
The protocol is designed for use over multi-access, multicast or broadcast capable
LANs (e.g., Ethernet). HSRP is not intended as a replacement for existing dynamic
router discovery mechanisms, and those protocols should be used instead whenever
possible. A large class of legacy host implementations that do not support dynamic
discovery are capable of configuring a default router. HSRP provides failover
services to those hosts. All routers participating in HSRP are assumed to run IP
routing protocols and have a consistent set of routes. The discussion of which
protocols are appropriate and whether the routing is consistent is beyond the
scope of this specification. Using HSRP, a set of routers work in concert to
present the illusion of a single virtual router to the hosts on the LAN. This set
is known as an HSRP group or a standby group. A single router elected from the
group is responsible for forwarding the packets that hosts send to the virtual
router. This router is known as the active router. Another router is elected as
the standby router. If the active router fails, the standby assumes the packet
forwarding duties of the active router. Although an arbitrary number of routers
may run HSRP, only the active router forwards the packets sent to the virtual
router. To minimize network traffic, only the active and the standby routers send
periodic HSRP messages once the protocol has completed the election process. If
the active router fails, the standby router takes over as the active router. If
the standby router fails or becomes the active router, another router is elected
as the standby router. [12]

2.5.1 MEMBERS OF HSRP GROUP

• Active Router - The router that is currently forwarding packets for the virtual router.

• Standby Router - The primary backup router.

• Standby Group - The set of routers participating in HSRP that jointly emulate a virtual
router.
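The election and failover sequence described in 2.5 (active forwards, standby takes over, a new standby is elected) as an added example that is not part of the thesis and not an HSRP implementation: it models only the role assignment, not the hello/hold timers or the virtual MAC. The router names, addresses and priorities are constructed; the tie-break rule (higher priority wins, then higher interface IP) and the default priority of 100 are the HSRP rules, and the preempt flag models the optional preemption behaviour.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class HsrpRouter:
    name: str
    ip: str               # real interface IP on the shared LAN (tie-breaker)
    priority: int = 100   # HSRP default priority
    up: bool = True


@dataclass
class HsrpGroup:
    """One HSRP (standby) group: several routers presenting one virtual router."""
    virtual_ip: str
    members: List[HsrpRouter] = field(default_factory=list)
    active: Optional[str] = None
    standby: Optional[str] = None

    def _ranked(self) -> List[str]:
        # Highest priority wins; on equal priority the higher interface IP wins.
        alive = [r for r in self.members if r.up]
        alive.sort(key=lambda r: (r.priority, int(ipaddress.ip_address(r.ip))),
                   reverse=True)
        return [r.name for r in alive]

    def elect(self, preempt: bool = False):
        """Elect active and standby. Without preemption a healthy active router
        keeps its role even if a higher-priority router (re)appears."""
        ranked = self._ranked()
        if not ranked:
            self.active = self.standby = None
        elif self.active in ranked and not preempt:
            rest = [n for n in ranked if n != self.active]
            self.standby = rest[0] if rest else None
        else:
            self.active = ranked[0]
            self.standby = ranked[1] if len(ranked) > 1 else None
        return self.active, self.standby

    def _set_state(self, name: str, up: bool) -> None:
        for r in self.members:
            if r.name == name:
                r.up = up

    def fail(self, name: str, preempt: bool = False):
        """A router goes down: the standby takes over if it was the active
        router; a new standby is elected if it was the standby router."""
        self._set_state(name, False)
        return self.elect(preempt)

    def recover(self, name: str, preempt: bool = False):
        self._set_state(name, True)
        return self.elect(preempt)

    def forwarder(self) -> Optional[str]:
        """Only the active router forwards packets sent to the virtual IP."""
        return self.active
```

A design point worth checking in a deployment: with preemption off, a recovered primary router becomes the standby rather than taking the active role back, so the hub-side group in Chapter 6 keeps forwarding through the secondary router until an operator or a preempt configuration changes it.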

Chapter 3

DMVPN Technologies

3.1 Dynamic Multipoint Virtual Private Network

Dynamic Multipoint VPN (DMVPN) is a Cisco IOS Software solution for building
scalable IPsec Virtual Private Networks (VPNs). Cisco DMVPN uses a centralized
architecture to provide easier implementation and management for deployments that
require granular access controls for diverse user communities, including mobile
workers, telecommuters, and extranet users.

Dynamic Multipoint VPN (DMVPN) is a routing technique we can use to build a VPN
network with multiple sites without having to statically configure all devices.
It is a "hub and spoke" network where the spokes will be able to communicate with
each other directly without having to go through the hub. Encryption is supported
through IPsec, which makes DMVPN a popular choice for connecting different sites
using regular Internet connections.

Dynamic Multipoint VPN (DMVPN) is a combination of GRE, NHRP, and IPsec. NHRP
allows the peers to have dynamic addresses; the GRE/IPsec tunnel backbone is a
hub-and-spoke topology that allows on-demand spoke-to-spoke tunneling, scaling
automatically to a partial mesh. Dynamic Multipoint tunneling is a form of
virtual private network (VPN) supported on Cisco IOS based routers, Huawei AR G3
routers, and USG firewalls, and on Unix-like operating systems.

Cisco DMVPN allows branch locations to communicate directly with each other over
the public WAN or Internet, for example when using voice over IP (VoIP) between
two branch offices, but does not require a permanent VPN connection between
sites. It enables zero-touch deployment of IPsec VPNs and improves network
performance by reducing latency and jitter while optimizing head office bandwidth
utilization.

Figure 3.1 A DMVPN Topology. [16]

3.2 DMVPN Technologies

DMVPN is based on four proven technologies. The four technologies are discussed
below.

• Next Hop Resolution Protocol (NHRP).

• Multipoint Generic Routing Encapsulation (mGRE).

• IP based Routing Protocol (RIP, EIGRP, OSPF, BGP, etc.)

• Internet protocol security (IPsec).

3.2.1 Next Hop Resolution Protocol (NHRP)

NHRP provides a mapping between the inside and outside address of a tunnel
endpoint. These mappings can be static or dynamic. In a dynamic scenario, a
next-hop server (NHS) is used to maintain a list of possible tunnel endpoints.
Each endpoint using the NHS registers its own public and private mapping with the
NHS. The local mapping of the NHS must always be static. Note that the branch
points to the inside or protected address of the NHS server. The NHRP hold time
is used to determine how long neighboring routers should consider the cached
entry of this device to be valid.

The configured value is passed to the remote spoke when the dynamic
spoke-to-spoke session is started. The remote spoke starts a countdown timer.
When this timer expires, the remote router removes the cached entry for the local
router. If traffic is still flowing, the remote router must request the mapping
from the NHS server again. Spoke routers may have different hold times, although
this practice is not common. If two spokes are in session and one timer expires
before the other, the spoke tells the neighboring spoke that the NHRP cache entry
should be aged out. Each device also removes the dynamic spoke-to-spoke
encryption session. [1] [2]

Next Hop Resolution Protocol (NHRP) is a Layer 2 address resolution protocol and
cache, similar to Address Resolution Protocol (ARP) and Frame Relay Inverse-ARP.
NHRP is used by a branch router connected to a non-broadcast multi-access (NBMA)
subnetwork to determine the IP address of the "NBMA next hop"; in this case, the
head end router or the destination IP address of another branch router.

When a branch router is first brought up on a DMVPN network, it registers its IP
address with the head end router, whose IP address is already pre-configured on
the branch router. This registration enables the mGRE interface on the head end
router to build a dynamic tunnel back to the registering branch router without
knowing the branch tunnel destination through a CLI configuration.

NHRP maps a tunnel IP address to an NBMA IP address. NHRP tells the mGRE
interface where to tunnel a packet to reach a particular address. When the packet
is encapsulated in the mGRE packet, the IP destination address is the NBMA
address. Figure 1.1 shows an example of NHRP and mGRE tunneling. [3] [4]
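The registration, resolution and hold-time behaviour described in this section, as an added example that is not part of the thesis and not the NHRP implementation of any router: a hub-side next-hop server, spokes that register their tunnel-to-NBMA mapping with it, and a per-spoke cache whose entries age out after the hold time the remote spoke registered. All addresses, hold times and timestamps are constructed; time is passed in explicitly so the ageing can be followed step by step.

```python
from dataclasses import dataclass


@dataclass
class NhrpEntry:
    tunnel_ip: str      # inside (protected) tunnel address
    nbma_ip: str        # outside (public) address of the tunnel endpoint
    holdtime: int       # seconds the owner says this mapping may be cached
    expires_at: float   # absolute time at which the mapping ages out


class NextHopServer:
    """Hub-side NHS: holds the dynamic registrations of every spoke."""

    def __init__(self, tunnel_ip: str, nbma_ip: str):
        self.tunnel_ip, self.nbma_ip = tunnel_ip, nbma_ip
        self.registrations = {}

    def register(self, tunnel_ip: str, nbma_ip: str, holdtime: int, now: float):
        self.registrations[tunnel_ip] = NhrpEntry(
            tunnel_ip, nbma_ip, holdtime, now + holdtime)

    def resolve(self, tunnel_ip: str, now: float):
        """Answer a resolution request, or None if unknown or aged out."""
        entry = self.registrations.get(tunnel_ip)
        if entry is None or entry.expires_at <= now:
            return None
        return entry


class Spoke:
    def __init__(self, tunnel_ip: str, nbma_ip: str, holdtime: int,
                 nhs: NextHopServer):
        self.tunnel_ip, self.nbma_ip = tunnel_ip, nbma_ip
        self.holdtime, self.nhs = holdtime, nhs
        # The mapping to the NHS itself is static and never ages out.
        self.cache = {nhs.tunnel_ip: NhrpEntry(
            nhs.tunnel_ip, nhs.nbma_ip, 0, float("inf"))}
        self.resolutions = 0    # NHRP resolution requests sent to the NHS

    def register(self, now: float):
        self.nhs.register(self.tunnel_ip, self.nbma_ip, self.holdtime, now)

    def next_hop(self, dest_tunnel_ip: str, now: float):
        """NBMA address to encapsulate toward for dest_tunnel_ip, or None."""
        entry = self.cache.get(dest_tunnel_ip)
        if entry is not None and entry.expires_at > now:
            return entry.nbma_ip
        self.cache.pop(dest_tunnel_ip, None)      # countdown expired: age out
        self.resolutions += 1
        answer = self.nhs.resolve(dest_tunnel_ip, now)
        if answer is None:
            return None
        # Cache for the hold time the remote spoke configured, not our own.
        self.cache[dest_tunnel_ip] = NhrpEntry(
            dest_tunnel_ip, answer.nbma_ip, answer.holdtime, now + answer.holdtime)
        return answer.nbma_ip
```

Two things the model makes visible that matter operationally: a spoke must re-register before its own hold time runs out or the hub will stop answering for it, and a spoke that still has a valid cached entry keeps sending to the old NBMA address until that entry ages out, even if the hub's registration has already lapsed.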

Figure 3.2 NHRP and mGRE addressing [13].

3.2.2 Multipoint Generic Routing Encapsulation (mGRE)

Multipoint Generic Routing Encapsulation is a tunneling protocol that
encapsulates a variety of protocol packet types inside IP tunnels, creating a
virtual point-to-point connection to a device at a remote point over an IP
network.

The configuration of mGRE allows a tunnel to have multiple destinations. The
configuration of mGRE on one side of a tunnel has no relation to the tunnel
properties that may exist at the exit points. This means that an mGRE tunnel on
the hub may be connected to a point-to-point tunnel on the branch. Conversely, a
point-to-point GRE tunnel may connect to an mGRE tunnel. The distinguishing
feature between an mGRE interface and a point-to-point GRE interface is the
tunnel destination. An mGRE interface does not have a configured destination.
Instead, the GRE tunnel is configured with the command tunnel mode gre
multipoint. This command is used instead of the tunnel destination found with
traditional GRE tunnels.

Figure 3.3 GRE packet formatting [6].

Besides allowing for multiple destinations, an mGRE tunnel requires NHRP to
resolve the tunnel endpoints. The protocol header for an mGRE packet is four
bytes larger than a point-to-point GRE packet. The additional four bytes
constitute a tunnel key value, which is used to distinguish between multiple
mGRE interfaces in the same router.

Without a tunnel key, routers can support only a single mGRE interface
corresponding to one IP network. Tunnel keys allow a branch router to have a
different mGRE interface corresponding to each DMVPN cloud in the network
topology. A head end router can be configured as well with two mGRE interfaces
pointing to each DMVPN cloud for high availability and redundancy. [5] [6]
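The GRE header of Figure 3.3 and the four-byte tunnel key discussed above, as an added example that is not part of the thesis: a builder and parser for the GRE header (flags, protocol type, optional checksum, key and sequence number as laid out in RFC 2784/2890), plus the demultiplexing step a router performs when it uses the key to pick the mGRE interface. The payload bytes and the key-to-interface table are constructed for the example.

```python
import struct

GRE_FLAG_C = 0x8000   # checksum (and reserved1) field present
GRE_FLAG_K = 0x2000   # key field present
GRE_FLAG_S = 0x1000   # sequence number field present
ETHERTYPE_IPV4 = 0x0800


def _internet_checksum(data: bytes) -> int:
    """Standard one's-complement checksum over 16-bit words (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_gre(payload: bytes, proto: int = ETHERTYPE_IPV4, key=None,
              seq=None, checksum: bool = False) -> bytes:
    """Encapsulate payload in a GRE header; key=None gives the plain 4-byte
    point-to-point header, an integer key adds the 4-byte tunnel key."""
    flags, optional = 0, b""
    if checksum:
        flags |= GRE_FLAG_C
        optional += b"\x00\x00\x00\x00"          # placeholder checksum + reserved1
    if key is not None:
        flags |= GRE_FLAG_K
        optional += struct.pack("!I", key)
    if seq is not None:
        flags |= GRE_FLAG_S
        optional += struct.pack("!I", seq)
    header = struct.pack("!HH", flags, proto) + optional
    if checksum:
        # checksum covers the GRE header (with the field zeroed) and the payload
        csum = _internet_checksum(header + payload)
        header = header[:4] + struct.pack("!HH", csum, 0) + header[8:]
    return header + payload


def parse_gre(packet: bytes) -> dict:
    """Decode the GRE header; returns fields, header length and the payload."""
    flags, proto = struct.unpack("!HH", packet[:4])
    off = 4
    info = {"proto": proto, "key": None, "seq": None, "checksum_ok": None}
    if flags & GRE_FLAG_C:
        (csum,) = struct.unpack("!H", packet[off:off + 2])
        zeroed = packet[:off] + b"\x00\x00" + packet[off + 2:]
        info["checksum_ok"] = _internet_checksum(zeroed) == csum
        off += 4
    if flags & GRE_FLAG_K:
        (info["key"],) = struct.unpack("!I", packet[off:off + 4])
        off += 4
    if flags & GRE_FLAG_S:
        (info["seq"],) = struct.unpack("!I", packet[off:off + 4])
        off += 4
    info["header_len"] = off
    info["payload"] = packet[off:]
    return info


def select_tunnel_interface(packet: bytes, key_table: dict,
                            unkeyed_interface=None):
    """Demultiplex a received GRE packet onto a tunnel interface: the tunnel
    key picks among several mGRE interfaces; a packet without a key can only
    belong to the single unkeyed interface. Unknown keys are dropped (None)."""
    key = parse_gre(packet)["key"]
    if key is None:
        return unkeyed_interface
    return key_table.get(key)
```

The key is a demultiplexing value, not a secret: it is carried in clear in every packet, so separation between DMVPN clouds on one router rests on it only for addressing, and confidentiality and integrity of the tunnel still come from the IPsec layer underneath.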

3.2.3 IP based Routing Protocol

This design recommends the use of a dynamic routing protocol to propagate routes
from the head end to the branch offices. Using a routing protocol has several
advantages over the current mechanisms in IPsec Direct Encapsulation alone.

In a VPN, routing protocols provide the same level of benefits as in a
traditional network, which includes the following:

• Network topology information

• Topology change notification (such as when a link fails)

• Remote peer status

Several routing protocols can be used in a DMVPN configuration, including EIGRP,
OSPF, RIPv2, and ODR (DMVPN hub-and-spoke only). The designs presented in this
design guide use EIGRP as the routing protocol, because EIGRP was used during
the scalability testing. EIGRP is recommended as the dynamic routing protocol
because it conserves router CPU cycles and network bandwidth. EIGRP also
provides a range of options for address summarization and default route
propagation. Other routing protocols, for example OSPF, have also been verified,
but are not discussed in great detail. ODR cannot be used in the dynamic
spoke-to-spoke network model because ODR does not support split tunneling.
Routing protocols increase the CPU utilization on a network device, so this
impact must be considered when sizing those devices. [7]

In 2007 Cisco Systems described the dynamic routing protocols and their network
type, route control, and convergence in the DMVPN overview guide.

Several routing protocols can be implemented in a DMVPN design, including EIGRP,
OSPF, RIPv2, and BGP.

But the EIGRP dynamic routing protocol has the best route control, and its
convergence is much faster than that of the other dynamic routing protocols.
Table 3.1 shows the dynamic routing protocol controls used in DMVPN technologies
to route information reliably and provide faster communication paths in
enterprise designs.

The advantage of using the EIGRP protocol in DMVPN to design an enterprise
network is that it supports a multi-area route system, unlike the other dynamic
routing protocols. The versatility of the EIGRP routing protocol lies in its ease
of use in networks with other routing protocols, because the data of all routing
protocols can be combined by means of EIGRP. However, as with all EIGRP
networks, the number of neighbors should be limited to ensure the hub router can
restore communications after a major outage. [2]

The description is arranged in Table 3.1.

Service   Network Type             Route Control   Converge   CPU      Scaling   Notes
EIGRP     Hub-Spoke, Spoke-Spoke   Good            Faster     High     Lower     Multiple area
OSPF      Hub-Spoke, Spoke-Spoke   Fair            Faster     High     Lower     Single area
BGP       Hub-Spoke, Spoke-Spoke   Good            Slower     Medium   Medium    Static neighbor
RIPv2     Hub-Spoke, Spoke-Spoke   Poor            Slower     Low      High      Passive mode needs IP SLA

Table 3.1: Dynamic Routing Protocols

Chapter 4

Threat Analysis of VPN

4.1 Disadvantages of VPN

As useful as it may be, a VPN is not fail-proof. Therefore, let's take a look at
VPN disadvantages as well:

4.1.1 Costly

Traditional VPNs are costly to set up on an organizational basis. We may
subscribe to a free Virtual Private Network; however, for security reasons, you
might need to opt for a paid monthly membership. Consider the following: no
online service is really "free", which may mean that a complimentary VPN comes
with a hidden price, i.e. it may sell information about the company's online
activity to advertising providers, among other unpleasant surprises, and end up
costing a very large amount.

4.1.2 Poor connection

A VPN, by encrypting all your network traffic for anonymity reasons, usually
takes a lot of resources, which means that it might become annoyingly slow. It
isn't always the case, but for a good-speed connection we may have to opt for a
paid VPN or some other faster method.

4.1.3 Not Reliable

To develop the previous points, you should also be aware of the fact that VPN
IPs aren't unique, but shared by different users, which may lead to a few
unpleasant situations, for example IP address blacklisting and IP spoofing, to
name a few. Therefore, it is vital to subscribe only to reputable, reliable VPNs
that you have researched thoroughly beforehand.

4.1.4 More Complex

To develop the previous points, you should also be aware of the fact that VPN
IPs aren't unique, but shared by different users, which may lead to a few
unpleasant situations, for example IP address blacklisting and IP spoofing, to
name a few. In this way, it is critical to subscribe only to legitimate, reliable
VPNs that you have researched thoroughly beforehand.

4.2 Administrative Fault

The use of the VPN technique can easily expand the management and application
capacity of an enterprise network from the LAN to the public network. The
network resources of enterprise headquarters and branches can be connected
safely and are not limited by area. Consequently, the enterprise can save the
expensive rent of a dedicated line. It is a kind of scheme that is more
economical and flexible for implementing the connection of various network
resources. Tunnels in VPNs are implemented using tunneling protocols. Tunneling
protocols are divided into layer 2 tunneling protocols and layer 3 tunneling
protocols depending on the layer of the OSI model at which the tunnel is
implemented. Current VPN solutions commonly use generic routing encapsulation
(GRE) or multiprotocol label switching/border gateway protocol (MPLS/BGP), and
the VPNs built using either technology suffer from the following drawbacks:

1) Complicated networking and configuration.

2) Inconvenient maintenance and expansion.

3) GRE cannot cross NAT (Network Address Translation) gateways. VPNs set up
using early versions of IPsec (IP Security) do not support NAT traversal either.
NAT traversal is now implemented by encapsulating IPsec packets in UDP packets.

4) GRE is not suitable for scenarios with dynamic IP addresses.

5) Layer 2 tunneling protocol (L2TP) and GRE do not encrypt the transmitted
packets, whereas IPsec provides the strongest protection for packets sent across
IPsec VPNs.

6) IPsec VPN does not support dynamic routes. VPN tunnels that are set up using
GRE and L2TP are interface based, whereas those that are built using IPsec are
flow based.

Therefore, route learning is not possible between private networks
interconnected using IPsec VPN tunnels, which conflicts with dynamic network
planning. The Dynamic Multipoint VPN (DMVPN) is an application scheme that
combines GRE tunnels with IPsec encryption. At the same time, it solves several
problems that exist with IPsec by combining multipoint GRE (mGRE), Next Hop
Resolution Protocol (NHRP), and some new improvements. In a DMVPN network, IPsec
is used to implement the encryption function, GRE or mGRE is used to establish
the tunnel, and NHRP is used to solve the dynamic address problem of the branch
node. DMVPN only requires the central node to apply for a static public IP
address. In summary, in the course of using traditional VPNs, the problems exist
that networking and expansion are inconvenient, the costs of operation and
maintenance are expensive, and so on. In view of these issues, this paper
proposes to adopt the DMVPN scheme. [11]

4.3 Problem faced in Enterprise Network

Different kinds of tunneling protocols can be used for a VPN implementation that
provides a secure communication environment like a dedicated communication
network. However, how to choose suitable VPN solutions according to
organizational application requirements is not explicitly defined. To implement
site-to-site secure communication, the extension of an organization's intranet
and the extranet concept is applied. To connect remote users with the central
office or a branch office, remote access VPN tunneling techniques are used. The
basic VPN application scenarios are communication with branch offices, business
partners' or suppliers' networks, as well as remote users. To simulate the
actual network condition, one site-to-site and one remote access VPN have been
implemented in GNS3, which is described in the following section. The simulation
condition of GRE is that one communication end has a few networks and the other
site has another three networks. Configuring the GRE tunnel includes creating a
tunnel interface, which is a logical interface. To configure the tunnel source
and destination, issue the tunnel source and tunnel destination commands under
the interface configuration mode for the tunnel. The IPsec tunneling protocol is
implemented in the same network topology as the GRE. The Site-to-Site IPsec VPN
tunnel configuration can be separated into two phases, Phase 1 and Phase 2. In
ISAKMP Phase 1, the encryption method (3DES), the authentication method
(pre-shared key) and the hashing algorithm (MD5) are used to make the first
tunnel. In Phase 2, distinct sorts of tasks take place, for example creating an
extended ACL, creating an IPsec transform set, creating a crypto map and
applying the crypto map to the public interface. In this implementation only
network N1 of one end and network N4 of the opposite end use the IPsec tunnel
for secure communication, which means access to the other networks is denied
using an access control list. PPTP is a remote access VPN tunneling protocol
that creates a private virtual point-to-point connection. This is generally
implemented between a server and a client, where the server belongs to the
enterprise network and the client is a remote workstation. Cisco routers can be
set up to act as PPTP servers, otherwise known as Virtual Private Dialup Network
(VPDN) servers. In this simulation, a cloud is used as the home client, which
uses Windows 7, and router 1 acts as the PPTP server. In remote access PPTP, the
remote client securely accesses its central office through the public network by
means of the PPTP server. L2TP is another highly secure remote access tunneling
protocol that carries layer 2 traffic combined with IPsec. To configure L2TP
over IPsec, first we configured IPsec transport mode to enable IPsec with L2TP.
Then we configured L2TP with a Virtual Private Dial-up Network (VPDN) group. The
setup of L2TP with IPsec supports certificates or pre-shared keys. L2TP with
IPsec is implemented in the same network topology as PPTP using the same
networking devices. [5][11]

4.4 VPN against DMVPN solution

In allusion to the above problems of VPN, the DMVPN solution is adopted for the
enterprise network; the problems and their solutions are given below.

1) Adopting the VPN technique can solve the problem of transmitting enterprise
data securely. We use the GRE over IPsec technique, which makes the system
initiate IPsec encryption automatically. IPsec is used to implement the
encryption function, and GRE or mGRE is used to establish the tunnel. IPsec uses
an access control list (ACL) to define which data is to be encrypted. That is,
when a data packet matches the ACL definition, the IPsec encryption tunnel is set
up immediately. When using GRE with IPsec, the GRE tunnel configuration already
includes the GRE tunnel peer (tunnel destination) address, which is also the
IPsec peer address. So, by binding the GRE tunnel and IPsec, once the GRE tunnel
is established, IPsec encryption is triggered immediately and starts
automatically.

2) Using a traditional VPN cannot solve the problems of dynamic IP addresses and
NAT translation, but DMVPN can solve these problems well. When using the DMVPN
solution, we assign one router as the hub router (HUB, central node), which uses
a static public IP address, while the other routers are spoke routers (SPOKE),
which use static or dynamic IP addresses; using the NHRP protocol, the hub router
acts as the NHRP server. When a spoke router comes online, it automatically
registers its mapping information with the hub router using the external public
IP address of the hub router and the NHRP protocol. So the problems of branch
nodes using dynamic IP addresses and NAT are solved.

3) When a new node needs to be added, there is no need to modify the
configuration on the hub and spoke routers, so maintenance and expansion of the
network become better. In the DMVPN solution, the tunnels from the spoke routers
to the hub router stay up continuously once created, and spoke routers do not
need configuration for direct tunnels to any of the other spoke routers. By a
simple configuration on the newly added spoke router, it can automatically
register with the hub router. At the same time, the hub router acts as the NHRP
server and handles the NHRP request of the source spoke router, providing the
public network address of the target spoke router to the source spoke router.
Thereby, the two spoke routers dynamically create an IPsec tunnel between them
(via the mGRE interface) and data can be transferred directly. This dynamic
spoke-to-spoke tunnel is automatically torn down after a configurable period of
inactivity. In this way, the configuration on the spoke router is simplified and
the costs of setting up and maintaining the network are reduced. Then all other
spoke routers can learn this new route through the dynamic routing protocol, and
the newly added spoke router can also learn the routing information that reaches
all other routers. So, maintenance and expansion of the network become better.

4) How to support dynamic routes, in order to ensure the robustness and
reliability of network operation: although an IPsec tunnel cannot support
encapsulation of IP multicast/broadcast packets, a GRE tunnel can encapsulate
multicast/broadcast packets into GRE packets. GRE packets are unicast packets,
so they can be encrypted by IPsec. We implement multicast or broadcast by using
the GRE tunnel and the encryption of data packets by using IPsec. In this way,
we can run dynamic routing protocols over mGRE tunnels, such as EIGRP, OSPF, RIP
and so on. We update the routing tables on the routers at the two endpoints of
the encrypted tunnels by using dynamic routing protocols. In this way, when the
network at either endpoint of the tunnel changes, the other endpoint can
dynamically learn the change and keep network connectivity without modifying the
configuration on the routers. Thereby, the robustness and reliability of network
operation are ensured.

Chapter 5

Simulation and Simulator Parameters

5.1 Simulation
Simulation is defined as the process of creating a model of an existing or
proposed system in order to identify and understand how it functions. We can
estimate and make assumptions about the real system by using simulation results.

5.2 Simulator

5.2.1 Graphical Network Simulator (GNS3)

GNS3 is a Graphical Network Simulator that allows emulation of complex networks.
We may be familiar with VMware or Virtual PC, which are used to emulate various
operating systems in a virtual environment. These programs allow you to run
operating systems such as Windows XP Professional or Ubuntu Linux in a virtual
environment on your computer. GNS3 allows the same type of emulation using Cisco
Internetwork Operating Systems. It allows you to run a Cisco IOS in a virtual
environment on your computer. GNS3 is a graphical front end to a product called
Dynagen. Dynamips is the core program that allows IOS emulation. Dynagen runs on
top of Dynamips to create a more user friendly, text-based environment. A user
may create network topologies using simple Windows INI-type files with Dynagen
running on top of Dynamips. GNS3 takes this a step further by providing a
graphical environment. [10]

5.2.2 Wireshark

Wireshark is a network packet analyzer. A network packet analyzer tries to
capture network packets and to display that packet data in as much detail as
possible. You could think of a network packet analyzer as a measuring device used
to examine what's going on inside a network cable, just like a voltmeter is used
by an electrician to examine what's going on inside an electric cable (but at a
higher level, of course). In the past, such tools were either very expensive,
proprietary, or both. However, with the advent of Wireshark, all that has
changed.

5.3 Design and Analysis in GNS3

When implementing a real model of the system in GNS3, some steps are to be
followed to design on the simulator. The following steps are needed to work with
GNS3:

Loading Cisco IOS Image -> Network Design -> Applying Cisco Command -> Run Simulator -> Analysis Result

Figure 4.1: Network design procedure on GNS3

5.4 Resulting Parameters

5.4.1 Latency
Latency is a networking term describing the total time it takes a data packet to
travel from one node to another. In other contexts, when a data packet is
transmitted and returned to its source, the total time for the round trip is
known as latency. Latency refers to the time interval or delay while one system
component waits for another system component to do something. Latency = delay:
it is the amount of delay (or time) it takes to send information from one point
to the next. Latency is usually measured in milliseconds (ms). It is also
referred to (during speed tests) as the ping rate.

5.4.2 Throughput
Throughput is the maximum rate of production or the maximum rate at which
something can be processed. When used in the context of communication networks,
such as Ethernet or packet radio, throughput or network throughput is the rate of
successful message delivery over a communication channel. The data these messages
belong to may be delivered over a physical or logical link, or it can pass
through a certain network node. Similarly, for network communications,
throughput is measured by calculating the amount of data transferred between
locations during a specified period, generally expressed as bits per second
(bps), which has evolved to bytes per second (Bps), kilobytes per second (Kbps),
megabytes per second (Mbps) and gigabytes per second (Gbps).

5.4.3 Response Time

Response time in the context of computer technology is the elapsed time between
an inquiry on a system and the response to that inquiry. Used as a measurement
of system performance, response time may refer to service requests in a variety
of technologies. Low response times may be critical to successful computing.
Accounting for time demands made on a computer system can take many different
forms. In computer networking, for instance, response times between two systems
can be measured and viewed using such commands as ping or traceroute ("tracert"
from the Windows command prompt). These diagnostic tools make use of the
Internet Control Message Protocol (ICMP).
Many people use the terms "response time" and "latency" interchangeably.
However, latency has more to do with the time delay between a particular cause
and effect. Response time deals with the total time between a request for
service and the fulfillment of that request. While some nuances exist in
attempting to define the term, response time is generally the sum of the service
time and the wait time required to process the request. Response time is a
factor in many different computing technologies, including disk I/O, database
queries, memory handling and loading web pages. Monitor response time measures
how quickly pixels change from black to white or to a different shade of grey.
Quick monitor response times are important for gaming.

Computer processes may depend on queues, which determine how or when a request
for service is handled. The queuing process may have a significant influence on
the response time.
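The latency, packet loss and response-time figures of 5.4 are what ping reports, so a parser for that output is the piece of tooling a practitioner wants when collecting results from the GNS3 simulation. This is an added example that is not part of the thesis: it reads the summary line of Cisco IOS ping output and, going a little beyond the text, also the per-reply lines of Windows ping (the "tracert" host mentioned above), and checks the result against a loss and RTT target. All sample output below is constructed, not captured from the thesis's simulation.

```python
import re
from statistics import mean

# Constructed Cisco IOS-style ping output (not captured from the simulation).
SAMPLE_IOS_PING = """\
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
"""
SAMPLE_IOS_PING_LOSSY = """\
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
.!!.!
Success rate is 60 percent (3/5), round-trip min/avg/max = 8/12/20 ms
"""
SAMPLE_IOS_PING_DEAD = """\
Sending 5, 100-byte ICMP Echos to 10.1.1.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
"""
# Constructed Windows-style ping output.
SAMPLE_WINDOWS_PING = """\
Pinging 10.1.1.1 with 32 bytes of data:
Reply from 10.1.1.1: bytes=32 time=3ms TTL=254
Reply from 10.1.1.1: bytes=32 time=1ms TTL=254
Reply from 10.1.1.1: bytes=32 time=4ms TTL=254
Reply from 10.1.1.1: bytes=32 time=2ms TTL=254

Ping statistics for 10.1.1.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
"""

IOS_SUMMARY_RE = re.compile(
    r"Success rate is (\d+) percent \((\d+)/(\d+)\)"
    r"(?:, round-trip min/avg/max = (\d+)/(\d+)/(\d+) ms)?")
WIN_REPLY_RE = re.compile(r"Reply from [\d.]+: bytes=\d+ time[=<](\d+)ms")
WIN_STATS_RE = re.compile(r"Packets: Sent = (\d+), Received = (\d+), Lost = (\d+)")


def parse_ios_ping(text: str) -> dict:
    """Extract sent/received/loss and RTT min/avg/max (ms) from IOS ping output.
    IOS omits the round-trip part entirely when every echo was lost."""
    m = IOS_SUMMARY_RE.search(text)
    if not m:
        raise ValueError("no IOS ping summary line found")
    pct, received, sent = int(m.group(1)), int(m.group(2)), int(m.group(3))
    rtt = [int(g) if g is not None else None for g in m.groups()[3:]]
    return {"sent": sent, "received": received, "loss_pct": 100 - pct,
            "rtt_min_ms": rtt[0], "rtt_avg_ms": rtt[1], "rtt_max_ms": rtt[2]}


def parse_windows_ping(text: str) -> dict:
    """Same result shape, computed from the individual reply lines."""
    rtts = [int(x) for x in WIN_REPLY_RE.findall(text)]
    m = WIN_STATS_RE.search(text)
    sent, received = (int(m.group(1)), int(m.group(2))) if m else (len(rtts), len(rtts))
    return {"sent": sent, "received": received,
            "loss_pct": round(100 * (sent - received) / sent) if sent else None,
            "rtt_min_ms": min(rtts) if rtts else None,
            "rtt_avg_ms": mean(rtts) if rtts else None,
            "rtt_max_ms": max(rtts) if rtts else None}


def meets_target(result: dict, max_loss_pct: int, max_avg_rtt_ms: float) -> bool:
    """True when loss and average latency are both within the given targets."""
    if result["loss_pct"] is None or result["loss_pct"] > max_loss_pct:
        return False
    avg = result["rtt_avg_ms"]
    return avg is not None and avg <= max_avg_rtt_ms
```

Run the same target through ping before and after the IPsec tunnel is applied and compare the two results; the difference in average RTT is the encryption and encapsulation overhead the design pays for confidentiality.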

Chapter 6

Network Design and System procedure

6.1 Requirement and Solution

When designing an enterprise network, the most important things are to ensure
the secure transmission of data, the suitability of network maintenance and,
also most important, the continuous availability of network resources. It
includes a few considerations: nowadays enterprise branches are distributed
everywhere, and each headquarters and branch demands secure transmission of data
by means of the Internet. So, when designing an enterprise network, secure
transmission of data across the Internet is considered first.
Secondly, ensure smooth communication between the clients, branches and
headquarters. Also consider the lower cost of setting up networks, a network
with convenience and economical investment, lower maintenance cost, and ensuring
the authenticity of network operation. [4]
Using DMVPN with HSRP technology, the above problems are overcome when designing
an enterprise network.

• To design an enterprise network we use the GRE over IPsec technique, which
makes the system start IPsec encryption automatically. IPsec uses an access
control list (ACL) which identifies what data is to be encrypted. GRE
establishes a tunnel, and GRE and IPsec share the peer address. Then IPsec
encryption in the GRE tunnel is set up automatically.

• Using DMVPN for the enterprise network resolves the problem of dynamic IP
addresses and NAT translation. In the DMVPN solution, the main headquarters
router acts as an NHRP server, and newly added branches do not need to be
configured on the server, so the problem of remote access is solved this way.
Another advantage is that the configuration on the branch router is simplified,
so that the cost of setting up a new branch network and its maintenance is
reduced. The newly added branch can obtain the routing information that reaches
all other branch routers. In this way, maintenance and expansion of the network
become better.

• Using the HSRP protocol, router failures are overcome by priority-based
secondary routers. An enterprise should always consider first the availability
of network resources; if the network is not available, it hampers all branches
as well as the whole enterprise network. So, by using a secondary router in the
headquarters premises, the failure of the primary router is handled.

6.2 Designing Scheme

The enterprise headquarters network acts as the core of all networks in the
enterprise and of all branch communication. In the DMVPN network the
headquarters router acts as the hub router (HUB), and all branch routers act as
spoke routers (SPOKE). When branches are added, the branch routers, called spoke
routers, use dynamic IP addresses, and each registers its related information
with the HUB router every time it connects to the core network. After
confirmation from the HUB router of the core network, the spoke routers of the
branches implement direct communication with other branches when needed. When
many branches need to be added to the network, only the branch routers tell the
headquarters router (HUB) their related information in encrypted mode and
present their secret key; the HUB router then verifies the information of the
requesting branches and checks the secret key, and if all information matches
successfully, the branches are ready to communicate with the headquarters router
and the other branch routers. In this design, another HUB router is used in the
core network to back up the headquarters router; by use of the HSRP protocol
this router acts as a secondary HUB router and the main HUB router acts as the
primary router. If any problem occurs or the lines of the primary router go
down, the network does not break down; it stays connected to the whole network
under the secondary HUB router. So in this way not only is the load of the
headquarters minimized, but the communication between branches also becomes
convenient, the cost of building an enterprise network and its maintenance is
protected, and the service time is not hampered by a link disaster.

6.2.1 Implementation Mechanism


The mechanism of this network implementation is divided into the following parts:
 The headquarters server acts as the core network, so the core network must
have an alternative path to ensure 100 percent uptime. For this, Hot Standby
Routing Protocol (HSRP) is the best way to achieve 100 percent network uptime.
One active router always forwards data between the clients (branches) and the
server (HQ), while another router stays in standby mode. While the active
(primary) router is sending its periodic messages, the standby (secondary) router
keeps hearing them; when the link of the active router goes down, the secondary
router no longer hears them, comes online, and carries the traffic until the
primary router is repaired.
 In the DMVPN mechanism of this topology, all branches are first connected to
the headquarters router (HUB) through a static tunnel, and branches are connected
to one another dynamically within one subnet.
 The branch router, named the spoke router, acts as an NHRP client and, while
it is online, sends resolution request packets to the headquarters router, which
acts as the NHRP server, requesting the non-broadcast multi-access (NBMA) address
mapped to the next-hop tunnel IP address.
 The headquarters hub, which is the NHRP server, resolves the NBMA address
mapping and replies to the resolution request sent by the branch (client).
 When a spoke router sends a registration request to an NHS (NHRP server) to
inform the HUB router's NHS of its NBMA information, all client next-hop
information is cached at the NHS.
 The registration request mainly includes: the source address of the VPN
tunnel, the router's external (public network) IP address, the company router's
internal network interface IP address, and the target NHS server IP address.
 When the NHS receives the registration request, it takes the tunnel source
address and network address from the request and verifies them against the
address information in its NHS map table. If the two addresses are already in the
table, the NHS updates the entry and confirms that it has not expired. If they are
not in the table, the NHS adds them to the map table with their tunnel source
address, subnet address and mask.
 In this way the headquarters router (HUB) obtains all related information,
such as the crypto maps, crypto ACL and GRE tunnel interface of each branch router
(spoke), together with the registration request information, and saves it in the
NHRP database. [4]
 The HUB router, which is the NHS server, sends an NHRP registration reply
containing the NHS server address, the NBMA subnet address and the NBMA address
to the client, in response to that client's NHRP registration request.
 When the NHS reply to the registration request reaches the NHC (the NHRP
client, i.e. the spoke router), the NHC deletes its previous cached information
and updates its own NHRP registration information in the NHRP map table.

 From all the steps above we see that NHRP resolution takes place between the
headquarters router (HUB router), which is the NHS (NHRP server), and all branch
routers (spoke routers), which are NHCs (NHRP clients). The NHS uses a public
static IP address, so every NHC can find the NHS whether the NHC uses a private
dynamic IP address or a static address behind NAT. As a result, the NAT problem is
solved, and because the configuration is simple the headquarters router need not
be reconfigured every time a branch is added or removed. Using Hot Standby Routing
Protocol between the two headquarters HUB routers, the failure time of the NHS is
also covered.
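The registration and resolution exchange described in this section, modelled in Python as an added example (this is not code from the thesis, and it is a model, not a packet-level NHRP implementation). Assumptions: the `ip nhrp authentication` string is modelled as a plain shared key compared on registration; NAT is modelled by letting the hub see a different outer source address (`seen_from`) than the spoke's own address; all addresses are constructed sample values, not the thesis topology.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class NhrpEntry:
    tunnel_ip: str        # next-hop protocol address inside the mGRE tunnel
    nbma_ip: str          # public NBMA address the GRE/IPsec packets are sent to
    subnet: str           # the spoke's internal LAN carried in the registration
    holding_time: int     # seconds left before the entry expires unless refreshed


@dataclass
class NextHopServer:
    """Hub router acting as NHS: it owns the NHRP map table."""
    tunnel_ip: str
    nbma_ip: str
    auth: str                               # models 'ip nhrp authentication <key>'
    table: dict = field(default_factory=dict)

    def register(self, req: dict, seen_from: str) -> dict:
        """Handle a registration request. `seen_from` is the outer source address
        the hub actually received the packet from; behind NAT this differs from
        the address the spoke believes it has, and it is what the hub must store."""
        if req["auth"] != self.auth:
            return {"status": "rejected", "reason": "authentication mismatch"}
        entry = self.table.get(req["tunnel_ip"])
        if entry is not None and entry.nbma_ip == seen_from:
            entry.holding_time = req["holding_time"]   # known binding: refresh only
            action = "refreshed"
        else:
            self.table[req["tunnel_ip"]] = NhrpEntry(
                req["tunnel_ip"], seen_from, req["subnet"], req["holding_time"])
            action = "added"
        return {"status": "ok", "action": action, "nhs_tunnel_ip": self.tunnel_ip,
                "nhs_nbma_ip": self.nbma_ip, "registered_nbma": seen_from}

    def resolve(self, target_tunnel_ip: str) -> Optional[str]:
        """Resolution request: return the NBMA address mapped to a tunnel address."""
        entry = self.table.get(target_tunnel_ip)
        return entry.nbma_ip if entry else None

    def age(self, seconds: int) -> list:
        """Advance time; purge entries whose holding time ran out, return their tunnel IPs."""
        purged = [ip for ip, e in self.table.items() if e.holding_time <= seconds]
        for ip in purged:
            del self.table[ip]
        for e in self.table.values():
            e.holding_time -= seconds
        return purged


@dataclass
class NextHopClient:
    """Spoke router acting as NHC."""
    tunnel_ip: str
    nbma_ip: str                 # may be a private/dynamic address behind NAT
    subnet: str
    auth: str
    cache: dict = field(default_factory=dict)   # peer tunnel_ip -> NBMA address

    def registration_request(self, holding_time: int = 7200) -> dict:
        return {"tunnel_ip": self.tunnel_ip, "nbma_ip": self.nbma_ip,
                "subnet": self.subnet, "auth": self.auth, "holding_time": holding_time}

    def register_with(self, nhs: NextHopServer, nat_public_ip: Optional[str] = None) -> dict:
        seen_from = nat_public_ip or self.nbma_ip   # NAT rewrites the outer source
        reply = nhs.register(self.registration_request(), seen_from)
        if reply["status"] == "ok":
            # On a successful reply the spoke drops stale data and records the NHS binding
            self.cache.clear()
            self.cache[reply["nhs_tunnel_ip"]] = reply["nhs_nbma_ip"]
        return reply

    def build_spoke_tunnel(self, nhs: NextHopServer, peer_tunnel_ip: str) -> Optional[str]:
        """Traffic to a peer first goes via the hub; the spoke asks the NHS for the
        peer's NBMA address and caches it so later packets can use a direct tunnel."""
        nbma = nhs.resolve(peer_tunnel_ip)
        if nbma is not None:
            self.cache[peer_tunnel_ip] = nbma
        return nbma


def demo() -> dict:
    """Run the exchange with constructed sample addresses (not the thesis topology)."""
    hub = NextHopServer("10.0.0.1", "203.0.113.1", auth="k3y")
    b1 = NextHopClient("10.0.0.2", "192.168.10.5", "172.16.1.0/24", auth="k3y")   # behind NAT
    b2 = NextHopClient("10.0.0.3", "198.51.100.7", "172.16.2.0/24", auth="k3y")
    rogue = NextHopClient("10.0.0.9", "198.51.100.99", "172.16.9.0/24", auth="wrong")
    r1 = b1.register_with(hub, nat_public_ip="203.0.113.77")
    r2 = b2.register_with(hub)
    r3 = rogue.register_with(hub)
    r1_again = b1.register_with(hub, nat_public_ip="203.0.113.77")
    direct = b2.build_spoke_tunnel(hub, "10.0.0.2")     # b2 -> b1 direct tunnel
    return {"b1": r1["action"], "b2": r2["action"], "rogue": r3["status"],
            "b1_refresh": r1_again["action"], "b2_to_b1_nbma": direct,
            "table_size": len(hub.table)}


if __name__ == "__main__":
    print(demo())
```

The point the model makes visible is the NAT case: the hub records the address it saw the registration arrive from (203.0.113.77), not the private address the spoke carries internally, and that recorded address is what a second spoke receives from a resolution request. A registration with the wrong authentication string never reaches the table, so the table size stays at two.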

6.3 Network Topology

Following the scheme and implementation mechanism above, we simulate a practical
implementation of DMVPN technology with HSRP for a secure enterprise network in an
organization. The design and simulation are done in Graphical Network Simulator-3
(GNS3); Figure 6.1 shows the design. We set up a headquarters server at the
headquarters end and two branches at the branch end. The headquarters server is
connected to the same LAN as the two HUB routers via a switch, and the two hubs are
connected to the internet provided by an internet service provider (ISP). At the
branch end, branches in two different cities are connected to the internet, and
each branch has its clients on the same LAN.

Figure 6.1: Network Topology for Enterprise

The whole topology is designed in GNS3, and the interface commands are presented
step by step with screenshots. For ease of understanding we divide the whole
topology into two parts:

1) Headquarter End Topology.

2) Branches End Topology.

6.3.1 Headquarter End Topology


We configured a network topology for this research; the design method is described
step by step. First we loaded one server image and two router IOS image files into
GNS3 and connected both routers to the server port through serial cables. The
picture is shown in figure 6.1.

Figure 6.2: Headquarter End Topology

The network topology shown above is configured with the cryptographic, GRE tunnel,
NHRP profile and routing protocol commands in GNS3 (Graphical Network Simulator 3).

6.3.2 A Interface setting command of IPsec Profile for Headquarter End

To set up every interface with its necessary cryptography profile we used the
following commands:

(a)

(b)

Figure 6.3: (a) Primary Router IPsec Profile Setting Command (b) Secondary Router
IPsec profile

6.3.3 B Interface setting command of IPsec Profile for Headquarter End


To set up every interface with its necessary cryptography profile we used the
following commands:

(a)

(b)

Figure 6.3: (a) Primary Router IPsec Profile Setting Command (b) Secondary Router
IPsec profile

6.3.4 C Interface setting command of HSRP for Headquarter End

To set up Hot Standby Routing Protocol we create a standby group, with active and
standby roles, on both the primary and the secondary router. The commands are
shown below:

(a)

(b)

Figure 6.5: (a) Primary Router HSRP (b) Secondary Router HSRP

6.4 Branches End Topology
Every branch is connected to its chosen Internet service provider router, which is
the gateway for reaching the headquarters. The branch-end topology is shown below;
the branches are connected to the ISP through serial cables.

Figure 6.6 Branches End Topology

The network topology shown above is configured with the cryptographic, GRE tunnel,
NHRP profile and routing protocol commands for the branch end in GNS3 (Graphical
Network Simulator 3).

6.4.1 A Interface setting command of IPsec Profile for Branch End

To set up every interface with its necessary cryptography profile we used the
following commands in the two branches:

(a)

(b)

Figure 6.7 (a) Branch 1 IPsec Profile (b) Branch 2 IPsec Profile

6.4.2 B Interface setting command of NHRP Profile for Branches End


To set up every interface with its necessary NHRP profile we used the following
commands in the two branches:

(a)

(b)

Figure 6.8: (a) Branch 1 two NHRP Profiles (b) Branch 2 two NHRP Profiles

6.4.3 Hot stand-by routing protocols Interface Command


By creating a standby group we identify the active and standby routers and assign
their priorities with Cisco IOS commands. The commands are shown below. We make
router number one the primary, i.e. the active router, and router number two the
secondary router.

(a)

(b)

Figure 6.9: (a) Primary Router HSRP (b) Secondary Router HSRP

6.5 ICMP and I/O Graph of Primary Router

After configuring all interfaces and the IPsec, NHRP and dynamic routing
protocols, we ping from branch one to the primary router 1000 times; the result is
shown in the figure below:

Figure 6.10: Ping Result of Branch One against Primary Router

In figure 6.10 we see that when we send 100-byte ICMP echoes from branch one to
the primary router 1000 times, the delay (round-trip time) is 4 ms at minimum,
120 ms at maximum and 59 ms on average. While branch 1 communicates with the
primary router we capture the I/O graph of the interface link. The I/O graph is
given below in figure 6.11.

Figure 6.11: I/O Graph of Primary Router Interface

6.5.1 ICMP and I/O Graph of Secondary Router


After configuring all interfaces and the IPsec, NHRP and dynamic routing
protocols, we cut the link of the primary router and ping from branch one to the
secondary router 1000 times; the result is shown in the figure below:

Figure 6.12: Ping Result of Branch One against Secondary Router

In figure 6.12 we see that when we send 100-byte ICMP echoes from branch one to
the secondary router 1000 times, with the primary router down or its link
destroyed, the delay (round-trip time) is 8 ms at minimum, 180 ms at maximum and
66 ms on average.

Figure 6.13: I/O Graph of Secondary Router Interface

While branch 1 communicates with the secondary router we capture the I/O graph of
the interface link. The I/O graph is given in figure 6.1.

Chapter 7
Result Analysis

7.1 Throughput data Analysis


The ICMP throughput measured over 1000 pings to the primary and secondary routers
was analysed; the average results are recorded in a table and plotted in a graph.
The results of the two branches against both the primary and the secondary router
are given below.

From       To                 Average Throughput (Mbps)
Branch 1   Primary Router     1.721
Branch 1   Secondary Router   1.278
Branch 2   Primary Router     1.510
Branch 2   Secondary Router   1.392

Table 7.1: Average Throughput Result

This table shows the average throughput between the branches and the primary and
secondary routers. It shows that the throughput through the primary router is
close to the throughput when the secondary router is active, that is, when the
primary link is cut. The branch clients still reach the headquarters when the
primary link is down, and the throughput is still good enough to communicate.

7.1.1 Throughput Graph


The throughput results of the primary and secondary routers are plotted in a graph,
given in figure 7.1.

Figure 7.1: Throughput Graph
The graph in figure 7.1 shows the throughput of the two main routers. The primary
router's throughput is good for the branches communicating with each other, and
if the primary router link fails or is hampered, the branches communicate through
the secondary router, whose throughput at that time is also close to that of the
primary router. So if the primary router is offline, the branches still
communicate with each other through the secondary router without any delay.

7.2 Response Time data Analysis


The ICMP response time measured over 1000 pings to the primary and secondary
routers was analysed; the average results are recorded in a table and plotted in a
graph. The results of the two branches against both the primary and the secondary
router are given below.

From       To                 Average Response Time (second)
Branch 1   Primary Router     0.221
Branch 1   Secondary Router   0.292
Branch 2   Primary Router     0.181
Branch 2   Secondary Router   0.179

Table 7.2: Average Response Time Result

This table shows the average response time between the branches and the primary
and secondary routers. It shows that the response time through the primary router
is close to the response time when the secondary router is active, that is, when
the primary link is cut. The branch clients still reach the headquarters when the
primary link is down, and the response time is still good enough to communicate.

7.3 Comparison Table

We implemented the topology we designed and ran different services (FTP, WWW)
over it to find the hub response time, throughput and measured time. We used two
hub routers, one primary and one secondary, and present the results in tables:
Table 7.1 is for branches reaching the headquarters end through the primary hub,
and Table 7.2 is for when a link failure occurs at the primary hub so that
communication goes through the secondary hub. Finally we compare both outputs in
Table 7.3. From the results of testing at different times, we can see that the
maximum throughput of the FTP service reaches 2.701 Mbps when branches reach the
headquarters server through the primary hub link, and 2.79 Mbps when the primary
link is down and the branches use the secondary hub. We also see that the response
times are approximately the same, with an average response time of 0.201 to 0.251
second. With such response times the branches do not perceive any delay. From the
results for the two kinds of services mentioned above, we can see that the DMVPN
system can fully meet the demands of real use.

Test   Type of service          Location     Throughput (Mbps)            Response Time (second)       Measured Time
Time                            of Station   Average   Min.    Max.       Average   Min.    Max.       (second)

1      FTP service (Branch 1)   Primary      1.271     0.961   1.721      0.221     0.210   0.221      59.212
                                Secondary    1.278     0.991   1.782      0.292     0.271   0.241      60.421
2      FTP service (Branch 2)   Primary      1.510     1.031   2.701      0.181     0.118   0.231      45.681
                                Secondary    1.521     1.081   2.791      0.181     0.182   0.281      47.881
3      WWW service (Branch 1)   Primary      3.710     2.942   5.010      0.282     0.141   0.241      18.151
                                Secondary    3.728     2.993   5.029      0.202     0.143   0.251      19.121
4      WWW service (Branch 2)   Primary      3.815     2.961   4.951      0.202     0.151   0.245      18.021
                                Secondary    3.829     2.991   4.983      0.273     0.159   0.243      19.012

Table 7.3: Comparison Table

7.4 Crypto ESP format analysis
When we send packets from branch 1 to the primary router, the packets are sent in
encrypted form; the format was captured with Wireshark and is shown in the figure
below.

Figure 7.2: Crypto ESP format of Branch 1 to Primary router

This figure shows that when the branch 1 PC sends 1000 ICMP echo packets, every
packet is wrapped in the Encapsulating Security Payload (ESP) format, as displayed
by the Wireshark software.
In the next figure we show, in the same way, the packets sent to the primary
router in encrypted form, as captured with Wireshark; the figure is given below.

Figure 7.3: Crypto ESP format of Branch 2 to Primary router

This figure shows that when the branch PC sends 1000 ICMP echo packets, every
packet is wrapped in the Encapsulating Security Payload (ESP) format, as displayed
by the Wireshark software.
When a branch communicates with another branch's subnet, the packets are also
sent in ESP format, but they first go to the primary hub to find the destination
subnet, and then the packets are encapsulated in the security payload. The figure
is shown below.
Figure 7.4 shows that the packets are sent in Encapsulating Security Payload (ESP)
format. The packets first reach the NHS (Next Hop Server), the destination path is
found through the NHRP table, and then a dynamic tunnel is built between branch
and branch.


Figure 7.4: Crypto format of Branch to Branch communication
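What an analyst can and cannot read from an ESP capture like figures 7.2 to 7.4, as an added Python example (not code from the thesis): the outer IPv4 addresses, the SPI that names the security association, and the sequence number are in the clear; everything after them is ciphertext and an integrity tag. The block parses those fields and runs the RFC 4303 anti-replay window over them, which is the check a receiving router applies to the sequence number. The packets are constructed inline with a zero body and no IP checksum, purely to exercise the parser; addresses and SPIs are sample values.

```python
import struct
from dataclasses import dataclass

IPPROTO_ESP = 50


@dataclass
class EspRecord:
    src: str
    dst: str
    spi: int               # Security Parameters Index: identifies the SA
    seq: int               # increases per packet on the SA, used for anti-replay
    encrypted_len: int     # bytes after the 8-byte header: IV + ciphertext + ICV


def parse_ipv4_esp(frame: bytes) -> EspRecord:
    """Parse an IPv4 packet and return the readable fields of the ESP it carries.
    Everything after SPI and sequence number is opaque without the SA's key."""
    if len(frame) < 20:
        raise ValueError("short IPv4 header")
    ihl = (frame[0] & 0x0F) * 4
    proto = frame[9]
    if proto != IPPROTO_ESP:
        raise ValueError(f"not ESP (protocol {proto})")
    src = ".".join(str(b) for b in frame[12:16])
    dst = ".".join(str(b) for b in frame[16:20])
    esp = frame[ihl:]
    if len(esp) < 8:
        raise ValueError("short ESP header")
    spi, seq = struct.unpack("!II", esp[:8])
    return EspRecord(src, dst, spi, seq, len(esp) - 8)


class ReplayWindow:
    """RFC 4303 anti-replay check: a bitmap over the last `size` sequence numbers."""

    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0          # highest sequence number accepted so far
        self.bitmap = 0       # bit i set => sequence number (top - i) already seen

    def accept(self, seq: int) -> bool:
        if seq == 0:
            return False                              # 0 is never valid on the wire
        if seq > self.top:                            # newer than anything seen: slide
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                              # older than the window
        if (self.bitmap >> offset) & 1:
            return False                              # duplicate: replay
        self.bitmap |= 1 << offset
        return True


def build_esp_frame(src: str, dst: str, spi: int, seq: int, body_len: int) -> bytes:
    """Construct a minimal IPv4+ESP packet for the demo (zero body, no checksum,
    no real encryption): just enough for the outer-field parsing above."""
    total = 20 + 8 + body_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0x4000, 64, IPPROTO_ESP, 0,
                     bytes(int(x) for x in src.split(".")),
                     bytes(int(x) for x in dst.split(".")))
    return ip + struct.pack("!II", spi, seq) + bytes(body_len)


def audit(frames: list) -> dict:
    """Walk a capture: count packets per SA (src, dst, SPI) and flag replayed sequence numbers."""
    windows, counts, replays = {}, {}, []
    for f in frames:
        rec = parse_ipv4_esp(f)
        sa = (rec.src, rec.dst, rec.spi)
        counts[sa] = counts.get(sa, 0) + 1
        if not windows.setdefault(sa, ReplayWindow()).accept(rec.seq):
            replays.append((sa, rec.seq))
    return {"per_sa": counts, "replays": replays}


def demo() -> dict:
    """Constructed capture: five echo packets from a branch to the hub on one SA,
    one replayed copy of packet 3, and one packet on the return-direction SA."""
    branch, hub = "203.0.113.10", "198.51.100.1"
    frames = [build_esp_frame(branch, hub, 0xC0FFEE01, n, 120) for n in range(1, 6)]
    frames.append(build_esp_frame(branch, hub, 0xC0FFEE01, 3, 120))   # replayed
    frames.append(build_esp_frame(hub, branch, 0xBEEF0002, 1, 120))   # reverse SA
    return audit(frames)
```

Each direction of a tunnel is its own SA with its own SPI, which is why the capture in figure 7.4 shows different SPIs for hub-bound and branch-bound packets; counting per SA is how one confirms the 1000 echoes and 1000 replies actually travelled encrypted.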

7.5 Characteristic of HSRP


When the primary router link is down, the secondary router automatically comes
online because of Hot Standby Routing Protocol. At that time the branches
communicate through the secondary router. The sent packets are captured with
Wireshark; the figure is given below.

Figure 7.5: The HSRP Characteristic.

In the figure the primary router appears as the standby router. When the primary
link goes down, the standby router is automatically activated by HSRP, and it
follows the dynamic EIGRP protocol to send packets.
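The failover behaviour described here and in section 6.2.1, as an added Python model (not code from the thesis): two hub routers share a virtual gateway address, the Active one sends hellos, the Standby one takes over when hellos stop for longer than the hold time, and a higher-priority router with preempt reclaims the Active role when its link returns. Timer values are the HSRP defaults (3 s hello, 10 s hold); router names, priorities and addresses are constructed, with R1 given priority 105 and preempt as in the appendix configuration.

```python
from dataclasses import dataclass, field

HELLO_INTERVAL = 3    # HSRP default hello timer (seconds)
HOLD_TIME = 10        # HSRP default hold timer (seconds)


@dataclass
class HsrpRouter:
    name: str
    real_ip: str
    priority: int
    preempt: bool
    link_up: bool = True
    state: str = "Init"
    last_hello: int = 0      # time this router last heard the Active router


@dataclass
class HsrpGroup:
    group_id: int
    virtual_ip: str           # the 'standby 1 ip' address clients use as gateway
    routers: list
    now: int = 0
    events: list = field(default_factory=list)

    def __post_init__(self):
        # Initial election: highest priority (then highest address) becomes Active
        up = sorted((r for r in self.routers if r.link_up),
                    key=lambda r: (r.priority, r.real_ip), reverse=True)
        for i, r in enumerate(up):
            r.state = "Active" if i == 0 else "Standby"

    def active(self):
        return next((r for r in self.routers if r.state == "Active"), None)

    def gateway_owner(self):
        """Name of the router currently answering for the virtual IP, or None."""
        a = self.active()
        return a.name if a is not None and a.link_up else None

    def _promote(self, new_active, old_active, reason):
        if old_active is not None:
            old_active.state = "Standby" if old_active.link_up else "Init"
            old_active.last_hello = self.now
        new_active.state = "Active"
        new_active.last_hello = self.now
        self.events.append((self.now, new_active.name, reason))

    def link_down(self, router):
        router.link_up = False
        router.state = "Init"        # a router with no uplink leaves the group

    def link_up(self, router):
        router.link_up = True
        router.state = "Standby"     # rejoins and listens for the Active router
        router.last_hello = self.now

    def tick(self, seconds: int = 1):
        """Advance the clock one second at a time: exchange hellos, check hold timers."""
        for _ in range(seconds):
            self.now += 1
            act = self.active()
            if act is not None and self.now % HELLO_INTERVAL == 0:
                listeners = [r for r in self.routers if r is not act and r.link_up]
                for r in listeners:
                    r.last_hello = self.now        # hello received from Active
                best = max(listeners, key=lambda r: r.priority, default=None)
                if best is not None and best.preempt and best.priority > act.priority:
                    self._promote(best, act, "preempt: higher priority router returned")
                    act = best
            for r in self.routers:
                if r.link_up and r.state == "Standby" and self.now - r.last_hello > HOLD_TIME:
                    self._promote(r, act, "hold time expired: Active router silent")
                    break
        return self.gateway_owner()


def demo() -> list:
    """Constructed scenario: R1 primary (priority 105, preempt), R2 secondary;
    R1's link fails and later comes back."""
    r1 = HsrpRouter("R1", "192.0.2.1", priority=105, preempt=True)
    r2 = HsrpRouter("R2", "192.0.2.2", priority=100, preempt=True)
    group = HsrpGroup(1, "192.0.2.254", [r1, r2])
    out = [("initial", group.gateway_owner())]
    group.tick(30)                           # steady state: R1 forwards, R2 hears hellos
    group.link_down(r1)
    group.tick(HOLD_TIME)                    # hold time not yet exceeded
    out.append(("link down, hold timer running", group.gateway_owner()))
    group.tick(1)                            # one second more: R2 takes over
    out.append(("failover", group.gateway_owner()))
    group.link_up(r1)
    group.tick(HELLO_INTERVAL)               # R1 hears R2's hello and preempts
    out.append(("primary back, preempt", group.gateway_owner()))
    return out
```

The model makes the cost of the default timers visible: for up to ten seconds after the primary's link fails nobody answers for the virtual address, which is the gap the higher response times through the secondary router in Table 7.2 sit on top of. Without `preempt` on R1 the secondary would keep the Active role after the primary returned.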

Chapter 8
Conclusion
8.1 Conclusion

This thesis studies and examines the current issues of the VPN leased-line
approach and the principles of the DMVPN and HSRP systems. On this basis, to meet
the demand of growing enterprises for a secure and highly available network, it
proposes a design and implementation mechanism and validates that design and
implementation mechanism through a real application in an enterprise or corporate
organization.

This scheme gives a safe, efficient, flexible and economical way to build a secure
enterprise network. It not only solves the problems met in the course of
enterprise growth, such as the increase in branches, fast network building,
reducing the cost of construction and maintenance, and recovery from network link
failure, but also gives the enterprise valid security for sharing its resources.
It can be predicted that, as people's requirements for secure transmission of
information keep increasing, the DMVPN with HSRP technique will be applied in
broader fields and play an increasingly important role.

8.2 Future work

There are several scopes for further work on routing protocols:

 IPv4 Security Attack Analysis for Enterprise Network.

 Design of an IPv6 Enterprise Network Using the DMVPN Technique.

 IPv6 Attack and Security Analysis for Enterprise Network.

In future, we will develop a network topology model which provides faster and more
reliable data communication.

References

[1] Huaqi Chen, "Design and implementation of secure Enterprise Network based on
DMVPN," 2011 International Conference on Business Management and Electronic
Information (BMEI), Guangzhou, China, pp. 506-511, May 2011.

[2] Gebere Akele Tizazu, Ki-Hyung Kim, Abraham Belay Berhe, "Dynamic Routing
Influence On Secure Enterprises Networks Based On DMVPN," Ninth International
Conference on Ubiquitous and Future Networks (ICUFN), Milan, Italy, July 2017.

[3] Zhang Rui-xiang, Xiong Wei, Li Yong-gang, "To construct enterprise VPN
network," Intelligent Building & City Information, pp. 98-102, September 2005 (in
Chinese).

[4] Dynamic Multipoint VPN (DMVPN) Design Guide, Cisco Systems, Inc., Corporate
Headquarters, 2006, 104 p.

[5] Yusuf Bhaiji, CCIE Professional Development Series: Network Security
Technologies and Solutions. Cisco Press, March 19, 2008.

[6] Dynamic Multipoint VPN (DMVPN) Design Guide (Version 1.1). Cisco Validated
Design, July 10, 2008.

[7] Hongru Li, P.W.C. Prasad, et al., "An improvement of Backbone Network security
using DMVPN over an EZVPN structure," International Conference on Advances in
Electrical, Electronic and System Engineering, pp. 203-207, 2016.

[8] S. Jing, Z. Zheng, R. Sun, "The application research of campus network remote
access solution based on redundant architecture," in Future Communication,
Information and Computer Science, CRC Press, 2015, pp. 135-137.

[9] Ruta Jankuniene, Ieva Jankunaite, "Route creation influence on DMVPN QoS,"
Proceedings of the ITI 2009 31st Int. Conf. on Information Technology Interfaces,
Cavtat, Croatia, pp. 609-614, June 2009.

[10] LI Xiaohua, ZHAO Xiangang, XU Jian, YAO Shan, WANG Huaiwei and ZHANG Yan,
"Simulation and analysis of RIPv2 routing authentication based on GNS,"
International Conference on Automatic Control and Artificial Intelligence,
pp. 1842-1845, 2012.

[11] Xiaohua Li, Renlong Zhang, Yujie Wang, Li Yang, Juan Nie and Quanyue Yang,
"GNS-based Simulation and Analysis of OSPFv2 Neighbor Authentication," School of
Computer and Information Engineering, Beijing University of Agriculture, Beijing,
China, vol. 989-994, pp. 4603-4607, May 2014.

[12] M. Udhayamoorthi, K.S. Mohan, Dr. S. Karthik, et al., "Enhanced Designing Of
Network Using ipv6 Protocol and Enabling HSRP For Redundancy," International
Conference on Soft-Computing and Network Security (ICSNS), India, 2015.

[13] J. Luciani, D. Katz, D. Piscitello, "NBMA Next Hop Resolution Protocol
(NHRP)," IETF RFC 2332, 1998, p. 2.

Appendix

DMVPN (Dynamic Multipoint VPN) and HSRP (Hot Stand-by Routing Protocol)
Configuration:

For Router R1 (primary hub):

R1#conf t
R1(config)#interface Serial1/0
R1(config-if)#ip address 101.1.1.100 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#interface FastEthernet0/0
R1(config-if)#ip address 192.168.100.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
! IKE phase 1 policy and the wildcard pre-shared key every peer must present
R1(config)#crypto isakmp policy 1
R1(config-isakmp)#encryption aes 192
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#hash md5
R1(config-isakmp)#group 2
R1(config-isakmp)#exit
R1(config)#crypto isakmp key towhid address 0.0.0.0 0.0.0.0
! Phase 2 transform-set; "esp-des 256 esp-mh5-hmac" in the original listing is not
! valid IOS syntax, esp-aes 256 with esp-md5-hmac is the nearest valid reading of it.
! Transport mode belongs to the transform-set, not to the profile.
R1(config)#crypto ipsec transform-set towhid esp-aes 256 esp-md5-hmac
R1(cfg-crypto-trans)#mode transport
R1(cfg-crypto-trans)#exit
R1(config)#crypto ipsec profile towhid
R1(ipsec-profile)#set security-association lifetime seconds 120
R1(ipsec-profile)#set transform-set towhid
R1(ipsec-profile)#exit
! mGRE tunnel: the hub learns the spokes' NBMA addresses dynamically through NHRP
R1(config)#interface Tunnel0
R1(config-if)#ip address 192.168.1.1 255.255.255.0
R1(config-if)#no ip redirects
R1(config-if)#ip mtu 1400
R1(config-if)#no ip next-hop-self eigrp 100
R1(config-if)#no ip split-horizon eigrp 100
R1(config-if)#ip nhrp authentication towhid
R1(config-if)#ip nhrp map multicast dynamic
R1(config-if)#ip nhrp network-id 1
R1(config-if)#tunnel source Serial1/0
R1(config-if)#tunnel mode gre multipoint
R1(config-if)#tunnel key 1
R1(config-if)#tunnel protection ipsec profile towhid
! HSRP on the LAN side: priority 105 beats R2's default 100, preempt reclaims the role
R1(config-if)#interface FastEthernet0/0
R1(config-if)#standby 1 ip 192.168.100.254
R1(config-if)#standby 1 priority 105
R1(config-if)#standby 1 preempt
R1(config-if)#exit
R1(config)#router eigrp 100
R1(config-router)#network 101.1.1.100 0.0.0.255
R1(config-router)#network 192.168.1.1 0.0.0.255
R1(config-router)#no auto-summary
R1(config-router)#end
R1#sh run

Building configuration...

[OK]


For Router R2 (secondary hub):

R2#conf t
R2(config)#interface Serial1/0
R2(config-if)#ip address 102.1.1.100 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#interface FastEthernet0/0
R2(config-if)#ip address 192.168.100.2 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#crypto isakmp policy 1
R2(config-isakmp)#encryption aes 192
R2(config-isakmp)#authentication pre-share
R2(config-isakmp)#hash md5
R2(config-isakmp)#group 2
R2(config-isakmp)#exit
R2(config)#crypto isakmp key towhid address 0.0.0.0 0.0.0.0
! Same transform-set correction as on R1 (valid IOS keywords, transport mode on the set)
R2(config)#crypto ipsec transform-set towhid esp-aes 256 esp-md5-hmac
R2(cfg-crypto-trans)#mode transport
R2(cfg-crypto-trans)#exit
R2(config)#crypto ipsec profile towhid
R2(ipsec-profile)#set security-association lifetime seconds 120
R2(ipsec-profile)#set transform-set towhid
R2(ipsec-profile)#exit
! Second DMVPN cloud (network-id 2, tunnel key 2) so spokes keep a tunnel to each hub
R2(config)#interface Tunnel1
R2(config-if)#ip address 192.168.2.1 255.255.255.0
R2(config-if)#no ip redirects
R2(config-if)#ip mtu 1400
R2(config-if)#no ip next-hop-self eigrp 100
R2(config-if)#no ip split-horizon eigrp 100
R2(config-if)#ip nhrp authentication towhid
R2(config-if)#ip nhrp map multicast dynamic
R2(config-if)#ip nhrp network-id 2
R2(config-if)#tunnel source Serial1/0
R2(config-if)#tunnel mode gre multipoint
R2(config-if)#tunnel key 2
R2(config-if)#tunnel protection ipsec profile towhid
! HSRP: no priority command, so the default 100 keeps R2 in standby while R1 is up
R2(config-if)#interface FastEthernet0/0
R2(config-if)#standby 1 ip 192.168.100.254
R2(config-if)#standby 1 preempt
R2(config-if)#exit
R2(config)#router eigrp 100
R2(config-router)#network 102.1.1.100 0.0.0.255
R2(config-router)#network 192.168.2.1 0.0.0.255
R2(config-router)#no auto-summary
R2(config-router)#end
R2#sh run

Building configuration...

[OK]


For Router R4 (spoke, branch router):

R4#conf t
R4(config)#interface Serial1/0
R4(config-if)#ip address 104.1.1.100 255.255.255.0
R4(config-if)#no shutdown
R4(config-if)#exit
R4(config)#crypto isakmp policy 1
R4(config-isakmp)#encryption aes 192
R4(config-isakmp)#authentication pre-share
R4(config-isakmp)#hash md5
R4(config-isakmp)#group 2
R4(config-isakmp)#exit
R4(config)#crypto isakmp key towhid address 0.0.0.0 0.0.0.0
! Same transform-set correction as on the hubs (valid IOS keywords, transport mode on the set)
R4(config)#crypto ipsec transform-set towhid esp-aes 256 esp-md5-hmac
R4(cfg-crypto-trans)#mode transport
R4(cfg-crypto-trans)#exit
R4(config)#crypto ipsec profile towhid
R4(ipsec-profile)#set security-association lifetime seconds 120
R4(ipsec-profile)#set transform-set towhid
R4(ipsec-profile)#exit
! Tunnel0 reaches the primary hub R1, Tunnel1 the secondary hub R2. Both tunnels use
! Serial1/0 as source (the original listing names s0/0, which has no address here), so
! the IPsec profile must be attached with "shared"; "pre-shared" is not a valid keyword.
R4(config)#interface Tunnel0
R4(config-if)#ip address 192.168.1.2 255.255.255.0
R4(config-if)#no ip redirects
R4(config-if)#ip mtu 1400
R4(config-if)#ip nhrp authentication towhid
R4(config-if)#ip nhrp map 192.168.1.1 101.1.1.100
R4(config-if)#ip nhrp map multicast 101.1.1.100
R4(config-if)#ip nhrp network-id 1
R4(config-if)#ip nhrp nhs 192.168.1.1
R4(config-if)#tunnel source Serial1/0
R4(config-if)#tunnel mode gre multipoint
R4(config-if)#tunnel key 1
R4(config-if)#tunnel protection ipsec profile towhid shared
R4(config-if)#interface Tunnel1
R4(config-if)#ip address 192.168.2.2 255.255.255.0
R4(config-if)#no ip redirects
R4(config-if)#ip mtu 1400
R4(config-if)#ip nhrp authentication towhid
R4(config-if)#ip nhrp map 192.168.2.1 102.1.1.100
R4(config-if)#ip nhrp map multicast 102.1.1.100
R4(config-if)#ip nhrp network-id 2
R4(config-if)#ip nhrp nhs 192.168.2.1
R4(config-if)#tunnel source Serial1/0
R4(config-if)#tunnel mode gre multipoint
R4(config-if)#tunnel key 2
R4(config-if)#tunnel protection ipsec profile towhid shared
R4(config-if)#exit
! The original listing repeats 192.168.1.0 twice; the second tunnel subnet is 192.168.2.0
R4(config)#router eigrp 100
R4(config-router)#network 104.1.1.100 0.0.0.255
R4(config-router)#network 192.168.1.0 0.0.0.255
R4(config-router)#network 192.168.2.0 0.0.0.255
R4(config-router)#no auto-summary
R4(config-router)#end
R4#sh run

Building configuration...

[OK]


For Router R5 (spoke, branch router):

R5#conf t
R5(config)#interface Serial1/0
R5(config-if)#ip address 105.1.1.100 255.255.255.0
R5(config-if)#no shutdown
R5(config-if)#exit
R5(config)#crypto isakmp policy 1
R5(config-isakmp)#encryption aes 192
R5(config-isakmp)#authentication pre-share
R5(config-isakmp)#hash md5
R5(config-isakmp)#group 2
R5(config-isakmp)#exit
R5(config)#crypto isakmp key towhid address 0.0.0.0 0.0.0.0
! Same transform-set correction as on the other routers
R5(config)#crypto ipsec transform-set towhid esp-aes 256 esp-md5-hmac
R5(cfg-crypto-trans)#mode transport
R5(cfg-crypto-trans)#exit
R5(config)#crypto ipsec profile towhid
R5(ipsec-profile)#set security-association lifetime seconds 120
R5(ipsec-profile)#set transform-set towhid
R5(ipsec-profile)#exit
! Same corrections as on R4: tunnel source Serial1/0, "gre multipoint", "shared" profile.
! Note: the original listing gives R5 the same tunnel addresses as R4 (192.168.1.2 and
! 192.168.2.2); each spoke needs its own distinct address in each tunnel subnet.
R5(config)#interface Tunnel0
R5(config-if)#ip address 192.168.1.2 255.255.255.0
R5(config-if)#no ip redirects
R5(config-if)#ip mtu 1400
R5(config-if)#ip nhrp authentication towhid
R5(config-if)#ip nhrp map 192.168.1.1 101.1.1.100
R5(config-if)#ip nhrp map multicast 101.1.1.100
R5(config-if)#ip nhrp network-id 1
R5(config-if)#ip nhrp nhs 192.168.1.1
R5(config-if)#tunnel source Serial1/0
R5(config-if)#tunnel mode gre multipoint
R5(config-if)#tunnel key 1
R5(config-if)#tunnel protection ipsec profile towhid shared
R5(config-if)#interface Tunnel1
R5(config-if)#ip address 192.168.2.2 255.255.255.0
R5(config-if)#no ip redirects
R5(config-if)#ip mtu 1400
R5(config-if)#ip nhrp authentication towhid
R5(config-if)#ip nhrp map 192.168.2.1 102.1.1.100
R5(config-if)#ip nhrp map multicast 102.1.1.100
R5(config-if)#ip nhrp network-id 2
R5(config-if)#ip nhrp nhs 192.168.2.1
R5(config-if)#tunnel source Serial1/0
R5(config-if)#tunnel mode gre multipoint
R5(config-if)#tunnel key 2
R5(config-if)#tunnel protection ipsec profile towhid shared
R5(config-if)#exit
R5(config)#router eigrp 100
R5(config-router)#network 105.1.1.100 0.0.0.255
R5(config-router)#network 192.168.1.0 0.0.0.255
R5(config-router)#network 192.168.2.0 0.0.0.255
R5(config-router)#no auto-summary
R5(config-router)#end
R5#sh run

Building configuration...

[OK]
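A consistency check over hub and spoke configurations of the kind listed in this appendix, as an added Python example (not code from the thesis). It parses the few IOS commands DMVPN depends on and reports the mismatches that silently break a tunnel: a spoke whose `ip nhrp map` does not point at the hub's tunnel address and the public address of the hub's `tunnel source`, a `tunnel key` or `ip nhrp network-id` that differs between the ends, two spokes sharing one tunnel address (as R4 and R5 do in the original listing), and transform-sets that still use DES, 3DES or MD5. The configuration text is constructed inline following the appendix pattern with documentation addresses; the parser covers only these commands, nothing else in IOS.

```python
import re

WEAK = {"esp-des", "esp-3des", "esp-md5-hmac"}   # transforms worth flagging

def norm(name):
    """Normalise interface spellings ('Serial1/0', 's1/0', 'Tunnel 0', 'tunnel0')."""
    n = name.lower().replace(" ", "")
    for long, short in (("serial", "s"), ("fastethernet", "f"), ("tunnel", "tu")):
        if n.startswith(long):
            n = short + n[len(long):]
    return n

def parse_ios(text):
    """Minimal IOS parser: interface blocks (lowercased lines) and transform-sets."""
    cfg, block = {"interfaces": {}, "transform_sets": {}}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if re.match(r"interface\s+\S", line, re.I):
            block = cfg["interfaces"].setdefault(norm(line.split(None, 1)[1]), [])
            continue
        m = re.match(r"crypto ipsec transform-set\s+(\S+)\s+(.+)$", line, re.I)
        if m:
            cfg["transform_sets"][m.group(1)] = m.group(2).lower().split()
        if re.match(r"(crypto|router)\b", line, re.I):
            block = None                      # these commands leave interface mode
        elif block is not None:
            block.append(line.lower())
    return cfg

def args(block, prefix):
    return [l[len(prefix):].split() for l in block if l.startswith(prefix)]

def first(block, prefix):
    found = args(block, prefix)
    return found[0] if found else None

def check_dmvpn(hub_text, spokes):
    """Compare one hub config with spoke configs; return human-readable findings."""
    findings, hub = [], parse_ios(hub_text)
    spoke_cfgs = {s: parse_ios(t) for s, t in spokes.items()}
    for name, cfg in [("hub", hub), *spoke_cfgs.items()]:
        for ts, algs in cfg["transform_sets"].items():
            for weak in sorted(WEAK & set(algs)):
                findings.append(f"{name}: transform-set {ts} uses weak {weak}")
    for tname, tb in hub["interfaces"].items():
        if not tname.startswith("tu"):
            continue
        hub_ip = first(tb, "ip address")[0]
        src = hub["interfaces"].get(norm(first(tb, "tunnel source")[-1]), [])
        nbma = first(src, "ip address")[0]    # public address spokes must map the hub to
        expect = {"ip nhrp network-id": first(tb, "ip nhrp network-id"),
                  "tunnel key": first(tb, "tunnel key")}
        used = {}
        for sname, scfg in spoke_cfgs.items():
            for st, sb in scfg["interfaces"].items():
                if first(sb, "ip nhrp nhs") != [hub_ip]:
                    continue                      # not a tunnel toward this hub
                where = f"{sname} {st}"
                maps = [a for a in args(sb, "ip nhrp map") if a[0] != "multicast"]
                if [hub_ip, nbma] not in maps:
                    findings.append(f"{where}: missing 'ip nhrp map {hub_ip} {nbma}'")
                for cmd, want in expect.items():
                    if first(sb, cmd) != want:
                        findings.append(f"{where}: '{cmd}' differs from hub {tname}")
                sip = first(sb, "ip address")[0]
                if sip in used:
                    findings.append(f"{where}: tunnel address {sip} also used by {used[sip]}")
                used.setdefault(sip, where)
    return findings

# Constructed sample configs following the appendix pattern (documentation addresses)
HUB = """
interface Serial1/0
 ip address 203.0.113.1 255.255.255.0
interface Tunnel0
 ip address 192.168.1.1 255.255.255.0
 ip nhrp network-id 1
 tunnel source Serial1/0
 tunnel key 1
crypto ipsec transform-set towhid esp-aes 256 esp-sha-hmac
"""
SPOKE_R4 = """
interface Tunnel0
 ip address 192.168.1.2 255.255.255.0
 ip nhrp map 192.168.1.1 203.0.113.1
 ip nhrp network-id 1
 ip nhrp nhs 192.168.1.1
 tunnel key 1
crypto ipsec transform-set towhid esp-aes 256 esp-sha-hmac
"""
# R5 is deliberately wrong: network-id mismatch, same tunnel address as R4, weak transforms
SPOKE_R5 = (SPOKE_R4.replace("network-id 1", "network-id 2")
            .replace("esp-aes 256 esp-sha-hmac", "esp-3des esp-md5-hmac"))

def demo():
    return check_dmvpn(HUB, {"R4": SPOKE_R4, "R5": SPOKE_R5})
```

Run against `show running-config` output saved from each router, the check is a quick way to confirm, before looking at Wireshark, that every spoke really terminates on the hub it is meant to and that no two branches collide on the tunnel subnet.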
