CCNP VPN Practice Lab

A focused lab for practising DMVPN with EIGRP, IPsec site-to-site with IKEv1, and IPsec site-to-site with IKEv2. Each technology is on its own dedicated routers so configs can't cross-contaminate.

Loading the lab

In the CML web UI:

1. Dashboard → Import Lab (top-right) → Upload File.
2. Select CCNP-VPN.yaml.
3. Open the imported lab and hit Start.
4. Wait a few minutes for IOSv cold boot. Default creds are admin / cisco.

Topology

                         +------------------+
                         |   INTERNET (sw)  |
                         |   100.0.0.0/24   |
                         +---+----+---+----++
                             |    |   |    |
              +--------------+    |   |    +--------------+
              |          +--------+   +--------+          |
              |          |                     |          |
       +------+------+   |                     |   +------+------+
       |  IKEV1-A    |   |                     |   |  IKEV2-A    |
       |  .20        |   |                     |   |  .30        |
       +------+------+   |                     |   +------+------+
              |          |                     |          |
       +------+------+   |                     |   +------+------+
       |  IKEV1-B    |   |                     |   |  IKEV2-B    |
       |  .21        |   |                     |   |  .31        |
       +-------------+   |                     |   +-------------+
                         |                     |
                  +------+------+      +------+------+
                  |    HUB      |      |             |
                  |    .10      |      |   (DMVPN    |
                  +------+------+      |    cloud)   |
                         |             |             |
              +----------+----------+  +-------------+
              |                     |
       +------+------+      +------+------+
       |   SPOKE1    |      |   SPOKE2    |
       |   .11       |      |   .12       |
       +-------------+      +-------------+

All routers connect to a single L2 segment (the INTERNET unmanaged switch) and live in 100.0.0.0/24. That's the simulated public network. Each router also has a Loopback10 representing the LAN behind it.

Addressing

DMVPN tunnel network (you'll create): 172.16.0.0/24

• HUB tunnel0 = 172.16.0.1
• SPOKE1 tunnel0 = 172.16.0.2
• SPOKE2 tunnel0 = 172.16.0.3

What's already done for you

The lab YAML's bootstrap config sets:

• Hostnames, no ip domain lookup
• username admin privilege 15 secret cisco and enable secret cisco
• SSH (RSA keys generated, vty transport input ssh)
• GigabitEthernet0/0 with the public IP from the table above
• Loopback10 with the LAN IP from the table above

That's it. Everything else is yours.

Sanity check before doing anything: every router should be able to ping every other router's public IP — they're all on the same L2 segment. If that doesn't work, the underlay is broken and nothing else will come up.

HUB# ping 100.0.0.11   ! should hit SPOKE1
HUB# ping 100.0.0.20   ! should hit IKEV1-A

Section A — DMVPN with EIGRP

Routers: HUB, SPOKE1, SPOKE2

Goals

• Build a Phase 3 DMVPN cloud (mGRE + NHRP) on 172.16.0.0/24.
• Run EIGRP AS 100 over the tunnel so spoke LANs are advertised.
• Verify spoke-to-spoke traffic goes direct (not via the hub) once shortcuts kick in.

Tasks

1. On HUB — build the mGRE tunnel and NHRP server.

• interface Tunnel0
• ip address 172.16.0.1 255.255.255.0
• tunnel source GigabitEthernet0/0
• tunnel mode gre multipoint
• tunnel key 100
• ip nhrp network-id 100
• ip nhrp map multicast dynamic
• ip nhrp redirect (Phase 3)
• Disable EIGRP split horizon and next-hop-self on the tunnel:
  • no ip split-horizon eigrp 100
  • no ip next-hop-self eigrp 100

2. On SPOKE1 and SPOKE2 — build mGRE and register with the hub.

• interface Tunnel0
• ip address 172.16.0.X 255.255.255.0
• tunnel source GigabitEthernet0/0
• tunnel mode gre multipoint
• tunnel key 100
• ip nhrp network-id 100
• ip nhrp nhs 172.16.0.1
• ip nhrp map 172.16.0.1 100.0.0.10
• ip nhrp map multicast 100.0.0.10
• ip nhrp shortcut (Phase 3)

3. EIGRP on all three (HUB, SPOKE1, SPOKE2).

• router eigrp 100
• network 172.16.0.0 0.0.0.255
• network 10.0.0.0 (or be specific with the loopbacks)

Verification

show dmvpn detail
show ip nhrp
show ip eigrp neighbors
show ip route eigrp

From SPOKE1, ping 10.30.30.1 (SPOKE2's LAN). First packet should go via the hub; once NHRP shortcuts kick in (after the redirect), the spoke-to-spoke tunnel should appear in show dmvpn.

Gotchas

• Forgetting no ip split-horizon eigrp 100 on the hub — spokes won't learn each other's routes.
• Forgetting no ip next-hop-self eigrp 100 on the hub — the next hop gets rewritten and Phase 3 shortcuts don't work properly.
• Mismatched tunnel key or network-id — silent failure.

