DMVPN over IPsec (Networklessons)
In our first DMVPN lesson we talked about the basics of DMVPN and its different phases. DMVPN is a “routing technique” that relies on multipoint GRE and NHRP; IPsec is not mandatory.
However, since you probably use DMVPN with the Internet as the underlay network, it is wise to encrypt your tunnels. In this lesson I’ll show you how to configure IPsec to encrypt your multipoint GRE tunnels. Here’s the topology we will use:
DMVPN Example Topology with hub, two spokes and loopback interfaces.
Above we have a hub and spoke topology which I used in all of my previous DMVPN examples. We’ll use a DMVPN phase 2 network with RIP as the routing protocol to test IPsec.
Configuration
Tunnel Interfaces
Let’s start with the tunnel interfaces on all routers. This is a basic DMVPN phase 2 configuration:
Hub(config)#interface Tunnel 0
Hub(config-if)#ip address 172.16.123.1 255.255.255.0
Hub(config-if)#ip nhrp authentication DMVPN
Hub(config-if)#ip nhrp map multicast dynamic
Hub(config-if)#ip nhrp network-id 1
Hub(config-if)#tunnel source GigabitEthernet0/1
Hub(config-if)#tunnel mode gre multipoint
Here are the spoke routers:
Spoke1(config)#interface Tunnel 0
Spoke1(config-if)#ip address 172.16.123.2 255.255.255.0
Spoke1(config-if)#ip nhrp authentication DMVPN
Spoke1(config-if)#ip nhrp map 172.16.123.1 192.168.123.1
Spoke1(config-if)#ip nhrp map multicast 192.168.123.1
Spoke1(config-if)#ip nhrp network-id 1
Spoke1(config-if)#ip nhrp nhs 172.16.123.1
Spoke1(config-if)#tunnel source GigabitEthernet0/1
Spoke1(config-if)#tunnel mode gre multipoint
Spoke2(config)#interface Tunnel 0
Spoke2(config-if)#ip address 172.16.123.3 255.255.255.0
Spoke2(config-if)#ip nhrp authentication DMVPN
Spoke2(config-if)#ip nhrp map 172.16.123.1 192.168.123.1
Spoke2(config-if)#ip nhrp map multicast 192.168.123.1
Spoke2(config-if)#ip nhrp network-id 1
Spoke2(config-if)#ip nhrp nhs 172.16.123.1
Spoke2(config-if)#tunnel source GigabitEthernet0/1
Spoke2(config-if)#tunnel mode gre multipoint
Now we can configure RIP…
RIP
We will advertise all interfaces in RIP. Here’s the hub router:
Hub(config)#router rip
Hub(config-router)#version 2
Hub(config-router)#network 1.0.0.0
Hub(config-router)#network 172.16.0.0
Hub(config-router)#no auto-summary
Hub(config)#interface Tunnel 0
Hub(config-if)#no ip split-horizon
Don’t forget to disable split horizon. Here are the spoke routers:
Spoke2(config)#router rip
Spoke2(config-router)#version 2
Spoke2(config-router)#network 3.0.0.0
Spoke2(config-router)#network 172.16.0.0
Spoke2(config-router)#no auto-summary
Spoke1(config)#router rip
Spoke1(config-router)#version 2
Spoke1(config-router)#network 2.0.0.0
Spoke1(config-router)#network 172.16.0.0
Spoke1(config-router)#no auto-summary
That should do it. Now before we start messing around with IPsec, we should check if everything is working without encryption. Let’s check if the hub router has two NHRP registrations:
Hub#show dmvpn | begin Peer
Type:Hub, NHRP Peers:2,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 192.168.123.2 172.16.123.2 UP 00:06:15 D
1 192.168.123.3 172.16.123.3 UP 00:06:22 D
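As an added example (not from the original lesson), here is a small Python check that parses the peer table of `show dmvpn | begin Peer` and confirms that every expected spoke is registered with the right tunnel address and in state UP. The sample output is a constructed copy of the hub output above; `check_registrations` and the expected-spoke table are hypothetical helpers for a pre-IPsec sanity test, not vendor tooling.

```python
"""Parse the peer table of 'show dmvpn | begin Peer' and verify NHRP registrations.

Added example for the lesson; not part of the original text. The sample output is a
constructed copy of the hub's output, and the helpers are hypothetical.
"""
import re

# Constructed copy of the hub's 'show dmvpn | begin Peer' output from the lesson.
SAMPLE_OUTPUT = """\
Type:Hub, NHRP Peers:2,
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 192.168.123.2    172.16.123.2    UP 00:06:15     D
     1 192.168.123.3    172.16.123.3    UP 00:06:22     D
"""

# One data row: entry count, NBMA address, tunnel address, state, up/down time, attributes.
ROW_RE = re.compile(
    r"^\s*(?P<ent>\d+)\s+(?P<nbma>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<tunnel>\d+\.\d+\.\d+\.\d+)\s+(?P<state>\S+)\s+(?P<updn>\S+)\s+(?P<attrb>\S+)\s*$"
)

# Expected spokes: NBMA (underlay) address -> tunnel address, from the lesson's topology.
EXPECTED_SPOKES = {
    "192.168.123.2": "172.16.123.2",
    "192.168.123.3": "172.16.123.3",
}


def parse_dmvpn_peers(output):
    """Return one dict per peer row; header, separator and summary lines are skipped."""
    peers = []
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if m:
            peers.append(m.groupdict())
    return peers


def check_registrations(output, expected):
    """Compare the parsed peer table against `expected` (NBMA -> tunnel address).

    Returns a list of problem strings; an empty list means every expected spoke is
    registered with the expected tunnel address and is UP, and nothing else registered.
    """
    peers = {p["nbma"]: p for p in parse_dmvpn_peers(output)}
    problems = []
    for nbma, tunnel in expected.items():
        p = peers.get(nbma)
        if p is None:
            problems.append(f"{nbma}: no NHRP registration")
        elif p["tunnel"] != tunnel:
            problems.append(f"{nbma}: registered tunnel address {p['tunnel']}, expected {tunnel}")
        elif p["state"] != "UP":
            problems.append(f"{nbma}: state {p['state']}, expected UP")
    # A registration from an address we did not plan for deserves a look too.
    for nbma in sorted(peers.keys() - expected.keys()):
        problems.append(f"{nbma}: unexpected peer registered")
    return problems


if __name__ == "__main__":
    report = check_registrations(SAMPLE_OUTPUT, EXPECTED_SPOKES)
    for line in report or ["all expected spokes registered and UP"]:
        print(line)
```

Run it on the hub's output before turning on IPsec; once the tunnel protection is in place, running the same check again is a quick way to confirm that the NHRP registrations survived the change.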
That’s looking good. Do we have some RIP routes?
Hub#show ip route rip
2.0.0.0/32 is subnetted, 1 subnets
R 2.2.2.2 [120/1] via 172.16.123.2, 00:00:02, Tunnel0
3.0.0.0/32 is subnetted, 1 subnets
R 3.3.3.3 [120/1] via 172.16.123.3, 00:00:11, Tunnel0
Spoke1#show ip route rip
1.0.0.0/32 is subnetted, 1 subnets
R 1.1.1.1 [120/1] via 172.16.123.1, 00:00:07, Tunnel0
3.0.0.0/32 is subnetted, 1 subnets
R 3.3.3.3 [120/2] via 172.16.123.3, 00:00:07, Tunnel0
Spoke2#show ip route rip
1.0.0.0/32 is subnetted, 1 subnets
R 1.1.1.1 [120/1] via 172.16.123.1, 00:00:28, Tunnel0
2.0.0.0/32 is subnetted, 1 subnets
R 2.2.2.2 [120/2] via 172.16.123.2, 00:00:28, Tunnel0
Yes we do! Everything is looking good so now we can focus on encryption.
IPsec
IPsec has two phases, phase 1 and 2 (don’t confuse them with the DMVPN phases).
Phase 1
We need an ISAKMP policy that matches on all our routers. Let’s pick something:
Hub, Spoke1 & Spoke2
(config)#crypto isakmp policy 10
(config-isakmp)#authentication pre-share
(config-isakmp)#encryption aes 128
(config-isakmp)#group 5
(config-isakmp)#hash sha256
When it comes to authentication we can choose between pre-shared keys or PKI (certificates). To keep it simple, I’ll go for pre-shared keys:
Hub(config)#crypto isakmp key DMVPN_KEY address ?
A.B.C.D Peer IP address
ipv6 define shared key with IPv6 address
When you configure the pre-shared key, the peer address you enter is the NBMA (underlay) address, not the tunnel address: IPsec protects the GRE packets on the underlay, so the peer is identified before multipoint GRE / NHRP come into play. For the peer address we have two options:
Configure a pre-shared key for each “router pair” you have: this means we use a unique key for hub-spoke1, hub-spoke2 and spoke1-spoke2. This is secure, but it is not a very scalable solution: the more spoke routers we add to the network, the more keys we have to configure.
Configure a “wildcard” pre-shared key: this allows us to use a single key for all routers. This is the most convenient, but it also means that if you want to change the key, you have to do it on all your routers, and since every router holds the same secret, a single compromised spoke exposes the key that all of them use.
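To make the trade-off concrete, here is an added Python example (not from the lesson) that plans pre-shared keys both ways for the lesson's three routers: it generates each router's `crypto isakmp key ... address <NBMA>` lines for the per-pair scheme, the single wildcard line (assuming the standard IOS form `address 0.0.0.0 0.0.0.0`), counts how many keys the per-pair scheme needs as the cloud grows, and reports which router pairs are affected if one spoke's configuration is disclosed. The key names are placeholders, not secrets, and the function names are my own.

```python
"""Plan ISAKMP pre-shared keys for a DMVPN cloud: one key per router pair versus a
single wildcard key, and what each scheme exposes if one spoke is compromised.

Added example, not part of the original lesson. NBMA addresses come from the lesson's
topology; key names are placeholders; 'address 0.0.0.0 0.0.0.0' is assumed as the
wildcard peer form of the IOS 'crypto isakmp key' command.
"""
from itertools import combinations

# NBMA (underlay) addresses of the lesson's routers.
ROUTERS = {
    "Hub": "192.168.123.1",
    "Spoke1": "192.168.123.2",
    "Spoke2": "192.168.123.3",
}


def pairwise_keys(routers):
    """Return {frozenset({a, b}): placeholder_key} with one distinct key per router pair.

    The number of keys is n*(n-1)/2 for n routers, which is why this scheme does not scale.
    """
    return {
        frozenset((a, b)): f"KEY_{a}_{b}"  # placeholder name, not a real secret
        for a, b in combinations(sorted(routers), 2)
    }


def pairwise_config(router, routers, keys):
    """IOS lines for one router: one 'crypto isakmp key' per peer, keyed on the peer's NBMA address."""
    lines = []
    for peer, nbma in sorted(routers.items()):
        if peer == router:
            continue
        key = keys[frozenset((router, peer))]
        lines.append(f"crypto isakmp key {key} address {nbma}")
    return lines


def wildcard_config(key="WILDCARD_KEY"):
    """One line that matches any peer address; identical on every router."""
    return [f"crypto isakmp key {key} address 0.0.0.0 0.0.0.0"]


def exposed_pairs(compromised, routers, scheme):
    """Router pairs whose IKE pre-shared secret is disclosed if `compromised` is breached.

    Per-pair scheme: only the pairs that include the compromised router.
    Wildcard scheme: every pair, because they all share the one key.
    """
    all_pairs = {frozenset(p) for p in combinations(routers, 2)}
    if scheme == "wildcard":
        return all_pairs
    return {p for p in all_pairs if compromised in p}


if __name__ == "__main__":
    keys = pairwise_keys(ROUTERS)
    print(f"per-pair keys for {len(ROUTERS)} routers: {len(keys)}")
    for router in ROUTERS:
        print(f"--- {router} (per-pair) ---")
        print("\n".join(pairwise_config(router, ROUTERS, keys)))
    print("--- every router (wildcard) ---")
    print("\n".join(wildcard_config()))
    for scheme in ("pairwise", "wildcard"):
        n = len(exposed_pairs("Spoke1", ROUTERS, scheme))
        print(f"{scheme}: Spoke1 compromised exposes {n} of {len(keys)} pair secrets")
```

With three routers the per-pair scheme needs only three keys, but eleven routers already need 55, each to be configured on two devices. The wildcard line is the same on every router, which is exactly why a key change (or a leaked spoke config) touches all of them.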