DMVPN setup with PSK (GNS3 Lab)

Dynamic Multipoint VPNs (DMVPN) offer a low admin overhead and scalable VPN solution. It is also efficient at routing traffic as it can dynamically reconfigure itself from a hub and spoke to a partial or full mesh topology! This means that not all traffic has to pass through the hub device and we can prove/test this in our lab. There is a similar lab [here] for a cert based setup but CCIEv5 is specifically looking at PSK (PSK being slightly more straight forward).

screenshot

Two protocols that enable DMVPN deployments are Multipoint Generic Routing Encapsulation (mGRE) rfc2735 / rfc1701and Next Hop Resolution Protocol (NHRP) rfc2735. There is also a very good post on Packetlife about DMVPN.

The following if a GNS3 lab is relatively long compared to the other labs I have done and has quite a few steps so I have tried to arrange them in a logical order thats hopefully easy to follow with basic DMVPN setup on this page then adding encryption on the 2nd page. As always any feedback is welcome.

We will use the basic topology above and the initial GNS3 net file can be found [here]. It includes all the basic config and addressing done. There is full connectivity between the physical interfaces. I made this lab using 3600 running Version 12.4(25a) IOS.

Hub config

Step Description
1 ISAKMP Policy
2 Transform Set / IPSEC Profile
3 mGRE interface
4 NHRP Server
5 Addressing / MTU

We will start with the Hub configuration. The first two steps a pretty much the same for any IPSEC VPN setup. Steps 3 & 4 are where we make it a DMVPN 🙂

ISAKMP Policy & Profile

Just like a normal point to point VPN we need to configure phase one encrption parameters that need to match or be avilable on all devices in our DMVPN. In this example we configure AES 256, DH group 5, SHA-1 for hashing and define a preshared key for authentication rather than certs. Important to note the difference here is that for the key we need to define a host/mask of 0.0.0.0 since we might have lots of distinct sources connecting to our DMVPN.

HUB(config)#crypto isakmp policy 10
HUB(config-isakmp)#encryption aes 256
HUB(config-isakmp)#group 5
HUB(config-isakmp)#hash sha
HUB(config-isakmp)#authentication pre-share
HUB(config)#exit
HUB(config)#crypto isakmp key 0 MYDMVPN address 0.0.0.0 0.0.0.0

Transform Set / IPSEC profile

Now we configure our own custom transform set and get it to use tunnel mode. There are default transform sets so this step can be optional. Then we apply the transform set to the IPSEC protection profile we create also applying this to protect traffic traversing tun0. Again this config is common (and needs to match!) on all Hubs and spokes we configure here:

HUB(config)#crypto ipsec transform-set AES_128-SHA esp-aes 128 ah-sha-hmac
HUB(cfg-crypto-trans)#exit
HUB(config)#crypto ipsec profile IPsecProfile
HUB(ipsec-profile)#set transform-set AES_128-SHA
HUB(config)#int tun 0
HUB(config-if)#tunnel protection ipsec profile IPsecProfile

mGRE interface

Now we configure our tunnel interface then ask it to be a mGRE interface. It is possible to have multiple DMVPN networks running in parallel i.e a second DMVPN for failover. The “key” is used to distinguish between these. The tunnel source interface is the physical interface which the mGRE tunnel is bound to.

HUB(config)#int tunnel 0
HUB(config-if)#tunnel mode gre multipoint
HUB(config-if)#tunnel key 1
HUB(config-if)#tunnel source eth 0/0

NHRP Server

NHRP is configured on the tunnel interface. Again it is possible to have multiple NHRP networks so a network-id is used to differentiate them and we add an authentication password (max of 8 characters).

HUB(config)#int tun 0
HUB(config-if)#ip nhrp network-id 1
HUB(config-if)#ip nhrp authentication IMAPASSWORD
% Authentication string exceeds 8 character maximum
HUB(config-if)#ip nhrp authentication IMAPASS
HUB(config-if)#ip nhrp map multicast dynamic

Addressing / MTU

Now we simply configure the IP of the mGRE interface. Its important to note that all tunnel interfaces across the DMVPN must be in the same subnet! This is so all next hops appear as directly connected to the tunnel interfaces. In our case we’ll use 172.16.16.0/24 so it can be easily differentiated then a quick review of all the config we have under the tunnel interface since that us completed the HUB config 🙂

HUB(config)#int tun 0
HUB(config-if)#ip add 172.16.16.1 255.255.255.0
HUB(config-if)#ip mtu 1450
HUB(config-if)#ip tcp adjust-mss 1410
HUB(config-if)#
HUB(config-if)#do show run int tun 0
Building configuration…

Current configuration : 271 bytes
!
interface Tunnel0
ip address 172.16.16.1 255.255.255.0
no ip redirects
ip mtu 1450
ip nhrp authentication IMAPASS
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip tcp adjust-mss 1410
tunnel source Ethernet0/0
tunnel mode gre multipoint
tunnel key 1
tunnel protection ipsec profile IPsecProfile
end

Thats the config done for the HUB 🙂

Spoke Config

The configuration of the spokes is very similar so I’ll just copy the similar config below. You can use either mGRE or GRE tunnels on the spokes. mGRE gives the option to dynamically build meshed topologies bypassing the HUB for spoke to spoke on the fly (almost the best thing about DMVPN? :))which is what we will configure.

