Dynamic multi-point VPN is a cost-effective solution for interconnecting lots of branch offices together with ease of configuration and security. It reduces the configuration complexity and increases flexibility and scalability.
With DMVPN a central hub router in the head office manages all the spoke location router with the dynamic IP address and can access company resources anywhere from the locations.
DMVPN utilizes mGRE tunnels, NHRP, and IPSec encryption to interconnect spoke and hub routers together without compromising security and flexibility.
DMVPN Components
mGRE tunnels
Next hop Resolution Protocol (NHRP)
Routing Protocols
Dynamic IPSec encryption
mGRE Tunnels
No need to configure the Tunnel destination.
Mapping is through NHRP Protocol.
Endpoints are configured as mGRE tunnels
Only needed tunnel source and mode to mGRE for enable configuration.
NHRP Next hop resolution Protocol
Map the tunnel with the NBMA address.
Building Dynamic database of spoke address with dynamic public IP addresses
Routers can be configured as
Next hop server NHS
Next hop clients NHC
NHS act as a mapping agent store all registered mapping.
NHC sent a query to NHS if they want to communicate with another NHC
NHS reply with specific info to NHC
NHRP Messages
NHRP Registration request
Spoke registered with public IP and tunnel IP to NHS.
Required to build spoke to hub tunnel.
NHRP Request
Spoke request for NBMA and tunnel IP of other spokes.
Required to build spoke to spoke tunnels
NHRP Redirect
Required to build spoke to spoke tunnel.
NHS answers with spoke to spoke info in it.
DMVP operation
A permanent IPSec tunnel has been build between all Spoke and hub location
Hub router is the NHRP server (NHS) and all the spoke will register to NHS with their public IP address
When a spoke needs to send a packet to another location it queries the NHRP server for the real public IP of the destination spoke.
After obtaining the target public IP the of spoke can initiate a dynamic IPSec tunnel with spoke.
The spoke to spoke tunnel is built over mGRE tunnels
All the traffic from source to destination in went through the GRE tunnel are encrypted by IPSec protocol.
See the below sample diagram for the configuration of a DMVPN
Configuring the DMVPN Hub router for mGRE tunnel
Interface loopback 0
descrption LAN-Network
ip address 192.168.1.1 255.255.255.0
no shut
Interface f0/0
descrption WAN-Network
ip address 202.1.1.1 255.255.255.0
no shut
Tunnel configuration
Interface tunnel 0
description mGRE DMVPN tunnel
ip address 10.1.1.1 255.255.255.0
ip nhrp authentication @lpha
ip nhrp map mutlicast dynamic
ip nhrp network-id 1
tunnel source 202.1.1.1
tunnel mode gre multipoint
Configuring Spoke routers
Spoke-1
Interface lo 0
description LAN-Network
ip address 192.168.2.1 255.255.255.0
no shut
Interface e0/0
description WAN-Network
ip address 202.1.1.2 255.255.255.0
no shut
Interface tunnel 0
description mGRE
ip address 10.1.1.2 255.255.255.0
ip nhrp authentication @lpha
ip nhrp map multicast dynamic
ip nhrp map 10.1.1.1 202.1.1.1
ip nhrp map multicast 202.1.1.1
ip nhrp network-id 1
ip nhrp nhs 10.1.1.1
Tunnel source e0/0
Tunnel mode gre multipoint
Spoke-2
Interface loopback 0
description LAN-Network
ip address 192.168.3.1 255.255.255.0
No shu
Interface e0/0
description WAN-network
ip address 202.1.1.3 255.255.255.0
no shu
Interface tunnel 0
description mGRE
ip address 10.1.1.3 255.255.255.0
ip nhrp authentication @lpha
ip nhrp map multicast dynamic
ip nhrp map 10.1.1.1 202.1.1.1
ip nhrp map multicast 202.1.1.1
ip nhrp network-id 1
ip nhrp nhs 10.1.1.1
tunnel source e0/0
tunnel mode gre multipoint
mGRE Tunnel Protection configuration
Hub Router Configuration
Crypto isakmp policy 1
encryption 3des
Hash md5
authentication pre-share
Group 2
Crypto isakmp key @lpha address 0.0.0.0
Crypto ipsec transform-set DMVPN esp-3des esp-md5-hmac
Crypto ipsec profile DMVPN-PRO
Set transform-set DMVPN
Int tunnel 0
Tunnel protection ipsec profile DMVPN-PRO
Below are the Spoke router configuration applicable for all spoke locations.
