DMVPN: Dynamic Multipoint Virtual Private Network (DMVPN)[1] is a dynamic tunneling form of a virtual private network (VPN) supported on Cisco IOS-based routers based on the standard protocols, GRE, NHRP and IPsec. DMVPN provides the capability for creating a dynamic-mesh VPN network without having to pre-configure (static) all possible tunnel end-point peers, including IPsec (Internet Protocol Security) and ISAKMP (Internet Security Association and Key Management Protocol) peers. DMVPN is initially configured to build out a hub-and-spoke network by statically configuring the hubs (VPN headends) on the spokes, no change in the configuration on the hub is required to accept new spokes. Using this initial hub-and-spoke network, tunnels between spokes can be dynamically built on demand (dynamic-mesh) without additional configuration on the hubs or spokes. This dynamic-mesh capability alleviates the need for and load on the hub to route data between the spoke networks.
DMVPN is a combination of the following technologies:
- Multipoint GRE (mGRE)
- Next-Hop Resolution Protocol (NHRP)
- Dynamic Routing Protocol (EIGRP, RIP, OSPF, BGP)
- Dynamic IPsec encryption
- Cisco Express Forwarding (CEF)

Regards
Sheraz

> CC: [email protected]; [email protected]; [email protected]; [email protected]
> From: [email protected]
> Subject: Re: [OSL | CCIE_RS] [OSL | CCIE_Security] vpn types
> Date: Tue, 30 Oct 2012 08:29:54 +0800
> To: [email protected]
>
> Dmvpn?
>
> Regards,
> Alexander Lim
>
> On 30 Oct, 2012, at 5:55 AM, Sheraz Sheraz <[email protected]> wrote:
>
> > IPSEC VPN, GRE, SSL and Webvpn:
> >
> > IPSEC VPN site to site tunnel:
> >
> > IPSEC VPN can encrypt your traffic to move via the internet cloud as a hidden payload, to secure enterprise and confidential data so that hackers don't harm your privacy.
> > Both units that agree to establish IPSEC tunnels have to be identical in terms of configuration. There are two phases: one is main mode and the second is aggressive mode.
> >
> > Main Mode
> > Main mode has three two-way exchanges between the initiator and receiver.
> > First exchange: the algorithms and hashes used to secure the IKE communications are agreed upon in matching IKE SAs in each peer.
> > Second exchange: this exchange uses a Diffie-Hellman exchange to generate shared secret keying material used to generate shared secret keys, and to pass nonces, which are random numbers sent to the other party, signed, and returned to prove their identity.
> > Third exchange: this exchange verifies the other side's identity. The identity value is the IPSec peer's IP address in encrypted form. The main outcome of main mode is matching IKE SAs between peers to provide a protected pipe for subsequent protected ISAKMP exchanges between the IKE peers.
> > The IKE SA specifies values for the IKE exchange: the authentication method used, the encryption and hash algorithms, the Diffie-Hellman group used, the lifetime of the IKE SA in seconds or kilobytes, and the shared secret key values for the encryption algorithms. The IKE SA in each peer is bidirectional.
> >
> > Main mode, which is Phase-I:
> > DH Group:
> > Authentication type:
> > Encryption type:
> > Hashing type:
> >
> > Aggressive Mode
> > In aggressive mode, fewer exchanges are done and with fewer packets. In the first exchange, almost everything is squeezed into the proposed IKE SA values: the Diffie-Hellman public key, a nonce that the other party signs, and an identity packet, which can be used to verify the initiator's identity through a third party. The receiver sends everything back that is needed to complete the exchange. The only thing left is for the initiator to confirm the exchange. The weakness of using aggressive mode is that both sides have exchanged information before there is a secure channel. Therefore, it is possible to sniff the wire and discover who formed the new SA. However, aggressive mode is faster.
> >
> > Aggressive mode (Phase-II):
> > Encryption
> > Payload encryption
> > Hashing
> > Identity information
> > Lifetime
> > PFS group
> > Mode: Tunnel or transport
> >
> > Link: https://learningnetwork.cisco.com/docs/DOC-8696
> >
> > Remote IPSEC VPN:
> > The same concepts and features are used for remote IPSEC VPN, but the remote user has to use a VPN client such as Cisco VPN Client.
> >
> > GRE Tunnel:
> > Because IPSEC can't support dynamic routing, one has to use GRE to carry the dynamic routing information. It is only required when you have to use OSPF, RIP, EIGRP or BGP between two sites. It is called IPSEC over GRE tunnel.
> >
> > IPSEC with GRE: https://learningnetwork.cisco.com/docs/DOC-2457
> >
> > SSL VPN:
> > It has to be clientless; like remote IPSEC VPN, this type doesn't need any client software to be used. The only thing required is an internet browser that natively supports Secure Socket Layer (SSL) encryption, or they can make connections using a full client (such as AnyConnect).
> >
> > SSL VPN:
> > http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/4.1/user/guide/ravpnbas.html
> >
> > Webvpn:
> > WebVPN
> > http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/webvpn.html
> > http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00806ea271.shtml
> >
> > Difference between SSL and Web VPN:
> > Clientless SSL VPN (WebVPN). In my words, SSL VPN is actually WebVPN, meaning both are the same, because both use a browser and SSL/TLS security.
> >
> > Both are the same: https://supportforums.cisco.com/docs/DOC-2213
> >
> > https://supportforums.cisco.com/thread/242849
> > http://www.networkworld.com/community/node/17677
> >
> > Regards
> > Sheraz Latif
> >
> > _______________________________________________
> > For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
> >
> > Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
> >
> > http://onlinestudylist.com/mailman/listinfo/ccie_rs
