DMVPN Basic

-
Summary:
  • DMVPN stands for Dynamic Multipoint Virtual Private Network.
  • DMVPN is used to create a hub-and-spoke VPN architecture.
  • DMVPN Phase 1 provides hub-and-spoke communication. Spoke-to-spoke communication will always traverse the hub router. 
  • DMPVN Phase 2 supports dynamic spoke-to-spoke tunnels (appropriate routing configuration required). 


DMVPN Components:

  • mGRE - Multipoint GRE eliminates the need for numerous point-to-point GRE tunnels.
  • NHRP - Next Hop Resolution Protocol, used for mapping the WAN IP address to the GRE tunnel IP address.
  • IPSec - IP Security, used for securing TCP/IP traffic. IPSec is optional but recommended.

The Hub maintains a special NHRP database with the public IP Addresses of all configured spokes.

Each spoke registers its public IP address with the hub and queries the NHRP database for the public IP address of the destination spoke it needs to build a VPN tunnel.

mGRE Tunnel Interface is used to allow a single GRE interface to support multiple IPSec tunnels and helps dramatically to simplify the complexity and size of the configuration.

 A GRE interface definition includes:

interface Tunnel 0

ip address 10.0.0.1 255.0.0.0
tunnel source Dialer1
tunnel destination 172.16.0.2
tunnel key 1        (optional)

mGRE interface definition includes:

interface Tunnel 0

ip address 10.0.0.1 255.0.0.0
tunnel source Dialer 1
tunnel mode gre multipoint
tunnel key 1

It is important to note that mGRE interfaces do not have a tunnel destination. Because mGRE tunnels do not have a tunnel destination defined, they cannot be used alone.  NHRP fills this gap by telling mGRE where to send the packets.

DMVPN OPERATION - HOW DMVPN OPERATES

Before diving into the configuration of our routers, we’ll briefly explain how the DMVPN is expected to work. This will help in understanding how DMVPN operates in a network:

  • Each spoke has a permanent IPSec tunnel to the hub but not to the other spokes within the network.
  • Each spoke registers as a client of the NHRP server. The Hub router undertakes the role of the NHRP server.
  • When a spoke needs to send a packet to a destination (private) subnet on another spoke, it queries the NHRP server for the real (outside) address of the destination (target) spoke.
  • After the originating spoke learns the peer address of the target spoke, it can initiate a dynamic IPSec tunnel to the target spoke.
  • The spoke-to-spoke tunnel is built over the multipoint GRE (mGRE) interface.
  • The spoke-to-spoke links are established on demand whenever there is traffic between the spokes. Thereafter, packets are able to bypass the hub and use the spoke-to-spoke tunnel.
  • All data traversing the GRE tunnel is encrypted using IPSecurity (optional)













FOUR STEPS TO FULLY CONFIGURE CISCO DMVPN

To help simplify the configuration of DMVPN we’ve split the process into 4 easy-to-follow steps. Each step is required to be completed before moving to the next one. These steps are:

  • Configure the DMVPN Hub
  • Configure the DMVPN Spoke(s)
  • Protect the mGRE tunnels with IPSecurity (optional)
  • Configure Routing Between DMVPN mGRE Tunnels (static routing or routing protocol)


CONFIGURING THE DMVPN HUB ROUTER

nterface Tunnel0

 description mGRE - DMVPN Tunnel
 ip address 172.16.0.1 255.255.255.0
 no ip redirects
 ip nhrp authentication firewall
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source 203.0.113.10
 tunnel mode gre multipoint

Engineers familiar with GRE Tunnels will immediately notice the absence of the tunnel destination command. It has been replaced with the tunnel mode gre multipointcommand, which designates this tunnel as a multipoint GRE tunnel.

The ip nhrp map multicast dynamic command enables the forwarding of multicast traffic across the tunnel to dynamic spokes. This is usually required by routing protocols such as OSPF and EIGRP.  In most cases, DMVPN is accompanied by a routing protocol to send and receive dynamic updates about the private networks.

The ip nhrp network-id 1 command is used to identify this DMVPN cloud. All routers participating in this DMVPN cloud must have the same network-id configured in order for tunnels to form between them.