Crypto isakmp policy 1
encryption 3des
Hash md5
Authe preshare
Group 2
Crypto isakmp key @lpha address 0.0.0.0
Crypto ipsec transform-set DMVPN esp-3des esp-md5-hmac
crypto ipsec profile DMVPN-PRO
set transform-set DMVPN
Int tunnel 0
tunnel protection ipsec profile DMVPN-PRO
ROUTING BETWEEN DMVPN mGRE TUNNELS
Hub Router
Ip route 192.168.2.0 255.255.255.0 10.1.1.2
Ip route 192.168.3.0 255.255.255.0 10.1.1.3
Spoke 1
Ip route 192.168.1.0 255.255.255.0 10.1.1.1
Ip route 192.168.3.0 255.255.255.0 10.1.1.3
Spoke 2
Ip route 192.168.1.0 255.255.255.0 10.1.1.1
Ip route 192.168.2.0 255.255.255.0 10.1.1.2
Hub#sh crypto session
Crypto session current status
Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 202.1.1.2 port 500
IKE SA: local 202.1.1.1/500 remote 202.1.1.2/500 Active
IPSEC FLOW: permit 47 host 202.1.1.1 host 202.1.1.2
Active SAs: 2, origin: crypto map
Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 202.1.1.3 port 500
IKE SA: local 202.1.1.1/500 remote 202.1.1.3/500 Active
IPSEC FLOW: permit 47 host 202.1.1.1 host 202.1.1.3
Active SAs: 2, origin: crypto map
Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 202.1.1.4 port 500
IKE SA: local 202.1.1.1/500 remote 202.1.1.4/500 Active
IPSEC FLOW: permit 47 host 202.1.1.1 host 202.1.1.4
Active SAs: 2, origin: crypto map
Hub#sh crypto isakmp sa
dst src state conn-id slot status
202.1.1.1 202.1.1.4 QM_IDLE 3 0 ACTIVE
202.1.1.1 202.1.1.3 QM_IDLE 2 0 ACTIVE
202.1.1.1 202.1.1.2 QM_IDLE 1 0 ACTIVE
Hub#sh crypto ipsec sa
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 202.1.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (202.1.1.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (202.1.1.2/255.255.255.255/47/0)
current_peer 202.1.1.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 215, #pkts encrypt: 215, #pkts digest: 215
#pkts decaps: 204, #pkts decrypt: 204, #pkts verify: 204
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 202.1.1.1, remote crypto endpt.: 202.1.1.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0xC32C6D83(3274468739)
inbound esp sas:
spi: 0xFD59AC3E(4250512446)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2007, flow_id: SW:7, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4472732/1440)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xC32C6D83(3274468739)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2008, flow_id: SW:8, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4472731/1438)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (202.1.1.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (202.1.1.3/255.255.255.255/47/0)
current_peer 202.1.1.3 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 220, #pkts encrypt: 220, #pkts digest: 220
#pkts decaps: 209, #pkts decrypt: 209, #pkts verify: 209
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 202.1.1.1, remote crypto endpt.: 202.1.1.3
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0xAB1C8A2A(2870774314)
inbound esp sas:
spi: 0xD59E7E94(3583934100)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2009, flow_id: SW:9, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4519789/1545)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xAB1C8A2A(2870774314)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2010, flow_id: SW:10, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4519788/1545)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (202.1.1.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (202.1.1.4/255.255.255.255/47/0)
current_peer 202.1.1.4 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 419, #pkts encrypt: 419, #pkts digest: 419
#pkts decaps: 407, #pkts decrypt: 407, #pkts verify: 407
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 202.1.1.1, remote crypto endpt.: 202.1.1.4
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0xD714BCE8(3608460520)
inbound esp sas:
spi: 0xE8BC10B4(3904639156)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: SW:2, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4545803/1519)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xD714BCE8(3608460520)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: SW:1, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4545802/1518)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
Comments