Now that OSPF is all fixed I can set up the Dual-Hub DMVPN. I need to decide on an addressing scheme to go across the DMVPN network, and I think that 192.168.1.0/24 is suitable; it's far enough away from the main network's 10.1.x.0/24 subnets to be easily distinguishable.
There are a couple of things to remember here. Firstly, we need to open up the transparent ASA to permit the DMVPN traffic, and similarly on the failover ASAs. The DMVPN hubs also need to be NAT-aware, as we will connect the clients to the NAT address (10.1.16.200 and 10.1.26.200), rather than the loopbacks. Thankfully, they handle this part themselves, but we do need to factor this in (as you'll see later).
We will start off by creating the isakmp policy and transform-sets that we will use. Because the configuration is identical on every router, we can create it in Notepad and then paste it onto the routers, or create it on one router, run "sh run | s crypto", and then copy and paste:

DMVPN-Hub1(config)#crypto isakmp policy 10
DMVPN-Hub1(config-isakmp)#encryption 3des
DMVPN-Hub1(config-isakmp)#authentication pre-share
DMVPN-Hub1(config-isakmp)#group 2
DMVPN-Hub1(config-isakmp)#exit
DMVPN-Hub1(config)#crypto ipsec transform-set esp-3des-sha-hmac esp-3des esp-sha-hmac
DMVPN-Hub1(cfg-crypto-trans)#mode transport
DMVPN-Hub1(cfg-crypto-trans)#exit
DMVPN-Hub1(config)#crypto ipsec profile DMVPN
DMVPN-Hub1(ipsec-profile)#set transform-set esp-3des-sha-hmac
DMVPN-Hub1(ipsec-profile)#exit
DMVPN-Hub1(config)#crypto isakmp key cisco address 0.0.0.0 0.0.0.0

This then gets copied to the other routers:

DMVPN-Hub2(config)#crypto isakmp policy 10
DMVPN-Hub2(config-isakmp)# encr 3des
DMVPN-Hub2(config-isakmp)# authentication pre-share
DMVPN-Hub2(config-isakmp)# group 2
DMVPN-Hub2(config-isakmp)# exit
DMVPN-Hub2(config)#crypto ipsec transform-set esp-3des-sha-hmac esp-3des esp-sha-hmac
DMVPN-Hub2(cfg-crypto-trans)# mode transport
DMVPN-Hub2(cfg-crypto-trans)#crypto ipsec profile DMVPN
DMVPN-Hub2(ipsec-profile)# set transform-set esp-3des-sha-hmac
DMVPN-Hub2(ipsec-profile)# exit
DMVPN-Hub2(config)#crypto isakmp key cisco address 0.0.0.0 0.0.0.0

DMVPN-Client(config)#crypto isakmp policy 10
DMVPN-Client(config-isakmp)# encr 3des
DMVPN-Client(config-isakmp)# authentication pre-share
DMVPN-Client(config-isakmp)# group 2
DMVPN-Client(config-isakmp)# exit
DMVPN-Client(config)#crypto ipsec transform-set esp-3des-sha-hmac esp-3des esp-sha-hmac
DMVPN-Client(cfg-crypto-trans)# mode transport
DMVPN-Client(cfg-crypto-trans)#crypto ipsec profile DMVPN
DMVPN-Client(ipsec-profile)# set transform-set esp-3des-sha-hmac
DMVPN-Client(ipsec-profile)# exit
DMVPN-Client(config)#crypto isakmp key cisco address 0.0.0.0 0.0.0.0

EzVPN-Server(config)#crypto isakmp policy 10
EzVPN-Server(config-isakmp)# encr 3des
EzVPN-Server(config-isakmp)# authentication pre-share
EzVPN-Server(config-isakmp)# group 2
EzVPN-Server(config-isakmp)# exit
EzVPN-Server(config)#crypto ipsec transform-set esp-3des-sha-hmac esp-3des esp-sha-hmac
EzVPN-Server(cfg-crypto-trans)# mode transport
EzVPN-Server(cfg-crypto-trans)#crypto ipsec profile DMVPN
EzVPN-Server(ipsec-profile)# set transform-set esp-3des-sha-hmac
EzVPN-Server(ipsec-profile)# exit
EzVPN-Server(config)#crypto isakmp key cisco address 0.0.0.0 0.0.0.0

The beauty of things like DMVPN is that it's one of those technologies with little variation in the commands, so we can do a lot of direct cutting and pasting.
Now we can start creating the tunnels, and it's easier to break out Notepad, and chuck in the basics:

int tunnel 0
tun mode gre multipoint
bandwidth 1000
delay 1000
no ip redirects
ip mtu 1360
ip nhrp shortcut
tunnel key 101
tunnel protection ipsec profile DMVPN

Let's paste this onto the routers:

DMVPN-Hub1(config-if)#int tunnel 0
DMVPN-Hub1(config-if)#tun mode gre multipoint
DMVPN-Hub1(config-if)#bandwidth 1000
DMVPN-Hub1(config-if)#delay 1000
DMVPN-Hub1(config-if)#no ip redirects
DMVPN-Hub1(config-if)#ip mtu 1360
DMVPN-Hub1(config-if)#ip nhrp shortcut
DMVPN-Hub1(config-if)#tunnel key 101
DMVPN-Hub1(config-if)#tunnel protection ipsec profile DMVPN
DMVPN-Hub1(config-if)#

DMVPN-Hub2(config)#int tunnel 0
DMVPN-Hub2(config-if)#tun mode gre multipoint
DMVPN-Hub2(config-if)#bandwidth 1000
DMVPN-Hub2(config-if)#delay 1000
DMVPN-Hub2(config-if)#no ip redirects
DMVPN-Hub2(config-if)#ip mtu 1360
DMVPN-Hub2(config-if)#ip nhrp shortcut
DMVPN-Hub2(config-if)#tunnel key 101
DMVPN-Hub2(config-if)#tunnel protection ipsec profile DMVPN
DMVPN-Hub2(config-if)#

DMVPN-Client(config)#int tunnel 0
DMVPN-Client(config-if)#tun mode gre multipoint
DMVPN-Client(config-if)#bandwidth 1000
DMVPN-Client(config-if)#delay 1000
DMVPN-Client(config-if)#no ip redirects
DMVPN-Client(config-if)#ip mtu 1360
DMVPN-Client(config-if)#ip nhrp shortcut
DMVPN-Client(config-if)#tunnel key 101
DMVPN-Client(config-if)#tunnel protection ipsec profile DMVPN
DMVPN-Client(config-if)#

EzVPN-Server(config)#int tunnel 0
EzVPN-Server(config-if)#tun mode gre multipoint
EzVPN-Server(config-if)#bandwidth 1000
EzVPN-Server(config-if)#delay 1000
EzVPN-Server(config-if)#no ip redirects
EzVPN-Server(config-if)#ip mtu 1360
EzVPN-Server(config-if)#ip nhrp shortcut
EzVPN-Server(config-if)#tunnel key 101
EzVPN-Server(config-if)#tunnel protection ipsec profile DMVPN
EzVPN-Server(config-if)#

I should have also put the authentication command in there as well, as that will be the same for all of the routers:

DMVPN-Hub1(config-if)#ip nhrp authentication cisco
DMVPN-Hub2(config-if)#ip nhrp authentication cisco
DMVPN-Client(config-if)#ip nhrp authentication cisco
EzVPN-Server(config-if)#ip nhrp authentication cisco

OK, let's set up the IP addresses. We'll use the 192.168.1.0/24 network, and use .1 for DMVPN-Hub1, .2 for Hub2, .5 for DMVPN-Client and .6 for EZVPN-Server:

DMVPN-Hub1(config-if)#ip address 192.168.1.1 255.255.255.0
DMVPN-Hub2(config-if)#ip address 192.168.1.2 255.255.255.0
DMVPN-Client(config-if)#ip address 192.168.1.5 255.255.255.0
EzVPN-Server(config-if)#ip address 192.168.1.6 255.255.255.0

We need to set the tunnel source:

DMVPN-Hub1(config-if)#tunnel source lo0
DMVPN-Hub1(config-if)#
*Jul 1: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
*Jul 1: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
DMVPN-Hub1(config-if)#

DMVPN-Hub2(config-if)#tunnel source lo0
DMVPN-Hub2(config-if)#
Jul 1: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
DMVPN-Hub2(config-if)#

DMVPN-Client(config-if)#tunnel source lo0
DMVPN-Client(config-if)#
*Jul 1: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
DMVPN-Client(config-if)#

EzVPN-Server(config-if)#tunnel source lo0
EzVPN-Server(config-if)#
*Jul 1: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
*Jul 1: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
EzVPN-Server(config-if)#

The tunnels should come up at this point, and ISAKMP will be turned on. Let's complete the hubs:

DMVPN-Hub1(config-if)#ip nhrp map multicast dynamic
DMVPN-Hub1(config-if)#ip nhrp network-id 101
DMVPN-Hub1(config-if)#ip nhrp redirect
DMVPN-Hub1(config-if)#

DMVPN-Hub2(config-if)#ip nhrp map multicast dynamic
DMVPN-Hub2(config-if)#ip nhrp network-id 101
DMVPN-Hub2(config-if)#ip nhrp redirect
DMVPN-Hub2(config-if)#

We have a few commands to put on the clients.

DMVPN-Client(config-if)#ip nhrp map 192.168.1.1 10.1.16.200
DMVPN-Client(config-if)#ip nhrp map 192.168.1.2 10.1.26.200
DMVPN-Client(config-if)#ip nhrp map multicast 10.1.26.200
DMVPN-Client(config-if)#ip nhrp map multicast 10.1.16.200
DMVPN-Client(config-if)#ip nhrp nhs 192.168.1.1
DMVPN-Client(config-if)#ip nhrp nhs 192.168.1.2
DMVPN-Client(config-if)#ip nhrp network-id 101
DMVPN-Client(config-if)#

EzVPN-Server(config-if)#ip nhrp map 192.168.1.1 10.1.16.200
EzVPN-Server(config-if)#ip nhrp map 192.168.1.2 10.1.26.200
EzVPN-Server(config-if)#ip nhrp map multicast 10.1.26.200
EzVPN-Server(config-if)#ip nhrp map multicast 10.1.16.200
EzVPN-Server(config-if)#ip nhrp nhs 192.168.1.1
EzVPN-Server(config-if)#ip nhrp nhs 192.168.1.2
EzVPN-Server(config-if)#ip nhrp network-id 101
EzVPN-Server(config-if)#

We need a few ACLs to help. The problem is that I have been quite messy with the ACLs on the firewalls so far, and they could probably do with a clean up. I think this is the reason for these errors:

DMVPN-Hub1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
4.4.4.4         5.5.5.5         MM_KEY_EXCH       1096 ACTIVE
4.4.4.4         5.5.5.5         MM_NO_STATE       1095 ACTIVE (deleted)
4.4.4.4         6.6.6.6         MM_KEY_EXCH       1097 ACTIVE
4.4.4.4         6.6.6.6         MM_NO_STATE       1094 ACTIVE (deleted)

IPv6 Crypto ISAKMP SA

DMVPN-Hub1#

The traffic is passing to an extent, but definitely not all the traffic.
After (much) tidying up, this is what I am left with:

FO-ASA/C1(config)# sh run | i access-list
access-list Out->In extended permit icmp any host 4.4.4.4
access-list Out->In extended permit icmp any object GlobalNats
access-list Out->In extended permit esp host 5.5.5.5 host 4.4.4.4
access-list Out->In extended permit esp host 6.6.6.6 host 4.4.4.4
access-list Out->In extended permit udp host 5.5.5.5 host 4.4.4.4 eq isakmp
access-list Out->In extended permit udp host 6.6.6.6 host 4.4.4.4 eq isakmp
access-list In->Out extended permit icmp host 4.4.4.4 any
access-list In->Out extended permit icmp object GlobalNats any
access-list In->Out extended permit esp host 4.4.4.4 host 5.5.5.5
access-list In->Out extended permit esp host 4.4.4.4 host 6.6.6.6
access-list In->Out extended permit udp host 4.4.4.4 host 5.5.5.5 eq isakmp
access-list In->Out extended permit udp host 4.4.4.4 host 6.6.6.6 eq isakmp
FO-ASA/C1(config)# sh run | i access-group
access-group In->Out in interface Inside
access-group Out->In in interface outside
FO-ASA/C1(config)#

FO-ASA/C2(config)# sh run | i access-list
access-list Out->In extended permit icmp any host 1.1.1.1
access-list Out->In extended permit icmp any host 3.3.3.3
access-list Out->In extended permit icmp any object-group GlobalNats
access-list Out->In extended permit esp host 5.5.5.5 host 3.3.3.3
access-list Out->In extended permit esp host 6.6.6.6 host 3.3.3.3
access-list Out->In extended permit udp host 5.5.5.5 host 3.3.3.3 eq isakmp
access-list Out->In extended permit udp host 6.6.6.6 host 3.3.3.3 eq isakmp
access-list In->Out extended permit esp host 3.3.3.3 host 5.5.5.5
access-list In->Out extended permit esp host 3.3.3.3 host 6.6.6.6
access-list In->Out extended permit udp host 3.3.3.3 host 5.5.5.5 eq isakmp
access-list In->Out extended permit udp host 3.3.3.3 host 6.6.6.6 eq isakmp
access-list In->Out extended permit icmp host 1.1.1.1 any
access-list In->Out extended permit icmp host 3.3.3.3 any
access-list In->Out extended permit icmp object-group GlobalNats any
FO-ASA/C2(config)# sh run | i access-group
access-group Out->In in interface outside
access-group In->Out in interface inside
FO-ASA/C2(config)#

Transparent(config)# sh run | i access-list
access-list Out->In extended permit ospf host 10.1.7.1 host 224.0.0.5
access-list Out->In extended permit ospf host 10.1.7.1 host 224.0.0.6
access-list Out->In extended permit icmp host 10.1.7.1 host 10.1.7.2
access-list Out->In extended permit ospf host 10.1.7.1 host 10.1.7.2
access-list Out->In extended permit icmp host 1.1.1.1 any
access-list Out->In extended permit icmp host 10.1.26.200 any
access-list Out->In extended permit icmp host 10.1.16.200 any
access-list Out->In extended permit icmp host 10.1.26.254 any
access-list Out->In extended permit icmp host 10.1.16.254 any
access-list Out->In extended permit esp host 10.1.16.200 host 5.5.5.5
access-list Out->In extended permit esp host 10.1.26.200 host 5.5.5.5
access-list Out->In extended permit esp host 10.1.16.200 host 6.6.6.6
access-list Out->In extended permit esp host 10.1.26.200 host 6.6.6.6
access-list Out->In extended permit udp host 10.1.16.200 host 5.5.5.5 eq isakmp
access-list Out->In extended permit udp host 10.1.26.200 host 5.5.5.5 eq isakmp
access-list Out->In extended permit udp host 10.1.16.200 host 6.6.6.6 eq isakmp
access-list Out->In extended permit udp host 10.1.26.200 host 6.6.6.6 eq isakmp
access-list In->Out extended permit ospf host 10.1.7.2 host 224.0.0.5
access-list In->Out extended permit ospf host 10.1.7.2 host 224.0.0.6
access-list In->Out extended permit ospf host 10.1.7.2 host 10.1.7.1
access-list In->Out extended permit icmp host 10.1.7.2 host 10.1.7.1
access-list In->Out extended permit icmp any host 1.1.1.1
access-list In->Out extended permit icmp any host 10.1.26.200
access-list In->Out extended permit icmp any host 10.1.16.200
access-list In->Out extended permit icmp any host 10.1.26.254
access-list In->Out extended permit icmp any host 10.1.16.254
access-list In->Out extended permit esp host 5.5.5.5 host 10.1.16.200
access-list In->Out extended permit esp host 5.5.5.5 host 10.1.26.200
access-list In->Out extended permit esp host 6.6.6.6 host 10.1.16.200
access-list In->Out extended permit esp host 6.6.6.6 host 10.1.26.200
access-list In->Out extended permit udp host 5.5.5.5 host 10.1.16.200 eq isakmp
access-list In->Out extended permit udp host 5.5.5.5 host 10.1.26.200 eq isakmp
access-list In->Out extended permit udp host 6.6.6.6 host 10.1.16.200 eq isakmp
access-list In->Out extended permit udp host 6.6.6.6 host 10.1.26.200 eq isakmp
Transparent(config)#
Transparent(config)# sh run | i access-group
access-group Out->In in interface Outside
access-group In->Out in interface Inside
Transparent(config)#

This is much neater and more precise, but as far as DMVPN goes, still no dice, so let's think about the network. We have four DMVPN-speaking routers behind two firewalls. Whilst the transparent firewall is not performing NAT (because it's transparent), the other firewall is. So, let's enable NAT traversal, and open up port 4500 (NAT traversal):

Transparent(config)# crypto isakmp nat-traversal
Transparent(config)# access-list Out->In extended permit udp host 10.1.16.200 host 5.5.5.5 eq 4500
Transparent(config)# access-list Out->In extended permit udp host 10.1.26.200 host 5.5.5.5 eq 4500
Transparent(config)# access-list Out->In extended permit udp host 10.1.16.200 host 6.6.6.6 eq 4500
Transparent(config)# access-list Out->In extended permit udp host 10.1.26.200 host 6.6.6.6 eq 4500
Transparent(config)# access-list In->Out extended permit udp host 5.5.5.5 host 10.1.16.200 eq 4500
Transparent(config)# access-list In->Out extended permit udp host 5.5.5.5 host 10.1.26.200 eq 4500
Transparent(config)# access-list In->Out extended permit udp host 6.6.6.6 host 10.1.16.200 eq 4500
Transparent(config)# access-list In->Out extended permit udp host 6.6.6.6 host 10.1.26.200 eq 4500
Transparent(config)#

FO-ASA/C1(config)# crypto isakmp nat-traversal
FO-ASA/C1(config)# access-list Out->In extended permit udp host 5.5.5.5 host 4.4.4.4 eq 4500
FO-ASA/C1(config)# access-list Out->In extended permit udp host 6.6.6.6 host 4.4.4.4 eq 4500
FO-ASA/C1(config)# access-list In->Out extended permit udp host 4.4.4.4 host 5.5.5.5 eq 4500
FO-ASA/C1(config)# access-list In->Out extended permit udp host 4.4.4.4 host 6.6.6.6 eq 4500
FO-ASA/C1(config)#
FO-ASA/C1(config)# changeto con C2

FO-ASA/C2(config)# crypto isakmp nat-traversal
FO-ASA/C2(config)# access-list Out->In extended permit udp host 5.5.5.5 host 3.3.3.3 eq 4500
FO-ASA/C2(config)# access-list Out->In extended permit udp host 6.6.6.6 host 3.3.3.3 eq 4500
FO-ASA/C2(config)# access-list In->Out extended permit udp host 3.3.3.3 host 5.5.5.5 eq 4500
FO-ASA/C2(config)# access-list In->Out extended permit udp host 3.3.3.3 host 6.6.6.6 eq 4500
FO-ASA/C2(config)#

This gets us exactly where we need to be:

DMVPN-Hub1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
4.4.4.4         5.5.5.5         QM_IDLE           1079 ACTIVE
4.4.4.4         6.6.6.6         QM_IDLE           1080 ACTIVE

IPv6 Crypto ISAKMP SA

DMVPN-Hub1#

DMVPN-Hub2#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
3.3.3.3         6.6.6.6         QM_IDLE           1097 ACTIVE
3.3.3.3         5.5.5.5         QM_IDLE           1096 ACTIVE

IPv6 Crypto ISAKMP SA

DMVPN-Hub2#

DMVPN-Client#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        T1 - Route Installed, T2 - Nexthop-override
        C - CTS Capable
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel0, IPv4 NHRP Details
Type:Spoke, NHRP Peers:2,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 10.1.16.200         192.168.1.1    UP 00:09:05     S
     1 10.1.26.200         192.168.1.2    UP 00:01:09     S

DMVPN-Client#

EzVPN-Server#sh dmvpn | b Interface
Interface: Tunnel0, IPv4 NHRP Details
Type:Spoke, NHRP Peers:2,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 10.1.16.200         192.168.1.1    UP 00:04:59     S
     1 10.1.26.200         192.168.1.2    UP 00:01:37     S

EzVPN-Server#

EzVPN-Server#ping 192.168.1.1 so tun 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.6
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/22/24 ms
EzVPN-Server#ping 192.168.1.2 so tun 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.6
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 17/20/24 ms
EzVPN-Server#

DMVPN-Client#ping 192.168.1.1 so tun0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.5
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/22/28 ms
DMVPN-Client#ping 192.168.1.2 so tun0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.5
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 18/20/22 ms
DMVPN-Client#

There is no huge mystery to dual-hub DMVPN; it is the same as single-hub, but with a couple more commands.
I covered DMVPN in VPNs and NAT for Cisco Networks, so have a read of that.
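
The firewall fix earlier came down to one missing service: ESP and UDP/500 (isakmp) were already permitted between each hub and spoke, but UDP/4500 for NAT traversal was not. As an added example (not part of the original post), this Python check parses `access-list` lines in the format shown on this page and reports, per hub/spoke pair and direction, which of the three permits is absent. The function and constant names and the `Out->In` / `In->Out` defaults are this example's assumptions; the sample rules are copied from the FO-ASA/C1 listings on this page.

```python
import re
from itertools import product

# FO-ASA/C1 rules as listed on this page before the NAT-T change.
BEFORE = """\
access-list Out->In extended permit esp host 5.5.5.5 host 4.4.4.4
access-list Out->In extended permit esp host 6.6.6.6 host 4.4.4.4
access-list Out->In extended permit udp host 5.5.5.5 host 4.4.4.4 eq isakmp
access-list Out->In extended permit udp host 6.6.6.6 host 4.4.4.4 eq isakmp
access-list In->Out extended permit esp host 4.4.4.4 host 5.5.5.5
access-list In->Out extended permit esp host 4.4.4.4 host 6.6.6.6
access-list In->Out extended permit udp host 4.4.4.4 host 5.5.5.5 eq isakmp
access-list In->Out extended permit udp host 4.4.4.4 host 6.6.6.6 eq isakmp
"""
# The four lines the page adds afterwards in the same context.
FIX = """\
access-list Out->In extended permit udp host 5.5.5.5 host 4.4.4.4 eq 4500
access-list Out->In extended permit udp host 6.6.6.6 host 4.4.4.4 eq 4500
access-list In->Out extended permit udp host 4.4.4.4 host 5.5.5.5 eq 4500
access-list In->Out extended permit udp host 4.4.4.4 host 6.6.6.6 eq 4500
"""

# Only host-to-host esp/udp permits are modelled (assumption of this example).
# The pattern is searched, not anchored, so a leading CLI prompt is tolerated.
RULE = re.compile(
    r"access-list\s+(?P<acl>\S+)\s+extended\s+permit\s+(?P<proto>esp|udp)\s+"
    r"host\s+(?P<src>\S+)\s+host\s+(?P<dst>\S+)(?:\s+eq\s+(?P<port>\S+))?\s*$")
REQUIRED = ("esp", "udp/500", "udp/4500")  # ESP, ISAKMP, NAT traversal

def parse_rules(text):
    """Return {(acl, src, dst, service)} for the permits RULE understands."""
    rules = set()
    for line in text.splitlines():
        m = RULE.search(line)
        if not m:
            continue
        if m["proto"] == "esp":
            service = "esp"
        elif m["port"]:
            port = "500" if m["port"] == "isakmp" else m["port"]
            service = "udp/" + port
        else:
            continue  # port-less udp permit: broader than this check models
        rules.add((m["acl"], m["src"], m["dst"], service))
    return rules

def missing_permits(text, hubs, spokes, inbound="Out->In", outbound="In->Out"):
    """List the (acl, src, dst, service) permits a hub/spoke pair still lacks."""
    rules = parse_rules(text)
    gaps = []
    for hub, spoke in product(hubs, spokes):
        for service in REQUIRED:
            for want in ((inbound, spoke, hub, service),
                         (outbound, hub, spoke, service)):
                if want not in rules:
                    gaps.append(want)
    return gaps
```

Calling `missing_permits(BEFORE, ["4.4.4.4"], ["5.5.5.5", "6.6.6.6"])` returns the four UDP/4500 gaps, and the same call on `BEFORE + FIX` returns an empty list.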
Now that the tunnels are up, we can run EIGRP across them:

DMVPN-Hub1(config)#int tun 0
DMVPN-Hub1(config-if)#no ip split-horizon eigrp 101
DMVPN-Hub1(config-if)#router eigrp 101
DMVPN-Hub1(config-router)#eigrp router-id 192.168.1.1
DMVPN-Hub1(config-router)#network 192.168.1.0 0.0.0.255
DMVPN-Hub1(config-router)#

DMVPN-Hub2(config)#int tun 0
DMVPN-Hub2(config-if)#no ip split-horizon eigrp 101
DMVPN-Hub2(config-if)#router eigrp 101
DMVPN-Hub2(config-router)#eigrp router-id 192.168.1.2
DMVPN-Hub2(config-router)#network 192.168.1.0 0.0.0.255
DMVPN-Hub2(config-router)#

DMVPN-Client(config)#int tun 0
DMVPN-Client(config-if)#no ip split-horizon eigrp 101
DMVPN-Client(config-if)#router eigrp 101
DMVPN-Client(config-router)#eigrp router-id 192.168.1.5
DMVPN-Client(config-router)#network 192.168.1.0 0.0.0.255
DMVPN-Client(config-router)#
*Jul 2: %DUAL-5-NBRCHANGE: EIGRP-IPv4 101: Neighbor 192.168.1.1 (Tunnel0) is up: new adjacency
*Jul 2: %DUAL-5-NBRCHANGE: EIGRP-IPv4 101: Neighbor 192.168.1.2 (Tunnel0) is up: new adjacency
DMVPN-Client(config-router)#

EzVPN-Server(config)#int tun 0
EzVPN-Server(config-if)#no ip split-horizon eigrp 101
EzVPN-Server(config-if)#router eigrp 101
EzVPN-Server(config-router)#eigrp router-id 192.168.1.6
EzVPN-Server(config-router)#network 192.168.1.0 0.0.0.255
EzVPN-Server(config-router)#
*Jul 2: %DUAL-5-NBRCHANGE: EIGRP-IPv4 101: Neighbor 192.168.1.2 (Tunnel0) is up: new adjacency
*Jul 2: %DUAL-5-NBRCHANGE: EIGRP-IPv4 101: Neighbor 192.168.1.1 (Tunnel0) is up: new adjacency
EzVPN-Server(config-router)#

Next up will be zone-based firewalls. I have not tried these before, so it should be interesting.