top of page
Search
Writer's pictureSonicvision

Understanding Cisco DMVPN (Dynamic Multi-point VPN)

Dynamic multi-point VPN is a cost-effective solution for interconnecting lots of branch offices together with ease of configuration and security. It reduces the configuration complexity and increases flexibility and scalability.


With DMVPN a central hub router in the head office manages all the spoke location router with the dynamic IP address and can access company resources anywhere from the locations.


DMVPN utilizes mGRE tunnels, NHRP, and IPSec encryption to interconnect spoke and hub routers together without compromising security and flexibility.


DMVPN Components

  • mGRE tunnels

  • Next hop Resolution Protocol (NHRP)

  • Routing Protocols

  • Dynamic IPSec encryption

mGRE Tunnels

  • No need to configure the Tunnel destination.

  • Mapping is through NHRP Protocol.

  • Endpoints are configured as mGRE tunnels

  • Only needed tunnel source and mode to mGRE for enable configuration.

NHRP Next hop resolution Protocol

  • Map the tunnel with the NBMA address.

  • Building Dynamic database of spoke address with dynamic public IP addresses

  • Routers can be configured as

Next hop server NHS

Next hop clients NHC

  • NHS act as a mapping agent store all registered mapping.

  • NHC sent a query to NHS if they want to communicate with another NHC

  • NHS reply with specific info to NHC

NHRP Messages

  • NHRP Registration request

Spoke registered with public IP and tunnel IP to NHS.

Required to build spoke to hub tunnel.

  • NHRP Request

Spoke request for NBMA and tunnel IP of other spokes.

Required to build spoke to spoke tunnels

  • NHRP Redirect

Required to build spoke to spoke tunnel.

NHS answers with spoke to spoke info in it.

DMVP operation

  1. A permanent IPSec tunnel has been build between all Spoke and hub location

  2. Hub router is the NHRP server (NHS) and all the spoke will register to NHS with their public IP address

  3. When a spoke needs to send a packet to another location it queries the NHRP server for the real public IP of the destination spoke.

  4. After obtaining the target public IP the of spoke can initiate a dynamic IPSec tunnel with spoke.

  5. The spoke to spoke tunnel is built over mGRE tunnels

  6. All the traffic from source to destination in went through the GRE tunnel are encrypted by IPSec protocol.

See the below sample diagram for the configuration of a DMVPN

Configuring the DMVPN Hub router for mGRE tunnel


Interface loopback 0

descrption LAN-Network

ip address 192.168.1.1 255.255.255.0

no shut

Interface f0/0

descrption WAN-Network

ip address 202.1.1.1 255.255.255.0

no shut

Tunnel configuration

Interface tunnel 0

description mGRE DMVPN tunnel

ip address 10.1.1.1 255.255.255.0

ip nhrp authentication @lpha

ip nhrp map mutlicast dynamic

ip nhrp network-id 1

tunnel source 202.1.1.1

tunnel mode gre multipoint


Configuring Spoke routers


Spoke-1

Interface lo 0

description LAN-Network

ip address 192.168.2.1 255.255.255.0

no shut

Interface e0/0

description WAN-Network

ip address 202.1.1.2 255.255.255.0

no shut

Interface tunnel 0

description mGRE

ip address 10.1.1.2 255.255.255.0

ip nhrp authentication @lpha

ip nhrp map multicast dynamic

ip nhrp map 10.1.1.1 202.1.1.1

ip nhrp map multicast 202.1.1.1

ip nhrp network-id 1

ip nhrp nhs 10.1.1.1

Tunnel source e0/0

Tunnel mode gre multipoint

Spoke-2

Interface loopback 0

description LAN-Network

ip address 192.168.3.1 255.255.255.0

No shu

Interface e0/0

description WAN-network

ip address 202.1.1.3 255.255.255.0

no shu

Interface tunnel 0

description mGRE

ip address 10.1.1.3 255.255.255.0

ip nhrp authentication @lpha

ip nhrp map multicast dynamic

ip nhrp map 10.1.1.1 202.1.1.1

ip nhrp map multicast 202.1.1.1

ip nhrp network-id 1

ip nhrp nhs 10.1.1.1

tunnel source e0/0

tunnel mode gre multipoint


mGRE Tunnel Protection configuration


Hub Router Configuration

Crypto isakmp policy 1

encryption 3des

Hash md5

authentication pre-share

Group 2

Crypto isakmp key @lpha address 0.0.0.0

Crypto ipsec transform-set DMVPN esp-3des esp-md5-hmac

Crypto ipsec profile DMVPN-PRO

Set transform-set DMVPN

Int tunnel 0

Tunnel protection ipsec profile DMVPN-PRO

Below are the Spoke router configuration applicable for all spoke locations.

