DMVPN with IPSEC
[IOS] (C3745-ADVENTERPRISEK9-M), Version 12.4(25d)
====sv9-2====
enable
configure terminal
interface Tunnel0
ip address 192.168.1.1 255.255.255.0
no ip redirects
ip mtu 1440
ip nhrp authentication cisco123
ip nhrp map multicast dynamic
ip nhrp network-id 1
no ip split-horizon eigrp 90
no ip next-hop-self eigrp 90
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 0
!--- Profile MGRE is the one defined in the IPSEC section below.
tunnel protection ipsec profile MGRE
no shutdown
!
!--- This is the outbound interface.
interface FastEthernet0/0
ip address 209.168.202.225 255.255.255.0
no shutdown
!
router eigrp 90
network 1.1.1.0 0.0.0.255
network 192.168.1.0
no auto-summary
!
ip route 0.0.0.0 0.0.0.0 209.168.202.226
!
interface FastEthernet1/0
ip address 1.1.1.1 255.255.255.0
no shutdown
====sv9-3====
enable
configure terminal
!
interface Tunnel0
ip address 192.168.1.2 255.255.255.0
no ip redirects
ip mtu 1440
ip nhrp authentication cisco123
ip nhrp map multicast dynamic
ip nhrp map 192.168.1.1 209.168.202.225
ip nhrp map multicast 209.168.202.225
ip nhrp network-id 1
ip nhrp nhs 192.168.1.1
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 0
tunnel protection ipsec profile MGRE
no shutdown
!
!--- This is the outbound interface.
interface FastEthernet0/0
ip address 209.168.202.131 255.255.255.0
no shutdown
!
!--- This is the inbound interface.
interface FastEthernet1/0
ip address 2.2.2.2 255.255.255.0
no shutdown
exit
router eigrp 90
network 2.2.2.0 0.0.0.255
network 192.168.1.0
no auto-summary
!
ip route 0.0.0.0 0.0.0.0 209.168.202.225
ip route 3.3.3.0 255.255.255.0 Tunnel0
====sv9-4====
enable
configure terminal
!
interface Tunnel0
ip address 192.168.1.3 255.255.255.0
no ip redirects
ip mtu 1440
ip nhrp authentication cisco123
ip nhrp map multicast dynamic
ip nhrp map 192.168.1.1 209.168.202.225
ip nhrp map multicast 209.168.202.225
ip nhrp network-id 1
ip nhrp nhs 192.168.1.1
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 0
tunnel protection ipsec profile MGRE
no shutdown
!
!--- This is the outbound interface.
interface FastEthernet0/0
ip address 209.168.202.130 255.255.255.0
no shutdown
!
!--- This is the inbound interface.
interface FastEthernet1/0
ip address 3.3.3.3 255.255.255.0
no shutdown
!
!
router eigrp 90
network 3.3.3.0 0.0.0.255
network 192.168.1.0
no auto-summary
!
ip route 2.2.2.0 255.255.255.0 Tunnel0
ip route 0.0.0.0 0.0.0.0 209.168.202.225
!
====IPSEC (R1, R2 and R3: sv9-2, sv9-3 and sv9-4)====
enable
configure terminal
!--- IKE phase 1 (ISAKMP) policy.
crypto isakmp policy 1
encryption aes
hash md5
authentication pre-share
group 2
lifetime 86400
exit
!--- Wildcard pre-shared key: 0.0.0.0 means the key applies to any peer address.
crypto isakmp key 0 NETWORKLESSONS address 0.0.0.0
!--- IKE phase 2 (IPsec) transform set.
crypto ipsec transform-set MYSET esp-aes esp-md5-hmac
exit
!--- Profile that is attached to the mGRE tunnel interface.
crypto ipsec profile MGRE
set security-association lifetime seconds 86400
set transform-set MYSET
exit
interface tunnel 0
tunnel protection ipsec profile MGRE
end
*** If you want to use OSPF as the routing protocol, set the OSPF network type on interface Tunnel0 to broadcast or non-broadcast, and give the hub router the highest OSPF priority.
====sv9-2 (OSPF)====
interface Tunnel0
ip address 192.168.1.1 255.255.255.0
no ip redirects
ip mtu 1440
ip nhrp authentication cisco123
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip ospf network broadcast
ip ospf priority 255
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 0
tunnel protection ipsec profile MGRE
exit
router ospf 1
router-id 1.1.1.1
network 1.1.1.0 0.0.0.255 area 0
network 192.168.1.0 0.0.0.255 area 0
!--- Apply the same network type on each spoke's Tunnel0 so it matches the hub.
interface Tunnel0
ip ospf network broadcast
end
Device# debug dmvpn all nhrp
Device# show ip nhrp
====DMVPN====
DMVPN (Dynamic Multipoint VPN): a technology in which the Cisco router learns the destination address and builds VPN tunnels automatically, instead of the administrator configuring each VPN by hand. In other words, the operator can build VPNs freely on top of the physically deployed leased lines and the Internet. What lets leased lines and VPNs be used in the best way is AVC (Application Visibility & Control): using DPI (Deep Packet Inspection), it tells whether a packet is web traffic for the in-house accounting system or Twitter traffic, and once the traffic is classified it can be controlled, for example by applying QoS or acceleration. That technology is AVC.
- Point-to-multipoint overlay VPN tunneling technology
- Dynamic and scalable way to build GRE over IPsec site-to-site tunnels
- Remote sites build static tunnels to a central location, for example hub-and-spoke
- Spokes exchange routing information with the hub over the static tunnel (EIGRP, OSPF, BGP)
- Spoke-to-hub traffic routes over the static tunnel
- Spoke-to-spoke traffic routes over dynamic on-demand tunnels
- Uses any IP transport: any Internet connectivity works, e.g. T1, DSL, cable, Ethernet, etc.; supports an arbitrary number of ISPs; supports going through NAT
- Scalable encryption: spoke-to-spoke tunnels only form as needed
====DMVPN Components====
- Can be broken down into two major components: traffic routing, using multipoint GRE (mGRE) and the Next Hop Resolution Protocol (NHRP), and traffic encryption, using IPsec.
- The two main roles are the DMVPN hub, which is the NHRP server, and the DMVPN spokes, which are NHRP clients.
- Spokes, as the clients, register with the hub/server: spokes manually specify the hub's address; the hub dynamically learns each spoke's VPN (tunnel) address and NBMA address.
- Spokes establish tunnels to the hub, which are used to exchange IGP routing information.
====HUB Configuration====
1. enable
2. configure terminal
3. interface tunnel 0
4. ip address 10.1.1.1 255.255.255.0 (All hubs and spokes that are in the same DMVPN network must be addressed in the same IP subnet.)
5. ip mtu 1400 (Sets the maximum transmission unit (MTU) size, in bytes, of IP packets sent on an interface.)
6. ip nhrp authentication donttell (The NHRP authentication string must be set to the same value on all hubs and spokes that are in the same DMVPN network.)
7. ip nhrp map multicast dynamic (Allows NHRP to automatically add spoke routers to the multicast NHRP mappings.)
8. ip nhrp network-id 123 (The number argument specifies a globally unique 32-bit network identifier from a nonbroadcast multiaccess (NBMA) network. The range is from 1 to 4294967295.)
9. tunnel source FastEthernet 0/0 (Sets the source address for a tunnel interface.)
10. tunnel key 100000 (The key number must be set to the same value on all hubs and spokes that are in the same DMVPN network.)
11. tunnel mode gre multipoint (Sets the encapsulation mode to mGRE for the tunnel interface.)
12. tunnel protection ipsec profile IPSECPROF#1 (The name argument specifies the name of the IPsec profile; this value must match the name specified in the crypto ipsec profile name command.)
13. bandwidth 1000 (The kbps argument specifies the bandwidth in kilobits per second. The default value is 9. The recommended bandwidth value is 1000 or greater. Setting the bandwidth value to at least 1000 is critical if EIGRP is used over the tunnel interface. Higher bandwidth values may be necessary depending on the number of spokes supported by a hub.)
14. ip tcp adjust-mss 1360 (Adjusts the maximum segment size (MSS) value of TCP packets going through a router. The max-segment-size argument specifies the maximum segment size, in bytes. The range is from 500 to 1460. The recommended value is 1360 when the IP MTU is set to 1400 bytes. With these recommended settings, TCP sessions quickly scale back to 1400-byte IP packets so the packets "fit" in the tunnel.)
15. ip nhrp holdtime 450 (Changes the number of seconds that NHRP NBMA addresses are advertised as valid in authoritative NHRP responses. The seconds argument specifies the time in seconds that NBMA addresses are advertised as valid in positive authoritative NHRP responses. The recommended value ranges from 300 seconds to 600 seconds.)
16. delay 1000 ((Optional) Used to change the EIGRP routing metric for routes learned over the tunnel interface. The number argument specifies the delay time in seconds. The recommended value is 1000.)
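The 1400/1360 pairing in steps 5 and 14 follows from the GRE and ESP overhead. The following Python calculation is an added example (not from this page or any Cisco tool) that assumes a 1500-byte link, the page's transform set (esp-aes esp-md5-hmac, which is tunnel mode because no mode is set) and the 4-byte GRE key field that `tunnel key` adds; it also checks the lab's ip mtu 1440 against the same link.

```python
# Sizes from RFC 4303 ESP: the CBC IV equals the cipher block size; HMAC ICVs are truncated.
BLOCK = {"esp-aes": 16, "esp-3des": 8}
ICV = {"esp-md5-hmac": 12, "esp-sha-hmac": 12, "esp-sha256-hmac": 16}

def wire_size(inner_len, cipher="esp-aes", auth="esp-md5-hmac", mode="tunnel", gre_key=True):
    """Bytes on the physical link for one inner IP packet sent over a GRE-over-IPsec DMVPN tunnel."""
    gre = 4 + (4 if gre_key else 0)            # GRE header, plus the 4-byte key field when 'tunnel key' is set
    plain = gre + inner_len                     # what the GRE delivery IP header carries
    if mode == "tunnel":
        plain += 20                             # tunnel mode also encrypts the GRE delivery IP header
    blk = BLOCK[cipher]
    padded = -(-(plain + 2) // blk) * blk       # plaintext + pad-length + next-header rounded up to whole blocks
    return 20 + 8 + blk + padded + ICV[auth]    # outer IP + SPI/sequence + IV + ciphertext + ICV

def max_ip_mtu(link_mtu=1500, **kw):
    """Largest 'ip mtu' for Tunnel0 that keeps every encrypted packet within link_mtu."""
    return max(n for n in range(576, link_mtu + 1) if wire_size(n, **kw) <= link_mtu)

def tcp_mss(ip_mtu):
    """'ip tcp adjust-mss' to pair with an ip mtu: subtract the 20-byte IP and 20-byte TCP headers."""
    return ip_mtu - 40

def report(ip_mtu, link_mtu=1500, **kw):
    """Check one tunnel MTU against the link MTU (defaults: the page's esp-aes esp-md5-hmac set)."""
    size = wire_size(ip_mtu, **kw)
    return {"ip_mtu": ip_mtu, "wire_bytes": size, "fits": size <= link_mtu,
            "max_ip_mtu": max_ip_mtu(link_mtu, **kw), "adjust_mss": tcp_mss(ip_mtu)}

if __name__ == "__main__":
    for mtu in (1440, 1400):                    # the lab's value and the configuration guide's value
        print(report(mtu))
```

With these assumptions a 1400-byte inner packet becomes 1496 bytes on the wire, while 1440 becomes 1528 bytes (1512 even in transport mode) and will be fragmented on a 1500-byte link.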
====Spoke Configuration====
1. enable
2. configure terminal
3. interface tunnel number
4. ip address ip-address mask [secondary]
5. ip mtu bytes
6. ip nhrp authentication string
7. ip nhrp map hub-tunnel-ip-address hub-physical-ip-address (Statically configures the IP-to-NBMA address mapping of IP destinations connected to an NBMA network. hub-tunnel-ip-address defines the NHRP server at the hub, which is permanently mapped to the static public IP address of the hub. hub-physical-ip-address defines the static public IP address of the hub.)
8. ip nhrp map multicast hub-physical-ip-address (Enables the use of a dynamic routing protocol between the spoke and hub, and sends multicast packets to the hub router.)
9. ip nhrp nhs hub-tunnel-ip-address (Configures the hub router as the NHRP next-hop server.)
10. ip nhrp network-id number
11. tunnel source {ip-address | type number}
12. tunnel key key-number
13. Do one of the following:
    - tunnel mode gre multipoint (Sets the encapsulation mode to mGRE for the tunnel interface. Use this command if data traffic can use dynamic spoke-to-spoke tunnels.)
    - tunnel destination hub-physical-ip-address (Specifies the destination for a tunnel interface. Use this command if data traffic can use hub-and-spoke tunnels.)
14. tunnel protection ipsec profile name
15. bandwidth kbps
16. ip tcp adjust-mss max-segment-size
17. ip nhrp holdtime seconds
18. delay number
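The hub and spoke procedures above repeat one requirement: the NHRP authentication string, network-id, tunnel key and IPsec profile name must agree on every router, and each spoke's nhs and static map must point at the hub's tunnel and public (NBMA) addresses. The following Python script is an added example, not part of this page or of any Cisco tool: it parses IOS-style configuration text and reports those mismatches. The configs it checks are constructed from this page's sv9-2, sv9-3 and sv9-4 addresses; sv9-4 is deliberately built with the undefined profile name `cisco` so that a finding appears.

```python
import re

# Tunnel0 settings that must agree across every router in one DMVPN cloud (regex -> first group).
FIELDS = {"tunnel_ip": r"ip address (\S+)", "auth": r"ip nhrp authentication (\S+)", "key": r"tunnel key (\d+)",
          "network_id": r"ip nhrp network-id (\d+)", "nhs": r"ip nhrp nhs (\S+)", "source": r"tunnel source (\S+)",
          "profile": r"tunnel protection ipsec profile (\S+)"}
TOP = r"^(?:!|interface |router |crypto |ip route|end|exit)"  # lines that end an interface stanza

def stanza(cfg, name):
    """Body lines of 'interface <name>', or [] when that interface is not configured."""
    m = re.search(rf"^interface {re.escape(name)}[ \t]*\n(.*?)(?={TOP}|\Z)", cfg, re.M | re.S | re.I)
    return [ln.strip() for ln in m.group(1).splitlines() if ln.strip()] if m else []

def first(rx, lines):
    return next((m.group(1) for m in map(re.compile(rx).match, lines) if m), None)

def tunnel_facts(cfg):
    """DMVPN-relevant settings of Tunnel0, plus the NBMA address the tunnel is sourced from."""
    t = stanza(cfg, "Tunnel0")
    f = {k: first(rx, t) for k, rx in FIELDS.items()}
    f["maps"] = dict(m.groups() for m in map(re.compile(r"ip nhrp map (\d\S*) (\S+)").match, t) if m)
    f["nbma"] = first(r"ip address (\S+)", stanza(cfg, f["source"] or "none"))
    f["profiles"] = re.findall(r"^crypto ipsec profile (\S+)", cfg, re.M)
    return f

def check_dmvpn(hub_cfg, spoke_cfgs):
    """Return findings as text; an empty list means the hub and every spoke agree."""
    hub, findings = tunnel_facts(hub_cfg), []
    for name, cfg in spoke_cfgs.items():
        sp = tunnel_facts(cfg)
        for k in ("auth", "network_id", "key"):
            if sp[k] != hub[k]:
                findings.append(f"{name}: {k} {sp[k]!r} differs from hub value {hub[k]!r}")
        if sp["profile"] not in sp["profiles"]:
            findings.append(f"{name}: Tunnel0 references undefined IPsec profile {sp['profile']!r}")
        if sp["nhs"] != hub["tunnel_ip"] or sp["maps"].get(hub["tunnel_ip"]) != hub["nbma"]:
            findings.append(f"{name}: NHS and static NHRP map must be {hub['tunnel_ip']} -> {hub['nbma']}")
    return findings
def ios_snippet(tun_ip, nbma, profile="MGRE", auth="cisco123", hub=None):
    """Constructed IOS text shaped like the page's sv9-x configs; hub=None builds the hub itself."""
    nhrp = f"ip nhrp nhs {hub[0]}\nip nhrp map {hub[0]} {hub[1]}\n" if hub else "ip nhrp map multicast dynamic\n"
    return (f"interface Tunnel0\nip address {tun_ip} 255.255.255.0\nip nhrp authentication {auth}\n{nhrp}"
            f"ip nhrp network-id 1\ntunnel source FastEthernet0/0\ntunnel key 0\ntunnel protection ipsec "
            f"profile {profile}\n!\ninterface FastEthernet0/0\nip address {nbma} 255.255.255.0\n!\n"
            f"crypto ipsec profile MGRE\nset transform-set MYSET\n")

HUB_ADDR = ("192.168.1.1", "209.168.202.225")  # hub tunnel address, hub NBMA (public) address
HUB = ios_snippet(*HUB_ADDR)
SPOKES = {"sv9-3": ios_snippet("192.168.1.2", "209.168.202.131", hub=HUB_ADDR),
          # sv9-4 deliberately keeps the undefined profile name "cisco" so the check reports it
          "sv9-4": ios_snippet("192.168.1.3", "209.168.202.130", profile="cisco", hub=HUB_ADDR)}
```

Running `check_dmvpn(HUB, SPOKES)` returns a single finding for sv9-4; feed it the text of real `show running-config` output to check a live deployment the same way.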