DMVPN – Dynamic Multipoint Virtual Private Network (Part-1)

To reach the final objective, configuring DMVPN in a topology, we will go through several steps.

In part one we will configure the physical connections and several point-to-point GRE over IPsec tunnels between the hub and the spokes.

Then, in part 2, we will configure multipoint GRE on our way to DMVPN.

The 10.0.0.X networks must be considered public addressing; we use private addresses only for the sake of the simulation.

The 172.X.X.X networks will be used as the internal networks, and the 192.168.0.X addresses will be used for the tunnel addresses.

INITIAL TOPOLOGY

[Figure dmvpn1-2: initial topology diagram]

INITIAL CONFIGURATION

INTERNET

hostname INTERNET
!
interface Ethernet0/0
 description Connects to HUB
 ip address 10.0.0.2 255.255.255.252
 no shutdown
!
interface Ethernet0/1
 description Connects to SPOKE1
 ip address 10.0.0.6 255.255.255.252
 no shutdown
!
interface Ethernet0/2
 description Connects to SPOKE2
 ip address 10.0.0.10 255.255.255.252
 no shutdown
!
interface Ethernet0/3
 description Connects to SPOKE3
 ip address 10.0.0.14 255.255.255.252
 no shutdown

HUB

hostname HUB
!
interface Loopback0
 description Local Lan 0
 ip address 172.16.0.1 255.255.254.0
!
interface Loopback1
 description Local Lan 1
 ip address 172.16.2.1 255.255.255.0
!
interface Loopback2
 description Local Lan 2
 ip address 172.16.3.1 255.255.255.0
!
interface Loopback3
 description Local Lan 3
 ip address 172.16.4.1 255.255.252.0
!
interface Ethernet0/0
 description Internet Connection
 ip address 10.0.0.1 255.255.255.252
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 10.0.0.2

SPOKES

hostname SPOKE1
!
interface Loopback0
 description Local 0
 ip address 172.17.0.1 255.255.255.0
!
interface Loopback1
 description Local 1
 ip address 172.17.1.1 255.255.255.0
!
interface Ethernet0/0
 description INTERNET Connection
 ip address 10.0.0.5 255.255.255.252
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 10.0.0.6

hostname SPOKE2
!
interface Loopback0
 description Local 0
 ip address 172.18.0.1 255.255.255.0
!
interface Loopback1
 description Local 1
 ip address 172.18.1.1 255.255.255.0
!
interface Ethernet0/0
 description INTERNET Connection
 ip address 10.0.0.9 255.255.255.252
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 10.0.0.10

hostname SPOKE3
!
interface Loopback0
 description Local 0
 ip address 172.19.0.1 255.255.255.0
!
interface Loopback1
 description Local 1
 ip address 172.19.1.1 255.255.255.0
!
interface Ethernet0/0
 description INTERNET Connection
 ip address 10.0.0.13 255.255.255.252
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 10.0.0.14

TOPOLOGY

[Figure dmvpn1-3: topology with the point-to-point GRE-IPSEC tunnels]

CONFIGURATION STEPS FOR POINT-TO-POINT GRE-IPSEC TUNNELS

  1. Configure the GRE tunnel interfaces with the respective source and destination parameters on the HUB and on all SPOKE routers.
  2. Create the crypto (ISAKMP) policy on each tunnel endpoint.
  3. Create the crypto (pre-shared) key on each tunnel endpoint.
  4. Create the transform-set on each tunnel endpoint.
  5. Create the necessary crypto ACLs for each tunnel.
  6. Create the crypto map entries for each tunnel.
  7. Apply the crypto map to the physical interface.

HUB (STEP – 1) – GRE Tunnel Interfaces

interface Tunnel1
 description Tunnel to SPOKE1
 ip address 192.168.0.1 255.255.255.252
 tunnel source Ethernet0/0
 tunnel destination 10.0.0.5
 tunnel mode gre ip
!
interface Tunnel2
 description Tunnel to SPOKE2
 ip address 192.168.0.5 255.255.255.252
 tunnel source Ethernet0/0
 tunnel destination 10.0.0.9
 tunnel mode gre ip
!
interface Tunnel3
 description Tunnel to SPOKE3
 ip address 192.168.0.9 255.255.255.252
 tunnel source Ethernet0/0
 tunnel destination 10.0.0.13
 tunnel mode gre ip

SPOKES (STEP – 1) – GRE Tunnel Interfaces

!SPOKE1
interface Tunnel1
 description Tunnel to HUB
 ip address 192.168.0.2 255.255.255.252
 tunnel source Ethernet0/0
 tunnel destination 10.0.0.1
 tunnel mode gre ip
!SPOKE2
interface Tunnel2
 description Tunnel to HUB
 ip address 192.168.0.6 255.255.255.252
 tunnel source Ethernet0/0
 tunnel destination 10.0.0.1
 tunnel mode gre ip
!SPOKE3
interface Tunnel3
 description Tunnel to HUB
 ip address 192.168.0.10 255.255.255.252
 tunnel source Ethernet0/0
 tunnel destination 10.0.0.1
 tunnel mode gre ip

HUB (STEP – 2 and 3) – Crypto policy and Key

crypto isakmp policy 1
 authentication pre-share
 hash md5
 encryption des
 group 1
 exit
!one key for all spokes
crypto isakmp key hub$poke address 0.0.0.0
!Or one key for each spoke
!crypto isakmp key hub$poke1 address 10.0.0.5
!crypto isakmp key hub$poke2 address 10.0.0.9
!crypto isakmp key hub$poke3 address 10.0.0.13

SPOKES (STEP – 2 and 3) – Crypto policy and Key

!SPOKE1, SPOKE2, SPOKE3
crypto isakmp policy 1
 authentication pre-share
 hash md5
 encryption des
 group 1
 exit
crypto isakmp key hub$poke address 10.0.0.1

HUB (STEP – 4) – Transform-set

crypto ipsec transform-set TSET esp-des esp-md5-hmac

SPOKES (STEP – 4) – Transform-set

!SPOKE1, SPOKE2, SPOKE3
crypto ipsec transform-set TSET esp-des esp-md5-hmac

HUB (STEP – 5) – Crypto ACL

ip access-list extended HUBTOSPOKE1
 permit gre host 10.0.0.1 host 10.0.0.5
 deny ip any any
ip access-list extended HUBTOSPOKE2
 permit gre host 10.0.0.1 host 10.0.0.9
 deny ip any any
ip access-list extended HUBTOSPOKE3
 permit gre host 10.0.0.1 host 10.0.0.13
 deny ip any any

SPOKES (STEP – 5) – Crypto ACL

!SPOKE1
ip access-list extended SPOKETOHUB-ACL
 permit gre host 10.0.0.5 host 10.0.0.1
 deny ip any any
!SPOKE2
ip access-list extended SPOKETOHUB-ACL
 permit gre host 10.0.0.9 host 10.0.0.1
 deny ip any any
!SPOKE3
ip access-list extended SPOKETOHUB-ACL
 permit gre host 10.0.0.13 host 10.0.0.1
 deny ip any any

HUB (STEP – 6) – Crypto Map

crypto map HUBTOSPOKES 10 ipsec-isakmp
 set peer 10.0.0.5
 set transform-set TSET
 match address HUBTOSPOKE1
crypto map HUBTOSPOKES 20 ipsec-isakmp
 set peer 10.0.0.9
 set transform-set TSET
 match address HUBTOSPOKE2
crypto map HUBTOSPOKES 30 ipsec-isakmp
 set peer 10.0.0.13
 set transform-set TSET
 match address HUBTOSPOKE3

SPOKES (STEP – 6) – Crypto Map

!SPOKE1, SPOKE2, SPOKE3
crypto map SPOKETOHUB 10 ipsec-isakmp
 set peer 10.0.0.1
 set transform-set TSET
 match address SPOKETOHUB-ACL

HUB (STEP – 7) – Apply Crypto Map to interface

interface Ethernet0/0
 crypto map HUBTOSPOKES

SPOKES (STEP – 7) – Apply Crypto Map to interface

!SPOKE1, SPOKE2, SPOKE3
interface Ethernet0/0
 crypto map SPOKETOHUB
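As an added check (my own Python, not part of the original post or the author's lab), the script below audits the HUB's step 2 to 6 crypto configuration: it flags the legacy DES, MD5 and DH group 1 settings and the wildcard pre-shared key, and verifies that every crypto map entry's `set peer` matches the GRE destination in its crypto ACL. The configuration is embedded as a constructed sample with only map entries 10 and 30, and entry 30's peer is deliberately mistyped so the consistency check has something to report.

```python
import re

# Constructed sample from this post's HUB config (steps 2 to 6, map entries 10 and 30 only);
# entry 30's peer is deliberately mistyped as 10.0.0.14 so the consistency check reports it.
HUB_CONFIG = """\
crypto isakmp policy 1
 hash md5
 encryption des
 group 1
crypto isakmp key hub$poke address 0.0.0.0
crypto ipsec transform-set TSET esp-des esp-md5-hmac
ip access-list extended HUBTOSPOKE1
 permit gre host 10.0.0.1 host 10.0.0.5
ip access-list extended HUBTOSPOKE3
 permit gre host 10.0.0.1 host 10.0.0.13
crypto map HUBTOSPOKES 10 ipsec-isakmp
 set peer 10.0.0.5
 match address HUBTOSPOKE1
crypto map HUBTOSPOKES 30 ipsec-isakmp
 set peer 10.0.0.14
 match address HUBTOSPOKE3
"""

# Legacy algorithms IOS still accepts; fine for a lab, not for a production tunnel.
WEAK = {"hash md5": "ISAKMP hash md5", "encryption des": "ISAKMP encryption des",
        "group 1": "ISAKMP DH group 1 (768-bit)", "esp-des": "transform-set esp-des",
        "esp-md5-hmac": "transform-set esp-md5-hmac"}

def audit_algorithms(config):
    """Return weak algorithm settings and wildcard pre-shared keys found in config."""
    found = [msg for pat, msg in WEAK.items() if re.search(rf"\b{re.escape(pat)}\b", config)]
    if re.search(r"^crypto isakmp key \S+ address 0\.0\.0\.0\b", config, re.M):
        found.append("wildcard PSK: any peer that knows the key may negotiate IKE")
    return found

def check_peer_vs_acl(config):
    """Flag crypto map entries whose 'set peer' differs from the GRE destination in their ACL."""
    acl_dst, maps, ctx = {}, {}, None  # ctx is ("acl", name) or ("map", "NAME SEQ")
    for line in config.splitlines():
        if m := re.match(r"ip access-list extended (\S+)", line):
            ctx = ("acl", m[1])
        elif m := re.match(r"crypto map (\S+ \d+) ipsec-isakmp", line):
            ctx = ("map", m[1])
        elif ctx and ctx[0] == "acl" and (m := re.match(r" permit gre host \S+ host (\S+)", line)):
            acl_dst[ctx[1]] = m[1]  # the GRE destination this ACL selects for encryption
        elif ctx and ctx[0] == "map" and (m := re.match(r" (set peer|match address) (\S+)", line)):
            maps.setdefault(ctx[1], {})[m[1]] = m[2]
    return [f"{entry}: set peer {a.get('set peer')} but {a.get('match address')} "
            f"matches GRE to {acl_dst.get(a.get('match address'))}"
            for entry, a in maps.items() if acl_dst.get(a.get("match address")) != a.get("set peer")]
```

Run `audit_algorithms(HUB_CONFIG)` and `check_peer_vs_acl(HUB_CONFIG)` against the running configuration of each router; a mismatched peer shows up as an IPsec SA that never comes up, which is hard to spot from `show crypto isakmp sa` alone.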

To finish this stage we will configure a routing protocol to distribute the local LANs through the GRE over IPsec tunnels across the Internet.

HUB – EIGRP CONFIGURATION

router eigrp 10
 network 172.16.0.0 0.0.7.255
 network 192.168.0.1 0.0.0.0
 network 192.168.0.5 0.0.0.0
 network 192.168.0.9 0.0.0.0
 passive-interface default
 no passive-interface Tunnel1
 no passive-interface Tunnel2
 no passive-interface Tunnel3

SPOKES – EIGRP CONFIGURATION

!SPOKE1
router eigrp 10
 network 172.17.0.0 0.0.1.255
 network 192.168.0.2 0.0.0.0
 passive-interface default
 no passive-interface Tunnel1
!SPOKE2
router eigrp 10
 network 172.18.0.0 0.0.1.255
 network 192.168.0.6 0.0.0.0
 passive-interface default
 no passive-interface Tunnel2
!SPOKE3
router eigrp 10
 network 172.19.0.0 0.0.1.255
 network 192.168.0.10 0.0.0.0
 passive-interface default
 no passive-interface Tunnel3

VERIFICATION

HUB# show ip route eigrp

<output omitted>

Gateway of last resort is 10.0.0.2 to network 0.0.0.0

 172.17.0.0/24 is subnetted, 2 subnets
D 172.17.0.0 [90/27008000] via 192.168.0.2, 00:01:01, Tunnel1
D 172.17.1.0 [90/27008000] via 192.168.0.2, 00:01:01, Tunnel1
 172.18.0.0/24 is subnetted, 2 subnets
D 172.18.0.0 [90/27008000] via 192.168.0.6, 00:00:49, Tunnel2
D 172.18.1.0 [90/27008000] via 192.168.0.6, 00:00:49, Tunnel2
 172.19.0.0/24 is subnetted, 2 subnets
D 172.19.0.0 [90/27008000] via 192.168.0.10, 00:00:37, Tunnel3
D 172.19.1.0 [90/27008000] via 192.168.0.10, 00:00:37, Tunnel3
 192.168.0.0/24 is variably subnetted, 6 subnets, 2 masks

HUB# ping 172.17.0.1 source 172.16.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.17.0.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.0.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/5/6 ms

HUB# ping 172.18.0.1 source 172.16.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.18.0.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.0.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/5/6 ms

HUB# ping 172.19.0.1 source 172.16.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.19.0.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.0.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/5/6 ms

IMPLEMENTATION ISSUES

  • Multiple tunnel interfaces have to be configured on the HUB router, one per spoke.
  • The IPsec tunnels are statically configured (one crypto map entry and one crypto ACL per peer).
  • A hub-and-spoke topology is tedious to maintain and does not scale well in large deployments.
  • A full-mesh topology requires too much configuration on every router, which becomes an obstacle to management.

In Part Two we will move on to multipoint GRE protected by IPsec on our way to DMVPN.

Until then stay good.