Section B — IPsec site-to-site with IKEv1

Routers: IKEV1-A, IKEV1-B

Goals

• Bring up an IKEv1 (ISAKMP) site-to-site IPsec tunnel using a pre-shared key.
• Encrypt traffic between the two LAN loopbacks.

Tasks (mirror these on both sides — flip the peer IP and ACL)

1. Phase 1 — ISAKMP policy and PSK.

crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
!
crypto isakmp key MySecretKey123 address <peer-public-ip>

2. Phase 2 — transform set and ACL for interesting traffic.

crypto ipsec transform-set TS-IKEV1 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
ip access-list extended VPN-ACL
 permit ip <local-lan> <wildcard> <remote-lan> <wildcard>

On IKEV1-A: local 10.100.100.0/24, remote 10.110.110.0/24. On IKEV1-B: flip them.

3. Crypto map and apply to the WAN.

crypto map CMAP-IKEV1 10 ipsec-isakmp
 set peer <peer-public-ip>
 set transform-set TS-IKEV1
 match address VPN-ACL
!
interface GigabitEthernet0/0
 crypto map CMAP-IKEV1

Triggering the tunnel

The tunnel is on-demand — it only comes up when interesting traffic hits the crypto map. Sourced ping from the loopback:

IKEV1-A# ping 10.110.110.1 source Loopback10

Verification

show crypto isakmp sa          ! should show QM_IDLE
show crypto ipsec sa           ! pkts encaps / decaps incrementing
show crypto session detail
debug crypto isakmp            ! if something doesn't come up
debug crypto ipsec

Gotchas

• ACLs must be exact mirrors. If A says 10.100/24 -> 10.110/24 then B must say 10.110/24 -> 10.100/24. Asymmetry = phase 2 fails.
• source Loopback10 on the ping — without it, the source IP is the G0/0 public address and won't match the ACL.
• The crypto map only takes effect when applied to the egress interface. Forgetting that step is the most common "why doesn't it work" cause.

Section C — IPsec site-to-site with IKEv2

Routers: IKEV2-A, IKEV2-B

Goals

• Same outcome as section B but using IKEv2 — cleaner, more modular, what you should actually be using on new builds.

Tasks (mirror these on both sides)

1. IKEv2 proposal, policy, keyring, profile.

crypto ikev2 proposal PROP-IKEV2
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 policy POL-IKEV2
 proposal PROP-IKEV2
!
crypto ikev2 keyring KR-IKEV2
 peer REMOTE
  address <peer-public-ip>
  pre-shared-key MySecretKey123
!
crypto ikev2 profile PROF-IKEV2
 match identity remote address <peer-public-ip> 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local KR-IKEV2

2. IPsec transform set and profile.

crypto ipsec transform-set TS-IKEV2 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile IPSEC-IKEV2
 set transform-set TS-IKEV2
 set ikev2-profile PROF-IKEV2

3. Tunnel interface (IPsec virtual tunnel — VTI, much cleaner than crypto maps).

interface Tunnel20
 ip address 172.20.0.X 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination <peer-public-ip>
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-IKEV2

On IKEV2-A: 172.20.0.1, peer destination 100.0.0.31. On IKEV2-B: 172.20.0.2, peer destination 100.0.0.30.

4. Static routes for the LANs across the tunnel.

ip route <remote-lan> <mask> Tunnel20

Verification

show crypto ikev2 sa
show crypto ipsec sa
show interfaces tunnel 20
ping 10.210.210.1 source Loopback10   ! from IKEV2-A

Why a VTI here instead of a crypto map?

Crypto maps are the "old way" (and what you used in Section B for IKEv1 on purpose). VTIs treat IPsec as just another routed interface — you can run routing protocols, QoS, and ACLs over it like any other tunnel. It's the modern pattern and what you'll be expected to know on the exam.

Gotchas

• Identity match — match identity remote address must match the peer's actual source IP. If the peer is behind NAT or sourcing from a different interface, this fails silently.
• Forgetting tunnel mode ipsec ipv4 — you'll end up with a plain GRE tunnel that the IPsec profile can't protect.
• tunnel protection ipsec profile order matters — set tunnel mode first, then the protection.

Suggested order of attack

1. Underlay sanity check — ping every public IP from the HUB.
2. DMVPN — biggest piece, do it first while you're fresh.
3. IKEv1 — second hardest, but a useful contrast to remind you why IKEv2 exists.
4. IKEv2 — easiest of the three once you've done IKEv1.

If you only have an hour, do DMVPN. If you have two, add IKEv2. IKEv1 is more about understanding the legacy syntax than learning anything new conceptually.

Tearing it down and starting over

If you wreck a section and want to start that part fresh without losing progress on the others, on each affected router:

HUB# write erase
HUB# reload

When it boots back up, paste the same bootstrap config block that's in the YAML for that node (under nodes: -> configuration:). The rest of the lab keeps running.

Useful debug commands

Always undebug all when you're done — IOSv consoles get noisy fast.