ISAKMP / Transform set / IPSEC profile

Exactly the same as the Hub:

crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
crypto isakmp key MYDMVPN address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set AES_128-SHA ah-sha-hmac esp-aes
!
crypto ipsec profile IPsecProfile
set transform-set AES_128-SHA

mGRE interface

Again pretty much the same as the configuration of the Hub router. Enable multipoint GRE make the key the same and add the physical interface as the source. Also adding the previously configured IPSEC protection profile. This config is quite standard only the IP is different I used .2 for left and .3 for right

interface Tunnel0
ip address 172.16.16.3 255.255.255.0
no ip redirects
ip mtu 1450
ip nhrp authentication IMAPASS
ip nhrp network-id 1
ip tcp adjust-mss 1410
tunnel source Ethernet0/0
tunnel mode gre multipoint
tunnel key 1
tunnel protection ipsec profile IPsecProfile

NHRP Client

Now the NHRP config is a little different on the spokes than the Hub. Make the network-id match as well as the authentication. For NHRP clients we must configure the location of the NHRP server so we can resolve next hop IPs (nhs command and IP of Tun0 on HUB). In this case its the IP of the Hub routers eth0/0 interface for the map commands too.This config is the same for all spokes.

int tun 0
ip nhrp nhs 172.16.16.1
ip nhrp map multicast 192.168.1.1
ip nhrp map 172.16.16.1 192.168.1.1

Now you should have an ISAKMP and IPSEC SA’s built and stable between both spokes and the HUB.

Spoke_Right#show crypto isakmp sa
dst             src             state          conn-id slot status
192.168.1.1     192.168.3.1     QM_IDLE              1    0 ACTIVE

Spoke_Right#
Spoke_Right#show crypto ipsec sa

interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 192.168.3.1

protected vrf: (none)
local  ident (addr/mask/prot/port): (192.168.3.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (192.168.1.1/255.255.255.255/47/0)
current_peer 192.168.1.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 2, #pkts encrypt: 2, #pkts digest: 2
#pkts decaps: 1, #pkts decrypt: 1, #pkts verify: 1
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 192.168.3.1, remote crypto endpt.: 192.168.1.1
path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/0
current outbound spi: 0xDFCB88B8(3754657976)

inbound esp sas:
spi: 0x29A8A942(698919234)
transform: esp-aes ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: SW:1, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4413228/3538)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:
spi: 0xD1CA2E5A(3519688282)
transform: ah-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: SW:1, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4413228/3536)
replay detection support: Y
Status: ACTIVE

inbound pcp sas:

outbound esp sas:
spi: 0xDFCB88B8(3754657976)
transform: esp-aes ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: SW:2, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4413228/3536)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:
spi: 0x2EA812D3(782766803)
transform: ah-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: SW:2, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4413228/3535)
replay detection support: Y
Status: ACTIVE

outbound pcp sas:

Page 2 contains setting up dynamic routing and examining dynamic tunnel instantiation.

Page 2

Comments

  • hi i tried to configure the same but i cant bring up the tunnel..

    HUB:-

    HUB#sh run
    Building configuration…

    Current configuration : 1344 bytes
    !
    version 15.2
    service timestamps debug datetime msec
    service timestamps log datetime msec
    !
    hostname HUB
    !
    boot-start-marker
    boot-end-marker
    !
    !
    !
    no aaa new-model
    no ip icmp rate-limit unreachable
    ip cef
    !
    !
    !
    !
    !
    !
    no ip domain lookup
    no ipv6 cef
    !
    !
    multilink bundle-name authenticated
    !
    !
    !
    !
    !
    !
    !
    !
    !
    ip tcp synwait-time 5
    !
    !
    !
    !
    !
    crypto isakmp policy 10
    encr aes 256
    authentication pre-share
    group 5
    crypto isakmp key MYDMVPN address 0.0.0.0
    !
    !
    crypto ipsec transform-set AES_128-SHA ah-sha-hmac esp-aes
    mode tunnel
    !
    crypto ipsec profile IPsecProfile
    set transform-set AES_128-SHA
    !
    !
    !
    !
    !
    !
    !
    interface Tunnel0
    ip address 172.16.16.1 255.255.255.0
    no ip redirects
    ip mtu 1450
    ip nhrp authentication IMAPASS
    ip nhrp map multicast dynamic
    ip nhrp network-id 1
    ip tcp adjust-mss 1410
    tunnel source FastEthernet0/0
    tunnel mode gre multipoint
    tunnel key 1
    tunnel protection ipsec profile IPsecProfile
    !
    interface FastEthernet0/0
    ip address 192.168.1.1 255.255.255.0
    duplex full
    !
    ip forward-protocol nd
    !
    !
    no ip http server
    no ip http secure-server
    ip route 0.0.0.0 0.0.0.0 192.168.1.2
    !
    !
    !
    !
    control-plane
    !
    !
    line con 0
    exec-timeout 0 0
    privilege level 15
    logging synchronous
    stopbits 1
    line aux 0
    exec-timeout 0 0
    privilege level 15
    logging synchronous
    stopbits 1
    line vty 0 4
    login
    !
    !
    end

