DMVPN

anyone working or worked with this? I would suppose if you have 2 host sites and a bunch of remote sites this would be good?

Trying to find best options for IPSEC Vpn's termenating at 2 host sites.

Find more posts tagged with

Comments

dtlokee

DMVPN is really designed for many sites, it typically requires 2 routers just for the NHRP requests. If you only hae a couple sites it would be better to configure IPSec tunnels or IPSec encrypted GRE tunnels if you plan to run your routing protocols over the tunnels.

The goal of DMVPN is to allow for the spoke to spoke tunnels to be created dynamically. If you don't plan to have spoke to spoke tunnels then it wouldn't be worthwhile. However if you have spokes that are getting their IP addresses dynamically, you may want to use this as an option.

larkspur

thanks for the well explained reply...

so let me ask this, if i have 50 sites termnating ipsec tunnels to a ios router i can get away with building one crypto map for all 50 sites?

Of course as long as none of the defining statemnets in the crypto map need to be changed.

In the event there are say 3 differrent types of vpn terminating, (gre, ipsec, etc) I would need to look at 3 diffrrent crypto policies, and more than one crypto can terminate on the same interface or break it out to tunnel interfaces?

hope that makes sense..

I am reviewing books on VPN design and foundentals and have deployed few site-to-site ipsec vpn's but want to go bigger...

larkspur

anyone on the VPN design questions?

Netstudent

You might want to take this one to the cisco.com forums if you can't get a solution.

dtlokee

larkspur wrote:

thanks for the well explained reply...

so let me ask this, if i have 50 sites termnating ipsec tunnels to a ios router i can get away with building one crypto map for all 50 sites?

Of course as long as none of the defining statemnets in the crypto map need to be changed.

In the event there are say 3 differrent types of vpn terminating, (gre, ipsec, etc) I would need to look at 3 diffrrent crypto policies, and more than one crypto can terminate on the same interface or break it out to tunnel interfaces?

hope that makes sense..

I am reviewing books on VPN design and foundentals and have deployed few site-to-site ipsec vpn's but want to go bigger...

You sort of need one crypto map for all 50 sites (how many crypto maps can you assign to one interface?)

If you are using DMVPN the type of vpn is going to use mGRE, so that would be your "type" of VPN. You don't need to make multiple tunnel interfaces for DMVPN's, just a connection to the NHRP hub (usually 2 of them for backup) and the spoke to spoke VPN's will be established dynamically.

Netstudent

nevermind...What was I thinking?

larkspur

oh wow, i moved this a couple of times, my bad need to practice patience....

dtlokee - so away from the DMVPN complexity. butjust more on site-to-site. so for every ipsec spoke that comes online a crypto map statemnet will need to be defined?

I hope I am asking this correctly.

tia!!

networker050184

Here is a lab for a hub and spoke configuration I used to learn about it. All the routers are connected to a switch with all interfaces in the same VLAN. Hope this helps you get more of a grasp of things.

HUB Router

Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.

Router(config)#hostname Hub

The first step is to create the tunnel. Generic Routing Encapsulation (GRE) tunnels provide a specific pathway across the shared WAN and encapsulate traffic with new packet headers to ensure delivery to specific destinations. The network is private because traffic can enter a tunnel only at an endpoint. Tunnels do not provide true confidentiality (encryption does) but can carry encrypted traffic.

Create a GRE tunnel template which will be applied to all the dynamically created GRE tunnels.

Hub(config)#interface Tunnel 0
Hub(config-if)#description Hub
Hub(config-if)#ip address 10.0.0.1 255.255.255.0
Hub(config-if)#no ip redirects
Hub(config-if)#ip mtu 1440
Hub(config-if)#ip nhrp authentication 123
Hub(config-if)#ip nhrp map multicast dynamic
Hub(config-if)#ip nhrp network-id 1
Hub(config-if)#ip ospf network broadcast
Hub(config-if)#ip ospf priority 2

Hub(config-if)#tunnel source f0/1
Hub(config-if)#tunnel mode gre multipoint
Hub(config-if)#tunnel key 0

This is the outbound interface.

