Dynamic Multi-point VPN (DMVPN)

Here is my first post, and you'll see more as I finish pre-post tasks! In this first post I'm going to publish a sample basic configuration for DMVPN. As you may know, this topic was recently added to the CCIE V5 blueprint and it is expected to be asked in the lab. I think this technology will play an important role in the lab, just like Frame Relay (FR) in V4, and we will have to build it as part of preparing our infrastructure for later tasks. Anyway, here is what I wrote for you:

In this scenario we have a customer with a hub and two remote offices that are connected together through a public network, like the internet. We want to implement DMVPN so the customer can easily add remote networks in the future without having to change the hub or any other remote router. The clients inside the remote branches also need to be able to access internet resources.
Because of the need for confidentiality, in the second phase we will apply authentication and encryption to the traffic transiting between customer sites; traffic destined to the internet, on the other hand, should not be encrypted and must pass intact. Our configuration consists of several phases. In the first phase we will configure the bare DMVPN. In the second phase we will add IPsec to the existing DMVPN, and at the final step we will configure internet reachability.

Phase one: playing with DMVPN

R2 (border router of hub site):

interface Loopback0
ip address 2.2.2.2 255.255.255.255
!
interface Tunnel0
ip address 100.1.1.2 255.255.255.0
no ip next-hop-self eigrp 100
no ip split-horizon eigrp 100
no ip redirects
ip nhrp map multicast dynamic
ip nhrp network-id 10
tunnel source Loopback0
tunnel mode gre multipoint
tunnel key 10
!
interface FastEthernet0/0
ip address 12.12.12.2 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0
ip address 26.26.26.2 255.255.255.0
ip summary-address eigrp 100 0.0.0.0 0.0.0.0 5
clock rate 2000000
!
interface FastEthernet0/1
ip address 23.23.23.2 255.255.255.0
duplex auto
speed auto
!
router eigrp 10
network 2.0.0.0
network 12.0.0.0
network 23.0.0.0
no auto-summary
!
router eigrp 100
network 26.0.0.0
network 100.0.0.0
no auto-summary

R1 (border router of remote branch office 1):

interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface Tunnel0
ip address 100.1.1.1 255.255.255.0
no ip redirects
ip nhrp map multicast 2.2.2.2
ip nhrp map 100.1.1.2 2.2.2.2
ip nhrp network-id 10
ip nhrp nhs 100.1.1.2
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 10
!
interface FastEthernet0/0
ip address 12.12.12.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 15.15.15.1 255.255.255.0
ip summary-address eigrp 100 0.0.0.0 0.0.0.0 5
duplex auto
speed auto
!
router eigrp 10
network 12.0.0.0
no auto-summary
!
router eigrp 100
network 15.0.0.0
network 100.0.0.0
no auto-summary

R3 (border router of branch office 3):

interface Loopback0
ip address 3.3.3.3 255.255.255.255
!
interface Loopback10
ip address 3.3.3.10 255.255.255.255
!
interface Tunnel0
ip address 100.1.1.3 255.255.255.0
no ip redirects
ip nhrp map 100.1.1.2 2.2.2.2
ip nhrp map multicast 2.2.2.2
ip nhrp network-id 10
ip nhrp nhs 100.1.1.2
tunnel source FastEthernet0/1
tunnel mode gre multipoint
tunnel key 10
!
interface FastEthernet0/0
ip address 34.34.34.3 255.255.255.0
ip summary-address eigrp 100 0.0.0.0 0.0.0.0 5
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 23.23.23.3 255.255.255.0
duplex auto
speed auto
!
router eigrp 10
network 23.0.0.0
no auto-summary
!
router eigrp 100
network 3.3.3.10 0.0.0.0
network 34.0.0.0
network 100.0.0.0
no auto-summary

According to the config shown above, we use EIGRP 10 in the internet and EIGRP 100 inside the customer sites and over the tunnels that interconnect them, so there is no route leakage between the two networks. Let's verify the DMVPN.

R1(config-if)#do sh ip nhrp
100.1.1.2/32 via 100.1.1.2, Tunnel0 created 00:42:07, never expire 
  Type: static, Flags: used 
  NBMA address: 2.2.2.2

R3(config-if)#do sh ip nhrp
100.1.1.2/32 via 100.1.1.2, Tunnel0 created 00:56:32, never expire 
  Type: static, Flags: used 
  NBMA address: 2.2.2.2

R2(config-if)#do sh ip nhrp
100.1.1.1/32 via 100.1.1.1, Tunnel0 created 00:45:17, expire 01:56:35
  Type: dynamic, Flags: unique registered 
  NBMA address: 12.12.12.1 
100.1.1.3/32 via 100.1.1.3, Tunnel0 created 00:58:42, expire 01:20:45
  Type: dynamic, Flags: unique registered 
  NBMA address: 23.23.23.3
       

R2(config-if)#do sh ip eigrp 100 neigh
IP-EIGRP neighbors for process 100
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
2   100.1.1.3               Tu0               13 00:29:19   74  5000  0  24
1   100.1.1.1               Tu0               14 00:29:19  131  5000  0  29
0   26.26.26.6              Se0/0             11 01:33:22   40   240  0  15

R5(config)#do sh ip route
Gateway of last resort is 15.15.15.1 to network 0.0.0.0

     5.0.0.0/32 is subnetted, 1 subnets
C       5.5.5.5 is directly connected, Loopback0
     15.0.0.0/24 is subnetted, 1 subnets
C       15.15.15.0 is directly connected, FastEthernet0/1
D*   0.0.0.0/0 [90/307200] via 15.15.15.1, 00:29:52, FastEthernet0/1

R5(config)#do ping 4.4.4.4 so lo0 rep 10
Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
Packet sent with a source address of 5.5.5.5
!!!!!!!!!!
Success rate is 100 percent (10/10), round-trip min/avg/max = 60/138/196 ms
R5(config)#

R5(config)#do ping 6.6.6.6 so lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 6.6.6.6, timeout is 2 seconds:
Packet sent with a source address of 5.5.5.5
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/52/72 ms
R5(config)#

R2(config-if)#dir eig 100
     34.0.0.0/24 is subnetted, 1 subnets
D       34.34.34.0 [90/297270016] via 100.1.1.3, 00:33:04, Tunnel0
     3.0.0.0/32 is subnetted, 1 subnets
D       3.3.3.10 [90/297372416] via 100.1.1.3, 00:33:04, Tunnel0
     4.0.0.0/32 is subnetted, 1 subnets
D       4.4.4.4 [90/297398016] via 100.1.1.3, 00:33:04, Tunnel0
     5.0.0.0/32 is subnetted, 1 subnets
D       5.5.5.5 [90/297398016] via 100.1.1.1, 00:33:05, Tunnel0
     6.0.0.0/32 is subnetted, 1 subnets
D       6.6.6.6 [90/2297856] via 26.26.26.6, 01:37:08, Serial0/0
     15.0.0.0/24 is subnetted, 1 subnets
D       15.15.15.0 [90/297270016] via 100.1.1.1, 00:33:05, Tunnel0
D*   0.0.0.0/0 is a summary, 00:33:06, Null0
R2(config-if)#

R1(config-if)#dir ei 100
     34.0.0.0/24 is subnetted, 1 subnets
D       34.34.34.0 [90/310070016] via 100.1.1.3, 00:33:40, Tunnel0
     3.0.0.0/32 is subnetted, 1 subnets
D       3.3.3.10 [90/310172416] via 100.1.1.3, 00:33:40, Tunnel0
     4.0.0.0/32 is subnetted, 1 subnets
D       4.4.4.4 [90/310198016] via 100.1.1.3, 00:33:40, Tunnel0
     5.0.0.0/32 is subnetted, 1 subnets
D       5.5.5.5 [90/409600] via 15.15.15.5, 00:33:41, FastEthernet0/1
     6.0.0.0/32 is subnetted, 1 subnets
D       6.6.6.6 [90/297884416] via 100.1.1.2, 00:33:42, Tunnel0
     26.0.0.0/24 is subnetted, 1 subnets
D       26.26.26.0 [90/297756416] via 100.1.1.2, 00:33:42, Tunnel0
D*   0.0.0.0/0 is a summary, 00:33:42, Null0

We also performed DMVPN phase 2 and 3, which is known as optimization. With this method, when one spoke needs to reach resources inside another spoke, it sends the traffic directly to that spoke through dynamically created NHRP map entries. When there is no such traffic, the map table looks like the output above. But after traffic between the sites is established, the spoke routers create dynamic entries in the NHRP map table, so they can automatically find the other remote IP address through NHRP. The result is that traffic flowing between spoke sites is not sent to the hub and goes directly to the other spoke's IP address. We can see this by issuing the trace command on R5:

R5(config)#do trace 4.4.4.4 ttl 0 4

Type escape sequence to abort.
Tracing the route to 4.4.4.4

  0 15.15.15.1 20 msec 24 msec 8 msec
  1 15.15.15.1 16 msec 8 msec 12 msec
  2 100.1.1.3 80 msec 72 msec 52 msec
  3 34.34.34.4 76 msec *  100 msec
R5(config)#

You can see that the traffic does not pass through R2, our hub router; otherwise we would see 100.1.1.2 (the IP address of R2) in the output. We can also verify the map table:

R1(config-if)#do sh ip nhrp
100.1.1.2/32 via 100.1.1.2, Tunnel0 created 00:42:07, never expire 
  Type: static, Flags: used 
  NBMA address: 2.2.2.2 
100.1.1.3/32 via 100.1.1.3, Tunnel0 created 00:26:23, expire 01:33:37
  Type: dynamic, Flags: router 
  NBMA address: 23.23.23.3
You can see the "dynamic" entry that was created automatically by R1, one of the spoke routers. With the help of this dynamic entry, R1 now knows the IP address of R3, the other remote office router, and how it can be reached; as a result, it establishes a direct link with R3 instead of first sending the traffic to the hub router. The commands used in DMVPN phase 2 and 3 are as follows, applied to interface Tunnel0 of the hub router (R2):

no ip next-hop-self eigrp 100
no ip split-horizon eigrp 100

Without these commands, spoke routers would see the other spokes' routes with the next hop of the hub router (100.1.1.2); after applying the commands, the next hop changes to the other spoke router. That is, R1 sees remote routes with the next hop of R3 and vice versa.
By now we have completed the DMVPN portion of the configuration and move on to the second part: adding IPsec. The configuration is as follows:
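As an added check (not part of the original post), the following Python script parses "show ip nhrp" output from a spoke, separates the static hub mapping from dynamically learned spoke entries, and resolves an EIGRP next hop such as 100.1.1.3 to the underlay address the spoke will actually send to. The sample text is the R1 output shown above; all function names are my own.

```python
import re
from collections import namedtuple

# Constructed sample: the "show ip nhrp" output seen on R1 in the post after
# spoke-to-spoke traffic created the dynamic entry for R3.
SAMPLE_NHRP = """\
100.1.1.2/32 via 100.1.1.2, Tunnel0 created 00:42:07, never expire
  Type: static, Flags: used
  NBMA address: 2.2.2.2
100.1.1.3/32 via 100.1.1.3, Tunnel0 created 00:26:23, expire 01:33:37
  Type: dynamic, Flags: router
  NBMA address: 23.23.23.3
"""

NhrpEntry = namedtuple("NhrpEntry", "tunnel_ip prefix_len interface kind flags nbma")

HEADER_RE = re.compile(r"^([\d.]+)/(\d+) via ([\d.]+), (\S+) created")
TYPE_RE = re.compile(r"^\s+Type: (\w+), Flags: (.*)$")
NBMA_RE = re.compile(r"^\s+NBMA address: (\S+)")


def parse_nhrp(text):
    """Parse 'show ip nhrp' output into a list of NhrpEntry records."""
    entries, cur = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:  # first line of a mapping: tunnel (protocol) address -> interface
            cur = {"tunnel_ip": m.group(1), "prefix_len": int(m.group(2)),
                   "interface": m.group(4), "kind": None, "flags": (), "nbma": None}
            entries.append(cur)
        elif cur is not None and (m := TYPE_RE.match(line)):
            cur["kind"] = m.group(1)            # "static" (configured) or "dynamic"
            cur["flags"] = tuple(m.group(2).replace(",", " ").split())
        elif cur is not None and (m := NBMA_RE.match(line)):
            cur["nbma"] = m.group(1)            # underlay (public) address of the peer
    return [NhrpEntry(**e) for e in entries]


def resolve_nbma(entries, tunnel_ip):
    """Underlay address a tunnel next hop resolves to, or None if NHRP has no mapping."""
    for e in entries:
        if e.tunnel_ip == tunnel_ip:
            return e.nbma
    return None


def spoke_to_spoke_peers(entries, hub_tunnel_ip):
    """Underlay addresses of dynamically learned peers other than the hub: evidence
    that spoke-to-spoke shortcuts exist and traffic is no longer hairpinning via R2."""
    return sorted(e.nbma for e in entries
                  if e.kind == "dynamic" and e.tunnel_ip != hub_tunnel_ip)
```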

R1, R2, R3 shared configuration:

crypto isakmp policy 1
encr aes
authentication pre-share
group 5
lifetime 3600
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set TEST_SET esp-aes esp-sha-hmac
!
crypto ipsec profile TEST_PROFILE
set transform-set TEST_SET
!
interface Tunnel0
tunnel protection ipsec profile TEST_PROFILE
You can see that the IPsec configuration is an easy and straightforward procedure which is also the same on all routers. It is like a template that can be applied to hub and spoke routers. Just remember that DMVPN is DYNAMIC and the tunnels created do not have any destination address. For the same reason we set the ISAKMP peer address to 0.0.0.0, which will be determined DYNAMICALLY and AUTOMATICALLY by the routers.
Again, when there is no traffic between remote sites, the output of the "show crypto ipsec sa" command on a remote site router contains just a single SA:

R1(config-if)#do sh crypto ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 12.12.12.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (12.12.12.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/47/0)
   current_peer 2.2.2.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 117, #pkts encrypt: 117, #pkts digest: 117
    #pkts decaps: 117, #pkts decrypt: 117, #pkts verify: 117
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 12.12.12.1, remote crypto endpt.: 2.2.2.2
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0xF8E9B64A(4176066122)

     inbound esp sas:
      spi: 0xF35C40BD(4082909373)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: SW:1, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4406022/3528)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xF8E9B64A(4176066122)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: SW:2, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4406022/3526)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

R1(config-if)#
But after such traffic is established, the spoke routers create the SAs they need between each other.

R1(config-if)#do sh crypto ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 12.12.12.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (12.12.12.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/47/0)
   current_peer 2.2.2.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 1276, #pkts encrypt: 1276, #pkts digest: 1276
    #pkts decaps: 1276, #pkts decrypt: 1276, #pkts verify: 1276
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 12.12.12.1, remote crypto endpt.: 2.2.2.2
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x60DC94CB(1625068747)

     inbound esp sas:
      spi: 0x877836CF(2272802511)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 5, flow_id: SW:5, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4390664/1758)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x60DC94CB(1625068747)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 6, flow_id: SW:6, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4390664/1755)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (12.12.12.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (23.23.23.3/255.255.255.255/47/0)
   current_peer 23.23.23.3 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 1210, #pkts encrypt: 1210, #pkts digest: 1210
    #pkts decaps: 1211, #pkts decrypt: 1211, #pkts verify: 1211
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 12.12.12.1, remote crypto endpt.: 23.23.23.3
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x68D4AE9D(1758768797)

     inbound esp sas:
      spi: 0x7FCBBFB9(2144059321)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 7, flow_id: SW:7, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4534397/2439)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x68D4AE9D(1758768797)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 8, flow_id: SW:8, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4534397/2438)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
R1(config-if)#

After establishing SAs to remote offices, all traffic destined to remote sites goes through these SAs without travelling to the hub router. For testing, you can ping one of R4's IP addresses from R5. This makes the second SA establish automatically between branch routers R1 and R3, and the counters displayed in the output increase only on the SA created between the two remote sites, not on the SA to the hub router.
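As an added check (not part of the original post), the following Python script parses two snapshots of "show crypto ipsec sa" taken on a spoke before and after the ping and reports which peer's SA counters actually moved. The snapshot texts are constructed from the counters above and trimmed to the lines the parser reads; the "after" values assume the ping crossed only the R1-R3 SA.

```python
import re

# Constructed snapshots of "show crypto ipsec sa" on R1, trimmed to the lines the
# parser reads. "Before" counters are those printed in the post; "after" assumes a
# 10-packet ping from R5 to R4 that crossed only the spoke-to-spoke SA to R3.
SNAP_BEFORE = """\
interface: Tunnel0
   current_peer 2.2.2.2 port 500
    #pkts encaps: 1276, #pkts encrypt: 1276, #pkts digest: 1276
    #pkts decaps: 1276, #pkts decrypt: 1276, #pkts verify: 1276
   current_peer 23.23.23.3 port 500
    #pkts encaps: 1210, #pkts encrypt: 1210, #pkts digest: 1210
    #pkts decaps: 1211, #pkts decrypt: 1211, #pkts verify: 1211
"""
SNAP_AFTER = """\
interface: Tunnel0
   current_peer 2.2.2.2 port 500
    #pkts encaps: 1276, #pkts encrypt: 1276, #pkts digest: 1276
    #pkts decaps: 1276, #pkts decrypt: 1276, #pkts verify: 1276
   current_peer 23.23.23.3 port 500
    #pkts encaps: 1220, #pkts encrypt: 1220, #pkts digest: 1220
    #pkts decaps: 1221, #pkts decrypt: 1221, #pkts verify: 1221
"""

PEER_RE = re.compile(r"^\s*current_peer (\S+) port \d+")
ENCAPS_RE = re.compile(r"^\s*#pkts encaps: (\d+),")
DECAPS_RE = re.compile(r"^\s*#pkts decaps: (\d+),")

def parse_ipsec_sa(text):
    """Map each IPsec peer (remote crypto endpoint) to its encaps/decaps counters."""
    sas, peer = {}, None
    for line in text.splitlines():
        if m := PEER_RE.match(line):
            peer = m.group(1)                       # one SA pair per remote endpoint
            sas[peer] = {"encaps": 0, "decaps": 0}
        elif peer and (m := ENCAPS_RE.match(line)):
            sas[peer]["encaps"] = int(m.group(1))   # packets we encrypted toward peer
        elif peer and (m := DECAPS_RE.match(line)):
            sas[peer]["decaps"] = int(m.group(1))   # packets we decrypted from peer
    return sas

def counter_delta(before, after):
    """Per-peer (encaps, decaps) growth between two snapshots; new peers start at 0."""
    delta = {}
    for peer, cnt in after.items():
        old = before.get(peer, {"encaps": 0, "decaps": 0})
        delta[peer] = (cnt["encaps"] - old["encaps"], cnt["decaps"] - old["decaps"])
    return delta

def active_peers(before, after):
    """Peers whose SA actually carried traffic between the snapshots. If the hub
    (2.2.2.2) is absent and the other spoke is present, spoke-to-spoke worked."""
    return sorted(p for p, (e, d) in counter_delta(before, after).items() if e or d)
```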

The final part of our configuration is about providing internet reachability to the customer's clients. The traffic destined to the internet should not be encrypted and must pass through the routers intact. Also, the internet routers should not have reachability information about the customer's internal IP addresses. So we need to configure NAT on the border routers to hide the internal addressing scheme while providing internet access to customer clients residing inside the hub and remote branches. The configuration of R1 is as follows:

R1(config)#ip access ex FOR_NAT
R1(config-ext-nacl)#permit ip 15.0.0.0 0.255.255.255 any
R1(config-ext-nacl)#permit ip 5.0.0.0 0.255.255.255 any
R1(config)#ip nat inside source list FOR_NAT inter f0/0 overload
R1(config)#inter f0/1
R1(config-if)#ip nat ins
R1(config-if)#inter f0/0
R1(config-if)#ip nat out
R1(config-if)#  
To verify our configuration, I wrote an ACL on R2 to capture ICMP traffic, issued "debug ip packet 100" on that router and then ran a ping test on R5 toward some internet IP (23.23.23.3, for example). For the results to be shown, you must disable CEF on R2, so I entered "no ip route-cache" on f0/0 of R2.

R2(config-if)#access-list 100 permit icmp any any
R2(config)#do debug ip packet 100
IP packet debugging is on for access list 100
R2(config)#inter f0/0
R2(config-if)#no ip route-cache

R5(config)#do ping 23.23.23.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 23.23.23.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/56/104 ms
R5(config)#

R2(config)#
*Mar 1 03:17:48.387: IP: tableid=0, s=12.12.12.1 (FastEthernet0/0), d=23.23.23.3 (FastEthernet0/1), routed via FIB
*Mar 1 03:17:48.387: IP: s=12.12.12.1 (FastEthernet0/0), d=23.23.23.3 (FastEthernet0/1), g=23.23.23.3, len 100, forward
R2(config)#
Now we have reachability to the internet and, according to the messages appearing on R2, the source is changed from 15.15.15.5 to 12.12.12.1. If you issue the ping again on R5 toward some customer internal IP address, like R4 or R6, the ping test succeeds without being affected by NAT and you will not see any output on R2. This is because customer internal traffic flowing between hub and spoke sites is redirected through the tunnel interface, which has no nat command on it, while traffic flowing through the physical Ethernet interface is NATed because of the nat command. The configuration of NAT on the other border routers is the same as above.
