FlexVPN Spoke to Spoke/DMVPN

FlexVPN can be setup with NHRP to run a DMVPN type setup.
Spokes will communicate directly with each other via NHRP resolution.
- NHRP Registration does not exist with FlexVPN.

Topology used is below:

Right now it’s a normal hub and spoke topology with FlexVPN. All router loopbacks are being advertised over IKEV2. R1 has a virtual template setup.

To enable spoke to spoke communication, we’ll need to enable NHRP under the Virtual-Template interface. This cannot be completed however if there’s an active VPN tunnel running over the interface. Removing the SA requires shutting down the interface R1 is connected to. The SA does not completely leave the box for a few minutes after.

Under the Virtual-Template interface on our hub we’ll add the two NHRP commands with a network-id of 1. Then on the spokes a dynamic VTI is required for spoke to spoke communication. This will require a Virtual-Template as well using ip unnumbered Tunnel #.

In addition the NHRP commands need to be added to the existing static VTI.

When spoke to spoke communication is needed, both spoke routers will need to authenticate with each other. That will require using the existing keyring.

All of the above will need to be configured for additional spokes. The same has been applied to R3, but with peer IPs that work.

List

The following was configured:
- NHRP Redirect and network-id under Hub Virtual-Template
- A Virtual-Template Interface on each spoke with the following:
  - IP Unnumbered
  - NHRP ID and shortcut <‘virtual-template #’>
  - Tunnel source
  - IPSEC profile
- New Peer under Keyring
- NHRP Network ID and Shortcut under Tunnel 0

Now when looking at the route table of our hub, we’ll see the following static routes associated with Virtual-Access interfaces.

On the spokes we’ll see initially only static routes for the hub loopback. If we run a ping from spoke to spoke though, we’ll see that R2 will receive override routes once the NHRP redirect process has completed.