The ip nhrp authentication command is used to allow the authenticated updates and queries to the NHRP Database, ensuring unwanted queries are not provided with any information about the DMVPN network.


CONFIGURING THE DMVPN SPOKES ROUTERS

interface Tunnel0
 description mGRE - DMVPN Tunnel
 ip address 172.16.0.2 255.255.255.0
 no ip redirects
 ip nhrp authentication firewall
 ip nhrp map multicast dynamic
 ip nhrp map 172.16.0.1 203.0.113.10
 ip nhrp map multicast 203.0.113.10
 ip nhrp network-id 1
 ip nhrp nhs 172.16.0.1
 tunnel source Ethernet0/0
 tunnel mode gre multipoint

After a couple of seconds, we receive confirmation that our tunnel interface is up:

*May 11 18:20:39.917: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up

The ip nhrp nhs 172.16.0.1 command tells our spoke router who the Next Hop Server (NHS) is, while the ip nhrp map 172.16.0.1 203.0.113.10 command maps the NHS address (172.16.0.1) to the Hub’s (R1) public IP address (203.0.113.10).

The ip nhrp map multicast 203.0.113.10 ensures multicast traffic is sent only from spokes to the hub and not from spoke to spoke. All multicast traffic should be received by the hub, processed and then updates are sent out to the spokes.

Lastly, notice that tunnel source FastEthernet0/1 command. All spokes with dynamic WAN IP address must be configured to bind the physical WAN interface as the tunnel source. This way,  when the spoke’s WAN IP changes, it will be able to update the NHS server with its new WAN IP address.


VERIFYING DMVPN FUNCTIONALITY AT THE R1 HUB ROUTER

Hub#sh d
*May 11 18:27:35.502: %SYS-5-CONFIG_I: Configured from console by console
Hub#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel0, IPv4 NHRP Details
Type:Hub, NHRP Peers:2,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 203.0.113.2          172.16.0.2    UP 00:06:58     D
     1 203.0.113.6          172.16.0.3    UP 00:00:52     D

Hub#

The first column #Ent shows the number of entries that exist in the NHRP Database for the same spoke. Usually, we wouldn’t expect to see more than one for each spoke.

The second column Peer NBMA Addr presents the spoke’s public IP address, while the third column, Peer Tunnel Add, shows each spoke’s local Tunnel’s IP address. 

Next, the State column shows the current state the tunnel is in. In our case, both tunnels are UP. Right next to the State is the UpDN Tm, which is the Up or Down Time of the current State.  This is a very important bit of information as you can clearly see out how long your tunnel has been in its current state.

Lastly, the Attrib column shows the type of tunnels established by the spokes. D stands for Dynamic, S for Static and I for Incomplete. Usually dynamic spokes will create D type tunnels. Tunnels established from the spokes to the Hub router are expected to be type, since the Hub remains static.


VERIFYING DMVPN FUNCTIONALITY AT THE R2 & R3 SPOKE ROUTER

Remote-2#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel0, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 203.0.113.10         172.16.0.1    UP 00:04:31     S


ROTECTING - ENCRYPTING DMVPN MGRE TUNNELS WITH IPSEC

crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 86400
!
crypto isakmp key firewall.cx address 0.0.0.0
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto ipsec profile protect-gre
set security-association lifetime seconds 86400
set transform-set TS
!
interface Tunnel 0
tunnel protection ipsec profile protect-gre


VERIFYING THE DMVPN CRYPTO TUNNELS

Hub#sh crypto session
Crypto session current status

Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 203.0.113.6 port 500
  Session ID: 0
  IKEv1 SA: local 203.0.113.10/500 remote 203.0.113.6/500 Active
  IPSEC FLOW: permit 47 host 203.0.113.10 host 203.0.113.6
        Active SAs: 2, origin: crypto map

Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 203.0.113.2 port 500
  Session ID: 0
  IKEv1 SA: local 203.0.113.10/500 remote 203.0.113.2/500 Active
  IPSEC FLOW: permit 47 host 203.0.113.10 host 203.0.113.2
        Active SAs: 2, origin: crypto map


