Introduction:
This document gives brief information about DMVPN, followed by a configuration example that shows DMVPN first without IPsec and then with IPsec.
What is DMVPN?
DMVPN stands for Dynamic Multipoint VPN and is an effective solution for building dynamic, secure overlay networks. In short, DMVPN is a combination of the following technologies:
- Multipoint GRE (mGRE)
- Next-Hop Resolution Protocol (NHRP)
- Dynamic IPsec encryption
Dynamic Multipoint VPN (DMVPN) is Cisco’s answer to the increasing demands of enterprise companies to be able to connect branch offices with head offices and between each other while keeping costs low, minimizing configuration complexity and increasing flexibility.
With DMVPN, one central router, usually placed at the head office, takes the role of the Hub, while all other branch routers are Spokes that connect to the Hub so the branch offices can reach the company’s resources. DMVPN has two main deployment designs:
- DMVPN Hub & Spoke, used to perform headquarters-to-branch interconnections
- DMVPN Spoke-to-Spoke, used to perform branch-to-branch interconnections
In both cases, the Hub router is assigned a static public IP address, while the branch routers (spokes) can be assigned static or dynamic public IP addresses.
Example:
Physical Connectivity:
DMVPN Operation:
Before diving into the configuration of our routers, we briefly explain how DMVPN is expected to work. This will help in understanding what the configuration below actually does:
- Each spoke has a permanent IPSec tunnel to the hub but not to the other spokes within the network.
- Each spoke registers as a client of the NHRP server. The Hub router undertakes the role of the NHRP server.
- When a spoke needs to send a packet to a destination (private) subnet on another spoke, it queries the NHRP server for the real (outside) address of the destination (target) spoke.
- After the originating spoke learns the peer address of the target spoke, it can initiate a dynamic IPSec tunnel to the target spoke.
- The spoke-to-spoke tunnel is built over the multipoint GRE (mGRE) interface.
- The spoke-to-spoke links are established on demand whenever there is traffic between the spokes. Thereafter, packets are able to bypass the hub and use the spoke-to-spoke tunnel.
- All data traversing the GRE tunnel is encrypted with IPsec (optional; it is added in the second part of the example).
Configuration:
The four routers share one lab topology: ROUTER 4 acts as the ISP and has a directly connected subnet to each of the other three routers, ROUTER 1 is the Hub with the fixed public address 192.168.1.100, and ROUTER 2 and ROUTER 3 are Spokes. Note that the static routes on the spokes only reach the hub's public address; for spoke-to-spoke tunnels each spoke also needs a route to the other spokes' public addresses (for example a default route towards the ISP), and the loopback subnets become reachable across the overlay only once routes for them exist over Tunnel0 (static or from a routing protocol), which this example does not cover.
ROUTER 4 (ISP)
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
speed auto
full-duplex
!
interface FastEthernet0/1
ip address 192.168.2.1 255.255.255.0
speed auto
full-duplex
!
interface FastEthernet1/0
ip address 192.168.3.1 255.255.255.0
speed auto
full-duplex
ROUTER 1 (Hub)
interface Loopback0
ip address 192.168.0.1 255.255.255.0
!
!
interface Tunnel0
ip address 10.1.1.1 255.255.255.0
no ip redirects
ip nhrp map multicast dynamic
ip nhrp network-id 1
tunnel source 192.168.1.100
tunnel mode gre multipoint
!
!
interface FastEthernet0/0
ip address 192.168.1.100 255.255.255.0
duplex full
speed auto
!
!
ip route 192.168.2.0 255.255.255.0 192.168.1.1
ip route 192.168.3.0 255.255.255.0 192.168.1.1
!
ROUTER 2 (Spoke)
!
interface Loopback0
ip address 172.16.2.1 255.255.255.0
!
!
interface Tunnel0
ip address 10.1.1.2 255.255.255.0
no ip redirects
ip nhrp map 10.1.1.1 192.168.1.100
ip nhrp map multicast 192.168.1.100
ip nhrp network-id 1
ip nhrp nhs 10.1.1.1
tunnel source 192.168.2.2
tunnel mode gre multipoint
!
!
interface FastEthernet0/0
ip address 192.168.2.2 255.255.255.0
duplex full
speed auto
!
!
ip route 192.168.1.100 255.255.255.255 192.168.2.1
!
!
ROUTER 3 (Spoke)
!
interface Loopback0
ip address 172.16.3.1 255.255.255.0
!
!
interface Tunnel0
ip address 10.1.1.3 255.255.255.0
no ip redirects
ip nhrp map multicast 192.168.1.100
ip nhrp map 10.1.1.1 192.168.1.100
ip nhrp network-id 1
ip nhrp nhs 10.1.1.1
tunnel source 192.168.3.3
tunnel mode gre multipoint
!
!
interface FastEthernet0/0
ip address 192.168.3.3 255.255.255.0
duplex full
speed auto
!
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
!
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip route 192.168.1.100 255.255.255.255 192.168.3.1
!
!
Up to this point the DMVPN runs without IPsec: the mGRE tunnels and NHRP registration work, but everything crossing ROUTER 4 is plain GRE.
IPSEC:
Next, add IPsec so that traffic on the tunnel is no longer sent in clear text. This configuration is added to the hub and to each spoke, not to ROUTER 4 (the ISP only forwards the ESP packets). The parameters below (3DES, MD5, DH group 2) reproduce the original lab and are all deprecated today; also note that the pre-shared key "firewall" is bound to 0.0.0.0 0.0.0.0, so it is accepted from any peer address and anyone who knows it can bring up IKE with every router.
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key firewall address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto ipsec profile protect-gre
set security-association lifetime seconds 86400
set transform-set TS
!
Then apply the profile to the tunnel interface on the hub and on each spoke:
interface Tunnel0
tunnel protection ipsec profile protect-gre
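A practitioner would not deploy the policy above outside a lab. The following block is an added example, not part of the original page, showing the same structure with current algorithms: AES-256 instead of 3DES, SHA-256 instead of MD5, DH group 14 instead of group 2, transport mode for the ESP SA, and a placeholder in place of the key. The transform-set name TS-AES and the string REPLACE-WITH-LONG-RANDOM-KEY are assumptions; the profile name protect-gre is kept so the tunnel protection command above applies unchanged.

```cisco
! Added example: hardened replacement for the IKEv1/IPsec block above.
! Apply on the hub and on every spoke; the ISP router needs nothing.
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
!
! With pre-shared keys and dynamically addressed spokes the wildcard
! address cannot be avoided (spokes also authenticate each other for
! spoke-to-spoke tunnels), so all the strength lies in the key itself.
! REPLACE-WITH-LONG-RANDOM-KEY is a placeholder, not a real key.
crypto isakmp key REPLACE-WITH-LONG-RANDOM-KEY address 0.0.0.0 0.0.0.0
!
! Transport mode: GRE already supplies the outer header, so tunnel mode
! would only add a second IP header to every packet.
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile protect-gre
 set security-association lifetime seconds 3600
 set transform-set TS-AES
!
interface Tunnel0
 tunnel protection ipsec profile protect-gre
```

The shared wildcard secret is the remaining weak point: one leaked spoke exposes the key for the whole overlay. On platforms that support it, IKEv2 with certificate authentication removes that secret entirely and is the configuration to aim for in production; the NHRP authentication string on the tunnel is sent in clear text and is no substitute for IKE authentication.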
Verification
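The checks below are an added example of how to confirm each layer after the two stages above, using standard IOS show commands on the hub (ROUTER 1) and a spoke (ROUTER 2); they are not text from the original page, outputs are not reproduced, and the addresses are those of the lab.

```cisco
! Stage 1: NHRP over mGRE, before IPsec is applied
!
! On the spoke: the hub (10.1.1.1) must be listed as next-hop server
! and its state must be UP; anything else means registration failed.
show ip nhrp nhs detail
! On the hub: one dynamic NHRP entry per registered spoke, mapping the
! spoke's tunnel address (10.1.1.x) to its public address (192.168.x.x).
show ip nhrp
show dmvpn detail
! Reachability across the overlay, sourced from the spoke's tunnel address.
ping 10.1.1.1 source 10.1.1.2
!
! Stage 2: after "tunnel protection ipsec profile protect-gre"
!
! A phase 1 SA with the peer's public address in state QM_IDLE means
! IKE negotiated and authenticated successfully.
show crypto isakmp sa
! Phase 2 SAs: the #pkts encaps / #pkts decaps counters must increase
! while the ping above is repeated; counters that stay at zero mean the
! ping never entered the SA, so the overlay is not being protected.
show crypto ipsec sa
! Per-peer summary of IKE and IPsec state in one view.
show crypto session
```

Run the stage 1 checks before adding the crypto configuration: if NHRP registration is broken, the IPsec SAs may still come up and the counters will hide the fact that no useful traffic is flowing. On ROUTER 4, a packet capture on the link towards the hub should show only ESP (IP protocol 50) after stage 2, where it showed GRE (protocol 47) before.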