Dynamic Multipoint VPN (DMVPN)

It has been a long time since my last post. I have been quite busy. The new job is all but what I expected. A lot of new things happened, including me passing the written exam. Now CCIE v5 is approaching and Dynamic Multipoint VPN is a new topic just added to the blueprint. Since I’ve been working with this kind of VPN for a while, I decided that it is about time to write a new blog post and try to explain the basic concepts and configurations.

Within the scope of the v5 curriculum, DMVPN will only have a single hub site and IPsec encryption will be pre-shared key based.

DMVPN

DMVPN is a combination of five different tools:

  • mGRE (multipoint GRE tunnel)
  • NHRP (Next Hop Resolution Protocol)
  • Dynamic Routing Protocol (any that fits the business requirement, IS-IS is not supported)
  • Dynamic IPsec encryption
  • CEF (Cisco Express Forwarding)

Let’s briefly introduce some of those tools.

mGRE

Multipoint Generic Routing Encapsulation minimizes tunnel configuration on the hub site. Traditional GRE required a point-to-point tunnel to be created for every peer. In situations where multiple spokes are present, the hub configuration would quickly become cumbersome to maintain and configure: for every new spoke, a new tunnel has to be configured on the hub.

With multipoint GRE instead, the hub is configured with a single multipoint tunnel, while each spoke is configured with a point-to-point one.

Of course, if dynamic routing is enabled, remember to disable split horizon on the hub where necessary and to treat the network as point-to-multipoint.

NHRP

The Next Hop Resolution Protocol is what makes this tunnelling technique really dynamic. It is an “ARP-like” protocol used in NBMA networks that allows clients (spokes) to dynamically register with the server (hub). The main advantage is obviously that we can add as many spokes as we want without ever changing the hub configuration.

Aside from the spoke-to-hub static mapping (represented in red), NHRP also allows the individual spokes to dynamically discover and map the IP addresses of other clients. This way a spoke-to-spoke dynamic mapping (represented in green) is created, and traffic between spokes can flow directly without having to pass through the hub first, greatly reducing CPU and bandwidth requirements at the hub site.

DMVPN

Once created, this dynamic mapping is not permanent: if no traffic is using the mapping (read as: if no traffic is passing through the tunnel), it will eventually time out (2 hours by default).

CEF is also important, as NHRP relies on it to map the IP addresses.

IPsec Encryption

There is little to say here: we need IPsec to encrypt our traffic and make a VPN out of this dynamic tunnel. Confidentiality and data integrity are achieved using IPsec.

The configuration is nothing too difficult. We are going to configure a pre-shared key as the authentication method together with the wildcard “0.0.0.0”, since we have no idea who the spokes will be. While this may look like a configuration required on the hub only (the spokes do know who the hub is, after all), in reality the spokes need the wildcard too, or a spoke-to-spoke VPN will fail to establish when required.

Configuration example 

I’m going to show you here how to configure the hub and the spokes. The spoke configuration can be copy-pasted as-is on all the spokes.

Hub

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key MYSECRETPASSWORD address 0.0.0.0
crypto isakmp keepalive 10 5
!
!
crypto ipsec transform-set MINE esp-3des
 mode tunnel
!
crypto ipsec profile DMVPN
 set transform-set MINE
!
interface Tunnel1
 ip address 172.16.1.1 255.255.255.0
 ip mtu 1400
 ip nhrp authentication !@password%$
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp holdtime 100
 ip nhrp registration timeout 40
 ip tcp adjust-mss 1360
 keepalive 5 2
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN
!
interface GigabitEthernet0/0
 ip address 157.11.44.33 255.255.255.0
!

The hub configuration is quite straightforward. The first section is the IPsec part. The pre-shared key is “MYSECRETPASSWORD” and the peer IP address is “0.0.0.0”, standing for “any peer”.

The second section is the configuration for the tunnel itself. NHRP is shown first and mGRE follows.

NHRP allows us to configure password-based authentication so that only authorized clients can register with the NHRP server; this is what ip nhrp authentication is used for. The network-id must also match for a spoke to be able to register. ip nhrp map multicast, instead, is used in the same way “frame-relay map .. broadcast” would be: it lets multicast packets be replicated and sent as unicast to the statically mapped addresses or to the dynamically discovered ones. This is obviously of extreme importance if we think of dynamic routing protocols using multicast packets to establish their adjacencies. The last part of the NHRP configuration is ip nhrp holdtime and ip nhrp registration timeout.

The holdtime specifies how long the server keeps the registrations coming from the clients in its cache. If no registration update is received, the entry times out. Registration updates are sent at 1/3 of the holdtime value. If ip nhrp registration timeout is also configured (usually on spokes only), the NHRP registration requests are sent every [Timeout] seconds instead of every 1/3 of the configured holdtime.

The final part of the tunnel configuration is the mGRE part and doesn’t require any special explanation; the configuration is self-explanatory.

Spoke

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key MYSECRETPASSWORD address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10 5
!
!
crypto ipsec transform-set MINE esp-3des
!
crypto ipsec profile DMVPN
 set transform-set MINE
!
interface Tunnel1
 ip address 172.16.1.2 255.255.255.0
 ip mtu 1400
 ip nhrp authentication !@password%$
 ip nhrp map 172.16.1.1 157.11.44.33
 ip nhrp map multicast 157.11.44.33
 ip nhrp network-id 1
 ip nhrp holdtime 100
 ip nhrp nhs 172.16.1.1
 ip nhrp registration timeout 40
 ip tcp adjust-mss 1360
 keepalive 5 2
 tunnel source Dialer0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN
!
interface Dialer0
 ip address negotiated
!

The spoke config is pretty much identical; the only differences are three lines of config. The first one is ip nhrp map [logical ip] [NBMA ip]. This command configures a static mapping on the spoke for the well-known hub. ip nhrp map multicast has the same meaning as on the hub, but here it is a static mapping to the hub NBMA IP address rather than a dynamic one. Finally, the last difference is ip nhrp nhs [logical ip], which tells the spoke who the NHRP server is.
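The three spoke-only lines, together with the NHRP authentication string, network-id and timers explained for the hub, are exactly the values that have to agree between the two sides. The script below is an added example written for this post (not Cisco code and not the original author's): it parses the hub and spoke tunnel lines shown above, embedded as constructed strings, and reports the mismatches that would keep a spoke from registering, plus the MSS/MTU and holdtime/registration-timeout relationships. All function and field names are my own; the 8-character limit on ip nhrp authentication is the IOS limit.

```python
import re

# Hub and spoke tunnel/key lines from the post, embedded as constructed strings so
# the checker runs offline (not pulled from a live device).
HUB_CONFIG = """\
crypto isakmp key MYSECRETPASSWORD address 0.0.0.0
interface Tunnel1
 ip address 172.16.1.1 255.255.255.0
 ip mtu 1400
 ip nhrp authentication !@password%$
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp holdtime 100
 ip nhrp registration timeout 40
 ip tcp adjust-mss 1360
interface GigabitEthernet0/0
 ip address 157.11.44.33 255.255.255.0
"""

SPOKE_CONFIG = """\
crypto isakmp key MYSECRETPASSWORD address 0.0.0.0 0.0.0.0
interface Tunnel1
 ip address 172.16.1.2 255.255.255.0
 ip mtu 1400
 ip nhrp authentication !@password%$
 ip nhrp map 172.16.1.1 157.11.44.33
 ip nhrp map multicast 157.11.44.33
 ip nhrp network-id 1
 ip nhrp holdtime 100
 ip nhrp nhs 172.16.1.1
 ip nhrp registration timeout 40
 ip tcp adjust-mss 1360
interface Dialer0
 ip address negotiated
"""

# Tunnel-interface commands carrying one value of interest: keywords -> (field, type)
SIMPLE = {
    ("ip", "address"): ("tunnel_ip", str),
    ("ip", "mtu"): ("mtu", int),
    ("ip", "tcp", "adjust-mss"): ("mss", int),
    ("ip", "nhrp", "authentication"): ("nhrp_auth", str),
    ("ip", "nhrp", "network-id"): ("network_id", int),
    ("ip", "nhrp", "holdtime"): ("holdtime", int),
    ("ip", "nhrp", "registration", "timeout"): ("reg_timeout", int),
    ("ip", "nhrp", "nhs"): ("nhs", str),
}


def parse_config(text):
    """Extract the DMVPN-relevant values from an IOS configuration fragment."""
    cfg, section = {"nhrp_map": {}, "multicast": []}, ""
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if not line.startswith(" "):            # a top-level command opens a new section
            section = line
            if m := re.match(r"crypto isakmp key (\S+) address (\S+)", line):
                cfg["psk"], cfg["psk_peer"] = m.group(1), m.group(2)
            continue
        w = line.split()
        if section.startswith("interface Tunnel"):
            for key, (field, conv) in SIMPLE.items():
                if tuple(w[:len(key)]) == key:
                    cfg[field] = conv(w[len(key)])
                    break
            else:
                if w[:4] == ["ip", "nhrp", "map", "multicast"]:
                    cfg["multicast"].append(w[4])
                elif w[:3] == ["ip", "nhrp", "map"]:
                    cfg["nhrp_map"][w[3]] = w[4]     # tunnel address -> NBMA address
        elif section.startswith("interface") and w[:2] == ["ip", "address"] and w[2] != "negotiated":
            cfg["nbma_ip"] = w[2]                  # underlay address the spokes must point at
    return cfg


def check_dmvpn(hub, spoke):
    """Return a list of findings; an empty list means hub and spoke are consistent."""
    f = []
    for field, label in (("psk", "ISAKMP pre-shared key"), ("nhrp_auth", "NHRP authentication string"),
                         ("network_id", "NHRP network-id")):
        if hub.get(field) != spoke.get(field):
            f.append(f"{label} differs between hub and spoke")
    if "dynamic" not in hub["multicast"]:
        f.append("hub: 'ip nhrp map multicast dynamic' missing")
    for role, cfg in (("hub", hub), ("spoke", spoke)):
        n = len(cfg.get("nhrp_auth", ""))
        if n > 8:                                   # IOS limits the NHRP auth string to 8 chars
            f.append(f"{role}: NHRP authentication string is {n} chars, IOS accepts at most 8")
        if "mtu" in cfg and cfg.get("mss") != cfg["mtu"] - 40:      # 20-byte IP + 20-byte TCP
            f.append(f"{role}: adjust-mss should be mtu-40 = {cfg['mtu'] - 40}")
        if cfg.get("reg_timeout", 0) >= cfg.get("holdtime", 7200):  # 7200 s = default holdtime
            f.append(f"{role}: registration timeout must be below the NHRP holdtime")
    nhs = spoke.get("nhs")
    nbma = spoke["nhrp_map"].get(nhs)
    if nhs != hub.get("tunnel_ip"):
        f.append(f"spoke: NHS {nhs} is not the hub tunnel address {hub.get('tunnel_ip')}")
    if nbma != hub.get("nbma_ip"):
        f.append(f"spoke: NHS {nhs} maps to {nbma}, hub NBMA address is {hub.get('nbma_ip')}")
    if nbma not in spoke["multicast"]:
        f.append(f"spoke: 'ip nhrp map multicast {nbma}' towards the hub missing")
    return f


def run_checks(hub_text, spoke_text):
    """Parse both fragments and return the findings."""
    return check_dmvpn(parse_config(hub_text), parse_config(spoke_text))
```

Run against the configurations from the post, the only findings are the two over-long NHRP authentication strings (12 characters on each side); everything the spoke needs to register (key, network-id, NHS address, hub NBMA address, multicast mapping) lines up. Changing the spoke's network-id or its multicast mapping produces the corresponding mismatch finding.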

Verification and show commands

The main verification and troubleshooting commands are basically two: show dmvpn and show ip nhrp are the ones that give you all the details about the tunnels. The crypto show commands can also be used to verify that IPsec is working. The output below shows how the hub and the spoke look.

---- HUB ----

Gateway#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel1, IPv4 NHRP Details
Type:Hub, NHRP Peers:2,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     2 151.50.233.163       172.16.1.2    UP 00:02:33     D
     1 46.35.80.240        172.16.1.11    UP    1d02h     D

Gateway#sh ip nhrp
172.16.1.2/32 via 172.16.1.2
   Tunnel1 created 00:03:06, expire 00:01:31
   Type: dynamic, Flags: unique registered used nhop
   NBMA address: 151.50.233.163
172.16.1.11/32 via 172.16.1.11
   Tunnel1 created 1d02h, expire 00:01:38
   Type: dynamic, Flags: unique registered used nhop
   NBMA address: 46.35.80.240

---- SPOKE -----
   
QSI-BRD#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel1, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1  157.11.44.33      172.16.1.1    UP 00:00:41     S

QSI-BRD#sh ip nhrp
172.16.1.1/32 via 172.16.1.1
   Tunnel1 created 03:11:00, never expire
   Type: static, Flags: used
   NBMA address: 157.11.44.33
   
QSI-BRD#sh crypto session detail
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation

Interface: Tunnel1
Uptime: 00:00:53
Session status: UP-ACTIVE
Peer: 157.11.44.33 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: 157.11.44.33
      Desc: (none)
  IKE SA: local 151.50.233.163/500 remote 157.11.44.33/500 Active
          Capabilities:D connid:2004 lifetime:23:59:05
  IPSEC FLOW: permit 47 host 151.50.233.163 host 157.11.44.33
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 174 drop 0 life (KB/Sec) 4420595/3546
        Outbound: #pkts enc'ed 167 drop 16 life (KB/Sec) 4420594/3546

QSI-BRD#traceroute 172.16.1.11

Type escape sequence to abort.
Tracing the route to 172.16.1.11

  1 172.16.1.1 [AS 65000] 96 msec 96 msec 104 msec
  2 172.16.1.11 [AS 65000] 256 msec *  220 msec

  
QSI-BRD#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel1, IPv4 NHRP Details
Type:Spoke, NHRP Peers:2,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1  157.11.44.33      172.16.1.1    UP 00:01:30     S
     1  46.35.80.240     172.16.1.11    UP 00:00:06     D

QSI-BRD#sh ip nhrp
172.16.1.1/32 via 172.16.1.1
   Tunnel1 created 03:11:46, never expire
   Type: static, Flags: used
   NBMA address: 157.11.44.33
172.16.1.11/32 via 172.16.1.11
   Tunnel1 created 00:00:11, expire 00:01:30
   Type: dynamic, Flags: router used
   NBMA address: 46.35.80.240

QSI-BRD#sh crypto session detail
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation

Interface: Tunnel1
Uptime: 00:00:14
Session status: UP-ACTIVE
Peer: 46.35.80.240 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: 46.35.80.240
      Desc: (none)
  IKE SA: local 151.50.233.163/500 remote 46.35.80.240/500 Active
          Capabilities:D connid:2005 lifetime:23:59:44
  IPSEC FLOW: permit 47 host 151.50.233.163 host 46.35.80.240
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 2 drop 0 life (KB/Sec) 4535453/3585
        Outbound: #pkts enc'ed 1 drop 0 life (KB/Sec) 4535453/3585

Interface: Tunnel1
Uptime: 00:01:38
Session status: UP-ACTIVE
Peer: 157.11.44.33 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: 157.11.44.33
      Desc: (none)
  IKE SA: local 151.50.233.163/500 remote 157.11.44.33/500 Active
          Capabilities:D connid:2004 lifetime:23:58:20
  IPSEC FLOW: permit 47 host 151.50.233.163 host 157.11.44.33
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 289 drop 0 life (KB/Sec) 4420583/3501
        Outbound: #pkts enc'ed 274 drop 16 life (KB/Sec) 4420579/3501

QSI-BRD#traceroute 172.16.1.11

Type escape sequence to abort.
Tracing the route to 172.16.1.11

  1 172.16.1.11 [AS 65000] 220 msec *  216 msec

The hub’s output shows two spokes which dynamically registered. The most interesting output, instead, is the one coming from the spoke.
The spoke shows just the static mapping with the hub, and IPsec shows that only one VPN tunnel exists. The most interesting feature of DMVPN is obviously the dynamic spoke-to-spoke tunnel, and that is what was tested. A traceroute to the second spoke is run, and the first output shows how we pass through the hub before being routed back out to the destination IP address. But this is DMVPN, and we expect a new tunnel to be formed between 172.16.1.2 and 172.16.1.11. The next part of the output shows that this is exactly what happens. A dynamic mapping is added, and NHRP shows the new mapping with different timers. show crypto session detail also shows that a new VPN tunnel has been created, and a second traceroute shows that we now reach the destination IP address without passing through the hub anymore.
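As an added example, not part of the original post, here is a small Python parser for the two outputs used above. It reads the spoke's show dmvpn and show ip nhrp text (the before/after samples are the post's own outputs, trimmed to the tables and embedded as strings), lists which dynamic (D) peers appeared after the traceroute, and joins both outputs to report, for every spoke-to-spoke entry, its NBMA address and the remaining NHRP cache lifetime. Function names and the dict layout are my own.

```python
import re

# Spoke output from the post, before and after traffic to the other spoke triggered a
# spoke-to-spoke tunnel (constructed samples, trimmed to the table/entry lines).
SPOKE_DMVPN_BEFORE = """\
Interface: Tunnel1, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1  157.11.44.33      172.16.1.1    UP 00:00:41     S
"""

SPOKE_DMVPN_AFTER = """\
Interface: Tunnel1, IPv4 NHRP Details
Type:Spoke, NHRP Peers:2,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1  157.11.44.33      172.16.1.1    UP 00:01:30     S
     1  46.35.80.240     172.16.1.11    UP 00:00:06     D
"""

SPOKE_NHRP_AFTER = """\
172.16.1.1/32 via 172.16.1.1
   Tunnel1 created 03:11:46, never expire
   Type: static, Flags: used
   NBMA address: 157.11.44.33
172.16.1.11/32 via 172.16.1.11
   Tunnel1 created 00:00:11, expire 00:01:30
   Type: dynamic, Flags: router used
   NBMA address: 46.35.80.240
"""

IPV4 = r"\d+\.\d+\.\d+\.\d+"
# One peer row of 'show dmvpn': #Ent, NBMA addr, tunnel addr, state, up/down time, attributes
PEER_RE = re.compile(rf"^\s*(\d+)\s+({IPV4})\s+({IPV4})\s+(\S+)\s+(\S+)\s+([A-Z]+)\s*$")


def parse_show_dmvpn(text):
    """Return one dict per peer row of 'show dmvpn'; legend and header lines are skipped."""
    peers = []
    for line in text.splitlines():
        if m := PEER_RE.match(line):
            peers.append({"entries": int(m.group(1)), "nbma": m.group(2), "tunnel": m.group(3),
                          "state": m.group(4), "updown": m.group(5), "attrb": m.group(6)})
    return peers


def parse_show_ip_nhrp(text):
    """Return one dict per NHRP cache entry of 'show ip nhrp' (expire is None for static entries)."""
    entries, cur = [], None
    for line in text.splitlines():
        if m := re.match(rf"^({IPV4}/\d+) via ({IPV4})", line):
            cur = {"prefix": m.group(1), "via": m.group(2), "expire": None}
            entries.append(cur)
            continue
        if cur is None:
            continue
        s = line.strip()
        if m := re.match(r"(\S+) created (\S+), (?:expire (\S+)|never expire)", s):
            cur["interface"], cur["created"], cur["expire"] = m.group(1), m.group(2), m.group(3)
        elif m := re.match(r"Type: (\S+), Flags: (.*)", s):
            cur["type"], cur["flags"] = m.group(1), m.group(2).split()
        elif m := re.match(r"NBMA address: (\S+)", s):
            cur["nbma"] = m.group(1)
    return entries


def to_seconds(hms):
    """Convert an IOS HH:MM:SS timer to seconds."""
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def new_dynamic_peers(before_text, after_text):
    """Tunnel addresses of dynamic (D) peers present in the 'after' output but not before."""
    before = {p["tunnel"] for p in parse_show_dmvpn(before_text)}
    return [p["tunnel"] for p in parse_show_dmvpn(after_text)
            if p["attrb"] == "D" and p["tunnel"] not in before]


def spoke_to_spoke_report(dmvpn_text, nhrp_text, nhs):
    """Join both outputs: for each dynamic peer other than the NHS, give its NBMA address
    and the remaining NHRP cache lifetime in seconds (None if the entry never expires)."""
    expire = {e["via"]: e["expire"] for e in parse_show_ip_nhrp(nhrp_text)}
    report = {}
    for p in parse_show_dmvpn(dmvpn_text):
        if p["attrb"] == "D" and p["tunnel"] != nhs:
            exp = expire.get(p["tunnel"])
            report[p["tunnel"]] = {"nbma": p["nbma"], "expire_s": to_seconds(exp) if exp else None}
    return report
```

On the post's after-traceroute output the report lists 172.16.1.11 at NBMA 46.35.80.240 with 90 seconds left, which is the expire 00:01:30 value of the dynamic show ip nhrp entry: the 100-second holdtime the spokes are configured with is what bounds the spoke-to-spoke entry while traffic keeps refreshing it.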

We now have an overview of how DMVPN works. I hope this post has explained the very basic concepts behind DMVPN and its components.


  1. #1 by Jirka on December 10, 2013 - 10:02 pm

    Now I know your secret password :). I would say you should edit this one to match on HUB and spoke not? ;-)

    • #2 by anubisg1 on December 10, 2013 - 10:07 pm

      not sure what you are seeing ;) , but the IPsec password is matching and on both is “MYSECRETPASSWORD” while the nhrp password is “!@password%$” which btw is too long since it should be maximum 8chars

  2. #3 by Jirka on December 22, 2013 - 2:33 am

    I liked more the one before though :)
