Thursday, November 21, 2024

Dynamic Multipoint VPN

markoer
http://www.linkedin.com/in/marcoermini
Thirty-three years old, computer technician, a professional in the ICT world for ten years, holds various certifications - in the Cisco world he has been a CCNA since December. He works in the Unix, Cisco and Oracle world for one of the largest telcos in Düsseldorf (Germany) as deployment leader and security manager. He is generally enthusiastic about sharing his knowledge and his view of the world with other technicians.

SNRS – Dynamic Multipoint VPN (DMVPN)

Solution

  • Uses hub-and-spoke design
  • Supports redundancy
  • Does not use crypto maps
  • Multipoint GRE tunnel interfaces
  • Spokes connect to the HUB and never vice versa
  • Multiple or single topology
    • Single topology: only one subnet on the HUB side
    • Multiple topology: multiple subnets on the HUB side

Components

  • Multipoint GRE (mGRE) tunnel interface
  • Next Hop Resolution Protocol (NHRP)
    • 20 years old, originally designed for ATM/X.25 tunnels
    • Before sending a packet, the spoke does an NHRP query to the HUB that acts as an NHRP server
    • The server answers with the real (public) IP address and advertises the destination network
    • If the destination is not the HUB router, the spoke sets up an IPSec tunnel directly to the remote spoke (when using mGRE), bypassing the HUB
    • Spoke-to-spoke tunnels are automatically removed if idle for a certain time
  • IPSec profiles
  • They replace static crypto maps, but still need a transform set
    rt(config)# crypto isakmp policy priority_#
    rt(config-isakmp)# authentication rsa-sig|rsa-encr|pre-share
    rt(config-isakmp)# encryption des|3des|aes|aes 192|aes 256
    rt(config-isakmp)# group 1|2|5
    rt(config-isakmp)# hash md5|sha
    rt(config-isakmp)# lifetime #_of_seconds
    rt(config-isakmp)# exit
    rt(config)# crypto isakmp key key address 0.0.0.0

    rt(config)# crypto ipsec transform-set tsname ts_1 [ts2 [ts3]]
    rt(cfg-crypto-trans)# mode tunnel
    
  • Profile instead of map
    rt(config)# crypto ipsec profile profile_name
    rt(ipsec-profile)# set transform-set tsname ts_1 [ts2 [ts3]]
    rt(ipsec-profile)# set pfs group1|group2|group5
    rt(ipsec-profile)# set security-association lifetime …
    
  • Configuration

    • HUB configuration
      rt(config)# interface tunnel int_#
      rt(config-if)# ip address ip_addr
      rt(config-if)# ip mtu 1416
      rt(config-if)# ip nhrp authentication key
      rt(config-if)# ip nhrp map multicast dynamic   ! needed for routing protocols (multicast hellos)!
      rt(config-if)# ip nhrp network-id id#
      rt(config-if)# ip nhrp holdtime seconds
      rt(config-if)# tunnel source public_int_name
      rt(config-if)# tunnel key key_#
      rt(config-if)# tunnel mode gre multipoint
      rt(config-if)# tunnel protection ipsec profile profile
      
    • Spoke configuration
      rt(config)# interface tunnel int_#
      rt(config-if)# ip address ip_addr
      rt(config-if)# ip mtu 1416
      rt(config-if)# ip nhrp authentication key
      rt(config-if)# ip nhrp map HUB_tunnel_IP HUB_public_IP
      rt(config-if)# ip nhrp map multicast HUB_public_IP
      rt(config-if)# ip nhrp nhs HUB_tunnel_IP
      rt(config-if)# ip nhrp network-id id#
      rt(config-if)# ip nhrp holdtime seconds
      rt(config-if)# tunnel source public_int_name
      rt(config-if)# tunnel key key_#
      rt(config-if)# tunnel mode gre multipoint
      rt(config-if)# tunnel protection ipsec profile profile
      
    • Routing considerations
      • Disable split horizon for EIGRP on the HUB tunnel interface (no ip split-horizon eigrp AS#)
      • no ip next-hop-self eigrp AS# on the HUB tunnel interface, so spokes learn each other's tunnel address as next hop
      • eigrp stub connected on the spokes
      • On OSPF, set the bandwidth parameter on the tunnel interface – it does not affect functionality but may help limit fragmentation and improve performance
      • On OSPF, the HUB needs the tunnel interface set to the OSPF broadcast network type
