Tuesday, April 5, 2016

[Cisco IOS] DMVPN Phase 3 with IKEv2

I am including the following information for my own personal reference, so I will not go into much detail; I hope you find it useful.

DMVPN Operation

A Dynamic Multipoint VPN (DMVPN) is an evolved form of hub-and-spoke tunneling. It provides a secure network in which sites can exchange data directly, without passing traffic through the organization's headquarters VPN server or router.

DMVPN's solution to the scaling problem of per-site tunnels is multipoint GRE (mGRE) tunneling. Recall that a GRE tunnel encapsulates IP packets with a GRE header and a new IP header for transport across an untrusted network. Point-to-point GRE tunnels have exactly two endpoints, and each tunnel on a router requires a separate virtual interface with its own independent configuration. A multipoint GRE tunnel, by contrast, allows more than two endpoints and is treated as a non-broadcast multi-access (NBMA) network.

Traditional VPNs connect each remote site to the headquarters; DMVPN essentially creates a mesh VPN topology, so each site (spoke) can connect directly to every other site, wherever it is located.

DMVPN deployments combine GRE tunneling and IPsec encryption with the Next Hop Resolution Protocol (NHRP); together these reduce administrative burden and provide reliable dynamic connectivity between sites.

For additional information please check the following links:
Cisco.com // Networkhobo.com // Firewall.cx

The examples below are based on the following network diagram; only the relevant parts are shown.



#############################################
############# HUB CONFIGURATION #############
#############################################

router eigrp 100
 net 0.0.0.0
!
! IKEv2 proposal, keyring, policy and profile
crypto ikev2 proposal IKEv2_PROPOSAL
 encryption aes-gcm-256
 prf sha256
 ! group 5 (1536-bit MODP) is below current recommendations; group 14 or ECDH groups 19/20 are preferred
 group 5
!
crypto ikev2 keyring IKEV2_KEY
 peer DMVPN
  address 0.0.0.0 0.0.0.0
  pre-shared-key local cisco-ABC
  pre-shared-key remote cisco-123
!
crypto ikev2 policy IKEv2_POLICY
 proposal IKEv2_PROPOSAL
!
crypto ikev2 profile IKEV2_PROFILE
 match identity remote any
 authentication remote pre-share
 authentication local pre-share
 keyring local IKEV2_KEY
!
crypto ipsec transform-set TRANS esp-gcm 256
 mode transport
!
crypto ipsec profile IKEV2_IPSEC
 set transform-set TRANS
 set ikev2-profile IKEV2_PROFILE
!
! tunnel configuration
interface Tunnel100
 ip address 172.16.1.1 255.255.255.0
 no ip redirects
 bandwidth 1000
 delay 1000
 tunnel source GigabitEthernet0/0
 ! no tunnel destination, because this is not a point-to-point tunnel
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile IKEV2_IPSEC
 ! ensures longer packets are fragmented before they are encrypted;
 ! otherwise, the receiving router would have to do the reassembly.
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication CISCO456
 ip nhrp network-id 100
 ip nhrp holdtime 300
 ip pim sparse-dense-mode
 ! enabling DMVPN phase 3, allowing dynamic spoke to spoke
 ip nhrp shortcut
 ip nhrp redirect
 ! only for HUBs
 ip nhrp map multicast dynamic
 ! the AS number must match the "router eigrp" process above
 no ip split-horizon eigrp 100


Please note that the only difference between Spoke 1 and Spoke 2 is the tunnel IP address.

################################################
########### SPOKE1 & 2 CONFIGURATION ############
################################################

router eigrp 100
 net 0.0.0.0
!
! IKEv2 proposal, keyring, policy and profile
crypto ikev2 proposal IKEv2_PROPOSAL
 encryption aes-gcm-256
 prf sha256
 ! group 5 (1536-bit MODP) is below current recommendations; group 14 or ECDH groups 19/20 are preferred
 group 5
!
crypto ikev2 keyring IKEV2_KEY
 peer DMVPN
  address 0.0.0.0 0.0.0.0
  pre-shared-key local cisco-123
  pre-shared-key remote cisco-ABC
!
crypto ikev2 policy IKEv2_POLICY
 proposal IKEv2_PROPOSAL
!
crypto ikev2 profile IKEV2_PROFILE
 match identity remote any
 authentication remote pre-share
 authentication local pre-share
 keyring local IKEV2_KEY
!
crypto ipsec transform-set TRANS esp-gcm 256
 mode transport
!
crypto ipsec profile IKEV2_IPSEC
 set transform-set TRANS
 set ikev2-profile IKEV2_PROFILE
!
! tunnel configuration - SPOKE
interface Tunnel100
 ip address 172.16.1.2 255.255.255.0
 no ip redirects
 bandwidth 1000
 delay 1000
 tunnel source GigabitEthernet0/0
 ! no tunnel destination, because this is not a point-to-point tunnel
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile IKEV2_IPSEC
 ! ensures longer packets are fragmented before they are encrypted;
 ! otherwise, the receiving router would have to do the reassembly.
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication CISCO456
 ip nhrp network-id 100
 ip nhrp holdtime 300
 ip pim sparse-dense-mode
 ! enabling DMVPN phase 3, allowing dynamic spoke to spoke
 ip nhrp shortcut
 !
 ! Repeat the following lines for each HUB
 ! map the hub's tunnel IP to its publicly reachable IP
 ip nhrp map 172.16.1.1 60.60.60.5
 ip nhrp map multicast 60.60.60.5
 ! next-hop server (the hub)
 ip nhrp nhs 172.16.1.1
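As an added consistency check that is not part of the original post: a short Python script that parses constructed hub and spoke excerpts (regex-based, not a full IOS config parser) and flags the settings that must agree between the two sides, namely cross-matched IKEv2 pre-shared keys, identical NHRP authentication string, network-id and tunnel key, the EIGRP AS referenced by split-horizon, and the Phase 3 redirect/shortcut pairing.

```python
import re

# Constructed hub and spoke excerpts in the style of the configs above; the hub
# excerpt deliberately disables split-horizon for AS 1 while EIGRP runs AS 100.
HUB = """router eigrp 100
  pre-shared-key local cisco-ABC
  pre-shared-key remote cisco-123
 tunnel key 100
 ip nhrp authentication CISCO456
 ip nhrp network-id 100
 ip nhrp redirect
 no ip split-horizon eigrp 1"""
SPOKE = """router eigrp 100
  pre-shared-key local cisco-123
  pre-shared-key remote cisco-ABC
 tunnel key 100
 ip nhrp authentication CISCO456
 ip nhrp network-id 100
 ip nhrp shortcut"""

def grab(pattern, cfg):
    # First capture group of the first match in cfg, or None if absent
    m = re.search(pattern, cfg, re.M)
    return m.group(1) if m else None

def parse(cfg):
    return {
        "eigrp_as": grab(r"^router eigrp (\d+)", cfg),
        "split_as": grab(r"^\s*no ip split-horizon eigrp (\d+)", cfg),
        "psk_local": grab(r"pre-shared-key local (\S+)", cfg),
        "psk_remote": grab(r"pre-shared-key remote (\S+)", cfg),
        "nhrp_auth": grab(r"ip nhrp authentication (\S+)", cfg),
        "nhrp_id": grab(r"ip nhrp network-id (\d+)", cfg),
        "tunnel_key": grab(r"^\s*tunnel key (\d+)", cfg),
    }

def check(hub_cfg, spoke_cfg):
    # Returns a list of findings; an empty list means the pair is consistent
    h, s = parse(hub_cfg), parse(spoke_cfg)
    f = []
    if (h["psk_local"], h["psk_remote"]) != (s["psk_remote"], s["psk_local"]):
        f.append("IKEv2 pre-shared keys do not cross-match (hub local must equal spoke remote)")
    for k in ("nhrp_auth", "nhrp_id", "tunnel_key"):
        if h[k] != s[k]:
            f.append(f"{k} differs: hub={h[k]} spoke={s[k]} (NHRP registration will fail)")
    if h["split_as"] != h["eigrp_as"]:
        f.append(f"hub disables split-horizon for AS {h['split_as']} but runs EIGRP AS {h['eigrp_as']}")
    if "ip nhrp redirect" not in hub_cfg or "ip nhrp shortcut" not in spoke_cfg:
        f.append("Phase 3 needs 'ip nhrp redirect' on the hub and 'ip nhrp shortcut' on spokes")
    return f
```

Running `check(HUB, SPOKE)` reports only the split-horizon AS mismatch; once that is corrected the pair passes clean.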