DMVPN - best VPN solution?
- jakubkaminski12
- Jun 16, 2019
- 4 min read
VPNs are a very popular solution for companies that don't want to spend a hell of a lot of money on private links between their headquarters and branch offices.
A VPN runs over Internet links, so the links are obviously a bit slower than MPLS, VPLS or another private cloud; however, it still offers benefits and connects your offices in a secure and simple way.
VPNs may also be used for simple site-to-site tunnels between different businesses, or combined with private-link solutions for smaller offices.
There are in general two types of VPN: IPSEC and GRE.
IPSEC is great because it is fully secured, with data protected in transit and secure algorithms employed on both ends of the tunnel. However, it has one quite big disadvantage - it cannot pass multicast and broadcast traffic, only unicast.
What comes to the rescue here is the GRE tunnel, which is totally open and can transport any traffic, allowing routing protocols, etc. However, it is not secure.
So how do we combine those two to make it work in a secure and protocol-rich way?
We can use GRE over IPSEC - simple, and it works well, but...
What if you have 10 or more offices? You have to create so many tunnels: one between each branch and the headquarters, and then between branches if needed too. This is a lot of overhead.
So how do we solve this headache?
Well, some wise heads came up with what's called DMVPN - Dynamic Multipoint VPN:
What is this?
It is a solution that builds the VPN dynamically, as and when needed. There is a hub router that holds the tunnels and a database of all connections between branches. It is the brain of the entire operation. This router would normally be situated in the headquarters or the primary datacenter (obviously we can have a backup in the backup datacenter).
The other branch routers are called spokes, and they establish a connection to the hub.
They can either speak to each other through the hub, which is called phase 1 DMVPN, or establish a tunnel directly with each other using the information held by the hub - phase 2 DMVPN.
The protocol that makes it all work is NHRP - Next Hop Resolution Protocol.
DMVPN combines multipoint GRE (mGRE) tunnels, IPSec encryption and NHRP (Next Hop Resolution Protocol). NHRP is a layer 2 resolution protocol and cache, much like Address Resolution Protocol (ARP) or Reverse ARP (Frame Relay).
The hub router takes the role of the server, while the spoke routers act as the clients. The hub maintains a special NHRP database with the public IP addresses of all configured spokes.
Each spoke registers its public IP address with the hub and queries the NHRP database for the public IP address of the destination spoke it needs to build a VPN tunnel with.
If you want to set it up in your lab, take a look below. ENJOY!!
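To make the registration/resolution exchange concrete, here is an added toy model (example code, not from the post and not a Cisco implementation) of the hub's NHRP database and the two phases described above. Hub, Spoke, build_lab and the hostnames R1-R3 are assumed names; the tunnel and WAN addresses are the ones used in the lab below, and the model only checks the authentication string, which NHRP carries in its packets.

```python
from dataclasses import dataclass, field

@dataclass
class Hub:
    """Next-hop server: holds the NHRP database (tunnel IP -> public/NBMA IP)."""
    tunnel_ip: str
    nbma_ip: str
    auth: str  # the 'ip nhrp authentication' string, carried in NHRP packets
    nhrp_db: dict = field(default_factory=dict)

    def register(self, tunnel_ip, nbma_ip, auth):
        """Spoke registration: learn which public IP a tunnel IP sits behind."""
        if auth != self.auth:  # mismatched authentication string -> dropped
            return False
        self.nhrp_db[tunnel_ip] = nbma_ip
        return True

    def resolve(self, tunnel_ip, auth):
        """Resolution request: public IP for a tunnel IP, or None if unknown."""
        return self.nhrp_db.get(tunnel_ip) if auth == self.auth else None

@dataclass
class Spoke:
    """Next-hop client; knows the hub statically ('ip nhrp map' / 'ip nhrp nhs')."""
    tunnel_ip: str
    nbma_ip: str
    hub: Hub
    auth: str
    phase: int  # 1 = every packet goes via the hub, 2 = direct spoke-to-spoke

    def register(self):
        return self.hub.register(self.tunnel_ip, self.nbma_ip, self.auth)

    def next_hop_nbma(self, dst_tunnel_ip):
        """Public IP the GRE/IPsec packet towards dst_tunnel_ip is sent to."""
        if self.phase == 1:
            return self.hub.nbma_ip
        resolved = self.hub.resolve(dst_tunnel_ip, self.auth)
        return resolved or self.hub.nbma_ip  # not resolved yet: hairpin via hub

def build_lab(phase=2, r2_auth="tbroute"):
    """Constructed topology with the tunnel and WAN addresses used in the lab below."""
    r3 = Hub("172.16.0.1", "1.1.1.1", "tbroute")
    spokes = [Spoke("172.16.0.2", "2.2.2.1", r3, "tbroute", phase),
              Spoke("172.16.0.3", "3.3.3.1", r3, r2_auth, phase)]
    return r3, spokes, [s.register() for s in spokes]
```

In phase 1 R1 sends everything for R2's tunnel address to the hub's public IP; in phase 2 it resolves 172.16.0.3 to 3.3.3.1 and tunnels directly, falling back to the hub while a spoke is unknown (for example because its authentication string did not match at registration).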

CONFIGS:
HUB - R3:
interface GigabitEthernet1/0
description LAN-Network
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
!
interface GigabitEthernet3/0
description WAN-Network
ip address 1.1.1.1 255.255.255.252
duplex auto
speed auto
interface Tunnel0
description mGRE - DMVPN Tunnel
ip address 172.16.0.1 255.255.255.0
no ip redirects
ip nhrp authentication tbroute
ip nhrp map multicast dynamic
ip nhrp network-id 1
tunnel source 1.1.1.1
tunnel mode gre multipoint
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 86400
!
crypto isakmp key tbroute address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto ipsec profile protect-gre
set security-association lifetime seconds 86400
set transform-set TS
!
interface Tunnel 0
tunnel protection ipsec profile protect-gre
[The peer address for which the isakmp key is valid is 0.0.0.0 0.0.0.0, which means every possible host on the Internet. This is because spokes may have dynamic IP addresses.]
ip route 192.168.2.0 255.255.255.0 172.16.0.2
ip route 192.168.3.0 255.255.255.0 172.16.0.3
[Routes can be static or learned via a routing protocol - for simplicity I used static routes here.]
SPOKE - R1:
interface GigabitEthernet2/0
description LAN-Network
ip address 192.168.2.1 255.255.255.0
duplex auto
speed auto
!
interface GigabitEthernet1/0
description WAN-Network
ip address 2.2.2.1 255.255.255.252
duplex auto
speed auto
interface Tunnel0
description R1 mGRE - DMVPN Tunnel
ip address 172.16.0.2 255.255.255.0
no ip redirects
ip nhrp authentication tbroute
ip nhrp map multicast dynamic
ip nhrp map 172.16.0.1 1.1.1.1
ip nhrp map multicast 1.1.1.1
ip nhrp network-id 1
ip nhrp nhs 172.16.0.1
tunnel source GigabitEthernet1/0
tunnel mode gre multipoint
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 86400
!
crypto isakmp key tbroute address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto ipsec profile protect-gre
set security-association lifetime seconds 86400
set transform-set TS
!
interface Tunnel 0
tunnel protection ipsec profile protect-gre
ip route 192.168.1.0 255.255.255.0 172.16.0.1
ip route 192.168.3.0 255.255.255.0 172.16.0.3
SPOKE - R2:
interface GigabitEthernet1/0
description LAN-Network
ip address 192.168.3.1 255.255.255.0
duplex auto
speed auto
!
interface GigabitEthernet2/0
description WAN-Network
ip address 3.3.3.1 255.255.255.252
duplex auto
speed auto
interface Tunnel0
description R2 mGRE - DMVPN Tunnel
ip address 172.16.0.3 255.255.255.0
no ip redirects
ip nhrp authentication tbroute
ip nhrp map multicast dynamic
ip nhrp map 172.16.0.1 1.1.1.1
ip nhrp map multicast 1.1.1.1
ip nhrp network-id 1
ip nhrp nhs 172.16.0.1
tunnel source GigabitEthernet2/0
tunnel mode gre multipoint
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 86400
!
crypto isakmp key tbroute address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto ipsec profile protect-gre
set security-association lifetime seconds 86400
set transform-set TS
!
interface Tunnel 0
tunnel protection ipsec profile protect-gre
ip route 192.168.1.0 255.255.255.0 172.16.0.1
ip route 192.168.2.0 255.255.255.0 172.16.0.2
-----------------------------------------------------------------------------------
The cloud is another router (R4) that has interfaces on the other end of the /30 subnets and a static route for each public network, e.g. ip route 1.1.1.0 255.255.255.252 1.1.1.1
Each spoke has a default static route pointing to the IP on the cloud (R4), e.g. on R1: ip route 0.0.0.0 0.0.0.0 2.2.2.2
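Before moving a lab config like this towards production, it is worth checking the IKE/IPsec and NHRP lines mechanically. The following is an added example (not the post's config and not a Cisco tool): a small Python audit over text in the `show running-config` layout (sub-mode lines indented by one space). HUB is a constructed trim of the R3 config above and SPOKE is derived from it; the functions first, crypto_findings and nhrp_findings are assumed names. It flags the 3DES/MD5/DH group 2 choices, which are deprecated, and the any-peer pre-shared key, and cross-checks the spoke's NHRP pointers against the hub.

```python
import re

# Constructed sample (not the post's full config): the IKE/IPsec and NHRP lines
# of the hub above, trimmed to what the checks need; SPOKE is derived from it.
HUB = """\
interface Tunnel0
 ip address 172.16.0.1 255.255.255.0
 ip nhrp authentication tbroute
 ip nhrp network-id 1
 tunnel source 1.1.1.1
crypto isakmp policy 1
 encr 3des
 hash md5
 group 2
crypto isakmp key tbroute address 0.0.0.0 0.0.0.0
crypto ipsec transform-set TS esp-3des esp-md5-hmac
"""
SPOKE = HUB.replace("172.16.0.1 255", "172.16.0.2 255").replace(
    " tunnel source 1.1.1.1", " ip nhrp map 172.16.0.1 1.1.1.1\n ip nhrp nhs 172.16.0.1")

# Deprecated IKEv1/IPsec choices and the stronger IOS keywords to use instead.
WEAK = {"encr 3des": "use 'encr aes 256'", "hash md5": "use 'hash sha256'",
        "group 2": "use 'group 14' or higher", "esp-3des": "use 'esp-aes 256'",
        "esp-md5-hmac": "use 'esp-sha256-hmac'"}

def first(pattern, text):
    """First capture group of a multiline regex match, or None."""
    m = re.search(pattern, text, re.M)
    return m.group(1) if m else None

def crypto_findings(cfg):
    """(setting, advice) for each weak algorithm, plus the any-peer PSK if present."""
    hits = [(k, v) for k, v in WEAK.items() if re.search(rf"\b{re.escape(k)}\b", cfg)]
    if re.search(r"^crypto isakmp key \S+ address 0\.0\.0\.0 0\.0\.0\.0", cfg, re.M):
        hits.append(("wildcard PSK", "every Internet host may attempt IKE with this key; "
                     "scope it to known peers or move to certificate authentication"))
    return hits

def nhrp_findings(hub, spoke):
    """Cross-check the spoke's NHRP pointers against what the hub is configured with."""
    problems = []
    if first(r"^ ip nhrp authentication (\S+)", hub) != first(r"^ ip nhrp authentication (\S+)", spoke):
        problems.append("'ip nhrp authentication' string differs between hub and spoke")
    hub_tun, hub_src = first(r"^ ip address (\S+) ", hub), first(r"^ tunnel source (\S+)", hub)
    if first(r"^ ip nhrp nhs (\S+)", spoke) != hub_tun:
        problems.append("spoke 'ip nhrp nhs' does not point at the hub tunnel address")
    if first(rf"^ ip nhrp map {re.escape(hub_tun)} (\S+)", spoke) != hub_src:
        problems.append("spoke 'ip nhrp map' for the hub does not match its tunnel source")
    return problems
```

Run against the lab text the NHRP cross-checks come back clean, while crypto_findings reports all five weak algorithm keywords plus the wildcard key, which the post accepts deliberately for spokes with dynamic addresses.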