DMVPN with PKI authentication (GNS3 Lab)

Dynamic Multipoint VPNs (DMVPN) offer a low admin overhead and scalable VPN solution. It is also efficient at routing traffic as it can dynamically reconfigure itself from a hub and spoke to a partial or full mesh topology! This means that not all traffic has to pass through the hub device.

Two protocols that enable DMVPN deployments are Multipoint Generic Routing Encapsulation (mGRE) rfc2735 / rfc1701and Next Hop Resolution Protocol (NHRP) rfc2735. There is also a very good post on Packetlife  about DMVPN.

The following if a GNS3 lab is relatively long compared to the other labs I have done and has quite a few steps so I have tried to arrange them in a logical order thats hopefully easy to follow. As always any feedback is welcome.

We will use the basic topology above and the initial GNS3 net file can be found [here]. It includes all the basic config and addressing done. There is full connectivity between the physical interfaces. I made this lab using 3600 running Version 12.4(16a) of IOS. Certificate setup and routing is covered on the 2nd page of the post 🙂

Hub config

Step Description
1 ISAKMP Policy
2 Transform Set / IPSEC Profile
3 mGRE interface
4 NHRP Server
5 Addressing / MTU

   We will start with the Hub configuration. The first two steps a pretty much the same for any IPSEC VPN setup. Steps 3 & 4 are where we make it a DMVPN 🙂

   ISAKMP Policy & Profile

Since this step is common to both the Hub and spokes please follow the Certificate setup section of this lab found on the 2nd page of this post here: Certificate setup

   Transform Set / IPSEC profile

Now we configure our own custom transform set and get it to use tunnel mode. There are default transform sets so this step can be optional. Then we apply the transform set to the IPSEC protection profile we created earlier.

HUB#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
HUB(config)#crypto ipsec transform-set AES_128-SHA esp-aes 128 ah-sha-hmac
HUB(cfg-crypto-trans)#mode tunnel
HUB(config)#crypto ipsec profile IPsecProfile
HUB(ipsec-profile)#set transform-set AES_128-SHA

   mGRE interface

Now we configure our tunnel interface to be a mGRE interface. It is possible to have multiple DMVPN networks running in parallel i.e a second DMVPN for failover. The “key” is used to distinguish between these. The tunnel source interface is the physical interface which the mGRE tunnel is bound to.

HUB(config)#int tunnel 0
HUB(config-if)#tunnel mode gre multipoint
HUB(config-if)#tunnel key 123
HUB(config-if)#tunnel source s 0/0

   NHRP Server

NHRP is configured on the tunnel interface. Again it is possible to have multiple NHRP networks so a network-id is used to differentiate them and we add an authentication password (max of 8 characters).

HUB(config)#int tunnel 0
HUB(config-if)#ip nhrp network-id 10
HUB(config-if)#ip nhrp authentication pass@m00nie!
% Authentication string exceeds 8 character maximum
HUB(config-if)#ip nhrp authentication @m00nie!
HUB(config-if)#ip nhrp map multicast ?
  A.B.C.D  IP NBMA address
  dynamic  Dynamically learn destinations from client registrations on hub
HUB(config-if)#ip nhrp map multicast dynamic

   Addressing / MTU

Now we simply configure the IP of the mGRE interface. Its important to note that all tunnel interfaces across the DMVPN must be in the same subnet! This is so all next hops appear as directly connected to the tunnel interfaces.

HUB(config)#int tunnel 0
HUB(config-if)#ip add
HUB(config-if)#ip mtu 1450
HUB(config-if)#ip tcp adjust-mss 1410

Thats the config done for the HUB 🙂

Spoke Config

The configuration of the spokes is very similar so I’ll just copy the similar config below. You can use either mGRE or GRE tunnels on the spokes. mGRE gives the option to dynamically build meshed topologies bypassing the HUB for spoke to spoke on the fly which is what we will configure.

   ISAKMP / Transform set / IPSEC profile

Exactly the same as the Hub

crypto pki certificate map CertificateMap 10
 subject-name co o = m00nieco
crypto isakmp policy 100
 encr aes
 group 5
crypto isakmp profile ISAKMPProfile
   ca trust-point CA-Server
   match certificate CertificateMap
crypto ipsec transform-set AES_128-SHA ah-sha-hmac esp-aes
crypto ipsec profile IPsecProfile
 set transform-set AES_128-SHA
 set isakmp-profile ISAKMPProfile

   mGRE interface

Again pretty much the same as the configuration of the Hub router. Enable multipoint GRE make the key the same and add the physical interface as the source. Also adding the previously configured IPSEC protection profile

Bambi#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Bambi(config)#int tun
Bambi(config)#int tunnel 0
*Mar  1 01:44:38.559: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
Bambi(config-if)#tunnel mode gre multipoint
Bambi(config-if)#tunnel source s 0/0
Bambi(config-if)#tunnel key 123

   NHRP Client

Now the NHRP config is a little different on the spokes than the Hub. Make the network-id match as well as the authentication. For NHRP clients we must configure the location of the NHRP server in this case its the IP of the Hub routers tunnel interface.

Bambi#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Bambi(config)#int tunnel 0
Bambi(config-if)#tunnel mode gre multipoint
Bambi(config-if)#tunnel source s 0/0
Bambi(config-if)#tunnel key 123
Bambi(config-if)#ip nhrp network-id 10
Bambi(config-if)#ip nhrp authentication @m00nie!
Bambi(config-if)#ip nhrp nhs
Bambi(config-if)#ip nhrp map multicast
Bambi(config-if)#ip nhrp map

   Addressing / MTU

Bambi(config-if)# ip mtu 1450
Bambi(config-if)# ip tcp adjust-mss 1410
Bambi(config-if)#ip add

Now you should have an ISAKMP and IPSEC SA’s built and stable between Bambi + HUB. The config for Borgy is exactly the same as Bambi but the IP on the tunnel interface is Now each spoke should have SA’s with the HUB.

Page 2