    ————————————————————————————————————————–

    Spoke Right:

    R3#sh run
    Building configuration…

    Current configuration : 1592 bytes
    !
    ! Last configuration change at 10:40:36 UTC Fri Feb 26 2016
    !
    version 15.2
    service timestamps debug datetime msec
    service timestamps log datetime msec
    !
    hostname R3
    !
    boot-start-marker
    boot-end-marker
    !
    !
    !
    no aaa new-model
    no ip icmp rate-limit unreachable
    ip cef
    !
    !
    !
    !
    !
    !
    no ip domain lookup
    no ipv6 cef
    !
    !
    multilink bundle-name authenticated
    !
    !
    !
    !
    !
    !
    !
    !
    !
    ip tcp synwait-time 5
    !
    !
    !
    !
    !
    crypto isakmp policy 10
    encr aes 256
    authentication pre-share
    group 5
    crypto isakmp key MYDMVPN address 0.0.0.0
    !
    !
    crypto ipsec transform-set AES_128-SHA ah-sha-hmac esp-aes
    mode tunnel
    !
    crypto ipsec profile IPsecProfile
    set transform-set AES_128-SHA
    !
    !
    !
    !
    !
    !
    !
    interface Loopback0
    ip address 10.10.100.1 255.255.255.0
    !
    interface Tunnel0
    ip address 172.16.16.3 255.255.255.0
    no ip redirects
    ip mtu 1450
    ip nhrp authentication IMAPASS
    ip nhrp map multicast 192.168.1.1
    ip nhrp map 172.16.16.1 192.168.1.1
    ip nhrp network-id 1
    ip nhrp nhs 172.16.16.1
    ip tcp adjust-mss 1410
    tunnel source FastEthernet0/0
    tunnel key 1
    tunnel protection ipsec profile IPsecProfile
    !
    interface FastEthernet0/0
    ip address 192.168.3.1 255.255.255.0
    duplex full
    !
    ip forward-protocol nd
    !
    !
    no ip http server
    no ip http secure-server
    ip route 0.0.0.0 0.0.0.0 192.168.3.2 100
    ip route 10.10.10.0 255.255.255.0 Tunnel0
    ip route 10.10.200.0 255.255.255.0 Tunnel0
    !
    !
    !
    !
    control-plane
    !
    !
    line con 0
    exec-timeout 0 0
    privilege level 15
    logging synchronous
    stopbits 1
    line aux 0
    exec-timeout 0 0
    privilege level 15
    logging synchronous
    stopbits 1
    line vty 0 4
    login
    !
    !
    end

    R3#

    ————————————————————————————————————————————————–*************

    R3#sh dmvpn detail
    Legend: Attrb –> S – Static, D – Dynamic, I – Incomplete
    N – NATed, L – Local, X – No Socket
    # Ent –> Number of NHRP entries with same NBMA peer
    NHS Status: E –> Expecting Replies, R –> Responding, W –> Waiting
    UpDn Time –> Up or Down Time for a Tunnel
    ==========================================================================

    Interface Tunnel0 is up/down, Addr. is 172.16.16.3, VRF “”
    Tunnel Src./Dest. addr: 192.168.3.1/UNKNOWN, Tunnel VRF “”
    Protocol/Transport: “GRE/IP”, Protect “IPsecProfile”
    Interface State Control: Disabled
    nhrp event-publisher : Disabled

    IPv4 NHS:
    172.16.16.1 E priority = 0 cluster = 0
    Type:Spoke, Total NBMA Peers (v4/v6): 1

    # Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb Target Network
    —– ————— ————— —– ——– —– —————–
    1 192.168.1.1 172.16.16.1 INTF never S 172.16.16.1/32

    Crypto Session Details:
    ——————————————————————————–

    Pending DMVPN Sessions:

    R3#ping 192.168.1.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 176/251/312 ms
    R3#sh cry
    R3#sh crypto is
    R3#sh crypto isakmp sa
    R3#sh crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst src state conn-id status

    IPv6 Crypto ISAKMP SA

  • Hi Suju

    Have you created some traffic that would match the interesting traffic and/or checked the debug output to see whats going on? Whats the device you are running this config on?
    Cheers

    m00nie

Leave a Reply