ROUTING BETWEEN DMVPN MGRE TUNNELS

router eigrp 100
 network 172.16.0.0 0.0.0.255
 network 192.168.0.0 0.0.255.255

Following two commands need be added to Hub tunnel interface for EIGRP
interface Tunnel0
 description mGRE - DMVPN Tunnel
 ip address 172.16.0.1 255.255.255.0
 no ip redirects
 no ip next-hop-self eigrp 100
 no ip split-horizon eigrp 100
 ip nhrp authentication firewall
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source 203.0.113.10
 tunnel mode gre multipoint
 tunnel protection ipsec profile protect-gre
end


Hub#sh ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(100)
H   Address                 Interface              Hold Uptime   SRTT   RTO  Q  Seq
                                                   (sec)         (ms)       Cnt Num
1   172.16.0.2              Tu0                      14 00:00:27   15  1470  0  1
0   172.16.0.3              Tu0                      14 00:00:33    9  1470  0  1













http://www.firewall.cx/cisco-technical-knowledgebase/cisco-services-tech/896-cisco-dmvpn-intro.html

http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/901-cisco-router-dmvpn-configuration.html

Comments

Post a Comment

Popular posts from this blog

Firepower FMC and FTD troubleshooting

-
 1. Display real time log on FMC or FTD: pigtail for example: pigtail | grep 192.168.2.20                      pigtail | grep sftunnel 2. Restart communication channel manage_procs.pl run it from  the sensor only, run it from FMC will reset all sensors' channel. This scripts are nice to be used when the FMC and FTD have communication problems like heartbeats are not received, policy deployment is failing or events are not received > expert ************************************************************** NOTICE - Shell access will be deprecated in future releases          and will be replaced with a separate expert mode CLI. ************************************************************** admin@FTD:~$ sudo su Password: root@FTD:/home/admin# manage_procs.pl ****************  Configuration Utility  **************  1   Reconfigure Correlator  2   Reconfigure and flush Correlator  3    Restart Comm. channel  4   Update routes  5   Reset all routes  6   Validate Network  0   Exit *****
Read more

ASA IKEv1 VPN troubleshooting Steps and Tips

-
  1. Phase I proposal mismatch  Run show crypto isakmp sa  Initiator: MM_WAIT_MSG2 Responder: No info  Most likely this is phase1 proposal mismatch, verify IKEv1 policy, other symptoms:   Initiator log: Information Exchange processing failed All configured IKE versions failed to establish the tunnel Initiator debug: Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping Responder log: Error processing payload: Payload ID Responder debug:  All SA proposals found unacceptable 2. IKE version mismatch:  Run  show crypto isakmp sa  no info at both initiator and responder Initiator log: Removing peer from correlator table failed, no match! Reason: User Requested  All configured IKE versions failed to establish the tunnel Initiator debug: Oakley begin quick mode PHASE 1 COMPLETED IKE Initiator sending 1st QM pkt Removing peer from correlator table failed, no match! Session is being torn down. Reason: User Requested Responder log: Tunnel Rejected: Conflicting protocols specified
Read more

Firepower 2100/1100 FTD/ASA initial setup, reimage, upgrade.

-
  Chassis FXOS and FTD share same management IP (default 192.168.45.45) Chassis FXOS (192.168.45.45) and ASA ()use different management IP although on same physical interface. SSH to FXOS/FTD are on FTD CLI prompt, go to FXOS using the  connect fxos  command Console to Chassis is on FXOS CLI prompt, go to FTD using the  connect ftd  command The Firepower 1100 does not support the FXOS Firepower Chassis Manager; only a limited CLI is supported for troubleshooting purposes. The Firepower 2100 runs an underlying operating system called the Firepower eXtensible Operating System (FXOS).  If you run ASA on Firepower 2100, ASA can be in the following modes: Appliance mode (the default after ASA 9.13)—Appliance mode lets you configure all settings in the ASA. Only advanced troubleshooting commands are available from the FXOS CLI. See the  FXOS troubleshooting guide  for more information. Firepower Chassis Manager is not supported . ciscoasa# connect fxos [admin] Connecting to fxos. Connected
Read more