Hub(config-if)#int f0/1
Hub(config-if)#ip address 172.19.0.1 255.255.255.240
Hub(config-if)#no shut

This is the inbound interface

Hub(config-if)#int loopback 0
Hub(config-if)#ip address 14.0.0.1 255.255.255.255

Enable a routing protocol to send and receive dynamic updates about the private networks. Notice you are not advertising the source IP address of the interface. Only the tunnel address and your private network addresses are advertised.

Hub(config-if)#router ospf 100
Hub(config-router)#network 10.0.0.0 0.255.255.255 area 0
Hub(config-router)#network 14.0.0.0 0.255.255.255 area 0
Hub(config-router)#end

Spoke1 Router

Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.

Router(config)#hostname Spoke1

Create a GRE tunnel template which will be applied to all the dynamically created GRE tunnels.

Spoke1(config)#interface Tunnel 0
Spoke1(config-if)#description spoke to Hub
Spoke1(config-if)#ip address 10.0.0.2 255.255.255.0
Spoke1(config-if)#no ip redirects
Spoke1(config-if)#ip mtu 1440
Spoke1(config-if)#ip nhrp authentication 123
Spoke1(config-if)#ip nhrp map multicast dynamic
Spoke1(config-if)#ip nhrp map 10.0.0.1 172.19.0.1
Spoke1(config-if)#ip nhrp map multicast 172.19.0.1
Spoke1(config-if)#ip nhrp network-id 1
Spoke1(config-if)#ip nhrp nhs 10.0.0.1
Spoke1(config-if)#ip ospf network broadcast
Spoke1(config-if)#tunnel source e0/0
Spoke1(config-if)#tunnel mode gre multipoint
Spoke1(config-if)#tunnel key 0

This is the outbound interface.

Spoke1(config-if)#int e0/0
Spoke1(config-if)#ip address 172.19.0.2 255.255.255.240
Spoke1(config-if)#no shut

This is the inbound interface.

Spoke1(config-if)#int loopback 0
Spoke1(config-if)#ip address 14.0.0.2 255.255.255.255

Enable a routing protocol to send and receive dynamic updates about the private networks. Notice you are not advertising the source IP address of the interface. Only the tunnel address and your private network addresses are advertised.

Spoke1(config-if)#router ospf 100
Spoke1(config-router)#network 10.0.0.0 0.255.255.255 area 0
Spoke1(config-router)#network 14.0.0.0 0.255.255.255 area 0
Spoke1(config-router)#end

Spoke2 Router

Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.

Router(config)#hostname Spoke2

Spoke2(config)#interface Tunnel 0
Spoke2(config-if)#description spoke to Hub
Spoke2(config-if)#ip address 10.0.0.3 255.255.255.0
Spoke2(config-if)#no ip redirects
Spoke2(config-if)#ip mtu 1440
Spoke2(config-if)#ip nhrp authentication 123
Spoke2(config-if)#ip nhrp map multicast dynamic
Spoke2(config-if)#ip nhrp map 10.0.0.1 172.19.0.1
Spoke2(config-if)#ip nhrp map multicast 172.19.0.1
Spoke2(config-if)#ip nhrp network-id 1
Spoke2(config-if)#ip nhrp nhs 10.0.0.1
Spoke2(config-if)#ip ospf network broadcast
Spoke2(config-if)#tunnel source e0
Spoke2(config-if)#tunnel mode gre multipoint
Spoke2(config-if)#tunnel key 0

This is the outbound interface.

Spoke2(config-if)#int e0
Spoke2(config-if)#ip address 172.19.0.3 255.255.255.240
Spoke2(config-if)#no shut

This is the inbound interface.

Spoke2(config-if)#int loopback 0
Spoke2(config-if)#ip address 14.0.0.3 255.255.255.255

Enable a routing protocol to send and receive dynamic updates about the private networks. Notice you are not advertising the source IP address of the interface. Only the tunnel address and your private network addresses are advertised.

