1. Overview
Dynamic Multipoint VPN (DMVPN) in a hub-and-spoke topology is one of the most scalable and efficient VPN types supported by Cisco: it connects many branch offices to a central HQ with minimal configuration complexity, because only the hub needs to be known in advance and spokes register with it dynamically. It is a good solution for connecting a central HQ to many remote offices with a dynamic routing protocol such as OSPF.
This article demonstrates how to configure DMVPN hub and spoke with the OSPF dynamic routing protocol between Cisco routers.
2. Prerequisites
In this tutorial, it is assumed that:
a. You already have a Cisco router on the GNS3 VM up and running. If you don't, please follow this link: Installing GNS3 VM on VMware Workstation.
b. You understand the encryption and authentication that happen in phase 1 and phase 2 of an IPSec VPN.
3. Lab Scenario Set up
Below is the network diagram of GNS3 Lab that will be used to demonstrate configuring DMVPN hub and spoke with IPSec and OSPF dynamic routing protocol between Cisco routers.
In the headquarters there is a Cisco router with host name HQRT-VPN01, and there is a Cisco router in each branch office with host names BRRT-VPN01 and BRRT-VPN02. The following is the IP configuration of each device.
On PC1, PC2, and PC3
PC1> ip 10.10.10.10/24 10.10.10.1
PC2> ip 20.20.20.10/24 20.20.20.1
PC3> ip 30.30.30.10/24 30.30.30.1
On HQRT-VPN01
interface FastEthernet0/0
 no shutdown
 ip address 10.10.10.1 255.255.255.0
interface FastEthernet0/1
 no shutdown
 ! same /24 as the spokes, so both 1.1.1.2 and 1.1.1.3 are on-link for the hub
 ip address 1.1.1.1 255.255.255.0
On BRRT-VPN01
interface FastEthernet0/0
 no shutdown
 ip address 20.20.20.1 255.255.255.0
interface FastEthernet0/1
 no shutdown
 ip address 1.1.1.2 255.255.255.0
On BRRT-VPN02
interface FastEthernet0/0
 no shutdown
 ip address 30.30.30.1 255.255.255.0
interface FastEthernet0/1
 no shutdown
 ip address 1.1.1.3 255.255.255.0
4. IPSec DMVPN Form
The following table lists the IPSec parameters that will be used for DMVPN in the configuration. Note that 3DES, SHA-1 and Diffie-Hellman group 2 are legacy choices used here for lab compatibility; production deployments should prefer AES, SHA-2 and DH group 14 or higher.
Configuration | Headquarter | All Branch Offices
--- | --- | ---
Phase 1 | |
IKE Encryption Algorithm | 3DES | 3DES
IKE Hash Algorithm | SHA-1 | SHA-1
IKE Security Lifetime (seconds) | 86400 | 86400
Diffie-Hellman Group | 2 | 2
Pre-shared key | vpn@HQ2BR | vpn@HQ2BR
Phase 2 | |
IPSEC Security Protocol | ESP | ESP
IPSEC Encryption Algorithm | AES-256 | AES-256
IPSEC Hash Algorithm | SHA-1 | SHA-1
IPSEC Security Lifetime in seconds (optional) | 14400 / 28800 (default) / 86400 / other | 14400 / 28800 (default) / 86400 / other
Perfect Forward Secrecy (PFS) (optional) | PFS: No / Yes; group 2 (default) / 5 / 7 | PFS: No / Yes; group 2 (default) / 5 / 7
5. Configuration
5.1 Configure DMVPN
To configure DMVPN, apply the following configuration on each Cisco router.
On HQRT-VPN01
interface Tunnel1
 description DPLC-ISP01
 ip address 2.2.2.1 255.255.255.0
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ! the OSPF network type must match on the hub and every spoke; the tunnel
 ! default (point-to-point) allows only one OSPF neighbor on the hub
 ip ospf network point-to-multipoint
 tunnel source FastEthernet0/1
 tunnel mode gre multipoint
Command | Explanation
--- | ---
interface Tunnel1 | Create the tunnel interface
description DPLC-ISP01 | Provide a description for the tunnel interface
ip address 2.2.2.1 255.255.255.0 | Configure an IP address for the tunnel interface
ip nhrp map multicast dynamic | Enable forwarding of multicast traffic (such as OSPF hellos) to every spoke that registers dynamically
ip nhrp network-id 1 | Configure the NHRP network identifier; it has to be the same on all the routers
ip ospf network point-to-multipoint | Set the OSPF network type; it has to be the same on the hub and all the spokes
tunnel source FastEthernet0/1 | The source of the tunnel, which is the WAN interface of the router
tunnel mode gre multipoint | Set the tunnel as an mGRE tunnel
On BRRT-VPN01
interface Tunnel1
 description DPLC-ISP01
 ip address 2.2.2.2 255.255.255.0
 ip nhrp map 2.2.2.1 1.1.1.1
 ip nhrp map multicast 1.1.1.1
 ip nhrp network-id 1
 ip nhrp nhs 2.2.2.1
 ! same OSPF network type as the hub, otherwise the hello timers do not match
 ip ospf network point-to-multipoint
 tunnel source FastEthernet0/1
 tunnel mode gre multipoint
Command | Explanation
--- | ---
interface Tunnel1 | Create the tunnel interface
description DPLC-ISP01 | Provide a description for the tunnel interface
ip address 2.2.2.2 255.255.255.0 | Configure an IP address for the tunnel interface
ip nhrp map 2.2.2.1 1.1.1.1 | Statically map the tunnel IP address of the hub to the WAN IP address of the hub
ip nhrp map multicast 1.1.1.1 | Allow multicast traffic to the hub only. The hub receives all multicast traffic such as routing protocol updates and then sends the updates out to all the spoke routers; multicast does not flow from spoke to spoke. If you want to allow multicast traffic between spokes, change this line to ip nhrp map multicast dynamic.
ip nhrp network-id 1 | Configure the NHRP network identifier; it has to be the same on all the routers
ip nhrp nhs 2.2.2.1 | Configure the NHRP client with the IP address of its NHRP server (the hub's tunnel address)
ip ospf network point-to-multipoint | Set the OSPF network type; it has to be the same on the hub and all the spokes
tunnel source FastEthernet0/1 | The source of the tunnel, which is the WAN interface of the router
tunnel mode gre multipoint | Set the tunnel as an mGRE tunnel
On BRRT-VPN02
interface Tunnel1
 description DPLC-ISP01
 ip address 2.2.2.3 255.255.255.0
 ip nhrp map 2.2.2.1 1.1.1.1
 ip nhrp map multicast 1.1.1.1
 ip nhrp network-id 1
 ip nhrp nhs 2.2.2.1
 ip ospf network point-to-multipoint
 tunnel source FastEthernet0/1
 tunnel mode gre multipoint
Command | Explanation
--- | ---
interface Tunnel1 | Create the tunnel interface
description DPLC-ISP01 | Provide a description for the tunnel interface
ip address 2.2.2.3 255.255.255.0 | Configure an IP address for the tunnel interface
ip nhrp map 2.2.2.1 1.1.1.1 | Statically map the tunnel IP address of the hub to the WAN IP address of the hub
ip nhrp map multicast 1.1.1.1 | Allow multicast traffic to the hub only. The hub receives all multicast traffic such as routing protocol updates and then sends the updates out to all the spoke routers; multicast does not flow from spoke to spoke. If you want to allow multicast traffic between spokes, change this line to ip nhrp map multicast dynamic.
ip nhrp network-id 1 | Configure the NHRP network identifier; it has to be the same on all the routers
ip nhrp nhs 2.2.2.1 | Configure the NHRP client with the IP address of its NHRP server (the hub's tunnel address)
ip ospf network point-to-multipoint | Set the OSPF network type; it has to be the same on the hub and all the spokes
tunnel source FastEthernet0/1 | The source of the tunnel, which is the WAN interface of the router
tunnel mode gre multipoint | Set the tunnel as an mGRE tunnel
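Several of the tunnel settings above must agree across the hub and every spoke (NHRP network-id, the hub's tunnel-to-WAN mapping, the NHS address, mGRE mode and the OSPF network type). The following Python script is an added example, not part of the original article, that reads the Tunnel1 configuration of the three lab routers and reports any mismatch; the sample configs are constructed from this lab, and BRRT-VPN01 deliberately lacks the OSPF network type line so that one check fires.

```python
import re
# Constructed sample: the Tunnel1 configuration of this lab's hub and two spokes.
# BRRT-VPN01 deliberately lacks "ip ospf network point-to-multipoint" so a check fires.
CONFIGS = {
    "HQRT-VPN01": """interface Tunnel1
 ip address 2.2.2.1 255.255.255.0
 ip nhrp network-id 1
 ip ospf network point-to-multipoint
 tunnel mode gre multipoint""",
    "BRRT-VPN01": """interface Tunnel1
 ip address 2.2.2.2 255.255.255.0
 ip nhrp map 2.2.2.1 1.1.1.1
 ip nhrp network-id 1
 ip nhrp nhs 2.2.2.1
 tunnel mode gre multipoint""",
    "BRRT-VPN02": """interface Tunnel1
 ip address 2.2.2.3 255.255.255.0
 ip nhrp map 2.2.2.1 1.1.1.1
 ip nhrp network-id 1
 ip nhrp nhs 2.2.2.1
 ip ospf network point-to-multipoint
 tunnel mode gre multipoint""",
}
def setting(cfg, key):
    """Return the argument of the first config line that starts with key, or None."""
    m = re.search(r"^\s*" + re.escape(key) + r"\s+(.+)$", cfg, re.M)
    return m.group(1).strip() if m else None

def check_dmvpn(configs, hub, hub_wan):
    """Return findings for the tunnel configs; an empty list means they are consistent."""
    hub_cfg = configs[hub]
    hub_tun = setting(hub_cfg, "ip address").split()[0]
    net_id = setting(hub_cfg, "ip nhrp network-id")
    # a tunnel interface runs OSPF as point-to-point when no network type is set
    ospf_type = setting(hub_cfg, "ip ospf network") or "point-to-point"
    findings = []
    for name, cfg in configs.items():
        if setting(cfg, "ip nhrp network-id") != net_id:
            findings.append(f"{name}: nhrp network-id must equal the hub's ({net_id})")
        if setting(cfg, "tunnel mode") != "gre multipoint":
            findings.append(f"{name}: tunnel mode must be gre multipoint")
        if (setting(cfg, "ip ospf network") or "point-to-point") != ospf_type:
            findings.append(f"{name}: OSPF network type differs from the hub ({ospf_type})")
        if name != hub and setting(cfg, "ip nhrp nhs") != hub_tun:
            findings.append(f"{name}: nhs must be the hub tunnel address {hub_tun}")
        if name != hub and setting(cfg, "ip nhrp map " + hub_tun) != hub_wan:
            findings.append(f"{name}: hub tunnel address must be mapped to {hub_wan}")
    return findings
```

Run it as check_dmvpn(CONFIGS, "HQRT-VPN01", "1.1.1.1"); in a real deployment the config strings would come from show running-config interface Tunnel1 on each router.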
5.2 Configure OSPF Dynamic Routing Protocol
After the tunnel interfaces are created, the next step is to configure the OSPF dynamic routing protocol over them, so that the local network of each router reaches the others through the tunnel interfaces and not through the physical WAN interfaces.
On HQRT-VPN01
router ospf 10
 network 2.2.2.0 0.0.0.255 area 0
 network 10.10.10.0 0.0.0.255 area 0
On BRRT-VPN01
router ospf 10
 network 2.2.2.0 0.0.0.255 area 0
 network 20.20.20.0 0.0.0.255 area 0
On BRRT-VPN02
router ospf 10
 network 2.2.2.0 0.0.0.255 area 0
 network 30.30.30.0 0.0.0.255 area 0
5.3 Configure IPSec Encryption
Now it is time to apply an IPSec protection policy to the tunnel interface on each router so that the tunnels are encrypted.
Apply the following configuration on HQRT-VPN01.
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp key vpn@HQ2BR address 1.1.1.0 255.255.255.0
crypto ipsec transform-set HQ-TRSET01-AES256-SHA esp-aes 256 esp-sha-hmac
crypto ipsec profile PR-HQ-DMVPN
 set transform-set HQ-TRSET01-AES256-SHA
interface Tunnel1
 tunnel protection ipsec profile PR-HQ-DMVPN
Command | Explanation
--- | ---
crypto isakmp key vpn@HQ2BR address 1.1.1.0 255.255.255.0 | Accept IPSec tunnel connections from the whole 1.1.1.0/24 subnet so that dynamically added spokes are also accommodated. Every spoke in that subnet then shares the same pre-shared key, so treat it with the same care as any other shared credential.
interface Tunnel1 / tunnel protection ipsec profile PR-HQ-DMVPN | Encrypt the traffic passing through this tunnel using IPSec
Apply the following configuration on BRRT-VPN01 and BRRT-VPN02.
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp key vpn@HQ2BR address 1.1.1.0 255.255.255.0
crypto ipsec transform-set BR-TRSET01-AES256-SHA esp-aes 256 esp-sha-hmac
crypto ipsec profile PR-BR-DMVPN
 set transform-set BR-TRSET01-AES256-SHA
interface Tunnel1
 tunnel protection ipsec profile PR-BR-DMVPN
5.4 Test and Verify the Configuration
Check that the tunnel interface is up and that the routers can ping each other across the tunnel, as shown below on HQRT-VPN01.
# sh ip int bri
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            10.10.10.1      YES NVRAM  up                    up
FastEthernet0/1            1.1.1.1         YES NVRAM  up                    up
Tunnel1                    2.2.2.1         YES NVRAM  up                    up

# ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/17/20 ms

# ping 2.2.2.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/20/32 ms
Check that the PC in headquarters can ping the PCs in each remote branch. The first echoes time out while the tunnel and the routes are being set up.
PC1> ping 20.20.20.10
20.20.20.10 icmp_seq=1 timeout
20.20.20.10 icmp_seq=2 timeout
84 bytes from 20.20.20.10 icmp_seq=3 ttl=62 time=26.692 ms
84 bytes from 20.20.20.10 icmp_seq=4 ttl=62 time=28.432 ms
84 bytes from 20.20.20.10 icmp_seq=5 ttl=62 time=30.255 ms

PC1> ping 30.30.30.10
30.30.30.10 icmp_seq=1 timeout
30.30.30.10 icmp_seq=2 timeout
84 bytes from 30.30.30.10 icmp_seq=3 ttl=62 time=31.721 ms
84 bytes from 30.30.30.10 icmp_seq=4 ttl=62 time=29.571 ms
84 bytes from 30.30.30.10 icmp_seq=5 ttl=62 time=32.690 ms
Execute the following command on the hub to see that a DMVPN tunnel has been established to each spoke; both peers should be in state UP.
# sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer

Tunnel1, Type:Hub, NHRP Peers:2,
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 1.1.1.2             2.2.2.2    UP    never D
     1 1.1.1.3             2.2.2.3    UP    never D
Check the OSPF routing table to make sure the routes learned point via the tunnel interfaces and not via the physical WAN interfaces. The /32 host routes for the spoke tunnel addresses are what the point-to-multipoint network type advertises.
# sh ip route ospf
     2.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
O       2.2.2.2/32 [110/11111] via 2.2.2.2, 06:34:24, Tunnel1
O       2.2.2.3/32 [110/11111] via 2.2.2.3, 06:33:37, Tunnel1
     20.0.0.0/24 is subnetted, 1 subnets
O       20.20.20.0 [110/11112] via 2.2.2.2, 06:34:24, Tunnel1
     30.0.0.0/24 is subnetted, 1 subnets
O       30.30.30.0 [110/11112] via 2.2.2.3, 06:33:37, Tunnel1
Execute the following command to verify that the IPSec sessions to both spokes are UP-ACTIVE and that packets are being encrypted and decrypted.
# sh crypto session detail
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication
F - IKE Fragmentation

Interface: Tunnel1
Uptime: 04:26:04
Session status: UP-ACTIVE
Peer: 1.1.1.2 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: 1.1.1.2
      Desc: (none)
  IKE SA: local 1.1.1.1/500 remote 1.1.1.2/500 Active
          Capabilities:(none) connid:1001 lifetime:19:33:55
  IPSEC FLOW: permit 47 host 1.1.1.1 host 1.1.1.2
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 616 drop 0 life (KB/Sec) 4577777/1373
        Outbound: #pkts enc'ed 633 drop 1 life (KB/Sec) 4577776/1373

Interface: Tunnel1
Uptime: 04:25:52
Session status: UP-ACTIVE
Peer: 1.1.1.3 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: 1.1.1.3
      Desc: (none)
  IKE SA: local 1.1.1.1/500 remote 1.1.1.3/500 Active
          Capabilities:(none) connid:1002 lifetime:19:34:07
  IPSEC FLOW: permit 47 host 1.1.1.1 host 1.1.1.3
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 617 drop 0 life (KB/Sec) 4401354/1564
        Outbound: #pkts enc'ed 633 drop 1 life (KB/Sec) 4401354/1564
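Reading these two outputs by eye works for two spokes but not for dozens. The following Python script is an added example, not part of the original article, that parses the show dmvpn peer table and the show crypto session detail output and reports every expected spoke that is not registered, registers from an unexpected WAN address, or has no UP-ACTIVE IPSec session. The sample outputs are constructed from this lab's output; the session to BRRT-VPN02 is deliberately set to DOWN-NEGOTIATING so that the check reports it.

```python
import re
# Constructed sample trimmed from this lab's "show dmvpn" on the hub HQRT-VPN01
SHOW_DMVPN = """Tunnel1, Type:Hub, NHRP Peers:2,
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 1.1.1.2             2.2.2.2    UP    never D
     1 1.1.1.3             2.2.2.3    UP    never D
"""
# Constructed sample trimmed from "show crypto session detail"; the session to
# BRRT-VPN02 is made DOWN-NEGOTIATING here so that the check reports it
SHOW_CRYPTO = """Session status: UP-ACTIVE
Peer: 1.1.1.2 port 500 fvrf: (none) ivrf: (none)
  IPSEC FLOW: permit 47 host 1.1.1.1 host 1.1.1.2
        Outbound: #pkts enc'ed 633 drop 1 life (KB/Sec) 4577776/1373
Session status: DOWN-NEGOTIATING
Peer: 1.1.1.3 port 500 fvrf: (none) ivrf: (none)
"""

def nhrp_peers(show_dmvpn):
    """Map each peer tunnel address to (NBMA address, state) from 'show dmvpn'."""
    peers = {}
    pattern = r"^\s*\d+\s+([\d.]+)\s+([\d.]+)\s+(\S+)\s+\S+\s+\S+\s*$"
    for m in re.finditer(pattern, show_dmvpn, re.M):
        peers[m.group(2)] = (m.group(1), m.group(3))
    return peers

def crypto_sessions(show_crypto):
    """Map each IKE peer address to its session status; the status line precedes Peer."""
    sessions, status = {}, None
    for line in show_crypto.splitlines():
        if line.startswith("Session status:"):
            status = line.split(":", 1)[1].strip()
        m = re.match(r"Peer: ([\d.]+) port", line)
        if m:
            sessions[m.group(1)] = status
    return sessions

def verify_spokes(expected, show_dmvpn, show_crypto):
    """expected maps spoke tunnel address -> WAN (NBMA) address; returns a list of problems."""
    peers, sessions = nhrp_peers(show_dmvpn), crypto_sessions(show_crypto)
    problems = []
    for tun, nbma in expected.items():
        if tun not in peers or peers[tun][1] != "UP":
            problems.append(f"{tun}: NHRP registration missing or not UP")
        elif peers[tun][0] != nbma:  # a spoke registering from an unexpected address
            problems.append(f"{tun}: registered from unexpected NBMA address {peers[tun][0]}")
        if sessions.get(nbma) != "UP-ACTIVE":
            problems.append(f"{nbma}: IPsec session is {sessions.get(nbma, 'absent')}")
    return problems
```

Call verify_spokes({"2.2.2.2": "1.1.1.2", "2.2.2.3": "1.1.1.3"}, SHOW_DMVPN, SHOW_CRYPTO) with the real command outputs captured from the hub.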
6. Conclusion
Having finished this article, you should be able to configure DMVPN hub and spoke with the OSPF dynamic routing protocol between Cisco routers. It is a great idea to practice with the GNS3 VM to verify your understanding. If you have any questions or suggestions, you can always leave your comments below. I will try my best to review and reply to them.