DMVPN
In my opinion, Dynamic Multipoint VPN (DMVPN) is the greatest technology that Cisco has implemented. It has numerous advantages over "traditional" VPN technologies:
- Deployment is simple. Spoke node configurations can almost be reproduced verbatim.
- It can be used over any medium (3G/4G, cable, DSL, fibre, etc).
- Scalable, with no additional configuration required on the hub to accommodate growth.
- There is no need to update the configuration on the hub as sites are added, removed, or changed.
- Spokes can have static or dynamic IPs. It will even work through NAT.
- High availability is easy to configure.
- Spokes can communicate with each other directly, without passing through the hub. This can improve spoke-to-spoke performance and minimize the load on the hub.
- It natively uses standard routing protocols (OSPF, BGP, EIGRP, etc).
- It can easily be configured as a backup connection, as it supports routing protocols and automatically sets a high metric.
- It can support multiple network technologies, such as IPv6, multicast, and L2TP tunnels.
- It can be easily integrated into customer IPVPNs in a service provider environment.
Basic DMVPN Establishment
The deployment of DMVPN spokes is simple, as the hub nodes have no prior knowledge of the spokes. Since the spoke sites may have dynamic WAN IPs, this simplifies the hub configuration immensely. The spoke sites have their hub sites statically configured. On IOS 15 builds, the hubs can actually be configured using their DNS names. This prevents anyone from having to update the configuration on all the spokes if the hub has to change IPs.
First, the spokes establish an ISAKMP/IPsec session with the hub(s):
HUB1#show crypto isakmp sa
dst             src             state          conn-id slot status
192.0.2.1       198.51.100.1    QM_IDLE            541    0 ACTIVE
Using NHRP (Next Hop Resolution Protocol), each spoke registers with the hubs, creating an association between its WAN (NBMA) IP and its GRE tunnel IP and bringing up the GRE tunnel:
HUB1#show ip nhrp brief
   Target             Via            NBMA           Mode     Intfc   Claimed
10.10.10.3/32      10.10.10.3      198.51.100.1    dynamic  Tu1     <   >
OSPF creates an adjacency over the GRE tunnel:
HUB1#show ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.10.10.3        0   FULL/DROTHER    00:00:30    10.10.10.3      Tunnel1
A spoke router also learns of other spokes through the GRE tunnel and dynamically creates tunnels to them as needed. In the output below, the static entries are the two hubs and the dynamic entries are spoke-to-spoke mappings that were resolved on demand:
SPOKE1#show ip nhrp brief
   Target             Via            NBMA           Mode     Intfc   Claimed
10.10.10.1/32      10.10.10.1      192.0.2.1       static   Tu1     <   >
10.10.10.2/32      10.10.10.3      203.0.113.28    static   Tu1     <   >
10.10.10.4/32      10.10.10.4      198.51.100.117  dynamic  Tu1     <   >
10.10.10.5/32      10.10.10.5      198.51.100.202  dynamic  Tu1     <   >
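The establishment sequence above (ISAKMP SA first, then the NHRP mapping) gives an operator a simple consistency check: every NBMA address that NHRP points at should have an ACTIVE ISAKMP SA, otherwise the mapping is stale or the GRE traffic for it is not protected. The Python below, an added example that is not from the original post, parses the two show outputs and reports that per mapping. The first NHRP row and the SA row are HUB1's output from the page; the second NHRP row is a constructed entry with no SA, added to show a failing case.

```python
import re
from dataclasses import dataclass

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


@dataclass
class NhrpEntry:
    target: str  # tunnel-side prefix, e.g. 10.10.10.3/32
    via: str     # next hop on the tunnel
    nbma: str    # WAN address GRE packets for this target are actually sent to
    mode: str    # static = configured hub/NHS, dynamic = registered or resolved spoke
    intfc: str


def parse_nhrp_brief(text):
    """Rows of 'show ip nhrp brief'; prompt, header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        p = line.split()
        if len(p) >= 5 and "/" in p[0] and IPV4.match(p[2]):
            rows.append(NhrpEntry(*p[:5]))
    return rows


def parse_isakmp_sa(text):
    """{address: (state, status)} from 'show crypto isakmp sa'. Both dst and src
    are indexed so the lookup works from the hub (peer is src) and from a spoke
    (peer is dst) alike."""
    sas = {}
    for line in text.splitlines():
        p = line.split()
        if len(p) >= 6 and IPV4.match(p[0]) and IPV4.match(p[1]):
            dst, src, state, _conn, _slot, status = p[:6]
            sas[dst] = sas[src] = (state, status)
    return sas


def check_peers(nhrp_text, isakmp_text):
    """For each NHRP mapping, say whether the WAN peer it points at has an
    established ISAKMP SA: 'ok', 'no-sa' or 'sa-<state>/<status>'."""
    sas = parse_isakmp_sa(isakmp_text)
    result = []
    for e in parse_nhrp_brief(nhrp_text):
        sa = sas.get(e.nbma)
        if sa is None:
            status = "no-sa"
        elif sa == ("QM_IDLE", "ACTIVE"):
            status = "ok"
        else:
            status = f"sa-{sa[0]}/{sa[1]}"
        result.append((e.target, e.nbma, e.mode, status))
    return result


# Sample outputs: the first NHRP row and the SA row are the page's own HUB1
# output; the second NHRP row is constructed to show a mapping without an SA.
HUB1_NHRP = """\
HUB1#show ip nhrp brief
   Target             Via            NBMA           Mode     Intfc   Claimed
10.10.10.3/32      10.10.10.3      198.51.100.1    dynamic  Tu1     <   >
10.10.10.4/32      10.10.10.4      198.51.100.117  dynamic  Tu1     <   >
"""
HUB1_ISAKMP = """\
HUB1#show crypto isakmp sa
dst             src             state          conn-id slot status
192.0.2.1       198.51.100.1    QM_IDLE            541    0 ACTIVE
"""

if __name__ == "__main__":
    for target, nbma, mode, status in check_peers(HUB1_NHRP, HUB1_ISAKMP):
        print(f"{target:16} {nbma:16} {mode:8} {status}")
```

Run on a hub, the check flags spokes whose registration outlived their SA; run on a spoke, it flags static hub mappings that never came up, which is the first thing to look at when the OSPF adjacency in the next step is missing.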
Basic Hub Configuration
A very basic WAN interface. A production one would also carry an inbound firewall or ACL policy.
interface FastEthernet0
 ip address 192.0.2.1 255.255.255.0
This is a simple crypto configuration. Note that the ISAKMP pre-shared key is accepted from any peer address (0.0.0.0 0.0.0.0); that is what lets spokes with dynamic WAN IPs authenticate, and it also means knowledge of the key is the only thing gating a peer.
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key aw3s0m3crypt0k3y address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 60 5 periodic
!
crypto ipsec transform-set DMVPN_TRANSFORM_SET esp-aes esp-md5-hmac
!
crypto ipsec profile DMVPN
 set transform-set DMVPN_TRANSFORM_SET
Create the tunnel interface. Note the following:
- The subnet is a /24 to accommodate all the other DMVPN nodes that will be participating.
- The IP MTU has been lowered below that of the WAN interface, because the GRE and IPsec headers are added after the tunnel MTU is applied. Having it the same or higher forces fragmentation of every full-size packet and will kill the throughput.
- The line mapping multicast to dynamic refers to spoke nodes.
- There is a secondary hub node, 10.10.10.2.
- Note the network-id. This must be the same on all nodes participating in this VPN. It can also be used to distinguish multiple customers existing on a single hub.
- The NHRP shortcut and redirect lines are used for DMVPN "Phase 3" spoke-to-spoke tunneling.
- The tunnel source is set to the WAN interface, the mode configured as gre multipoint, and the crypto profile is assigned.
interface Tunnel0
 description DMVPN
 ip address 10.10.10.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp map multicast dynamic
 ip nhrp map multicast 203.0.113.28
 ip nhrp map 10.10.10.2 203.0.113.28
 ip nhrp network-id 1
 ip nhrp holdtime 180
 ip nhrp nhs 10.10.10.2
 ip nhrp registration timeout 60
 ip nhrp shortcut
 ip nhrp redirect
 ip ospf network broadcast
 ip ospf priority 128
 tunnel source FastEthernet0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN
Enable a routing protocol, and add the tunnel subnet.
router ospf 1
 router-id 10.10.10.1
 network 10.10.10.0 0.0.0.255 area 0
Basic Spoke Configuration
Note that this configuration is largely the same as the hub configuration. The only differences are:
- The WAN interface uses DHCP.
- Both hubs are configured in the tunnel interface.
- The NHRP redirect option is not configured.
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key aw3s0m3crypt0k3y address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 60 5 periodic
!
crypto ipsec transform-set DMVPN_TRANSFORM_SET esp-aes esp-md5-hmac
!
crypto ipsec profile DMVPN_PROFILE
 description DMVPN PROFILE FOR OTHER SITES
 set transform-set DMVPN_TRANSFORM_SET
!
interface Tunnel0
 description DMVPN TUNNEL TO OTHER SITES
 ip address 10.10.10.3 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp map 10.10.10.1 192.0.2.1
 ip nhrp map multicast 192.0.2.1
 ip nhrp map 10.10.10.2 203.0.113.28
 ip nhrp map multicast 203.0.113.28
 ip nhrp network-id 1
 ip nhrp holdtime 180
 ip nhrp nhs 10.10.10.1
 ip nhrp nhs 10.10.10.2
 ip nhrp registration timeout 60
 ip nhrp shortcut
 ip ospf network broadcast
 ip ospf priority 0
 tunnel source Ethernet1
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN_PROFILE
!
interface Ethernet1
 description WAN
 ip address dhcp
!
router ospf 1
 router-id 10.10.10.3
 network 10.10.10.0 0.0.0.255 area 0
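Because spoke configurations are near-verbatim copies, the mistakes that break or weaken a DMVPN tend to be the handful of values the hub and spoke sections above say must agree or differ: the NHRP network-id, the tunnel MTU, a multicast map for every next-hop server, redirect on hubs only, and IPsec protection on the tunnel. The following Python, an added example rather than anything from the original post, audits those points across a set of node configs and also reports the wildcard pre-shared key and MD5 choices from the crypto section as findings. The embedded configs are the page's hub and spoke configs trimmed to the lines the checks read; the default WAN MTU of 1500 is an assumption, as the page does not state it.

```python
HUB_CFG = """\
crypto isakmp policy 1
 hash md5
crypto isakmp key aw3s0m3crypt0k3y address 0.0.0.0 0.0.0.0
crypto ipsec transform-set DMVPN_TRANSFORM_SET esp-aes esp-md5-hmac
interface Tunnel0
 ip mtu 1400
 ip nhrp map multicast dynamic
 ip nhrp map multicast 203.0.113.28
 ip nhrp map 10.10.10.2 203.0.113.28
 ip nhrp network-id 1
 ip nhrp nhs 10.10.10.2
 ip nhrp shortcut
 ip nhrp redirect
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN
"""
SPOKE_CFG = """\
crypto isakmp policy 1
 hash md5
crypto isakmp key aw3s0m3crypt0k3y address 0.0.0.0 0.0.0.0
crypto ipsec transform-set DMVPN_TRANSFORM_SET esp-aes esp-md5-hmac
interface Tunnel0
 ip mtu 1400
 ip nhrp map 10.10.10.1 192.0.2.1
 ip nhrp map multicast 192.0.2.1
 ip nhrp map 10.10.10.2 203.0.113.28
 ip nhrp map multicast 203.0.113.28
 ip nhrp network-id 1
 ip nhrp nhs 10.10.10.1
 ip nhrp nhs 10.10.10.2
 ip nhrp shortcut
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN_PROFILE
"""


def parse_ios(text):
    """{block header: [indented subcommands]}; one-line globals get an empty list."""
    blocks, cur = {}, None
    for raw in text.splitlines():
        if raw.strip() in ("", "!"):
            continue
        if raw.startswith(" "):
            blocks[cur].append(raw.strip())
        else:
            cur = raw.strip()
            blocks.setdefault(cur, [])
    return blocks


def audit_node(text, role, wan_mtu=1500):
    """Return (nhrp network-id, findings) for one node; role is 'hub' or 'spoke'.
    wan_mtu=1500 is an assumption; the page does not give the WAN MTU."""
    blocks = parse_ios(text)
    f = []
    for hdr, sub in blocks.items():  # crypto hygiene, whole config
        if hdr.startswith("crypto isakmp key") and hdr.endswith("address 0.0.0.0 0.0.0.0"):
            f.append("crypto: wildcard PSK, any address presenting the key authenticates")
        if hdr.startswith("crypto isakmp policy") and "hash md5" in sub:
            f.append("crypto: ISAKMP policy hashes with MD5")
        if hdr.startswith("crypto ipsec transform-set") and "md5" in hdr:
            f.append("crypto: transform set uses esp-md5-hmac")
    tun = next((sub for hdr, sub in blocks.items() if hdr.startswith("interface Tunnel")), [])
    if "tunnel mode gre multipoint" not in tun:
        f.append("tunnel: not gre multipoint")
    if not any(c.startswith("tunnel protection ipsec profile") for c in tun):
        f.append("tunnel: no IPsec protection, GRE would run in the clear")
    mtu = next((int(c.split()[2]) for c in tun if c.startswith("ip mtu ")), None)
    if mtu is None or mtu >= wan_mtu:
        f.append(f"tunnel: ip mtu {mtu} not below WAN MTU {wan_mtu}")
    net_id = next((c.split()[3] for c in tun if c.startswith("ip nhrp network-id ")), None)
    if net_id is None:
        f.append("tunnel: no nhrp network-id")
    # every next-hop server needs a unicast map to its NBMA address and a multicast
    # map to that same address, or registration / OSPF hellos never reach it
    maps = {c.split()[3]: c.split()[4] for c in tun
            if c.startswith("ip nhrp map ") and c.split()[3] != "multicast"}
    mcast = {c.split()[4] for c in tun if c.startswith("ip nhrp map multicast ")}
    for nhs in (c.split()[3] for c in tun if c.startswith("ip nhrp nhs ")):
        if nhs not in maps:
            f.append(f"tunnel: nhs {nhs} has no nhrp map to an NBMA address")
        elif maps[nhs] not in mcast:
            f.append(f"tunnel: no multicast map to {maps[nhs]} (NBMA of nhs {nhs})")
    if role == "hub":
        if "ip nhrp map multicast dynamic" not in tun:
            f.append("tunnel: hub lacks 'ip nhrp map multicast dynamic'")
        if "ip nhrp redirect" not in tun:
            f.append("tunnel: hub lacks 'ip nhrp redirect' (no Phase 3 spoke-to-spoke)")
    elif "ip nhrp shortcut" not in tun:
        f.append("tunnel: spoke lacks 'ip nhrp shortcut'")
    return net_id, f


def audit_network(nodes):
    """nodes: [(name, role, config)] -> {name: findings, 'network': findings}."""
    report, ids = {}, {}
    for name, role, cfg in nodes:
        ids[name], report[name] = audit_node(cfg, role)
    report["network"] = [] if len(set(ids.values())) == 1 else [f"nhrp network-id differs: {ids}"]
    return report


if __name__ == "__main__":
    for node, found in audit_network([("HUB1", "hub", HUB_CFG), ("SPOKE1", "spoke", SPOKE_CFG)]).items():
        print(node, found or "clean")
```

On the page's own configs the tunnel checks all pass and the only findings are the three crypto ones, which is the expected result for a lab build; the test below also feeds in a spoke with a mismatched network-id, a full-size tunnel MTU and a missing multicast map to show how each shows up.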