DMVPN

From Baranoski.ca

In my opinion, Dynamic Multipoint VPN (DMVPN) is the greatest technology that Cisco has implemented. It has numerous advantages over "traditional" VPN technologies:

  • Deployment is simple. Spoke node configurations can be reproduced almost verbatim.
  • It can be used over any medium (3G/4G, cable, DSL, fibre, etc).
  • Scalable, with no additional configuration required on the hub to accommodate growth.
  • There is no need to update the configuration on the hub as sites are added, removed, or changed.
  • Spokes can have static or dynamic IPs. It will even work through NAT.
  • High availability is easy to configure.
  • Spokes can communicate with each other directly, without passing through the hub. This can improve spoke-to-spoke performance and minimize the load on the hub.
  • It natively uses standard routing protocols (OSPF, BGP, EIGRP, etc).
  • It can easily be configured as a backup connection, as it supports routing protocols and automatically sets a high metric.
  • It can support multiple network technologies, such as IPv6, multicast, and L2TP tunnels.
  • It can be easily integrated into customer IPVPNs in a service provider environment.


Basic DMVPN Establishment

The deployment of DMVPN spokes is simple, as the hub nodes have no prior knowledge of the spokes. Since the spoke sites may have dynamic WAN IPs, this simplifies the hub configuration immensely. The spoke sites have their hub sites statically configured. On IOS 15 builds, the hubs can actually be configured using their DNS names. This prevents anyone from having to update the configuration on all the spokes if the hub has to change IPs.

First, the spokes establish an ISAKMP/IPsec connection to the hub(s):

HUB1#show crypto isakmp sa
dst             src             state          conn-id slot status
192.0.2.1       198.51.100.1    QM_IDLE            541    0 ACTIVE

Using NHRP (Next Hop Resolution Protocol), the spokes register an association on the hubs between their WAN (NBMA) IP and their GRE tunnel IP, bringing up the GRE tunnel:

HUB1#show ip nhrp brief
   Target             Via            NBMA           Mode   Intfc   Claimed
10.10.10.3/32      10.10.10.3      198.51.100.1    dynamic  Tu1     <   >

OSPF creates an adjacency over the GRE tunnel:

HUB1#show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
10.10.10.3        0   FULL/DROTHER    00:00:30    10.10.10.3      Tunnel1

A spoke router also learns of other spokes through the GRE tunnel to the hub and dynamically creates tunnels to them as needed:

SPOKE1#show ip nhrp brief
   Target             Via            NBMA           Mode    Intfc   Claimed
10.10.10.1/32       10.10.10.1      192.0.2.1       static   Tu1     <   >
10.10.10.2/32       10.10.10.3      203.0.113.28    static   Tu1     <   >
10.10.10.4/32       10.10.10.4      198.51.100.117  dynamic  Tu1     <   >
10.10.10.5/32       10.10.10.5      198.51.100.202  dynamic  Tu1     <   >
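As an added example, not part of the original page, here is a small Python check that correlates the two HUB1 outputs above: every NBMA address in the NHRP cache should have an ACTIVE ISAKMP SA, because with tunnel protection a peer without one cannot pass traffic. The sample output strings are copied from the page; the local WAN address (192.0.2.1 on the hub) is an assumed parameter.

```python
import re

# Constructed sample: the HUB1 'show' output from this page, hub WAN address 192.0.2.1.
ISAKMP_SA = """\
dst             src             state          conn-id slot status
192.0.2.1       198.51.100.1    QM_IDLE            541    0 ACTIVE
"""
NHRP_BRIEF = """\
   Target             Via            NBMA           Mode   Intfc   Claimed
10.10.10.3/32      10.10.10.3      198.51.100.1    dynamic  Tu1     <   >
"""
IP = r"(\d+\.\d+\.\d+\.\d+)"

def parse_isakmp_sa(text, local_wan_ip):
    # Map each peer's WAN address to its (state, status) pair.  On the hub the
    # peer is 'src'; on a spoke that initiated the SA the peer is 'dst'.
    sas = {}
    for line in text.splitlines():
        m = re.match(rf"{IP}\s+{IP}\s+(\S+)\s+\d+\s+\d+\s+(\S+)", line)
        if m:
            dst, src, state, status = m.groups()
            sas[src if dst == local_wan_ip else dst] = (state, status)
    return sas

def parse_nhrp_brief(text):
    # One dict per NHRP entry: tunnel target, next hop, NBMA (WAN) address, mode.
    entries = []
    for line in text.splitlines():
        m = re.match(r"\s*(\S+/\d+)\s+(\S+)\s+(\S+)\s+(static|dynamic)\s+(\S+)", line)
        if m:
            target, via, nbma, mode, intf = m.groups()
            entries.append({"target": target, "via": via, "nbma": nbma,
                            "mode": mode, "intf": intf})
    return entries

def unprotected_peers(isakmp_text, nhrp_text, local_wan_ip):
    # NBMA addresses NHRP knows about that have no established (QM_IDLE/ACTIVE)
    # ISAKMP SA.  With 'tunnel protection' such tunnels cannot carry traffic, so
    # they are either stale NHRP state or a crypto failure worth investigating.
    sas = parse_isakmp_sa(isakmp_text, local_wan_ip)
    return [e["nbma"] for e in parse_nhrp_brief(nhrp_text)
            if sas.get(e["nbma"]) != ("QM_IDLE", "ACTIVE")]
```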


Basic Hub Configuration

A very basic WAN interface. A production configuration would also have things like a firewall on it.

interface FastEthernet0
 ip address 192.0.2.1 255.255.255.0

This is a simple crypto configuration. Note that the ISAKMP pre-shared key is accepted from any host (0.0.0.0/0), since the spokes may have dynamic WAN IPs; this also means every spoke uses the same key.

crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key aw3s0m3crypt0k3y address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 60 5 periodic
!
crypto ipsec transform-set DMVPN_TRANSFORM_SET esp-aes esp-md5-hmac
!
crypto ipsec profile DMVPN
 set transform-set DMVPN_TRANSFORM_SET

Create the tunnel interface. Note the following:

  • The subnet is a /24 to accommodate all the other DMVPN nodes that will be participating.
  • The IP MTU has been lowered below that of the WAN interface to leave room for the GRE and IPsec headers. Having it the same or higher will kill the throughput.
  • The ip nhrp map multicast dynamic line refers to spoke nodes, which register dynamically.
  • There is a secondary hub node, 10.10.10.2.
  • Note the network-id. This must be the same on all nodes participating in this VPN. It can also be used to distinguish multiple customers existing on a single hub.
  • The NHRP shortcut and redirect lines are used for DMVPN "Phase 3" spoke-to-spoke tunneling.
  • The tunnel source is set to the WAN interface, the mode is configured as gre multipoint, and the crypto profile is assigned.

interface Tunnel0
 description DMVPN
 ip address 10.10.10.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp map multicast dynamic
 ip nhrp map multicast 203.0.113.28
 ip nhrp map 10.10.10.2 203.0.113.28
 ip nhrp network-id 1
 ip nhrp holdtime 180
 ip nhrp nhs 10.10.10.2
 ip nhrp registration timeout 60
 ip nhrp shortcut
 ip nhrp redirect
 ip ospf network broadcast
 ip ospf priority 128
 tunnel source FastEthernet0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN

Enable a routing protocol, and add the tunnel subnet.

router ospf 1
 router-id 10.10.10.1
 network 10.10.10.0 0.0.0.255 area 0

Basic Spoke Configuration

Note that this configuration is largely the same as the hub configuration. The only differences are:

  • The WAN interface uses DHCP.
  • Both hubs are configured in the tunnel interface.
  • The NHRP redirect option is not configured.

crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key aw3s0m3crypt0k3y address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 60 5 periodic
!
crypto ipsec transform-set DMVPN_TRANSFORM_SET esp-aes esp-md5-hmac
!
crypto ipsec profile DMVPN_PROFILE
 description DMVPN PROFILE FOR OTHER SITES
 set transform-set DMVPN_TRANSFORM_SET
!
interface Tunnel0
 description DMVPN TUNNEL TO OTHER SITES
 ip address 10.10.10.3 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp map 10.10.10.1 192.0.2.1
 ip nhrp map multicast 192.0.2.1
 ip nhrp map 10.10.10.2 203.0.113.28
 ip nhrp map multicast 203.0.113.28
 ip nhrp network-id 1
 ip nhrp holdtime 180
 ip nhrp nhs 10.10.10.1
 ip nhrp nhs 10.10.10.2
 ip nhrp registration timeout 60
 ip nhrp shortcut
 ip ospf network broadcast
 ip ospf priority 0
 tunnel source Ethernet1
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN_PROFILE
!
interface Ethernet1
 description WAN
 ip address dhcp
!
router ospf 1
 router-id 10.10.10.3
 network 10.10.10.0 0.0.0.255 area 0
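As an added example, not the page's own configuration or a Cisco tool, the following Python checks a hub/spoke configuration pair for the points made in the hub and spoke sections above: the network-id and pre-shared key must match, the hub needs redirect while the spoke needs shortcut for Phase 3, every NHS on the spoke needs an ip nhrp map entry, and the hub's wildcard key address is reported as a finding. The config excerpts are the relevant lines from this page.

```python
# Excerpts of the hub and spoke configurations on this page (only the lines the checks read).
HUB_CFG = """\
crypto isakmp key aw3s0m3crypt0k3y address 0.0.0.0 0.0.0.0
interface Tunnel0
 ip nhrp network-id 1
 ip nhrp nhs 10.10.10.2
 ip nhrp redirect
"""
SPOKE_CFG = """\
crypto isakmp key aw3s0m3crypt0k3y address 0.0.0.0 0.0.0.0
interface Tunnel0
 ip nhrp map 10.10.10.1 192.0.2.1
 ip nhrp map 10.10.10.2 203.0.113.28
 ip nhrp network-id 1
 ip nhrp nhs 10.10.10.1
 ip nhrp nhs 10.10.10.2
 ip nhrp shortcut
"""

def parse_dmvpn(cfg):
    # Collect the settings the page says must agree between hub and spoke.
    p = {"key": None, "key_any_peer": False, "network_id": None,
         "nhs": [], "map": {}, "shortcut": False, "redirect": False}
    for line in cfg.splitlines():
        t = line.split()
        if t[:3] == ["crypto", "isakmp", "key"]:
            p["key"], p["key_any_peer"] = t[3], t[-2:] == ["0.0.0.0", "0.0.0.0"]
        elif t[:3] == ["ip", "nhrp", "network-id"]:
            p["network_id"] = t[3]
        elif t[:3] == ["ip", "nhrp", "nhs"]:
            p["nhs"].append(t[3])
        elif t[:3] == ["ip", "nhrp", "map"] and t[3] != "multicast":
            p["map"][t[3]] = t[4]  # tunnel IP -> NBMA (WAN) IP of that node
        elif t[:2] == ["ip", "nhrp"] and t[2] in ("shortcut", "redirect"):
            p[t[2]] = True
    return p

def check_pair(hub_cfg, spoke_cfg):
    # Return the findings whose condition holds; an empty list means the pair agrees.
    hub, spoke = parse_dmvpn(hub_cfg), parse_dmvpn(spoke_cfg)
    checks = [
        (hub["network_id"] != spoke["network_id"], "nhrp network-id differs between hub and spoke"),
        (hub["key"] != spoke["key"], "ISAKMP pre-shared keys differ; IPsec will not establish"),
        (not (hub["redirect"] and spoke["shortcut"]), "Phase 3 needs redirect on the hub and shortcut on spokes"),
        (hub["key_any_peer"], "hub accepts the pre-shared key from any address, so every spoke shares one secret"),
    ]
    checks += [(nhs not in spoke["map"], f"spoke: NHS {nhs} has no 'ip nhrp map' to its NBMA address")
               for nhs in spoke["nhs"]]
    return [msg for bad, msg in checks if bad]
```

Run against the page's own hub and spoke, the only finding is the shared wildcard key; removing a map line or changing one network-id produces the corresponding mismatch.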