When your public address is dynamic and changes all the time (as on ADSL connections), DMVPN lets you build your own VPN with dynamic addresses on the spoke sites and a single static address at the hub site, your headquarters. The hub learns about the remote sites as they register with it, and the spokes can then be connected to each other directly.
IPsec is added on top to give the tunnelled packets confidentiality and integrity protection; GRE and NHRP on their own provide neither.
DMVPN is built on GRE tunnels plus NHRP (Next Hop Resolution Protocol). Each router has an address inside the GRE tunnel, and because the tunnel is multipoint, NHRP maps every router's tunnel address to its current public (NBMA) address, which is how the dynamic addresses get resolved.
DMVPN is supported on IOS routers (at the time of writing it is not supported on the ASA).
In this example the public addresses of the sites are 1.1.1.1, 1.1.1.2 and 1.1.1.3 for R1 (the hub), R2 and R3.
The tunnel subnet is 172.16.16.0/24 and each router has its own LAN, 192.168.x.0/24 with x matching the router number.
*** Step 1:
Basic tunnel configuration
Hub:
interface Tunnel0
ip address 172.16.16.1 255.255.255.0
no ip redirects
! the network-id must match on every router in this DMVPN cloud
ip nhrp network-id 1
! the hub is the next-hop server itself, so it needs no "ip nhrp nhs" line of its own
tunnel source Serial1/0
tunnel mode gre multipoint
Spoke:
interface Tunnel0
ip address 172.16.16.2 255.255.255.0
no ip redirects
! static mapping: the hub's tunnel address resolves to its fixed public (NBMA) address
ip nhrp map 172.16.16.1 1.1.1.1
ip nhrp network-id 1
! the hub is the next-hop server (NHS) that every spoke registers its own mapping with
ip nhrp nhs 172.16.16.1
tunnel source Serial0/0
tunnel mode gre multipoint
R2#sh ip nhrp
172.16.16.1/32 via 172.16.16.1, Tunnel0 created 00:02:01, never expire
Type: static, Flags: authoritative used
NBMA address: 1.1.1.1
*** Step 2:
Running EIGRP inside the tunnel as the routing protocol. On every router (the LAN network statement is the router's own: 192.168.1.0 on R1, 192.168.2.0 on R2, 192.168.3.0 on R3):
router eigrp 1
network 172.16.0.0
network 192.168.1.0
no auto-summary
EIGRP sends its hellos as multicast, and a multipoint GRE tunnel has no multicast mapping by default, so NHRP has to be told where to replicate them.
Hub:
interface Tunnel0
! replicate multicast to every spoke that has registered dynamically
ip nhrp map multicast dynamic
Spoke:
interface Tunnel0
! map multicast to the hub's public (NBMA) address, not its tunnel address
ip nhrp map multicast 1.1.1.1
R3#sh ip route
D 192.168.1.0/24 [90/297372416] via 172.16.16.1, 00:05:01, Tunnel0
C 192.168.3.0/24 is directly connected, Loopback0
(Spokes see the hub's network and the hub sees every spoke's network; the spokes do not yet see each other.)
*** Step 3:
Letting the spokes see each other (first through the hub; Step 4 takes the hub out of the data path)
Hub:
interface Tunnel0
! by default EIGRP never advertises a route back out of the interface it learned it on, which on the hub's single mGRE interface hides every spoke from every other spoke
no ip split-horizon eigrp 1
! now the spokes see each other's networks, still via the hub:
R3#show ip route
D 192.168.1.0/24 [90/297372416] via 172.16.16.1, 00:05:59, Tunnel0
D 192.168.2.0/24 [90/310172416] via 172.16.16.1, 00:00:14, Tunnel0
*** Step 4:
Fixing the next-hop problem: EIGRP is a distance-vector protocol, so the hub advertises each spoke's network with itself as the next hop and spoke-to-spoke traffic still flows through the hub. Turning next-hop-self off on the hub's Tunnel0 preserves the originating spoke's tunnel address as the next hop:
R1(config-if)#no ip next-hop-self eigrp 1
R3#sh ip route
D 192.168.1.0/24 [90/297372416] via 172.16.16.1, 00:01:39, Tunnel0
D 192.168.2.0/24 [90/310172416] via 172.16.16.2, 00:01:40, Tunnel0
C 192.168.3.0/24 is directly connected, Loopback0
Now R3's route to 192.168.2.0/24 points at R2's tunnel address; NHRP resolves that to R2's public address, a spoke-to-spoke tunnel is built and the hub is out of the data path.
- The "next-hop-self eigrp" command is a relatively recent addition to IOS. If you are running an older release, the workaround is to use a link-state routing protocol such as OSPF, or to disable CEF on the spokes.
*** Step 5:
Adjusting the tunnel for TCP applications, as with any GRE tunnel. The GRE header (and, after Step 7, the ESP header and trailer) is added to every packet, so without this a full-size 1500-byte packet from the LAN would have to be fragmented. Lower the tunnel MTU and clamp the TCP MSS under interface Tunnel0 on the hub and every spoke; 1360 is 1400 minus the 20-byte IP and 20-byte TCP headers:
ip mtu 1400
ip tcp adjust-mss 1360
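Step 5 gives the numbers without the arithmetic behind them. The following is an added example, not code from the original post, that sizes a GRE-over-IPsec packet in transport mode and finds the largest inner MTU a 1500-byte path carries without fragmentation; it covers the page's esp-des case and, going beyond it, esp-aes with SHA-1 or SHA-256 integrity. The header sizes are assumptions stated in the code: a 20-byte outer IPv4 header, a 4-byte GRE header plus 4 bytes for the tunnel key, and ESP as an 8-byte header, IV, block-padded payload, 2 trailer bytes and ICV.

```python
OUTER_IP = 20        # outer IPv4 header (tunnel source address), assumed
ESP_HEADER = 8       # SPI + sequence number
ESP_TRAILER = 2      # pad length + next header
IP_PLUS_TCP = 40     # what "ip tcp adjust-mss" has to subtract from "ip mtu"


def gre_header_len(tunnel_key: bool) -> int:
    """GRE base header, plus the 4-byte Key field when "tunnel key" is set."""
    return 4 + (4 if tunnel_key else 0)


def wire_size(inner_len: int, tunnel_key: bool = True,
              iv_len: int = 16, block: int = 16, icv_len: int = 12) -> int:
    """Bytes on the wire for an inner IP packet of inner_len bytes carried by
    mGRE and protected by ESP in transport mode (assumed layout:
    outer IP | ESP header | IV | GRE + inner packet + padding + trailer | ICV).
    Defaults model esp-aes with esp-sha-hmac; use iv_len=8, block=8 for
    esp-des and icv_len=16 for esp-sha256-hmac."""
    plaintext = gre_header_len(tunnel_key) + inner_len
    # ESP pads payload + trailer up to a multiple of the cipher block size
    padded = (plaintext + ESP_TRAILER + block - 1) // block * block
    return OUTER_IP + ESP_HEADER + iv_len + padded + icv_len


def max_inner_mtu(outer_mtu: int = 1500, **esp) -> int:
    """Largest inner packet whose protected size never exceeds outer_mtu."""
    inner = outer_mtu
    while wire_size(inner, **esp) > outer_mtu:
        inner -= 1
    return inner


def tcp_mss(ip_mtu: int) -> int:
    """MSS to clamp with "ip tcp adjust-mss" for a given "ip mtu"."""
    return ip_mtu - IP_PLUS_TCP


if __name__ == "__main__":
    cases = {"esp-des + esp-sha-hmac": dict(iv_len=8, block=8, icv_len=12),
             "esp-aes + esp-sha-hmac": dict(iv_len=16, block=16, icv_len=12),
             "esp-aes + esp-sha256-hmac": dict(iv_len=16, block=16, icv_len=16)}
    for label, esp in cases.items():
        print(f"{label:26} 1400-byte inner packet -> {wire_size(1400, **esp)} bytes on the wire;"
              f" largest inner MTU without fragmentation = {max_inner_mtu(1500, **esp)}")
    print("ip mtu 1400 -> ip tcp adjust-mss", tcp_mss(1400))
```

With the page's values a 1400-byte inner packet leaves the router as 1464 bytes with DES and 1480 bytes with AES, comfortably under 1500, and the MSS clamp of 1360 is simply 1400 minus the 40 bytes of IP and TCP headers, so TCP never builds a segment the tunnel would have to fragment.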
*** Step 6:
Adding an NHRP authentication string and a GRE tunnel key on the hub and all spokes. Both values must match on every router, and neither is real security: the NHRP authentication string is carried in cleartext in every NHRP packet and only keeps routers with a different string out of this NHRP domain, and the GRE tunnel key is a plaintext 32-bit field that identifies the tunnel. Anyone who can capture the traffic can read and replay both, so the actual protection has to come from IPsec in Step 7. Under interface Tunnel0:
ip nhrp authentication mysecret
tunnel key 100000
*** Step 7:
IPsec encryption for the IP traffic inside the tunnel. The ISAKMP key is bound to the wildcard address 0.0.0.0 0.0.0.0 because the spokes' public addresses are dynamic and not known in advance, transport mode is used because GRE already supplies the outer IP header (tunnel mode would add a second one), and "tunnel protection" attaches the profile to the tunnel so no crypto map or ACL is needed. Keep in mind that the values below are lab values: esp-des is 56-bit DES, the ISAKMP policy inherits the IOS IKEv1 defaults (DES encryption, DH group 1) because it only sets the authentication method, and a pre-shared key of "cisco" is no key at all. For a real deployment use AES and SHA-2 transforms, a strong DH group, a long random key, and preferably certificate authentication, because with a single wildcard pre-shared key every spoke holds the same secret and one compromised spoke can authenticate as any peer.
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set myset esp-des esp-sha-hmac
mode transport
!
crypto ipsec profile profile1
set transform-set myset
!
interface Tunnel0
tunnel protection ipsec profile profile1
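The settings from Steps 6 and 7 are what a reviewer looks at first, so here is a small audit script that parses a config in the flat style used on this page and flags the weak points: a transform set using DES, an ISAKMP policy that silently inherits the IOS IKEv1 defaults (DES, SHA-1, DH group 1) because it only sets the authentication method, a short wildcard pre-shared key, and Tunnel interfaces without IPsec protection or an NHRP authentication string. It is an added example, not code from the original post or from Cisco. The sample configs inside it are constructed: WEAK_CONFIG is the page's Step 7 settings, HARDENED_CONFIG is an assumed IOS 15.x counterpart (AES-256, SHA-256, DH group 14, a long random key; check the exact command syntax on your release). The IOS default values, the 20-character key threshold and the block-splitting rules are assumptions of the script.

```python
from typing import List, Optional

# Commands that open a multi-line block in the page's flat listing style (assumption).
BLOCK_STARTERS = ("crypto isakmp policy", "crypto ipsec transform-set",
                  "crypto ipsec profile", "interface ", "router ")
WEAK_ESP = {"esp-des", "esp-3des", "esp-null", "esp-md5-hmac"}
WEAK_IKE_ENC, WEAK_IKE_HASH, WEAK_DH_GROUPS = {"des", "3des"}, {"md5"}, {"1", "2", "5"}
MIN_PSK_LEN = 20  # assumption: local policy threshold, not an IOS rule


def parse_blocks(config: str) -> List[List[str]]:
    """Split config text into [header, child, child, ...] lists: a BLOCK_STARTERS
    line opens a block, '!' closes it, any other 'crypto ...' line is a global
    one-liner, everything else is a child of the open block."""
    blocks: List[List[str]] = []
    current: Optional[List[str]] = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("!"):
            current = None
        elif line.startswith(BLOCK_STARTERS):
            current = [line]
            blocks.append(current)
        elif line.startswith("crypto ") or current is None:
            blocks.append([line])
            current = None
        else:
            current.append(line)
    return blocks


def _arg(body: List[str], keyword: str) -> Optional[str]:
    """First argument of the child command 'keyword ...', or None if absent."""
    for child in body:
        if child.startswith(keyword + " "):
            return child.split()[1]
    return None


def audit(config: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings: List[str] = []
    for block in parse_blocks(config):
        head, body = block[0], block[1:]
        words = head.split()
        if head.startswith("crypto isakmp policy"):
            name = words[3]
            for label, keyword, default, weak in (
                    ("IKE encryption", "encryption", "des", WEAK_IKE_ENC),
                    ("IKE hash", "hash", "sha", WEAK_IKE_HASH),
                    ("DH group", "group", "1", WEAK_DH_GROUPS)):
                value = _arg(body, keyword)
                chosen = value or default  # assumed IOS IKEv1 defaults when omitted
                if chosen in weak:
                    note = "" if value else " (IOS default, not configured)"
                    findings.append(f"isakmp policy {name}: weak {label} {chosen}{note}")
        elif head.startswith("crypto isakmp key"):
            # crypto isakmp key [0|6|7] <key> address <ip> <mask>
            key = words[4] if words[3] in ("0", "6", "7") else words[3]
            if head.endswith("address 0.0.0.0 0.0.0.0"):
                findings.append("isakmp key: wildcard PSK shared by every peer")
            if len(key) < MIN_PSK_LEN:
                findings.append(f"isakmp key: PSK shorter than {MIN_PSK_LEN} characters")
        elif head.startswith("crypto ipsec transform-set"):
            weak = sorted(WEAK_ESP.intersection(words[4:]))
            if weak:
                findings.append(f"transform-set {words[3]}: weak transforms {' '.join(weak)}")
        elif head.startswith("interface Tunnel"):
            if not any(c.startswith("tunnel protection ipsec profile") for c in body):
                findings.append(f"{words[1]}: GRE tunnel without IPsec protection")
            if not any(c.startswith("ip nhrp authentication") for c in body):
                findings.append(f"{words[1]}: no NHRP authentication string")
    return findings


# Constructed input: the Step 7 crypto settings and the hub tunnel as posted.
WEAK_CONFIG = """\
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set myset esp-des esp-sha-hmac
mode transport
!
interface Tunnel0
ip nhrp authentication mysecret
tunnel mode gre multipoint
tunnel protection ipsec profile profile1
"""

# Constructed hardened counterpart (assumed IOS 15.x syntax; check your release).
HARDENED_CONFIG = """\
crypto isakmp policy 10
encryption aes 256
hash sha256
authentication pre-share
group 14
crypto isakmp key Q7v2xLp9mZr4tWk8sNc3bHy6 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set myset esp-aes 256 esp-sha256-hmac
mode transport
!
interface Tunnel0
ip nhrp authentication mysecret
tunnel mode gre multipoint
tunnel protection ipsec profile profile1
"""

if __name__ == "__main__":
    for title, cfg in (("as posted", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {title}:", *(audit(cfg) or ["no findings"]), sep="\n  ")
```

On the hardened config the only finding left is the wildcard key, and that one is structural: with dynamic spoke addresses every spoke has to present the same pre-shared key, so one compromised spoke can authenticate as any peer. The way out is certificate authentication (authentication rsa-sig with a PKI), not a longer key.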
Final Configurations:
Hub:
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set myset esp-des esp-sha-hmac
mode transport
!
crypto ipsec profile profile1
set transform-set myset
!
interface Loopback0
ip address 192.168.1.1 255.255.255.0
!
interface Tunnel0
ip address 172.16.16.1 255.255.255.0
ip mtu 1400
no ip redirects
no ip next-hop-self eigrp 1
ip nhrp authentication mysecret
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip tcp adjust-mss 1360
no ip split-horizon eigrp 1
tunnel source Serial1/0
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile profile1
!
interface Serial1/0
ip address 1.1.1.1 255.255.255.0
!
router eigrp 1
network 172.16.0.0
network 192.168.1.0
no auto-summary
!
Spoke (R2):
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set myset esp-des esp-sha-hmac
mode transport
!
crypto ipsec profile profile1
set transform-set myset
!
interface Loopback0
ip address 192.168.2.1 255.255.255.0
!
interface Tunnel0
ip address 172.16.16.2 255.255.255.0
ip mtu 1400
no ip redirects
ip nhrp authentication mysecret
ip nhrp map 172.16.16.1 1.1.1.1
ip nhrp map multicast 1.1.1.1
ip nhrp network-id 1
ip nhrp nhs 172.16.16.1
ip tcp adjust-mss 1360
tunnel source Serial0/0
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile profile1
!
interface Serial0/0
ip address 1.1.1.2 255.255.255.0
!
router eigrp 1
network 172.16.0.0
network 192.168.2.0
no auto-summary
!
Spoke (R3):
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set myset esp-des esp-sha-hmac
mode transport
!
crypto ipsec profile profile1
set transform-set myset
!
interface Loopback0
ip address 192.168.3.1 255.255.255.0
!
interface Tunnel0
ip address 172.16.16.3 255.255.255.0
ip mtu 1400
no ip redirects
ip nhrp authentication mysecret
ip nhrp map 172.16.16.1 1.1.1.1
ip nhrp map multicast 1.1.1.1
ip nhrp network-id 1
ip nhrp nhs 172.16.16.1
ip tcp adjust-mss 1360
tunnel source Serial0/0
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile profile1
!
interface Serial0/0
ip address 1.1.1.3 255.255.255.0
!
router eigrp 1
network 172.16.0.0
network 192.168.3.0
no auto-summary


Posted by Achiko on February 3, 2010 at 1:24 pm
Thank you very much. This is a very good post and very helpful for beginners.