DMVPN with PKI authentication (GNS3 Lab)
Two protocols that enable DMVPN deployments are Multipoint Generic Routing Encapsulation (mGRE, rfc2735 / rfc1701) and Next Hop Resolution Protocol (NHRP, rfc2735). There is also a very good post on Packetlife about DMVPN.
The following is a GNS3 lab that is relatively long compared to the other labs I have done and has quite a few steps, so I have tried to arrange them in a logical order that's hopefully easy to follow. As always, any feedback is welcome.
We will use the basic topology above, and the initial GNS3 net file can be found [here]. It includes all the basic config and addressing. There is full connectivity between the physical interfaces. I made this lab using a 3600 running IOS Version 12.4(16a). Certificate setup and routing are covered on the 2nd page of the post 🙂
We will start with the Hub configuration. The first two steps are pretty much the same for any IPSEC VPN setup. Steps 3 & 4 are where we make it a DMVPN 🙂
ISAKMP Policy & Profile
Since this step is common to both the Hub and the spokes, please follow the Certificate setup section of this lab, found on the 2nd page of this post here: Certificate setup
Transform Set / IPSEC profile
Now we configure our own custom transform set and set it to use tunnel mode. There are default transform sets, so this step is optional. Then we apply the transform set to the IPSEC protection profile we created earlier.
```
HUB#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
HUB(config)#crypto ipsec transform-set AES_128-SHA esp-aes 128 ah-sha-hmac
HUB(cfg-crypto-trans)#mode tunnel
HUB(cfg-crypto-trans)#exit
HUB(config)#crypto ipsec profile IPsecProfile
HUB(ipsec-profile)#set transform-set AES_128-SHA
```
Now we configure our tunnel interface as an mGRE interface. It is possible to have multiple DMVPN networks running in parallel, e.g. a second DMVPN for failover; the tunnel "key" is used to distinguish between them. The tunnel source interface is the physical interface to which the mGRE tunnel is bound.
```
HUB(config)#int tunnel 0
HUB(config-if)#tunnel mode gre multipoint
HUB(config-if)#tunnel key 123
HUB(config-if)#tunnel source s 0/0
```
NHRP is configured on the tunnel interface. Again, it is possible to have multiple NHRP networks, so a network-id is used to differentiate them, and we add an authentication password (max of 8 characters).
```
HUB(config)#int tunnel 0
HUB(config-if)#ip nhrp network-id 10
HUB(config-if)#ip nhrp authentication pass@m00nie!
% Authentication string exceeds 8 character maximum
HUB(config-if)#ip nhrp authentication @m00nie!
HUB(config-if)#ip nhrp map multicast ?
  A.B.C.D  IP NBMA address
  dynamic  Dynamically learn destinations from client registrations on hub
HUB(config-if)#ip nhrp map multicast dynamic
```
Addressing / MTU
Now we simply configure the IP of the mGRE interface. It's important to note that all tunnel interfaces across the DMVPN must be in the same subnet! This is so all next hops appear as directly connected to the tunnel interfaces.
```
HUB(config)#int tunnel 0
HUB(config-if)#ip add 192.168.10.1 255.255.255.0
HUB(config-if)#ip mtu 1450
HUB(config-if)#ip tcp adjust-mss 1410
```
That's the config done for the HUB 🙂
The configuration of the spokes is very similar, so I'll just copy the similar config below. You can use either mGRE or GRE tunnels on the spokes. mGRE gives the option to dynamically build meshed topologies on the fly, bypassing the HUB for spoke-to-spoke traffic, which is what we will configure.
ISAKMP / Transform set / IPSEC profile
Exactly the same as the Hub
```
crypto pki certificate map CertificateMap 10
 subject-name co o = m00nieco
!
crypto isakmp policy 100
 encr aes
 group 5
crypto isakmp profile ISAKMPProfile
   ca trust-point CA-Server
   match certificate CertificateMap
!
!
crypto ipsec transform-set AES_128-SHA ah-sha-hmac esp-aes
!
crypto ipsec profile IPsecProfile
 set transform-set AES_128-SHA
 set isakmp-profile ISAKMPProfile
```
Again, pretty much the same as the configuration of the Hub router. Enable multipoint GRE, make the key the same and add the physical interface as the source. We also add the previously configured IPSEC protection profile.
```
Bambi#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Bambi(config)#int tun
Bambi(config)#int tunnel 0
Bambi(config-if)#
*Mar  1 01:44:38.559: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
Bambi(config-if)#tunnel mode gre multipoint
Bambi(config-if)#tunnel source s 0/0
Bambi(config-if)#tunnel key 123
```
Now the NHRP config is a little different on the spokes than on the Hub. Make the network-id match, as well as the authentication. For NHRP clients we must configure the location of the NHRP server; in this case it is the IP of the Hub router's tunnel interface, which is also statically mapped to the Hub's physical (NBMA) address.
```
Bambi#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Bambi(config)#int tunnel 0
Bambi(config-if)#tunnel mode gre multipoint
Bambi(config-if)#tunnel source s 0/0
Bambi(config-if)#tunnel key 123
Bambi(config-if)#ip nhrp network-id 10
Bambi(config-if)#ip nhrp authentication @m00nie!
Bambi(config-if)#ip nhrp nhs 192.168.10.1
Bambi(config-if)#ip nhrp map multicast 10.0.14.4
Bambi(config-if)#ip nhrp map 192.168.10.1 10.0.14.4
```
Addressing / MTU
```
Bambi(config-if)#ip mtu 1450
Bambi(config-if)#ip tcp adjust-mss 1410
Bambi(config-if)#ip add 192.168.10.2 255.255.255.0
```
Now you should have ISAKMP and IPSEC SAs built and stable between Bambi and the HUB. The config for Borgy is exactly the same as Bambi's, but the IP on the tunnel interface is 192.168.10.3. Now each spoke should have SAs with the HUB.
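As an added example (not from the original lab), here is the complete tunnel interface configuration that the steps above produce for the Hub and for the spoke Bambi, in running-config form. The `tunnel protection ipsec profile IPsecProfile` line is an assumption: the text says the protection profile is applied to the tunnel, but the sessions above do not show the command, and without it the mGRE tunnel, the NHRP registrations and all data would cross the physical link unencrypted.

```cisco
! ---- HUB: tunnel interface (consolidated from the steps above) ----
interface Tunnel0
 ip address 192.168.10.1 255.255.255.0
 ip mtu 1450
 ip tcp adjust-mss 1410
 ! NHRP server side: network-id and 8-char auth string must match the spokes.
 ! The auth string is a plaintext sanity check, not a secret; IPsec does the
 ! real protection.
 ip nhrp authentication @m00nie!
 ip nhrp map multicast dynamic
 ip nhrp network-id 10
 tunnel source Serial0/0
 tunnel mode gre multipoint
 tunnel key 123
 ! Assumed (described but not shown in the post): binds the IPsec profile to
 ! the tunnel so GRE, NHRP and data are encrypted and PKI-authenticated.
 tunnel protection ipsec profile IPsecProfile
!
! ---- SPOKE Bambi: tunnel interface ----
interface Tunnel0
 ip address 192.168.10.2 255.255.255.0
 ip mtu 1450
 ip tcp adjust-mss 1410
 ip nhrp authentication @m00nie!
 ! Static map: hub tunnel IP -> hub NBMA (physical) address 10.0.14.4
 ip nhrp map 192.168.10.1 10.0.14.4
 ip nhrp map multicast 10.0.14.4
 ip nhrp network-id 10
 ! Next hop server = the hub's tunnel IP
 ip nhrp nhs 192.168.10.1
 tunnel source Serial0/0
 tunnel mode gre multipoint
 tunnel key 123
 tunnel protection ipsec profile IPsecProfile
!
! Borgy: identical to Bambi except "ip address 192.168.10.3 255.255.255.0"
```

After applying it, the SAs the post expects can be checked with `show crypto isakmp sa`, `show crypto ipsec sa` and the hub's learned registrations with `show ip nhrp`.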