Crypto isakmp policy 1

encryption 3des

Hash md5

Authe preshare

Group 2

Crypto isakmp key @lpha address 0.0.0.0

Crypto ipsec transform-set DMVPN esp-3des esp-md5-hmac

crypto ipsec profile DMVPN-PRO

set transform-set DMVPN

Int tunnel 0

tunnel protection ipsec profile DMVPN-PRO


ROUTING BETWEEN DMVPN mGRE TUNNELS

Hub Router

Ip route 192.168.2.0 255.255.255.0 10.1.1.2

Ip route 192.168.3.0 255.255.255.0 10.1.1.3

Spoke 1

Ip route 192.168.1.0 255.255.255.0 10.1.1.1

Ip route 192.168.3.0 255.255.255.0 10.1.1.3

Spoke 2

Ip route 192.168.1.0 255.255.255.0 10.1.1.1

Ip route 192.168.2.0 255.255.255.0 10.1.1.2





Hub#sh crypto session
Crypto session current status

Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 202.1.1.2 port 500
  IKE SA: local 202.1.1.1/500 remote 202.1.1.2/500 Active
  IPSEC FLOW: permit 47 host 202.1.1.1 host 202.1.1.2
        Active SAs: 2, origin: crypto map

Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 202.1.1.3 port 500
  IKE SA: local 202.1.1.1/500 remote 202.1.1.3/500 Active
  IPSEC FLOW: permit 47 host 202.1.1.1 host 202.1.1.3
        Active SAs: 2, origin: crypto map

Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 202.1.1.4 port 500
  IKE SA: local 202.1.1.1/500 remote 202.1.1.4/500 Active
  IPSEC FLOW: permit 47 host 202.1.1.1 host 202.1.1.4
        Active SAs: 2, origin: crypto map



Hub#sh crypto isakmp sa
dst             src             state          conn-id slot status
202.1.1.1       202.1.1.4       QM_IDLE              3    0 ACTIVE
202.1.1.1       202.1.1.3       QM_IDLE              2    0 ACTIVE
202.1.1.1       202.1.1.2       QM_IDLE              1    0 ACTIVE


Hub#sh crypto ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 202.1.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (202.1.1.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (202.1.1.2/255.255.255.255/47/0)
   current_peer 202.1.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 215, #pkts encrypt: 215, #pkts digest: 215
    #pkts decaps: 204, #pkts decrypt: 204, #pkts verify: 204
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 202.1.1.1, remote crypto endpt.: 202.1.1.2
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0xC32C6D83(3274468739)

     inbound esp sas:
      spi: 0xFD59AC3E(4250512446)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2007, flow_id: SW:7, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4472732/1440)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xC32C6D83(3274468739)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2008, flow_id: SW:8, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4472731/1438)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (202.1.1.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (202.1.1.3/255.255.255.255/47/0)
   current_peer 202.1.1.3 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 220, #pkts encrypt: 220, #pkts digest: 220
    #pkts decaps: 209, #pkts decrypt: 209, #pkts verify: 209
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 202.1.1.1, remote crypto endpt.: 202.1.1.3
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0xAB1C8A2A(2870774314)

     inbound esp sas:
      spi: 0xD59E7E94(3583934100)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2009, flow_id: SW:9, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4519789/1545)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xAB1C8A2A(2870774314)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2010, flow_id: SW:10, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4519788/1545)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (202.1.1.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (202.1.1.4/255.255.255.255/47/0)
   current_peer 202.1.1.4 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 419, #pkts encrypt: 419, #pkts digest: 419
    #pkts decaps: 407, #pkts decrypt: 407, #pkts verify: 407
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 202.1.1.1, remote crypto endpt.: 202.1.1.4
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0xD714BCE8(3608460520)

     inbound esp sas:
      spi: 0xE8BC10B4(3904639156)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: SW:2, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4545803/1519)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xD714BCE8(3608460520)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: SW:1, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4545802/1518)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

18 views0 comments

Recent Posts

See All

How an AI camera works ?

An AI camera works by combining traditional camera technology with artificial intelligence algorithms to capture, analyze, and interpret...

Comments


bottom of page