Spoke2(config-if)#router ospf 100
Spoke2(config-router)#network 10.0.0.0 0.255.255.255 area 0
Spoke2(config-router)#network 14.0.0.0 0.255.255.255 area 0
Spoke2(config-router)#end

Spoke3 Router

Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.

Router(config)#hostname Spoke3

Create a GRE tunnel template which will be applied to all the dynamically created GRE tunnels.

Spoke3(config)#interface Tunnel0
Spoke3(config-if)#description spoke to Hub
Spoke3(config-if)#ip address 10.0.0.4 255.255.255.0
Spoke3(config-if)#no ip redirects
Spoke3(config-if)#ip mtu 1440
Spoke3(config-if)#ip nhrp authentication 123
Spoke3(config-if)#ip nhrp map multicast dynamic
Spoke3(config-if)#ip nhrp map 10.0.0.1 172.19.0.1
Spoke3(config-if)#ip nhrp map multicast 172.19.0.1
Spoke3(config-if)#ip nhrp network-id 1
Spoke3(config-if)#ip nhrp nhs 10.0.0.1
Spoke3(config-if)#ip ospf network broadcast
Spoke3(config-if)#tunnel source e1
Spoke3(config-if)#tunnel mode gre multipoint
Spoke3(config-if)#tunnel key 0

This is the outbound interface.

Spoke3(config-if)#int e1
Spoke3(config-if)#ip address 172.19.0.4 255.255.255.240
Spoke3(config-if)#no shut

This is the inbound interface.

Spoke3(config-if)#int loopback 0
Spoke3(config-if)#ip address 14.0.0.4 255.255.255.255

Enable a routing protocol to send and receive dynamic updates about the private networks. Notice you are not advertising the source IP address of the interface. Only the tunnel address and your private network addresses are advertised.

Spoke3(config-if)#router ospf 100
Spoke3(config-router)#network 10.0.0.0 0.255.255.255 area 0
Spoke3(config-router)#network 14.0.0.0 0.255.255.255 area 0
Spoke3(config-router)#end

Monitoring and Testing the Configuration:

Hub

Hub#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

172.19.0.0/27 is subnetted, 1 subnets
C 172.19.0.0 is directly connected, Ethernet0/0
10.0.0.0/24 is subnetted, 1 subnets
C 10.0.0.0 is directly connected, Tunnel0
14.0.0.0/32 is subnetted, 2 subnets
O 14.0.0.2 [110/11112] via 10.0.0.2, 00:06:47, Tunnel0
C 14.0.0.1 is directly connected, Loopback0
Hub#

Hub#show ip nhrp detail
10.0.0.2/32 via 10.0.0.2, Tunnel0 created 00:18:53, expire 01:41:06
Type: dynamic, Flags: authoritative unique registered
NBMA address: 172.19.0.2 (Spoke1)
10.0.0.3/32 via 10.0.0.3, Tunnel0 created 00:08:47, expire 01:51:12
Type: dynamic, Flags: authoritative unique registered
NBMA address: 172.19.0.3 (Spoke2)
10.0.0.4/32 via 10.0.0.4, Tunnel0 created 00:01:01, expire 01:58:58
Type: dynamic, Flags: authoritative unique registered
NBMA address: 172.19.0.3 (Spoke3)

Hub#show int tunnel 0
Tunnel0 is up, line protocol is up
Hardware is Tunnel
Description: Hub
Internet address is 10.0.0.1/24
MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 172.19.0.1 (Ethernet0/0), destination UNKNOWN
Tunnel protocol/transport multi-GRE/IP, key 0x0, sequencing disabled
Checksumming of packets disabled, fast tunneling enabled
Last input 00:00:05, output 00:00:01, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
94 packets input, 12930 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
92 packets output, 10130 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 output buffer failures, 0 output buffers swapped out

