This lab simulates a real-world deployment of DMVPN Phase 3 (Dynamic Multipoint VPN) using a fictional scenario involving the Moroccan transportation company ONCF. The goal is to provide hands-on experience with configuring a scalable and secure WAN solution over the Internet, utilizing technologies such as GRE, NHRP, IPSec, and OSPF.
Disclaimer: The ONCF company is used strictly as an example in this educational context. This lab has no affiliation with ONCF and does not reflect any real infrastructure or implementation by the organization.
This lab is intended for networking students or anyone interested in learning how DMVPN Phase 3 works in a multi-branch topology using a central hub and spoke routers. The configuration is tested in EVE-NG and includes full tunnel, IPSec encryption, and OSPF dynamic routing.
Author: _abderrafik (th3poet)
Date: April 2025
You have been hired by ONCF, the Moroccan metro company operating in several major cities. The organization aims to implement a secure, scalable WAN over the Internet using DMVPN Phase 3, allowing secure communication between branches while maintaining centralized control from the headquarters.
Your Mission: You are tasked with configuring and setting up DMVPN Phase 3 using the following requirements:
Hub (Headquarters): Casablanca (CASA)
Spokes (Branches): Tangier, Fes, Marrakech, Rabat
Transport: Internet (via ISP)
    Site        WAN IP         Tunnel IP     LAN Network
    --------------------------------------------------
    CASA        11.0.0.2/30    172.16.0.1    192.168.1.0/24
    TANGER      12.0.0.2/30    172.16.0.2    192.168.2.0/24
    FES         13.0.0.2/30    172.16.0.3    192.168.3.0/24
    MARRAKECH   14.0.0.2/30    172.16.0.4    192.168.4.0/24
    RABAT       15.0.0.2/30    172.16.0.5    192.168.5.0/24

- Download Lab Files
Clone the repository:

    ~$ git clone https://github.com/0xth3poet/DMVPN-IPsec-Setup.git

Or download manually: https://github.com/0xth3poet/DMVPN-IPsec-Setup/blob/main/_Exports_unetlab_export-20250430-212957.zip

We are using a default route with the ISP router (already configured in the lab)
    CASA_HUB(config)#ip route 0.0.0.0 0.0.0.0 fa0/0
    SPOKE_TANGER(config)#ip route 0.0.0.0 0.0.0.0 fa0/1
    SPOKE_FES(config)#ip route 0.0.0.0 0.0.0.0 fa0/0
    SPOKE_MARRAKECH(config)#ip route 0.0.0.0 0.0.0.0 fa0/0
    SPOKE_RABAT(config)#ip route 0.0.0.0 0.0.0.0 fa0/0

HUB Configuration (R-CASA)
    interface Tunnel0
     ip address 172.16.0.1 255.255.255.0
     tunnel source fa0/0
     tunnel mode gre multipoint
     ip nhrp network-id 123
     ip nhrp authentication pass123
     ip nhrp map multicast dynamic
     ip ospf network point-to-multipoint
     ip nhrp redirect

Spoke Configuration (R-TANGER)
    interface tunnel0
     ip address 172.16.0.2 255.255.255.0
     tunnel source fa0/1
     tunnel mode gre multipoint
     ip nhrp network-id 123
     ip nhrp map 172.16.0.1 11.0.0.2
     ip nhrp nhs 172.16.0.1
     ip nhrp authentication pass123
     ip nhrp map multicast 11.0.0.2
     ip ospf network point-to-multipoint
     ip nhrp shortcut

Spoke Configuration (R-FES)
    interface tunnel0
     ip address 172.16.0.3 255.255.255.0
     tunnel source fa0/0
     tunnel mode gre multipoint
     ip nhrp network-id 123
     ip nhrp map 172.16.0.1 11.0.0.2
     ip nhrp nhs 172.16.0.1
     ip nhrp authentication pass123
     ip nhrp map multicast 11.0.0.2
     ip ospf network point-to-multipoint
     ip nhrp shortcut

Spoke Configuration (R-MARRAKECH)
    interface tunnel0
     ip address 172.16.0.4 255.255.255.0
     tunnel source fa0/0
     tunnel mode gre multipoint
     ip nhrp network-id 123
     ip nhrp map 172.16.0.1 11.0.0.2
     ip nhrp nhs 172.16.0.1
     ip nhrp authentication pass123
     ip nhrp map multicast 11.0.0.2
     ip ospf network point-to-multipoint
     ip nhrp shortcut

Spoke Configuration (R-RABAT)
    interface tunnel0
     ip address 172.16.0.5 255.255.255.0
     tunnel source fa0/0
     tunnel mode gre multipoint
     ip nhrp network-id 123
     ip nhrp map 172.16.0.1 11.0.0.2
     ip nhrp nhs 172.16.0.1
     ip nhrp authentication pass123
     ip nhrp map multicast 11.0.0.2
     ip ospf network point-to-multipoint
     ip nhrp shortcut

    show dmvpn

NOTE: Apply this IPsec configuration on all routers except the ISP router.
    crypto isakmp policy 10
     authentication pre-share
     encryption aes 256
     hash sha
     group 5
     exit
    crypto isakmp key cisco123 address 0.0.0.0
    crypto ipsec transform-set dmvpn esp-3des esp-sha-hmac
     mode tunnel
     exit
    crypto ipsec profile prof-dmvpn
     set transform-set dmvpn
    interface tunnel0
     tunnel protection ipsec profile prof-dmvpn

    show crypto ipsec sa
    show crypto ipsec profile

HUB Configuration (R-CASA)
    router ospf 1
     network 172.16.0.0 0.0.0.255 area 0
     network 192.168.1.0 0.0.0.255 area 0

SPOKE Configuration (R-TANGER)
    router ospf 1
     network 172.16.0.0 0.0.0.255 area 0
     network 192.168.2.0 0.0.0.255 area 0

SPOKE Configuration (R-FES)
    router ospf 1
     network 172.16.0.0 0.0.0.255 area 0
     network 192.168.3.0 0.0.0.255 area 0

SPOKE Configuration (R-MARRAKECH)
    router ospf 1
     network 172.16.0.0 0.0.0.255 area 0
     network 192.168.4.0 0.0.0.255 area 0

SPOKE Configuration (R-RABAT)
    router ospf 1
     network 172.16.0.0 0.0.0.255 area 0
     network 192.168.5.0 0.0.0.255 area 0

From FES, ping RABAT LAN:

    SPOKE_FES(config)#do ping 192.168.5.1

From RABAT, ping TANGER LAN:

    SPOKE_RABAT(config)#do ping 192.168.2.1

Use Wireshark to analyze tunnel traffic, IPSec encryption, and dynamic spoke-to-spoke communication.
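
The IPsec section above pairs an AES-256 ISAKMP policy with a 3DES transform set, SHA-1 hashing and DH group 5, so the data path is protected by weaker algorithms than the key exchange. The following is an added example, not part of the original lab files, that keeps the lab's policy, transform-set and profile names and raises those parameters. It assumes an IOS image that supports `hash sha256`, `group 14` and `esp-sha256-hmac`; the pre-shared key shown is a placeholder.

```cisco
! Added example (not from the lab repository).
!
! As configured in the lab, for comparison:
!   crypto isakmp policy 10
!    encryption aes 256
!    hash sha                  <- SHA-1 for IKE integrity
!    group 5                   <- 1536-bit MODP Diffie-Hellman group
!   crypto isakmp key cisco123 address 0.0.0.0
!                              <- short, guessable key accepted from any peer
!   crypto ipsec transform-set dmvpn esp-3des esp-sha-hmac
!                              <- 3DES + HMAC-SHA-1 on the data path
!
! Stronger parameters, same object names so the profile and the
! "tunnel protection" line from the lab do not change:
crypto isakmp policy 10
 authentication pre-share
 encryption aes 256
 hash sha256
 group 14
 exit
!
! Placeholder key: substitute a long random secret. The wildcard address
! is kept because the lab's spokes build tunnels to each other dynamically,
! so every router must accept the key from every other router.
crypto isakmp key REPLACE_WITH_LONG_RANDOM_PSK address 0.0.0.0
!
! Redefining the transform set under the same name replaces 3DES/SHA-1
! with AES-256/HMAC-SHA-256 for ESP.
crypto ipsec transform-set dmvpn esp-aes 256 esp-sha256-hmac
 mode tunnel
 exit
!
crypto ipsec profile prof-dmvpn
 set transform-set dmvpn
 exit
!
interface tunnel0
 tunnel protection ipsec profile prof-dmvpn
!
! Verification, using the commands already shown in the lab plus
! the ISAKMP policy listing:
!   show crypto isakmp policy
!   show crypto ipsec sa
```

Apply the same policy and transform set on the hub and on every spoke: a router left on the old transform set will fail to negotiate IPsec SAs with the others, which `show crypto ipsec sa` will reveal.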