Spoke1

Spoke1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

172.19.0.0/27 is subnetted, 1 subnets
C 172.19.0.0 is directly connected, Ethernet0/0
10.0.0.0/24 is subnetted, 1 subnets
C 10.0.0.0 is directly connected, Tunnel0
14.0.0.0/32 is subnetted, 2 subnets
C 14.0.0.2 is directly connected, Loopback0
O 14.0.0.3 [110/11112] via 10.0.0.1, 01:25:17, Tunnel0
O 14.0.0.4 [110/11112] via 10.0.0.1, 01:25:17, Tunnel0
O 14.0.0.1 [110/11112] via 10.0.0.1, 01:25:17, Tunnel0

Spoke1#show ip nhrp tunnel 0
10.0.0.1/32 via 10.0.0.1, Tunnel0 created 00:01:02, never expire
Type: static, Flags: authoritative used
NBMA address: 172.19.0.1 (Hub)

Spoke1# show int tunnel 0
Tunnel0 is up, line protocol is up
Hardware is Tunnel
Description: spoke to Hub
Internet address is 10.0.0.2/24
MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 172.19.0.2 (Ethernet0/0), destination UNKNOWN
Tunnel protocol/transport multi-GRE/IP, key 0x0, sequencing disabled
Checksumming of packets disabled, fast tunneling enabled
Last input 00:00:03, output 00:00:07, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
555 packets input, 75658 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
586 packets output, 63422 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 output buffer failures, 0 output buffers swapped out

larkspur

excuse my lack of experience with vpn technology,

so this is a dmvpn example or for point-to-multipoint vpn?

networker050184

This is an example of DMVPN. This doesn't exlain the ins and outs, but you can use this as an example when doing some reaserch.

larkspur

very cool thanks a bunch....

networker050184

No problem, it helped me a lot. I like to set things up when I learn about them, it helps put it in perspective better than just reading.

larkspur

man I spent 4 or 5 hours this weekend labbin gipsec vpn. opened my eyes to a couple of things, i was not seeing before.

nothign like putting your hands on it.

networker050184

I agree, and people new this wonder why experience is regarded MUCH higher than certs or education.

LOkrasa

Great links on DMVPN you may want to look at:

keenon wrote:

http://cisco.com/en/US/products/ps6658/products_ios_protocol_option_home.html

this is pretty good

littlegrave wrote:

Yep, I used these presentations and study materials when I was preparing for the written and I find them very helpful. Although they might be enough for the written, you will want to read the NHRP and theDMVPN section from Cisco DocCD and some of the IPSec guides if you're not familiar with it. Don't be fooled by Cisco, they listed DMVPN under FR, but you've got to know IPSec (at least the basics).

Here are some guides I found helpful:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hiad_c/hadnhrp.htm
http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hsec_c/part17/ch10/hgreips.htm

Awesome info from both of those guys.

larkspur

thanks for the addtional resources. LOkrasa.

Humper

Has anyone used DMVPN with a PKI (CA) server? Right now I am using pre-shared keys but would like to use CA server. Can anyone provide me with documentation to set this up as I have tried looking for the DMVPN + CA implementation docs.

dtlokee

Yeah you need to change the way ISAKMP is negoiated from pre-share to rsa-sig, and you need to enroll with the CA the same way you would with a site to site VPN. Then set the "tunnel protection ipsec profile" command to link the IPSEC configuration to the tunnel.

Humper

dtlokee wrote:

Yeah you need to change the way ISAKMP is negoiated from pre-share to rsa-sig, and you need to enroll with the CA the same way you would with a site to site VPN. Then set the "tunnel protection ipsec profile" command to link the IPSEC configuration to the tunnel.

I understand how to change ISAKMP from pre-share to rsa-sig, but I am not sure what you mean by enroll the CA server. Is this done under crypto pki server command? I am also confused how the branch router config.

Right now I am looking at "Configuring certificate enrollment for PKI" found here:

http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a00804a5a17.html

Is this the right direction?

Quick Links

All Categories
Recent Posts
Activity
Unanswered
Groups
Best Of